Dark Reading has an article on identifying the insider threat, although it seems to be more focused on how to spot a bad employee. The article, which seems to be anecdote-based information from Rob Enderle and RSnake, lists the top ten warning signs that you may have a bad employee, or, as they term it, an "insider."
Sure, the insider threat may be a subset of the bad employee, but these ten warning signs don't seem to indicate anything else. The IP thief is not the same as the disgruntled vandal is not the same as the black market carder. The article conflates all these threats, and winds up with recommendations so broad as to be meaningless. For example:
- Excessive absences
- Unusual behavior / Office romance gone bad
- Employee is terminated / Employee resigns
The real meaty threats and red flags associated with them are a bit more nuanced, and have been hashed out in the fraud investigation field for years. Computer crime is just crime. Vandals are vandals. The computer security industry seems to be genuinely befuddled when encountering a threat that doesn't have a 8P8C modular connector jack.
Image from oronzo.
2 comments:
D-
What do you think of internal honeypots?
I'm trying to think of a practical use for them. Assuming you have an insider problem, and using the SANS definition of honeypot (http://www.sans.org/resources/idfaq/honeypot3.php), are the folks breaking into the honeypot the same as the ones causing your info leakage problems? It seems that you'd have to model the honeypot so close to the production system, other countermeasures might better solve the problem.
Also, I feel it's different to try to deceive hostile outside attackers than to try to deceive people you've hired and trust enough to get legitimate access. Besides ethics, there could be complicated legal & HR issues.
I'd be interested in hearing about a real life examples.
Post a Comment