Blog · 19 Feb 2019

Is Dr. Evil working in your organisation?

The importance of hacking your internal IT systems and defending against the insider threat.

Bas de Graaf
Head of ethical hacking services

I’ve already talked about the importance of security testing, but one area which is not always given the right attention is the threat from within your own organisation – the insider threat.

These are malicious activities carried out by your own people: employees, consultants, suppliers or partners who work for you and have legitimate access to your IT systems and data.

Why this is neglected by most people

The fact that this important threat is overlooked by the majority of people may have to do with the belief that most attacks are launched from the internet by criminals who are financially motivated and run their operations like a business.

The reason I started to think about this was a recent experience during a project where several team members were of the opinion that security testing was not needed, as the applications were only published on the intranet and were not accessible from the internet. Since the internal network infrastructure was already protected, they reasoned, there was no need to bother. This way of thinking completely ignores the risk of the malicious insider.

But the insider threat does exist, and it is difficult to defend against. The network perimeter security which protects your internal network and applications against the outside world does not help if your colleague has the same aspirations as Dr. Evil.

According to IBM, two thirds of total data records compromised in 2017 were the result of malicious insiders, and insider threats are the cause of 60 per cent of cyber-attacks. Based on the 2018 Cost of Insider Threats report from Ponemon Institute, the average cost of insider-caused incidents was $8.76 million in 2017 – more than twice the $3.86 million global average cost of all breaches during that same year. Your most valuable asset – your people – has become your biggest risk.

Types of insider attacks

In general there are three categories of insider threat, although every malicious individual has their own reasons. I’ve added a fourth one to this list: those who introduce risk without knowing it.

1. Theft of data: the most well-known category. This can vary from stealing competitive information (sales plans, customer contacts, trade secrets, designs, CRM exports, etc.) to Personally Identifiable Information (such as credit card data, passport numbers, full names, etc.). This type of information can be really useful for insiders who leave the company to start their own business or move to a competitor. It may also be used to ruin the organisation by leaking the information to the public.

2. Sabotage: this type of threat results in the unavailability of data on IT systems and/or the equipment itself, and is mostly related to disgruntled employees who are looking for a way to damage the organisation.

3. Fraud: in general this is the result of insiders who are looking for personal gain. It may be related to a better financial situation or even an attempt to get themselves a better position. Business processes and controls which are simply not in place, or are easy to bypass, make it easy for malicious insiders to execute their plans.

4. Unintentional threats: those introduced into the organisation without the individuals involved even being aware, for example employees using a private mail account for business-related correspondence, use of unencrypted USB sticks, or connecting a wireless access point to the corporate network because it is more convenient. This type of insider threat stems from a lack of awareness and seems almost innocent, but it can have very serious consequences.

Why we must test our internal systems

It’s not just the people and business processes which introduce a threat, it’s also the IT systems themselves, which is why we must test our applications and internal networks, even though these may not be internet facing. Anyone who works with IT systems needs to consider that a weakness caused by ignorance, limited skills or awareness might result in disclosure of data, financial or reputational damage. This can happen during the development phase, but also during implementation or lifecycle management.

To understand the risks associated with this type of threat, you need to evaluate the security posture of internal IT systems just as you do for external ones. Some examples of issues we have identified when testing internal-facing applications and the associated network infrastructure include:

  •  Administrative web interfaces accessible via the production network for all users on the network (instead of a dedicated isolated management network, also called an out-of-band network).
  •  Default credentials still active. These are accounts generated during the installation of an operating system, application, database, network component, etc. Although several products enforce a password change during installation, some don’t.
  •  Weak password policies which allow users to choose easily guessable credentials.
  •  Both vertical and horizontal privilege escalation: when a lower privilege user accesses functions or content reserved for higher privilege users (vertical) or when a user accesses functions or content reserved for other users with the same privilege (horizontal).
  •  Unpatched software releases, meaning the software has known security vulnerabilities. Once a notable vulnerability has been identified, a vendor may issue a patch. Such a patch also contains detailed information about the vulnerability and helps those with malicious behaviour identify and exploit the vulnerability.
  •  Active Directory with weak configuration and administration procedures. Although Active Directory, if used correctly, can help an organisation secure and maintain its systems, it is very easy for poor operational practice to give an insider access to far more systems than intended. Skilled insiders very often attack Active Directory, and extensive tooling is freely available to help them.
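The privilege escalation finding in the list above is worth showing in code. This is an added example, not code from the original post or from any client system: a small in-memory internal app with constructed users and records, showing the "authenticated but never authorised" pattern next to a hardened version that enforces both the horizontal (ownership) and vertical (role) boundary on every call.

```python
# Added example (not from the original post): a minimal authorisation layer that
# closes both horizontal and vertical privilege escalation in an internal app.
# The users, roles and records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "user" or "admin"


# Constructed sample records: each belongs to exactly one owner.
RECORDS = {
    101: {"owner": "alice", "data": "alice's expense claims"},
    102: {"owner": "bob", "data": "bob's expense claims"},
}

# Functions reserved for administrators (the vertical boundary).
ADMIN_ONLY = {"delete_record", "export_all"}


class Forbidden(Exception):
    pass


def get_record_vulnerable(user: User, record_id: int) -> str:
    """The 'before' pattern: the caller is authenticated, but the record owner is
    never compared with the caller, so any logged-in user can read any record
    (horizontal escalation). The user argument is deliberately ignored."""
    return RECORDS[record_id]["data"]


def get_record(user: User, record_id: int) -> str:
    """Hardened: ownership is enforced server-side; admins may read any record.
    Missing and foreign records fail identically so ids cannot be enumerated."""
    record = RECORDS.get(record_id)
    if record is None or (record["owner"] != user.username and user.role != "admin"):
        raise Forbidden(f"{user.username} may not read record {record_id}")
    return record["data"]


def call_function(user: User, function: str) -> str:
    """Hardened vertical check: the role is verified on every call, not only when
    the menu is rendered, so hiding a link in the UI is not the control."""
    if function in ADMIN_ONLY and user.role != "admin":
        raise Forbidden(f"{user.username} may not call {function}")
    return f"{function} executed by {user.username}"


def can(user: User, action, *args) -> bool:
    """Audit helper: True if the action is permitted for this user."""
    try:
        action(user, *args)
        return True
    except Forbidden:
        return False
```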

Security testing is an ongoing activity which never stops, just like attacks launched by malicious individuals never stop, whether it is from the outside or the inside. Our team of ethical hackers can identify your weak spots and then work with you to fix them. Find out how secure your organisation is.