In recent weeks and months, we’ve seen a slew of high profile breaches gain media and consumer attention. The SEC, Deloitte, Equifax and Bupa stories are just a few of these examples. For most people, two of the biggest questions that come to mind are: “How did this happen?” and “How am I affected?”
To think about this, let’s shift the focus to user intent, and ask “Why?” We often hear that a vulnerability was left unpatched, or an inadvertent mistake led to the leak of confidential information. For those outside of the security industry, catastrophic data loss is often thought to be carried out by devious, malicious actors, such as those in action-packed TV dramas or movies. But reality is rarely so dramatic.
Take the movie Jurassic Park, for example. Dennis Nedry, the brilliant system architect, is a perfect Hollywood example of an insider threat who inflicts dire consequences. First and foremost, Nedry is not suspected by his employer of being an insider threat and has been granted physical and digital privileges within the park. This gives him tremendous opportunity to cause harm. Secondly, he colludes with the adversary to smuggle dinosaur DNA out of Jurassic Park inside a shaving cream can. Lastly, he sabotages the park’s systems to ensure he can continue to carry out his devious plan.
This kind of scenario is probably the most common way insider threats are portrayed in mainstream television and film. However, this is also a very limiting and (mostly) inaccurate way of thinking about insider threat. The truth is, a Dennis Nedry situation, while possible, is in reality the least common type of insider threat.
Let’s circle back to reality. An insider can be any former or current user including: employees, partners, suppliers, contractors, board members and even customers. In other words, the insider threat can be anyone who has access to systems, confidential data, or IP.
As we see in many high-profile breaches, incidents often happen unintentionally by well-meaning employees, partners and contractors trying to do their job. In fact, according to a 2016 study, unintentional breaches are the most common type of insider threat and can be just as damaging. As we look at the entire cyber continuum of intent and behaviors of users, we see that protecting data is a much larger endeavor which must take into consideration the motivations of accidental and compromised, as well as malicious, insiders.
For example, Verizon’s breach is an unfortunate example of inadvertent error: it was due to a partner accidentally leaving 6 million records unprotected in the cloud.
Whenever I hear about cases like this I think, “Really, ‘accidentally’?” But consider all the people — employees, partners and customers — who have access to your data. These people may not know what is sensitive and what is not, and/or just don’t practice common-sense security.
With that being said, if you don’t think an insider breach could happen to you, consider this scenario:
At a supplier partner to a big pharma company, it’s Bob’s turn to pick lunch for his work group. He orders from his favorite Chinese restaurant online via their website. Food is delivered and the group carries on: shipping, emailing, signing contracts, sharing data, etc. Behind the scenes, unbeknownst to Bob, he was also served a side of malware that opened a back-door to the corporate network. The malware spreads by attaching itself to data that is shared beyond the network, opening up back doors to every network the supplier shares data with, including the pharma company.
This example includes social engineering via the Chinese takeout menu, plus a watering hole and a hijacked website. (A watering hole is a targeted compromise of a website in a supply chain. Cybercriminals or nation state hackers can reach a highly targeted group by injecting the site with malicious code, without sending out socially engineered lures, and lie in wait for victims to browse by and then infect them.)
Ultimately, this lunch provided a malicious actor (maybe a competitor) with all the formulas to the pharma company’s IP through a compromised insider. Maybe worse, the pharma company also shared data with other partners like a U.S. government supplier and, in this worst-case scenario, now our national security is compromised.
Now let’s imagine the adversary doesn’t want to steal code, but alter it. The altered code is for a new vaccination specifically meant for troops stationed overseas. You get where I am going with this … “Not possible” you say? Are you sure? If we took a poll in any given company or agency and asked who has ordered General Tso’s Chicken online, how many would raise their hand? Mine is raised.
So, what to do? Let’s look at each of the above examples by order of intent and discuss security approaches and technologies that may have protected the user and data.
1. Accidental (i.e. Verizon): One person misconfigured one system, and 6 million records were exposed. That is unacceptable. So, what else can be done?
- Robust data loss prevention solutions are not simply for blocking data from loss or leaks. They can enforce encryption or trigger other security measure. The level of risk to customers would be much lower if the data in the exposed Verizon repository had been encrypted.
- “Coaching” messages can also be triggered when users attempt to share or store data in unsecured or otherwise improper locations, even when they have the best intentions in mind. While controlling an immediate risk, this also helps improve awareness to proactively reduce future risks of data loss.
Similarly, Deep Root Analytics had 200 million voter records leaked online due to employee error. Our CEO Matt Moynahan commented on the story.
In both cases, DLP enables the secure sharing of sensitive data with business partners throughout the supply chain.
2. Compromised (i.e. Deloitte): As reported, Deloitte had client accounts leaked via a compromised admin account. This is a similar example to the Chinese food example above, and in this instance, it seems as though this data was also exfiltrated.
In the case of malware for lunch, an insider threat program and solution would have prevented Bob, the generous lunch provider, from infecting not only his own company but also the pharma partner or the U.S. government agency. Insider threat solutions can ensure proper information assurance controls are in place, such as up-to-date browsers, that would detect malicious java script often contained in watering holes and hijacked sites.
3. Malicious (i.e. Bupa): Bupa suffered a breach when one of its employees copied and removed sensitive customer information. Some sources have noted that this employee was disgruntled in some way, deliberately seeking to harm the company’s reputation.
If an insider threat solution was in place the Bupa employee (and Dennis Nedry) would have been stopped long before malicious acts were executed.
For example, Nedry was likely conspiring via email. Those emails would have immediately been flagged, and Nedry would have been placed in an employee monitoring group. This would then be explored by a security team, where his intent would have been flagged as malicious before carrying out his damaging acts. This integration with email is important. The efficacy of insider threat programs and technologies multiplies when integrated with DLP and email, web and cloud security. In this alternate world, maybe Nedry could have been rehabilitated and saved as a valuable employee.
Alternatively, let’s just say Nedry is too smart to use email, he still wrote code to shut security systems down. An insider threat solution that provides role definition and division can prevent any one person sole ownership of sensitive code, ultimately preventing that aspect of his malicious actions.
With regard to the Bupa employee, an insider threat program or user behavior analytics engine solution would have flagged that sensitive information was being copied and removed – likely an anomalous behavior for a given employee. It could have been flagged and monitored, then encrypted to ensure it couldn’t be used outside of the network.
Unfortunately, unlike fictional portrayals of good and evil, there is no simple resolution or silver bullet for security that can be tied up like in a movie’s conclusion. Our definition of the insider threat must go beyond the Dennis Nedrys of the world, or our reality will be like what we see in movies. The reality is that any good security program must be multi-faceted, intelligent, comprehensive and most importantly human-centric. It must include policy, procedure, training and tech. In other words, your people have a huge role in securing data and livelihood.