Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:35 AM
Connect Directly

Insider Threat Doubles; New Program Offers Assessments

New data shows rapid growth of insider incidents; researchers launch pilot to assess an organization's insider threat risk

Insider-borne attacks have doubled in the last year, according to a new report, and one organization is launching an assessment program to help enterprises protect themselves against them.

The Identity Theft Resource Center reported this week that nearly 16 percent of breaches so far this year came from insiders, up from 6 percent in 2007, and 11.7 percent came from attackers outside the company -- down from 14.1 percent last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

The ITRC's data is consistent with other reports that insider incidents are on the rise. However, many experts point out that disclosure of all incidents is also on the rise, thanks largely to the legal requirements put in place by many states over the last year.

Carnegie Mellon Software Engineering Institute’s CERT Program, meanwhile, is about to roll out an insider risk assessment program pilot that helps organizations pinpoint where and how they’re vulnerable to an insider attack.

The program, which is based on data the CERT team has gathered from over 300 real-life data breaches caused by insiders, next year will be converted into a full-blown service, says Dawn Cappelli, lead for the insider threat team at the Carnegie Mellon Software Engineering Institute CERT Program. The goal is to eventually spin it off into an insider risk assessment software tool, she says.

Cappelli says her team has seen more and more insider attack cases. “There now there will be weeks when there are three or four of them,” she says. “But I don’t know if this is because of the new data breach laws, or if these numbers are increasing” overall, she says. Her team plans a new e-crime survey for later this year that should shed more light on that, she states.

While the ITRC report suggests that insider attacks are in the majority, a recent study by Verizon said that 73 percent of breaches were from “external sources,” although the report also attributed 18 percent of breaches to insiders, which nearly matches the ITRC numbers. Verizon's data linked external hacks to internal mistakes. (See Verizon Study Links External Hacks to Internal Mistakes.)

So why the apparent jump in insider attack numbers? "My opinion, culled from aggregating available data from breach studies and conversations with enterprises, is that the apparent increase in insider threats, at least statistically, is due to the fact that we are paying more attention to the issue driven by the availability and deployment of tools and compliance efforts,” says Christofer Hoff, chief security architect for Unisys. “Increased visibility delivers statistics that become more visible."

Whatever the cause for the spike, CERT’s Capelli says organizations are anxious to drill down and find out whether they’re susceptible to an insider attack. “We haven’t seen anything like this,” Capelli says of CERT’s new risk assessment pilot, which was built around details of the 250 real-world cases CERT evaluated on the specific vulnerability in the organization that was exploited, and the technology, processes, and legal issues associated with the breach.

“We came up with 1,600 distinct areas of concern” for insider attacks and folded them into a diagnostic “tool” for the assessments, Capelli says. One item, for example, analyzes how the company could detect and handle the discovery of a logic bomb planted on their network by an IT guy gone bad, she says.

The CERT team will go on-site at the two organizations that volunteered for the pilot program and interview people in key areas such as IT, security, HR, management, physical security, software engineering, and even the owners of data. The team then will come up with a detailed assessment of where the company is at risk of an insider threat. “We give them data that they can feed into their risk management process,” Capelli says.

Among the new threats Capelli’s team has seen in its research of late is an increase in keyloggers, or keystroke monitoring to steal credentials, and an increase in business partners involved in attacks.

CERT also plans to publish a third edition of its “Common Sense Guide for Prevention and Detection of Insider Threats.” Capelli says the new version of the best practices guide will include ways to prevent emerging threats like insiders using backdoor accounts to siphon data. “We’ll talk about how insiders could be stopped using good account management,” she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Unisys Corp. (NYSE: UIS)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    DevSecOps: The Answer to the Cloud Security Skills Gap
    Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
    Attackers' Costs Increasing as Businesses Focus on Security
    Robert Lemos, Contributing Writer,  11/15/2019
    Human Nature vs. AI: A False Dichotomy?
    John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: -when I told you that our cyber-defense was from another age
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2019-11-20
    An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
    PUBLISHED: 2019-11-20
    The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
    PUBLISHED: 2019-11-20
    The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
    PUBLISHED: 2019-11-20
    A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
    PUBLISHED: 2019-11-20
    A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version may allow local privilege escalation.