Slashdot Mirror


Insider Threats Pose the Biggest Security Risk (betanews.com)

An anonymous reader shares a report: According to a new study, 91 percent of IT and security professionals feel vulnerable to insider threats, and 75 percent believe the biggest risks lie in cloud applications like popular file storage and email solutions including Google Drive, Gmail and Dropbox. The report from SaaS operations management specialist BetterCloud also shows 62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user.

Among other findings are that 46 percent of IT leaders (heads of IT and above) believe that the rise of SaaS applications makes them the most vulnerable. In addition, 40 percent of respondents believe they are most vulnerable to exposure of confidential business information such as financial information and customer lists. Only 26 percent of C-level executives say they've invested enough to mitigate the risk of insider threats, compared to 44 percent of IT managers.

6 of 46 comments

  1. This is stupid by WindBourne · Score: 3, Insightful

    Right now, American companies are putting on the newest version of Windows, and yet they are getting cracked more often. Why?
    Is it because Windows is worse? No. Windows is actually getting more secure.
    So, are the Russians simply moving to America and cracking it here? No. If that was the case, then we would be arresting MORE, not fewer, Russians.
    So, how are the Russians getting into many of our business computers?
    What have businesses increasingly done? OUTSOURCED. Who to? India and China. We do not hear of India cracking our systems, but China has increased it.
    BUT, how is one of these connected with Russians cracking American businesses? Simple. Who is India's best friend in the military? It is not the west. It is Russia. Many, many Indians are employed by Russian defense companies and then go work on western, esp. American, businesses. And those Indians are then paid around $10-20K, while we fat Americans are paid 100+K. So, if a Russian approaches an Indian friend of his and says, "look, we will pay you $150K just to leave a back door in code," what do you think that he will say?
    Yeah, getting paid 10x your yearly tends to make ppl jump, esp. when it does not harm their family, nation, etc.

    As to the Chinese? Well, we employ them here and we outsource there as well. What do you expect?

    The west deserves what it is getting because we refuse to acknowledge what is happening. We will allow political correctness to control us. Fools.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:This is stupid by guruevi · Score: 2

      Nice conspiracy theory but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.

      We have an entire industry where people just don't care or in many cases don't even know or get educated about security because they need to get the thing out of the door faster, so they set up things like memcached and S3 containers because they're easy without ever locking them down because that would insert all sorts of extra code and delays in the project, and then we turn them on the Internet and a few months later everyone is surprised.

      I have clients that are the exact same way: they want the prototype of software out of the door because it's functional and it's a minimal spend. The "behind the scenes" cleanup and security just doesn't happen so they can save a few thousand dollars. So there are entire web apps that have a login page but nothing beyond it is encrypted or secured; pure luck and lack of deep web scanners is what keeps some of these afloat. I've had a client that hadn't updated Drupal in 3 years; they were only lucky enough they didn't get hacked until that point because they were on a subdomain with no direct links to the system.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
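The comment above describes S3 buckets set up for convenience and never locked down. As an added illustration of what "locking down" means in practice, not code from the commenter or from any project named in the thread, here is a small static check over a bucket policy document: it flags Allow statements whose principal is anonymous (`"*"` or `{"AWS": "*"}`) and that carry no network or organisation scoping condition, and it is shown against a constructed wide-open policy and a constructed locked-down one. The account id, VPC endpoint id and bucket name in the samples are placeholders invented for the example.

```python
"""Flag S3 bucket-policy statements that grant access to anyone on the Internet.

Editor-added example, not the commenter's own tooling. The two policies
below are constructed samples; the account id, VPC endpoint id and
bucket name are placeholders, not real resources.
"""
import json

# Condition keys that confine an otherwise-anonymous grant to a trusted
# network or organisation; a "*" principal carrying one is treated as scoped.
SCOPING_CONDITION_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp", "aws:PrincipalOrgID",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (either form means everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _has_scoping_condition(statement):
    """True if any condition block references a scoping key from the set above."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def find_public_statements(policy):
    """Return [(Sid, [actions])] for Allow statements open to the whole Internet."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(statement.get("Principal")):
            continue
        if _has_scoping_condition(statement):
            continue
        findings.append((statement.get("Sid", "<no Sid>"),
                         _as_list(statement.get("Action", []))))
    return findings


# Constructed: the "easy" policy from the comment, reachable by anyone.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AnyoneCanWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed: the same bucket locked down to one role and one VPC endpoint,
# plus a Deny for plaintext transport (Deny statements are never flagged).
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("locked", LOCKED_POLICY)):
        print(name, find_public_statements(policy))
```

The input for a real bucket is the `Policy` string returned by `aws s3api get-bucket-policy --bucket NAME`. The check covers the bucket policy only; ACLs and the account-level Block Public Access setting are separate controls and need their own review.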
    2. Re: This is stupid by WindBourne · Score: 2

      You are missing the point. In a secured situation, the last thing you would do is pay somebody greatly less than others for doing the same job. Then add to that a situation where you hire a company that then hires local ppl without really checking their background, or perhaps just does not care. Someone who has worked for Indian defense has worked closely with Russians. It would be like Americans working in the defense industry likely working closely with Canadians and the UK. Russia and India share an entire defense industry due to Nixon's stupid threats as well as China's numerous invasions of India and Russia.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    3. Re:This is stupid by Tom · Score: 2

      Nice conspiracy theory but if anything Windows and general IT security has gotten worse over the years, not better, not because of technical flaws per se but because the stuff is explicitly built to be easier and thus also easier to exploit.

      Most purely technological challenges have been solved when it comes to IT security.

      We haven't solved the management and usability challenges.

      I can lock down a Linux system so much that I can give you remote root SSH access and you still can't damage it. In fact, I've done exactly that at hacker conferences. And the resulting system is still usable enough that I will give my presentation from it, after it's been on the conference wifi for the whole day and while it's still open to SSH during my talk with the root password posted in sight.

      But it won't be a system where you can deploy a new docker container with a few clicks or where you can run "composer install" without jumping through some hoops. Or where your random office application will run without extensive configuration of the security policy.

      As long as every office worker needs a fully functional general purpose computer at his desk, the challenge to combine security and usability is insurmountable. If you can tell me what your people are actually doing and what they need to do their work, I can give you a secure machine for them. But in the real world one half of managers doesn't have half a clue what and more importantly how their people are actually working and the other half has people doing so many different and constantly changing tasks that the definition of their job is in constant fluctuation.

      And that's not a technical challenge, that's a management challenge.

      I have clients that are the exact same way, they want the prototype of software out of the door because it's functional and it's a minimal spend

      We know how to build secure development into software development. In fact, we've known it since the 1960s. It's not even expensive when you consider TCO. But speed to market is impacted and most software development today doesn't even have a clear understanding of the end product (no matter if you call that agile or not-having-a-clue), which makes it hard to make a proper architecture and define proper security requirements.

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. People who copy documents by AHuxley · Score: 2

    ...with a photocopier and give them to the media.
    ...or to a USB stick, and walk out with data for political reasons.

    The well-meaning worker who hands your documents/data to a waiting journalist?
    Who collected data on the crimes of the company, a side of politics, brand, gov, NGO, movie studio, bank, mil they work for and tells the world.

    Want security?
    Is the person who they say they are? Fake ID? Sharing an ID? Not a citizen? No security clearance found, but they present as having a gov/mil past and a security clearance?
    Don't hire people with a past that is fictional and created.
    Investigate your staff. Their background in education. Their ability to learn. Their use of non-academic considerations to get an education.
    Could they pass their exams at every stage of their education?
    Who they are friends with. Their friends' politics. Are their friends criminals? What their hobbies are. Any lifestyle problems that are beyond their wage? Gambling? In debt? What do they read, watch, publish?
    Addiction that costs more than their wage? Health problems? Medical issues not covered by their wage and health insurance? An alcohol problem? Found faith? Looking for faith?
    Have they worked in a trusted setting before? Did they report problems? Talk to journalists? Create problems in past jobs?
    A split loyalty to another nation, faith, cult? Getting work in your nation to spy for another nation over decades?
    A change in online political views to become an activist? Talking to and seeking out journalists? Discovered looking up advice on accountability and whistleblower laws?
    Meeting with journalists? Got a new lawyer who has a security clearance and who works with whistleblowers?

    Mitigate the risks by hiring on merit and doing a full background investigation.
    Then give your new staff some fictional project. See who is tempted to walk to the media with fake project documents.
    See who made a copy. Who transferred out a copy. Who contacted a journalist to talk about aspects of the fake project?
    Advance the trustworthy staff.
    Move the trusted and tested workers to important projects. Keep staff who can't be trusted on projects that are in the open.
    Stop adding staff who bring complex problems to your company/brand/gov/mil.
    Look for the best quality workers who can be trusted. Don't hire workers you have to trust but know nothing about.
    Hire on merit and do much more research before accepting new staff.
    Stop telling your staff project details they have no reason to know about.
    Stop putting project details on networks and computers anyone within a secure company network can "find" and copy.
    Look over what your staff search for in internal computer networks. Do they know project names/details they never got told about/are not working on?
    Understand your staff. Secure your documents. Don't let internal data security become one large plain text data set.
    Not on a network? Staff who are politically motivated can copy data out.

    --
    Domestic spying is now "Benign Information Gathering"
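The second half of the comment above amounts to a detection programme: a decoy project whose documents exist only to see who carries them out, and a review of who searches for or opens project material they were never assigned. As an added example, not the commenter's own tooling, the script below runs those two checks over a constructed file-access audit log. The log format, the user names, the project names, the assignment table and the decoy project "heron" are all invented for the example.

```python
"""Review an internal file-access audit log for two of the signals in the
comment: searches for or access to projects a person was never assigned,
and documents (decoy-project documents included) copied to external media.

Editor-added example, not the commenter's tooling. Log format, users,
projects, assignments and the decoy project are constructed.
"""

# Constructed assignment table: who is supposed to be working on what.
# "heron" is a decoy project; carol was given it on purpose, so reading it
# is expected and only carrying it out of the network is the signal.
ASSIGNMENTS = {
    "alice": {"falcon", "osprey"},
    "bob": {"osprey"},
    "carol": {"heron"},
}
DECOY_PROJECTS = {"heron"}

# Constructed log lines: "<timestamp> <user> <action> <target>".
# Target is a path for READ / COPY_EXTERNAL and the query string for SEARCH.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice READ /projects/falcon/design.docx
2024-03-01T09:40:11Z bob SEARCH falcon
2024-03-01T10:02:45Z bob READ /projects/osprey/budget.xlsx
2024-03-01T10:15:09Z carol READ /projects/heron/roadmap.pptx
2024-03-01T11:30:52Z carol COPY_EXTERNAL /projects/heron/roadmap.pptx
2024-03-01T12:05:00Z alice READ /projects/osprey/readme.txt
2024-03-01T13:20:30Z mallory READ /projects/falcon/design.docx
"""


def project_of(action, target):
    """Project an entry refers to: the segment after /projects/ for file
    actions, the query string itself for SEARCH; None if not project-scoped."""
    if action == "SEARCH":
        return target.strip().lower()
    parts = target.strip("/").split("/")
    if len(parts) > 1 and parts[0] == "projects":
        return parts[1].lower()
    return None


def review_access_log(log_text, assignments, decoy_projects):
    """Return (timestamp, user, reason) for every entry that merits a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, action, target = line.split(maxsplit=3)
        project = project_of(action, target)
        assigned = assignments.get(user)

        # Account not in the assignment table at all: nobody vouches for it.
        if assigned is None:
            findings.append((timestamp, user, f"unknown account touched {target}"))
            continue

        # Anything leaving the network is recorded; decoy material doubly so.
        if action == "COPY_EXTERNAL":
            kind = "decoy project" if project in decoy_projects else "project"
            findings.append((timestamp, user,
                             f"copied {kind} '{project}' document {target} to external media"))
            continue

        # Searching for, or opening, a project the person was never told about.
        if project is not None and project not in assigned:
            findings.append((timestamp, user,
                             f"{action} on project '{project}' not on assignment list"))
    return findings


if __name__ == "__main__":
    for timestamp, user, reason in review_access_log(SAMPLE_LOG, ASSIGNMENTS, DECOY_PROJECTS):
        print(f"{timestamp} {user:<8} {reason}")
```

Expected result on the sample: bob's search for "falcon", carol's external copy of the decoy document, and the unknown account "mallory"; alice's and bob's reads of their own projects and carol's read of the decoy she was assigned produce nothing. A real deployment would take the assignment table from the HR or project system rather than a literal, and would add a time window so that one stray search does not page anyone.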
  3. bullshit by Tom · Score: 2

    I call massive bullshit on the conclusion.

    I do risk analysis for a living, among other things. I'm the Senior Information Security Architect at my company and I train risk managers and CISOs. Most importantly, I do quantitative risk analysis using actual numbers and statistics, not the "green, yellow, red" nonsense that most IT consultants sell you because it's the only thing they (barely) understand.

    One of the most consistent findings I have almost every time is that expert intuition is wrong about risk. That's not exactly news, almost every book ever written about the topic confirms it. But the conclusion is just as obvious: What IT security experts feel is the biggest threat has a low correlation coefficient with what is actually real.

    That doesn't mean insider threats aren't real, they definitely are and they typically do rank high in a properly conducted risk assessment. But there are almost always two types of risks that outrank them. First, the low-probability but high-impact risks that more often than expected turn out to be existence-threatening, and that fact makes them more important than their statistical value indicates. And secondly the bothersome low-impact but high-frequency (yes, probability becomes meaningless if the number of events can be higher than one) ones. They add up, and much more than you'd think.

    Insider attacks are just the high-impact with sufficiently high probability events that come to the top of our intuitive understanding. Which has been empirically proven to be wrong in so many ways that books have been written about that alone.

    62 percent of respondents believe the biggest security threat comes from the well-meaning but negligent end user.

    Have the same respondents checked their incident management report to validate their feeling against recent events? How much damage have those end users actually caused and is that value within the confidence interval of your expectation? Do they know that you can take historic data and actually calculate the probability that your assessment of the risk is true given that data? Have they done it?

    --
    Assorted stuff I do sometimes: Lemuria.org
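The comment above makes two quantitative points: that rare catastrophic events and frequent nuisance events can both outrank insider incidents once you multiply rate by impact, and that historic incident data lets you compute how plausible an expert's estimate actually is. As an added worked example, not the commenter's own method or tooling, the script below does both with constructed numbers: an annual-loss comparison of three risk classes, and a Gamma-Poisson update that turns a prior belief about the yearly rate of damaging negligent-user incidents plus the observed incident count into a posterior, from which it reads off the probability that the believed rate is right and a 90% credible interval. The frequencies, impacts, prior and incident counts are all invented for the illustration.

```python
"""Quantitative risk check: expected loss per risk class, and a Bayesian test
of a believed incident rate against the incident record.

Editor-added example, not the commenter's method. Every figure here
(frequencies, impacts, prior, incident counts) is constructed.
"""
import math

# --- Part 1: annual loss expectancy for three risk classes --------------
# Frequency is events per year: a rate, not a probability, so it may exceed 1.
RISKS = {
    "insider, malicious or negligent": {"per_year": 0.5, "impact_usd": 400_000},
    "catastrophic outage or breach":   {"per_year": 0.02, "impact_usd": 20_000_000},
    "routine nuisance (phish, lost laptop)": {"per_year": 300, "impact_usd": 2_000},
}


def annual_loss_expectancy(risks):
    """{name: expected loss per year} = rate x impact for each class."""
    return {name: r["per_year"] * r["impact_usd"] for name, r in risks.items()}


# --- Part 2: does the incident record support the belief? ---------------
def posterior_rate(prior_shape, prior_rate, incidents, years):
    """Gamma(shape, rate) prior on the yearly rate, Poisson counts observed
    over `years` -> Gamma(shape + incidents, rate + years) posterior."""
    return prior_shape + incidents, prior_rate + years


def gamma_cdf(x, shape, rate):
    """P(true rate <= x) for Gamma(shape, rate) with integer shape, using
    P(Gamma(n, b) <= x) = P(Poisson(b*x) >= n); no scipy needed."""
    if x <= 0:
        return 0.0
    lam = rate * x
    tail = sum(math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
               for i in range(shape))
    return 1.0 - tail


def gamma_quantile(p, shape, rate, tol=1e-9):
    """Invert gamma_cdf by bisection; the CDF is monotone so this converges."""
    lo, hi = 0.0, 1.0
    while gamma_cdf(hi, shape, rate) < p:
        hi *= 2
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if gamma_cdf(mid, shape, rate) < p:
            lo = mid
        else:
            hi = mid
    return hi


def check_belief(believed_rate, incidents, years, prior_shape=1, prior_rate=0.1):
    """Given the record, return P(true rate >= believed_rate) and the 90%
    credible interval for the true rate. Default prior is weak (mean 10/yr)."""
    shape, rate = posterior_rate(prior_shape, prior_rate, incidents, years)
    p_at_least = 1.0 - gamma_cdf(believed_rate, shape, rate)
    interval = (gamma_quantile(0.05, shape, rate), gamma_quantile(0.95, shape, rate))
    return p_at_least, interval


if __name__ == "__main__":
    for name, ale in sorted(annual_loss_expectancy(RISKS).items(), key=lambda kv: -kv[1]):
        print(f"{ale:>12,.0f} USD/yr  {name}")
    # Constructed scenario: the team believes negligent users cause about 12
    # damaging incidents a year; the incident log shows 3 in the last 2 years.
    p, (lo, hi) = check_belief(believed_rate=12, incidents=3, years=2)
    print(f"P(rate >= 12/yr | record) = {p:.2e}; 90% interval {lo:.2f}..{hi:.2f} per year")
```

With the constructed figures the nuisance class has the largest expected loss and the catastrophic class the second, both ahead of the insider class, which is the ordering the comment describes. In the belief check, three incidents in two years put the 90% interval roughly between 0.6 and 3.7 per year, and the chance that the true rate is 12 or more is negligible: the data, not the intuition, sets the number. The integer-shape trick in `gamma_cdf` is why the prior shape is kept an integer; swap in `scipy.stats.gamma` if a non-integer prior is needed.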