NCSAM: Trust abused - looking at threats from the inside

To kick off The Tech Herald’s coverage of National Cyber Security Awareness Month, we start by looking at threats from the inside. To do this, we spoke to Noa Bar Yosef, the senior security strategist at Imperva.

Often when a company suffers a loss as the direct result of a breach, the first reaction from the public is to look for external threats. For most organizations, the first reaction is to look within, starting a breach investigation by clearing those with access first. This seems like an obvious flow to an investigation, but it isn’t always the case, and when an insider causes the damage, the cleanup can be painful.

Abused trust often starts with a change. For some, this change is mounting pressure over bills, or pressure to compete with other employees. Sometimes, abused trust is due to greed, and the chance to do something that seems minor in return for a quick payoff. Take, for example, the Disney employee who was tasked with publishing financial earnings and was later convicted of insider trading.

Then there is the worst kind of insider threat, one that comes as an act of revenge, such as from an employee who was recently fired, or one who knows the axe is coming. In these cases, the employee will simply snatch all of the information they can, and hope to use it as leverage down the line. Some don’t see this as theft. They worked at a business for years, so the work is theirs to keep.

“An employee leaving the company - whether this was a termination by the company or the sense to leave, [might] attempt to access all documents considered to be under [their] ownership,” Yosef explained.

Managers are fighting an invisible threat. No business wants to hold its employees at a distance, making it clear that if there is any trust at all placed in them, it’s minuscule. You have to trust them. Still, there have been plenty of cases where trust has been abused. So what are the signs of an insider threat?

One is the access itself. If an organization notices sudden spikes in downloads from the file server, or abnormal traffic to an internal development server, this is a red flag, Yosef explained. Such was the case of a DuPont employee who was indicted in 2007, after walking off with $400 million worth of company data.

An organization should also notice activities during questionable times. For example, why would a DMV worker be accessing records during the weekend, given that the branch is closed?

Unauthorized attempts to reach departmentalized data should be questioned, such as developers trying to access HR systems. So should suspicious failed activities, like a high number of invalid login attempts.
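The red flags listed above (download spikes, off-hours access, cross-department access, bursts of failed logins) can be checked mechanically once data access is logged. The following is an added example, not code from the article or from Imperva; the log layout, user names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SPIKE_FACTOR = 5           # assumed: a day's volume > 5x the user's median day
WORK_HOURS = range(7, 19)  # assumed business hours, Monday to Friday
MAX_FAILED = 5             # assumed: failed logins per user per day

# Constructed sample records, not real logs:
# (timestamp, user, user_dept, resource_dept, action, bytes)
EVENTS = [
    ("2024-03-04 10:12", "alice", "sales", "sales", "download", 40_000_000),
    ("2024-03-05 11:30", "alice", "sales", "sales", "download", 35_000_000),
    ("2024-03-08 17:45", "alice", "sales", "sales", "download", 900_000_000),
    ("2024-03-09 14:02", "bob", "dmv", "dmv", "read", 2_000),   # a Saturday
    ("2024-03-06 09:15", "carol", "dev", "hr", "read", 5_000),  # dev reading HR
] + [("2024-03-06 09:2%d" % i, "dave", "dev", "dev", "login_failed", 0)
     for i in range(6)]

def red_flags(events):
    """Return {user: [flags]} for the four signals described in the text."""
    flags = defaultdict(set)
    daily_bytes = defaultdict(lambda: defaultdict(int))
    failed = defaultdict(int)
    for ts, user, dept, res_dept, action, nbytes in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if action == "login_failed":
            failed[(user, t.date())] += 1
            continue
        daily_bytes[user][t.date()] += nbytes
        # Access on a weekend or outside business hours
        if t.weekday() >= 5 or t.hour not in WORK_HOURS:
            flags[user].add("off_hours")
        # Access to another department's data
        if dept != res_dept:
            flags[user].add("cross_department")
    # Compare each day against the user's own median day, not a global limit
    for user, days in daily_bytes.items():
        base = median(days.values())
        if any(v > SPIKE_FACTOR * base for v in days.values()):
            flags[user].add("volume_spike")
    for (user, _day), n in failed.items():
        if n >= MAX_FAILED:
            flags[user].add("failed_logins")
    return {u: sorted(f) for u, f in flags.items()}

if __name__ == "__main__":
    for user, found in red_flags(EVENTS).items():
        print(user, found)
```

A flag here is a prompt for review, not a verdict: a user with legitimate access who pulls an unusually large data set trips `volume_spike` just the same.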

Considering the aforementioned red flags, one would think that catching insider fraud would be easy. It’s an established fact that employees are monitored to some degree within an organization, but the larger the network, the harder it is to see everything. Remember, abnormal actions stand out. More often than not, you have to ask, what about normal actions?

“Often, access to the confidential company data may be rightfully obtained in order to perform a job. It could be for example that a salesperson downloaded the complete customer-base to [their] laptop to work offline,” Yosef said.

This is where policy enforcement comes into play, and strict controls when dealing with asset management and employee access. Should it take seven days to terminate an employee’s access to the VPN? Should you allow them to drop off their laptop on Monday or take it from them on Friday?

So assume the worst happens. What should an organization be looking for after a breach if they think the problem started on the inside?

“In order to perform a proper analysis of a breach, the groundwork should hopefully be in place. The groundwork, in this case, is monitoring of data access. This is the monitoring of every individual’s access to the sensitive data, including those privileged users who have the authority to access the data,” Yosef explained.

Some questions to answer include, who accessed the data? Was it someone from accounting or someone from HR? Did they have expected access to this data? When and how was the data accessed?

Of course, it’s not enough for companies to complete the investigation, present a report summary, and close off the case, Yosef added. Rather, the insights of such a breach should be taken into consideration in order to prevent a similar breach from recurring.

“This means not only to strengthen the specific control which was abused, since a different one could be exploited at a later stage. Rather, a full-fledged security process should be put in place as part of the company’s security initiative to make sure they avoid the next insider threat.”

If you manage access controls, how do you do it? What are your red flags when dealing with internal threats? We know no business is the same, so any variation and “pro tips” you can share will help everyone.
