Insiders are people who play a key role in data leaks. Several different insider profiles are examined below.
The careless insider
The careless insider is the most common type of insider. He is typically a negligent, non-managerial employee who causes a breach of confidentiality unintentionally and has no real incentives to violate internal information security rules.
These employees pose an unintentional, non-targeted threat and violate confidential data storage policies despite their best intentions. Data breach incidents involving this insider profile are most frequently the result of taking information out of the office in order to work at home, on business trips, and so on. The insider often inadvertently loses a storage device, or family members may accidentally gain access to the data. In spite of good intentions, these data breaches can cause damage on the same scale as those committed through corporate espionage. When careless insiders find that they are unable to copy data, they will follow instructions and speak to their coworkers or the system administrator, who will explain that taking sensitive data outside of the office is not permitted. Companies can protect themselves against this type of insider with simple technical measures covering the basic leak channels, such as filtering the content of outgoing traffic combined with the use of an input-output device manager.
The naive insider
Lately the term “social engineering” has been used to describe the various means of conning people on the Internet. However, this type of manipulation is used for more than illegally obtaining personal information such as passwords, PINs, credit card numbers, and addresses. The ex-hacker Kevin Mitnick, now known as an “IT security consultant,” believes that social engineering is the weak link in the data system chain. Mitnick’s book “The Art of Deception” includes examples demonstrating how a good secretary with only the best of intentions might copy a confidential e-mail to a non-corporate e-mail address after a malicious user asks her to do so “just in case.”
In this scenario, the secretary may receive a call from a branch manager, who introduces himself and tells her that some technical problems have made it temporarily impossible to forward the email in question via the branch’s network. Instead, he suggests that she send the email to his personal email address, which is on a public email service. The “manager” is so persuasive that the secretary never suspects any kind of fraudulent intent and immediately sends the email to the alternative personal email address. One can only guess who the alleged manager really was, but one thing is sure: he was after specific information – and his intentions were not so noble.
Naive and careless insiders can both be labeled “non-malicious”: they believe that they are acting for the good of the company, but they often feel as though official procedures only get in the way. While an insider’s actual intent may have no bearing on the damages that are ultimately caused, his intent will determine the actions he takes once he learns he is unable to obtain data. These are loyal employees who will speak with their coworkers, the technical support team, or management members to find out why their attempts to work with data (and thus breach data security rules) have been blocked, and they will be told that the actions in question are prohibited.
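The two technical measures named above for non-malicious insiders, content filtering of outgoing traffic and an input-output device manager, can be illustrated with a small policy engine. The following is an added example written for this page, not code from the original article or from any vendor product: it evaluates constructed outbound events (an e-mail send or a write to removable media), looks for confidentiality markers in the content, and returns a verdict with a reason. The domains, markers, device identifiers and sample events are all assumptions made for the example. The second sample event is the secretary scenario from the text: a confidential message forwarded to a personal address on a public mail service.

```python
import re
from dataclasses import dataclass

# Assumed policy values for this example (not taken from the article).
CORPORATE_DOMAINS = {"example-corp.com"}
PUBLIC_MAIL_DOMAINS = {"gmail.com", "mail.ru", "yahoo.com"}
APPROVED_DEVICES = {"usb-encrypted-0042"}  # devices registered with the device manager
CONFIDENTIAL_MARKERS = re.compile(
    r"\b(confidential|internal use only|client database)\b", re.IGNORECASE
)


@dataclass
class OutboundEvent:
    channel: str       # "email" or "removable_media"
    user: str
    destination: str   # recipient address for email, device id for media
    content: str       # message body / attachment text, or file contents


def is_confidential(text: str) -> bool:
    """Content filter: does the outgoing payload carry a confidentiality marker?"""
    return CONFIDENTIAL_MARKERS.search(text) is not None


def recipient_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def decide(event: OutboundEvent) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'allow_audit' or 'block'."""
    confidential = is_confidential(event.content)
    if event.channel == "email":
        domain = recipient_domain(event.destination)
        if domain in CORPORATE_DOMAINS:
            return "allow", "internal recipient"
        if confidential and domain in PUBLIC_MAIL_DOMAINS:
            return "block", f"confidential content to public mail service {domain}"
        if confidential:
            return "block", f"confidential content to external domain {domain}"
        # External but unmarked: let it through, keep an audit record.
        return "allow_audit", f"non-confidential content to external domain {domain}"
    if event.channel == "removable_media":
        if event.destination in APPROVED_DEVICES:
            return "allow_audit", "write to managed encrypted device"
        if confidential:
            return "block", "confidential content to unmanaged device"
        return "allow_audit", "non-confidential content to unmanaged device"
    return "block", f"unknown channel {event.channel}"


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    OutboundEvent("email", "secretary", "cfo@example-corp.com",
                  "CONFIDENTIAL: Q3 forecast attached"),
    OutboundEvent("email", "secretary", "branch.manager.personal@gmail.com",
                  "Forwarding as requested: CONFIDENTIAL Q3 forecast"),
    OutboundEvent("email", "sales", "partner@vendor.example",
                  "Agenda for Tuesday's call"),
    OutboundEvent("removable_media", "analyst", "usb-unknown-7f3a",
                  "client database export, internal use only"),
    OutboundEvent("removable_media", "analyst", "usb-encrypted-0042",
                  "client database export, internal use only"),
]


def run(events=SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """Evaluate every event; returns (user, verdict, reason) triples."""
    return [(e.user,) + decide(e) for e in events]


if __name__ == "__main__":
    for user, verdict, reason in run():
        print(f"{user:10} {verdict:12} {reason}")
```

The `allow_audit` verdict is deliberate: unmarked traffic to external domains and writes to managed devices are permitted but logged, so the conversation the text describes, in which a blocked employee asks a coworker or the administrator why an action failed, can be reconstructed from the audit trail rather than from memory. A real deployment would replace the marker regex with document classification labels and the device set with the device manager's inventory.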
The following insider profiles fall into the “malicious” category: unlike the types of employees described above, they are fully aware that their actions will harm the company. Their motives, which predict how they will act after learning that the actions they want to take have been blocked, place them into one of four sub-categories: the saboteur, the disloyal employee, the moonlighter, and the mole.
The saboteur
Saboteurs are employees who attempt to harm the company for their own personal reasons. They are often disgruntled and feel as though they are taken for granted: their salary is low, they are too far down on the corporate ladder, they aren’t eligible for certain incentives, or they are angry that they don’t receive company “perks,” such as a laptop, a company car, or a secretary.
We can gain a better feel for the saboteur by examining two key differences from other types of insiders. First of all, he has no plans to leave the company. Second, the saboteur intends to harm the company, rather than simply steal information. In other words, he does not want management to find out that he was the cause of the data leak; once he discovers that his attempts to steal certain data are blocked, he may focus his destructive energy elsewhere, such as destroying or fabricating public information or stealing other assets. Furthermore, he will use his own assessment of which information is valuable and how much damage its loss would cause to determine specifically which data would make the most sense to steal, and to whom he should give it. More often than not, potential recipients include the media (which would publish the information) or criminal organizations (which would use it for blackmail). One example would be an employee responsible for monitoring the condition of sunken nuclear submarines revealing sensitive information to environmentalists or the press.
The disloyal insider
The disloyal insider is another type of malicious insider. Disloyal insiders may include interns and employees who plan to leave the company but have not yet informed their coworkers or superiors. They plan on acting for their own personal gain, to the detriment of the company. Disloyal insiders are a major headache for managers when it comes to internal threats. For example, it is now common practice for members of a commercial or financial department to take a copy of the company’s client or financial database with them when they leave the company. There have been several incidents in the US and Europe where interns at high-tech companies have stolen intellectual property. The threat posed by this category of insider isn’t actually targeted: the employees generally try to take as much data as they can with them, are often unaware of its value, and have no specific plans to use it. The most common means of gaining access to information, or an opportunity to copy it, is to claim that the data is necessary for them to perform their duties.
The difference between disloyal insiders and saboteurs is that disloyal insiders do not try to hide the fact that they have stolen information. Furthermore, the stolen information is sometimes used to blackmail the company into granting extra severance benefits.
The saboteur and the disloyal insider do not, however, pose as great a threat as the next two types of insiders, since they independently decide what data to steal, destroy, or distort, and where to sell it. A commercial director, for instance, who decides to resign may take the client base with him, but he may later be hired by a company that is not a direct competitor of his previous employer. Information that is disclosed to the media may not turn out to be very titillating and may not even be published. An intern who steals the design for a promising project may not find a buyer. In these cases, the leaked information won’t cause any damage. And if he runs into an obstacle in his attempts to steal information, the insider probably won’t look for a way to get around it, since he likely does not have the technical skills to do so.
The moonlighter
If a saboteur or disloyal employee gets in contact with a potential buyer of specific information before the information is stolen (i.e., a competitor, the media, criminal organizations, or the government), then he becomes the most threatening type of insider: the moonlighter. His job, his well-being – even his health, in some cases – now depend on the integrity and relevance of the information he can steal.
Moonlighters and moles are employees who target specific information at the request of their “client.” In both cases, these insiders attempt to conceal their actions (at least until the data theft is successful), although their motives are different. The moonlighter profile can include a wide range of employees who have decided to steal information for any number of reasons: he may need extra money to buy a car, or he may have been recruited by someone outside of the company. In many cases, the employee was originally loyal, but was either bought off or intimidated. This is why moonlighters will try anything they can if they face any complications in accomplishing the task at hand. Depending on the situation, they may stop trying to steal the data, or they may pretend they need it for work purposes. In more extreme cases, they may even try to hack the information or bribe their co-workers.
The mole
This last insider profile is named after the notorious spies we know from Cold War-era espionage thrillers. Planting a mole is a common tactic used in government and industrial espionage. For example: a system administrator at a prominent company receives a very attractive offer from another company – a generous salary, excellent benefits, and a flexible work schedule. He would be crazy not to accept. Meanwhile, his current employer’s HR department receives an impressive resume from an IT expert who looks too good to turn down. Or, the IT expert may be suggested as a replacement for the departing sys-admin (similar to the services offered by a recruiting agency). While the original sys-admin is training his replacement, the latter quickly gains access to confidential data and leaks it to his client. Once the damage is done, all traces of both the recruiting agency and the replacement sys-admin seem to vanish into thin air. As a result, the company loses its valuable corporate secrets, and the system administrator loses his job.
Moles are especially dangerous – if there are technical barriers in place making it difficult or impossible to remove data from the corporate network, the “employer” may provide the mole with the devices or software needed to bypass the security system. The mole will do anything it takes to get the information he needs. His arsenal often includes sophisticated techniques and professional hacking skills.