According to a recent article by Business Insider, hackers in Ireland, stymied by Apple’s information systems security, are taking another approach to gain access to the corporation's data. They are offering Apple employees up to 20,000 euros for valid login credentials. While not all approaches to insiders are so overt, this case nevertheless serves as a great reminder that malicious actors are actively recruiting insiders to exploit their status.
Beyond that, it demonstrates that the insider threat is not just confined to an Edward Snowden type who steals a mass of data in one swoop before leaving the company. Insiders can pose a far more subtle and enduring threat. Because of this, we should think beyond Snowden when considering how insider threats can manifest.
Thinking About Insider Threats
It’s important when considering insider cyber threats to not let the cyber element distract from the basic problem; hacking is still fundamentally theft of information. In fact, I would encourage security managers to think about these insider threats much as they would any other sort of corporate or government espionage.
Certainly, those looking to recruit an insider would love to have access to a systems administrator — essentially the corporate equivalent of an embassy communications officer. Systems administrators normally hold the keys to the kingdom, and in many cases they can access a variety of email accounts and other systems of interest to those conducting corporate espionage, whether they are motivated by ideology, looking to steal proprietary secrets or seeking information for insider trading purposes. That said, company IT staffs are not the only people who could be recruited to help carry out a cyberattack.
In addition to the outright sale of a valid system login, as in the Apple example, insiders can also perform more subtle tasks to help hackers. One is to fill the role that an "access agent" would in traditional espionage: identifying potential sources. Rather than pinpointing and approaching individuals, in the cyber realm insiders can help hackers understand a company's systems and security procedures. They can also provide company organizational charts and examples of company communications. Perhaps more important, an insider has knowledge of who talks to whom and what topics they discuss; they may even pass along sample emails that show how people interact.
This level of detail can be incredibly useful in helping set targets up for a well-crafted and convincing attempt at spear phishing, an email attack tightly focused on an individual user. If a hacker learns that Carol regularly sends text documents or spreadsheets to Bob and even has examples of how Carol normally addresses Bob, including any company or personal jargon, he or she can then craft a highly tailored message spoofing Carol’s email address and with it deliver an attachment loaded with malware.
Access agents can also be used to help spot troubled coworkers whose financial or other vulnerabilities, such as anger at the company or drug use, might make them easier to recruit. Sex also works as a highly effective recruiting tool, and access agents can identify people most likely to be vulnerable to a "honey trap."
Non-IT staff insiders can also be used to introduce malware into a company's computer system. They may knowingly open a spear phishing tool, allowing them to feign victimization later if they get caught. As noted above, they have the knowledge to help craft a plausible spear phishing presentation that can give them the cover of apparent innocence. They could also, for example, steal a thumb drive from a coworker's desk and allow hackers to install malware on it before returning it. There are many ways a non-IT insider can help inject malware into company systems — even sensitive "air gapped" systems, or secure networks separated from the Internet.
Persistent Insider Threat
Insider threats are not limited to one-hit wonders like Snowden. Insider agents who make their actions seem innocuous and maintain plausible deniability can stay in place at the targeted company for a long time. Again, thinking in traditional espionage terms, it was always a great windfall when someone would walk into an embassy and hand an intelligence officer a briefcase full of classified documents. But a good intelligence officer isn't satisfied with just those documents. Sharp officers protect walk-ins and encourage them to continue working; that way, they can provide a continuing stream of valuable intelligence instead of just a single document dump.
But even when we are dealing with a recruited agent instead of a walk-in, the best strategy is to leave the agent in place for a prolonged period to maximize the extracted intelligence. National intelligence agencies running computer intelligence operations will follow the same principles in recruiting sources as they do for other operations. Intelligence services draw little distinction between an asset recruited for cyber and one meant for traditional intelligence gathering, and once recruited, agents can serve both purposes.
Anyone who doubts that intelligence agencies from an array of countries actively recruit sources from within many different types of companies has not been paying much attention. States frequently use false-flag approaches, sometimes presenting themselves as competitors or even criminals rather than intelligence officers.
But even beyond intelligence agencies, it is easy to see how ideologically motivated leakers, competitors and criminals could benefit greatly by having inside sources embedded long-term within a company.
Bad Operations Security
Finally, in addition to knowing collaborators who act intentionally, sloppy insiders also pose a significant threat — and arguably a larger and more persistent one. Whether or not the slip-up is as high-profile as the case of an Apple employee who left a top secret iPhone 4 prototype at a bar, or the case of the Qualcomm CEO whose laptop was stolen shortly before his company reported its quarterly results, there's always the chance that a low-level insider will fall for a clumsy phishing email and introduce malware onto company servers through a personal laptop.
Of course, such negligence can play a role in attacks involving knowing insiders as well. All the potentially threatening actors we've discussed, from intelligence agencies to criminals, can and do pounce on mistakes made by unwitting, inattentive insiders. But compared with recruiting an insider, which requires more effort and is more easily detected, a targeted cyberattack is a low-cost, low-risk method that can be just as effective. Negligence makes those attacks easier to execute. Poor operations security is also not just confined to non-technical employees. Inexperience, laziness or poor practices can make IT staff negligent as well. In short, employees should be well informed and on guard. The threat posed by a Snowden-like insider is grave. But it is far from the only type of insider threat that can harm your company.