Andrew Horbury outlines the typical insider activities and the related threats to businesses, and dwells on the profile of the average insider and hacktivist. Did you know that insider theft makes up between 8-14% of confirmed data breaches, compared to the 88-92% attributed to external actors? Those figures come from the Symantec Security Threat Response data piece. But these relatively small numbers are somewhat misleading. So, whilst insiders might make up only a small percentage of confirmed data breaches, they account for almost 70% of all corporate security issues, compared to the 31% that we can attribute to outsiders. This is reflected, in fact, by the UK Information Commissioner’s Office, which fined and prosecuted more businesses because of insider slip-ups than because of outsider attacks in 2012.
In fact, the Symantec Internet Security Threat Reports state that most small to medium-size businesses should worry about someone in accounts just as much as they should worry about some anonymous hacker. The majority of confirmed data breaches committed by insiders without malicious reasons are done as some form of game, and while there are of course a lot of cases of programmers and administrators engaging in insider data theft, most such actions are attributed to employees with little or no technical ability or status. Employees involved in the payment chain, particularly in small to medium-size businesses, seem to be the main culprits, often solicited by external actors to skim payment cards or supply customer information in order to commit some fraud.
Only three cases of insider espionage were recorded in 2012, according to the Verizon Data Breach study. All three involved appear to be ex-employees in managerial or executive positions, trying to take proprietary information to a new employer. So, who is behind these crimes? Those who commit such actions often exhibit certain behavioral changes or warning signs, according to research by CERT’s Insider Threat Center, giving employers and colleagues the chance to prevent such breaches. More than 30% of insiders engaging in IT sabotage have a prior arrest history. They may boast about the damage they could do to an organization if they so desired. They might be bitter about being passed over for promotion, for example. They might also have serious conversations with co-workers about starting a competing business, and start using the organization’s resources for a side business or even for a new employer. The pattern or quantity of the information they retrieve also might change drastically, potentially indicating data theft. And particularly when you can see that people are leaving, you might see the pattern of data theft or data leakage go up. Many of the instances, however, were attributed to human error or insecurely stored information. But the fact that a lot of insider theft is accidental shouldn’t mean it’s overlooked. Data loss is serious and expensive, and if it goes public it can cause incredible damage to the reputation of the business for a long time. What do you need to focus on with insiders? Well, you need to focus on your people; focus on deterrence rather than detection, because at the detection stage it’s already likely to be too late. You also want to identify the information that is most likely to be valuable, and then also monitor ingress and egress, and consider restricting the flow of information outbound from one network to another.
Also, use solutions like data loss prevention in order to limit data loss. You also want to baseline normal activity, so start by looking at what employees do today and then see how those patterns change over time, subsequently looking at what could be perceived as abnormal activity. So, what do they do and what are the threats? Hacktivists have different motives, and that makes the threat they pose hard to determine. To illustrate this, at the beginning of 2012 Anonymous claimed responsibility for a broad range of actions: publication of bank managers’ details, DDoS attacks on government websites, the hacking of two MIT websites, publication of VMware source code, etc. (see left-hand image). This is just one group. Other hacktivists have other motives and other methods. Protests against anti-Islamic Western messages have turned to website defacements and denial-of-service attacks. A group calling itself the Cutting Sword of Justice used malware to wipe the computer hard drives of energy companies in the Middle East in August 2012 (see right-hand image). And a group called Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for denial-of-service attacks against various financial institutions through 2012. The issue is further complicated by the fact that some denial-of-service attacks are used as a smoke screen by organized criminal gangs, before or after they attempt to engage in unauthorized transactions or a deep infiltration, to disguise the theft and prevent attempts to stop it. What does a hacktivist profile look like? Again, some of these things come from the Verizon Data Breach Report that I mentioned earlier. Well, hacktivists mainly target the information, public and service sectors. We know that they primarily operate in Western Europe and North America. Their most common attack methods are SQL injection attacks, using stolen credentials, brute-force and DoS attacks, remote file inclusion, and of course backdoors.
The main assets they target are web applications, databases and mail servers. Their desired data is personal information, credentials and internal corporate data. It is also worth noting, however, that this is a rough profile only. Hacktivist activities are erratic and can threaten businesses, both big and small in any sector, by exploiting website vulnerabilities, weak passwords, unpatched software and unencrypted sites. Looking at insiders now, the most common insider cybercrimes were, according to CERT’s Insider Threat Center: unauthorized access to or use of corporate information; viruses, worms or other malicious code; and the theft of intellectual property. Additionally, the same research found that insiders often attempt to obtain fellow employees’ passwords or gain access through trickery or exploitation of a trusted relationship, which is, in essence, a type of social engineering: using charm or similar means in order to obtain information that they want to exploit and use.
In more than 70% of intellectual property theft cases, insiders steal the information within 30 days of announcing their resignation. So, again, it goes back to the point I made a little earlier: there are signs. As soon as people announce that they’re leaving an organization, they may suddenly start looking for information that they can take to a new employer or use in their own new job. More than half of insiders committing IT sabotage were former employees who regained access via backdoors or corporate accounts that were never properly disabled. So, again, there’s a lesson to be learned there: properly close down and disable accounts as people move on to new organizations. The main threat from insiders, however, is that they generally know the business’s security systems and subsequently know exactly where to strike. The other common danger is that businesses often lack website security or strict access controls for data. Even temporary staff have access to privileged information. This is exactly what happened in a recent insider data breach in South Korea, where a temporary consultant at the Korea Credit Bureau stole the details of up to 20 million South Koreans from the company’s servers before selling them on to various marketing firms (see left-hand image). Without the right access management capabilities, companies might be incredibly exposed. But of course not all insider actions are about money. Many incidents involve the unintentional exposure of private or sensitive data. These, however, can be just as damaging as intentional attacks. They can involve employees sending sensitive documents or information to their own recipient; saving or storing information in an insecure location; taking work home via a personal email account or a personal mobile device; or taking sensitive data home on a removable drive or USB stick.
Whilst these actions are not disastrous, they do expose data to unauthorized parties and put sensitive corporate information outside of the organization’s control, increasing the risk of data theft. But whether malicious or unintentional, the results of insider actions are often the same. The protection of data at rest and in transit is vital to businesses trying to combat these incidents and their actors.
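The two defensive points made above, baselining normal activity and watching for abnormal egress, and disabling the accounts of people who have left, can be combined into one simple detection pass. The example below is added here and is not code from the original presentation or from Symantec; the export log, user names, dates and the z-score threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed sample log of daily record exports: (day, user, records exported).
# The first ten days of March form the baseline period for each user.
EXPORT_LOG = (
    [(date(2013, 3, d), "alice", n)
     for d, n in zip(range(1, 11), [40, 55, 48, 52, 45, 50, 47, 53, 49, 51])]
    + [(date(2013, 3, d), "carol", n)
       for d, n in zip(range(1, 11), [10, 12, 9, 11, 10, 13, 12, 9, 10, 11])]
    + [(date(2013, 3, 15), "alice", 2400),  # spike shortly after giving notice
       (date(2013, 3, 16), "carol", 12),    # ordinary day, should not alert
       (date(2013, 3, 16), "dave", 300)]    # account of a former employee
)
RESIGNATIONS = {"alice": date(2013, 3, 12)}   # day notice was announced (constructed)
FORMER_EMPLOYEES = {"dave"}                   # accounts that should already be disabled
BASELINE_END = date(2013, 3, 10)


def daily_counts(log):
    """Sum exported records per user per day."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, n in log:
        counts[user][day] += n
    return counts


def detect(log, resignations, former, baseline_end, z=3.0, notice_window=30):
    """Return (day, user, reason) alerts for days after the baseline period."""
    alerts = []
    for user, days in daily_counts(log).items():
        history = [n for d, n in days.items() if d <= baseline_end]
        mu = mean(history) if history else None
        sigma = max(pstdev(history), 1.0) if history else None  # floor avoids zero spread
        for day in sorted(d for d in days if d > baseline_end):
            reasons = []
            if user in former:
                reasons.append("activity on a former employee's account")
            if history and days[day] > mu + z * sigma:
                reasons.append(f"export volume {days[day]} vs baseline {mu:.0f}/day")
                notice = resignations.get(user)
                if notice and 0 <= (day - notice).days <= notice_window:
                    reasons.append("within 30 days of announced resignation")
            if reasons:
                alerts.append((day, user, "; ".join(reasons)))
    return sorted(alerts)
```

Accounts with no baseline history (like the former employee here) are reported on the account check alone, since a volume comparison against an empty baseline would be meaningless.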