The insider threat is perhaps the most dangerous risk an organization faces. In most cases the threat is not a malicious employee, but an outside perpetrator using social engineering techniques to gain insider access.
As evidenced by the hack that exposed records on more than 10,000 staff members at the Departments of Justice and Homeland Security, and the compromise of records on more than 20,000 supposed FBI employees, becoming a faux insider through social engineering is a much easier job for hackers than writing zero-day exploits.
That’s the conclusion of research from Balabit, which found that more than 70% of IT security experts consider insider threats the greatest risk.
“The highest risk to corporations is when outside attackers gain insider access, as they can stay undetected within the network for months,” said Zoltán Györko, CEO at Balabit. “Balabit aims to support organizations to know their enemy by knowing who is behind their user accounts, and determining whether it is a legitimate user or a masked hacker. This should be the fundamental priority in every kind of organization's IT security strategy.”
The survey also uncovered which methods or vulnerabilities IT security experts think that attackers are using the most—or taking advantage of—when they want to get sensitive data in the shortest time. At the top of the list was social engineering and phishing. Most attackers aim to get a ‘low level’ insider user account and escalate its privileges.
“Trying to identify an existing corporate user and trying to break its password is a slow process and leaves so many footprints behind (e.g. lots of additionally generated logs as a result of the automated attacks) that greatly increases the risk of being noticed that something suspicious is happening,” the report noted. “Therefore, hackers mostly use social engineering attacks when users voluntarily give their account and password.”
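The report’s point is that automated password guessing leaves a footprint in the logs, whereas a credential handed over through social engineering produces a login that looks legitimate. The following added example (not Balabit’s code, and not part of the report) runs a simple detection over a few constructed sshd-style log lines: it counts failed logins per account and source address, and flags an account whose success follows a burst of failures. The log lines, account names, addresses and the threshold of five failures are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines in sshd style; not taken from any real system.
SAMPLE_LOG = """\
Jan 10 09:00:01 host sshd[1201]: Failed password for jsmith from 203.0.113.7 port 50122 ssh2
Jan 10 09:00:02 host sshd[1202]: Failed password for jsmith from 203.0.113.7 port 50123 ssh2
Jan 10 09:00:03 host sshd[1203]: Failed password for jsmith from 203.0.113.7 port 50124 ssh2
Jan 10 09:00:04 host sshd[1204]: Failed password for jsmith from 203.0.113.7 port 50125 ssh2
Jan 10 09:00:05 host sshd[1205]: Failed password for jsmith from 203.0.113.7 port 50126 ssh2
Jan 10 09:00:06 host sshd[1206]: Failed password for jsmith from 203.0.113.7 port 50127 ssh2
Jan 10 09:01:10 host sshd[1210]: Accepted password for jsmith from 203.0.113.7 port 50130 ssh2
Jan 10 09:05:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 10 09:06:00 host sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

# Matches the outcome, account name and source address of a password login.
LINE_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+) port")


def parse_events(lines):
    """Extract (outcome, user, source_ip) tuples; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def find_guessing(lines, threshold=5):
    """Return {(user, ip): info} for every account/source pair with at least
    `threshold` failed logins. `success_after_burst` records whether a successful
    login followed the burst, which is the footprint of a guessed password."""
    failures = defaultdict(int)
    flagged = {}
    for outcome, user, ip in parse_events(lines):
        key = (user, ip)
        if outcome == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            flagged[key] = {"failures": failures[key], "success_after_burst": True}
    # Bursts that never ended in a success are still worth reporting.
    for key, count in failures.items():
        if count >= threshold and key not in flagged:
            flagged[key] = {"failures": count, "success_after_burst": False}
    return flagged


if __name__ == "__main__":
    for (user, ip), info in find_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{user} from {ip}: {info['failures']} failures, "
              f"success after burst: {info['success_after_burst']}")
```

In the constructed sample the guessed account stands out with six failures before a success, while the second account logs a single failure and then a success, exactly how a login with a socially engineered password would look. That is the gap the report describes: log-volume detection catches the noisy attack, and the quiet one has to be caught by looking at what the account does after login.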
Compromised accounts are another big vector. Users commonly choose weak passwords, and sometimes reuse the same password for corporate and private accounts. If a hacker can obtain such a user’s account and password from a less secure system (for example a private social media account), the same credentials can easily be used to log into the company network.
Web-based attacks that use SQL or command injection are also common, mainly because applications are the No. 1 interface to company assets for many insider and outsider users, and therefore present a huge attack surface. Unfortunately, the quality of application code is still questionable from a security point of view, and there are many automated scanners with which attackers can easily find vulnerable applications.
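To make the application-code point concrete, here is an added example (not from Balabit or the report) showing the defect that makes SQL injection possible beside its hardened form. It uses Python’s built-in sqlite3 module with an in-memory table whose contents are constructed for the illustration; the table layout and the account names are assumptions.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "user"), ("admin", "hash-b", "admin")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective version: the caller's input is spliced into the SQL text, so any
    quote in the input changes the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Hardened version: the input is bound to a placeholder and is never parsed
    as SQL, so it can only ever be compared as a value."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal lookup behaves the same either way.
    print(lookup_user_vulnerable(db, "alice"), lookup_user_safe(db, "alice"))
    # The textbook injection string returns every row from the vulnerable
    # version and nothing from the safe one, because no username equals it.
    probe = "x' OR '1'='1"
    print(lookup_user_vulnerable(db, probe))
    print(lookup_user_safe(db, probe))
```

The behavioural difference is exactly what automated scanners test for: a quote in the input that alters the result set. Code review or a scanner run in the pipeline should flag any statement built by string concatenation and require the parameterised form.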
“Other hacking methods listed can also have the same results for attackers but might be a bit more complicated or time-consuming, for instance, writing an exploit takes time and requires good coding skills,” Balabit explained.
The other most popular hacking methods were: client-side attacks (e.g. against document readers and web browsers); exploits against popular server software (e.g. OpenSSL’s Heartbleed); unmanaged personal devices (e.g. lack of a BYOD policy); physical intrusion; shadow IT (e.g. users’ personal cloud-based services used for business purposes); poorly managed third-party service providers (e.g. outsourced infrastructure); and taking advantage of data in the cloud.
In terms of defense, about half (54%) of the survey respondents said that, in their experience, organizations are still afraid of “hackers” breaking into their IT network through the firewall, but at the same time over 40% said they already clearly see that these first-line defense tools are just not effective enough to keep hackers away.