Insider Threat Doubles; New Program Offers Assessments

Insider-borne attacks have doubled in the last year, according to a new report, and one organization is launching an assessment program to help enterprises protect themselves against them.

The Identity Theft Resource Center reported this week that nearly 16 percent of breaches so far this year came from insiders, up from 6 percent in 2007, and 11.7 percent came from attackers outside the company -- down from 14.1 percent last year.

Data stolen from laptops, thumb drives, and PDAs accounted for 20.2 percent of this year’s breaches so far, followed by accidental exposure by the organization (15.2 percent), and loss or theft by a subcontractor (13.5 percent).

The ITRC's data is consistent with other reports that insider incidents are on the rise. However, many experts point out that disclosure of all incidents is also on the rise, thanks largely to the legal requirements put in place by many states over the last year.

Carnegie Mellon Software Engineering Institute’s CERT Program, meanwhile, is about to roll out an insider risk assessment program pilot that helps organizations pinpoint where and how they’re vulnerable to an insider attack.

The program, which is based on data the CERT team has gathered from over 300 real-life data breaches caused by insiders, next year will be converted into a full-blown service, says Dawn Cappelli, lead for the insider threat team at the Carnegie Mellon Software Engineering Institute CERT Program. The goal is to eventually spin it off into an insider risk assessment software tool, she says.

Cappelli says her team has seen more and more insider attack cases. “There now there will be weeks when there are three or four of them,” she says. “But I don’t know if this is because of the new data breach laws, or if these numbers are increasing” overall, she says. Her team plans a new e-crime survey for later this year that should shed more light on that, she states.

While the ITRC report suggests that insider attacks are in the majority, a recent study by Verizon said that 73 percent of breaches were from “external sources,” although the report also attributed 18 percent of breaches to insiders, which nearly matches the ITRC numbers. Verizon's data linked external hacks to internal mistakes. (See Verizon Study Links External Hacks to Internal Mistakes.)

So why the apparent jump in insider attack numbers? "My opinion, culled from aggregating available data from breach studies and conversations with enterprises, is that the apparent increase in insider threats, at least statistically, is due to the fact that we are paying more attention to the issue driven by the availability and deployment of tools and compliance efforts,” says Christofer Hoff, chief security architect for Unisys. “Increased visibility delivers statistics that become more visible."

Whatever the cause for the spike, CERT’s Capelli says organizations are anxious to drill down and find out whether they’re susceptible to an insider attack. “We haven’t seen anything like this,” Capelli says of CERT’s new risk assessment pilot, which was built around details of the 250 real-world cases CERT evaluated on the specific vulnerability in the organization that was exploited, and the technology, processes, and legal issues associated with the breach.

“We came up with 1,600 distinct areas of concern” for insider attacks and folded them into a diagnostic “tool” for the assessments, Capelli says. One item, for example, analyzes how the company could detect and handle the discovery of a logic bomb planted on their network by an IT guy gone bad, she says.

The CERT team will go on-site at the two organizations that volunteered for the pilot program and interview people in key areas such as IT, security, HR, management, physical security, software engineering, and even the owners of data. The team then will come up with a detailed assessment of where the company is at risk of an insider threat. “We give them data that they can feed into their risk management process,” Capelli says.

Among the new threats Capelli’s team has seen in its research of late is an increase in keyloggers, or keystroke monitoring to steal credentials, and an increase in business partners involved in attacks.

CERT also plans to publish a third edition of its “Common Sense Guide for Prevention and Detection of Insider Threats.” Capelli says the new version of the best practices guide will include ways to prevent emerging threats like insiders using backdoor accounts to siphon data. “We’ll talk about how insiders could be stopped using good account management,” she says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.