

01:05 AM

Watch The Watchers: 'Trusted' Employees Can Do Damage

A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely

Many aspects of insider attacks have remained constant over nearly the past decade. Roughly half of all companies record an insider incident, about three-quarters do not report the event to law enforcement, and firms typically are split about whether their insider attacks are more damaging than their external compromises.

Yet a report on insider fraud in the financial industry published earlier this year marks a potential departure from the past: More than half of all fraud incidents involved a manager or other trusted employee, an increase over prior years, according to the Software Engineering Institute (SEI) at Carnegie Mellon University. Considering that incidents involving managers caused $200,106 in actual damage on average, nearly double that of incidents involving non-managers, companies should avoid giving managers carte blanche access to their systems.

"Organizations need to focus on managers who may be involved in a fraud event," says Randy Trzeciak, technical team lead for Insider Threat Research Team at SEI's Computer Emergency Response Team (CERT). "Is there anyone really watching the person who is supposed to be watching for fraud being committed in their particular organization?"

Rogue managers not only cause more damage, but they are able to get away with the crimes longer, according to the report. The average crime committed by a manager lasted nearly three years, almost double the 18 months that non-managers were able to conduct their crimes.

The report, funded by the Department of Homeland Security, studied 80 cases of insider fraud in the financial sector provided to CERT by the U.S. Secret Service. The researchers studied 67 insider fraud attacks and 13 external incidents, finding that most fraud was not very technically sophisticated, and while log files and monitoring appear to aid in detecting external breaches, most insider attacks were detected through an audit, customer complaint, or a suspicious co-worker.


CERT researchers have classified insider attacks into three broad groups: IT sabotage destroys a valuable asset, intellectual property theft aims to steal information of business value, and fraud uses insider access for illicit, personal gain. The report focused on the last category.

In a previous report, CERT found that, while companies see three times more external incidents than internal incidents, nearly half -- 46 percent -- considered attacks by insiders more damaging than those by outsiders.

"We do believe that organizations are becoming more aware of the insider threat problem," Trzeciak says. "Many organizations that we talked to do recognize insiders as a threat to their data and organizations."

Other reports have noted the same concern. In its 2012 Trust, Security & Passwords survey, security firm Cyber-Ark polled 820 IT managers and found that 71 percent considered insiders a more critical threat than external hackers.

In the past, insiders had most often made off with customer lists, says Adam Bosnian, executive vice president for corporate development at Cyber-Ark. Yet the firm's recent survey found that most IT managers believed that privileged user accounts were more likely to be targeted.

"We ascribe that to, if I get the customer lists, that's a one-and-done sort of thing. If I have the customer list, I can take it to my next company or sell it, and that's it," he says. "If I have the credentials list, that lets me do a lot more follow-on stuff."

Solutions are more about process and people, says Sam Curry, chief technology officer for identity and data protection at RSA. Technology has to keep the attackers guessing, whether they are internal employees or external attackers.

"Simply staring at where the money went last time is not going to tell you where the money will go this time," Curry says. "The best way to defeat attackers is to keep the cost to break [your defenses] high. And keep the bad guys having to adapt to you, rather than trying to detect them based on last year's tactics."

Cyber-Ark's Bosnian sees the problem in terms of providing a better solution. Software that discovers and monitors privileged systems and privileged users can help keep a company aware of potential insider threats and even detect an attack when it occurs.

Companies need to determine what assets they have that are valuable and could be accessed or harmed by an insider. Then they need to find who has access to the systems and who really needs to have access. A good way to do that is to change the credentials on important accounts -- such as administrator and root accounts, but also accounts used by services that could be co-opted -- and see who complains, Bosnian says.

"People come out of the woodwork, saying, 'What happened? I can't get into the database anymore,'" he says. "Take control of the credential, change the credential, and you will find out who still has access."
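Bosnian's "change the credential and see who complains" step can be made systematic by correlating authentication failures against the list of rotated accounts. The script below is an added example, not code from the article or from Cyber-Ark; the log format, host names, account names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog-like); not taken from the article.
SAMPLE_LOG = """\
2012-09-19T23:50:00 dbhost01 auth: FAILED login user=root src=10.0.9.3 svc=ssh
2012-09-20T09:00:12 dbhost01 auth: FAILED login user=root src=10.0.5.21 svc=ssh
2012-09-20T09:01:44 dbhost01 auth: FAILED login user=svc_backup src=10.0.7.9 svc=db
2012-09-20T09:03:10 dbhost01 auth: OK login user=alice src=10.0.5.40 svc=ssh
2012-09-20T10:15:02 dbhost01 auth: FAILED login user=root src=10.0.5.21 svc=ssh
2012-09-20T11:30:55 dbhost02 auth: FAILED login user=svc_backup src=10.0.7.9 svc=db
2012-09-20T12:00:00 dbhost02 auth: FAILED login user=bob src=10.0.5.77 svc=ssh
"""

# One regex for the constructed line format above (hypothetical format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>OK|FAILED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)


def post_rotation_failures(log_text, rotated_accounts, rotated_at):
    """Map each rotated account to {(host, source): failed-login count}
    observed after the rotation timestamp. Each (host, source) pair is a
    system or person still holding the old credential and worth a follow-up."""
    cutoff = datetime.fromisoformat(rotated_at)
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skipped, not counted
        if m["result"] != "FAILED" or m["user"] not in rotated_accounts:
            continue  # successes and non-rotated accounts are irrelevant here
        if datetime.fromisoformat(m["ts"]) < cutoff:
            continue  # failures before rotation say nothing about old-credential use
        report[m["user"]][(m["host"], m["src"])] += 1
    return {user: dict(sources) for user, sources in report.items()}


if __name__ == "__main__":
    rotated = {"root", "svc_backup"}  # constructed list of rotated privileged accounts
    for user, sources in post_rotation_failures(SAMPLE_LOG, rotated, "2012-09-20T09:00:00").items():
        for (host, src), n in sources.items():
            print(f"{user}: {n} failed login(s) on {host} from {src} since rotation")
```

Every entry in the output is a holder of the old credential that the access review missed; legitimate ones get the new credential through the proper channel, and the rest are the ones to investigate.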

User Rank: Moderator
9/26/2012 | 2:10:58 AM
re: Watch The Watchers: 'Trusted' Employees Can Do Damage

The fact that rogue managers not only caused more damage but that they were able to get away with their crimes for so long should give most organizations pause. The insider threat not only impacts the financial sector, but every business that values its IP, customer data and financial health. Your article presents some excellent advice for keeping potential bad actors guessing, whether they are internal or external. Database activity monitoring and protecting data with encryption that applies fine grained access controls are two other methods that enterprises should consider.
