    Detecting Malicious Insiders Before Data Breaches Damage Your Business

    By
    Brian Prince
    -
    April 6, 2010

      As intriguing as the idea of a mysterious cyber-criminal hacking his way into a corporate network sounds, the majority of data breaches are the work of insiders.

      An employee copies data to a USB device and leaves it in a cab; a contractor misplaces a CD with customer information. These are common causes of data breaches. But sometimes it is not an accident, and rather than a master criminal scaling the network perimeter, it is a sullen systems administrator causing the havoc.

      Dawn Cappelli knows that well. As the technical lead of CERT’s insider threat research at Carnegie Mellon’s Software Engineering Institute, she has analyzed 450 cases of malicious insiders in search of common threads that businesses can use to develop security strategies. Activity by malicious insiders, she said, can be broken down into three categories: IT sabotage, theft of IP (intellectual property) and fraud.

      “If you look at these crimes, you can’t detect it with technology alone because a system administrator is going to use his authorized access to do what he does everyday and you can’t tell if it’s malicious or not unless you know when to look,” Cappelli said. “Theft of IP: these people are going to take what they work on everyday. They are going to use their authorized access. Unless you put a strategy together that looks at the people, the process and the technology, it’s going to be very hard to detect these things.”

      In the case of IT sabotage, the incidents are typically committed by someone such as a systems administrator who has privileged access, she said, adding that many of these crimes occur after the person has been terminated. Before leaving, the person will often create a back-door account so as to be able to enter the network remotely later on. Because it is not abnormal for administrators to create accounts, the act by itself is unlikely to raise red flags. Detecting these situations relies on a mix of technology and people, starting with communication between human resources and IT when a disgruntled employee is about to be terminated and warrants closer attention: the HR signal is what turns a routine account-creation event into something worth reviewing.

      “In all of these cases that we have of insider IT sabotage, we don’t have a single case where people said, ‘Oh, he was such a nice guy, I can’t believe he ever would have done anything like that,’” Cappelli said. “In all of these cases, it’s the person who, they don’t get along with people, they cause trouble at work … and as soon as you see somebody who’s disgruntled you can’t immediately say, ‘Uh-oh, you know what, they might attack.’ You’re looking for this escalation where it gets worse and worse and they don’t get over it like most people do.”

      Communication between human resources and IT can only go so far, of course. Technologies such as logging, activity monitoring and change management also have a key role to play.

      Stealing Sensitive Data as They Leave

      Typically, “When we see an insider employee involved in a breach, we see that privileges and user rights have not been well-defined, and that the employee has a toxic combination of privileges that allows them access to data that is not required to perform their job,” said Thom VanHorn, vice president of global marketing at Application Security. “Implementing best practices and setting up privileges and user rights that provide only the access necessary for the employee’s daily job tasks as well as continuously monitoring user rights goes a long way toward preventing insider attacks.”

      This can certainly be true if someone tries to violate access policies. However, in the breaches she has analyzed, Cappelli said, insiders stealing IP are typically after things they have been working on as they prepare to walk out the door for a new job.

      “They are typically scientists, programmers [and] engineers, although about 29 percent of them were salespeople who stole customer information,” she said. “But most of them are technical people … who steal what they work on. So, ‘I’m a scientist, I’ve been working on these chemical formulas … I’m a programmer, I’ve been working on this source code,’ and that’s what they tend to steal. They typically do this using authorized access, during normal working hours, at work.”

      Most steal the information as they are leaving, within 30 days of their resignation, Cappelli said.

      “If you know this person’s resigned, look back 30 days and look at what they have been putting on removable media,” she said. “Look in your e-mail logs and see what [he or she has] been emailing outside of the network, and make sure that you don’t see anything in there that indicates that they may be stealing your IP.”
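      The two detection strategies Cappelli describes, the HR-informed review of back-door account creation by a soon-to-be-terminated administrator and the 30-day look-back on removable media and outbound e-mail for a resigning employee, are shown below as one worked example. This is an added illustration, not CERT’s or the article’s code. The audit-event format, the event types (account_create, vpn_login, usb_write, email_out), the HR roster feed and every user, account and file name in it are constructed for the example; a real deployment would read these from the directory, endpoint and mail logs the organization already keeps.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample audit events (not real logs). One event per line:
# <ISO timestamp> <actor> <event type> <detail...>
SAMPLE_LOG = """\
2010-01-15T10:00:00 asmith usb_write /Projects/formula_v3.xlsx 1.9MB
2010-03-02T10:15:00 jdoe account_create svc_backup2
2010-03-03T09:00:00 asmith usb_write /Projects/formula_v7.xlsx 2.1MB
2010-03-08T14:20:00 jdoe account_create maint_admin
2010-03-11T23:40:00 maint_admin vpn_login 203.0.113.7
2010-03-20T16:05:00 asmith email_out personal@example.net src_tree.zip 48MB
2010-03-21T11:00:00 bwhite usb_write /Public/holiday_party.pptx 5MB
2010-03-22T09:30:00 cjones account_create svc_monitor
"""

# Constructed HR roster: the HR-to-IT feed the article says detection starts with.
# user -> (status, effective date). status is active / flagged / terminated / resigned.
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "jdoe":   ("terminated", date(2010, 3, 10)),  # disgruntled admin, escalating disputes
    "asmith": ("resigned",   date(2010, 3, 25)),  # gave notice, leaving for a competitor
    "bwhite": ("active",     None),
    "cjones": ("active",     None),               # admin with no HR flag: creating accounts is his job
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    kind: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, kind, detail = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), actor, kind, detail))
    return sorted(events, key=lambda e: e.ts)


EVENTS = parse_log(SAMPLE_LOG)


def backdoor_account_alerts(events: List[Event], roster, window_days: int = 30) -> List[str]:
    """IT-sabotage pattern. Account creation by an admin is normal, so the check is
    keyed on the HR feed: (1) accounts created by a flagged or terminated admin in the
    window before separation are queued for review; (2) any remote login to such an
    account after the creator's separation date is the back-door in use."""
    alerts = []
    created_by = {}  # new account name -> (creator, creation time)
    for e in events:
        if e.kind != "account_create":
            continue
        new_acct = e.detail.split()[0]
        created_by[new_acct] = (e.actor, e.ts)
        status, eff = roster.get(e.actor, ("unknown", None))
        if status in ("flagged", "terminated") and eff is not None \
                and eff - timedelta(days=window_days) <= e.ts.date() <= eff:
            alerts.append(f"review: {e.actor} ({status} {eff}) created account "
                          f"{new_acct} on {e.ts.date()}")
    for e in events:
        if e.kind in ("vpn_login", "ssh_login") and e.actor in created_by:
            creator, _ = created_by[e.actor]
            status, eff = roster.get(creator, ("unknown", None))
            if status == "terminated" and eff is not None and e.ts.date() > eff:
                alerts.append(f"ALERT: account {e.actor}, created by terminated admin "
                              f"{creator}, used on {e.ts.date()} from {e.detail}")
    return alerts


def departure_lookback(events: List[Event], roster, user: str, days: int = 30) -> List[Event]:
    """IP-theft pattern. For a user HR reports as resigned, return removable-media
    writes and outbound mail from `days` before the resignation date onward; activity
    after notice is kept too, since the employee is still on the premises."""
    status, eff = roster.get(user, ("unknown", None))
    if status != "resigned" or eff is None:
        return []
    start = eff - timedelta(days=days)
    return [e for e in events
            if e.actor == user and e.kind in ("usb_write", "email_out")
            and e.ts.date() >= start]


if __name__ == "__main__":
    for a in backdoor_account_alerts(EVENTS, HR_ROSTER):
        print(a)
    for e in departure_lookback(EVENTS, HR_ROSTER, "asmith"):
        print(f"lookback asmith: {e.ts} {e.kind} {e.detail}")
```

      Two design points follow directly from the interview. Neither check fires on an unflagged administrator (cjones), which is the "you can’t detect it with technology alone" point: the same account_create event is noise or a lead depending only on what HR has told IT. And the look-back deliberately drops asmith’s January USB write, which is older than the window; the analyst asks for 30 days because that is where the cases cluster, and widening it trades signal for volume.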

      Fraud cases are typically carried out by employees who stay at the company, as opposed to someone who has been fired or is leaving, she said. These people are typically recruited by outsiders to steal or modify information they have access to for pay, and often hold low-level jobs such as data entry, she added.

      The good news, if it can be called that, is that most data breaches involving insiders are not malicious at all. In fact, a November survey of 305 IT decision makers by Forrester Research found that roughly 58 percent of the data leak incidents they experienced in the last two years were caused by an employee accident, such as a lost smartphone. Meanwhile, only about 27 percent of the incidents involved an employee, customer service representative or business partner stealing information or abusing access privileges.

      “Most insider data breaches are in some way related to a lack of awareness on the part of the employee responsible for the breach,” said Mike Spinney, senior privacy analyst at the Ponemon Institute. “They either did something they didn’t know was risky behavior, violated a policy they weren’t aware of or lacked simple vigilance. Certainly there is always an element of malicious behavior, but for the most part folks are simply doing things without fully comprehending the potential risk.”

      Though he eschews the term “insider threat” as being overhyped, Forrester Research analyst Andrew Jaquith said companies need to begin their security strategy by identifying the most valuable data, creating a list of data security risks and examining the balance between corporate policy and compliance.

      “Our advice, generally, is that companies need to think holistically about the range of risks to their data, whether they are to ‘custodial’ data like [Social Security numbers] or credit card numbers, or to corporate secrets,” Jaquith said. “The approaches that are needed to secure each are usually very different. Technology can help with the accidental stuff, but it’s harder with malicious cases.”
