The threat of accidental or malicious employees compromising information security has been around ever since there were computer systems. But you would have thought by now that CISOs would have got a handle on it.
Not so, according to a new report from training and research firm the SANS Institute, which I’ve just covered for Infosecurity Magazine.
It found that although three-quarters of IT security pros are concerned about the insider threat, a third have no means of defending against it and around half either don’t know how much they’re spending on it or have no idea what the potential losses would be.
From JPMorgan to Chesapeake, the dangers of failing to properly mitigate internal risks are clear to see, but firms seem to be slow on the uptake.
According to Roy Duckles, EMEA Channel Director at Lieberman Software, it’s a lack of “visibility, accountability and auditability” which is to blame.
“There is an assumption that if a person or group have the ‘keys to the kingdom’ with full admin rights across an enterprise, that this is a viable and effective way to apply security policies,” he told me.
“Where most businesses fail is due to the fact that this approach not only reduces security, but it makes it almost impossible to see who is changing what, on which systems, at what time, and the effect and risk that it has on a business.”
Firms therefore need to remove privileges where possible, introduce 2FA and prevent admins “knowing” which passwords get them into systems, he advised.
Sagie Dulce, security researcher at Imperva, told me by email that organisations lack “budget, training, technology and an incident response plan” for when a breach occurs.
“Obviously, the first thing organizations must do is put some resources into the insider threat. The second thing organizations must do is prioritise: ask themselves what are the most important things they are trying to protect?
Once they know what they are trying to protect they should consider:
- Is it Personal Information, emails, code etc?
- Is the data structured, unstructured?
- Is it found on databases, file shares?
- Who has access to this data and how (from special terminals, via VPN, 3rd party partners etc.)?”
Finally I asked David Chismon, security consultant at MWR InfoSecurity, who repeated the notion that employees should be given the minimum access necessary to do their jobs.
Investing in systems to spot insider abuse could also help protect organisations against targeted attacks which spearphish users and abuse their access, he argued.
“For example, organisations are able to detect when an employee’s account is used to try and access data it shouldn’t or if a large amount of data is being exfiltrated,” Chismon explained. “It doesn’t matter at that stage if it is the employee misusing their account or an external attacker who has compromised the network.”
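Chismon’s point is that the detection is account-centric: the same rules fire whether the employee or an outsider holding their credentials is behind the keyboard. The following is an added example, not code from the article or any of the vendors quoted; the role policy, the access events and the per-user volume baselines are all constructed for illustration.

```python
"""Account-centric detection over constructed access logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed policy: which resource classes each role may legitimately touch.
ROLE_ACCESS = {
    "sales": {"crm"},
    "engineering": {"source", "ci"},
    "finance": {"ledger", "payroll"},
}

# Constructed history: total MB read per day by each account over prior days.
BASELINE = {
    "alice": [40, 45, 50, 42, 48],
    "bob": [120, 130, 110, 125, 115],
}

# Constructed events for the day under review: (user, role, resource, MB read).
# alice's account reaches into the finance ledger and pulls far more than usual.
EVENTS = [
    ("alice", "engineering", "source", 30),
    ("alice", "engineering", "ledger", 260),
    ("bob", "sales", "crm", 118),
]


def detect(events, baseline, k=3.0):
    """Return alerts for out-of-role access and abnormal transfer volume.

    Alerts name only the account. Nothing here distinguishes an insider
    misusing their own login from an attacker using stolen credentials,
    which is exactly why the same investment covers both cases.
    """
    alerts = []
    per_user_total = defaultdict(int)
    for user, role, resource, mb in events:
        per_user_total[user] += mb
        if resource not in ROLE_ACCESS.get(role, set()):
            alerts.append((user, "out_of_role_access", resource))
    for user, total in per_user_total.items():
        history = baseline.get(user, [])
        if len(history) < 2:
            continue  # no usable baseline yet, so volume cannot be judged
        mu, sigma = mean(history), pstdev(history)
        # Floor the spread at 10% of the mean so a flat history is not hair-trigger.
        threshold = mu + k * max(sigma, 0.1 * mu)
        if total > threshold:
            alerts.append((user, "volume_anomaly", total))
    return alerts
```

Running `detect(EVENTS, BASELINE)` flags alice’s account twice (ledger access outside her role, and 290 MB against a threshold of roughly 58 MB) while bob’s normal day produces nothing.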
It should come as no surprise that the web application layer is one of the most vulnerable and highly targeted in any IT organisation. The latest report from Imperva, which I’ve just covered for Infosecurity Magazine, bears that out and adds some interesting new insights.
Did you know, for example, that public cloud platforms like Amazon Web Services are increasingly being used by cyber criminals to launch such attacks?
According to Imperva, 20% of all known vulnerability exploitation attempts aimed at its customers came from AWS servers – that’s a pretty sizeable chunk.
Director of security research at the Israeli firm, Itsik Mantin, told me part of the reason:
“The ability of the attackers to utilize cloud services to mount their attack, makes it easier for them to carry out longer campaigns, and thus they can scan for more vulnerabilities in more pages in the target application,” he said.
Another point of note from the report is the continued growth in SQL injection attacks – up 10% since the last report – and the less well known Remote File Inclusion (RFI) attacks, which have increased 24%.
So what’s to blame? Well, not necessarily bad coding, according to Mantin.
“Applications have become more complicated, with more pages and more functions, relying on more third-party modules that are hard to control, and thus the size of the attack ‘domain’ grows over time,” he explained.
Mantin also pointed out that the attack incidents analysed in the report included attacks that were detected and prevented.
“Thus the numbers in the research indicate more the attacker’s intention and less the vulnerability of the applications,” he said.
Here’s an interesting new idea from Microsoft – a radical solution to the problem of buggy code.
The new paper, written by Redmondian Andrew Begel and a group of Zurich university boffins, suggests managers monitor programmers via EEG, EDA and eye-tracking sensors. These will alert them when the individual is struggling and therefore likely to introduce flawed code.
Now, it sounds like a pretty good idea in theory, and in practice has apparently performed pretty well. But one security expert I spoke to had some major misgivings.
Imperva co-founder and CTO Amichai Shulman argued that it might stray outside the boundaries of what could be construed “reasonable”.
“I think constantly monitoring the psychological status and the physical conditions of programmers, seems tremendously intrusive and probably strays way off from what I consider to be ‘reasonable means’,” he told me.
“However, I think that even if we review this in the cold eyes of a software professional there are some doubts about the usefulness of this method in general and its application to security vulnerabilities in particular.”
The first doubt he had relates to the tremendous commercial pressure coders are under to release “more functionality in less time”.
“On their way to achieving higher rates of LOC/sec, programmers as well as their employers are willing to sacrifice other attributes of the code such as efficiency, readability and also correctness – assuming that some of these will be corrected later during testing cycles and some will not be critical enough to be ever fixed,” he explained.
“If we introduce a system that constantly holds back on programmers because they are stressed for some reason we will effectively introduce unbearable delays into the project which will of course put more pressure on those who perform the job when schedule becomes tight.”
This is not to mention the fact that programmers should, at times, be “over” challenged to keep them sharp and happy with their roles.
“Additionally, there’s a big question of whether a system like that can make a distinction between making a critical mistake or a minor one, which again impacts its ability to have a positive effect on the software development process in general,” said Shulman.
Then, of course, there’s the issue of what kinds of flaws the system will root out.
“I think that most security related mistakes are introduced inadvertently as a consequence of the programmer not having the faintest idea regarding the potential implication of some implementation decision,” he argued. “This is the case with SQL injection, XSS, RFI and many more vulnerability types.”
So, bottom line: nice idea Microsoft, but it’s probably not going to solve the problem of poor coding anytime soon. Until something genuinely revolutionary comes along we’ll probably have to stick to the usual suspects to reduce risk: security tools, patching, better QA and testing.
One of the first stories of note I covered was news, broken first by The Indy, that a cyber crime boss had released a video to the darknet offering up a Porsche or Ferrari to the cyber goon-for-hire who could come up with the most lucrative scam.
Now, if it’s true, the story is an interesting one in what it tells us, or confirms to us, about the economics of cyber crime.
Namely, that if the bad guys have this kind of money knocking about – to blow on a kind of bizarre “employee of the month” competition – then how can the police, government and even security vendors hope to attract and retain the best talent?
If nothing else, Rapid7 global security strategist Trey Ford told me by email, it shows the sheer professionalism of cyber gangs today and the vast scale of the underground economy.
“With every part of our lives revolving around increasingly connected technologies, the line between physical and virtual is gone, and the opportunities for attackers are immense,” he added.
“The general public needs to understand this is no longer a world of script kiddies and evil foreign governments, where the average person is unlikely to be a victim. Cyber crime is big business, and everyone is a potential target.”
It sounds obvious but it’s worth saying again, and stories like this at least raise these problems in the public eye.
The other alternative, of course, is that it’s a hoax. Amichai Shulman, co-founder and CTO of Imperva, was not convinced by the story.
“I find it odd that criminal organisations resort to ‘advertising’ an ‘employee of the month’ program. I don’t think that we’ve seen this with recruiting skilled chemists for drug making and drug design or astute economists for money laundering schemes,” he argued. “This leads me to speculate that this is a hoax.”