By Sanjay Raja, VP of Product Marketing and Solutions

Insider threats are more dangerous and more top of mind for security pros in 2022 than they’ve ever been. That’s one of the major findings from the 2023 Insider Threat Report from Cybersecurity Insiders. This report (sponsored by Gurucul) surveyed hundreds of cybersecurity professionals to reveal the latest trends and challenges facing organizations related to insider threats and how they are preparing to protect their data and infrastructure.

Let’s break down the top findings from the report.

A Rising Threat

Overall, security professionals are not confident they can reliably detect and block insider attacks. 74% reported their organization was moderately to extremely vulnerable to an insider attack. 74% also say insider threat attacks have been getting more frequent, a 6% increase over 2021. 60% of respondents reported that they experienced an insider attack in 2022, while 8% experienced more than 20 such attacks. 48% agree that insider attacks are more difficult to detect and prevent than external attacks. Since insider threats use legitimate accounts and credentials and abuse IT tools, it’s challenging for defenders to tell them apart from normal user activity. These results suggest that security teams should dedicate considerable resources to defending against them in 2023.

Insider Threats Under the Hood

This report dug deep into the motivations, types of attacks, and targets that security professionals are most concerned about. Monetary gain was the top malicious motivation for an insider threat at 59%, but many other drivers were close behind. Reputation damage was at 50%, theft of intellectual property was at 48%, and fraud was at 46%. Since no one factor was the clear winner, insider risk programs must take all of these factors into account.

71% of security pros are most concerned about compromised accounts/machines. This is followed by inadvertent data breaches/leaks (66%), negligent data breaches (64%), and malicious data breaches (54%). This is a good reminder that accidents, mistakes, and confusion among employees can create insider risks just as easily as a malicious insider. Among insiders, security pros are understandably most concerned about IT users and admins with elevated access privileges. If these accounts are compromised, attackers will have a great deal of access to sensitive data and important systems. Third-party contractors and service providers come in a close second in priority, followed by regular users and then privileged business users like CEOs. All of these groups present a significant risk (albeit in different ways) and security professionals are taking all of them very seriously.

Insider Risk Program Adoption

With so many security professionals worried about insider threats, one might expect that defensive efforts to detect and prevent them are a high priority. The report found that this was largely true; 39% of organizations already have an insider threat program in place. Another 46% are planning to add insider threat programs in the future – a rise of 5 percentage points since the 2021 survey. 13% are fired up and ready to add a program in the next six months. I expect there will be greater demand for products, tools and expertise in this area in the next few years. Some insider risk programs have executive buy-in, but the exact chain of command varies from company to company. 25% report to the CISO, 24% report to an IT security manager, 14% report to the director of security and 13% report to an Information Security Officer.

What is driving the creation of corporate insider threat programs? Again, it varies. Nearly half of respondents reported their insider threat program is part of the overall information security governance program. 44% reported their insider threat program is driven by proactive security team initiatives, and 40% said it came from regulatory compliance mandates. It’s encouraging to see many teams taking the initiative to tackle insider threats without being forced by regulation.

All in all, insider threats are a growing threat and a top priority for security teams in 2023. They include a wide range of motives, types, and targets and defenders are actively working to build programs to detect and prevent them. For the full results, you can access the report here: https://gurucul.com/2023-insider-threat-report

Detecting and Stopping Insider Threats Using Gurucul Behavioral Analytics

For organizations building or updating an insider threat program, Gurucul User and Entity Behavior Analytics (UEBA) can detect suspicious behavior immediately and identify high-risk profiles and threats to manage and monitor insider risk. The Gurucul platform monitors an organization’s environment, natively ingests data across multiple data sources including applications, and analyzes this data using advanced behavioral and insider threat machine learning (ML) models and data science. Then it creates time-based behavioral baselines and continuously learns what is acceptable behavior to identify anomalous behavior and zero in on actual threats. By unifying collection and analysis of telemetry across the entire security stack and applying the largest library of pre-packaged ML models in the industry (over 1500), Gurucul can pinpoint unintended and malicious privilege access abuse, unexpected lateral movement and external communications, and data exfiltration quickly and accurately. Overall, Gurucul UEBA provides unprecedented context, behavioral indicators, and timeline views for automating threat assessment, mitigation, and response.

The post 2023 Insider Threat Report Finds Three-Quarters of Organizations are Vulnerable to Insider Threats appeared first on Cybersecurity Insiders.

Technology companies have recently asked many of their employees to stay home because of the fast-approaching recession or for other reasons. But security analysts say that such knee-jerk reactions could spell trouble for these organizations, as employees leaving the firm could turn into an insider cyber threat out of frustration or anger.

Twitter, Facebook, Amazon, HP, Wipro, Oracle, RingCentral, Intel, Microsoft and Cisco have shown the door to most of their senior-level employees in the past few weeks. And since people are often the weakest link in security breaches, the companies listed above should make sure they are proactively ready to face the worst.

Supporting this theory is research carried out by the Ponemon Institute, which claims to have witnessed a 44% rise in threats from insiders in the past two years. Researchers from the institute also state that the cost per incident is up by two-thirds to $15.38 million, from just $5.6 million in 2019. Note that 2020 was left out of the count, as the whole world was suffering from lockdowns and immense business losses.

Deactivating remote devices, changing account passwords as soon as a worker is laid off (or deleting their accounts), and revoking access to online and offline processes could save many organizations from a serious business embarrassment.

As for disgruntled employees, threat actors can exploit the mindset of laid-off workers, so employers must keep tabs on employee satisfaction in the office and do their best to shrink the list of disgruntled employees. A fat paycheck, a half-yearly increment and bonuses are all that is needed… isn’t it?

And if anyone wishes to leave the organization, they should first be relieved of their duties and then asked to hand over all the credentials they held. An audit of the IT infrastructure must then be conducted, and only after that should the employee be asked to leave.
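As an added illustration of the offboarding checks described above (not code from the original post), the Python below reconciles a departure list against account, device, token and shared-secret inventories and reports any access that was not removed or rotated on or after the leaver's last day. All names, inventories and dates are constructed sample data; in practice they would be exports from HR, the directory service, MDM and the secrets store.

```python
"""Offboarding access reconciliation: flag lingering access for departed staff.

Added example, not from the original post. Every inventory below is
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Departure:
    user: str
    last_day: date


# Constructed inventories (HR list, directory, MDM, token store, shared secrets).
DEPARTURES = [Departure("alice", date(2022, 11, 4)),
              Departure("bob", date(2022, 11, 18))]
ACCOUNTS = {"alice": {"enabled": True, "pw_rotated": date(2022, 6, 1)},
            "bob": {"enabled": False, "pw_rotated": date(2022, 11, 18)},
            "carol": {"enabled": True, "pw_rotated": date(2022, 10, 2)}}
DEVICES = [{"owner": "alice", "id": "LT-0423", "status": "active"},
           {"owner": "bob", "id": "LT-0190", "status": "wiped"}]
TOKENS = [{"owner": "alice", "name": "ci-deploy", "revoked": False},
          {"owner": "bob", "name": "vpn-cert", "revoked": True}]
SHARED_SECRETS = {"prod-db-admin": {"known_to": {"alice", "carol"},
                                    "rotated": date(2022, 9, 1)}}


def lingering_access(departures, accounts, devices, tokens, shared_secrets):
    """Return (user, finding) pairs for access that should have been removed
    or rotated once the user left. An empty list means offboarding is clean."""
    findings = []
    for d in departures:
        acct = accounts.get(d.user)
        if acct and acct["enabled"]:
            findings.append((d.user, "account still enabled"))
        for dev in devices:
            if dev["owner"] == d.user and dev["status"] == "active":
                findings.append((d.user, f"device {dev['id']} not deactivated"))
        for t in tokens:
            if t["owner"] == d.user and not t["revoked"]:
                findings.append((d.user, f"token {t['name']} not revoked"))
        # Shared credentials the leaver knew must be rotated after their last
        # day: disabling the personal account does nothing for these.
        for name, s in shared_secrets.items():
            if d.user in s["known_to"] and s["rotated"] < d.last_day:
                findings.append((d.user, f"shared secret {name} not rotated since departure"))
    return findings


if __name__ == "__main__":
    for user, finding in lingering_access(DEPARTURES, ACCOUNTS, DEVICES,
                                          TOKENS, SHARED_SECRETS):
        print(f"{user}: {finding}")
```

Running it on the sample data lists four findings, all for alice, while bob's clean offboarding produces none.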


The post Insider Cyber Threats rise by Tech Layoffs appeared first on Cybersecurity Insiders.

By Hermann Hesse, vice president of solutions, strongDM 

As organizations continue the fight to keep outside adversaries from penetrating networks, it’s also become critical for security teams to make sure employees, partners and contractors are also not threatening the enterprise.

An insider data breach costs companies an average of $15.38 million and takes 85 days to contain. That combined with reputational damage and loss of trust has catapulted the topic of the insider threat to the top of many CISOs’ minds.

In this piece, I’ll take a look at insider threats in cybersecurity and the dangers they pose. By the end, you’ll have a clearer understanding of the entire insider threat ecosystem and the best practices you can use to protect your organization, data, and systems.

What is an Insider Threat?

An insider threat occurs when a person with authorized access—such as an employee, contractor, or business partner—compromises an organization’s data security.

A History of Insider Threats

Insider threats have existed throughout history—in religions, ideological groups, government and financial institutions and more. Those with special knowledge or access to ideas, information, money and even other people often used their advantageous positions to block opposition or to gain power, money and influence for themselves. Espionage is a classic example of an insider threat.

Over time, the nature of insider threats has evolved and expanded. In today’s digital age, insider threats frequently involve a cyberattack or IT incident. These security incidents occur across industries and institutions of all sizes and are growing more prevalent as organizations shift to a remote work approach. In fact, 75% of insider threat criminal prosecutions in 2021 were the result of remote workers.

The Three Types of Insider Threats

There are three categories of insider threats: intentional, accidental and compromised.

An intentional threat is caused by a malicious insider—someone who aims to cause harm to or negatively impact the organization. Typically, malicious insiders are motivated by financial, emotional or political gain. Examples include a recently terminated employee who is aiming to get revenge for being fired or someone who is being financially persuaded by a competitor.

An unintentional insider threat occurs when someone accidentally causes harm to an organization or exposes it to future risk. Common examples are employees or contractors who haven’t been given adequate security training, don’t know how to use a piece of technology correctly or simply make an honest mistake by sending an email to the wrong person.

A compromised insider threat incident is when a legitimate user’s credentials have been harvested by a threat actor. In this circumstance, the adversary is able to gain unrestricted access while remaining under the guise of an employee or partner. One example of this is when an employee falls victim to a phishing attack in which a hacker lures them into handing over their login and then uses it to exfiltrate sensitive documents.

The Danger and Risks

Today’s businesses are so reliant on IT and systems to operate that any threat—whether malicious or not—opens up your organization to major financial, compliance and legal fallout.

Data breaches can expose a trove of sensitive and confidential information about your company and customers, seriously hurting your organization’s trust and credibility. Once trust is lost, customers take their business elsewhere, leading to lost revenue. If a law or regulation was violated during the data breach or its containment, your organization could face fines, penalties and lawsuits.

Who Is at Risk?

Any organization can fall prey to insider threats, especially if it deals with sensitive data. But while small and large organizations alike can both experience threats, the nature of the insider threat risk is different for each.

Small organizations tend to have fewer IT resources and smaller budgets, which limits how much they can devote to insider threat user activity monitoring and securing networks, infrastructure, and personnel. On the other hand, large organizations have a larger attack surface—with hundreds if not thousands of employees spread out across multiple locations.

Protecting Against Insider Threats

Now that you have a better understanding of what an insider threat is, it’s important to also know how to protect against them.

One of the easiest ways to protect against insider threats is never putting credentials in the hands of an insider in the first place. Security teams can do this by using a centralized access management platform so that users can only sign onto a single workspace to access all the applications or tools they need. Centralized access management platforms enable authentication, authorization, networking and observability to help protect organizations against insider threats. Security teams get centralized access to user accounts while automated access workflows eliminate time-consuming manual tasks. Role- and attribute-based access control restricts network access to authorized users, and the system’s auditing capabilities provide a clear audit trail of privileged session activities.

The Bottom Line

Insider threats can come from anywhere, no matter the size or makeup of your organization. By having a clear understanding of the history of insider threats, how they might appear and using a centralized access management platform, security teams can stay one step ahead.

The post Insider Threat 101: Understanding The Insider Threat Ecosystem And Best Practices appeared first on Cybersecurity Insiders.

A 40-year-old man could face up to 10 years in prison, after admitting in a US District Court to sabotaging his former employer’s computer systems. Casey K Umetsu, of Honolulu, Hawaii, has pleaded guilty to charges that he deliberately misdirected a financial company’s email traffic and prevented customers from reaching its website in a failed […]

The post IT admin admits sabotaging ex-employer’s network in bid for higher salary appeared first on The State of Security.

A former Twitter employee accused of leaking user details to a Saudi prince has been found guilty of accepting bribes amounting to thousands of dollars and an expensive watch. Ahmad Abouammo, 44, worked as an engineer at Twitter in 2015.

Although he is no longer connected to the social media company, his past deeds have now come to light, confirming him as an insider threat.

According to details available to Cybersecurity Insiders, Ahmad passed on data about Twitter users who were publicly criticizing the government of Saudi Arabia.

Investigations revealed that Ahmad siphoned users’ email addresses, contact phone numbers, IP addresses, location details and tweet content, and passed these details to the Saudi royal family in exchange for luxury goods and currency.

The family linked to the Saudi prince then used the details to track down the Twitter users who were sharing hateful and blasphemous content against the government on Twitter; those users were captured and tortured in a secret prison in 2016.

After the details emerged in the media in 2017, the United States government launched an investigation, and an 11-member jury ultimately found that Abouammo should receive a harsh penalty for his deeds.

Though the court has granted his request to remain out of custody, it has taken an assurance from him that he will not flee the country under any circumstances.

The Saudi government has also investigated the matter separately and acknowledged that Ahmad was passing on foreign secrets, all for money and some material luxuries. The government has also stated that Ahmad was working for Bader Al-Asaker, who in turn was reporting to the family of Saudi Prince Mohammad bin Salman.

NOTE: Insider threat revelations like this might give Elon Musk the upper hand in his legal battle with Twitter.

The post Details about the Twitter’s Insider Threat appeared first on Cybersecurity Insiders.


The next time you fire an employee for low performance or for any other reason, make sure that the data they possess has been handed over to you properly, i.e. systematically.

Otherwise, they could get involved with threat actors and target your organization with a sophisticated cyber attack that could shut your organization down permanently.

Yes, what you’ve read is right! According to a study carried out by Unit 42, a business subsidiary of Palo Alto Networks, most cyber-attacks on organizations emerge from insider threats.

Typically, disgruntled employees, those who lost key positions in a company because of the recession, COVID-19 shutdowns or routine layoffs, started contacting cyber criminals and were found helping them access their former company’s data, steal it fraudulently, destroy it, and sell it to cover their losses.

In the coming days, researchers predict that such attacks by ex-employees may rise due to declining economic conditions all over the globe, mainly because of rising inflation and a surge in the prices of essential commodities.

“Currently cybercrime has emerged as an easy business to make money, as it costs little to launch cyber attacks with a guarantee of high returns,” says Wendi Whitmore, SVP and Head of Unit 42 at Palo Alto Networks.

Patching vulnerabilities, restricting employees’ data access when it is not required, following a data security protocol when an employee leaves the organization and, last but not least, taking care of employees and understanding their needs can help organizations avoid the embarrassment of cyber attacks caused by insider threats.

No matter how well we treat employees, only money speaks. So giving them performance-based pay raises, keeping track of their birthdays and letting them celebrate with office colleagues, and understanding their work environment needs might also help keep employees happy!

But is it possible in reality?


The post Displeased employees leading to 75% of Cyber Attacks appeared first on Cybersecurity Insiders.

A man hacks his employer to prove its security sucks, Telegram provides a helping hand to the Eternity Project malware, and what the heck do mental health apps think they're up to? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker. Plus don't miss our featured interview with Rumble's Chris Kirsch.

A Texas school district has hit the headlines after one of its employees was caught mining cryptocurrency without the permission of school management or government officials.

Galveston Independent School District (Galveston ISD) is the institution in question, and the name of the employee found guilty has been withheld.

According to a source in the IT department of Galveston Independent School District (GISD), an employee installed cryptocurrency mining hardware and software at six of the district’s locations without the authorization of school management, IT staff or government officials.

Dr. Jerry Gibson, the superintendent of the school district, confirmed the media reports and said that the employee has been dismissed from duty and handed over to law enforcement.

Going into the details: over the past three months, IT staff had been surprised by an increase in traffic passing through the school district’s firewall and in the amount of power the school servers were consuming.

They launched an inquiry and found that a former employee of Galveston ISD was using the school’s IT resources for his personal mining of Bitcoin and Monero.

An investigation has been launched, with a detailed inquiry into how district students, staff and management were using IT resources and how irregularities such as crypto mining could take place. A separate IT probe has been ordered to audit the school district’s entire IT infrastructure for any malware or botnet operations.

The incident was identified at the end of March this year; on April 8th, 2022, the employee was asked to submit a resignation, and the matter has now been forwarded to the district attorney’s office.
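The rise in firewall traffic the IT staff noticed is the kind of sustained deviation that the time-based behavioral baselining described in the Gurucul section earlier on this page is meant to surface automatically. As an added example that is not from any of the original posts, the Python below keeps a trailing 14-day baseline of daily egress for one host and alerts only on runs of several consecutive days beyond it, so a one-day spike stays quiet while a persistent shift alerts; the daily egress figures are constructed.

```python
"""Flag sustained deviations from a per-host daily traffic baseline.

Added example, not from the original posts. EGRESS_GB is constructed;
real values would come from firewall or flow logs.
"""
from statistics import mean, pstdev

# Constructed daily egress (GB) for one host, five quiet weeks with weekend
# dips, a one-day spike on day 19, then mining-like traffic from day 28 on.
EGRESS_GB = [1.9, 2.1, 2.0, 1.8, 2.2, 0.6, 0.5,
             2.0, 2.3, 1.9, 2.1, 2.0, 0.4, 0.6,
             2.1, 1.8, 2.2, 2.0, 1.9, 6.0, 0.7,
             2.0, 2.2, 1.9, 2.1, 2.3, 0.6, 0.5,
             4.8, 5.1, 5.0, 5.3, 4.9, 4.7, 5.2]


def sustained_deviations(series, window=14, z_threshold=3.0, min_run=3):
    """Return (start, end) index runs of at least `min_run` consecutive days
    whose value exceeds the trailing `window`-day baseline by more than
    `z_threshold` standard deviations.

    Anomalous days are kept out of the baseline, so a persistent shift
    cannot teach the model that the new level is normal.
    """
    runs, run_start = [], None
    baseline_vals = []  # only non-anomalous observations feed the baseline
    for i, v in enumerate(series):
        if len(baseline_vals) < window:
            baseline_vals.append(v)  # warm-up: no alerting yet
            continue
        hist = baseline_vals[-window:]
        mu, sd = mean(hist), pstdev(hist)
        sd = max(sd, 0.05)  # floor avoids division by ~0 on flat baselines
        if (v - mu) / sd > z_threshold:
            run_start = i if run_start is None else run_start
        else:
            baseline_vals.append(v)
            if run_start is not None and i - run_start >= min_run:
                runs.append((run_start, i - 1))
            run_start = None
    if run_start is not None and len(series) - run_start >= min_run:
        runs.append((run_start, len(series) - 1))
    return runs


if __name__ == "__main__":
    for start, end in sustained_deviations(EGRESS_GB):
        print(f"sustained egress anomaly from day {start} to day {end}")
```

On the sample data only the run starting on day 28 alerts; the single spike on day 19 is ignored unless min_run is lowered to 1.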


The post Insider Threat alert as school district employee mines cryptocurrency without permission appeared first on Cybersecurity Insiders.