Security experts have been warning enterprises for some time that the greatest security threats come from within: their own employees. And that message has apparently gotten through, according to a new survey. But those results also came with a disturbing twist: malicious employees.
Security vendor Cyber-Ark's "2012 Trust, Security & Passwords Survey" finds 71% of 820 IT managers and C-level professionals interviewed said insider threats were their priority concern. But instead insider threats being unintentional -- employees being careless or simply unaware of security protocols and with the Bring-Your-Own-Device (BYOD) trend -- survey respondents said a significant share of the threat is from malicious insiders.
Insider hostility could be for any number of reasons: being passed over for a promotion, not getting an expected bonus, the threat of being fired or even industrial espionage. But it gains major potency when insider knowledge or access is combined with "privileged accounts," which can be the "keys to the kingdom."
Mark Diodati, senior analyst for identity management and information security at Burton Group, writing on SearchSecurity, notes that such accounts are necessary for platforms to function, for emergency and for day-to-day tasks. "[But] they are notoriously difficult to secure because they don't belong to real users and are usually shared by many administrators," he wrote
"Yet a down economy increases the risk of disgruntled workers, making it more important than ever to have a system in place to control privileged access," Diodati wrote. "[Privileged accounts can] breach personal data, complete unauthorized transactions, cause denial-of-service attacks, and hide activity by deleting audit data."
Udi Mokady, founder and CEO of Cyber-Ark, said that attackers target employees with such privileged access. "It's clear that privileged access points have emerged as the priority target of enterprise cyber-assaults," he said.
However, some experts agree that breaching privileged accounts can cause major damage, but they say the threat posed by insiders -- especially malicious insiders -- is exaggerated.
Mark Baldwin, CISSP and principal researcher and consultant for InfosecStuff, said while 71% of respondents to a survey may believe the insider threat is the greatest, "evidence does not support this belief."
For example, the 2012 Verizon Data Breach Report, which uses empirical data rather than survey data, shows that only 4% of data breaches in 2011 involved insiders, Baldwin notes.
"And the percentage of breaches involving insiders has been declining for years," he said. "This is an example of peoples' beliefs not aligning with reality."
Kevin McAleavey, cofounder and chief architect for the KNOS Project, said he believes some employees may deliberately sabotage their employers, "but they are few."
"The vast majority of 'sensitive leaks' are from people who get 'spear-phished.' Some interloper successfully pretending to be them is a major problem," McAleavey said.
Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, contends that the malicious insider threat is more than just perception. He notes the case in 2006 of a former systems administrator at UBS, unhappy about receiving less of a bonus than he expected, who set off a logic bomb, knocking out 2,000 servers and causing the failure of backup systems, as well as deleting files. He was eventually sentenced to eight years in prison.
"[But] the question is not so much quantity as impact," whatever the raw percentage, Bosnian said. "An insider can have a major impact because they are already inside and have some domain knowledge."
On that point, there is general agreement, which means there is also agreement that enterprises could save themselves enormous amounts of risk and potential grief if they took steps to manage the risk from privileged accounts.
"Obviously, attackers want to gain access to privileged accounts. This enables them to have complete access to the system," said Mark Baldwin.
"This is why it is important to grant staff only the access they need to perform their duties, keep administrative accounts tightly controlled, closely monitor administrative account access as well as access to sensitive data, and use controls such as separation of duties to prevent any one person from having too much access that would enable them to steal data and cover their tracks," he said.
Right now that is not common, according to the results of the Cyber-Ark survey, which found that 43% admitted they did not monitor their privileged accounts or were unaware of them.
"You need to be aware of who should have rights," said Adam Bosnian. "Who really has the access as opposed to who should have access? You need to trust but verify."
That, he said, doesn't require buying a product. "I want to sell product," he said, "but all it really takes is knowing about [privileged account holders] and managing them. When you start automating that process, that's where we come in."
Bosnian said the encouraging thing is that IT managers are becoming more aware that "building a wall" is no longer an effective security strategy. "Companies may have a hard shell," he said, but attackers still get inside, and once they are, things are pretty soft.
"There's a growing awareness that companies need a hard center as well as a hard shell," he said.