In the world of information technology, there are many kinds of markets. Black markets, where illicit products are sold. Commercial markets, which we might call white markets. And grey markets, defined as:
…the trade of a commodity through distribution channels which, while legal, are unofficial, unauthorized, or unintended by the original manufacturer.
The recent RAND Corporation report, “Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar,” talks about the maturing cybercrime black market, which is both fascinating and disturbing, especially given the size, scope, and aggressive nature of its participants. The report also calls out the notion of a grey market, particularly for zero-days, in which a “legitimate vulnerability market” supports the buying and selling of vulnerabilities. (Spoiler alert: This is already happening and it will create a new class of millionaires.)
Not only do markets come in shades of grey, but so, too, do individuals. In the world of hacking, we have the notion of “black hats” and “white hats.” As the names imply, the black hats are hackers who do illegal stuff with code. White hats are the good guys—people who do pen (penetration) testing in order to find and fix vulnerabilities in technology and, in doing so, thwart what might otherwise lead to criminal deeds.
But in the middle, there’s another kind of person. I’ll call her a “grey hat,” and she just might implicate regular folks like you or me. A non-criminal insider, she might be an employee, a partner, or, even, part of the weekend custodial crew.
These types of insiders might not self-identify as criminals, and their actions might not start out with overt malicious intent, but they can still be very dangerous. For example, a salesperson might download a customer database to her laptop, believing it will help her access data more quickly when she’s on the road. She’s not really stealing that data . . . until maybe later, when she leaves the company to join a competitor and decides to copy that data to a thumb drive before turning in her laptop.
Nobody gets hurt here, right?
Insider threats, in fact, comprise a substantial percentage of data leakage. A recent survey from Carnegie Mellon University reported that a quarter of electronic crimes with identifiable perpetrators were committed by insiders. Twenty-five percent is nothing to sneeze at!
A big problem with insider threats appears to be the fact that employees think they are entitled to the data. A Ponemon survey on insider threats found that employees think it’s acceptable to take and use intellectual property when they leave the company. About 62% said it was acceptable to transfer work documents to personal devices, and 56% did not believe it was wrong to use trade secrets from a former employer at a competitor.
To make matters worse, organizations aren’t always disabling access as soon as employees leave the company (Information Week, May 2013). (A quick aside: Juniper has a killer solution for network access control, something every organization should consider if only for this reason.)
The main point is this: The white hats (that would be us) all want to stop the bad guys/black hats (that would be them).
But how will we deal with the other 48 shades of grey?
And dare I ask, who among us are grey hats?