Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:35 AM
Connect Directly

Insider Threat Doubles; New Program Offers Assessments

New data shows rapid growth of insider incidents; researchers launch pilot to assess an organization's insider threat risk

Insider-borne attacks have doubled in the last year, according to a new report, and one organization is launching an assessment program to help enterprises protect themselves against them.

The Identity Theft Resource Center reported this week that nearly 16 percent of breaches so far this year came from insiders, up from 6 percent in 2007, and 11.7 percent came from attackers outside the company -- down from 14.1 percent last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

The ITRC's data is consistent with other reports that insider incidents are on the rise. However, many experts point out that disclosure of all incidents is also on the rise, thanks largely to the legal requirements put in place by many states over the last year.

Carnegie Mellon Software Engineering Institute’s CERT Program, meanwhile, is about to roll out an insider risk assessment program pilot that helps organizations pinpoint where and how they’re vulnerable to an insider attack.

The program, which is based on data the CERT team has gathered from over 300 real-life data breaches caused by insiders, next year will be converted into a full-blown service, says Dawn Cappelli, lead for the insider threat team at the Carnegie Mellon Software Engineering Institute CERT Program. The goal is to eventually spin it off into an insider risk assessment software tool, she says.

Cappelli says her team has seen more and more insider attack cases. “There now there will be weeks when there are three or four of them,” she says. “But I don’t know if this is because of the new data breach laws, or if these numbers are increasing” overall, she says. Her team plans a new e-crime survey for later this year that should shed more light on that, she states.

While the ITRC report suggests that insider attacks are in the majority, a recent study by Verizon said that 73 percent of breaches were from “external sources,” although the report also attributed 18 percent of breaches to insiders, which nearly matches the ITRC numbers. Verizon's data linked external hacks to internal mistakes. (See Verizon Study Links External Hacks to Internal Mistakes.)

So why the apparent jump in insider attack numbers? "My opinion, culled from aggregating available data from breach studies and conversations with enterprises, is that the apparent increase in insider threats, at least statistically, is due to the fact that we are paying more attention to the issue driven by the availability and deployment of tools and compliance efforts,” says Christofer Hoff, chief security architect for Unisys. “Increased visibility delivers statistics that become more visible."

Whatever the cause for the spike, CERT’s Capelli says organizations are anxious to drill down and find out whether they’re susceptible to an insider attack. “We haven’t seen anything like this,” Capelli says of CERT’s new risk assessment pilot, which was built around details of the 250 real-world cases CERT evaluated on the specific vulnerability in the organization that was exploited, and the technology, processes, and legal issues associated with the breach.

“We came up with 1,600 distinct areas of concern” for insider attacks and folded them into a diagnostic “tool” for the assessments, Capelli says. One item, for example, analyzes how the company could detect and handle the discovery of a logic bomb planted on their network by an IT guy gone bad, she says.

The CERT team will go on-site at the two organizations that volunteered for the pilot program and interview people in key areas such as IT, security, HR, management, physical security, software engineering, and even the owners of data. The team then will come up with a detailed assessment of where the company is at risk of an insider threat. “We give them data that they can feed into their risk management process,” Capelli says.

Among the new threats Capelli’s team has seen in its research of late is an increase in keyloggers, or keystroke monitoring to steal credentials, and an increase in business partners involved in attacks.

CERT also plans to publish a third edition of its “Common Sense Guide for Prevention and Detection of Insider Threats.” Capelli says the new version of the best practices guide will include ways to prevent emerging threats like insiders using backdoor accounts to siphon data. “We’ll talk about how insiders could be stopped using good account management,” she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Unisys Corp. (NYSE: UIS)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 7/13/2020
    Omdia Research Launches Page on Dark Reading
    Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
    Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
    Jai Vijayan, Contributing Writer,  7/10/2020
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Threat from the Internetand What Your Organization Can Do About It
    The Threat from the Internetand What Your Organization Can Do About It
    This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-07-13
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
    PUBLISHED: 2020-07-13
    The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
    PUBLISHED: 2020-07-13
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
    PUBLISHED: 2020-07-13
    The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
    PUBLISHED: 2020-07-13
    Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.