
IBM Security Services

Research Report
Managed Security Services

Battling security threats from within your organization
How insiders can evade detection, compromise data and damage your reputation
Contents
2 Executive overview
3 Motivations and methods
5 Data breaches: an inside look
9 Recommendations and mitigation techniques
10 Protect your enterprise while reducing cost and complexity
10 About IBM Security
11 For more information
11 Author
11 References
11 Contributors

Executive overview
Imagine a scenario: In a single day, a disgruntled employee opposed to the practices of your company downloads sensitive or confidential company documents, announces his or her resignation, and tells the inside story to a journalist friend. The revelations become front-page news, and the company's legal and public relations teams spend millions trying to repair the company's tarnished brand. Perhaps they succeed. Perhaps they don't.

Or another scenario: A trusted third party with which your company conducts business is compromised. Information garnered from this breach is then used to target your company.

These aren't just hypothetical accounts, but realities many organizations have faced. Would your company be able to quickly discover massive downloads from an individual PC, or any other insider activity resulting in compromise and data loss?

Phishing, malware, hacking, Distributed Denial of Service (DDoS) attacks and the like are often the focus of security professionals' efforts, but they aren't the whole threat equation. Insiders can also cause significant damage and financial loss.

What is an insider? For the purposes of this report, it's anyone who has physical or remote access to a company's assets: information in transit or tangible items such as hard-copy documents, disks, electronic files, laptops and the like. Often the insider is an employee of the company, but he or she could also be a third party such as a business partner, client or maintenance contractor. These individuals are often thought of as being in a position of trust, or are trusted as an employee.

It might be unpleasant or even taboo to refer to a company employee as a potential threat, but that's the reality of the workplace today. Perhaps it always was; spies and industrial espionage existed long before the dawn of the Information Age. Individuals inside your organization may have an understanding of the company's weaknesses or access to areas an outsider can't penetrate, and that gives them an obvious advantage. Already inside, they don't need to bypass protection systems.
Fortunately, a number of solutions can mitigate the insider threat. Products that monitor behavior and provide anomaly detection are key. Focusing on access management, specifically Privileged Identity Management (PIM), is an important step towards preventing data breaches. And an organization can go a long way towards an effective defense against malicious insiders by implementing a complete data lifecycle management (DLM) approach.

About this report
This report was created by the IBM Managed Security Services Threat Research group, a team of experienced and skilled security analysts working diligently to keep IBM clients informed and prepared for the latest cybersecurity threats. This research team analyzes security data from many internal and external sources including event data, activity, and trends sourced from tens of thousands of endpoints managed and monitored by IBM for Managed Security Services accounts around the globe.

Motivations and methods
What motivates an insider to commit a crime against a company? Often the breach is unintentional: there's no malicious objective, just carelessness on the part of the employee. The 2015 IBM Cyber Security Intelligence Index reports that 55 percent of attackers are insiders, and of those, nearly half are inadvertent actors. According to the Privacy Rights Clearinghouse (PRC), there have been over 29 million records compromised by unintended disclosure breaches during the past ten years (2005-2014) in the United States and 32 million records compromised intentionally by insiders with legitimate access to sensitive information. Unintended disclosure can come in the form of accidentally posting information on the company's public-facing website, improperly disposing of clients' records, or sending information to the wrong party via fax, mail or email.

While the statistics around unintended disclosure are unsettling, this avenue of compromise can be mitigated quite effectively through stricter policy controls and improved user education. Malicious insiders are another story; people who want to purposefully take advantage of the company they work for can be very dangerous. They're harder to thwart because they go to extraordinary measures to circumvent access controls and aren't concerned with corporate policies or the potential consequences of their actions.
Motivations
The motivations of insiders with malicious intent vary, but financial gain is clearly more common than any other. The largest insider breach recorded by the PRC involved the compromise of 17 million records from a large financial institution by a senior financial analyst who downloaded and sold customer profile information, including Social Security numbers, for two years.

Scenarios like that have played out time and time again over the past two decades. Sensitive information yields the attacker a high return on the black market; more victims mean more money. Unfortunately, that's also true for the targeted company: more victims mean greater financial loss. Once the breach is disclosed, class-action suits surface with charges of negligence. Companies often have to pay for credit monitoring services for each victim, typically for up to a year or more, and then there may be reimbursement of out-of-pocket costs or identity theft expenses along with other legal fees. It all adds up. According to the most recent findings from the annual Ponemon Cost of Data Breach study, the average cost to a company is $3.8 million, a two-year increase of 23 percent.[1]

Financial gain is a popular motive, but it's not the only one. Dissatisfied employees or angry ex-employees may want to retaliate by causing a Denial of Service (DoS) attack or defacing a company's website. In May 2013, for instance, a breach was disclosed involving a company in the retail industry. More than a year before the disclosure, a disgruntled employee announced his resignation and then was caught copying files from his computer to a flash drive. Transaction and intranet disruptions ensued following his departure from the company. Even in this sort of scenario, however, what begins as discontent may morph into a desire for monetary gain.

Nation-state hacktivism perpetrated by an insider has become more prevalent. Insiders sponsored by a national government to perform cyber-espionage pose a significant threat not only to the targeted institution but also to a nation's security and economy. Their goals may vary from web defacement to more serious attacks such as the destruction of critical infrastructure. Many experts have speculated that the extremely sophisticated Stuxnet worm, designed to attack industrial programmable logic controllers (PLCs) and used to infect numerous industrial sites in Iran in 2010, was written by a nation-state. Companies can be infiltrated by insiders who come from foreign countries looking for employment, then slowly harvest internal business and technical documents about the company's intellectual property. As for cyberterrorism, the sad reality is that more and more of it is expected.

Methods
Once they have a motive, insiders need a method. Selling or destroying sensitive information or systems is a popular avenue of attack. A technically savvy insider could target known vulnerabilities in a business-critical application, either to obtain information or to cause other damage. Another alternative is disrupting or interfering with the flow of information via a DoS attack; though easily traced and detected if it's a cyber attack, a physical DoS is difficult to trace back to the perpetrator. Someone could pour water into a server, place a magnet near a hard disk, or simply steal a system: pick it up and carry it away.
Companies often have problems controlling the network privileges they give their employees, or they give them privileges that aren't necessary to their work. Unauthorized users may be able to log in to applications to which they really shouldn't have access, and even authorized users might present a problem if their actions are not monitored. A web developer could purposefully introduce malicious code into source code during software development to allow for a backdoor once the software is operational. Network administrators could leave a port open as an entry point for their partners in crime. As a best practice, employees should have access only to the resources they need to do their jobs, and nothing else.

Rogue or insecure WiFi access points are another area of concern. Remote workers may be more apt to access a company's network or files via non-compliant devices. Whether working remotely or from the office, employees often unwittingly open malicious emails and attachments which allow attackers to exploit the targeted system. Not everyone is trying to steal credit card numbers; the security risk from employee negligence can be just as big as the threat from malice.

Data breaches: an inside look
The insider threat doesn't necessarily result from nefarious actions. An employee may unintentionally leave a physical or virtual door open. As Figure 1 illustrates, far more breaches have been recorded by the PRC as unintended disclosure than as insider breaches, although the insider threat certainly did gain momentum from 2010 through 2013.

[Figure 1: bar chart titled "Total number of breaches reported annually", years 2005 through 2014, horizontal axis 0 to 120 breaches, two series: Insider disclosure and Unintended disclosure. The individual bar values are not recoverable from the extracted text.]

Source: Privacy Rights Clearinghouse.

Figure 1. Total number of unintended disclosure and insider breaches reported.


The sharp downturn of insider threats in 2014 following an upsurge during the four previous years is curious, but not without explanation. The influence of the recession beginning in December 2007 appears to have continued for several years after its official end in June of 2009. As noted in Chart Book: The Legacy of the Great Recession, "The relatively modest pace of job growth over most of the recovery kept the unemployment rate high long after the end of the recession,"[2] and during those years, the hardships of job loss or pay cuts may have tempted normally upstanding individuals to break the law. It's also probable that in times of economic downturn, criminal gangs capitalize by stepping up their efforts to bribe insiders into committing fraud or leaking confidential information. When the unemployment rate in the United States dropped to under six percent in 2014 (for the first time since 2008, before the recession began), those negative incentives pushing insider breaches probably lost some of their power.

Another reason for the decline in reports of both unintended disclosure and malicious insider incidents may be that although incidents might still be happening and even increasing, they're not being reported. Most companies don't want to air their dirty laundry and tend to keep internal matters internal; if they're not mandated to report an incident, they won't. Internal incidents can lead to human resource actions, and a company's legal team is usually very cautious about any action that might involve external third-party vendors. They're unwilling to prosecute because once they do, everything becomes public information. They might even have to turn company material over to a non-friendly law enforcement or government entity in another country.

Industries targeted
Among industries targeted, the government and military institutions have been by far the most seriously affected by unintended disclosure, with nearly 20 million records compromised between 2005 and 2014 (see Figure 2). But given this sector's secretive nature, underreporting is more than likely and the real number may be much higher. The general business category is in distant second place with less than 5 million records compromised. Across all industries, just over 29 million of the nearly 736 million records reported as compromised fall into the unintended disclosure category.

Not surprisingly, finance and insurance was the sector most seriously affected by intentional insider breaches, accounting for 88 percent of all records reported compromised in this way (Figure 3). These institutions house a wealth of profitable information for insiders looking to capitalize on their position within the company. Unlike the unintended disclosure category, government and military institutions ranked a far second in intentional disclosures.
Total number of records compromised, unintended disclosure 2005-2014

Industry                 Records compromised
Finance and insurance              1,280,711
General business                   4,785,882
Retail/merchant                      208,756
Educational                        1,865,525
Government/military               19,413,391
Healthcare                         1,559,363
Nonprofit                              1,441

Source: Privacy Rights Clearinghouse.

Figure 2. Number of records compromised by unintended disclosure.


Total number of records compromised, insider disclosure 2005-2014

Industry                 Records compromised
Finance and insurance             29,128,245
General business                     641,241
Retail/merchant                       84,960
Educational                          187,820
Government/military                1,048,866
Healthcare                           685,610
Nonprofit                          1,000,317

Source: Privacy Rights Clearinghouse.

Figure 3. Number of records compromised by an insider.


Recommendations and mitigation techniques
Many of the steps taken to mitigate external threats also apply to internal threats. Monitoring employee activity to identify misuse and suspicious activities is critical and can be accomplished in several ways. Products that monitor behavior and anomaly detection, such as the IBM QRadar Security Intelligence platform, are a must. Most commonly, companies use this type of detection to monitor for anomalies in connections, such as an increased number of connections between a host computer and an internal client computer. An outside threat detected could be malware propagating itself and communicating with its associated command and control servers. IBM Security's QRadar customers have discovered anomalies such as strange file transfers in the middle of the night to countries with which they've never done business. Some organizations leverage this detection to profile specific applications. A financial organization might monitor a custom trading application to identify substantial or abnormal increases or decreases in quoting or trading activity.

Access management should be another top priority. Users' access should be managed throughout their entire employment, not just after they've left the company. When an employee changes roles or responsibilities within the same organization, his or her access should be assessed with each change and unnecessary privileges revoked. When employees leave, the employer must obtain all their usernames and passwords before they depart and verify, there and then, that those passwords actually work. Perhaps most importantly, the company must disable all of an employee's accounts immediately upon departure. IBM Privileged Identity Manager provides a solution for organizations with the above concerns. It includes an identity manager and account provisioning component that helps an organization centrally manage and audit the use of privileged IDs across different scenarios. An enterprise single sign-on component provides privileged users with a seamless user experience for access to resources using privileged IDs.

By closely monitoring employees' actions, an organization may be alerted to unusual occurrences such as the unexpected changing of an administrative password to critical infrastructure. Other actions that should raise a red flag include:
• The enablement of full-disk encryption on company desktops and laptops (if this is not corporate policy) without centralized recovery key storage
• Restrictive access control lists (ACLs) on shared file systems and directories that are controlled by single-user accounts
• Activation of system-level password protection, for example basic input/output system (BIOS) passwords
• The use of in-file password protection on critical business documents
• The installation of new software and unauthorized applications, which could contain backdoors and remote access functionality
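The monitoring guidance above (connection anomalies measured against a host's own baseline, night-time file transfers to countries the organization has never done business with, and the red-flag endpoint actions in the list) can be written down as detection rules and tested against logs. The following is an added example, not code from the report or from IBM QRadar; it runs three such rules over constructed flow and endpoint records. The log layouts, thresholds, business-country set, approved-software list, hostnames and the placeholder country code "ZZ" are all assumptions.

```python
"""Insider-threat detection rules run over constructed sample logs.

Added example, not code from the IBM report or from IBM QRadar. It implements
three checks the report describes, in toy form: connection-count bursts per
host against that host's own baseline, off-hours transfers to countries the
organization has never done business with, and endpoint events from the
report's red-flag list. Field layouts, thresholds and all records are assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_COUNTRIES = {"US", "CA", "GB"}   # assumption: where the org does business
APPROVED_SOFTWARE = {"office-suite", "pdf-reader", "vpn-client"}  # assumption
OFF_HOURS = range(0, 6)       # 00:00-05:59 counts as "the middle of the night"
BURST_FACTOR = 3              # a day with >= 3x the host's median daily count...
MIN_CONNECTIONS = 6           # ...is a burst only if the count is also meaningful
LARGE_TRANSFER = 100_000_000  # bytes

# Constructed flow records: timestamp,src_host,dst_host,dst_country,bytes
# ("ZZ" is a placeholder country code, not a real country).
FLOW_LOG = """\
2015-06-01T10:05:00,ws-042,fileserver-1,US,120000
2015-06-01T11:10:00,ws-042,mail-1,US,9000
2015-06-02T09:30:00,ws-042,fileserver-1,US,110000
2015-06-02T16:02:00,ws-042,crm-app,US,22000
2015-06-03T01:40:00,ws-042,fileserver-1,US,512000000
2015-06-03T01:41:00,ws-042,fileserver-2,US,498000000
2015-06-03T01:43:00,ws-042,hr-db,US,60000000
2015-06-03T01:44:00,ws-042,crm-app,US,75000000
2015-06-03T01:46:00,ws-042,wiki-1,US,14000000
2015-06-03T02:12:00,ws-042,203.0.113.7,ZZ,950000000
2015-06-01T14:20:00,ws-017,fileserver-1,US,40000
2015-06-02T15:45:00,ws-017,crm-app,US,22000
"""

# Constructed endpoint events: timestamp,host,user,event,detail
ENDPOINT_LOG = """\
2015-06-02T17:30:00,lt-118,jdoe,fde_enabled,escrow=no
2015-06-02T17:35:00,lt-118,jdoe,bios_password_set,
2015-06-02T18:02:00,lt-118,jdoe,software_installed,remote-admin-tool
2015-06-02T18:10:00,lt-203,asmith,software_installed,pdf-reader
2015-06-02T18:12:00,lt-203,asmith,fde_enabled,escrow=yes
"""


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, country, nbytes = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "country": country, "bytes": int(nbytes)})
    return rows


def connection_bursts(flows, factor=BURST_FACTOR, minimum=MIN_CONNECTIONS):
    """(host, day, count, baseline) for days whose connection count is at
    least `factor` times the median of that same host's other days."""
    per_day = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_day[f["src"]][f["ts"].date()] += 1
    alerts = []
    for host, days in per_day.items():
        for day, count in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            if not others:
                continue  # no baseline to compare against yet
            baseline = median(others)
            if count >= minimum and count >= factor * baseline:
                alerts.append((host, day.isoformat(), count, baseline))
    return alerts


def offhours_foreign_transfers(flows, known=BUSINESS_COUNTRIES):
    """Large off-hours transfers to a country the organization has no
    business relationship with."""
    return [(f["src"], f["ts"].isoformat(), f["country"], f["bytes"])
            for f in flows
            if f["country"] not in known and f["ts"].hour in OFF_HOURS
            and f["bytes"] >= LARGE_TRANSFER]


def red_flag_events(text, approved=APPROVED_SOFTWARE):
    """Endpoint events from the report's red-flag list: (host, user, reason)."""
    flagged = []
    for line in text.strip().splitlines():
        _ts, host, user, event, detail = line.split(",")
        if event == "fde_enabled" and detail != "escrow=yes":
            reason = "full-disk encryption enabled without centralized key escrow"
        elif event == "bios_password_set":
            reason = "system-level (BIOS) password activated"
        elif event == "software_installed" and detail not in approved:
            reason = "unapproved software installed: " + detail
        else:
            continue
        flagged.append((host, user, reason))
    return flagged


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("connection bursts:", connection_bursts(flows))
    print("off-hours foreign transfers:", offhours_foreign_transfers(flows))
    print("endpoint red flags:", red_flag_events(ENDPOINT_LOG))
```

The burst rule compares each host only with its own history, which is what keeps a naturally busy build server from drowning out a quiet workstation that suddenly touches many internal systems; in the sample, ws-042 is flagged for 3 June while ws-017 is not. The transfer rule pairs three weak signals (off hours, unknown country, large volume) so that any one of them alone does not page anyone.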
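The least-privilege advice earlier in the report (employees get only the access their jobs need) and the access management guidance above (reassess access on every role change, revoke what is no longer needed, disable every account of a departed employee) amount to an audit that can be rerun on each directory snapshot. The following is an added example, not code from the report or from IBM Privileged Identity Manager; the role names, entitlement names, the sample snapshot and the policy of disabling ownerless privileged IDs are assumptions.

```python
"""Access-lifecycle audit for the report's access management recommendations.

Added example, not code from the IBM report or from IBM Privileged Identity
Manager. It checks a constructed directory snapshot against the rules the
report states: an account carries only the entitlements its owner's current
role needs, privileges left over from an earlier role are revoked, and every
account of a departed employee is disabled. Roles, entitlements and the
sample directory are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumption: the entitlements each role legitimately needs (least privilege).
ROLE_ENTITLEMENTS = {
    "developer": {"git-write", "build-server", "vpn"},
    "sysadmin": {"vpn", "root-prod", "backup-admin"},
    "finance-analyst": {"vpn", "trading-app", "customer-db-read"},
}
TODAY = date(2015, 6, 1)  # the day the audit runs (constructed)


@dataclass
class Employee:
    user_id: str
    role: str
    terminated: Optional[date] = None


@dataclass
class Account:
    name: str
    owner: str                    # employee user_id responsible for the account
    entitlements: set = field(default_factory=set)
    enabled: bool = True


# Constructed directory snapshot.
EMPLOYEES = {
    "jdoe": Employee("jdoe", "developer"),
    "asmith": Employee("asmith", "finance-analyst"),   # moved here from sysadmin
    "bjones": Employee("bjones", "sysadmin", terminated=date(2015, 5, 29)),
}
ACCOUNTS = [
    Account("jdoe", "jdoe", {"git-write", "build-server", "vpn"}),
    Account("asmith", "asmith", {"vpn", "trading-app", "customer-db-read", "root-prod"}),
    Account("bjones", "bjones", {"vpn", "root-prod", "backup-admin"}),
    Account("svc-backup", "bjones", {"backup-admin"}),   # privileged ID owned by a leaver
    Account("root-legacy", "nobody", {"root-prod"}),     # privileged ID with no owner
]


def audit(employees, accounts, today=TODAY):
    """Return (finding, account, detail) for every enabled account that
    violates one of the report's rules."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = employees.get(acct.owner)
        if emp is None:
            findings.append(("orphaned-account", acct.name, "no current owner"))
        elif emp.terminated and emp.terminated <= today:
            findings.append(("leaver-still-enabled", acct.name,
                             "owner left " + emp.terminated.isoformat()))
        else:
            excess = acct.entitlements - ROLE_ENTITLEMENTS[emp.role]
            if excess:
                findings.append(("excess-privilege", acct.name,
                                 ", ".join(sorted(excess))))
    return findings


def remediate(employees, accounts, today=TODAY):
    """Apply the rules: disable accounts of leavers (and ownerless privileged
    IDs, by assumption) and strip entitlements the owner's current role does
    not need. Returns the number of accounts changed."""
    changed = 0
    for acct in accounts:
        emp = employees.get(acct.owner)
        if emp is None or (emp.terminated and emp.terminated <= today):
            if acct.enabled:
                acct.enabled = False
                changed += 1
            continue
        allowed = ROLE_ENTITLEMENTS[emp.role]
        if acct.entitlements - allowed:
            acct.entitlements &= allowed
            changed += 1
    return changed


if __name__ == "__main__":
    for finding in audit(EMPLOYEES, ACCOUNTS):
        print("finding:", finding)
    print("accounts changed:", remediate(EMPLOYEES, ACCOUNTS))
    print("findings after remediation:", audit(EMPLOYEES, ACCOUNTS))
```

Two things in the snapshot are easy to miss in a manual review and are exactly what the report warns about: the mover (asmith) who kept root-prod from a previous role, and the shared privileged ID (svc-backup) whose owner has left, which is not caught by disabling only the person's own login.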
That last item is often the hardest to address. Custom, build-it-yourself malware toolkits are easily acquired, so organizations would be wise to take hosts used by former employees offline immediately. A backup should be made on an external storage device and the host completely rebuilt from trusted media before being reconnected to the network and passed on to another employee. Host intrusion monitoring is the key to ensuring that devices are behaving as expected.

An organization's data is one of its most vital assets. A comprehensive encryption strategy should be applied to protect confidential information and maintain compliance. Protecting data involves covering all the bases (data at rest, in transit and in use), and special attention should be paid to how information is disposed of. Also, a comprehensive security strategy to prevent insider threats needs to address physical security requirements. Deploying a digital video surveillance system or employing a security guard should help reduce physical threats. A complete data lifecycle management (DLM) approach including data loss prevention (DLP) software is essential both to guard against insider threats and to address government and industry compliance requirements.

If an organization has in place a comprehensive security solution that incorporates the mitigating tactics noted in this report, it has taken the important steps to protect itself against insider threats. At a minimum, corporations should be able to spot such threats quickly and respond before too much damage is done.

Protect your enterprise while reducing cost and complexity
From infrastructure, data and application protection to cloud and managed security services, IBM Security Services has the expertise to help safeguard your company's critical assets. We protect some of the most sophisticated networks in the world and employ some of the best minds in the business.

IBM offers services to help you optimize your security program, stop advanced threats, protect data and safeguard cloud or mobile. With IBM Managed Security Services, you can take advantage of industry-leading tools, security intelligence and expertise that will help you improve your security posture, often at a fraction of the cost of in-house security resources.

About IBM Security
IBM Security offers one of the most advanced and integrated portfolios of enterprise security products and services. The portfolio, supported by world-renowned IBM X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, and data and applications, by offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates one of the world's broadest security research, development and delivery organizations, monitors 15 billion security events per day in more than 130 countries, and holds more than 3,000 security patents.
For more information
To learn more about the IBM Security portfolio, please contact your IBM representative or IBM Business Partner, or visit: ibm.com/security

For more information on security services, visit: ibm.com/services/security

Follow @IBMSecurity on Twitter or visit the IBM Security Intelligence blog.

References
Countrywide Financial Corp., Privacy Rights Clearinghouse
https://www.privacyrights.org/node/2547

The Real Story of Stuxnet, IEEE Spectrum
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Author
Michelle Alvarez, Researcher/Editor

Contributors
Diana Kelley, Executive Security Advisor
Jason Corbin, Director, Security Intelligence Strategy and Product Management
Jay Bretzmann, Segment Marketing Specialist, IBM Security Systems
John Kuhn, Senior Threat Researcher, Threat Research Group
Lance Mueller, Senior Incident Response Analyst
Nick Bradley, Practice Lead, Threat Research Group
Pamela P. Cobb, Market Segment Manager, X-Force and Threat Portfolio
Copyright IBM Corporation 2015

IBM Corporation
IBM Security
Route 100
Somers, NY 10589

Produced in the United States of America
June 2015

IBM, the IBM logo, ibm.com, QRadar and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

[1] Ponemon Institute, 2015 Cost of Data Breach: Global Analysis, http://www.ibm.com/security/data-breach

[2] Chart Book: The Legacy of the Great Recession, http://www.cbpp.org/cms/index.cfm?fa=view&id=3252

SEL03036-USEN-00
