Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

09:35 AM
Connect Directly

Insider Threat Doubles; New Program Offers Assessments

New data shows rapid growth of insider incidents; researchers launch pilot to assess an organization's insider threat risk

Insider-borne attacks have doubled in the last year, according to a new report, and one organization is launching an assessment program to help enterprises protect themselves against them.

The Identity Theft Resource Center reported this week that nearly 16 percent of breaches so far this year came from insiders, up from 6 percent in 2007, and 11.7 percent came from attackers outside the company -- down from 14.1 percent last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

The ITRC's data is consistent with other reports that insider incidents are on the rise. However, many experts point out that disclosure of all incidents is also on the rise, thanks largely to the legal requirements put in place by many states over the last year.

Carnegie Mellon Software Engineering Institute’s CERT Program, meanwhile, is about to roll out an insider risk assessment program pilot that helps organizations pinpoint where and how they’re vulnerable to an insider attack.

The program, which is based on data the CERT team has gathered from over 300 real-life data breaches caused by insiders, next year will be converted into a full-blown service, says Dawn Cappelli, lead for the insider threat team at the Carnegie Mellon Software Engineering Institute CERT Program. The goal is to eventually spin it off into an insider risk assessment software tool, she says.

Cappelli says her team has seen more and more insider attack cases. “There now there will be weeks when there are three or four of them,” she says. “But I don’t know if this is because of the new data breach laws, or if these numbers are increasing” overall, she says. Her team plans a new e-crime survey for later this year that should shed more light on that, she states.

While the ITRC report suggests that insider attacks are in the majority, a recent study by Verizon said that 73 percent of breaches were from “external sources,” although the report also attributed 18 percent of breaches to insiders, which nearly matches the ITRC numbers. Verizon's data linked external hacks to internal mistakes. (See Verizon Study Links External Hacks to Internal Mistakes.)

So why the apparent jump in insider attack numbers? "My opinion, culled from aggregating available data from breach studies and conversations with enterprises, is that the apparent increase in insider threats, at least statistically, is due to the fact that we are paying more attention to the issue driven by the availability and deployment of tools and compliance efforts,” says Christofer Hoff, chief security architect for Unisys. “Increased visibility delivers statistics that become more visible."

Whatever the cause for the spike, CERT’s Capelli says organizations are anxious to drill down and find out whether they’re susceptible to an insider attack. “We haven’t seen anything like this,” Capelli says of CERT’s new risk assessment pilot, which was built around details of the 250 real-world cases CERT evaluated on the specific vulnerability in the organization that was exploited, and the technology, processes, and legal issues associated with the breach.

“We came up with 1,600 distinct areas of concern” for insider attacks and folded them into a diagnostic “tool” for the assessments, Capelli says. One item, for example, analyzes how the company could detect and handle the discovery of a logic bomb planted on their network by an IT guy gone bad, she says.

The CERT team will go on-site at the two organizations that volunteered for the pilot program and interview people in key areas such as IT, security, HR, management, physical security, software engineering, and even the owners of data. The team then will come up with a detailed assessment of where the company is at risk of an insider threat. “We give them data that they can feed into their risk management process,” Capelli says.

Among the new threats Capelli’s team has seen in its research of late is an increase in keyloggers, or keystroke monitoring to steal credentials, and an increase in business partners involved in attacks.

CERT also plans to publish a third edition of its “Common Sense Guide for Prevention and Detection of Insider Threats.” Capelli says the new version of the best practices guide will include ways to prevent emerging threats like insiders using backdoor accounts to siphon data. “We’ll talk about how insiders could be stopped using good account management,” she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Unisys Corp. (NYSE: UIS)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 8/3/2020
    Pen Testers Who Got Arrested Doing Their Jobs Tell All
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
    Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
    Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
    Register for Dark Reading Newsletters
    White Papers
    Cartoon Contest
    Current Issue
    Special Report: Computing's New Normal, a Dark Reading Perspective
    This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
    Flash Poll
    The Changing Face of Threat Intelligence
    The Changing Face of Threat Intelligence
    This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2020-08-05
    In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally ...
    PUBLISHED: 2020-08-05
    LimeSurvey 4.3.2 allows reflected XSS because application/controllers/LSBaseController.php lacks code to validate parameters.
    PUBLISHED: 2020-08-05
    USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.
    PUBLISHED: 2020-08-05
    IBM UrbanCode Deploy (UCD),,, and is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
    PUBLISHED: 2020-08-05
    CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered c...