Dark Reading is part of the Informa Tech Division of Informa PLC


Five Significant Insider Attacks Of 2012

From the recent theft of counterterrorism data from Switzerland's intelligence agency to remotely wiretapping boardroom videoconferencing systems, a number of attacks had an inside component

Insider attacks continued to haunt government agencies and companies alike in 2012. From rogue PIN pads at Barnes & Noble to disgruntled employees walking out with a nation's secrets, organizations suffered a wide variety of attacks.

While studies have found that insiders typically account for a minority of incidents, they tend to cause more damage, especially when privileged users, who have access to a company's crown jewels, go rogue. In addition, negligent insiders cause nearly 40 percent of all data breaches, and malicious attacks account for a third of incidents, according to a March study.

"The difference with insiders is they can inflict measurable financial, measurable IP, measurable brand and reputation damage -- more so than an outsider can," says Jim Butterworth, chief security officer for HBGary, a subsidiary of ManTech International. "Make sure that your employees, especially those with access to the crown jewels, are held accountable."

While insiders are usually only marginally involved in the theft of many types of data, incidents involving intellectual property are the exception, according to a Verizon report. In two-thirds of cases, regular employees played some role in the loss of intellectual property, the report stated.

The definition of "insider threat" continues to broaden. Once used to describe any attack by a rogue employee, the term now encompasses attacks that use insider-like access to compromise systems and data, such as employees who bring infected devices inside the firewall or companies that allow Internet-facing resources -- such as remote-desktop applications and videoconferencing -- unfettered access to the inside of their networks.

"In those cases, the breach would have never occurred if not for the insider making a mistake," says Rob Sobers, technical marketing manager for data-protection firm Varonis.

[Protecting intellectual property against insiders is tough enough when the insiders are a company's own employees, but the problem becomes even more difficult when a third party has access to confidential information. See When Someone Else's Insider Is Your Threat.]

Here are five significant attacks involving insiders in 2012.

5. Infrastructure As An Insider: Barnes & Noble
In October, retail book chain Barnes & Noble announced that rogue PIN pad devices had been found at 63 of its 700 stores, allowing criminals to siphon off credit- and debit-card numbers as well as the PINs to victims' bank accounts. Because the affected stores were located in different geographic areas, the attack is thought to be the work of an organized group of criminals.

Less than 1 percent of the devices were compromised with hardware "bugs," making the attack unlikely to be a supply-chain issue, Barnes & Noble stated. The incident showed that compromised infrastructure -- whether corrupted somewhere in the supply chain or later on-site -- is a major insider issue, said Gunter Ollmann, then vice president of research at Damballa, at the time.

"There is very little that can be done to protect these devices beyond what is already being done today," he said. "In essence, an insider threat is the most insidious."

4. Bug In The Boardroom: Rapid7 Videoconferencing Research
In January, researchers at vulnerability management firm Rapid7 published research showing that many videoconferencing systems were directly accessible from the Internet, essentially giving attackers a direct line into conference and meeting rooms.

The company's researchers scanned about 3 percent of the Internet's address space and found some 5,000 systems configured to automatically answer incoming calls from the Internet. Extrapolating from that sample, Rapid7 estimated that roughly 150,000 systems are likely reachable from outside corporate networks. In lab tests with similar equipment, the researchers found that they could listen in on nearby conversations and even read information on whiteboards and sticky notes.

"People definitely want to be familiar with the products they are deploying," said Joshua Talbot, security intelligence manager at Symantec, at the time. "Companies that adopt a new technology should become aware of the security risks that they are bringing into the environment."

Later research found that remote-access software, used to administer a client's systems, could be a major security issue for companies that did not configure the software correctly, giving attackers a backdoor into the enterprise.

3. Data Walk Out: From Cityville To Kixeye
In August, Alan Patmore left Zynga and moved over to a small San Francisco startup, Kixeye. Just before leaving, he created a Dropbox folder and used it to transfer 760 files to the cloud, Zynga claimed in an October lawsuit. The data included a description of Zynga's methods for measuring the success of game features, an initial assessment of Cityville, and design documents for nearly a dozen unreleased games, Zynga stated in its complaint. "Patmore transferred this data from Zynga in violation of his obligation and without Zynga's knowledge or consent," the company stated.

Kixeye countersued under California's business codes, claiming that the information is not proprietary and Zynga was attempting to stem an exodus of employees using legal tactics. The saga continues in the Superior Court of California.

Insiders walking out with proprietary data to which the workers believe they have some ownership rights is a common problem for companies. Educating employees about a company's intellectual-property concerns is a must. In addition to legal protections, companies should focus on limiting employees' access to data they do not need to do their work.

"Always make sure that people have access to only what they need," Varonis' Sobers says. "Just because they are an executive, they don't need to have access to everything in the company."

2. The Inadvertent Insider: South Carolina's Dept. Of Revenue Breach
In mid-August, attackers obtained the login credentials for an employee of the South Carolina Department of Revenue, essentially gaining insider access to the agency's systems. The attack, detected in October, resulted in the theft of some 3.6 million Social Security numbers belonging to state residents, as well as 387,000 credit- and debit-card numbers. Total cost: $14 million and growing.

Mandiant, the security firm that conducted the forensics investigation into the breach, theorized that the attackers used spearphishing e-mails to compromise a worker's system and collected the credentials. Such a scenario is quite common, Varonis' Sobers says.

"Most of the time, the insider component of these attacks is not malicious," Sobers says.

Organizations should limit workers' access to the information those employees need to know, and should encrypt sensitive data at rest so that a single compromised account does not expose everything. The S.C. Department of Revenue did neither: the stolen account had broad access, and the Social Security numbers were stored unencrypted.
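Both the Zynga case and the South Carolina breach come down to the same check: does each account hold only the access its job requires, and is that access still being used? The script below is an added example, not code from the article, Varonis or Mandiant. It runs an entitlement review over a constructed need-to-know matrix, a constructed set of grants and a constructed access log; every role, resource and user name in it is hypothetical.

```python
"""Entitlement review: flag grants a role does not justify, and grants nobody uses.

Added example for this article; the data below is constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical need-to-know matrix: the resources each role requires.
ROLE_NEEDS = {
    "game-designer": {"design-docs", "playtest-metrics"},
    "finance-analyst": {"revenue-reports"},
    "executive": {"revenue-reports", "board-decks"},
    "sysadmin": {"infra-configs"},
}

# Constructed access-control entries: (user, role, resource, permission).
GRANTS = [
    ("alice", "game-designer", "design-docs", "rw"),
    ("alice", "game-designer", "playtest-metrics", "r"),
    ("bob", "executive", "revenue-reports", "r"),
    ("bob", "executive", "board-decks", "rw"),
    ("bob", "executive", "design-docs", "rw"),        # not justified by role
    ("bob", "executive", "unreleased-games", "rw"),   # not justified by role
    ("carol", "sysadmin", "infra-configs", "rw"),
    ("carol", "sysadmin", "revenue-reports", "r"),    # not justified by role
    ("dave", "contractor", "design-docs", "r"),       # role not in the matrix
]

# Constructed access log: (user, resource, ISO-8601 time of last access).
ACCESS_LOG = [
    ("alice", "design-docs", "2012-10-01T09:12:00"),
    ("alice", "playtest-metrics", "2012-10-02T14:03:00"),
    ("bob", "board-decks", "2012-09-30T08:00:00"),
    ("bob", "revenue-reports", "2012-07-01T08:00:00"),  # idle for > 90 days
    ("carol", "infra-configs", "2012-10-02T22:45:00"),
]
NOW = datetime(2012, 10, 3)  # fixed "now" so the review is reproducible


def excess_grants(grants, role_needs):
    """Map user -> sorted resources the user holds but the role does not need.

    A role missing from the matrix cannot justify anything, so all of that
    user's grants are reported.
    """
    excess = defaultdict(set)
    for user, role, resource, _perm in grants:
        needed = role_needs.get(role)
        if needed is None or resource not in needed:
            excess[user].add(resource)
    return {user: sorted(res) for user, res in excess.items()}


def stale_grants(grants, access_log, now, max_idle_days=90):
    """Return sorted (user, resource) pairs not exercised within max_idle_days.

    A grant with no log entry at all counts as stale: access that is never
    used is the cheapest access to revoke.
    """
    last_seen = {(u, r): datetime.fromisoformat(ts) for u, r, ts in access_log}
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user, _role, resource, _perm in grants:
        seen = last_seen.get((user, resource))
        if seen is None or seen < cutoff:
            stale.append((user, resource))
    return sorted(stale)


def review(grants=GRANTS, role_needs=ROLE_NEEDS, access_log=ACCESS_LOG, now=NOW):
    """Run both checks and return the findings as one dict."""
    return {
        "excess": excess_grants(grants, role_needs),
        "stale": stale_grants(grants, access_log, now),
    }


if __name__ == "__main__":
    findings = review()
    for user, resources in findings["excess"].items():
        print(f"EXCESS  {user}: {', '.join(resources)}")
    for user, resource in findings["stale"]:
        print(f"STALE   {user}: {resource}")
```

In the constructed data the executive account "bob" is the one Sobers describes: the role justifies two resources, but the account holds four, and one of the justified grants has not been used in a quarter. Feeding the script real ACL exports and access logs is a matter of replacing the three constructed tables.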

1. The Disgruntled Insider: Swiss Intel Leak
In a case rivaling the leak of U.S. State Department memos by a U.S. military serviceman, Switzerland's intelligence agency, the NDB, told its American and British counterparts that a disgruntled system administrator had reportedly taken terabytes of classified information from its systems. The employee reportedly had unrestricted rights to the intelligence service's systems and had carried out hard drives containing the stolen data, according to a Reuters report published earlier this month.

"Here is an administrator with root privileges, and there were no measures in place to restrict what that administrator could do," says Todd Thiemann, senior director of product marketing for data-protection provider Vormetric.

While authorities do not believe that the rogue employee sold or transferred the data, they have no way to be sure, sources told Reuters.
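An administrator with unrestricted rights cannot be prevented from reading data by the system he administers, so the compensating control is monitoring: someone other than that administrator should see when terabytes move onto removable media. The script below is an added example, not code from the article, Reuters or Vormetric. It runs a sliding-window detection over a constructed JSON-lines feed of file-write events; the feed format, field names, account list and 50 GiB threshold are all assumptions standing in for whatever an endpoint agent or audit forwarder actually emits.

```python
"""Flag privileged accounts writing bulk data to removable media.

Added example for this article. The event feed, field names and thresholds
are constructed; adapt them to the real audit source.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"root", "sysadmin1"}            # assumed list of privileged accounts
REMOVABLE_MOUNTS = ("/media/", "/mnt/usb")    # assumed removable mount prefixes
THRESHOLD_BYTES = 50 * 1024 ** 3              # 50 GiB per window; tune per site
WINDOW = timedelta(hours=24)

# Constructed sample events, one JSON object per line, as an agent might emit.
SAMPLE_EVENTS = """
{"ts":"2012-09-10T21:06:00","user":"sysadmin1","action":"write","path":"/media/ext1/archive1.tar","bytes":40000000000}
{"ts":"2012-09-10T22:30:00","user":"sysadmin1","action":"write","path":"/media/ext1/archive2.tar","bytes":30000000000}
{"ts":"2012-09-11T09:00:00","user":"analyst7","action":"write","path":"/media/usb0/report.pdf","bytes":2000000}
{"ts":"2012-09-11T09:30:00","user":"sysadmin1","action":"write","path":"/home/sysadmin1/backup.tar","bytes":90000000000}
{"ts":"2012-09-12T23:10:00","user":"sysadmin1","action":"write","path":"/media/ext1/archive3.tar","bytes":20000000000}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_removable(path):
    return path.startswith(REMOVABLE_MOUNTS)


def bulk_removable_writes(events, privileged=PRIVILEGED,
                          threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return alerts (user, window_start_iso, total_bytes).

    For each privileged user, slide a window of length `window` over their
    writes to removable media and alert when the bytes inside it exceed
    `threshold`. One alert is kept per distinct window start, carrying the
    largest total seen for that window, so a burst of writes does not
    produce a burst of alerts.
    """
    per_user = defaultdict(list)
    for e in events:
        if (e["action"] == "write" and e["user"] in privileged
                and is_removable(e["path"])):
            per_user[e["user"]].append((e["ts"], int(e["bytes"])))

    alerts = {}
    for user, writes in per_user.items():
        start, total = 0, 0
        for ts, nbytes in writes:
            total += nbytes
            # Drop writes that fell out of the window ending at ts.
            while ts - writes[start][0] > window:
                total -= writes[start][1]
                start += 1
            if total > threshold:
                key = (user, writes[start][0].isoformat())
                alerts[key] = max(total, alerts.get(key, 0))
    return sorted((u, s, b) for (u, s), b in alerts.items())


if __name__ == "__main__":
    for user, start, total in bulk_removable_writes(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {user}: {total / 1024**3:.1f} GiB to removable media "
              f"in the 24h from {start}")
```

On the constructed feed only the two writes on the evening of 10 September trip the rule; the third, two days later, has fallen out of the window, and the large write to the home directory is not removable media at all. In a real deployment the feed would be the one control the administrator cannot silence, which means shipping it off-host to a collector the administrator does not own.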

12/19/2012 | 7:57:53 PM
re: Five Significant Insider Attacks Of 2012
Great examples of how an "insider threat" isn't just a disgruntled employee.