Numerous information security studies and surveys have found that the majority of attacks on information systems either originate wholly from, or are significantly assisted by, sources located within the organization itself. This falls into the general category of “subversion from within”.
These internal threat sources can be as simple as duly authenticated, authorized users attempting to exceed their access rights and permissions, or unauthorized users trying to go where they should not be at all. Some of these attacks are relatively unthreatening and in no way exhibit or imply malicious or malevolent intent on the part of the source.
For example, it may well be that a duly authenticated, authorized user is attempting to perform an action that exceeds the access rights and privileges of their current logon account, such as trying to install a piece of software. As an information systems administrator, I too must confess that I have been guilty of absent-mindedly using inappropriate logon credentials. It just goes to show that those things we don't do, or are not reminded of, “day in, day out” quickly gather cobwebs in the cogs of our minds.
One can very easily forget that the general-purpose logon account credentials one uses in the production network environment, outside of the higher-security, administrator-only access room, carry considerably fewer access rights and privileges than one's full administrator account credentials. For a Microsoft Windows-based network this is the full-rights Administrator account; in the Linux/UNIX world it is “root”.
Danger Potential is Relative
The insider attack is potentially more dangerous than an outsider attack because the insider (he, she or it) already has a level of access to both facilities and systems that the outsider does not. If nothing else, the insider has physical access options the remote or outside attacker does not usually enjoy. Not all insider-originated or insider-assisted attacks are perpetrated by members of the organization the attack is directed against.
False Sense of Security - One area in which “insider” attacks have recently been proliferating is the exploitation of unsecured internal wireless networks. In many cases these attacks have been directed at internal wireless networks that are not truly secured, fully patched, or locked down, but that their owners considered “safe” on the assumption that this sector of the corporate network is entirely “internal” and cannot be connected to by randomly passing external wireless traffic. Wrong again.
Subterfuge - Attackers have been using various ploys to gain physical access to such vulnerable, supposedly secure internal wireless networks for quite some time now. Generally this involves some form of deception, often teams of perpetrators implementing quite elaborate ruses such as impersonating maintenance or utility workers to gain access to restricted areas, then taking advantage of their newly privileged location to install a device to which they can later connect in relative safety (from a distance) to initiate their attack against the victim network.
Non-Exclusive Access - Organizations with shared areas or multiple-tenant scenarios are prime candidates for these types of ploys. I have even seen situations where the plant could be done from the other side of a hollow-core wall without the target even knowing they had been penetrated.
The Plant - Placing a wireless-enabled device in the suspended ceiling of a company's toilet facilities has long been a favorite here. Persons accompanied by infants will simply ask to use the toilet on behalf of the infant. Smelly nappies do not promote business in areas where the general public is served. Law enforcement has even reported that some of these tricksters are using hydrogen sulfide (rotten-egg gas) to enhance their deception.
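As an added example (not code from the original article), the defender-side check that the planted-device scenario above calls for: a baseline of sanctioned access points is compared against a wireless site survey, and every unknown transmitter is flagged, most urgently when it advertises the corporate SSID or is heard too strongly to be outside the building. The BSSIDs, SSIDs, signal threshold and the listing format are constructed for the example.

```python
import re
# Constructed baseline of sanctioned access points: BSSID -> SSID (hypothetical values).
AUTHORISED_APS = {
    "00:11:22:33:44:01": "CorpWiFi",
    "00:11:22:33:44:02": "CorpWiFi",
}
# An unknown transmitter heard this strongly (dBm) is unlikely to be outside the building.
ON_PREMISES_DBM = -50

# Constructed scan listing in the shape a site-survey tool would print (hypothetical format).
SCAN_OUTPUT = """\
BSSID              SSID          SIGNAL  SECURITY
00:11:22:33:44:01  CorpWiFi      -41     WPA2
00:11:22:33:44:02  CorpWiFi      -55     WPA2
aa:bb:cc:dd:ee:01  CorpWiFi      -38     WPA2
aa:bb:cc:dd:ee:02  Guest-Setup   -45     OPEN
ff:ee:dd:cc:bb:aa  CafeNextDoor  -78     WPA2
"""
LINE_RE = re.compile(r"^([0-9a-f:]{17})\s+(\S+)\s+(-?\d+)\s+(\S+)$", re.I)

def parse_scan(text):
    # Return (bssid, ssid, signal_dbm, security) for every data row; the header does not match.
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            bssid, ssid, signal, sec = m.groups()
            rows.append((bssid.lower(), ssid, int(signal), sec.upper()))
    return rows

def classify(rows, baseline=AUTHORISED_APS):
    # Every BSSID absent from the baseline is a finding; the kind says how urgent it is.
    corp_ssids = set(baseline.values())
    findings = []
    for bssid, ssid, signal, _sec in rows:
        if bssid in baseline:
            continue                      # sanctioned hardware
        if ssid in corp_ssids:
            kind = "evil_twin"            # our SSID advertised by hardware we do not own
        elif signal >= ON_PREMISES_DBM:
            kind = "rogue_ap"             # unknown device, strong enough to be on premises
        else:
            kind = "neighbour"            # weak signal: probably another tenant's network
        findings.append((bssid, ssid, signal, kind))
    return findings

if __name__ == "__main__":
    for bssid, ssid, signal, kind in classify(parse_scan(SCAN_OUTPUT)):
        print(f"{kind:10} {bssid} {ssid!r} {signal} dBm")
```

A "rogue_ap" or "evil_twin" finding is the cue to physically locate the transmitter (the suspended ceiling is a good place to start) rather than merely block its MAC address.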
Traditional “Insider” Attacks - Even the more traditional “insider” attack, where an employee, business partner, associate or other individual with authenticated access credentials does, for one reason or another, decide to partake in subversive activities, is difficult for most organizations to foil. Quite simply, many organizations lack the internal preventive controls and other countermeasures needed to adequately defend against insider-instigated threats.
Beyond Public Access - Once beyond publicly accessible areas, networks are often wide open. Servers might even be sitting in physically unsecured areas, system patches might be out of date, and system administrators might not review security logs or have the time to review them properly.
Inside/Outside Collusion - The greatest threat, however, arises when an insider colludes with a knowledgeable, well-organized outside attacker. The outsider's skills, combined with the insider's access, nearly always result in substantial damage or loss to the victim or victim organization.
Attack Categories