
Insider security threats: Negligence is a data loss double bogey

News roundup: Pro golfer Rory McIlroy inadvertently revealed his passcode on live TV, highlighting how easy it is to inadvertently reveal sensitive information. Plus: BlackBerry and Google issue updates, and Gartner hit with Magic Quadrant lawsuit.

During a rain delay Sunday at the PGA Championship, pro golfer Rory McIlroy pulled out his iPhone and entered his passcode to unlock it. The act is innocent enough -- but it was also aired on live TV for the entire world to see.

Following the incident, Twitter and other social media outlets lit up with the news of McIlroy's easily viewed "4589" passcode. The golfer quickly caught on to what happened and changed his passcode before returning to the course.

While no harm came from the situation, there are two important lessons to learn. First, McIlroy's passcode was nowhere near strong enough. Despite study after study warning of the risks of weak login credentials, people continue to use common PINs and passcodes -- including 1234, 0000 or easy-to-discover dates (as was the case with McIlroy's birthday, May 4, 1989). Complex combinations are critical to maintaining information security. Experts even admit that touch-gesture recognition passcodes -- where a user connects dots, makes particular motions on a picture or other such actions -- are riddled with issues. Experts agree that enterprises that don't require their users to use secure methods to secure smartphones and tablets are unnecessarily raising their risk of compromise.
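The first lesson can be enforced when a passcode is set. The following Python sketch is an added example, not code from the article or any vendor: it rejects blocklisted, repeated-digit, sequential and date-derived PINs. The function names and the blocklist contents beyond 1234 and 0000 are assumptions made for illustration.

```python
from datetime import date
from itertools import permutations

# Constructed blocklist; the article names only 1234 and 0000.
COMMON_PINS = {"1234", "0000", "1111", "1212", "4321", "2580"}

def date_derived_pins(d: date) -> set[str]:
    """PINs of 4+ digits built by concatenating day, month and year fragments."""
    days = {str(d.day), f"{d.day:02d}"}
    months = {str(d.month), f"{d.month:02d}"}
    years = {f"{d.year % 100:02d}", f"{d.year:04d}"}
    pins = set()
    for dd in days:
        for mm in months:
            for yy in years:
                for r in (1, 2, 3):
                    for combo in permutations((dd, mm, yy), r):
                        pins.add("".join(combo))
    return {p for p in pins if len(p) >= 4}

def is_run(pin: str) -> bool:
    """True for ascending or descending digit runs such as 1234, 7890, 4321."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def pin_problems(pin: str, known_dates=()) -> list[str]:
    """Return the reasons a proposed PIN should be rejected (empty list = accept)."""
    if not pin.isdigit() or len(pin) < 4:
        return ["must be at least 4 digits"]
    problems = []
    if pin in COMMON_PINS:
        problems.append("on common-PIN blocklist")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if is_run(pin):
        problems.append("sequential digits")
    if any(pin in date_derived_pins(d) for d in known_dates):
        problems.append("derived from a known date")
    return problems

if __name__ == "__main__":
    birthday = date(1989, 5, 4)  # the date given in the article
    for candidate in ("4589", "1234", "0000", "050489", "7302"):
        print(candidate, pin_problems(candidate, [birthday]) or "ok")
```

The date check only helps where the enrolling system already holds the relevant dates, such as an HR record of the user's birthday.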

Second, and perhaps more worrisome for enterprise IT departments, is that users offer up their sensitive information so easily -- and unwittingly. If a malicious actor knows the passcode of a device that is connected to the corporate network and has accessed corporate data, he or she could easily wreak havoc simply by logging in. Even worse, without advanced contextual security mechanisms, most organizations are hard-pressed to identify an attacker using valid credentials.

While the insider threat is an issue most organizations are aware of, the insider may not be a malicious person. The Open Security Foundation's DataLossDB reports that 29% of data loss incidents since 2005 are due to insider threats, with 19% of those incidents labeled as accidental. And according to Forrester Research, 36% of all 2013 data breaches can be attributed to inadvertent insider misuse. Forrester attributes this to lack of security awareness training, unclear data use policies and the proliferation of device usage in the workplace.  

In today's day and age, where pictures and videos are so easy to take without a user's knowledge (and we're not even talking about the Google Glass threat yet), it's important to keep secrets safe.

In other news:

  • Following the announcement that it would now support non-Latin characters to promote a more "global" Gmail, Google announced on Tuesday that changes to its spam filters will now detect non-Latin and accented Latin characters. Using the Unicode Consortium's "Highly Restricted" designation, Gmail filters will better detect hackers altering domain names (for example, could be misrepresented as Seɑ and lead users to a malicious site. Users don't often notice the subtle difference in changing the a to ɑ).
  • The Blackphone -- the self-proclaimed "secure smartphone for everything you do" -- is at the center of a "Has it been hacked or hasn't it?" debate. Jon Sawyer (aka Justin Case), CTO of Applied Cybersecurity LLC, claims he rooted the device (it was first reported he achieved this in five minutes, but Sawyer himself admits it took longer). The problem is, the first of three vulnerabilities Sawyer found (re-enabling ADB to gain access to the device) has already been patched -- Sawyer was using old firmware. Blackphone creator SGP Technologies' CSO Dan Ford disputed the assertion, saying that the finding wasn't a real vulnerability. The second vulnerability reported by Sawyer (one that affected the device's remote wipe function) is known to SGP and has also been patched. Sawyer has not yet released details about the third vulnerability, but he admits it is a very hard hack and users are at very low risk.
  • BlackBerry -- often touted as the most secure mobile device platform -- patched a slew of vulnerabilities this week on both its smartphones and enterprise server software. KB36174-BSRT-2014-006 addressed a file-sharing authentication bypass that affects Z10, Z30, Q10 and Q5 smartphones. If exploited, the flaw could allow attackers to access, read or modify device data. KB36175-BSRT-2014-007 fixes an information disclosure vulnerability on Enterprise Service 10 and Enterprise Server 5.0.4. If exploited, attackers could gain access and use logged credentials to impersonate legitimate users. BlackBerry claims that neither of these vulnerabilities is being actively exploited.
  • Gartner Inc.'s Magic Quadrant vendor-ranking reports are widely used as sales tools throughout the IT industry, but not all vendors like the results. That was the case last week as network security vendor NetScout Systems Inc. filed suit against Gartner, claiming unfair and deceptive business practices related to its Magic Quadrant rankings. The suit, filed in Connecticut Superior Court, alleges that Gartner's "pay to play" business model involves rewarding paying clients with high-ranking Magic Quadrant positions, unfairly downgrading companies that aren't Gartner clients. Gartner issued a statement saying the suit is "without merit." However, former Gartner vice president John Pescatore told SearchSecurity earlier this year that many of Gartner's trend and future-focused reports are of questionable value.


Join the conversation



How does your organization prevent and/or detect insider security threats?
Well, there have been little mandatory informational quizzes in an attempt to educate employees and avoid any unintentional inside breaches. 

As for anyone with bad intentions, there's a company security hotline so that you can anonymously tell on them :)

As for the article, I don't necessarily agree that a stringent password policy is the best way to go. What that accomplishes is encouraging users to write down their passwords that they can't remember because of the strict requirements and having to change the password frequently. 
Amazing.. People take so much for granted today. You never know who's watching or recording. You need to use extreme caution when in public or you could lose a lot when your identity could be compromised or stolen.