
Philip Casesa
Securing the Weakest Link: Insiders

No longer is a hoodie-wearing malicious hacker the most obvious perpetrator of an inside cyber attack.

Massive, high-profile security breaches dominate today’s headlines and consumers are swamped with notifications from organizations entrusted with private and sensitive data.  But, increasingly, I am convinced that security professionals and the majority of security vendors are too focused on the wrong things.  

To many, it seems like the hoodie-wearing malicious hacker is the obvious enemy. We imagine that he (or she) has been sitting on a magical zero-day exploit, waiting for the perfect moment to strike. While this type of attack can happen, it isn't the most common form of attack that results in a breach; nor is it the biggest risk to your organization.

Let’s look at what defines an “insider.” An insider is any individual who has authorized access to corporate networks, systems or data. This may include employees, contractors, business partners, auditors or other personnel with a valid reason to access these systems.  Since we are increasingly operating in a connected fashion, businesses are more susceptible to insider threats than ever before.  The volume of critical data in organizations is exploding, causing more information to be available to more staff.  While this can boost productivity, it comes with inherent risks that need to be considered and mitigated, lest that privileged access be used against the organization. 


Mitigating risk is all about identifying weak points in the security program. The weakest point in any security program is people; namely, the insider. Insider threats can be malicious, but more commonly they are accidental. Insiders can have ill intent; they can also be manipulated or exploited; or they can simply make a mistake and email a spreadsheet full of client information to the wrong address. They can lose laptops or mobile devices with confidential data, or misplace backup tapes.

These types of incidents are real and happen every day. They can lead to disastrous results on par with any major external cyberattack. Traditionally, these threats are overlooked by most businesses because they are more concerned with the unknown malicious actor than with the known staff member or business partner. Organizations that share important data through a trusted relationship are sometimes reluctant to take the steps necessary to mitigate these threats, and put little to no emphasis on implementing security controls for insiders.

Those of you who believe that you can count on employees as a line of defense in the organization, think again. A recent SailPoint Technologies survey found that 27 percent of U.S. office workers at large companies would sell their work password to an outsider for as little as $100. Many years ago (in a 2004 BBC News article), users were willing to trade passwords for chocolate bars. With employee engagement levels as low as 30 percent in some organizations, asking employees to be a part of the solution may be asking too much.

Given the current insider situation, attackers need not resort to elaborate attack methods to achieve their objectives.  A 2016 Balabit survey indicates that the top two attacker techniques are social engineering (e.g., phishing) and compromised accounts from weak passwords.

There are a number of ways that insiders can cause damage.  In some cases, they are coerced by an outsider to extract data.  This is common when organized crime is involved.  In other cases, legitimate user access is used to extract data, but the user’s real credentials have been compromised and don't trigger security alerts focused on malware, compliance policies and account-brute-force attacks.

The good news is that organizations can do more now than ever before. Providers are responding with solutions that monitor email traffic, Web usage, network traffic and behavior-based patterns to help detect who in the organization is trustworthy and who may be a risk. If a staff accountant is exporting customer data at 3 a.m., that behavior is flagged as anomalous and security staff are alerted to a potential compromise. The employee who starts logging in later, leaving earlier and sending fewer emails to his manager may be disengaged or even disgruntled, and is worth keeping an eye on.
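As an added illustration (not code from the article or from any vendor it mentions) of the behavior-based rule the last two paragraphs describe, the block below learns each user's working-hours window from earlier audit events and flags later events outside it, escalating when the action is a sensitive data export that a malware- or brute-force-focused alert would never see. The log format, the user `jdoe` and the action names are constructed assumptions.

```python
from datetime import datetime

# Constructed audit log (not from the article), one "timestamp user action object" per line.
# The 04-11 and 04-12 entries form jdoe's baseline; 04-14 carries the 3 a.m. customer export.
AUDIT_LOG = """\
2016-04-11T09:12:04 jdoe login workstation-17
2016-04-11T10:30:41 jdoe export_report sales_summary
2016-04-11T17:42:19 jdoe logout workstation-17
2016-04-12T08:55:10 jdoe login workstation-17
2016-04-12T18:05:02 jdoe logout workstation-17
2016-04-14T03:04:12 jdoe login vpn
2016-04-14T03:09:45 jdoe export_customers customer_master
2016-04-14T09:01:27 jdoe login workstation-17
"""

# Hypothetical action names whose off-hours occurrence should page an analyst, not just log.
SENSITIVE_ACTIONS = {"export_customers", "bulk_download"}
TOLERANCE_HOURS = 1  # slack on either side of the observed working window

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, obj = line.split()
        events.append((datetime.fromisoformat(ts), user, action, obj))
    return events

def build_baselines(events, cutoff):
    """Per-user (earliest, latest) hour-of-day seen strictly before the cutoff."""
    baselines = {}
    for ts, user, _, _ in events:
        if ts >= cutoff:
            continue
        lo, hi = baselines.get(user, (ts.hour, ts.hour))
        baselines[user] = (min(lo, ts.hour), max(hi, ts.hour))
    return baselines

def flag_anomalies(events, cutoff_iso):
    """Return (timestamp, user, action, severity) for off-hours events on/after the cutoff."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baselines = build_baselines(events, cutoff)
    alerts = []
    for ts, user, action, _ in events:
        if ts < cutoff or user not in baselines:
            continue  # baseline period, or a user with no history yet (handle separately)
        lo, hi = baselines[user]
        if lo - TOLERANCE_HOURS <= ts.hour <= hi + TOLERANCE_HOURS:
            continue  # inside the user's usual hours: legitimate access looks like this too
        severity = "high" if action in SENSITIVE_ACTIONS else "low"
        alerts.append((ts.isoformat(), user, action, severity))
    return alerts
```

The 3 a.m. VPN login is reported as low severity and the customer export that follows it as high; the 9 a.m. login the same morning falls inside the learned window and produces nothing.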

Although this is a murky area, HR can be a security advocate, identifying employees with discipline issues who could fit a risk profile. While this may sound a little "big brother" in nature, some organizations may find it an appropriate way to mitigate the risks that come from insiders. Organizations without big security budgets still have some old-school mitigations available to them, such as employee awareness programs, employee background and reference checks, and exit interviews to gather information about attitudes toward the company and insights into working conditions.

The clear lesson here is that organizations must look past the perimeter and know what is happening inside the network, in addition to what is happening outside. The most likely enemy won't fit the stereotype: beware that the threat could very well come from within. 

Philip Casesa is one of the leading voices representing (ISC)², often commenting on high-profile cyberattacks, breaches and important cybersecurity topics. His expertise has been featured in Security Week, CIO, CSO, GovInfosecurity, Dark Reading, eSecurity Planet, Health ...
4/13/2016 | 3:19:58 PM
Very interesting article
Philip this is a well-written, interesting and informative piece.  I agree that some increase in focus on the threat within the perimeter is called for, and on the role HR can help play in keeping organizational security awareness high. 

Mike Tierney