Spies Among Us

A recent study produced by Verizon and the US Secret Service delivered a surprise finding: in last year’s electronic record breaches, nearly half were inside jobs or required insider cooperation. In the merged Verizon/Secret Service data set, 48 percent of breaches were attributed to users who maliciously abused their right to access corporate information. An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.

The report covers 900-plus breaches involving more than 900 million compromised records. The majority of the Verizon investigations evaluated in the study took place outside the US, whereas the bulk of the Secret Service investigations occurred within the US. While external threats still run high at 69 percent, insider threats are an increasing challenge to IT, one further complicated by the need to give employees and other insiders access to the very network IT works so hard to block from outsiders.

“Provisioning, the very act of providing the workforce with network access, is a major factor with internal security threats,” explained Martin Hack, EVP of NCP Engineering. “The problem is, for too long, IT departments have isolated account provisioning, making it a stand-alone process, ignoring how destructive and costly a provisioning error can be.”

So how is it, exactly, that employees get the data outside company walls despite IT’s best efforts? “A better question would be ‘What methods aren’t available to an insider?’,” said Ryan Smith, principal research scientist for Accuvant Labs.

Indeed, malicious types find creative means to steal or destroy data. The information can be photographed with a smartphone, copied to a USB device, faxed to a .pdf file, printed from a copier or printer hard drive, emailed, staged down to less and less secure storage locations, or captured via keylogging malware … to name but a few choices in the malefactor’s repertoire.

If they sell the stolen data to a competitor, the action is typically considered traditional corporate espionage, no matter how they executed it. Employees can also sell the data to criminal elements who want to steal identities, bank accounts, and other sensitive data for personal gain. A third set of malicious actions is designed to destroy data; these are typical of angry current or former employees who mean to exact revenge. A fourth set of employees will hold data hostage in some way as a means of job protection: the thinking is that if only one person can access the data, then that person is indispensable.

“We do know that the effects of down economies, such as an employee’s fear of being laid off or a desire to have some IP [intellectual property] to make them more marketable to the next firm, are recipes for increased focus on the internal threat,” said J. C. (Cal) Slemp III, managing director and leader of Security and Privacy Solutions at Protiviti, a global business consulting and internal audit firm.

Lastly, there is a group of employees that mean no harm whatsoever to the company and yet manage to do exactly that. Essentially, they are just trying to get the job done and have no idea they are putting the company in danger. For example, a good employee may email files to their personal accounts in order to continue working from home. Or they may carry laptops and mobile phones with weak passwords, use insecure Internet connections at home or while traveling, email files to the wrong email address, lose mobile devices, dispose of old CPUs and devices improperly, or provide too much information in casual conversation with someone outside of the company, perhaps in person or via social media.

“They don’t mean to cause harm, but they get right into the heart of a corporate network from the inside, causing potentially untold havoc, or more disturbingly, silent but critical exfiltration of sensitive data that could (and does) go on for months before anyone notices,” explained Steve Santorelli, a former Scotland Yard detective who is now the director of Global Outreach for Team Cymru, a non-profit Internet security research firm.

Quite often, employees are too hurried and harried to think how their actions create security problems. Just as often, they find little motivation to take the extra steps true security requires.

“The bond of commitment between a company and its employee has eroded as benefits have been reduced, workloads have increased and salaries have stabilized or been cut,” said Slemp. “Firms have to ask themselves honestly if they have created an environment that fuels the probability that someone will not treat the company IP as they want it treated.”

Inside jobs, outside sources

While employees and ex-employees are most commonly seen as key to internal threats, there are other elements lurking inside company walls that can create havoc too.

“One novel and still unaddressed way bad people get in is via contractors,” warned John Bambenek, an incident handler with the SANS Internet Storm Center. “Too many headhunters simply find a good resume and shove people into open positions. No real background check is done. This is how the World Bank was compromised in 2008 by two people brought in to do desktop support. They installed malware everywhere and got data out.”

Part of a solid security plan has to address providers of all types, and yes, that includes security providers. Security policies and practices must extend to cloud and hosted services as well. Wherever there is one or more contact points with company data, there is opportunity for internal threats.

“To remedy the threat, both poor employee practices and bad business processes need to be prevented,” said Rich Dandliker, Symantec’s director of Product Management. “In reality there tends to be a fusion of risks which forms a toxic combination of the two, so remedies may be complex and different for different organizations.”

While there is no silver bullet with which to shoot the bad guys from within, there are specific steps IT can take to minimize damage and shrink the threat. Indeed, the Verizon/Secret Service study found that “simple actions, when done diligently and continually, can reap big benefits.” Here are best practices for securing the enterprise against internal threats, as determined by the Secret Service and Verizon’s findings:

Restrict and monitor privileged users – The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify: use pre-employment screening, limit user privileges, and employ separation of duties. Privileged use should be logged, and reports detailing that activity should be sent to management.

Watch for “minor” policy violations – The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies. Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.

Implement measures to thwart stolen credentials – Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.

Monitor and filter outbound traffic – At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.

Change your approach to event monitoring and log analysis – Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make the needed changes. Organizations should make time to review batch-processed log data and analysis more thoroughly. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.

Share incident information – An organization’s ability to fully protect itself is based on the information available to do so. The availability and sharing of information are crucial in the fight against cybercrime. Consult credible data-sharing programs such as the Verizon VERIS Framework to remain updated on the latest threats.
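As an added example, not part of the original article or of the Verizon/Secret Service report, the following Python script runs three of the practices above over a constructed audit log: it records every privileged action for management review, applies a time-of-use rule, and totals outbound bytes per user per day. The log lines, the 08:00–18:59 business-hours window and the 100 MiB daily outbound threshold are all assumed values for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not real data): timestamp user role action bytes_out
SAMPLE_LOG = """\
2010-07-28T09:12:04 alice admin login 0
2010-07-28T09:15:30 alice admin read_db 2048
2010-07-28T23:41:10 alice admin export_db 734003200
2010-07-28T10:02:11 bob user read_file 4096
2010-07-29T02:15:00 bob user upload_ext 157286400
2010-07-29T11:00:00 carol user read_file 1024
"""

BUSINESS_HOURS = range(8, 19)       # assumed time-of-use rule: 08:00 to 18:59
OUTBOUND_THRESHOLD = 100 * 1024**2  # assumed per-user daily outbound limit (100 MiB)

def parse_log(text):
    """Turn space-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "bytes": int(nbytes)})
    return events

def review(events):
    """Return (kind, user, detail) findings for the three checks."""
    findings = []
    outbound = defaultdict(int)
    for e in events:
        # Restrict and monitor privileged users: every admin action is recorded for review
        if e["role"] == "admin":
            findings.append(("privileged_use", e["user"], e["action"]))
        # Time-of-use rule: any activity outside business hours is flagged
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["user"], e["action"]))
        # Monitor outbound traffic: accumulate bytes sent per user per day
        day = e["ts"].date().isoformat()
        outbound[(e["user"], day)] += e["bytes"]
    for (user, day), total in outbound.items():
        if total > OUTBOUND_THRESHOLD:
            findings.append(("outbound_volume", user, f"{day}:{total}"))
    return findings

if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:16} {user:6} {detail}")
```

In practice the same three checks would be fed from the central log store rather than an inline string, and the findings routed to the people and processes the report says must be in place to act on them.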

A prolific and versatile writer, Pam Baker’s published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).