Verizon DBIR: Identify insider threat warning signs, safeguard IP

on Thursday, 25 October 2012

Taken from: http://searchsecurity.techtarget.com
Nearly half of all reported instances of intellectual property (IP) theft involved trusted insiders, according to an analysis conducted by the Verizon RISK Team, which issued a report with new findings gleaned from the company’s 2012 Data Breach Investigations Report (.pdf) published earlier this year.
In the Verizon DBIR Intellectual Property Snapshot (.pdf), the researchers found that while the majority of breach events were executed by external actors, 46% of all events which culminated in the loss of proprietary data involved an employee, highlighting the challenges enterprises continue to face in protecting sensitive information from insider threats.
“The take-home message here is that protecting IP from ‘them’ is an incomplete and inadequate strategy. Understanding that ‘we’ are sometimes our own enemy—and sometimes the enemy targets its own—is important to building good policy and practice for defending the crown jewels,” the report states.

What defines the insider threat?

Most often insider threats materialize in the form of employees who are experiencing higher than average levels of distress, a sign management should be on the lookout for, according to security consultant Jeffrey Carr.
The impetus for the theft of intellectual property by an employee can include a combination of factors including greed, moral ambiguity, or temptation fueled by unfettered access to valuable information. “A company's defensive posture to confront the insider threat needs to include management training in observing early warning signs of employee stress such as financial problems, marital problems, poor job performance, etc. Once an employee is showing signs, increased monitoring of their email and web surfing habits may be advisable. Most companies' employee agreements include provisions for this level of monitoring as long as the employee is using company assets,” Carr said.
“Insider threats are motivated by self-interest and influenced by personal preferences, social context and local culture. As Prospect Theory predicts, trusted insiders are hungry for the possibility of personal gain by stealing IP. Like any other crime, a person needs a combination of means, opportunity, and intent in order to steal intellectual property,” said Danny Lieberman, CTO of Software Associates, a software security consultancy based in Israel.

Defending against the insider threat

Among the technologies available for protecting IP from theft by insiders are Identity Access Management (IAM) tools, which allow companies to control access to sensitive data by assigning legitimate user accounts varying degrees of permission on particular databases, applications, and systems. IAM software offers a measure of protection, but it has its shortcomings, according to Lieberman.
“IAM is the most basic security countermeasure for mitigating the risk of insider security breaches, but paradoxically IAM can also provide the means for trusted insider theft of IP. Insiders typically have knowledge of how the system works, the business processes, the company culture and how people interact. They know who administers the rights management systems and who grants permissions. With the right knowledge and social connections, access to sensitive data can be obtained even if it was not originally granted by design in the IAM system,” Lieberman warns.
Another available solution is Information Rights Management (IRM) tooling, which uses cryptography to protect the information in sensitive documents and communications from unauthorized access both within and outside an organization’s network.
But IRM has drawbacks as well, as it requires the organization to know in advance which information it specifically wants to control and protect by way of the IRM system. “IRM mitigates the vulnerability of means to an extent, but does nothing to lessen the threat posed by opportunity. Once rights are granted by the IRM system – the user is trusted and has access to the controlled document,” Lieberman said.
A more comprehensive strategy for protecting intellectual property against misappropriation by trusted insiders is the deployment of a Data Loss Prevention (DLP) solution, which can prevent unauthorized access to and transfer of sensitive corporate data, as well as issue alerts when either is attempted.
“DLP is a data-centric security control, agnostic to permissions controls and applications. Agent DLP runs on the user PC, whereas network DLP runs in the enterprise network. DLP enables the organization to monitor information flowing in and out of the company in order to detect and prevent information leaks. Compared to other solutions, DLP actually mitigates all three vulnerabilities – means, opportunity and intent, since it measures movement of data to unauthorized destinations and is independent of any rights management,” Lieberman said.
Even with basic controls in place, the risk of sensitive data loss by way of trusted insiders will persist. “Insider threats are a serious problem, with no good off-the-shelf solutions,” Carr added.
The Verizon report recommends enterprises make a concerted effort to practice pre-employment screening of employees, enforce separation of duties, and regulate user network privileges in addition to implementing monitoring systems in order to prevent the theft of intellectual property.
------------------------------------------------------------------------------------------------------------
Personal Appraisal
One of the dangers large companies face is the leakage of their valuable information, such as customer information, accounting data and the passwords that grant access to information. But there is a danger that very few pay attention to, even though it is one of the most serious: the attack from within.
Indeed, it is much easier for an attacker to get into a system if they do so directly, which is why, besides guarding against the outside, companies should also worry about the inside. Their workers are a latent danger and should always be monitored, as security consultant Jeffrey Carr points out.


Social networks: basic tips to avoid falling into cybercriminals' traps

on Thursday, 18 October 2012

The Instituto Nacional de Tecnologías de la Comunicación (Inteco) warned this week that social networks are in the "crosshairs" of cybercriminals, who exploit the boom of these communities to obtain users' personal data and to spread viruses, scams and fraud.
Inteco reported that, according to the fourth wave of the Observatorio de Redes Sociales of the Oficina de Seguridad del Internauta (OSI), cybercriminals are increasingly seeking their victims on social networks.
It stressed that the user's "false sense of security" on receiving messages from known contacts opens many opportunities to exploit social-engineering tricks, such as the creation of fake accounts and the sending of deceptive messages.
In this regard, it noted that although social-network users are concerned about security, "most do not take the necessary precautions to protect themselves".
To avoid being deceived, Inteco recommended "using common sense", not clicking "on just anything", not following links that appear on suspicious pages, and not allowing applications of dubious credibility to access profile data.
It emphasised that "no social network" asks for a username and password by e-mail, and that any communication of that kind should be deleted.
It also advised checking where links lead before clicking on them, not opening messages from unknown users or messages that were not requested, and being "selective" about the people added to one's friends list.
Personal Appraisal
As is well known, a social network is a medium through which we make ourselves known to the whole world, in some cases revealing more or less information depending on the person. That is why special care must be taken over the security given to it. Inteco (Instituto Nacional de Tecnologías de la Información de España) recommends using common sense and being more wary before following suspicious links, and in this way avoiding social-engineering attacks.

Age-old vulnerabilities, attack techniques consistently trip enterprises

on Thursday, 4 October 2012

Taken from: http://searchsecurity.techtarget.com
TORONTO --- The vulnerabilities of the past are consistently haunting some enterprises, according to a penetration tester who explained Tuesday that enterprise IT security teams often know about persistent weaknesses and system configuration issues but are doing little to correct them.
"There's been a whole lot of gaps out there in how we defend systems, and they've just remained in place," said Jamie Gamble, a senior security consultant at Denver-based Accuvant Labs. "We are ignorant as an industry. We still have ignorance toward a lot of things in security."
In his presentation at the SecTor security conference, "The More Things Change: The Vulnerabilities that Time Forgot," Gamble summed up longstanding weaknesses in Windows and Unix systems that continue to go unaddressed at many firms. Security researchers Dan Farmer and Wietse Venema authored a 1992 paper that challenged conventional thinking, prompting network analysis and some of the first penetration tests. The paper described attack techniques that are still relevant today, he said.
Network segmentation issues, such as poorly configured VLANs, contribute to a continuous pattern of holes that can be targeted with attack tools and techniques built more than a decade ago, Gamble said. Many are not configured to support proper role-based access control, or RBAC.
"We've seen improvements in system architecture, but VLANs are not being implemented from a security perspective; they're being implemented with a functional perspective," Gamble said. "Even though network segmentation works, it's still very difficult to put it in place."
System-to-system trust has also opened persistent weaknesses, Gamble said. It started with Rlogin, which allows the user of one system to log into another system without a password. An old technique still used by pentesters is to target the Rlogin file, exploiting it to allow anyone to log in without a password. SSH was added to improve security, but it has actually done very little to correct the trust weaknesses, he said. A lot of organizations fail to put passphrases on their SSH keys. "It's encrypted," he added, "but it doesn't matter."
Weak, poorly protected and mishandled passwords can also be a common way in, according to Gamble. Unix-based systems that use NIS for network authentication may be configured in a way that exposes the user directory's list of passwords to an attacker. Using Lightweight Directory Access Protocol is not necessarily better. An attacker can attempt to root the box and, if successful, can pull LDAP passwords out of regions of memory, according to Gamble. It is easy to do as long as you can compile on the system, he said. Even if shell password files are being used to hide distributed passwords from users, they can be cracked easily, he said.
Security researchers say man-in-the-middle (MiTM) attacks are also commonly used by cybercriminals. Tools have gotten better at automating the process, but the attack technique was known and available before the modern Internet was invented, Gamble said. The attack is very successful today because people often accept connections that have bad certificates, he said. There are many programs designed to create a MiTM condition, eliminate encryption and start stealing credentials.
"Most mitigations in place haven't worked at all," he said. "This stuff has been made so easy that anyone can do it."
Local Unix issues are also a major problem enterprises commonly don't address. "You can do great things with configuring Unix, but if you want to get practical about how it's being set up in big companies, you've got big problems," Gamble said.
Basic techniques designed in 1992 to target Unix configuration issues are still in use today. Insecure cron jobs or tasks, and the way privileges are specified in the sudoers file, could also lead to information exposure. Some firms configure read/write access on everything in the home directory. As a result, Gamble said, getting elevated privileges on a Unix box is pretty easy if the attacker has access to it.
Local Unix configuration issues are not being tested and detected. Some weaknesses, such as Address Resolution Protocol (ARP) poisoning, a network attack, are expensive to fix. Organizations can begin by teaching Unix administrators proper security and proactive auditing, to not only look for weaknesses but address them.
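The "proactive auditing" the article closes on, as an added example that is not part of the article or of Gamble's talk: a shell script that checks one home-directory tree and a crontab for the local weaknesses described above (r-command trust files, SSH private keys stored without a passphrase, world-writable files, cron jobs that run a writable script). The sample home it builds under mktemp is constructed data, and the key bodies in it are truncated placeholders.

```shell
#!/bin/bash
# Added example, not from the article or the talk: audit a home tree and a crontab
# for the local Unix weaknesses listed above. Findings print as "CHECK<TAB>path".
# r-command trust files: a "+" in the host or user field trusts everyone.
find_trust_wildcards() {
    find "$1" -type f \( -name .rhosts -o -name hosts.equiv \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eq '(^|[[:space:]])\+([[:space:]]|$)' "$f"; then printf 'TRUST_WILDCARD\t%s\n' "$f"; fi
    done
}
# SSH private keys with no passphrase: protected PEM keys carry an "ENCRYPTED" marker;
# new-format keys encode cipher "none" in the first base64 line (b3BlbnNzaC1rZXktdjEAAAAABG5vbmU).
find_unencrypted_keys() {
    grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null |
    while IFS= read -r f; do
        if grep -q ENCRYPTED "$f"; then continue; fi
        if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f" &&
           ! grep -q '^b3BlbnNzaC1rZXktdjEAAAAABG5vbmU' "$f"; then continue; fi
        printf 'KEY_NO_PASSPHRASE\t%s\n' "$f"
    done
}
# Anything under the tree that every local user may modify ("rw on everything").
find_world_writable() {
    find "$1" ! -type l -perm -0002 2>/dev/null |
    while IFS= read -r f; do printf 'WORLD_WRITABLE\t%s\n' "$f"; done
}
# Cron jobs whose program is world-writable: whoever edits it runs as the job's owner.
find_writable_cron_targets() {                 # $1 = crontab file
    while read -r min hr dom mon dow cmd; do
        case "$min" in ''|\#*|*=*) continue ;; esac   # blank, comment, VAR=value
        prog=${cmd%% *}
        if [ -f "$prog" ] && [ -n "$(find "$prog" -maxdepth 0 -perm -0002)" ]; then
            printf 'CRON_WRITABLE_TARGET\t%s\n' "$prog"
        fi
    done < "$1"
}
# $1 = home dir, $2 = crontab file
audit_home() { find_trust_wildcards "$1"; find_unencrypted_keys "$1"; find_world_writable "$1"; find_writable_cron_targets "$2"; }
# Constructed sample home: one instance of each weakness plus one protected key.
make_sample_home() {
    local d; umask 022; d=$(mktemp -d); mkdir -p "$d/.ssh" "$d/bin"
    printf '+ +\n' > "$d/.rhosts"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/.ssh/id_ed25519"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHI=\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/.ssh/id_rsa"
    printf '#!/bin/sh\necho backup\n' > "$d/bin/backup.sh"; chmod 666 "$d/bin/backup.sh"
    printf '0 2 * * * %s --all\n' "$d/bin/backup.sh" > "$d/crontab"
    echo "$d"
}
d=$(make_sample_home); audit_home "$d" "$d/crontab"; rm -rf "$d"   # stand-alone run
```

On a real host the same functions can be pointed at each user's home directory and at the system and per-user crontab files; the sudoers and NIS/LDAP points from the talk are not covered here.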
------------------------------------------------------------------------------------------------------------
Personal Appraisal
Great advances have been made in enterprise security, but simple mistakes and open doors are often set aside and sometimes even forgotten; this leaves holes that can be exploited by people with bad intentions.
As the article above explains, despite knowing about these deficiencies the IT security team does not take them into account, and this is something that must be corrected if optimal protection of information is to be achieved.