Dec 07 2023

How Malicious Insiders Use Known Vulnerabilities Against Their Organizations

Category: Insider Threat | disc7 @ 4:17 pm
https://www.crowdstrike.com/blog/how-malicious-insiders-use-known-vulnerabilities-against-organizations/
  • Between January 2021 and April 2023, CrowdStrike Counter Adversary Operations and the CrowdStrike Falcon® Complete managed detection and response (MDR) team identified multiple incidents in which an internal user either exploited or sought to exploit a known vulnerability, or deployed offensive security tooling against their enterprise environment.
  • Approximately 55% of the identified insider threat incidents involved unauthorized use or attempted use of privilege escalation exploits.
  • Approximately 45% of insider threat incidents involved insiders who unwittingly introduced risk to their environment through the unauthorized download of exploits or by downloading other offensive security tools for testing or training purposes.
  • Given overlaps in vulnerability use and typical actions on objectives, many methods that detect and mitigate targeted intrusion and eCrime activity are also applicable to insider threat activity.

We are well aware of the devastating effect insiders can have when using their legitimate access and knowledge to target their own organization. These incidents can result in significant monetary and reputational damages. Entities small and large, across all sectors, can fall victim to insider threats.

Insider-led cybersecurity incidents are growing more frequent and more expensive: reports from the Ponemon Institute state that the number of insider threat events increased by 44% from 2020 to 2022. The average cost per malicious and non-malicious incident climbed to $648,000 USD and $485,000 USD, respectively.1 These incidents can also result in brand and reputational damages that, while hard to quantify, have a significant impact.

What Is an Insider Threat?

For the purposes of this article, an insider threat is defined as an individual with the potential to wittingly or unwittingly use their access to negatively affect the confidentiality, integrity or availability of their organization’s information or information technology (IT) systems. Within this context, an unauthorized user leveraging a privilege escalation exploit — to gain the permissions necessary to delete network logs or conceal their hands-on-keyboard activity — represents an example of a witting insider threat. Meanwhile, an individual who has permission to use exploits as part of their duties but inadvertently uses the wrong computer/system, or fails to follow the proper safe-handling standard operating procedures, represents an example of an unwitting insider threat.

Source: https://insights.sei.cmu.edu/blog/cert-definition-of-insider-threat-updated/

Since 2021, CrowdStrike Intelligence has observed insider threats achieve their goals through the exploitation of known vulnerabilities. While these activities are hard to detect, not all is doom and gloom. An intelligence-driven review of known cases shows that many defensive actions used to detect and mitigate targeted intrusion and eCrime adversaries are also effective at stopping insider threat activity, given overlaps in vulnerability usage and post-exploitation activity. Falcon Complete can help detect and contain these threats, protecting customers from both insider threats and external adversaries.

Insiders’ Commonly Exploited Vulnerabilities

CrowdStrike Counter Adversary Operations and CrowdStrike Falcon Complete analyzed incidents from January 2021 to April 2023 to determine the most prevalent vulnerabilities leveraged without authorization by internal users in their enterprise environment. This is a high-confidence qualitative assessment drawn from Falcon Complete incident data showing behaviors consistent with attempted or successful exploitation. These incidents fall into two broad categories:

  • Unauthorized exploitation to escalate privileges and support follow-on objectives
  • Unauthorized testing of exploits or downloading of offensive tools for defensive or training purposes

While this article covers specific vulnerabilities, it is not intended to conclusively identify all vulnerabilities potentially related to insider threat activities. Depending on the intended target and objectives, numerous other vulnerabilities with existing public proof-of-concept exploits could accomplish similar objectives.

Unauthorized Exploitation to Escalate Privileges and Support Follow-on Objectives

Privilege escalation is typically the intermediate step between initial access and reaching the actual objective in a cyber intrusion. It is considered a critical stage in the attack chain, since many of the subsequent steps — such as defense evasion and manipulating sensitive programs/systems — require an elevated privilege level. This is especially relevant to insiders who usually possess low-level access to the target environment as part of their duties. 

An insider user that escalates privileges without authorization is abusing their access and, at a minimum, attempting to bypass the principle of least privilege (POLP). According to this principle, users and processes are only granted the minimum permissions required to perform their assigned tasks. POLP is widely considered to be one of the most effective practices for strengthening an organization’s cybersecurity posture, and it allows organizations to control and monitor network and data access.2 

Fifty-five percent of the insider threat incidents identified by CrowdStrike Counter Adversary Operations involved attempted local privilege escalation (LPE) to support follow-on actions. For example, insiders sought higher privileges to download unauthorized software, remove forensic evidence or troubleshoot IT systems. By attempting to escalate privileges, these internal users wittingly or unwittingly introduced risk to their network, and as a result, these incidents fall under the insider threat umbrella regardless of malicious intent (see Figure 1).

Figure 1. Hypothetical example of an insider threat leveraging a local privilege escalation (LPE)

These incidents leveraged six well-known vulnerabilities that have publicly available exploit proof-of-concept (POC) code on GitHub and are included in the United States Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities (KEV). The broad range of vulnerabilities used highlights the large number of potential attack vectors and the breadth of the attack surface.  

CVE Number | CVE Name | Targeted OS | In CISA KEV
CVE-2017-0213 | Windows Component Object Model (COM) Elevation of Privilege Vulnerability | Windows | Yes
CVE-2022-0847 | Linux Kernel Privilege Escalation Vulnerability (aka DirtyPipe) | Linux | Yes
CVE-2021-4034 | Polkit Out-of-Bounds Read and Write Vulnerability (aka PwnKit) | Linux | Yes
CVE-2019-13272 | Linux Kernel Improper Privilege Management Vulnerability | Linux | Yes
CVE-2015-1701 | Microsoft Win32k Privilege Escalation Vulnerability | Windows | Yes
CVE-2014-4113 | Microsoft Win32k Privilege Escalation Vulnerability | Windows | Yes

Table 1. Vulnerabilities observed being leveraged by insiders to escalate privileges

CVE-2017-0213 Incidents

In early April 2023, CrowdStrike Falcon Complete detected and blocked an internal user’s attempt to exploit a Windows Component Object Model (COM) privilege escalation vulnerability (CVE-2017-0213) at a Western Europe-based retail entity. Specifically, the internal user leveraged the WhatsApp messenger application to download an exploit targeting CVE-2017-0213 in an attempt to escalate privileges and install the uTorrent file-sharing application as well as unauthorized games. 

Successful exploitation of CVE-2017-0213 allows an authenticated attacker to run arbitrary code with elevated privileges. Since April 2022, CrowdStrike Falcon Complete has detected six other incidents involving internal users attempting to leverage CVE-2017-0213 to conduct unauthorized follow-on activities. Notably, in late July 2022, a terminated employee at a U.S.-based media entity unsuccessfully attempted to leverage this vulnerability to conduct unauthorized activities.  

Other Incidents

The remaining incidents involved internal users leveraging five privilege escalation vulnerabilities to gain elevated privileges in order to conduct unauthorized follow-on operations. Notably, in mid-July 2022, an internal user at an Australia-based technology entity attempted to execute an exploit for CVE-2021-4034 (PwnKit) to gain administrative rights and troubleshoot their host machine. Also, in mid-October 2022, an internal user at a U.S.-based technology entity leveraged CVE-2015-1701, a Microsoft Win32k privilege escalation vulnerability, to gain the necessary permissions to bypass internal controls and allow for the unauthorized installation of a Java virtual machine.  

How Insider Threats Unintentionally Put Organizations At Risk

Forty-five percent of the insider threat incidents identified by CrowdStrike Counter Adversary Operations involved insiders who unwittingly introduced risk to their environment via the unauthorized download of exploits or by downloading other offensive security tools for testing or training purposes. In these incidents, the insiders, who may be responsible for using exploits and offensive tools as part of their regular duties, unwittingly introduced risk to their environment by not following safe-handling procedures (see Table 2). For example, in some of the incidents, the insider users should have downloaded the exploits in virtual machines or other specific hosts to provide better network segmentation between testing and production environments. 

There are several ways this could cause damage. Testing exploits on unauthorized systems could disrupt operations, as some exploits could cause system crashes or other unintended negative actions. Additionally, an adversary with a foothold on the insider threats’ network could leverage these exploits or tools to support their own malicious activity.  Finally, downloading unvetted code can introduce backdoors or other malicious artifacts into the internal user’s network. 

Below are some of the vulnerabilities involved in cases of insider threats unintentionally putting their organization at risk. 

CVE Number | CVE Name | Targeted OS | In CISA KEV
CVE-2021-42013 | Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal | Mac | Yes
CVE-2021-4034 | Polkit Out-of-Bounds Read and Write Vulnerability (aka PwnKit) | Linux | Yes
CVE-2020-0601 | Windows CryptoAPI Spoofing Vulnerability | Windows | Yes
CVE-2016-3309 | Windows Kernel Privilege Escalation Vulnerability | Windows | Yes
CVE-2022-21999 | Windows Print Spooler Elevation of Privilege Vulnerability | Windows | Yes
N/A | Metasploit Framework | N/A | N/A
N/A | ElevateKit | N/A | N/A

Table 2. Vulnerabilities observed being leveraged by insiders for testing/defensive purposes

CVE-2021-42013 Incident

In October 2022, CrowdStrike Falcon Complete detected and contained a script leveraging CVE-2021-42013 to launch an Apache reverse shell at a U.S.-based technology entity. Successful exploitation of CVE-2021-42013 allows an unauthenticated attacker to execute code remotely. In this incident, the internal user leveraged this vulnerability without permission to exploit a server as part of a Capture-the-Flag (CTF) competition. This incident highlights the importance of properly scoping and communicating any restrictions regarding CTF and similar exercises in corporate networks.

Other Vulnerability Incidents

Other incidents involved internal users exploiting individual vulnerabilities for testing and/or training purposes. While these users — often in security roles — are permitted to test exploits as part of their job duties, they were not authorized to conduct that activity on the specific hosts that triggered the CrowdStrike Falcon® sensor. For example, in February 2023, an internal user at a United States-based technology entity attempted to download an exploit for CVE-2016-3309, a Windows kernel privilege escalation vulnerability, on their corporate computer instead of on the approved system for these types of activities (a separate virtual machine). The Falcon Complete team was able to quickly triage event logs recorded using Falcon’s Endpoint Activity Monitoring (EAM) application to provide additional context surrounding the initial download of the CVE-2016-3309 exploit.

Metasploit Framework

From May 2022 to February 2023, Falcon Complete observed multiple incidents involving the unauthorized deployment of the Metasploit Framework on Windows and Linux hosts by insider users. The Metasploit Framework is a well-known penetration testing framework that can be used for exploitation, enumeration, post-exploitation and other offensive activities. This tool is commonly used by security teams for testing and executing exploits — however, it can also provide insiders a readily available mechanism for conducting pre- and post-exploitation activities. While each incident was assessed to be related to defense-focused testing activity, the unauthorized deployment of the Metasploit Framework by an internal user introduces risks to the enterprise network.

ElevateKit

In December 2022, Falcon Complete observed an incident involving an internal user downloading and staging ElevateKit, a privilege escalation framework commonly leveraged alongside Cobalt Strike. ElevateKit registers modules with the Cobalt Strike Beacon payload to allow for privilege escalation using publicly available exploits.3 In addition to ElevateKit, the user also staged Mimikatz and PowerLurk, two tools also commonly used in penetration testing engagements for credential dumping and establishing persistence via Windows Management Instrumentation (WMI). While this incident was later determined to be related to unauthorized security testing preparation, a threat actor could potentially abuse these previously deployed tools to escalate privileges, move laterally or establish persistence. 

Non-Exploit Based Insider Threat Activity

Internal users are not limited to exploiting vulnerabilities to achieve their results. In addition to using their own credentials, insider threats could leverage various other methods to escalate privileges, evade defenses and/or execute arbitrary code. The following is a non-exhaustive list of other potential approaches and methods:

  • DLL hijacking
  • Insecure file system permissions
  • Insecure service configurations
  • Exploitation through removable media
  • Windows accessibility features bypass 
  • Image file execution options injection

Recommendations

The inherent difficulty in identifying insider threat activity, and the limited sample size, preclude definitive and granular observations. However, a review of the incidents and vulnerabilities associated with insider threats from January 2021 to April 2023 highlights several factors that may aid in preventing and detecting future insider threat activity. 

Many of the vulnerabilities described in this article have also been exploited by targeted intrusion and eCrime adversaries. Thus, many of the popular defense-in-depth measures applied by network defenders to detect and mitigate targeted intrusion or eCrime activity will help identify and neutralize insider threats, given similar overlaps in observed tactics, techniques and procedures and desired actions on objective (e.g., data exfiltration, data destruction, etc.).

CrowdStrike Counter Adversary Operations assesses that more than half of the identified insider threat incidents involved internal users’ unauthorized use or attempted use of privilege escalation exploits to support follow-on objectives. This assessment is made with high confidence based on available forensic data and observed hands-on-keyboard activity. While each user’s individual calculus for selecting specific vulnerabilities to leverage remains unknown, the chosen vulnerabilities have publicly available exploits on GitHub and have been exploited in the wild. As such, restricting or monitoring the download of exploits from GitHub and other online code repositories by personnel who do not require that access as part of their regular duties could mitigate this threat: limiting access to ready-to-use exploits can hinder insider threats from conducting malicious activity.
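As an added example (not CrowdStrike's code), the following Python script applies the two distinctions this article draws to constructed proxy download records: an exploit proof-of-concept pulled by a user who is not permitted to handle exploits at all, versus one pulled by an authorized tester onto a host that is not an approved test VM (the situation in the CVE-2016-3309 incident described earlier). The user names, host names, repository owners, policy lists and the log format are assumptions made for the example; the CVE watchlist is taken from Table 1 and Table 2.

```python
"""Policy-aware triage of exploit-PoC and offensive-tool downloads.

Added example, not CrowdStrike code. A PoC download by a user who may not
handle exploits is an insider finding; a download by an authorized tester
onto a host that is not an approved test system is a procedure violation.
CVE ids are checked against a KEV-style watchlist from the article's tables.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Code-hosting domains PoCs are typically fetched from (assumption; extend per environment).
CODE_HOSTS = {"github.com", "codeload.github.com",
              "raw.githubusercontent.com", "objects.githubusercontent.com"}
# Offensive tooling named in the article, matched case-insensitively in the URL.
TOOL_MARKERS = ("metasploit", "elevatekit", "mimikatz", "powerlurk")
# KEV-listed CVEs from Table 1 and Table 2.
KEV_WATCHLIST = {
    "CVE-2017-0213", "CVE-2022-0847", "CVE-2021-4034", "CVE-2019-13272",
    "CVE-2015-1701", "CVE-2014-4113", "CVE-2021-42013", "CVE-2020-0601",
    "CVE-2016-3309", "CVE-2022-21999",
}
CVE_RE = re.compile(r"cve-\d{4}-\d{4,7}")  # applied to a lower-cased URL


@dataclass(frozen=True)
class Policy:
    exploit_handlers: frozenset     # users permitted to download and test exploits
    approved_test_hosts: frozenset  # hosts (e.g. lab VMs) where that testing may happen


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    url: str
    category: str  # "unauthorized_exploit_download" or "wrong_host_for_testing"
    cve: Optional[str]
    in_kev: bool


def classify_download(user, host, url, policy):
    """Return a Finding if the download violates policy, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in CODE_HOSTS:
        return None
    haystack = (parsed.path + " " + parsed.query).lower()
    match = CVE_RE.search(haystack)
    cve = match.group(0).upper() if match else None
    is_tool = any(marker in haystack for marker in TOOL_MARKERS)
    if cve is None and not is_tool:
        return None  # ordinary source download, not exploit material
    if user not in policy.exploit_handlers:
        category = "unauthorized_exploit_download"
    elif host not in policy.approved_test_hosts:
        category = "wrong_host_for_testing"
    else:
        return None  # authorized tester on an approved host: expected activity
    return Finding(user, host, url, category, cve, cve in KEV_WATCHLIST)


def triage(log_lines, policy):
    """log_lines: 'timestamp,user,host,url' records (constructed format)."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, user, host, url = line.split(",", 3)
        finding = classify_download(user, host, url, policy)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample: users, hosts and repository owners are hypothetical.
EXAMPLE_POLICY = Policy(exploit_handlers=frozenset({"secops1", "secops2"}),
                        approved_test_hosts=frozenset({"LAB-VM-03"}))
SAMPLE_LOG = """\
# timestamp,user,host,url
2023-04-03T09:12:41Z,jdoe,RETAIL-WS-0142,https://github.com/someuser/CVE-2017-0213/archive/refs/heads/master.zip
2023-02-14T15:03:02Z,secops1,CORP-LT-0077,https://codeload.github.com/someuser/CVE-2016-3309/zip/refs/heads/main
2023-02-14T15:10:55Z,secops1,LAB-VM-03,https://codeload.github.com/someuser/CVE-2016-3309/zip/refs/heads/main
2022-12-05T11:48:19Z,secops2,CORP-LT-0090,https://github.com/rsmudge/ElevateKit/archive/refs/heads/master.zip
2023-03-01T08:00:00Z,jdoe,RETAIL-WS-0142,https://github.com/pallets/flask/archive/refs/tags/2.3.2.zip
"""


def run_example():
    return triage(SAMPLE_LOG.splitlines(), EXAMPLE_POLICY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.category:30} user={f.user} host={f.host} cve={f.cve} kev={f.in_kev}")
```

Run as-is, the sample produces three findings: an unauthorized CVE-2017-0213 download by a user outside the exploit-handler list, and two "wrong host" violations by authorized testers (the CVE-2016-3309 PoC and ElevateKit landing on corporate laptops). The same CVE-2016-3309 download onto the approved lab VM, and the unrelated Flask archive, produce nothing. In a real deployment the host and user lists would come from the asset inventory and the security team's roster rather than constants.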

The use of older vulnerabilities, some disclosed as early as 2015, underscores that vulnerabilities can remain useful to all attackers (internal or external) until patched or mitigated. This is particularly relevant to internal systems that may be under a slower patching cycle than that of internet-exposed systems. Internal users are particularly well positioned to leverage older local privilege escalation vulnerabilities, as they often already possess the low-level privileges and/or credentials needed to successfully run these exploits, have a better understanding of the host environment and can conduct basic reconnaissance commands with lesser risk of discovery than a remote attacker.

Approximately 45% of the insider threat incidents involved insiders ostensibly expected to leverage exploits and offensive tools as part of their regular duties who unwittingly introduced risk to their environment by the unauthorized download of exploits or other offensive security tools. Not following proper procedures related to the handling of exploits and other offensive tooling can cause system crashes or other negative effects to the host environment. Although CrowdStrike Counter Adversary Operations has not observed this so far, a resourceful adversary with a foothold in the internal user’s network could also leverage these offensive tools or exploits for their own operations. 

Mitigation Options 

Vulnerability Management 

It is critical to ensure timely vulnerability patching in order to protect enterprise devices. CrowdStrike Falcon Exposure Management provides real-time visibility into new and emerging vulnerabilities by using scanless vulnerability assessment technology integrated with the CrowdStrike Falcon® sensor. It prioritizes risks based on an advanced AI model and integrates threat intelligence provided by the CrowdStrike Intelligence team to provide insight into trending threats.

Insider threats can also leverage non-exploit based attack vectors, so timely patching alone is insufficient to address the potential threats. This is why it’s essential for organizations to implement multiple layers of defense such as Falcon Complete MDR and CrowdStrike® Falcon OverWatch™ managed threat hunting.

The Falcon Complete team actively monitors for and remediates exploitation and post-exploitation behaviors by analyzing suspicious process characteristics and behaviors, utilizing machine learning to detect malicious payloads, monitoring script execution and more. In addition, the Falcon OverWatch 24/7 threat hunting service provides early indicators of threat actor activity and exploitation attempts. Falcon OverWatch integrates indicators of compromise (IOCs) and threat intelligence provided by CrowdStrike Intelligence to identify, prevent and provide attribution for emerging threats.

User Behavior Analysis to Detect Insider Threat Activity

User behavior analysis is also a key technique that CrowdStrike Falcon® Complete Identity Threat Protection leverages to detect an adversary who may be using the stolen credentials of a legitimate user, or to identify suspicious activity from an insider. Normal behavior is baselined for every user from authentication and historical data (for example, which machines the user typically accesses). Accounts are auto-classified using advanced algorithms and machine learning (users and servers; for example privileged, stealthy and service accounts, or server types such as VDI), and this is correlated with possible Active Directory attack paths and privilege escalation routes to build a detailed behavioral profile for every entity. This helps the analyst (and the detection engine) understand what is normal behavior and what is not. Any deviation from the baseline triggers a detection of an adversary in the environment or an insider with malicious intent, which in turn can trigger automated responses (alert, multifactor authentication or block) based on pre-created policies.
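As an added example (not CrowdStrike's detection engine), the following Python script shows the baseline-and-deviation idea in its simplest form: build a per-user profile of normally used hosts and active hours from a history of successful logons, score new events against that profile, and map the deviations to the alert / MFA / block response tiers mentioned above. The logon records, user and host names, the history window, the hour tolerance and the response mapping are all constructed for the example.

```python
"""Baseline-and-deviation scoring of authentication events.

Added example, not CrowdStrike's detection engine. It profiles, per user,
the hosts they normally log on to and the hours they are normally active,
then scores new events against that profile and maps deviations to the
response tiers the article mentions (alert, MFA, block).
"""
from collections import defaultdict
from datetime import datetime


def parse_events(lines):
    """Constructed record format: 'ISO-timestamp,user,host,outcome'."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, outcome = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host, outcome))
    return events


def build_baseline(history, min_events=5):
    """Per-user profile of hosts and active hours from successful logons.
    Users with fewer than min_events successes get no profile: a thin
    baseline would flag nearly everything as a deviation."""
    hosts, hours, counts = defaultdict(set), defaultdict(set), defaultdict(int)
    for ts, user, host, outcome in history:
        if outcome != "success":
            continue
        hosts[user].add(host)
        hours[user].add(ts.hour)
        counts[user] += 1
    return {u: {"hosts": frozenset(hosts[u]), "hours": frozenset(hours[u])}
            for u, n in counts.items() if n >= min_events}


def _hour_distance(a, b):
    d = abs(a - b)
    return min(d, 24 - d)  # clock arithmetic: 23 and 0 are one hour apart


def score_event(event, baseline, hour_slack=1):
    """Return (reasons, response). The tier mapping is an assumed local policy."""
    ts, user, host, _outcome = event
    profile = baseline.get(user)
    if profile is None:
        return (["no_baseline"], "alert")
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("new_host")
    if all(_hour_distance(ts.hour, h) > hour_slack for h in profile["hours"]):
        reasons.append("unusual_hour")
    if "new_host" in reasons and "unusual_hour" in reasons:
        response = "block"
    elif "new_host" in reasons:
        response = "mfa"
    elif reasons:
        response = "alert"
    else:
        response = "allow"
    return (reasons, response)


# Constructed history: alice logs on to her own workstation during office hours for a week.
HISTORY = "\n".join(
    f"2023-03-{day:02d}T{hour:02d}:05:00,alice,WS-ALICE,success"
    for day in range(6, 11) for hour in (8, 11, 14, 17)
)
# Constructed new events to score against that history.
NEW_EVENTS = """\
2023-03-13T09:30:00,alice,WS-ALICE,success
2023-03-13T10:02:00,alice,FILESRV-01,success
2023-03-14T03:10:00,alice,WS-ALICE,success
2023-03-14T02:40:00,alice,DC-01,success
2023-03-14T09:00:00,bob,WS-BOB,success
"""


def run_example():
    baseline = build_baseline(parse_events(HISTORY.splitlines()))
    return [(e[1], e[2], *score_event(e, baseline))
            for e in parse_events(NEW_EVENTS.splitlines())]


if __name__ == "__main__":
    for user, host, reasons, response in run_example():
        print(f"{user:6} {host:11} {response:6} {reasons}")
```

With the constructed data, alice's daytime logon to her own workstation is allowed, a first-time logon to a file server during office hours steps up to MFA, a 03:10 logon to her usual workstation only alerts, and a 02:40 logon to a domain controller (new host and unusual hour together) is blocked; bob has no history, so his event is surfaced for an analyst rather than scored. A production system would also use failed-logon patterns, account classification and attack-path context, which this example deliberately leaves out.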

Tailored User Training

Given the unwitting nature of many of the incidents discussed in this article, tailored training (for both new and existing employees) on how to properly download, store and execute exploits and offensive tooling for testing and training purposes could almost certainly reduce these occurrences in the future. Multiple incidents involved new employees who were not well-versed in specific company policies related to exploit handling and the use of external/virtual machines for testing purposes, suggesting that it is paramount to ensure new employees — particularly those in cybersecurity roles — receive the necessary training during their onboarding process.

Additionally, many of these incidents occurred at organizations in the technology sector, suggesting that more tailored training for tech-savvy employees can also help mitigate future occurrences of these types of incidents. Nonetheless, organizations should ensure that new and existing security procedures to prevent these types of incidents are not so restrictive and cumbersome that they drive internal users to find ways to bypass them.

Sources

  1. https://www.proofpoint.com/us/resources/threat-reports/cost-of-insider-threats | https://www.thesasig.com/resources/2020-cost-of-insider-threats-global-report/
  2. https://www.crowdstrike.com/cybersecurity-101/principle-of-least-privilege-polp/
  3. https://github.com/rsmudge/ElevateKit


Tags: Insider Threat


May 22 2023

What is Insider Attacks? : How Prepared Are You?

Category: Information Security, Insider Threat | disc7 @ 10:21 am

Insider attacks often catch organizations by surprise because they’re tricky to spot.

Banking on reactive solutions like antivirus software or a patch management solution to avoid such attacks is not wise.

Understanding what contributes to the increasing number of insider threats and addressing these factors is the only way to secure your enterprise against such attacks.

An insider attack is usually defined as an attack carried out by someone who already has legitimate access inside the organization, such as an employee or contractor.

This type of attack usually targets insecure data. Insider threats might lurk within any company; in some industries, they can account for more than 70% of cyberattacks.

More often than not, insider attacks are neglected. Perhaps this is why they have been on a constant rise.

A survey by CA Technologies in 2018 found that about 90% of organizations feel vulnerable to insider attacks.

Organizations also feel that the data most vulnerable to insider attacks is sensitive personal information (49%), intellectual property (32%), employee data (31%), and privileged account information (52%).

Many insider attacks are associated with excessive access privileges. While it might be unpleasant or inconvenient not to trust employees, organizations must be vigilant.

This can be accomplished by monitoring possible sources of cyberattacks. A big problem is that many companies are unaware of how to identify and combat insider threats.

Questions then arise: Where can you find the best network security tools to gain more knowledge on combating insider attacks? What security standards should you follow to stay within your industry’s security compliance requirements and protect your digital assets better? How do you differentiate between a malicious insider and a non-malicious one?

Insider Threat Warnings That You Should Look Out For

Here are some tell-tale signs you can monitor to avoid an insider attack. Be on the lookout for anyone who:

  • Downloads large amounts of data on personal portable devices or attempts to access data they don’t normally use for their day-to-day work.
  • Requests network or data access to resources not required for their job, or searches for and tries to access confidential data.
  • Emails sensitive information to a personal email account or people outside your organization.
  • Accesses the network and corporate data outside of regular work hours.
  • Exhibits negative attitudes or behaviors—for instance, a disgruntled employee leaving the organization.
  • Ignores security awareness best practices, such as locking screens, not using USBs or external drives, not sharing passwords and user accounts, or does not take cyber threats seriously.

Once you have started monitoring, you can implement security measures to prevent attacks from occurring. We’ve put together a short list of solutions for curbing insider threats.

1. Zero Trust

Zero Trust, a much-used cybersecurity term, is a holistic approach to tightening network security in which access, or “trust”, is granted only after identity and context have been verified, rather than assumed from network location.

No specific tool or software is associated with this approach, but organizations must follow certain principles to stay secure.

Adding more users, applications and servers, and embracing various IoT devices, expands your network perimeter.

How do you exert control and reduce your overall attack surface in such cases?

How can you ensure that the right access is granted to each user?

IT security at some organizations reflects the age-old castle-and-moat defense mentality that everything inside an organization’s perimeter should be trusted while everything outside should not.

This concept focuses on trust too much and tends to forget that we might know little about the intentions of those we deem “insiders.”

The remedy is Zero Trust, which denies access to users and devices that have not been properly authenticated and removes excessive access privileges.

By implementing Zero Trust, you can:

  • Understand your organization’s access needs.
  • Decrease risk by monitoring device and user traffic.
  • Lower the potential for a breach.
  • Profoundly increase your business’s agility.

2. Privileged access management

Privileged access management (PAM) means controlling and monitoring the elevated access rights granted to trusted individuals within an organization.

A privileged user has administrative access to critical systems and applications.

For example, if an IT admin can copy files from your PC to a memory stick, they are said to be privileged to access sensitive data within your network.

This also applies to accessing data via physical devices, logging in, and using different applications and accounts associated with the organization.

A privileged user with malicious intent might hijack files and demand your organization pay a ransom.

PAM takes some effort, but you can start simple. For instance, you can remove an employee’s access to the data associated with their previous role.

Consider an employee moving from finance to sales. In this case, the rights to access critical financial data must be revoked because we do not want to risk the organization’s financial security.

By implementing PAM, you can:

  • Make dealing with third-party devices and users safer and more accessible.
  • Protect your password and other sensitive credentials from falling into the wrong hands.
  • Eliminate excess devices and users with access to sensitive data.
  • Manage emergency access if and when required.

3. Mandatory Security Training for Existing & New Employees

Not all insider attacks are intentional; some happen because of negligence or lack of awareness.

Organizations should make it mandatory for all their employees to undergo basic security and privacy awareness training sessions regularly.

Employees can also be quizzed on these sessions to make the training more effective.

Ensuring employees are acquainted with the cost consequences that negligence can cause the organization can help prevent unintentional insider threats significantly.

With so much to lose, it’s a wonder more companies aren’t taking steps to reduce their chance of suffering from an insider attack.

As mentioned earlier, no particular software or tool is behind the security approaches mentioned above.

Rather, your organization must address these aspects while developing a homegrown security solution or utilizing a similar service or product from a vendor.

By doing so, you can protect your organization from bad actors within or outside of your organization.

However, to specifically tackle the threat posed by insiders who regularly misuse their access credentials or bring malicious plug-and-play devices to work, we recommend looking into other security protocols, such as identity and access management and user behavior analytics, to prevent internal security mishaps.


Tags: insider attacks, insider threats


Mar 17 2023

Top 5 Insider Threats to Look Out For in 2023

Category: Insider Threat | DISC @ 9:12 am

Unquestionably, ‘insider threats’ is one of the most neglected aspects of cybersecurity and some companies fail to recognize associated dangers.

Cyberattacks are growing more complex as technology advances. Many businesses concentrate their cybersecurity efforts solely on external attacks, which leaves more openings for internal risks, and some fail to recognize the danger of losing confidential information through employee negligence or malice. Insider threats may originate from employees, business contractors or other trusted partners with easy access to your network, and insider threat reports and recent developments show a sharp rise in the frequency of insider attacks. Because of this, cybersecurity professionals are now paying more attention to the damage insider attacks can cause.

In general, security professionals lack confidence in their ability to identify and stop insider threats. In one insider threat survey, 74% of respondents said their company was moderately to extremely vulnerable, and 74% (a 6% increase from 2021) said that insider attacks have become more frequent. In 2022, 60% of respondents reported at least one insider attack, and 8% reported more than 20. According to 48% of respondents, insider attacks are harder to detect and prevent than external attacks. Because insiders use legitimate accounts, passwords and IT tools, it can be hard for defenses to distinguish insider threat activity from normal user activity. Overall, insider threats are becoming a more significant risk, and these findings imply that security teams should prepare for them in 2023.

Organizations must be able to address the risks from malicious insiders who intentionally steal sensitive data for personal reasons and users who can accidentally expose information due to negligence or simple mistakes. 

Here are the top 5 threats security teams should look out for in 2023:

Employee Negligence

Employee carelessness or ignorance may result in unintentional data leaks, improper handling of sensitive information, or a failure to follow security policies and procedures. Negligence is to blame for more than two of every three insider incidents. Workers may not be aware of the risks they bring to the company, or may not prioritize security measures. Without intending harm, they act carelessly: reusing passwords across personal and professional accounts, or leaving a flash drive with private data at a coffee shop. Some are unaware of their involvement and fall victim to social engineering techniques such as phishing. Others knowingly behave negligently, for example by bypassing security controls for convenience.

Malicious Insiders

Insiders who intend to cause harm to the company by stealing data, interfering with business processes, or selling confidential information are considered malicious insiders. These people might be driven by greed, retaliation, or a desire to upend the business. They are currently employed, might not be the most ardent supporters of your business, and frequently vent their resentment by erasing or changing important data sets, leaking confidential information, or taking other sabotage measures. Turncloaks are malicious insiders who consciously do something harmful to an organization. The insider could be a trusted business partner, contractor, or employee. Turncloaks may have ideological, vengeful, or pecuniary motivations. Some engage in clandestine activities like stealing private information or sensitive documents.

Insider Collusion

When two or more employees collaborate to steal information, commit fraud, or participate in other nefarious acts, this is called insider collusion. Because the employees collaborate and may be able to conceal their activities, this type of threat can be challenging to identify. Whether intentionally or unintentionally, these threats serve a foreign power. They might be forced to divulge information by outsiders through blackmail or bribery, or they might be tricked into disclosing their login information via social engineering. The most challenging insider risks to identify are moles, which are potentially the most damaging. Moles function similarly to turncloaks, except that they join a firm intending to harm the organization. Whether they support a nation-state or an unknown cause, they are frequently motivated by an intense political motive.

Third-Party Vendors and Contractors

Companies with access to sensitive data or systems may be at risk of insider threats from third-party suppliers and contractors. These individuals might follow different security procedures than full-time employees and have a lower stake in the company’s success. Not every insider works for the company. Suppliers, contractors, vendors, and other outside parties with limited inside access can pose a threat equal to that of staff members with the same rights. Most businesses outsource some of their work to specialized companies or outside agencies. These third parties are occasionally easy targets for cyber attackers because they lack advanced security protocols. If these companies are given privileged access to part of your company network, you can expect bad actors to infiltrate your systems after compromising the partner, resulting in a third-party data breach.

Security Policy Evaders

Last but certainly not least is the group of workers who prefer to ignore security policies and protocols. The business frequently has security policies created to safeguard its personnel and data. Some rules can be burdensome and inconvenient, and some employees might choose the simple route. Contemporary businesses have security procedures in place to protect their critical data. These safeguards may bother some employees, who may devise workarounds that raise the risk of a data leak and jeopardize the security and data protection of the organization. Policy evaders should be considered insider threats since they purposefully break security policies, procedures, and best practices.

Conclusion

Organizations can employ technological solutions like access restrictions, monitoring, data loss prevention technologies and insider threat solutions “to rein in their insider risk and prevent threats.” A thorough security plan should be in place and periodically reviewed and updated when new risks arise. Your company’s reputation, future growth, customers, and employees can all be protected by knowing how insider threats show themselves.

About the Author: Mosopefoluwa Amao is a certified Cybersecurity Analyst and Technical writer. She has experience working as a Security Operations Center (SOC) Analyst with a history of creating relevant


Managing the Insider Threat: No Dark Corners and the Rising Tide Menace

Tags: Insider Threat


Oct 11 2022

Top Cybersecurity Threats for Public Sector

Phishing

An IRONSCALES survey published in October 2021 shows over 80% of respondents experienced an increase in email phishing attacks since the start of the pandemic.

Phishing involves the utilization of legitimate-looking emails to steal the login credentials or other sensitive information of a target organization. While it’s just as much a risk for small and medium-sized businesses, in the public sector, phishing attacks could potentially be nation-state sponsored, making it a possible double whammy.

While taking advantage of the latest and greatest software to protect yourself from top cybersecurity threats is par for the course, what makes phishing so pernicious is that it relies on human error. With phishing emails looking more authentic than ever, they are harder to catch.

Distributed Denial of Service (DDoS) Attacks

A recent report says ransom DDoS attacks increased 29% year over year and 175% quarter over quarter in the fourth quarter of 2021. Some of the biggest targets were the public sector, schools, travel organizations, and credit unions.

DDoS attacks are known to bring down some of the largest websites and are quite difficult to prevent. They are considered by some to be the most “powerful weapon” on the internet, easily making DDoS attacks one of the top cyber security threats to the government.

DDoS attacks can happen at any time, affect any part of a website, and disrupt and interrupt services, usually leading to massive financial damage.

Nation-State Sponsored Cyber Attacks

With mainstream media broadcasting events daily as they occur on every channel imaginable (cable TV, smartphones, social media, etc.), cyber warfare has become an increasingly common way to launch disinformation campaigns, perform cyber espionage or terrorism, and even sabotage targets.

Nation-state-sponsored cyber attacks aim to:

  • Hinder communication
  • Gather intelligence
  • Steal intellectual property
  • Damage digital and physical infrastructure

They are even used for financial gain.

Though cyber attacks are sometimes used in tandem with real life attacks, what makes cyber warfare especially challenging is that it happens virtually and often covertly. There usually isn’t any declaration of war. That makes it difficult to prove who is responsible for the attack.

Ransomware

Ransomware attacks may not be an emerging trend by any means. They may not even be anything new. But they do have a history of wreaking havoc on the public sector and therefore need to be taken seriously.

Rewind to 2019, when the U.S. was hit by an unrelenting barrage of ransomware attacks that ultimately affected at least 966 government agencies, educational establishments, and healthcare providers, at a cost of $7.5 billion (Emsisoft).

These attacks resulted in 911 services being interrupted, surveillance systems going offline, badge scanners and building access systems not working, websites going down, extended tax payment deadlines, and much more.

The threat of ransomware attacks still looms today and is no less a concern in 2022 than it was in 2019. As far as cyber security threats to the government are concerned, ransomware attacks should be kept on the cybersecurity radar.

What Can the Public Sector Do to Stay Ahead?

Beyond taking full advantage of the latest technology, public sector organizations that want to stay ahead must create a culture of cybersecurity, offering ongoing training to their teams.

You need to secure all infrastructure, including cloud, mobile, and Internet of Things (IoT). You also want to improve compromise detection and be fully prepared for any attack. Plans should be documented and practiced regularly, so detection and response are immediate.

Conclusion

The top cybersecurity threats are generally a consequence of new technologies the public sector is either looking to implement or is already implementing. It is harder to know all the variables and potential vulnerabilities with anything new.

This isn’t to suggest that old technologies are more reliable, however. Just as antivirus software’s virus definitions must be continually updated for the software to remain effective, the public sector needs to stay on the cutting edge of best practices.

The public sector must also remain agile in adapting to new threats, whether offering ongoing cybersecurity training, hiring skilled consultants to keep their new technological infrastructures in check, partnering with experienced cybersecurity service providers like Indusface, or otherwise.

Top Cybersecurity Threats for Public Sector


Tags: Cybersecurity Threats


Oct 06 2022

Top Cybersecurity Threats for Public Sector

In the private sector, hackers and cybercriminals are prone to leaving organizations with good security infrastructures alone. Because they often go after low-hanging fruit, hacking into a well-protected network is perceived as more trouble than it’s worth.

But the public sector is a different matter entirely. The government and government agencies have access to assets and data that criminals would love to get their hands on, even with the added trouble. So, even though the public sector is well protected, it will not stop cybercriminals from attempting to break in.


Top Cybersecurity Threats for Public Sector

Tags: Top Cybersecurity Threats


Sep 22 2022

How to Spot Your Biggest Security Threat? Just Look out for the Humans

Category: Cyber Threats, Insider Threat, Threat detection | DISC @ 8:04 am

As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.

Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.

How to Spot Your Biggest Security Threat? Just Look out for the Humans

But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.

Humans: The Biggest Cyber Security Threats

When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?

But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.

Verizon’s latest 2022 Data Breach Investigation Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.

This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.

Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.

Here’s a breakdown of the leading issues:

  • Credential problems account for nearly 50% of non-error, non-misuse breaches
  • Phishing accounts for nearly 20% of breaches
  • Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
  • Vulnerability exploits account for less than 10% of attacks

The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.

3 Types of Internal Threats

The biggest security threat is the humans who make up your team. The majority are innocent, or at the very least well-meaning. But there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.

These are the three types of internal threats to be aware of:

  1. Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
  2. Malicious. The occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
  3. Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.

How To Prevent the Biggest Cyber Security Attacks

It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.

So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.

Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.

Naturally, this will mean investing in training. These are the key topics that should be addressed:

  • Password management
  • Phishing attacks, how they work, how to avoid them
  • Encryption and digital signing
  • Authentication
  • Creating backups
  • Best practices in sending personal or sensitive information
  • Account access and privileges as well as oversight and management

Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.

Cyber Security Threats and Challenges Facing Human Life


Tags: InfoSec Threats, Security Threat


Sep 07 2022

Some Employees Aren’t Just Leaving Companies — They’re Defrauding Them

Category: Insider Threat | DISC @ 9:44 am

Here are a few measures your organization can implement to minimize fraudulent behavior and losses.


Since the Great Resignation in 2021, millions of employees across the nation have left their roles with current employers in search of better ones. According to Microsoft, 40% of employees reported they are considering leaving their current roles by the end of 2022. With many still working in remote or hybrid positions due to the pandemic, larger businesses have started implementing measures to gain a better understanding of employee morale and sentiment to prevent turnover.

While most employees leave companies on good terms, some may become extremely unhappy or disgruntled prior to their departure and are more likely to defraud the company either before leaving or on their way out the door. The unfortunate reality is that no business is immune to fraud, but luckily, there are several steps you can take to prevent it from happening.

Understand Contributors to Fraudulent Behavior

According to the Cressey Fraud Triangle, fraudulent behavior often occurs due to three contributing factors. These include pressure or motive to commit a fraud (usually a personal financial problem), perceived opportunity within the organization to commit a fraud (poor oversight or internal controls), and rationalization (the ability to justify the crime to make it seem acceptable).

Very often, a fraudster needs all three sides of the triangle to successfully commit a crime. Therefore, it is extremely important for organizations to do their best to create controls and understand the risk associated with each of these areas. For example, an employee may be disgruntled and also have personal financial issues. However, if internal controls are robust and the employee doesn’t have access to financial instruments, valuable assets or software systems, their ability to defraud the company is extremely limited or will get identified immediately.

Additionally, there are actions an organization can take that may significantly mitigate the risk that an employee finds themselves in a situation where they could justify stealing from their employer, even if internal controls are limited or the employee is in a position of high trust or authority. These include offering strong employee assistance programs, investing in the employee experience, exploring employee enrichment opportunities, surveying employees, monitoring morale, performing adequate exit interviews, and completing frequent anti-fraud training.

Create a Web of Fraud Detectors

There are typically eight key warning signs which may indicate an employee is more likely to commit fraud in an organization. According to the ACFE Global Fraud Survey, the top three are living beyond one’s means, financial difficulties, and an unusually close association with a vendor/customer. Businesses must stay vigilant and identify potentially fraudulent behavior as soon as possible; monitoring for red flags among employees is often a helpful step.

Educating all employees about how to identify warning signs and report fraudulent activity is a beneficial practice for any business. According to that same ACFE Global Fraud Survey, organizations that implement fraud awareness training and other anti-fraud controls have seen quicker fraud detection and lower fraud losses as a result of their efforts. In fact, 42% of fraud is discovered by a tip, and 55% of all fraud is reported by employees of the company. Utilizing company employees to monitor for fraudulent behavior within the organization and creating a culture in which fraud is unacceptable under all circumstances are helpful in creating a team of full-time fraud detectors.

Create and Maintain Strong Internal Controls

There are many aspects about an employee’s personal life that an employer can’t control. And no matter how hard you try, an employer cannot always keep all employees engaged, satisfied and ultimately happy. But employers can control the opportunity side of the fraud triangle.

Establishing and maintaining strong and effective internal controls can greatly improve the chances that an organization either prevents fraudulent behavior or detects it before it can damage the company. Specifically, adequate fraud prevention controls over bank account activity, cash handling, purchasing and vendor management, credit card use, expense reimbursements, payroll, and inventory are crucial in protecting the company against a rogue employee who uses their position to misappropriate company assets.

When employers create enriching work environments where their employees feel supported and can convey internal or external stressors, they’re boosting employee morale and minimizing the risk of fraudulent behavior. Unfortunately, you can’t control all employee behavior no matter how hard you try, so it is crucial to also invest in adequate anti-fraud controls and trainings to protect your company even further. Very often, the cost of anti-fraud activities is far less than the cost of an actual fraud. Unfortunately, many companies don’t discover this fact until it’s too late.

https://www.darkreading.com/vulnerabilities-threats/some-employees-aren-t-just-leaving-companies-they-re-defrauding-them

Insider Threats (Cornell Studies in Security Affairs)

Tags: Defrauding


May 12 2022

How to set up a powerful insider threat program

Category: Insider Threat | DISC @ 9:49 am
Security spend continues to focus on external threats despite threats often coming from within the organization. A recent Imperva report (by Forrester Research) found only 18 percent prioritized spend on a dedicated insider threat program (ITP) compared to 25 percent focused on external threat intelligence.

And it’s not just the employee with a grudge you need to worry about – most insider incidents are non-malicious in nature. In its 2022 Cost of Insider Threats Global Report, Proofpoint and the Ponemon Institute found careless or negligent behavior accounted for 56 percent of all incidents, and these also tend to be the most costly, with the average clean-up operation costing $6.6m.

Failed fixes

Part of the problem lies in perception: The Forrester report found almost a third of those questioned didn’t regard employees as a threat. But it’s also notoriously difficult to prevent these types of incidents because you’re essentially seeking to control legitimate access to data. Mitigating these threats is not just about increasing security but about detecting potential indicators of compromise (IoC) in user behavior and, for this reason, most businesses rely on staff training to address the issue. Yet as the figures above reveal, training alone is often insufficient.

The same Forrester report found that while 65 percent use staff training to ensure compliance with data protection policies, 55 percent said their users have found ways to circumvent those same policies. Others said they rely on point solutions to prevent incidents, with 43 percent using data loss prevention (DLP) to block actions and 29 percent monitoring via the SIEM (although data can still be exfiltrated without detection by these systems). The problem is that network security and employee monitoring both fail to take into account the stress factors that can push resourceful employees to resort to workarounds.

While prevention is always better than cure, the current approach to insider threats is too heavily weighted toward prevention. Consequently, there’s insufficient focus on what to do if an insider threat, malicious or not, is realized. So, while training and network security controls do have their part to play, both need to be part of something much more wide-ranging: the ITP.

An ITP aligns policies, procedures, and processes across different business departments to address insider threats. It’s widely regarded as critical to the mitigation of insider threats, but only 28 percent of those surveyed by Forrester claim to have one in place. The reason for this is that many organizations find it daunting to set one up. In addition to getting people onboard and policies in place, the business will need to inventory its data and locate data sources, determine how it will monitor behaviors, adapt the training program, and carry out investigations as well as how the ITP itself will be assessed on a regular basis.

Getting started

To begin with, a manager and dedicated working party are required to help steer the ITP. The members will need to have clear roles and responsibilities and to agree to a set code of ethics and/or sign an NDA. This is because there are many laws related to employee privacy and monitoring, as well as legal considerations and concerns that must be factored into the writing and execution of policy. The first job of the working group will be to create an operations plan and put together a high-level version of the insider threat policy.

They’ll then need to consider how to inventory and access internal and external data sources, and to do this the working group will need to be familiar with the record handling and use procedures specific to certain data sets. Once the processes and procedures needed to collect, integrate, and analyze the data have been created, the data should be marked according to its use, since it may later be relevant to a privacy investigation. (Interestingly, nearly 58 percent of incidents that impact sensitive data are caused by insider threats, according to Forrester.)

Consider whether you’ll use technology to monitor end user devices, logins, etc. and document this through signed information systems security acknowledgement agreements. Potential indicators of compromise (IoCs) could include database tampering, inappropriate sharing of confidential company information, deletion of files or viewing of inappropriate content. When such behaviors come to light, discretion is critical, and any investigation needs to be watertight and defensible as it may result in a legal case.
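One way to turn the indicators named above (database tampering, sharing confidential data outside the company, bulk file deletion) into triage logic that groups findings per user for the ITP working group. This is an added example in Python, not code from the original article or from any product; the audit events are constructed, and the event field names, thresholds and company domain are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: every event carries ts/user/action/target/label,
# shares carry a recipient, database queries carry the statement text.
COMPANY_DOMAIN = "example.com"          # assumed internal mail domain
BULK_DELETE_THRESHOLD = 20              # deletions per window that warrant review
WINDOW = timedelta(minutes=10)
CONFIDENTIAL = {"confidential", "restricted"}
# Statement fragments that alter or erase records rather than read them.
TAMPER_PATTERNS = ("drop table", "truncate table", "alter table",
                   "delete from audit", "update audit")


def constructed_events():
    """Constructed sample audit log (not real data) covering normal and suspicious activity."""
    base = datetime(2022, 5, 10, 22, 0)
    events = []
    # bob deletes 25 project files in four minutes late in the evening
    for i in range(25):
        events.append({"ts": base + timedelta(seconds=10 * i), "user": "bob",
                       "action": "file_delete", "target": f"/proj/doc{i}.docx",
                       "label": "internal"})
    # alice deletes three of her own drafts during the day: ordinary housekeeping
    for i in range(3):
        events.append({"ts": base.replace(hour=14) + timedelta(minutes=i),
                       "user": "alice", "action": "file_delete",
                       "target": f"/home/alice/draft{i}.txt", "label": "internal"})
    # carol shares a confidential spreadsheet with an address outside the company
    events.append({"ts": base.replace(hour=11), "user": "carol", "action": "file_share",
                   "target": "/finance/q2-forecast.xlsx", "label": "confidential",
                   "recipient": "someone@example.org"})
    # dave runs a destructive statement against the audit table
    events.append({"ts": base.replace(hour=23, minute=30), "user": "dave",
                   "action": "db_query", "target": "hrdb", "label": "restricted",
                   "statement": "DELETE FROM audit_log WHERE actor = 'dave'"})
    return events


def find_bulk_deletions(events):
    """Sliding window over each user's deletions; report the busiest window if it
    reaches the threshold, so a handful of routine deletions is not flagged."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "file_delete":
            by_user[e["user"]].append(e["ts"])
    findings = []
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BULK_DELETE_THRESHOLD:
            findings.append((user, "bulk_deletion", f"{best} files within {WINDOW}"))
    return findings


def find_external_shares(events):
    """Flag confidential or restricted files shared to a non-company recipient domain."""
    findings = []
    for e in events:
        if e["action"] != "file_share" or e.get("label") not in CONFIDENTIAL:
            continue
        domain = e.get("recipient", "").rsplit("@", 1)[-1].lower()
        if domain != COMPANY_DOMAIN:
            findings.append((e["user"], "external_share",
                             f"{e['target']} -> {e['recipient']}"))
    return findings


def find_db_tampering(events):
    """Flag statements that alter schema or erase audit records; whitespace and case
    are normalised so formatting differences do not hide a match."""
    findings = []
    for e in events:
        if e["action"] != "db_query":
            continue
        stmt = " ".join(e.get("statement", "").lower().split())
        if any(p in stmt for p in TAMPER_PATTERNS):
            findings.append((e["user"], "db_tampering", e["statement"]))
    return findings


def triage(events):
    """Group findings by user so the ITP reviews one case per person, not per event."""
    report = defaultdict(list)
    for user, kind, detail in (find_bulk_deletions(events)
                               + find_external_shares(events)
                               + find_db_tampering(events)):
        report[user].append((kind, detail))
    return dict(report)


if __name__ == "__main__":
    for user, items in triage(constructed_events()).items():
        print(user, items)
```

Each finding is only a prompt for the discreet, documented review the text calls for; the thresholds would be tuned against the organization's own baseline of normal activity.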

Digital forensics for defensibility

How the business responds to and investigates incidents should also be detailed in the ITP. Consider whether the investigation will be internal, at what point you’ll need to involve external agents, and who will need to be notified. Where will the data for the investigation be held? How long will the information be held for? While it’s important to retain relevant information, you don’t want to fall into the trap of keeping more than necessary, as this elevates risk, which means the ITP should also overlap with a data minimization policy.

Digital forensics tools should be used to enforce the ITP. You’ll need to decide how you proactively manage insider threats and whether these tools will only be used post-analysis or covertly. For example, some businesses with high value assets will carry out a sweep to establish if data has been exfiltrated when an employee leaves the organization. You should also ensure these tools are able to remotely target endpoints and cloud sources even when they’re not connected and should be OS-agnostic so you can capture data on Macs as well as PCs.

Digital forensics ensures the business can quickly capture and investigate any incidence of wrongdoing. For example, it can determine the date, time and pathway used to exfiltrate data from the corporate information estate to any device, endpoint, online storage service such as Google Drive or Dropbox, or even publication over a social media platform. Once the data has been traced, it’s then possible to narrow down likely suspects until the team has indisputable proof.

Both the way the investigation is done and the evidence itself must be beyond reproach and legally defensible because such incidents may lead to dismissal or even prosecution. If challenged in a legal tribunal, the business would then need to prove due diligence so there must be a forensically sound and repeatable process and a proper chain of custody when it comes to safeguarding the handling of the evidence.

Keeping employees onside


Insider Threat Program The Ultimate Step-By-Step Guide


Tags: insider threat program


Jan 13 2022

Data security in the age of insider threats: A primer

Category: Insider Threat | DISC @ 10:19 am

On the last point, one high-profile case illustrated the potential consequences of this behavior: two General Electric employees started a competing company based on trade secrets that they downloaded at work. These two former GE employees ended up with a prison sentence and a $1.4 million fine – a searing reminder that employees do not have the right to take company data to another company.

While most insider data breaches aren’t quite as malicious or blatant, it’s important to prepare for the worst-case scenario.

What drives insider threat?

An insider threat typically refers to potential attacks from users with internal or remote access inside the system’s firewall or other network perimeter defenses. These “threat actors” can include employees, contractors, third-party vendors and even business partners. In other words, anyone with network access. Potential results include fraud, theft of intellectual property (IP), sabotage of security measures or misconfigurations to allow data leaks.

Of course, not all insider threats come from actual insiders. It’s not hard to imagine instances where, for example, an external party gains access to the physical premises and connects to the network directly, deploying a router in a discreet location for future remote access. This example raises the importance of on-premises security and early detection whenever unapproved devices are added to the network.

A few common devices, like memory sticks or Bluetooth transmitters, can also pass under the radar. Does your system detect these on insertion? Probably not. This is important because it emphasizes a few key points:

  • There is no single security solution to cover every possible threat.
  • Insider threats are difficult to pin down without knowing the motivations or patterns of potential attackers.

What motivates an insider threat?

The Insider Threat: Assessment and Mitigation of Risks

Tags: insider threats, The Insider Threat: Assessment and Mitigation of Risks


Dec 28 2021

External attackers can penetrate most local company networks

Category: Cyber Threats, Insider Threat, Threat detection | DISC @ 9:54 am

These are the results of a new research report by Positive Technologies, analyzing results of the company’s penetration testing projects carried out in the second half of 2020 and first half of 2021.

The study was conducted among financial organizations (29%), fuel and energy organizations (18%), government (16%), industrial (16%), IT companies (13%), and other sectors.

During the assessment of protection against external attacks, Positive Technologies experts managed to breach the network perimeter in 93% of cases. According to the company’s researchers, this figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure.

“In 20% of our pentesting projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those. According to our customers, events related to the disruption of technological processes and the provision of services, as well as the theft of funds and important information pose the greatest danger,” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.

“In total, Positive Technologies pentesters confirmed the feasibility of 71% of these unacceptable events. Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.

Despite the fact that financial organizations are considered to be among the most protected companies, as part of the verification of unacceptable events in each of the banks we tested, our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds.

An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to our research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main way criminals can penetrate a corporate network (71% of companies), primarily because of simple passwords used, including for accounts used for system administration.

Microservices Security in Action: Design secure network and API endpoint security for Microservices applications

Tags: External attackers


Dec 20 2021

Insider Threat Mitigation for U.S. Critical Infrastructure

Category: Insider Threat | DISC @ 12:27 pm

Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore

Tags: Critical infrastructure, Inside Jobs, Insider Risk, Insider Threat Report


Dec 06 2021

2022 and the threat landscape: The top 5 future cybersecurity challenges

2022 is going to be a year of building greater resiliency and integrating this into all aspects of business operations. This will require organizations of all levels to review how they are responding to a larger scale of sophisticated threats. To build on the efforts of 2021, CISOs need to address how they can implement innovation into their business without making themselves more vulnerable to damaging attacks.

There are five big trends that I see defining the market in 2022 that security professionals should pay attention to:

1. The rise of the "assume-breach" mindset

Zero trust applies the principle of fundamentally not trusting anything on or off your network and adopts an "assume-breach" mindset.

2. Innovation and new risk in 5G

3. Customization, personalization and getting personal with phishing tactics

4. Hackers will go for gold at the Beijing Olympics

5. The enterprise API ecosystem will show its vulnerabilities

The Ransomware Threat Landscape: Prepare for, recognize and survive ransomware attacks

Tags: threat landscape


Jan 27 2021

Dutch Insider Attack on COVID-19 Data

Category: Insider Threat | DISC @ 11:18 am

Tags: COVID-19


Jan 25 2021

Insider Attack on Home Surveillance Systems

Category: Cyber surveillance, Insider Threat | DISC @ 11:23 am


Sep 10 2019

Insider Threat Report

Category: Insider Threat | DISC @ 10:05 pm

Insider Threat Report [Verizon]

What is Insider Threat?
httpv://www.youtube.com/watch?v=gwaA2xEPSEs

A Framework to Effectively Develop Insider Threat Controls
httpv://www.youtube.com/watch?v=BDMIOzdVnGE

Insider Threats:
A Worst Practices Guide to Preventing Leaks, Attacks, Theft, and Sabotage

httpv://www.youtube.com/watch?v=tkB4FLEEq74


Tags: Insider Threat Report


Apr 14 2019

Insider Threat Report

Category: Insider Threat | DISC @ 3:29 pm

Insider Threat Report – Out of sight should never be out of mind





Tags: Insider Threat Report


Feb 13 2009

Global economic insecurity and rise of insider threats

Category: Insider Threat | DISC @ 6:04 pm


According to a BBC News article by Maggie Shiels (Feb 11, 2009), the world's biggest software maker has warned companies to expect an increase in "insider" security attacks by disgruntled, laid-off workers. Microsoft said so-called "malicious insider" breaches were on the rise and would worsen in the present downturn.





Below are the high points:
• With 1.5 million predicted job losses in the US alone, there is increased risk of and exposure to these attacks.

• "Insider threat is one of the most significant threats companies face," said Microsoft's Doug Leland.

• The malicious insider is classed as the greatest security concern because they have access, and relatively easy access, to corporate assets.

• During economic insecurity people are motivated by revenge, fear or greed.

• 88% of data breaches were caused by simple negligence on the part of staff.

• Employees steal information to sell to a third party, to get back at a company for being laid off or demoted, or to try to get a job at another company.

• Even though insider attacks are fewer in number, they can be more devastating because the employee knows where "the crown jewels" are kept, unlike a hacker who has to go on something of a "fishing expedition" to find a company's valuable assets.

• The outstanding, unsolved, unaddressed risk management problem that has existed for years is that everyone is focusing on the hacker.

• Data loss prevention systems specialize in the detection of precisely these events.

Here is the article: Malicious insider attacks to rise

To find the correct balance between data security and data availability, organizations are urged to buy a copy of Data Breaches: Trends, costs and best practices.

Even in good times, management is focused on driving shareholder value by increasing revenue and profits. I think during this economic downturn information security will be the last thing on their minds, which will not only compound the problem but also give an edge to an attacker, and is simply a bad business decision considering the circumstances. It's about time to start paying attention to regulatory compliance for the sake of securing organizational assets. A good place to start is to have some sort of baseline based on an information security framework and come up with a strategy to improve on that baseline. An ISO assessment can be utilized to baseline the organization's security posture and is a great first step towards ISO 27002 compliance, or for that matter any compliance audit.

What do you think: are board rooms appropriately prepared to tackle, or perhaps slow down, the wave of data breaches coming our way?

Related articles:
• Unstable Economy and Insider Threats
• Economic Crisis Tops Security Threats to U.S

Detecting Insider Threats
httpv://www.youtube.com/watch?v=2Ce3S6DkvwY





Tags: BBC, Consultants, Data loss prevention products, Information Security, International Organization for Standardization, iso 27002, Microsoft, Risk management, Security


Dec 16 2008

Unstable economy and insider threats

Category: Information Security, Insider Threat | DISC @ 2:42 am

During the current unstable economy, organizations face increased threats from insiders, and this will continue through the tough economic years ahead. In hard times organizations not only have to worry about outsider threats but will also face an increased threat from disgruntled employees who see no future with the organization. In these circumstances, when new jobs are hard to come by, revenge or financial need can become a motivating factor for a disgruntled employee.

In July 2008, San Francisco city network administrator Terry Childs, who hijacked the city network, was arrested and charged with locking his own bosses and colleagues out of the city network. Basically his bosses got caught sleeping on the job because they were not monitoring this guy, who happened to hold the keys to their kingdom. The San Francisco city network controls data for its police, courts, jails, payroll, and health services. After 8 days in a jail cell Terry Childs finally relinquished the password to Mayor Gavin Newsom in his jail cell. Why San Francisco's network admin went rogue

Here are some considerations for tackling insider threats:

Manage and monitor access
Manage your users through a single sign-on source such as Windows Active Directory or Sun's single sign-on directory, which not only enables controlled access to sensitive data but also lets you disable access to all resources from a single location when an employee leaves the company. A single sign-on solution also provides a comprehensive audit trail that can serve as forensic evidence during incident handling.

Limit data leakage
Intellectual property (designs, patterns, formulas) should be guarded with the utmost vigilance. Access to IP should be limited to a few authorized users, and controls should be in place to limit data leakage outside the organization. Protect your online assets, and disable removable media to prevent classified data from being copied onto USB drives, CDs and mobile phones.

Principle of least privilege
This requires that a user be able to access classified information only when they have a legitimate business need and management permission. Sensitive data should be distributed on a need-to-know basis, and system logs and auditing must be turned on so you can review that access is limited to those who are authorized. Proactively review the logs for any suspicious activity. If suspicious activity is detected, increase the audit and monitoring frequency for that user to track their day-to-day activity. Limit access to critical resources via remote access.

Conduct background checks
Conduct background checks on all new and suspicious employees. All employees who handle sensitive data must go through a background check. HR should conduct background verification, reference checks and a criminal history check covering at least 5 years. The type of checks conducted on an individual will depend on their access to classified information.

Risk assessment
Conduct a risk analysis of your data on a regular basis to determine what data you have, its sensitivity, where it resides and who the business owner is. The risk analysis should determine appropriate data classification based on sensitivity and the risks to the data. Regular risk assessments are necessary because, with the passage of time, data classification may change based on new threats and the sensitivity of the data.
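The "manage and monitor access", "limit data leakage" and "principle of least privilege" items above all reduce to the same operational habit: compare what the audit trail shows against the need-to-know list and the leaver list, and raise monitoring on anyone who stands out. The following is an added example written for this post, not code from the original article or any product; the key=value log format, user names, resource paths, authorization table and business-hours policy are all constructed. In a real deployment the authorization table would come from the SSO directory and the leaver list from HR, and the copy-to-USB events from the DLP or endpoint agent.

```python
"""Review access logs for insider-threat indicators.

Added example (not code from the original post). The log format, resource
names, user names and authorization table are constructed for illustration;
a real deployment would read these from the SSO directory, HR and the
DLP/audit system the post recommends.
"""
from datetime import datetime
import re

# Constructed audit lines in a simple key=value format.
SAMPLE_LOG = """\
2023-11-02T09:12:04Z user=asmith action=read resource=/ip/formulas/f-17 result=success
2023-11-02T09:40:51Z user=jdoe action=read resource=/ip/formulas/f-17 result=success
2023-11-02T22:15:09Z user=asmith action=read resource=/ip/designs/d-3 result=success
2023-11-03T10:02:33Z user=bwong action=read resource=/ip/formulas/f-17 result=success
2023-11-03T10:05:12Z user=bwong action=copy resource=/ip/formulas/f-17 result=success device=usb
2023-11-03T11:30:00Z user=cgreen action=read resource=/hr/handbook result=success
2023-11-03T11:31:00Z user=cgreen action=read resource=/ip/patterns/p-9 result=denied
"""

# Who may touch each classified area (need-to-know list from the business owner).
AUTHORIZED = {
    "/ip/formulas": {"asmith", "bwong"},
    "/ip/designs": {"asmith"},
    "/ip/patterns": {"bwong"},
}
# Accounts that HR reported as terminated; SSO should already have disabled them.
DEPARTED = {"jdoe"}
# Hours (applied to the log timestamps) outside of which IP access is unusual; constructed policy.
BUSINESS_HOURS = (8, 18)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Turn one audit line into a dict; every key=value pair is kept as a string."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def classified_area(resource: str):
    """Return the classified prefix a resource falls under, or None."""
    for prefix in AUTHORIZED:
        if resource.startswith(prefix + "/"):
            return prefix
    return None


def review(log_text: str) -> list:
    """Apply the post's controls as detection rules; return (user, rule, resource) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, resource = ev["user"], ev["resource"]
        area = classified_area(resource)
        # Rule 1: a departed account must never succeed; if it does, the leaver process failed.
        if user in DEPARTED and ev["result"] == "success":
            findings.append((user, "DEPARTED_ACCOUNT_ACTIVE", resource))
        # Rule 2: least privilege; even a denied attempt outside need-to-know is worth a look.
        if area and user not in AUTHORIZED[area]:
            rule = "UNAUTHORIZED_ACCESS" if ev["result"] == "success" else "UNAUTHORIZED_ATTEMPT"
            findings.append((user, rule, resource))
        # Rule 3: limit data leakage; classified data copied to removable media.
        if area and ev.get("action") == "copy" and ev.get("device") == "usb":
            findings.append((user, "REMOVABLE_MEDIA_COPY", resource))
        # Rule 4: after-hours access to IP is a prompt to raise monitoring on that user.
        if area and not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            findings.append((user, "AFTER_HOURS_ACCESS", resource))
    return findings


def users_to_escalate(findings: list) -> set:
    """Users with two or more findings get increased audit and monitoring frequency."""
    counts = {}
    for user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return {u for u, n in counts.items() if n >= 2}


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f)
    print("escalate:", users_to_escalate(found))
```

On the constructed log this reports the departed account still reading IP (two findings, so that user is escalated), an authorized user reading designs late at night, an authorized user copying a formula to USB, and a user whose denied attempt on a pattern file shows they are probing outside their need-to-know. The denied attempt is deliberately kept: a working access control stopped it, but the attempt itself is the early signal the post asks you to look for.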

Digital Armageddon – The Insider Threat
httpv://www.youtube.com/watch?v=FQ4bvCPwFMY





Tags: Background Check, Detect activity, Gavin Newsom, Intellectual Property, Manage access, Monitor access, Online assets, risk analysis, San Francisco, Security, Tough Economy