Field guide: Types of people behind today's corporate security threats

From organized criminals and state-sponsored actors to your own employees and IT staff, this field guide fills you in on the people who are attacking your network, and provides tips on how to fight back.
Written by Bill Detwiler, Contributor

Behind every botnet, phishing scheme, malware infection, DDoS attack, and advanced persistent threat is a person or group of people. Their motives range from financial gain and revenge to political activism and national security, but their actions are similar — enter your network and either collect/manipulate data and/or damage your systems.

To help you recognize these security threats when you see them in the wild and defend against them, we've compiled this field guide.


Whether it's Bob in accounting, Carol the engineering contractor, or Janice in HR, your own employees are often your greatest security threat. Sometimes, it's deliberate. Disgruntled employees can express their anger by hurting your computer systems, stealing data, or holding information hostage. And of course, it's possible for even well-meaning employees to slip up. All it takes is an employee bringing in malware from a personal device or on a USB drive to nullify all your forward-facing security measures.

Good governance, education, setting (and enforcing) policies, and knowing your employees are your best steps to avoiding these security landmines.

Tech Pro Research's New Employee Checklist and Default Access Policy and New Employee Orientation slides help you simplify the process of accommodating new hires.

IT workers

We'd like to think that all IT pros are ethical, reliable and always act in the organization's best interest. But that's not realistic. In fact, a 2008 survey conducted by Cyber-Ark Software found that one third of IT pros admitted snooping on confidential files, including salary information. Even worse, some suggested that they would steal company secrets if they believed their job was in jeopardy.

To help protect your company secrets from the very people who should be keeping them safe, use the following security best practices:

  • Follow the rule of least privilege
  • Not all IT staff should be domain admins
  • Monitor additions to admin-level groups
  • Log all administrative activity
  • Immediately revoke admin rights for terminated IT staff

Tech Pro Research's Malicious Software Reporting Policy template will help you define requirements and implement practices for ensuring that employees and IT staff take the proper steps when a malicious software infection occurs.

CEOs and small business owners

CEOs and small business owners aren't typically 'behind' attacks, and they face the same attack vectors as regular employees (phishing, social engineering, infected USB drives, weak passwords, etc.). But high-level employees can be greater security risks. First, chief executives and owners are often the most well-known individuals within a company. That makes them a larger target than your average worker. Second and more importantly, high-level executives are many times exempted from normal security policies. If their accounts or devices are compromised, the attacker may have full run of the company's network.

Companies can protect their executives with the same security techniques used for regular employees, but IT must be sensitive of the political implications when dealing with a CEO or owner. It may not be possible to tell the CEO 'no' (President Obama kept his BlackBerry), so IT must figure out a way to say 'yes' and maintain security.

Organized criminals

According to Verizon's 2013 data breach investigations report (DBIR), financially motivated attacks accounted for 75 percent of all 2012 data breaches. And the costs of this illegal activity are significant. In their June 2013 report, The Economic Impact of Cybercrime and Cyber Espionage, security firm McAfee estimated that losses to the U.S. economy may hit $100 billion a year. Annual losses to the global economy are probably around $300 billion.

As the losses have grown, so has the sophistication of the criminals and their attacks. Ring leaders plan attacks and recruit others to conduct their operations. Skilled programmers write malware and sell their software and services. Botnet operators rent their networks for DDoS attacks and email spamming campaigns. Hosting providers give criminals a place to store their software and communicate with each other. And mules launder the money.

Fighting organized cybercriminals is a never-ending task for IT and there's no silver bullet, but companies can start by:

  • Securing their devices (critical in the BYOD and M2M age)
  • Securing their networks
  • Establishing and enforcing strong security policies (e.g. password, access, encryption, etc.)
  • Educating their employees about IT security

State-sponsored actors

State-sponsored attacks took the second spot on Verizon's 2013 DBIR data breach list, accounting for 20 percent of all breaches. And whether the attack is conducted by the U.S. National Security Agency (NSA) or China's People's Liberation Army, they have the same basic intent — to further the country's national interests. Attackers often seek military or classified data, national economic plans, trade secrets, personal information on leaders, and diplomatic communications.

Unfortunately, state sponsored attacks are extremely difficult to defend against. Governments have nearly unlimited resources. And when clandestine techniques fail, they have a tool no corporation or individual has — the law. Unlike other entities, government agencies are legally allowed to collect data for criminal investigations and national defense.

There is disagreement over how much information governments should collect, from whom, and by what methods, but that's a discussion for another time.

Encryption is one of the few ways organizations can protect their data from overbroad government surveillance. In response to reports that the NSA tapped into fiber-optic cables connecting their data centers, Google, Yahoo, and Microsoft have taken steps to encrypt traffic between the centers and use stronger encryption keys. But even encryption isn't a perfect solution, some claim that state actors can circumvent or crack much of the encryption used across the internet.

Tech Pro Research's Encryption Policy template includes standards on which encryption algorithms your employees should use and when they should use them.

Corporate espionage

Years ago, a restaurant owner told me how he collected the names, addresses, and phone numbers of a local competitor's customers. He had a friend put a box for a free drawing (not related to his restaurant) on the competitor's checkout counter. The contest was completely legitimate (people did win the promised prizes) and the rival gave his permission to place the box. He just didn't know entry forms would be given to the owner of a competing restaurant. With the information from the contest entries, the original restaurant owner could send coupons to many of his competitor's customers.

The individual in this example used a low-tech attack, but the story illustrates the basic concept behind all corporate espionage — gaining a competitive advantage.  And not surprisingly, these types of attacks are on the rise.

In their 2013 Internet Security Threat Report, Symantec noted that attacks aimed at stealing intellectual property grew by 42 percent in 2012. Attacks against small and medium businesses are also on the rise. In her ZDNet article about the Symantec report, Charlie Osborne wrote:

"Targeted cyberattacks based on IP theft are being conducted against both the manufacturing industry and smaller businesses, which are likely to have less income to invest in shoring up their defenses against attack. Symantec says that SMBs — with fewer than 250 employees — now account for 31 percent of targeted attacks, and are often seen as a means to gain access to larger firms through "watering hole" techniques."

For an example of how serious corporate espionage can be, one need look no further than Nortel, the former telecommunications giant that declared bankruptcy in 2009. In 2012, The Wall Street Journal reported that hackers, who appeared to be working in China, used stolen passwords from Nortel executives to "downloaded technical papers, research-and-development reports, business plans, employee emails and other documents." Brian Shields, a former 19-year Nortel employee and systems security adviser, told the CBC that he felt the attacks were a "considerable factor" to the company's downfall.

"When they see what your business plans are, that's a huge advantage. It's unfair business practices that really bring down a company of this size," Shields said.

Combating corporate espionage requires a multi-layered approach. In her ZDNet article, "Countering corporate espionage," Sally Whittle recommends that companies:

  • Close the most obvious loopholes — those that can be exploited without breaking the law, such as using carefully crafted Google searches to find sensitive material exposed on corporate web servers
  • Audit their corporate data, identify sensitive information, and segment that information into dedicated, high-security areas of the network
  • Regularly check logs for unusual network or file activity
  • Use standard security best practices such as intrusion-detection systems, firewalls, regular penetration testing, and even application auditing
  • Educate their employees about social engineering attacks

Tech Pro Research's Media Disposal Policy template provides direction and specific instructions for ensuring your organization's data is properly protected when disposing of old storage media.

Online activists

Motivated by political or social ideology, online activists have defaced web sites, stolen and released sensitive information, and even conducted DDoS attacks. Verizon's 2013 DBIR found that the proportion of incidents involving online activists remained steady in 2012, but the amount of data they stole decreased. The authors suspect this drop is due to many groups changing to other attacks, such as DDoS.

Unlike financially-motivated, state-sponsored actors, or those conducting corporate espionage, online activists will often claim responsibility for or announce upcoming actions. When the latter occurs, it can give IT a chance to prepare for and potentially mitigate the attack--if they are listening. IT should monitor online forums, social media sites, and other communication channels for information about potential attacks.

Wannabes and thrill seekers

In April 2012, Austrian police arrested a 15-year-old student suspected of hacking into 259 companies. According to reports, the boy wasn't a computer wizard, but used tools downloaded from the internet. When questioned by police the boy admitted the attacks, "saying that he was bored and wanted to prove himself." The young man allegedly defaced many of the targeted websites, stole data and published it online, and boasted about his activities under the pseudonym ACK!3STX.

Thrill seekers like this individual aren't as serious a threat as cybercriminals or state-sponsored actors. But they can be dangerous, and shouldn't be ignored.

Software developers

Like CEOs and business owners, software developers aren't normally the source of an attack; instead, they are usually a conduit through which the attack is conducted. And despite years of warnings and education, some programmers still leave common security holes in their software. Even software from the the biggest vendors can include serious vulnerabilities, such as zero-day exploits.

As it's often hard to switch software packages once your company has already purchased and deployed them, make sure you evaluate potential software for security holes. And keep the software you do run up to date.

Know your enemies and yourself

Knowing the types of people threatening your network is a critical first step in protecting your organization. As Sun Tzu wrote in The Art of War:

"It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."

For more information on defending your networks from these individuals and groups, check out the following resources:

Editorial standards