
Security Experts Raise Alarm Over Insider Threats

Economic troubles raising the stakes on potential threats, FIRST members say

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating for many of them.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

Yurie Ito, another FIRST steering committee member and director of Japan's JPCERT/CC, agreed. "Don't think you're safer once the employee is laid off and outside the wall," Ito warned. "A lot of these people know how the systems work -- they have the keys to the castle and they know where the secret doors are. Even when companies think they have taken the necessary steps by removing ID and changing passwords, these people have the knowledge and skill that means they still pose a threat. They are extremely dangerous."

Researchers and vendors outside of FIRST also say they are becoming concerned about the threats posed by those with knowledge of corporate systems, such as IT people and privileged users. "The most common insider threats are posed by everyday workers who might walk out with sensitive data on a USB drive," observes Eric Yoshizuru, evangelist at security vendor Symark. "But it's the privileged users who can do the most serious crimes against the organization."

A few years ago, most organizations "trusted their IT organizations to do the right thing," Yoshizuru says. But following a series of very public attacks involving IT people during the past few years, many organizations are beginning to implement tools and processes to protect themselves against threats posed both by employees and the IT people who support them, he notes.

"A lot of companies have been through the wringer with layoffs, and in many cases, the 'survivors' feel overworked, underpaid, and unappreciated," Yoshizuru says. "In some cases, these are people who understand the technical vulnerabilities of the company, but they are nervous -- if they see another layoff coming, they may be tempted to retaliate."

Tom Mullen, security chief for telco giant BT, says organizations must now regard some precautionary measures as a matter of urgency. Exit procedures should be scrutinized and rescrutinized, especially for employees whose severance was involuntary. "You simply must have thorough exit and monitoring plans in place, and these need to be very specific when you're dealing with employees who had any kind of access to critical systems or data," Mullen says. "You have to make sure that under no circumstances can a departing member of staff take any sensitive information out of the organization."

Many organizations are approaching the insider threat in much the same way that they approach the external threat: "How is somebody going to get in, what might they steal, and in the worst circumstances, how to restore from backups if outsiders do break in and crash something," notes Derrick Scholl, chair of the FIRST steering committee.

But these methods don't address the real damage that a determined insider might do, Scholl says. "Sure, an insider is capable of stealing corporate secrets, or customer lists, or destroying computers, but their potential for harm is far worse," he states. "Imagine a software company where an insider has the ability to change code in the product without being detected. What if the insider altered design documents or tampered with customer orders? Or ripped out hard drives and corrupted systems just as a big corporation was about to issue its quarterly bills to hundreds of thousands of customers? It's a totally different order of threat, and it requires a different way of thinking."

Organizations today must begin the process of separating duties and building checks and balances into their IT and administrative access schemes, Yoshizuru says. "That extends to systems like Salesforce.com, where the administrator may be outside the IT organization," he notes.

Yoshizuru says steps to prevent insider attack may also extend beyond the employee base. "With tough economic times, a lot of companies are bringing in contractors and temporary employees, but they aren't extending the tools and training to those employees that they do to their full-time workers," he observes. "That's a set of issues that companies should be looking at as well."
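The exit and monitoring plans Mullen describes, and Yoshizuru's point that contractors and temporary staff are often left out of them, come down to a reconciliation that can be scripted. The following is an added example, not code from the article, FIRST, or any of the vendors quoted: it takes an HR roster with departure dates, the set of accounts still enabled in a directory or SaaS admin console, and an authentication log, and reports accounts that remain enabled after the owner departed, enabled accounts with no roster owner at all, and any logins or login attempts recorded after a departure date. The roster, account list, log format and all names in it are constructed for the example.

```python
"""Offboarding reconciliation (added example, not from the article).

Flags three things a departure review should catch:
  1. accounts still enabled although the owner has left,
  2. enabled accounts that no roster entry owns (orphaned/secondary accounts),
  3. authentication events after the owner's departure date.
All data below is constructed; the log format is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    user: str
    departed: Optional[date]   # None means still employed / engaged
    worker_type: str           # "employee" or "contractor"


# Constructed HR roster: one row per person, contractors included.
ROSTER: List[Person] = [
    Person("alice", None, "employee"),
    Person("bob", date(2009, 5, 1), "employee"),
    Person("carol", date(2009, 5, 15), "contractor"),
    Person("dave", None, "contractor"),
]

# Constructed export of accounts currently enabled in the identity store.
ENABLED_ACCOUNTS: Set[str] = {"alice", "bob", "carol", "dave", "carol-admin"}

# Constructed auth log, assumed format: "<ISO timestamp> <user> <system> <result>".
AUTH_LOG = """\
2009-04-30T17:55:00 bob billing-db login_ok
2009-05-02T02:14:00 bob billing-db login_ok
2009-05-03T09:00:00 alice crm login_ok
2009-05-20T22:41:00 carol crm login_ok
2009-05-21T08:10:00 carol crm login_fail
"""


def parse_auth_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (timestamp, user, system, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, system, result = line.split()
        events.append((datetime.fromisoformat(ts), user, system, result))
    return events


def stale_enabled_accounts(roster: List[Person], enabled: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (stale, orphaned): stale = enabled accounts whose owner has departed,
    orphaned = enabled accounts with no roster owner at all."""
    by_user = {p.user: p for p in roster}
    stale, orphaned = [], []
    for acct in sorted(enabled):
        owner = by_user.get(acct)
        if owner is None:
            orphaned.append(acct)
        elif owner.departed is not None:
            stale.append(acct)
    return stale, orphaned


def post_departure_access(roster: List[Person], events) -> List[Tuple[str, str, str, str, str]]:
    """Return every auth event (successful or failed) dated strictly after the
    user's departure date, as (user, worker_type, system, result, timestamp)."""
    by_user = {p.user: p for p in roster}
    findings = []
    for ts, user, system, result in events:
        owner = by_user.get(user)
        if owner is not None and owner.departed is not None and ts.date() > owner.departed:
            findings.append((user, owner.worker_type, system, result, ts.isoformat()))
    return findings


if __name__ == "__main__":
    stale, orphaned = stale_enabled_accounts(ROSTER, ENABLED_ACCOUNTS)
    print("still enabled after departure:", stale)
    print("enabled with no roster owner:", orphaned)
    for user, kind, system, result, when in post_departure_access(ROSTER, parse_auth_log(AUTH_LOG)):
        print(f"post-departure {result} by {user} ({kind}) on {system} at {when}")
```

Two design points worth noting. Failed logins after departure are reported alongside successful ones, because an attempt by a disabled account is itself evidence that the person is still trying to get in. And the orphaned-account check is what catches secondary or admin accounts (the constructed `carol-admin` here) that a roster-driven disable step would never touch; those are exactly the "secret doors" Ito describes.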

The 21st Annual FIRST conference will take place June 28 to July 3, 2009, at the Hotel Granvia in Kyoto, Japan.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.