
Security Experts Raise Alarm Over Insider Threats

Economic troubles raising the stakes on potential threats, FIRST members say

Security researchers and other experts are turning up the heat on insider threats, warning enterprises that the problem is growing and could prove devastating.

In preparation for its meeting in Japan next month, the Forum of Incident Response and Security Teams (FIRST) issued a press release in which its senior officers urge organizations to step up their efforts to protect themselves from insider attacks, saying that many are "ill-prepared for an onslaught which could prove calamitous."

"One of the greatest security threats of our times is from insiders, as organizations lay off tens of thousands of workers," said Scott McIntyre, a FIRST steering committee member and representative of the Netherlands-based KPN Computer Emergency Response Team (CERT). "People know the axe is coming, and the longer employers prolong the swing of that axe, the more danger they expose themselves to, either from sabotage or data theft. An employee who thinks he or she is [going to be laid off] can start fouling up systems which are critical to the organization, or decide to take an unauthorized pay-off by stealing a mass of data."

Yurie Ito, another FIRST steering committee member and director of Japan's JPCERT/CC, agreed. "Don't think you're safer once the employee is laid off and outside the wall," Ito warned. "A lot of these people know how the systems work -- they have the keys to the castle and they know where the secret doors are. Even when companies think they have taken the necessary steps by removing ID and changing passwords, these people have the knowledge and skill that means they still pose a threat. They are extremely dangerous."

Researchers and vendors outside of FIRST also say they are becoming concerned about the threats posed by those with knowledge of corporate systems, such as IT people and privileged users. "The most common insider threats are posed by everyday workers who might walk out with sensitive data on a USB drive," observes Eric Yoshizuru, evangelist at security vendor Symark. "But it's the privileged users who can do the most serious crimes against the organization."

A few years ago, most organizations "trusted their IT organizations to do the right thing," Yoshizuru says. But following a series of very public attacks involving IT people during the past few years, many organizations are beginning to implement tools and processes to protect themselves against threats posed both by employees and the IT people who support them, he notes.

"A lot of companies have been through the wringer with layoffs, and in many cases, the 'survivors' feel overworked, underpaid, and unappreciated," Yoshizuru says. "In some cases, these are people who understand the technical vulnerabilities of the company, but they are nervous -- if they see another layoff coming, they may be tempted to retaliate."

Tom Mullen, security chief for telco giant BT, says organizations must now regard some precautionary measures as a matter of urgency. Exit procedures should be scrutinized and rescrutinized, especially for employees whose severance was involuntary. "You simply must have thorough exit and monitoring plans in place, and these need to be very specific when you're dealing with employees who had any kind of access to critical systems or data," Mullen says. "You have to make sure that under no circumstances can a departing member of staff take any sensitive information out of the organization."

Many organizations are approaching the insider threat in much the same way that they approach the external threat: "How is somebody going to get in, what might they steal, and in the worst circumstances, how to restore from backups if outsiders do break in and crash something," notes Derrick Scholl, chair of the FIRST steering committee.

But these methods don't address the real damage that a determined insider might do, Scholl says. "Sure, an insider is capable of stealing corporate secrets, or customer lists, or destroying computers, but their potential for harm is far worse," he states. "Imagine a software company where an insider has the ability to change code in the product without being detected. What if the insider altered design documents or tampered with customer orders? Or ripped out hard drives and corrupted systems just as a big corporation was about to issue its quarterly bills to hundreds of thousands of customers? It's a totally different order of threat, and it requires a different way of thinking."

Organizations today must begin the process of separating duties and building checks and balances into their IT and administrative access schemes, Yoshizuru says. "That extends to systems like Salesforce.com, where the administrator may be outside the IT organization," he notes.

Yoshizuru says steps to prevent insider attack may also extend beyond the employee base. "With tough economic times, a lot of companies are bringing in contractors and temporary employees, but they aren't extending the tools and training to those employees that they do to their full-time workers," he observes. "That's a set of issues that companies should be looking at as well."

The 21st Annual FIRST conference will take place June 28 to July 3, 2009, at the Hotel Granvia in Kyoto, Japan.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
