Q&A: Insider Threat
by HNS Staff - Monday, 14 July 2008.
We’ve heard about some extremely poor security measures that organizations have in place, including: Neglecting to define authentication and role-based access control requirements; neglecting to define security requirements/separation of duties for automated business processes which provides an easy method for insider attack; and neglecting to define requirements for automated data integrity checks, which allowed insiders to carry out their malicious activating knowing their actions would not be detected.

What critical problems can organizations face as a result of not mitigating insider threats?

For one, law suits. These can be very expensive and high-profile, severely damaging a company’s reputation and costing millions of dollars to reconcile. Also, insider threats lead to a significant loss of productivity and revenue through employee sabotage. This is especially true for smaller companies that may never be able to recover from a incident of insider threat.

A third potential problem is the threat to human life. For example, a former Cox Telecom employee recently plead guilty to information technology sabotage, having caused the loss of computer, telecommunications and emergency 911 services for thousands of Cox’s business and residential customers throughout Dallas, Las Vegas, New Orleans, and Baton Rouge, La. The guilty party faces a potential 10-year jail sentence and $250,000 fine, but the future is less certain for Cox. According to the company, services were fully restored and the damage repaired. However, the incident’s affect on Cox’s reputation has yet to be determined.

What type of complications can arise from orphaned accounts?

An orphaned account is an invitation to disaster. When the need for the account passes (i.e, when an employee leaves or is reassigned), that access to systems and data is no longer needed. This is when the account becomes orphaned. It is important to remove this access because it provides an entry point that no longer has a business purpose. Any access through this account is, by definition, a breakdown in the businesses’ protection of its valued data. The orphaned account also provides a more likely attack surface than a current user account, especially when the account becomes orphaned due to an involuntary departure of an employee. A terminated employee may harbor anger or animosity toward the company and their conduct is no longer constrained by fear of losing their job. We like to break orphaned accounts down into three categories: orphaned user accounts, orphaned privileged accounts and orphaned access.

Orphaned user accounts are what you would expect—the official user account that a person was given upon joining the company. These accounts are usually the easiest to manage as they are a known quantity. For example, when “John Smith” leaves a company, most IT organizations should have a straightforward process to remove his user account and any associated items (for example, all email accounts). However, a recent survey we sponsored revealed that many companies actually do not have an effective process to deal with orphaned user accounts. In fact, 61 percent of respondents said it took more than a couple of days to remove orphaned user accounts, and 12 percent said it took longer than one month. These figures are troubling when you consider that a recent Gartner report suggested “most attackers will do all they plan to do with a known password within only a few days,” so the disabling of orphaned user accounts needs to happen within a few hours after the employees departure to avoid exploitation.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th