
5/22/2009 12:25 PM

Tech Insight: How To Protect Your Organization From Malicious Insiders

New report offers insights on how to keep the bad apples from spoiling your company's whole barrel of data

A Special Analysis For Dark Reading

Excerpted from "Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization," a new, downloadable report posted today on the Dark Reading Insider Threat Tech Center.

In our last Dark Reading Insider Threat Tech Center report, "Well-Meaning Employees -- And How To Stop Them," we discussed the most common breaches that originate from within the organization -- those that are caused by well-meaning employees who innocently or unknowingly violate security policies in an effort to get their jobs done. Now it's time to discuss the most unusual -- but perhaps the most dangerous -- insider threat: the employee who knowingly breaks security policy to achieve a selfish or malicious end.

Deliberate insider threats fall into three main areas:

  • theft for financial gain;
  • system or data sabotage, usually to "get revenge" or gain attention; and
  • theft to gain a competitive advantage, sometimes called corporate espionage.

Theft for financial gain is one of the most common malicious threats today, particularly given the poor economic climate, and usually involves an insider abusing access privileges to steal personal data or customer lists that can be sold to criminals. This type of theft is usually carried out by a nontechnical end user who has everyday access to sensitive information.

Sabotage, on the other hand, is most often committed by savvy IT staffers who know how to damage the company's data. And theft for competitive advantage may involve stealing sensitive data, such as customer lists, or intellectual property, such as plans or designs.

What's amazing about all of these malicious insider attacks is that the majority of the breaches occur within a few weeks of the day that an employee resigns or is terminated.

According to most experts, enterprises in 2009 will be hit with an increase in all three major categories of insider threats. Sadly, though, most companies don't have anyone focusing on the insider threat -- malicious or otherwise -- even though the security industry has been talking about it for years.

What can you put into place to help prevent the insider threat from breaching your enterprise in 2009? Several best practices exist, but they all have one common bond: You must actually look at the reports your systems generate! Many insider attacks go unnoticed simply because no one is watching while the attacker builds the tools and workarounds needed to carry them out.

There's a lot to be said for security awareness training, too. Some companies don't believe in it, while others don't do it well, but in my practice as a security consultant I have seen training lead to some incredible cultural changes within organizations -- and significantly reduce the risk of an insider attack. In the case of malicious insiders, the education is not targeted at the user -- who clearly doesn't care about security policy and is bent on breaking it -- but at the insider's potential colleagues, who might recognize the warning signs that a co-worker is about to go bad and need to know what to do about it.

When I discuss insider threat technology with clients, I teach them this mantra: "If you can't prevent it, you must detect it." Simply put, if you identify a risk, then you should attempt to prevent it. But if you can't prevent it, then implement a detection technology that can at least help you determine how and when it happened. Many organizations focus too heavily on policy and don't implement the technology required to enforce it.

Detection, in fact, plays a critical role in all risk controls, and network and operating system logging is vital. According to CERT, 68 percent of theft for competitive advantage takes place within three weeks of an employee leaving his/her job. Logging can help detect this activity. Disgruntled employees often act out of the norm by creating unknown accounts, setting up backdoor connections, and engaging in other behaviors that proper logging can detect.
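One way to turn that logging advice into a concrete check, as an added example that is not from the report or from Dark Reading: the script below correlates a constructed HR departure list with constructed audit log lines and flags account creations inside the three-week window, new accounts that nobody provisioned, and logins that use them. The log format, field names, roster and departure dates are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit lines (syslog-style key=value), not taken from the report.
SAMPLE_LOG = """\
2009-05-01T09:12:00 host=fs01 event=login actor=jsmith src=10.0.0.5
2009-05-02T22:41:00 host=fs01 event=user_add actor=jsmith target=svc_backup2
2009-05-03T23:05:00 host=fs01 event=login actor=svc_backup2 src=203.0.113.9
2009-05-04T10:00:00 host=fs01 event=user_add actor=itadmin target=newhire01
2009-05-30T08:00:00 host=fs01 event=user_add actor=jsmith target=svc_tmp
"""

# Constructed HR feed: user -> date the resignation/termination was recorded.
DEPARTURES = {"jsmith": datetime(2009, 5, 1)}
# Constructed roster of accounts that HR and IT actually provisioned.
KNOWN_ACCOUNTS = {"jsmith", "itadmin", "newhire01"}
# Three-week window, matching the CERT figure quoted in the article.
WINDOW = timedelta(days=21)


def parse_line(line):
    """Turn '2009-05-01T09:12:00 k=v k=v ...' into a dict with a parsed timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_alerts(log_text, departures=DEPARTURES, known=KNOWN_ACCOUNTS, window=WINDOW):
    """Return (rule, timestamp, actor, detail) tuples for events worth a human review."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        actor, event, target = ev.get("actor"), ev.get("event"), ev.get("target")
        # Rule 1: account creation by someone on the departure list, inside the window.
        left = departures.get(actor)
        if event == "user_add" and left and left <= ev["ts"] <= left + window:
            alerts.append(("departing-user-account-creation", ev["ts"], actor, target))
        # Rule 2: a new account that matches nothing HR/IT provisioned.
        if event == "user_add" and target not in known:
            alerts.append(("unknown-account-created", ev["ts"], actor, target))
        # Rule 3: a login with an account nobody provisioned (possible backdoor in use).
        if event == "login" and actor not in known:
            alerts.append(("unknown-account-login", ev["ts"], actor, ev.get("src")))
    return alerts


if __name__ == "__main__":
    for rule, ts, actor, detail in find_alerts(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {rule:32} actor={actor} detail={detail}")
```

The fifth sample line falls outside the 21-day window, so only the unknown-account rule fires on it; in practice the departure feed would come from HR and the roster from the identity system rather than from literals.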

Aside from logging, there are several other technologies you can use to help detect and mitigate the threat of malicious insider attacks. To find out more about them, download the full report from the Dark Reading Insider Threat Tech Center.

Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of ...
