Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Undoubtedly, every InfoSec professional has heard the argument that the perimeter was broken. That was so 1995. The new rage is to break the “human barrier.” You know, those things that run the companies. Increasingly, attackers are using social engineering to target a corporation’s most vulnerable asset: the human. From there attackers hack the systems and completely own the company from the inside out.

A while back, WHMCS, an online banking and bill paying company, was attacked by an outsider with real access credentials pretending to be an insider.  It turns out, the data base administrator for the organization was pretty active on social media. From basic profiling of his public information, attackers were able to garner the answers to his security questions. After a quick phone call and password reset, attackers were able to download 1.1 Gigabytes of credit card numbers and subsequently erased the servers just for kicks. A five-minute phone call opened the window of opportunity for a dox, which turned into total ownership.

That is just an outsider acting as an insider. What about an actual insider that has ill intent towards your company?

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Now that we’ve talked a bit about the scope of damage from insider threats it’s important for organizations to clearly understand how these threats manifest.AT&T recently disclosed that an employee was able to access and exfiltrate confidential and personal user information including social security and driver’s license numbers of thousands of customers. This is an example of a malicious insider attack, one in which the employees purposefully expose data.

Angry and disgruntled
In situations with malicious insiders, employees are either angry, disgruntled, or rogue. They are either on the way out or have already been fired and still have access to corporate logins. These attackers are extremely dangerous because they already know their way around the network and can easily access copious amounts of information, without raising a brow. While it seems little can be done about this type of insider attack, the 2014 Verizon Data Breach Report indicates that 85% of insider privilege misuse attacks used the corporate LAN. With the implementation and enforcement of access controls, network behavioral analysis, and security awareness training that encourages employees to report suspicious activity, these types of attacks can be limited.

The second type of insider threat stems from accidental data uploads, failure to dispose of documents securely, and complex interactions with unintended consequences. Regardless of how it happens, negligent insider attacks occur when employees accidentally expose data.

A negligent insider can also take the form of a partner or third-party that has been granted access and accidentally exposes data. How many breaches do we read about that were the results of a laptop, USB key, or file thrown away improperly, and that it contained thousands of records of sensitive data? These breaches are not malicious insiders, but an uneducated and thoughtless insider that causes harm to your company and to your clients.

I believe the only way for an organization to be successful in preventing insider attacks is to progress beyond the thought process that IT is responsible for all information security issues. In every case above, user education along with proper technical solutions can help reduce the results of insider threat.

You can start by asking yourself the following questions:

  • Are policies in place?
  • Does legal and senior management support IT practices?
  • Do these type of programs reward employees instead of scare them?
  • Do we conduct regular audits?

While this approach may seem unrealistic at first, I’ve seen first hand how global organizations can reduce the number of malware related incidents and shut down both insider and outsider threat with simple modifications to process and employee awareness. Organizations are only as strong as the weakest link — the humans. And as long as that simple fact remains true, attackers will always go after this low-hanging fruit. Make yourself, your employees, and your company not the easy pickings, and you might just have a chance of not being the next headline on Dark Reading.

Chris Hadnagy has over 16 years’ experience as a practitioner and researcher in the security field. His efforts in training, education, and awareness have helped to expose social engineering as the top threat to the security of organizations today. He established the world’s first social engineering framework at http://www.social-engineer.org/, providing an invaluable repository of information for security professionals and enthusiasts. That site grew into a dynamic web resource including a podcast and newsletter, which have become staples in the security industry and are referenced by large organizations around the world. Chris also created the first hands-on social engineering training course and certification, Advanced Practical Social Engineering, attended by law enforcement, military, and private sector professionals. A sought-after writer and speaker, he has spoken and trained at events such as RSA and Black Hat. He is also the best-selling author of two books: Social Engineering: The Art of Human Hacking and Unmasking the Social Engineer: The Human Element of Security.

[Source: DarkReading]

Palo Alto Networks Wins Mobile Security Solution of the Year

Palo Alto Networks recently won Mobile Security Solution of the Year at the 2014 Computing Security Awards in London, honoring GlobalProtect. 

Many thanks to everyone who voted. Check out photos from this year’s gala here — including our own Alex Raistrick and Steve Gerrard accepting the award!

Palo Alto Networks WildFire was also runner up for Anti Malware Solution of the Year.

Learn more

  • For more on GlobalProtect, check out our resources page here.
  • For more on Wildfire, head here.

[Source: Palo Alto Networks]

Dan Sweetman: When Angels Cry (feat. Christine Yandell)

Album: Everything That’s in My Heart
Year: 2008
Songwriters: Dan Sweetman

Life is a mystery
We’re living day to day
So many things can happen
Along the way
Moments of sadness and moments of tears
Moments we can’t forget throughout the years.

The day our heart’s broke
Was a day a nation cried
A day that will live on in our memories.
Remember their faces
Remember their love
We’ve got to believe
They’re looking down from up above.

[Chorus]

Angels cry when children die
A senseless aching pain
Emotions I can’t hold back
My tears are falling like rain.

I know why a parents cries
When innocence is lost
People talk about resolution
But who’s counting the cost
…When angels cry…

For those who are grieving
Comfort abounds
So many people filled with kindness all around.

How could this happen
So many question why
A Mom and her daughters whose lives have passed us by.

[Chorus]

Angels cry when children die
A senseless aching pain
Emotions I can’t hold back
My tears are falling like rain.

I know why a parents cries
When innocence is lost
People talk about resolution
But who’s counting the cost
…When angels cry.

I know that someday
All the answers will be clear…
But for now I pray their spirits will be near.

[Chorus]

Angels cry when children die
A senseless aching pain
Emotions I can’t hold back
My tears are falling like rain.

I know why a parents cries
When innocence is lost
People talk about resolution
But who’s counting the cost
…When angels cry.

English
Exit mobile version