Insiders are a major threat, too, and often overlooked. We’re not just talking about hackers anymore as a risk to companies, but people within the company who are both malicious and innocent.
Who is an “insider,” you ask? Key employees that work inside your building are obvious, but what about telecommuters? Are they an insider just because they have login credentials and access to your network? Consultants? Temp workers? What about partners? If they are an insider, how much of an insider are they? Do they have access to all your strategies and pricing? Probably not. The line is quite grey these days between insiders and outsiders and they are all a threat to your business.
The causal hackers aren’t the real threat. Many companies get uncomfortable with me saying so, but hackers actually help us! They trip land mines that are waiting to be exploited. You have much more control about your insider threat – so acknowledge it and act.
Insiders already have access to your systems and know where the crown jewels are. A recent study done by the FBI crime lab reported a staggering statistic: over 80% of all computer crime was committed by insiders.
Companies focus on hackers but this is the wrong assumption. And they always forget it’s their crappy software that allows hackers to exploit them in the first place. These same defects are there for your partners, employees, and consultants to exploit too.
Troubling Case Studies
One client of mine is an organization in the manufacturing sector. This company has an extranet where partners bid on parts, submit quotations, and respond to proposals.
One partner was so paranoid about what their competitors were doing they used a cross-site scripting defect in the extranet to escalate their rights to administrator level. Once they had uber-user privilege, they were able to view all bids and see exactly how competitors were pricing their products.
Another example involved a financial services company that outsourced its application development to a company in the Far East. This was a CMM level-5 company, which means it had a well established and documented process.
This outsourcing company had a few malicious users on the payroll and they coded a back door in the application that was sent off to the client. This error was not caught immediately because the financial services company just did a cursory security scan as part of their acceptance testing.
They made the fatal people assumption their outsourced vendor employed ethical staff and didn’t do any checks on either the employees or the code they wrote. The back door was simply a URL that went undocumented and could be triggered remotely.
Once the program was deployed, the malicious users were able to skim customer information such as account numbers, statement balances, and other information. The company who had deployed the system had no idea until their clients contacted them complaining of fraudulent charges. It was traced back to the embedded URL, but not until months later.
A company must be able to educate its employees on the risks facing it. These risks include writing applications securely, auditing outsourced functions for security holes, and providing training to everyone from your procurement team to your network IT staff.
Unfortunately, we can’t trust everyone implicitly. Background checks are useful, but secure your information systems from the inside out put you in a situation where you can’t be burned as easily.
Consider how to build in checks and balances to your critical data flow to protect yourself from bad people assumptions. Practice threat modeling and brainstorm with your management team about possible abuse case; you’ll be amazed at what they come up with (and how unprotected you might actually be!).
And if you ever hear your team say, “We don’t need any security training,” or “It can’t happen to us!” be afraid … be very afraid.
In the coming weeks look for more expanded articles from Ed Adams covering each of these themes: Over-relying on Network Defenses, Believing the Hype of Technology/Tools, Too Many People Assumptions, Assuming Secure Software is Costly, and Falling into the “Recency” Trap.
Ed Adams is CEO of Security Innovation, an independent provider of application security services that include security testing and training.