According to Anonymous, the insider threat is very real.
An Intrinsec Discussion Paper
I’m not a fan of FUD. In fact, I hate it to my own detriment. FUD is something that is used by sleazy salespeople to pitch their wares. The other figure I’m not a big fan of is “80% of security incidents are from insiders”. Concerning the latter point, I read an intriguing article that has forced me to revisit my thoughts on that matter.
This past weekend, the National Post (a national newspaper in Canada for you non-Canadian readers) ran an excellent interview with “Commander X” of Anonymous (here). For those of you who are responsible for IT security, or the well-being of your systems in general, this is a must-read. Is it FUD? Would love to hear your take on it…
Here’s the interview in a nutshell: Anonymous has access to government department systems around the world. Commander X claims that Anonymous is no longer a hacking group… they don’t need to hack because they have insiders (administrators, DBAs, senior managers, etc.) who have not only supplied them with data (like Private Manning), but with administrative passwords.
“Now people are leaking to Anonymous and they’re not coming to us with this document or that document or a CD, they’re coming to us with keys to the kingdom, they’re giving us the passwords and usernames to whole secure databases that we now have free rein over. … The world needs to be concerned.”
- Excerpt from National Post’s interview with Commander X of Anonymous
When I read the article, I was of two minds. First, I thought “what self-serving tripe”. Here is a guy who comes across as a blowhard, full of bluff and bluster. But then I thought, what if he’s telling the truth? I’ve been in the IT game for well over 15 years, and I can tell you that in my expert opinion, yes, it is completely possible. Just think of how many service accounts in your environment have never been changed since implementation, or how many administrative accounts are never changed because legacy apps have credentials hardcoded.
Check out these stats supplied to us by our friends at Cyber-Ark:
21% of surveyed companies don’t change admin accounts on workstations
13% of *NIX servers have admin accounts that are never updated
42% of database admin passwords are never updated
42% of applications use hard-coded credentials and are never changed
The good news? There are appliances that will control administrative access to your internal systems. Implementing such a system will take the power out of the administrator’s hands and give it back to the business… which is where it belongs. <shameless plug>Call us at 1-855-732-3348 for more information surrounding this and other security controls to address the insider threat to your environment.<end shameless plug>
Graham Thompson, CISSP, CISA