For many organizations, the biggest threat to their networks and data doesn’t come from nation-state attackers, hacktivists, or cyber-criminals. Insiders, such as disgruntled former employees and frustrated current ones, pose significant dangers to the organization’s security.
The malware attack against Saudi oil giant Aramco in August 2012, which wiped some 30,000 computers, is a perfect example. It’s still not clear exactly who was behind the devastating attack, but experts believe insiders with privileged access to the network helped the attackers. It took the oil company two weeks to recover from the infection.
Outsiders were behind an overwhelming majority, 98 percent, of data breaches in 2011, according to Verizon’s 2012 Data Breach Investigations Report released earlier this year. Only four percent of the incidents involved insiders in some way, according to the report (the two figures overlap slightly because some breaches involved both outsiders and insiders). When Verizon narrowed the focus to include only data breaches which resulted in intellectual property being stolen (as opposed to personal information being exposed, for example), the trends were very different, Wade Baker, Verizon’s director of security intelligence, told SecurityWatch.
When looking only at IP theft, it turned out almost half of the breaches involved insiders, which was a “dramatic change to the profile,” Baker said. “If a company worried about protecting IP is figuring out where to look to protect the IP, then you need to know that insiders are a huge issue,” he said.
Insiders in All Shapes, Forms

There are “all sorts of insiders,” Baker said, noting that the incidents could have been by malicious insiders, former employees, insiders coerced by outsiders, or even honest mistakes. Employees may need the money, making them willing accomplices when approached by outsiders, or angry enough to lash out at the company, Baker said.
Mistakes cover a whole range, such as forgetting to change or disable the default password, neglecting to encrypt sensitive data, and accidentally posting sensitive data to a public server. There were many instances of former employees going back into systems and causing damage because their accounts had not been revoked after they left the company, Baker said.
In fact, “misuse” was the most common threat action in IP theft cases. Verizon classifies threat actions into seven categories, and across the full DBIR most data breaches were the result of malware or hacking. In cases of IP theft, however, the thieves were more likely to be users who already had legitimate access to the data or systems and abused it.
Privileged accounts are often not managed properly, and in many cases have weak passwords or are shared between multiple users, Adam Bosnian, an executive vice-president at Cyber-Ark, told SecurityWatch. “Businesses across industries need to wake up and understand that these privileged accounts are the number one target,” Bosnian said, adding that controlling these access points “needs to be a priority.”
In fact, Cyber-Ark found that 43 percent of businesses in its 6th annual global IT security survey, released in June, did not monitor how privileged accounts were being used, despite being aware that attackers are increasingly taking advantage of these accounts, Bosnian said.
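Two of the failure modes raised above, former employees whose accounts were never revoked and privileged accounts that are shared and unmonitored, are both visible in ordinary authentication logs if anyone looks. The following is an added example, not code from the article or from Verizon or Cyber-Ark: it runs two audit checks over a constructed, syslog-style auth log, using a constructed HR roster and a constructed list of privileged account names. The log format and all names and addresses are assumptions for illustration.

```python
"""Two audit checks over authentication logs (added example, constructed data):
1. successful logins by users whose HR termination date has already passed;
2. privileged accounts used from more than one source IP in a short window,
   a cheap signal that the credential is shared rather than personal."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: username -> termination date (None = still employed).
ROSTER = {
    "jdoe": None,
    "msmith": datetime(2012, 6, 15),
    "rlee": datetime(2012, 8, 1),
}

# Constructed set of accounts that are privileged by design.
PRIVILEGED = {"dbadmin", "root"}

# Constructed auth log, one event per line: "<ISO time> <user> <source ip> <result>"
AUTH_LOG = """\
2012-08-20T09:01:10 jdoe 10.0.1.12 success
2012-08-20T09:05:44 msmith 10.0.1.40 success
2012-08-20T09:06:02 dbadmin 10.0.1.12 success
2012-08-20T09:09:30 dbadmin 10.0.2.77 success
2012-08-20T11:30:00 dbadmin 10.0.1.12 success
2012-08-20T13:15:21 rlee 203.0.113.9 failure
2012-08-20T13:15:50 rlee 203.0.113.9 success
2012-08-21T02:00:00 root 10.0.3.5 success
"""


def parse_auth_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "ip": ip,
            "ok": result == "success",
        })
    return events


def orphaned_logins(events, roster):
    """Successful logins by users whose termination date is on or before the
    login time, i.e. accounts that should have been disabled but were not.
    Returns a list of (user, ISO timestamp) tuples in log order."""
    hits = []
    for e in events:
        if not e["ok"]:
            continue
        term = roster.get(e["user"])
        if term is not None and e["time"] >= term:
            hits.append((e["user"], e["time"].isoformat()))
    return hits


def shared_privileged_use(events, privileged, window=timedelta(minutes=15)):
    """For each privileged account, look for successful logins from more than
    one source IP within `window` of each other. Returns a dict mapping the
    account name to the sorted list of IPs seen in the first such window."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"] and e["user"] in privileged:
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            ips = {first["ip"]}
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                ips.add(later["ip"])
            if len(ips) > 1:
                findings[user] = sorted(ips)
                break
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print("logins by terminated users:", orphaned_logins(evs, ROSTER))
    print("privileged accounts used from multiple IPs:",
          shared_privileged_use(evs, PRIVILEGED))
```

The first check only needs an HR feed joined to login events; the second needs nothing beyond the logs the systems already produce, which is the point: the 43 percent who do not monitor privileged accounts are mostly not missing data, they are missing the habit of querying it.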
To understand trends surrounding intellectual property theft, Verizon analyzed 85 incidents from the 2012 DBIR and 2011 DBIR, Baker said. Because IP theft cases are such a small slice of the thousands of breaches in the full DBIR, anything related to insider attacks “gets drowned out” in the main report, which makes this kind of spotlight valuable, Baker said.