Slashdot Mirror


Insider Threats Pose the Biggest Security Risk (betanews.com)

An anonymous reader shares a report: According to a new study, 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications like popular file storage and email solutions including Google Drive, Gmail and Dropbox. The report from SaaS operations management specialist BetterCloud also shows 62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user.

Among other findings are that 46 percent of IT leaders (heads of IT and above) believe that the rise of SaaS applications makes them the most vulnerable. In addition, 40 percent of respondents believe they are most vulnerable to exposure of confidential business information such as financial information and customer lists. Only 26 percent of C-level executives say they've invested enough to mitigate the risk of insider threats, compared to 44 percent of IT managers.

46 comments

  1. The next biggest threat by bobstreo · · Score: 0

    would be reposts of the same news sometimes on the same day.

    1. Re: The next biggest threat by Anonymous Coward · · Score: 0

      The fourth biggest threat is that the Mueller report will find no evidence of collision, in which case several prominent faggots on this website will commit suicide out of despair from having invested two years and thousands of hours of sniveling into yet another Democrat lie.

    2. Re: The next biggest threat by Anonymous Coward · · Score: 0

      Except that is already known
      https://www.bbc.com/news/world-us-canada-42493918

    3. Re: The next biggest threat by Anonymous Coward · · Score: 0

      BBC knew WTC7 was going to collapse before it actually did. It's amazing psychic journalism. Look it up on YouBoob.

    4. Re: The next biggest threat by Anonymous Coward · · Score: 0

      The fourth biggest threat is that the Mueller report will find no evidence of collision, in which case several prominent faggots on this website will commit suicide out of despair from having invested two years and thousands of hours of sniveling into yet another Democrat lie.

      Trump asked for Russian help live on TV, then got it.
      Trump's family attempted to collude directly with Russia at at least one meeting.
      Kushner, I believe, tried to use Russian communication equipment to communicate with Russia.
      Manafort handed over key polling data to basically Russian agents.
      Trump inexplicably defends Vladimir from everything, saying his own intelligence agencies are flat out wrong because Vladimir said so.
      Trump weakened sanctions on Russia, for no explicable reason.
      Trump regularly called our former president weak and all kinds of other names while praising Putin, who is a known murderer of his political enemies.
      Trump did everything he could to stop any serious effort to stop the next effort at meddling.
      Trump's actions weaken our ties with allies and in particular NATO.

      I don't know if Trump is actively colluding or not, but the effect is the same. He is a traitor. I don't honestly care about the reason.

    5. Re:The next biggest threat by Anonymous Coward · · Score: 0

      The biggest threat are the jews. Kikes run everything and are flooding our countries with mudslums and wetbacks.

      --
      YangGang 2020

    6. Re: The next biggest threat by Anonymous Coward · · Score: 0

      I don't think you like Trump

    7. Re: The next biggest threat by Anonymous Coward · · Score: 0

      Lol, the report is out, and NO MORE INDICTMENTS!

      You can kill yourself now.

    8. Re: The next biggest threat by Anonymous Coward · · Score: 0

      2018 you: "It's Mueller Time! In Mueller we trust! Mueller is gonna hang them for treason! Just wait for the Mueller report!"

      2019 you: "I don't care about Mueller. Never did. It's not important. I always knew it wasn't going to be anything big. Why did you think I was so invested in it? I wasn't. It's not a big deal."

      You lost, you sniveling fucking cunt.

    9. Re: The next biggest threat by Anonymous Coward · · Score: 0

      Your breath smells like Stephen Colbert's dick, balls, and ass.

  2. Been known for a long time by Anonymous Coward · · Score: 1

    Except now employees do it for political reasons. For example, the IRS employee who decided to give Michael Cohen's financial info to journalists.

    Any private messages on Facebook, Google, or Twitter owned services are liable to be published at any moment by politically involved personnel.

    And we just learned that Facebook was keeping millions of user passwords in plain text ;)

    1. Re: Been known for a long time by Anonymous Coward · · Score: 0

      The Tree of Liberty is parched.

    2. Re: Been known for a long time by Anonymous Coward · · Score: 0

      The roots have a disease.

  3. Re:No insider time in Federal Prison, Trump Traito by Anonymous Coward · · Score: 0

    Yep. So....do we get all that taxpayer money back spent on lawyers and special counsel to find out that nothing happened?

    Nope.

    Schiff can suck my dick.

  4. No shit by Anonymous Coward · · Score: 0

    Employee loyalty is getting lower all the time thanks to crap pay and terrible working conditions.

    1. Re:No shit by green1 · · Score: 1

      Companies haven't been loyal to their employees for decades. Why would any employee feel they should be loyal in return?

  5. This is stupid by WindBourne · · Score: 3, Insightful

    Right now, American companies are putting on the newest version of Windows, and yet, they are getting cracked more often. Why?
    Is it because Windows is worse? No. Windows is actually getting more secure.
    So, are the Russians simply moving to America and cracking it here? No. If that was the case, then we would be arresting MORE, not fewer, Russians.
    So, how are the Russians getting into many of our business computers?
    What have businesses increasingly done? OUTSOURCED. Who to? India and China. We do not hear of India cracking our systems, but China has increased it.
    BUT, how is one of these connected with Russians cracking American businesses? Simple. Who is India's best friend in the military? It is not the west. It is Russia. Many, many Indians are employed by Russian defense companies and then go work on western, esp. American, businesses. And those Indians are then paid around $10-20K, while we fat Americans are paid 100+K. So, if a Russian approaches an Indian friend of his and says, "look, we will pay you $150K just to leave a back door in code," what do you think that he will say?
    Yeah, getting paid 10x your yearly tends to make people jump, esp. when it does not harm their family, nation, etc.

    As to the Chinese? Well, we employ them here and we outsource there as well. What do you expect.

    The west deserves what it is getting because we refuse to acknowledge what is happening. We will allow political correctness to control us. Fools.

    --
    I prefer the "u" in honour as it seems to be missing these days.

    1. Re:This is stupid by Anonymous Coward · · Score: 0

      Sounds plausible for just about any nation, not just Russia or China. Restated: nation states, Western/Eastern, have been doing this for years, so what's new?
      Technically what you're suggesting goes against the grain of capitalism. If labor is cheap, outsourcing will follow. I don't blame the East for a problem created in the West. But as you say, "Fools" maybe, but it's just good business.

    2. Re:This is stupid by guruevi · · Score: 2

      Nice conspiracy theory but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.

      We have an entire industry where people just don't care or in many cases don't even know or get educated about security because they need to get the thing out of the door faster, so they set up things like memcached and S3 containers because they're easy without ever locking them down because that would insert all sorts of extra code and delays in the project, and then we turn them on the Internet and a few months later everyone is surprised.

      I have clients that are the exact same way, they want the prototype of software out of the door because it's functional and it's a minimal spend. The "behind the scenes" cleanup and security just doesn't happen so they can save a few thousand dollars. So there are entire web apps that have a login page but nothing beyond it is encrypted or secured, pure luck and lack of deep web scanners is what keeps some of these afloat. I've had a client that hadn't updated Drupal in 3 years, they were only lucky enough they didn't get hacked until that point because they were on a subdomain with no direct links to the system.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com

    3. Re: This is stupid by WindBourne · · Score: 2

      You are missing the point. In a secured situation, the last thing you would do is pay somebody greatly less than others for doing the same job. Then add to that a situation where you hire a company that then hires local people without really checking their background, or perhaps just does not care. Some who have worked for Indian defense have worked closely with Russians. It would be like Americans working in the defense industry who would likely work closely with Canadians and the UK. Russia and India share an entire defense industry due to Nixon's stupid threats as well as China's numerous invasions of India and Russia.

      --
      I prefer the "u" in honour as it seems to be missing these days.

    4. Re:This is stupid by Tom · · Score: 2

      Nice conspiracy theory but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.

      Most purely technological challenges have been solved when it comes to IT security.

      We haven't solved the management and usability challenges.

      I can lock down a Linux system so much that I can give you remote root SSH access and you still can't damage it. In fact, I've done exactly that at hacker conferences. And the resulting system is still useable enough that I will give my presentation from it, after it's been on the conference wifi for the whole day and while it's still open to SSH during my talk with the root password posted in sight.

      But it won't be a system where you can deploy a new docker container with a few clicks or where you can run "composer install" without jumping through some hoops. Or where your random office application will run without extensive configuration of the security policy.

      As long as every office worker needs a fully functional general purpose computer at his desk, the challenge to combine security and usability is insurmountable. If you can tell me what your people are actually doing and what they need to do their work, I can give you a secure machine for them. But in the real world one half of managers doesn't have half a clue what and more importantly how their people are actually working and the other half has people doing so many different and constantly changing tasks that the definition of their job is in constant fluctuation.

      And that's not a technical challenge, that's a management challenge.

      I have clients that are the exact same way, they want the prototype of software out of the door because it's functional and it's a minimal spend

      We know how to build secure development into software development. In fact, we've known it since the 1960s. It's not even expensive when you consider TCO. But speed to market is impacted and most software development today doesn't even have a clear understanding of the end product (no matter if you call that agile or not-having-a-clue), which makes it hard to make a proper architecture and define proper security requirements.

      --
      Assorted stuff I do sometimes: Lemuria.org

    5. Re: This is stupid by Ol+Olsoc · · Score: 1

      You are missing the point. In a secured situation, the last thing you would do is pay somebody greatly less than others for doing the same job.

      You aren't exactly wrong. But this doesn't jibe with your comment earlier that it is political correctness.

      Paying as little as possible and utilizing any scheme to do it is capitalism, not PC.

      Then add to that a situation where you hire a company that then hires local people without really checking their background, or perhaps just does not care.

      Real background checks cost a lot of money. Once again, gotta serve the stockholders - can't have this sort of thing cutting into the bottom line.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    6. Re:This is stupid by Ol+Olsoc · · Score: 1

      We know how to build secure development into software development. In fact, we've known it since the 1960s. It's not even expensive when you consider TCO. But speed to market is impacted and most software development today doesn't even have a clear understanding of the end product (no matter if you call that agile or not-having-a-clue), which makes it hard to make a proper architecture and define proper security requirements.

      Because security is less important than the brand of jelly donuts at the board meeting, until it all falls down.

      Then there is the cloud. Long touted as an incredibly secure, failsafe way to store and retrieve data. But in reality, just a way to terminate local IT workers and service the stockholders. Yeah just store it outside of the business and allow the bad guys easier access.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    7. Re:This is stupid by Anonymous Coward · · Score: 0

      Nice conspiracy theory but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.

      No. The reason is everyone is a script kiddy these days. In the past no one with skill would even dream of using other people's code or exploit implementations. Now we have databases and exploit frameworks. Software has fewer flaws today, but a smaller mountain is still a mountain and exploiting them is easier than ever.

      Oh look here is a Linux 4.2 system running Ubuntu LTS 17.4 and an enumerated list of services. Time to search the database, select a few, and execute all in less than ten metasploit commands. No need to know how any of them work, only what they do.

      20 years ago that process would take days for a savant to research, learn, understand, write, test, and then implement several tools from scratch. Now we can even automate those frameworks to operate on a block of IP addresses. Technology has multiplied the average person's productivity. The productivity of those who make the automation software is a higher-order of that.

    8. Re:This is stupid by Tom · · Score: 1

      Then there is the cloud.

      I don't know who invented the phrase (maybe xkcd?) but as we all know "the cloud is just other people's computers". Anyone who expects magic from it also believes in Santa Claus and $deity.

      --
      Assorted stuff I do sometimes: Lemuria.org

  6. People who copy documents by AHuxley · · Score: 2

    with a photocopier and give it to the media.
    to a USB stick and walk out with data for political reasons.

    The well-meaning worker who hands your documents/data to a waiting journalist?
    Who collected data on the crimes of the company, a side of politics, brand, gov, NGO, movie studio, bank, mil they work for and tells the world.

    Want security?
    Is the person who they say they are? Fake ID? Sharing an ID? Not a citizen? No security clearance found, but they present as having a gov/mil past and a security clearance?
    Don't hire people with a past that is fictional and created.
    Investigate your staff. Their background in education. Their ability to learn. Their use of non-academic considerations to get an education.
    Could they pass their exams at every stage of their education?
    Who they are friends with. Their friends' politics. Are their friends criminals? What their hobbies are. Any lifestyle problems that are beyond their wage? Gambling? In debt? What do they read, watch, publish?
    Addiction that costs more than their wage? Health problems? Medical issues not covered by their wage and health insurance? An alcohol problem? Found faith? Looking for faith?
    Have they worked in a trusted setting before? Did they report problems? Talk to journalists? Create problems in past jobs?
    A split loyalty to another nation, faith, cult? Getting work in your nation to spy for another nation over decades?
    A change in online political views to become an activist? Talking to and seeking out journalists? Discovered looking up advice on accountability and whistleblower laws?
    Meeting with journalists? Got a new lawyer who has a security clearance and who works with whistleblowers?

    Mitigate the risks by hiring on merit and doing a full background investigation.
    Then give your new staff some fictional project. See who is tempted to walk to the media with fake project documents.
    See who made a copy. Who transferred out a copy. Who contacted a journalist to talk about aspects of the fake project?
    Advance the trustworthy staff.
    Move the trusted and tested workers to important projects. Keep staff who can't be trusted on projects that are in the open.
    Stop adding staff who bring complex problems to your company/brand/gov/mil.
    Look for the best quality workers who can be trusted. Don't hire workers you have to trust but know nothing about.
    Hire on merit and do much more research before accepting new staff.
    Stop telling your staff project details they have no reason to know about.
    Stop putting project details on networks and computers anyone within a secure company network can "find" and copy.
    Look over what your staff search for in internal computer networks. Do they know project names/details they never got told about/are not working on?
    Understand your staff. Secure your documents. Don't let internal data security become one large plain text data set.
    Not on a network? Staff who are politically motivated can copy data out.

    --
    Domestic spying is now "Benign Information Gathering"

  7. This Advertisement Paid for ... by Anonymous Coward · · Score: 0

    by BetterCloud. If you must be stupid and store valuable information in "the cloud", then we sell "Snake Oil" that you can lather all over yourself so you will feel better about your stupidity.

    Unfortunately, it is only a "feel better" solution as there is nought that can be done to cure stupidity.

  8. no, the biggest threat is executives by Anonymous Coward · · Score: 0

    Where I work, there has been a wave of security improvements, with super professional IT people coming in and making big changes, enhanced security to multiple systems.

    The people who are constantly ignoring and violating these rules, because they find them inconvenient, are managers and executives.

    I am not sure if I even blame them - the mindset of a manager is kind of inherently incompatible with, say, learning to use a personal logon dongle, changing the way they have done something for 20 years. They view it as a useless impediment and kind of get a thrill out of throwing it in the waste bin.

  9. you are stupid by Anonymous Coward · · Score: 0

    Clearly a lot of American companies aren't putting on the newest Windows/everything else.

    Then you have the NSA purposely weakening encryption. NSA secretly infiltrating Western companies to insert their own backdoors. Everything is becoming more connected. Those things are becoming more valuable.

    But it's China and India that are making things less secure?

    Wake the fuck up idiot.

    You think Windows is fully secure? "More secure" is meaningless if it is still trivial to bypass it.

  10. WindBourne why run away from your lies? by Anonymous Coward · · Score: 0

    Why do you lie so much WindBourne?
    Here, here and here for example.

    You also constantly claim links say what you want them to when they clearly do not.

    Why falsely accuse other people of lying, when it's clearly you who is the liar?

    Show some honour for once.

  11. bullshit by Tom · · Score: 2

    I call massive bullshit on the conclusion.

    I do risk analysis for a living, among other things. I'm the Senior Information Security Architect at my company and I train risk managers and CISOs. Most importantly, I do quantitative risk analysis using actual numbers and statistics, not the "green, yellow, red" nonsense that most IT consultants sell you because it's the only thing they (barely) understand.

    One of the most consistent findings I have almost every time is that expert intuition is wrong about risk. That's not exactly news, almost every book ever written about the topic confirms it. But the conclusion is just as obvious: What IT security experts feel is the biggest threat has a low correlation coefficient with what is actually real.

    That doesn't mean insider threats aren't real, they definitely are and they typically do rank high in a properly conducted risk assessment. But there are almost always two types of risks that outrank them. First, the low-probability but high impact risks that more often than expected turn out to be existence-threatening and that fact makes them more important than their statistical value indicates. And secondly the bothersome low-impact but high-frequency (yes, probability becomes meaningless if the number of events can be higher than one) ones. They add up, and much more than you'd think.

    Insider attacks are just the high-impact with sufficiently high probability events that come to the top of our intuitive understanding. Which has been empirically proven to be wrong in so many ways that books have been written about that alone.

    62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user.

    Have the same respondents checked their incident management report to validate their feeling against recent events? How much damage have those end users actually caused and is that value within the confidence interval of your expectation? Do they know that you can take historic data and actually calculate the probability that your assessment of the risk is true given that data? Have they done it?

    --
    Assorted stuff I do sometimes: Lemuria.org
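The argument above (frequent low-impact losses add up, rare existence-threatening events matter beyond their expected value, and a claimed incident rate can be tested against historic incident counts) carried through in code. This is an added example, not the commenter's own method or tooling: the three risks, their Poisson event rates and lognormal per-event losses, the five years of incident counts and the Gamma prior are all constructed assumptions.

```python
"""Added example (constructed numbers): ALE, simulated tail loss, Bayesian rate check."""
import math
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    rate_per_year: float  # expected events per year, modelled as Poisson
    loss_p5: float        # 5th and 95th percentile of the loss per event
    loss_p95: float

    def lognormal_params(self):
        # mu, sigma of a lognormal whose 5th/95th percentiles match the bounds
        mu = (math.log(self.loss_p5) + math.log(self.loss_p95)) / 2
        sigma = (math.log(self.loss_p95) - math.log(self.loss_p5)) / (2 * 1.6448536)
        return mu, sigma

    def annual_loss_expectancy(self):
        mu, sigma = self.lognormal_params()
        return self.rate_per_year * math.exp(mu + sigma ** 2 / 2)

def poisson_draw(lam, rng):
    # Knuth's multiplication method, adequate for the rates used here
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        p *= rng.random()
        k += 1
    return k

def simulate_annual_losses(risk, years, seed=1):
    # total loss per simulated year: Poisson event count, lognormal loss per event
    rng = random.Random(seed)
    mu, sigma = risk.lognormal_params()
    return [sum(rng.lognormvariate(mu, sigma)
                for _ in range(poisson_draw(risk.rate_per_year, rng)))
            for _ in range(years)]

def exceedance_probability(losses, threshold):
    # share of simulated years whose total loss exceeds the threshold
    return sum(1 for x in losses if x > threshold) / len(losses)

def regularized_lower_gamma(a, x):
    # P(a, x) = x^a e^-x / Gamma(a) * sum_n x^n / (a (a+1) ... (a+n)), series form
    if x <= 0: return 0.0
    term = total = 1.0 / a
    n = 1
    while term > total * 1e-15 and n < 100_000:
        term *= x / (a + n)
        total += term
        n += 1
    return min(1.0, math.exp(-x + a * math.log(x) - math.lgamma(a)) * total)

def posterior_rate(counts, prior_shape=1.0, prior_rate=0.1):
    # weak Gamma prior on the yearly rate + Poisson counts per year = Gamma posterior
    return prior_shape + sum(counts), prior_rate + len(counts)

def prob_rate_above(counts, claimed_rate):
    # posterior probability that the true yearly rate is at least the claimed one
    shape, rate = posterior_rate(counts)
    return 1.0 - regularized_lower_gamma(shape, rate * claimed_rate)

def credible_interval(counts, level=0.9):
    # central credible interval for the yearly rate, by bisection on the Gamma CDF
    shape, rate = posterior_rate(counts)
    def quantile(q):
        lo, hi = 0.0, 5 * shape / rate
        for _ in range(100):
            mid = (lo + hi) / 2
            lo, hi = (mid, hi) if regularized_lower_gamma(shape, rate * mid) < q else (lo, mid)
        return (lo + hi) / 2
    return quantile((1 - level) / 2), quantile(1 - (1 - level) / 2)

# Constructed illustrative inputs, not figures from the BetterCloud report.
RISKS = [
    Risk("negligent users (frequent, low impact)", 200, 500, 5_000),
    Risk("malicious insider", 0.5, 50_000, 500_000),
    Risk("existence-threatening breach", 0.02, 2_000_000, 50_000_000),
]
RUIN_THRESHOLD = 5_000_000            # one-year loss the business could not absorb
HISTORIC_COUNTS = [9, 14, 11, 8, 13]  # damaging negligent-user incidents per year
CLAIMED_RATE = 24                     # the "at least two a month" intuition under test
if __name__ == "__main__":
    for r in RISKS:
        tail = exceedance_probability(simulate_annual_losses(r, 3000), RUIN_THRESHOLD)
        print(f"{r.name:40s} ALE={r.annual_loss_expectancy():>12,.0f}  P(ruin)={tail:.3f}")
    lo, hi = credible_interval(HISTORIC_COUNTS)
    print(f"90% interval for yearly rate: {lo:.1f}..{hi:.1f}; "
          f"P(rate >= {CLAIMED_RATE} | data) = {prob_rate_above(HISTORIC_COUNTS, CLAIMED_RATE):.2e}")
```

With these inputs the frequent low-impact risk has the largest expected annual loss, the rare breach is the only one that ever exceeds the ruin threshold, and the claimed rate of 24 per year sits far outside the 90% interval the historic counts support.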

    1. Re:bullshit by Kjella · · Score: 1

      But there are almost always two types of risks that outrank them. First, the low-probability but high impact risks that more often than expected turn out to be existence-threatening and that fact makes them more important than their statistical value indicates.

      The funny thing is that when these actually happen they usually tend to be a whole chain of mistakes, but the sub-events that don't actually lead to an incident are often grossly under-reported. Like the rules say you are to wear belt and suspenders, but nobody wants to report a broken belt or missing suspenders. Even if you actually lost your pants and nobody saw let's just quickly pull them up and pretend you didn't almost get caught with your pants down. There's a lot of "no harm no foul" going around a lot of places that cover up for a bad process, bad testing and sloppy coding. But it's also because raising a security bug can rain fire and brimstone down on that team and be abused politically.

      --
      Live today, because you never know what tomorrow brings

    2. Re:bullshit by Anonymous Coward · · Score: 0

      I do risk analysis for a living, among other things. I'm the Senior Information Security Architect at my company and I train risk managers and CISOs. Most importantly, I do quantitative risk analysis using actual numbers and statistics, not the "green, yellow, red" nonsense that most IT consultants sell you because it's the only thing they (barely) understand.

      Great, you have read Norman and learned about threat modeling.

      Amazing that today high-end security jobs are 90% fluffing executive staff. Most people recognize this and can't be bothered to read a couple of widely available books.

      I'm on the other end of the spectrum. I'm at the bottom and teach people with fancy titles the likes you have and listed, because nobody promotes unless you are willing to spend 90% of your time fluffing.

    3. Re:bullshit by Tom · · Score: 1

      Great, you have read Norman and learned about threat modeling.

      I've read a lot more and threat modeling is a small element in one step (risk identification) of a risk management process. But you've just demonstrated your ignorance.

      I'm at the bottom and teach people with fancy titles the likes you have and listed,

      ...and that twice in one posting, congratulations!

      I used to be a sysadmin. I've run many of the systems I talk about at one point or another in my career. That's why I've insisted to not have "consultant" as my job title ever in my career. Because what you say is right when you're talking about them. I've seen so many consultants who make excellent powerpoint slides and don't have the first clue about Bayes or regression to the mean or can't explain what a sunk cost fallacy is or how proper forecasting works.

      And yes, fluffing executives is a big part, but you can shorten it by a few clear demonstrations of competence. One of the primary skills of a CISO is to earn the trust of his top management so they don't double-check everything he does.

      --
      Assorted stuff I do sometimes: Lemuria.org

    4. Re:bullshit by Tom · · Score: 1

      but the sub-events that don't actually lead to an incident are often grossly under-reported.

      Oh I couldn't agree more on that. I too rarely see "near misses" as part of the risk management or incident management process and most of the time the part where I talk about them in my workshops it's a cheap "revelation" to sell because it makes so much sense but is rarely done.

      But it's also because raising a security bug can rain fire and brimstone down on that team and be abused politically.

      That is slowly changing, though. I've seen the same change in culture 25 years ago on the business side with TQM. I was still in university when that happened, but it was basically the same thing. One day soon someone will invent TSM and write a cute book about it and then the whole CxOs will finally listen. I'd love to peer-review that book, but I won't write it, business fluff isn't my thing.

      --
      Assorted stuff I do sometimes: Lemuria.org

  12. Well, what a surprise! by The_Other_Kelly · · Score: 1

    Who could have guessed it?

    Companies which ...
    ... treat their employees as disposable "resources" bound by highly restrictive overreaching contracts,
    ... regard their customers with barely disguised contempt,
    ... treat regulations and laws as optional,
    ... laugh at taxation as being "for the little people",
    ... and generally act as douchebags ...

    have problems with security due to the lack of loyalty!

    How can this be happening?
    Why are the (unpaid) natives lazy, the slaves sullen,
    the oppressed and exploited unwilling to bend their backs with a smile?

    Why the sabotage?

    What is wrong with people?

    --
    (R)ule in Hell or (S)erve in Heaven [R]?

  13. Also from the bad meaning employee by Anonymous Coward · · Score: 0

    This 'kind of thing' happened to us when I worked for an employer. Some guy was getting laid off - he knew something was going to happen, so (whilst I happened to be watching one machine's load) I noticed a massive file copy of all our internal material from the server. Looking into it, it was the guy's PC (who had no business being in that location - yes, 'obvious' permissions-based security was something IT hadn't gotten to grips with, as we were all a 'team' working together).

    Anyway, I caught this, notified my boss, the employee was let go, but nothing ever happened about that USB drive he was copying to. He left with that information for a competitor. Our HR eventually got their finger out and contacted him about the *cough* USB drive with info on it that we 'noticed', but obviously can feign ignorance and/or knowledge of the entire thing, plus embarrassment for the company regarding the data breach if it had to be announced.

    Moral of the story: Don't trust employees, and don't trust management either. You have to get off your arse and do things yourself sometimes (but also cover yourself in case HR are a bunch of arseholes). I learned a valuable lesson that day.

    Said employer is no longer a market leader and has since been sold on. Because of HR engineering a divisive culture it all basically nosedived. Very glad to have got out of there when I did.

    You can't help some people/'entities'. If you get into a company like that, get out. It may be hard, but it's better than the stress forced upon you by a company that persecutes and doesn't care about employees. It's basically like an 'abusive relationship'. Awful.
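The two situations described in this thread (a bulk copy of the server's contents that was only noticed because someone happened to be watching a machine's load, and, from comment 6, staff reaching project data they were never assigned to) are what a file-server access log can surface systematically rather than by luck. This is an added example, not code from any commenter: the log format, the log lines, the assignment table and the thresholds are all constructed.

```python
"""Added example: need-to-know violations and bulk reads in constructed file-server logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per file operation on a project share.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>read|write) "
    r"path=/projects/(?P<project>[^/\s]+)/\S+ bytes=(?P<bytes>\d+)$"
)

ASSIGNMENTS = {  # constructed: who has a business need for which project share
    "alice": {"orion"},
    "bob": {"orion", "vega"},
    "carol": {"vega"},
}

LOG = """\
2019-03-22T09:01:10 user=alice op=read path=/projects/orion/spec.docx bytes=310000
2019-03-22T09:03:42 user=bob op=read path=/projects/vega/roadmap.xlsx bytes=120000
2019-03-22T09:10:05 user=carol op=read path=/projects/orion/pricing.xlsx bytes=80000
2019-03-22T13:40:01 user=bob op=read path=/projects/orion/design/a.pdf bytes=900000000
2019-03-22T13:40:07 user=bob op=read path=/projects/orion/design/b.pdf bytes=1200000000
2019-03-22T13:40:15 user=bob op=read path=/projects/vega/src.zip bytes=2500000000
2019-03-22T15:12:00 user=alice op=write path=/projects/orion/notes.txt bytes=2000
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines instead of dropping them
        d = m.groupdict()
        events.append({"ts": datetime.fromisoformat(d["ts"]), "user": d["user"],
                       "op": d["op"], "project": d["project"], "bytes": int(d["bytes"])})
    return events

def need_to_know_violations(events, assignments):
    # reads of a project share by someone who is not assigned to that project
    return [(e["user"], e["project"], e["ts"]) for e in events
            if e["op"] == "read" and e["project"] not in assignments.get(e["user"], set())]

def bulk_copy_alerts(events, window=timedelta(minutes=10), threshold_bytes=1_000_000_000):
    # per user, bytes read inside any sliding window; alert when that exceeds the threshold
    reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "read":
            reads[e["user"]].append(e)
    alerts = {}
    for user, evs in reads.items():
        start, total = 0, 0
        for e in evs:
            total += e["bytes"]
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold_bytes:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts

if __name__ == "__main__":
    events = parse(LOG)
    for user, project, ts in need_to_know_violations(events, ASSIGNMENTS):
        print(f"{ts} {user} read share '{project}' without an assignment")
    for user, total in bulk_copy_alerts(events).items():
        print(f"{user} read {total:,} bytes within 10 minutes")
```

The assignment table is also what the share permissions should be generated from; the detection only sees what the permissions failed to prevent, which in the story above was everything.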

  14. Re:Windbourne is a moron many times over. by Anonymous Coward · · Score: 0

    hindu dindu

  15. WindBourne why do you always lie? by Anonymous Coward · · Score: 0

    Why? How much do they pay you?

  16. In other news... by Anonymous Coward · · Score: 0

    Water is wet.