
7/2/2008
09:35 AM

Insider Threat Doubles; New Program Offers Assessments

New data shows rapid growth of insider incidents; researchers launch pilot to assess an organization's insider threat risk

Insider-borne attacks have doubled in the last year, according to a new report, and one organization is launching an assessment program to help enterprises protect themselves against them.

The Identity Theft Resource Center reported this week that nearly 16 percent of breaches so far this year came from insiders, up from 6 percent in 2007, and 11.7 percent came from attackers outside the company -- down from 14.1 percent last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

The ITRC's data is consistent with other reports that insider incidents are on the rise. However, many experts point out that disclosure of all incidents is also on the rise, thanks largely to the legal requirements put in place by many states over the last year.

Carnegie Mellon Software Engineering Institute’s CERT Program, meanwhile, is about to roll out an insider risk assessment program pilot that helps organizations pinpoint where and how they’re vulnerable to an insider attack.

The program, which is based on data the CERT team has gathered from over 300 real-life data breaches caused by insiders, next year will be converted into a full-blown service, says Dawn Cappelli, lead for the insider threat team at the Carnegie Mellon Software Engineering Institute CERT Program. The goal is to eventually spin it off into an insider risk assessment software tool, she says.

Cappelli says her team has seen more and more insider attack cases. “There now there will be weeks when there are three or four of them,” she says. “But I don’t know if this is because of the new data breach laws, or if these numbers are increasing” overall, she says. Her team plans a new e-crime survey for later this year that should shed more light on that, she states.

While the ITRC report suggests that insider attacks are in the majority, a recent study by Verizon said that 73 percent of breaches were from “external sources,” although the report also attributed 18 percent of breaches to insiders, which nearly matches the ITRC numbers. Verizon's data linked external hacks to internal mistakes. (See Verizon Study Links External Hacks to Internal Mistakes.)

So why the apparent jump in insider attack numbers? "My opinion, culled from aggregating available data from breach studies and conversations with enterprises, is that the apparent increase in insider threats, at least statistically, is due to the fact that we are paying more attention to the issue driven by the availability and deployment of tools and compliance efforts,” says Christofer Hoff, chief security architect for Unisys. “Increased visibility delivers statistics that become more visible."

Whatever the cause for the spike, CERT’s Cappelli says organizations are anxious to drill down and find out whether they’re susceptible to an insider attack. “We haven’t seen anything like this,” Cappelli says of CERT’s new risk assessment pilot, which was built around details of the 250 real-world cases CERT evaluated: the specific vulnerability in the organization that was exploited, and the technology, processes, and legal issues associated with the breach.

“We came up with 1,600 distinct areas of concern” for insider attacks and folded them into a diagnostic “tool” for the assessments, Cappelli says. One item, for example, analyzes how the company could detect and handle the discovery of a logic bomb planted on its network by an IT guy gone bad, she says.

The CERT team will go on-site at the two organizations that volunteered for the pilot program and interview people in key areas such as IT, security, HR, management, physical security, software engineering, and even the owners of data. The team then will come up with a detailed assessment of where the company is at risk of an insider threat. “We give them data that they can feed into their risk management process,” Cappelli says.

Among the new threats Cappelli’s team has seen in its research of late are an increase in keyloggers, or keystroke monitoring to steal credentials, and an increase in business partners involved in attacks.

CERT also plans to publish a third edition of its “Common Sense Guide for Prevention and Detection of Insider Threats.” Cappelli says the new version of the best practices guide will include ways to prevent emerging threats like insiders using backdoor accounts to siphon data. “We’ll talk about how insiders could be stopped using good account management,” she says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...