Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:15 AM
Connect Directly
E-Mail vvv

Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Undoubtedly, every InfoSec professional has heard the argument that the perimeter was broken. That was so 1995. The new rage is to break the “human barrier.” You know, those things that run the companies. Increasingly, attackers are using social engineering to target a corporation’s most vulnerable asset: the human. From there attackers hack the systems and completely own the company from the inside out.

A while back, WHMCS, an online banking and bill paying company, was attacked by an outsider with real access credentials pretending to be an insider.  It turns out, the data base administrator for the organization was pretty active on social media. From basic profiling of his public information, attackers were able to garner the answers to his security questions. After a quick phone call and password reset, attackers were able to download 1.1 Gigabytes of credit card numbers and subsequently erased the servers just for kicks. A five-minute phone call opened the window of opportunity for a dox, which turned into total ownership.

That is just an outsider acting as an insider. What about an actual insider that has ill intent towards your company?  

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Now that we’ve talked a bit about the scope of damage from insider threats it’s important for organizations to clearly understand how these threats manifest. AT&T recently disclosed that an employee was able to access and exfiltrate confidential and personal user information including social security and driver’s license numbers of thousands of customers. This is an example of a malicious insider attack, one in which the employees purposefully expose data.  

Angry and disgruntled
In situations with malicious insiders, employees are either angry, disgruntled, or rogue. They are either on the way out or have already been fired and still have access to corporate logins. These attackers are extremely dangerous because they already know their way around the network and can easily access copious amounts of information, without raising a brow. While it seems little can be done about this type of insider attack, the 2014 Verizon Data Breach Report indicates that 85% of insider privilege misuse attacks used the corporate LAN. With the implementation and enforcement of access controls, network behavioral analysis, and security awareness training that encourages employees to report suspicious activity, these types of attacks can be limited.

The second type of insider threat stems from accidental data uploads, failure to dispose of documents securely, and complex interactions with unintended consequences. Regardless of how it happens, negligent insider attacks occur when employees accidentally expose data.  

A negligent insider can also take the form of a partner or third-party that has been granted access and accidentally exposes data. How many breaches do we read about that were the results of a laptop, USB key, or file thrown away improperly, and that it contained thousands of records of sensitive data? These breaches are not malicious insiders, but an uneducated and thoughtless insider that causes harm to your company and to your clients.

I believe the only way for an organization to be successful in preventing insider attacks is to progress beyond the thought process that IT is responsible for all information security issues. In every case above, user education along with proper technical solutions can help reduce the results of insider threat.   

You can start by asking yourself the following questions:

  • Are policies in place?
  • Does legal and senior management support IT practices?
  • Do these type of programs reward employees instead of scare them?
  • Do we conduct regular audits?

While this approach may seem unrealistic at first, I’ve seen first hand how global organizations can reduce the number of malware related incidents and shut down both insider and outsider threat with simple modifications to process and employee awareness. Organizations are only as strong as the weakest link -- the humans. And as long as that simple fact remains true, attackers will always go after this low-hanging fruit. Make yourself, your employees, and your company not the easy pickings, and you might just have a chance of not being the next headline on Dark Reading.

Chris Hadnagy has over 16 years' experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. He established the world's ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/21/2014 | 11:26:24 AM
malicious insiders
Not surprising that disgruntled employees are a primary source of insider attacks. But what measures can organizations take to identify and prevent them from doing damage? Aren't there civil rights laws that protect them? How proactive can security teams really be? 
User Rank: Apprentice
10/21/2014 | 1:56:20 PM
Finding a purposefully buried needle in a haystack
The post reminds me of Jeff Williams 2009 BlackHat report on Enterprise Java Rootkits, "Hardly anyone watches the developers." According to SANS, "There is no quick and inexpensive method to ensure that malicious code is prevented." But there are some things to keep in mind when undertaking a malicious code review:

·Establish Your Scope. Your team can't possibly review all of the code in your organization. As it is, finding malicious code is like finding a needle in a haystack. Narrow the haystack and you improve your chances of finding the proverbial needle.

·Allow Ample Time. Injectors of malicious code didn't write it on a whim. Discovering it will take more than one pass through the code, so allow your team ample time to ensure their results.

·Train Your Team. Having the latest and greatest tools in application security is nice; knowing how to use them is even better. Encourage your team to learn the ins and outs of the technology so they can use it to its fullest potential.
Franois Amigorena
Franois Amigorena,
User Rank: Author
10/24/2014 | 5:59:38 AM
'Zero trust' models are the way forward

Agree that all the technology solutions in the world cannot solve every problem, and that every organisation is only as strong as its weakest link. However technology does have a place in educating and moderating human behaviour, and our research findings have shown that even supposedly 'educated' users still make mistakes. 

Which is why there's a strong argument for a 'zero trust' model. Using technology like UserLock to funnel your users into working within your security policies, with little to no room for manoeuvre, can educate employees into following company policy. 

Rather than the traditional security model that views everything on the inside of the network as 'trusted', and everything off the network as 'not trusted', leaving it open to internal misuse, that distinction isn't made. With the zero trust model an organisation can benefit from a 'never trust, always verify' principle and therefore enable better access security for all authenticated users." 

User Rank: Apprentice
10/24/2014 | 6:43:17 AM
Re: 'Zero trust' models are the way forward
Zero Trust can only fail.

I'm sorry to contradict you in such strong terms, but Zero trust can only fail. Unless you lock employees out of the network, there will always be scope for negligence, user error and access creep.

My favorite saying is there is no technical fix for the human problem. There are only human ones.

My view is, trust your employees, as adults and partners in creating value. Most insider attacks (if they are not actual infiltration (Deliberately getting hired to be on the inside) are motivated by feeling of being disempowered and disillusioned.

If you don't trust your employees, why should they protect your business. Educate and empower them, recruit them as allies against malicious outsider action, and you will be far more successful. Reward them for highlighting vulnerable system and help them understand what they personally stand to loose from breaches.

Employees will be far more motivated to follow corporate policy if they understand the consequences to them personally (New job?)

And before you respond that this is idealistic or impractical, this is the reality. Every employee is the guardian of value within your business. The sooner businesses realise that the better.


Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
10/24/2014 | 7:48:46 AM
Re: 'Zero trust' models are the way forward
Sounds llike you have awesome employees, @TMILLARSL4. But the cynic in me thinks that there is more to your strategy than kumbaya. What exactly do you do in your organization to educate and empower people  that makes them allies in the battle against malicious outsiders?  
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.