Companies are faced with a two-fold problem: protecting their data from those who have access to it from the inside, and from those who exploit the human factor to access it from the outside. With the rise in remote working, cloud computing and bring-your-own-device, we examine the changes needed to address the insider threat.
To breach a company’s security requires sophisticated software, huge computing power and a crack team of coders, right? Wrong, writes Joyrene Thomas.
A company’s own staff pose a bigger threat to its security than malicious outsiders. Insiders are responsible for around 43 percent of data breaches, half of which are intentional and half accidental, an Intel report found.
The world’s best-known data breach was an inside job. In 2013 former CIA employee and US government contractor Edward Snowden leaked thousands of classified documents revealing government surveillance activities. US soldier Chelsea Manning is currently serving a 35-year prison sentence, after disclosing classified as well as sensitive military and diplomatic material to WikiLeaks.
National security leaks aside, a SailPoint survey found that 20 percent of people would sell company passwords for cash. 25 percent of employees would be prepared to risk both their jobs and criminal convictions by selling company data for less than $8,000, according to a survey by data loss prevention firm ClearSwift.
So much for the intentional. As to the accidental, human error is still behind the improper disposal of company information, misconfiguration of IT systems, and lost and stolen assets, such as laptops and smartphones. According to Verizon’s 2016 Data Breach Investigations Report, around a quarter of human errors involved sensitive information being sent to the wrong person.
THE HUMAN THREAT
“The ‘insider’ is a broader church than people think,” explains Piers Wilson, head of product management at Huntsman, a cybersecurity firm providing defence-grade security. “You have employees, but even within this group there are layers. You have the aware and unaware, the deliberate and accidental, internal and external insiders.”
“There are people who are malicious and try to gain access to information or steal data. Then you have people who are doing something they don’t see as serious, such as taking a list of contacts when they leave a job. There’s also the accidental — people who leave data lying around or store a file on Dropbox so they can work on it from home.”
Another data security challenge is the extended enterprise. Companies may have a large contractor workforce, plus third-party partners accessing information via a portal or shared system. So the risk surface posed by the insider is growing. At the same time, it is not always possible to impose the same level of education and awareness on everyone an organisation deals with. Staff awareness training may not touch a whole group of people accessing corporate data and systems. This adds to the risk posed by the insider.
THE TECHNICAL THREAT
As well as the human threat, companies also have to contend with a growing technical threat. The change in the way IT is delivered within the enterprise exacerbates the insider threat. There is more cloud computing, more bring-your-own-device (BYOD), more shadow IT and more mobile devices, compared to even five years ago. The challenge for corporate IT departments is that consumer technology prioritises simplicity and convenience, not necessarily security.
The consumerisation of technology means employees may bypass IT department constraints. Employees may not want to wait for their IT department to give them access to shared file storage or an extranet when it is easier to source this from a cloud provider. If a small sales team in a remote office needs a way to track and exchange contact details, it can easily source its own web-based CRM system. If the company imposes a size limit on e-mail attachments, numerous providers allow users to send gigabyte files via the web for free. In all three of these examples, data is being stored outside the corporate data centre.
“You have to recognise that people are increasingly using cloud, whether it’s file storage or shadow IT. You need a way of controlling, policing or at least monitoring that kind of cloud access.” Piers Wilson, head of product management, Huntsman
The growth of mobile devices means that employees are increasingly creating and accessing data via their mobile phones. When it comes to joiners and leavers, managing privileges in a world where a company-issued laptop or mobile phone is not the only way to access data is challenging. Almost a third (32 percent) of UK respondents to a survey conducted by Centrify believe that it would be easy for an ex-employee to log in and access systems or information with old passwords. This compares to 53 percent of respondents in the US. Half (49 percent) say ex-employees, contractors and third parties are ‘off-boarded’ the day they leave, yet over half also admit that it can take up to a week or more to remove access rights.
THE WEAPONISATION OF THE INSIDER
The overlap between the human and the technical threat is where phishing sits. “Phishing is not really an insider attack, but it’s where an outsider compromises internal staff with an e-mail or attachment that looks genuine. Before you know it, the attacker has used one of your insiders to gain access to your systems and data. Phishing is the weaponisation of the insider,” says Wilson.
CEO scams, a form of phishing or social engineering, are on the rise. They are estimated to have affected 12,000 businesses worldwide at a cost of more than $2 billion in the last two years, according to the FBI. Criminals spoof the e-mail address of the CEO or CFO and instruct the recipient to transfer funds to a bank account (usually controlled by the criminals), settle an outstanding invoice or update supplier bank account details.
Phishing is also used as a delivery mechanism for malicious software and ransomware. This infects a user’s computer as a precursor to compromising and exfiltrating data, or renders it unusable until a ransom is paid. According to Verizon’s 2016 Data Breach Investigations Report, 30 percent of phishing messages were opened, up from 23 percent last year. Around 13 percent of those recipients went on to open the malicious attachment or click on the link.
Attackers exploit human weaknesses and vulnerabilities. In a study conducted by the University of Luxembourg, almost 50 percent of people revealed their password in exchange for chocolate. Scientists asked passers-by about internet security, including questions about their password. Those who were not given chocolate at the beginning of the interview revealed their password 30 percent of the time. Those who were did so 44 percent of the time.
“We investigated the psychological principle of reciprocity. When someone does something nice for us, we automatically feel obliged to return the favour. This principle is universal and important for the way we function as a society,” said Andre Melzer, co-author of the study.
That is how social engineering works. The attacker can be as convincing as they want to be, and as knowledgeable, skilled and patient as they need to be, if that is what it takes to gain access to data.
COUNTERING THE INSIDER THREAT
To combat the insider threat, organisations need to shift their focus from the perimeter to the data itself. “Traditionally companies have been using the metaphor of the castle, where you defend your perimeter with a moat or a gate — an impenetrable outside. Once you get inside, you have free access,” says David Gibson, vice president, strategy and market development, Varonis, a provider of software solutions for protecting data.
“If banks were to secure money the same way as people secure data, they would put a lot of guards on the door but the vault would be open to anyone within the bank. There would be nobody watching who was taking money in and out.” David Gibson, vice president, strategy and market development, Varonis
“Over the last ten years, the frequency of breaches has increased. A lot of them have a couple of things in common. Firstly that the attacker was usually someone inside already, or got in through stealing a valid insider’s credentials. Secondly, what is taken is usually unstructured data, such as files and e-mails. Protecting data from the inside out is flipping the metaphor. Instead of focusing from the perimeter in, it is building concentric security rings around the data itself,” explains Gibson.
In addition to a change in focus, user behaviour analytics (UBA) and Big Data techniques have helped to invert the traditional detection problem. Baselining normal user behaviour helps anomalous behaviour to stand out. A company needs to know who is accessing which files. Who is creating, opening and deleting them? Who is sending e-mails to whom? Gibson explains that modelling this behaviour helps flag a user who deletes an important file or directory, changes access rights, or modifies 500 files in a five-minute period. Similarly, it can detect ransomware and the exfiltration of files.
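As an added illustration (not code from the article or from Varonis), the following Python sketch applies the three triggers Gibson describes to a constructed file-audit log; the event format, user names, paths and the list of "important" directories are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-audit events, not real data: (timestamp, user, action, path).
BASE = datetime(2016, 6, 1, 9, 0, 0)
EVENTS = [(BASE + timedelta(minutes=i), "alice", "MODIFY", f"/finance/q2/report{i}.xlsx")
          for i in range(20)]                       # normal editing: 20 files in 20 minutes
EVENTS += [(BASE + timedelta(seconds=i / 10), "bob", "MODIFY", f"/shared/docs/file{i}.docx")
           for i in range(600)]                      # 600 files rewritten in one minute (ransomware-like)
EVENTS += [(BASE + timedelta(minutes=30), "carol", "DELETE", "/hr/payroll/2016/"),
           (BASE + timedelta(minutes=31), "carol", "ACL_CHANGE", "/hr/payroll/")]

IMPORTANT_PREFIXES = ("/hr/payroll/", "/finance/")  # assumed: directories the business cares about
WINDOW = timedelta(minutes=5)                        # the article's five-minute period
MODIFY_THRESHOLD = 500                               # the article's 500-file trigger


def detect(events, window=WINDOW, threshold=MODIFY_THRESHOLD, important=IMPORTANT_PREFIXES):
    """Return (user, rule, detail) alerts for the three behaviours the article names."""
    alerts = []
    recent = defaultdict(deque)   # per user: timestamps of MODIFY events still inside the window
    burst_reported = set()        # alert once per user per burst, not once per file
    for ts, user, action, path in sorted(events):
        if action == "MODIFY":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:             # slide the window forward
                q.popleft()
            if len(q) >= threshold and user not in burst_reported:
                burst_reported.add(user)
                alerts.append((user, "mass_modification",
                               f"{len(q)} files modified within {window}"))
        elif action == "DELETE" and path.startswith(important):
            alerts.append((user, "important_delete", path))
        elif action == "ACL_CHANGE":              # access-rights change on any path
            alerts.append((user, "permission_change", path))
    return alerts


if __name__ == "__main__":
    for user, rule, detail in detect(EVENTS):
        print(f"{user:6} {rule:18} {detail}")
```

Alice's steady editing never fires; Bob's burst is reported once, and each of Carol's sensitive actions is reported individually.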
“Having preventative controls is the right thing to do. But detective controls are much faster to implement and will work even if your preventative controls are not in place.” David Gibson, vice president, strategy and market development, Varonis
“Before, we were using UBA to augment preventative controls; now we are putting emphasis on the detective aspect. This is important because when you talk about getting to a least-privileged model, there is a lot of work to do. But to turn on the detective controls takes a couple of hours,” concludes Gibson.
Almost one-third of respondents to a PwC cybercrime survey said that insider crimes were more costly or damaging than those committed by external adversaries. Yet less than half had implemented a plan to deal with insider threats. This has to change. To do otherwise is unlikely to be commercially sustainable over the medium to longer term. If companies do not act now to protect data under their own terms, they may find the regulator steps in. Those in Europe, trading with Europe or storing the data of European citizens will have to comply with the EU General Data Protection Regulation in less than two years. The data clock is ticking.
Data security is about just that — securing data. Almost every company holds data about customers, staff or partners. Almost every company has intellectual property, strategic documents, operating procedures or manuals, marketing plans and so on. If something has commercial value to a company, it more than likely has commercial value outside the company. Revisiting first principles is worthwhile, because they still hold: What data does the company have? Where is it? And who has access to it?
“Too much in the past has been around identifying things retrospectively. Moving from a historical, retrospective model to something which is more real-time, immediate and on-demand is a challenge.” Piers Wilson, head of product management, Huntsman
Speed is important in countering the insider threat. Companies must be able to respond quickly to minimise the time at risk. Focus needs to move from being retrospective to predictive, and controls from preventative to detective and restorative. Companies should not underestimate the challenge of the agile adversary. Attackers are unconstrained by change control, organisational processes or budget cycles. They can be as convincing as they want to be, and as knowledgeable, skilled and patient as they need to be, if that is what it takes to gain access to data. Once the attacker is inside, they are an insider.
THE INSIDER ATTRIBUTION TRAP
What motivates people to steal data? The reasons are many and various. They range from political, ideological, financial or malicious motives to carelessness and accident.
An ex-Morgan Stanley adviser was sentenced to three years’ probation last year and ordered to pay $600,000 restitution to his former employer for taking company data. The employee in the private wealth management division transferred confidential data on 730,000 customers to a private server in his home to advance his career.
Meanwhile a senior employee at British supermarket chain Morrisons was jailed for eight years in 2015 after posting details of nearly 100,000 colleagues online. Disgruntled at being disciplined for using the company mail room to send out personal packages, the employee stole payroll data, including salaries, national insurance numbers and bank account details. He posted this online and sent it to newspapers.
Computer users will even sign away their first-born child ‘for the duration of eternity’ in exchange for WiFi access. Six people failed to notice the so-called ‘Herod clause’ contained in the terms and conditions when they signed up at a free WiFi hotspot in London.
Understanding the motivations behind data theft and loss may help prevent future losses. However, assigning attribution can be difficult and detract from business response and continuity efforts. It is probably more worthwhile to focus on threat prevention, detection and recovery plans. After all, robust plans will be effective irrespective of the attacker or motive.