Survey finds cyber staffs overlook vulnerable target
BETHESDA, MD, July 19, 2017 - Information security staffs are so single-minded about defending their organizations from external attack that they all but ignore a threat with vastly greater potential for damage, according to a new survey to be released by SANS Institute on August 1.
As security protecting organizations from outside attack gets more formidable, attackers look for easier targets – users who already have access to an organization's most sensitive data, for example, and aren't as hard to fool as security systems.
"While deliberate/malicious insiders are always a concern, what many organizations fail to realize is that an external attack will often target a legitimate insider and trick them into causing harm," according to SANS instructor and survey report author Eric Cole, PhD. "This accidental/unintentional insider could be used as an avenue by the adversary to walk out with an organization's most sensitive data without fanfare or drama, and few organizations would be able to even know it had happened."
While these attacks are devastating, few organizations seem to realize that even when the origin of an attack is external, the ultimate entry point for the attacker was an insider who was tricked or manipulated into causing harm. Survey respondents understand the risk. When asked to rank attackers according to the amount of damage they could do, only 23% of respondents said attackers from outside would do the most damage; 36% said the worst breaches would come from unintentional insiders and 40% said malicious insiders would cause the greatest damage.
Few seemed to have any idea how much damage was involved, however. Forty-five percent of respondents said the cost of a potential loss was "Unknown," while 33% said they had no specific estimate of cost.
That seems surprising, but few organizations reported having insider-detection programs thorough enough to reliably detect insider threats, according to Cole. That same lack of visibility would make it difficult to identify the scope of a potential insider attack or estimate the cost of recovering from it.
Data showing 62% of respondents have never experienced an insider attack probably also indicate low visibility, but not low risk, according to Cole. Thirty-eight percent of respondents said the systems and methods they use to monitor insider activity are ineffective, which makes it even less likely that they could identify an insider attack in progress.
Inability to see is one thing; reluctance to prepare is another. Only 18% of respondents said they have formal incident-response plans that include potential insider attacks, though 49% said they are developing such a plan; 31% of respondents said they have no formal program in place or preparations to deal with threats from insiders.
"Malicious insiders have always been a threat, but the risk is increasing from 'unintentional' insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware," according to Cole. "Every organization is only one click away from a potential compromise."
Eric Cole will discuss the full results of the survey and his analysis in a webcast August 1 at 1 PM EDT, sponsored by Dtex Systems, Haystax Technology and Rapid7, and hosted by SANS. Register to attend the webcast at www.sans.org/u/ui9
Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and insider threat expert, Eric Cole, PhD.
About SANS Institute
The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates employee qualifications via 30 hands-on, technical certifications in information security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (www.SANS.org)