In less than a month, two high-loss insider attacks made big news. In the Capital One breach, an Amazon engineer heisted more than 100 million customer records by using her inside knowledge to break through a misconfigured firewall in a Capital One cloud server hosted at Amazon EC2. Then, less than 30 days later, a former insider from Google was formally indicted for stealing Google's self-driving-car secrets and transferring them to his new employer, Uber.
Many Insiders and Targets
In a new insider threat report conducted at Black Hat by behavior monitoring vendor Gurucul, 24% of 400-plus respondents said that they would take IP with them to a new job.
Finance execs were identified as the biggest risk for fraud, according to the Gurucul survey.
Those with authority working in finance literally hold the keys to the kingdom because they can transfer funds and issue checks. Because of this authority, they are routinely targeted by well-researched, highly-convincing spearphishing scams to transfer money to criminals, and/or expose their organizations to man-in-the-middle attacks or outright credential theft.
In our upcoming SANS survey on advanced threats (publishing with a live webcast on September 25), 35% of respondents said that they lack visibility into insider misuse, while 30% cited the inability to audit for user access are key blind spots in their organizations. Overall, authorized users were considered a greater risk than outsiders.
Get a Plan
Despite all these risks, the vast majority of organizations lack the necessary provisions for responding to insider attacks and threats, based on results from our latest SANS survey on insider threats. In it, only 18% of respondents said that their organizations have a plan for responding to insider attacks, even though the majority also indicated that unintentional insider actions are cause for the most damaging attacks to occur in their organizations.
Prevention should start with good engineering, including strong access controls and good hygiene around user accounts, access rules and credentials, according to Saryu Nayyar, CEO of Gurucul.
"Frequently updating privileged credentials is one of the most basic cybersecurity hygiene tactics an organization can employ to improve their security," she says. "Static credentials allow anyone who knows those credentials, including former employees and contractors, to anonymously access systems for as long as the credentials remain unchanged."
Watch Over Your Kingdom
To protect against insider threat, adds Nayyar, organizations should monitor user and system activities and their access logs against baseline normal behaviors, using analytics and intelligence to tie all the sources of information together for a complete picture of the anomalous behavior.
"Since malicious insiders or external attackers will exploit whatever accounts they can compromise, including user accounts, system accounts, service accounts, it's critical to monitor activity behavior, and also device and identity behavior," she says. "Without this holistic view of activity powered by machine learning and big data, privileged access abuse will go undetected until the damage is done."
