
Anatomy of an insider attack

Sep 30, 2016 | 4 mins
Business Continuity | Security

Manage insider attack risks with scenarios and application of common sense.


Insider threats are often addressed in blogs, articles, and books. But it isn’t always easy to tell the story to business leaders and their employees. An episode of one of my favorite shows included a character taking steps any employee can complete in an unprepared organization. Let’s run through the plot (a good scenario for management) and then take a look at what would have prevented each step in the attack.

The attack

Chris was tasked by an external attacker, one who had leverage over her, to steal legal documents related to a civil action. The attacker—we’ll call him Bill—provided Chris with a USB drive loaded with malware. The malware was designed to extract login information from a target system.

In the first step of the attack, Chris inserted the drive in the target attorney’s desktop computer. He was at lunch at the time, and the legal floor was accessible to everyone in the organization; the target workstation hadn’t reached its 15-minute inactivity lock. Chris executed the malware, which extracted all locally stored files related to the case, writing them to the USB drive. It also found related files on network shares and copied those, too.

Chris then removed the USB drive and proceeded back to her cubicle. There, she quickly plugged in the USB drive and uploaded the files to an FTP server Bill provided. Breach complete without detection.

Needed controls

This attack should never have happened. If Chris’ organization had practiced due diligence, all steps of the attack would have been stopped or detected. Let’s start with the physical security.

Large organizations should isolate systems handling sensitive information. Physical access to desktops is one of the best ways to compromise a system. So people not working in the legal department should never have access to the legal department offices. This is no different from doing whatever is necessary to prevent people not working in accounts payable, HR, and other departments handling sensitive information from accessing those areas. A locked door would have been a good barrier to Chris, but let’s assume she got into the office anyway.

The plot did not include taking what was on the desk, but I would be remiss not to at least mention the need for enforcing a clean desk policy.

Another physical security control is a reasonable and appropriate user interface inactivity lock. When desktops are relatively safe from just anyone walking by, a 15-minute timeout before locking a user device is fine. In our example, 15 minutes is far too long. When physical controls are inadequate, a two- to five-minute timeout is more appropriate. Yes, this will frustrate users. When you are considering your options, just remember Chris.


Once Chris gained access to the target computer, she shouldn’t have been able to use a USB storage device. In general, no one should be able to use USB storage. This is easily controlled in a Windows environment via proper configuration of a Group Policy Object setting. When use is allowed, all data written to the USB drive should be encrypted (also forced by policy). Had this been in place in our example, Chris would have obtained the files, but access to those files would have been difficult to impossible. Chris would also have had to steal and crack the target user’s password, or, hopefully, get past two-factor authentication.

The restricted use of USB storage and the forced encryption of allowed USB storage would have also stopped the upload to Bill’s FTP server. If all of these controls failed (and we always assume they will), user and network behavior analysis should detect the copying of many sensitive files to portable storage and the attempt to upload them to an offsite server.
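The behavior-analysis rule described above, as an added example that is not part of the original article: it runs over constructed endpoint and proxy events and flags a burst of writes to removable media followed by an outbound FTP connection to a host missing from an allow list. The event fields, the allow list and the thresholds are assumptions for illustration.

```powershell
# Added example, not the article's code. Event format, allow list and
# thresholds are assumptions; adapt them to your own telemetry.
$allowedFtpHosts = @('ftp.corp.example')            # hypothetical allow list
$burstThreshold  = 5                                # writes to removable media ...
$burstWindow     = [timespan]::FromMinutes(10)      # ... within this window

# Constructed sample events: user, timestamp, action, target
$events = @'
chris,2016-09-30T12:05:10,RemovableWrite,E:\CaseFiles\brief.docx
chris,2016-09-30T12:05:12,RemovableWrite,E:\CaseFiles\exhibit1.pdf
chris,2016-09-30T12:05:13,RemovableWrite,E:\CaseFiles\exhibit2.pdf
chris,2016-09-30T12:05:15,RemovableWrite,E:\CaseFiles\deposition.docx
chris,2016-09-30T12:05:16,RemovableWrite,E:\CaseFiles\settlement.docx
chris,2016-09-30T12:05:18,RemovableWrite,E:\CaseFiles\notes.txt
chris,2016-09-30T12:31:40,OutboundConnect,203.0.113.7:21
dana,2016-09-30T12:10:00,RemovableWrite,E:\slides.pptx
dana,2016-09-30T12:12:00,OutboundConnect,ftp.corp.example:21
'@ | ConvertFrom-Csv -Header User,Time,Action,Target

function Find-ExfilPattern {
    param([object[]]$Events)
    foreach ($group in $Events | Group-Object User) {
        $writes = @($group.Group | Where-Object Action -eq 'RemovableWrite' |
                    Sort-Object { [datetime]$_.Time })
        # Sliding window: does any run of $burstThreshold writes fit inside $burstWindow?
        $burstEnd = $null
        for ($i = 0; $i + $burstThreshold - 1 -lt $writes.Count; $i++) {
            $last = [datetime]$writes[$i + $burstThreshold - 1].Time
            if ($last - [datetime]$writes[$i].Time -le $burstWindow) { $burstEnd = $last; break }
        }
        # Outbound FTP (TCP/21) to a host that is not on the allow list
        $ftp = @($group.Group | Where-Object {
            $_.Action -eq 'OutboundConnect' -and $_.Target -match ':21$' -and
            ($_.Target -replace ':\d+$', '') -notin $allowedFtpHosts
        })
        if ($burstEnd -or $ftp.Count -gt 0) {
            [pscustomobject]@{
                User       = $group.Name
                BurstEnded = $burstEnd
                FtpTarget  = ($ftp.Target -join ',')
                Severity   = if ($burstEnd -and $ftp.Count -gt 0) { 'High' } else { 'Medium' }
            }
        }
    }
}

Find-ExfilPattern -Events $events | Format-Table -AutoSize
```

With the sample events, chris is reported at High severity (six writes in eight seconds, then FTP to 203.0.113.7) and dana is not reported at all.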

Finally, firewalls or IPS should prevent the transfer of files to FTP servers not explicitly allowed by policy.
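A read-only audit of the endpoint controls discussed above (inactivity lock, USB storage restriction, forced USB encryption, and outbound FTP blocking), as an added example that is not from the article. It reads the registry values that the corresponding Group Policy settings write; those paths and the pass thresholds are my assumptions and should be confirmed against your own GPO reference.

```powershell
# Added example, not the article's code. Registry paths are the values the named
# Group Policy settings are understood to write; verify before relying on them.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value means the policy is "Not configured"
}

$checks = @(
    @{  Control = 'Machine inactivity limit: 2-5 minutes (<= 300 s)'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name    = 'InactivityTimeoutSecs'
        Pass    = { param($v) ($null -ne $v) -and $v -gt 0 -and $v -le 300 } },
    @{  Control = 'Removable disks: deny write access'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
        Name    = 'Deny_Write'
        Pass    = { param($v) $v -eq 1 } },
    @{  Control = 'BitLocker To Go: deny write to unprotected removable drives'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
        Name    = 'RDVDenyWriteAccess'
        Pass    = { param($v) $v -eq 1 } }
)

foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Control = $c.Control
        Value   = $value
        State   = if (& $c.Pass $value) { 'PASS' } else { 'FAIL' }
    }
}

# Outbound FTP control: list enabled outbound block rules covering TCP/21.
# An empty result means plain FTP egress is not restricted on this host.
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '21' } |
    Select-Object DisplayName, Profile
```

Run it elevated on a workstation in the sensitive area; a FAIL on the USB rows reproduces the gap Chris exploited.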


  • Insider threats are always present. We must assume they will eventually become active.
  • Best practices today include everything needed to stop and detect insider threats.
  • Scenario planning with examples like I used above is a valuable tool for evaluating risk associated with insider threats.

Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for TechRepublic and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.