Malicious Insider Attacks Increase 66%: Are You Prepared?
November 20, 2012 | Posted by Subhash in: Uncategorized
The Ponemon Institute recently published a research paper sponsored by HP Enterprise Security titled “2012 Cost of Cyber Crime Study: United States”. The study was both thorough and insightful.
Interestingly, among the most costly cybercrimes cited in the study are denial of service, malicious insider and web-based attacks. Although the malicious insider threat was downplayed in the past, on the belief that authentication systems with password vaulting capabilities were protection enough against trusted employees, the number of malicious insider attacks grew a whopping 66% year over year in 2012. The Ponemon study points out that the largest costs of a cyber-attack are in detection and recovery. In fact, the study says that the cost of a malicious insider attack is the second highest, and the number of days to recover from one is the highest at 57 days.
The threat and severity of the consequences of a malicious insider attack grow with the size of an organization, and unless the vulnerabilities are addressed the risk levels for such an attack will continue to rise. Many enterprises address these vulnerabilities through authentication mechanisms, password vaulting solutions, access governance and monitoring tools such as SIEM solutions. However, what is lost in this discussion is that each of these is only part of the solution to the threat of a malicious insider attack. SIEM solutions are very good at enabling detection of a malicious insider attack after it has been perpetrated, which may be too late from a severity-of-consequences perspective, and they do little to reduce the cost of recovery. Access governance tools are very good at modeling roles and entitlements per stated business policy, but they have no ability to enforce the policy proactively; at best they can highlight, through a SIEM solution, that a governance policy was violated, again after the malicious insider attack has happened. This approach may be good enough to meet compliance standards from an internal and external auditor's perspective, but it in no way reduces the risk of a malicious insider attack.
There need to be at least a few other layers of defense against a malicious insider attack that are preventative. Some of the most sensitive information can be encrypted, as long as enterprises can bear the computing cost of encrypting and decrypting it. Data loss prevention (DLP) solutions also provide some preventative controls. However, a malicious insider with extraordinary privileges, such as a system administrator, may have the ability to decrypt such sensitive information or the privilege to disable DLP solutions.
The new layer of defense that is needed is to control the privileges of a potential malicious insider through proactive, automated enforcement of access control authorization policies. These policies can specify who is allowed to access what, when, and using which protocols and methods. They can also control which commands a privileged user may execute. Such a solution is not only preventative: its user access activity audit logs would ease detection of problematic behavior per user and provide proof of controls to auditors. And since the breach does not occur, organizations avoid the recovery costs associated with an insider attack, which can run to millions.
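As an added illustration (not code from this post or from any product it alludes to), here is the policy model just described as a toy enforcement engine: every privileged request is checked on who, what, when, over which protocol and which command, with default deny, a blocked-command list that no policy can override (such as stopping the DLP agent), and an audit record written for every decision. The role names, hosts, policy names and commands are constructed sample values.

```python
"""Toy privileged-access policy engine: who / what / when / how / which command."""
import json
import shlex
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset      # who may use this policy
    hosts: frozenset      # what they may reach
    protocols: frozenset  # how they may connect
    hours: tuple          # when: (start_hour, end_hour), local time, end exclusive
    commands: frozenset   # which executables they may run


# Constructed sample policies. Default deny: a request must match one policy on every axis.
POLICIES = (
    Policy("dba-maintenance", frozenset({"dba"}), frozenset({"db-01", "db-02"}),
           frozenset({"ssh"}), (8, 18), frozenset({"psql", "pg_dump", "ls"})),
    Policy("sysadmin-oncall", frozenset({"sysadmin"}), frozenset({"db-01", "web-01"}),
           frozenset({"ssh"}), (0, 24), frozenset({"systemctl", "journalctl", "top"})),
)
# Command prefixes that no policy may grant, e.g. disabling the (hypothetical) DLP agent.
BLOCKED = (("systemctl", "stop", "dlp-agent"), ("systemctl", "disable", "dlp-agent"))

AUDIT_LOG = []  # JSON records; in production this would be an append-only, tamper-evident sink


def authorize(user, role, host, protocol, command, now):
    """Return 'allow' or 'deny' for one request and append an audit record explaining why."""
    tokens = shlex.split(command)
    executable = tokens[0] if tokens else ""
    matched, reason = None, "no policy grants this request"
    if any(tuple(tokens[:len(b)]) == b for b in BLOCKED):
        reason = "command is on the blocked list"
    else:
        for p in POLICIES:
            if (role in p.roles and host in p.hosts and protocol in p.protocols
                    and p.hours[0] <= now.hour < p.hours[1] and executable in p.commands):
                matched, reason = p.name, f"matched policy {p.name}"
                break
    decision = "allow" if matched else "deny"
    AUDIT_LOG.append(json.dumps({"ts": now.isoformat(), "user": user, "role": role,
                                 "host": host, "protocol": protocol, "command": command,
                                 "decision": decision, "reason": reason}))
    return decision
```

Because decisions are made before the session or command runs, the audit log doubles as the proof of controls the post describes, rather than a record of damage already done.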