Top Threats: The Insider Threat Is Proficient
April 23, 2013
When a business begins to think about security, they typically want to know what threats they are facing and how to protect against them. They will hire industry leading security consultants to help them map out what best tools can be purchased and implemented or how to segment their network. All of this is necessary, but will it help solve one of the biggest threats out there, the insider.
The insider threat does not necessarily mean a disgruntled employee that wants to wreak havoc within the company, or a mole sent to disrupt business. The real inside threat comes from the “happy clicker”. The happy clicker is that employee that will open up e-mail from unknown senders, spends a good amount of time on social networking sites, and clicks on links to unknown web pages. These are not the disgruntled employee trying to sabotage the businesses security from within; they just do not understand safe use practices.
According to statistics from the Ponemon Institute, when surveyors where asked, “How significant is the negative impact of each scenario on your organization’s security posture today?”, “Employee negligence or carelessness” ranked fourth out of five responses, with 23% responding Very significant and an identical 23% responding Significant.
Back in late 2009 and early 2010, a red-team hacker created fake profiles on the popular social networking sites of LinkedIn, Facebook, and Twitter and managed to spoof several military intelligence and information security experts into connecting. The name of the fake, twenty-something woman was Robin Sage, and she was an employee of the Naval Network Warfare Command. Robin was able to make connections with members of the Joint Chiefs of Staff, the CIO of the NSA, the Marine Corps Intelligence Director, and a chief of staff for the U.S. House of Representatives. Additionally, Robin made friends with an at-the-time deployed U.S. Army Ranger. Through her friendship with the Ranger, the red-team hacker was able to extract GeoIP data from pictures posted on Facebook, giving away sensitive information concerning that unit’s area of operations.
What is extraordinary about this social engineering campaign is the level of access Robin was able to gain, given her name. Robin Sage is the well-known name of an Army Special Forces exercise that all potential Green Berets go through during the Special Forces Qualifications Course. If leading experts in the realm of intelligence and information security can be duped by social engineering, so can your happy clicker executive assistant or helpdesk analyst. Social engineering is one of the best ways that those with nefarious intentions can gain sensitive data via social networking sites, and be able to target the right individuals in your organization for phishing and/or spam campaigns.
Spam and Phishing:
Chances are you have received that email saying you are lucky enough to have been selected to collect money from your long-lost uncle from Africa? If you have, then you know about spam and the nuisance it is and the threat it poses to your company and employees. Same goes for phishing, either pretending to be your bank or IT support technician, “phishing” for details to steal your identity or account credentials. Spam and phishing are one of the most prevalent threats faced today, and have been for some time. Below are a few industry statistics gathered by top researchers and information security firms:
- Spam in email traffic in January, 2013 was at 65.9%, or 1 of every 1.52 emails globally . The top category of spam emails was Sex/Dating, accounting for 78.13%
- .214% of emails, or 1 of every 466.3 emails circulated globally in February were phishing emails
Outside of social engineering leading to an increase in spam and phishing traffic through a company’s email systems, internet use also opens the company up to a variety of threats, namely exploits that allow the download of malicious code onto a system, or a drive-by download. According to Kaspersky Lab, 56% of exploits were executed against Java (a widely used programming language used to power utilities, games and applications) vulnerabilities . These type of drive-by attacks can happen to anyone, regardless of their role in the company and do not have to be targeted specifically, such as a spearphish or social engineering campaign.
Conclusions and Take a ways:
Businesses looking to enhance their security, regardless of industry, should always protect against industry specific threats, but it is always good to ensure your house is clean. To combat this insider threat, companies should look at enhancing information awareness training for all employees that covers safe and proper use of company resources and information. Companies should also look to ensure that proper patching and maintenance is taken care of on a continuous basis, this includes updating internet browsers and applications used. For the spam traffic, most of this is handled by filters in the email applications and proper information awareness training should educate all employees on how to handle suspicious email if a message makes its way through a filter.
 The State of IT Security, Recent Research Findings & Practice Implications. Dr. Larry Ponemon. Ponemon Institute IT security tracking study, January 2013.
 Symantec Intelligence Report: February 2013, page 2.  Kaspersky Lab, IT Threat Evolution: Q3 2012.