Posts Tagged ‘insider threat’

Mitigating Risks of Insider Data Theft

Friday, February 20th, 2009

Cisco recently released a whitepaper about data leakage and insider threats. Several predictions for 2009 have indicated that, particularly with the uncertain economic climate, insider data breaches would become more of an issue. With 88% of respondents admitting they’d take sensitive information if they were laid off, this is a clear and present threat to data security.

In 2008, insider theft accounted for 15.7% of data breaches, and 43% of surveyed companies had experienced fraud, theft or losses as a direct result of employees with access to sensitive data.

Bruce Schneier recently addressed the issue of insiders, who, he points out, are a perennial problem for organizations. Insiders have the means and opportunity to breach data – intentionally or not. The issues coming up lately refer to an increase in intentional data theft or fraud.

“With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks. This is one of the most significant threats companies face” – Microsoft’s Doug Leland

So, given that you need to trust your employees in order to keep your company running, how do you go about addressing the problem of insider threats? Schneier recommends 5 basic techniques, many of which we’ve talked about here on the Absolute blog:

  1. Limit the number of trusted people
  2. Ensure that trusted people are also trustworthy
  3. Limit the amount of trust each person has
  4. Give people overlapping spheres of trust
  5. Detect breaches of trust after the fact and prosecute the guilty

You can read these recommendations in detail here. Hopefully they will give you some ideas about how to prepare for insider issues. Just like with all security planning, it’s about being prepared and about having multiple layers of security in place.

----

In other news, there have been a high number of data breaches thus far in February (see latest incidents). One getting a lot of attention is a breach at the Federal Aviation Administration (FAA) that affects 45,000 FAA employees.

Survey Shows Lack of Planning for Insider Threats

Tuesday, December 30th, 2008

Last month we mentioned that Lanxoma was conducting a survey about insider threats and how companies are tackling that issue. The results of the survey came out, and were quite interesting!

The press release does not indicate how many people took the survey, so the results must be read with that in mind. Nonetheless, like many similar surveys, Lanxoma’s survey revealed that 43% of respondents had experienced fraud, theft or losses that are a direct result of employees with access to sensitive information.

Given the economic situation, many companies involved in the survey have had to make layoffs, cut raises or defer promotions. 72% of the respondents feel this has increased their risk for insider attacks.

The survey also revealed that 28% of respondents believe that employees with a technical background are more likely to commit insider attacks. However, industry experts have shown that it is not technical know-how that increases risk of attack, but rather the dissatisfied employee who simply has access to information. Employees with existing access to sensitive information do not need to know much in order to take it.

Of those surveyed, only 20% of respondents say they have processes and security measures in place to combat insider threats. Most respondents believed they could do more. One area needing improvement is user privileges, which determine which type of user has access to what kind of data. This helps restrict sensitive information to only those employees who need it. Most companies interviewed had no such safeguards, nor were they consistently monitoring what data was accessed and by whom.

Have you defined your Insider Threats?

Monday, November 24th, 2008


Cisco recently released a whitepaper about data leakage worldwide and the resulting costs. The global study, polling more than 2000 employees and IT professionals in 10 countries, indicated that insider threats were far more prevalent than previously thought.

Cisco commissioned the security study from InsightExpress in order to understand if social and business cultures had any impact on data leakage. The results indicate that “insider threats”, caused by uninformed, careless or disgruntled employees accidentally or purposefully doing something which breaches data, have the potential for greater financial losses than outside attacks on the company. In the context of this survey, they also considered that every device capable of storing data added to “insider threats”, given that the loss of these devices poses a high risk.

Cisco put together two papers focused on employee behavior that could put corporate data at risk. The papers found that IT professionals are often unaware of the employee behaviors which put data at risk – this obviously makes preventing loss quite the challenge.

The study examined the effectiveness of security policies – how they are created, communicated and how compliance is enforced. The lack of a policy and compliance with existing policies were large factors in data loss. Unfortunately, the survey showed that IT professionals lack an awareness of how many employees understand and comply with security policies.

Highlights from the study:

  • 39% were more concerned about the threat from their own employees than the threat from outside hackers
  • 33% were most concerned about data being lost or stolen through USB devices
  • 27% admitted that they did not know the trends of data loss incidents over the past few years
  • 43% said they are not educating employees well enough
  • 19% said they have not communicated their security policy to employees well enough
  • 9% reported that they have lost their corporate device or had it stolen (26% of those experienced more than one incident in the past year)
  • IT professionals believe that slipping employee behavior, in terms of safeguarding intellectual property, stems from too much information being dealt with (48%) and a growing apathy towards security stemming from faster-paced jobs (43%)
  • 11% reported that they or fellow employees accessed unauthorized information and sold it for profit, or stole computers

The study concludes that a lack of awareness and of diligence, as well as purposeful defiance, pose a significant risk of data loss. The report lumps the loss of laptops and other portable devices in with the “diligence” section, for the most part. Sadly, most lost laptop reports back up the findings that employee behaviors are to blame for a lack of data safeguards in laptops: leaving laptops logged on, leaving passwords in sight, leaving laptops in cars, etc.

“Preventing data leakage is a business-wide challenge. IT professionals, executives, and employees at every level of responsibility must work together to protect critical data assets…

Like outsider threats, addressing the insider threat demands a comprehensive approach that includes education, policy, and technology.”

The recommended approach focuses on education and accountability. Technologies can help, such as Absolute’s Computrace solutions, which solve some compliance issues by tracking assets and even monitoring software.

Download link: Data Leakage Worldwide White Paper: The High Cost of Insider Threats [PDF]

Exorcising Ghosts of Ex-Employees

Wednesday, November 5th, 2008

Network World’s Mark Gibbs has posted a great article about how to exorcise the “ghosts” of past employees that haunt your systems.

Employees, whether they work for you for a short or long period of time, leave a trail of digital information behind: emails on your mail servers, files, information on desktops, laptops and perhaps even smartphones, customized application settings, contributions to shared spaces like blogs, and much more.

When an employee leaves a company, most (sadly, not all) companies will think to restrict their user access: to delete mail accounts, remove FTP access, restrict privileges and so on. But what do you do with the rest? And are there issues surrounding any of that cleanup? (Well, of course, there always are!)

“Remove their files without understanding how their work related to the bigger business picture and, for example, the design and supportability of an entire product line could be compromised. Dump their e-mail messages and your ability to be in legal compliance could be lost. There are hundreds of potential consequences to removing their data and it adds up to what we in the pundit business call ‘a crap shoot.’”

The solution is not just to restrict access privileges, as that doesn’t tell you what the data is used for or whether any ex-employees have left surprises behind. The solution that Mark Gibbs poses is not an easy one, but it’s one that improves data security overall: rethink the data handling architecture around a centralized ID system that defines roles and access from the start. This way you can spot issues, as well as manage exit cleanup.

“This is a combination of identity management and strategic, top-down planning that displaces the old “strong passwords are good enough” approach because they aren’t.”

On a related note, make sure you read our recent post: Passwords are Not Enough. Absolute Software can also help with some user issues, including software inventory management: knowing what’s installed, tracking machines as they change hands, sending alerts if users operate outside policies, and monitoring data changes.

Also of note, Lanxoma is conducting a survey about insider threats and how companies are tackling that issue. Since that’s something we talk about often on the Absolute blog, perhaps you’d like to take the survey here. Looking forward to seeing the results!

Insiders at GS Caltex Steal Info of 11 Million

Tuesday, September 9th, 2008

Who Breached: GS Caltex
Number Affected: 11,000,000
Information breached: Social Security Numbers
How: Insider stealing data

Four people have been arrested in connection with a major data breach at GS Caltex, a Total Energy Service provider based out of South Korea. This is being called the country’s largest data breach to date.

Earlier this month, CDs and DVDs containing the names, Social Security numbers and email addresses of 11 million GS Caltex customers were found in the garbage in Seoul. The data included information on government officials, lawmakers and politicians.

Investigators on the case say one of the suspects exposed the leak to the media in a publicity campaign aimed at boosting the market value of the data! This is the first time I’ve heard of such a tactic.

The four people arrested on Sunday included two employees of a GS Caltex subsidiary. One suspect is alleged to have copied the database while working at a call center.

The data was copied onto several CDs and DVDs, which presents several issues: that sensitive data could be accessed by a call center employee, that data could be copied to external devices, and that none of this was being tracked internally.

Other recent large data breaches:

  • National Technical Institute for the Deaf, 13,800 Affected, Stolen Laptop – more here
  • Louisiana Real Estate Commission, 13,000 Affected, Insider Accident – more here
  • InterActive Financial Marketing Group (IFMG), 92,095 Affected, Hacker – more here

Via datalossdb.org, AFB

Most IT Employees Would Steal Data

Tuesday, September 9th, 2008

Cyber-Ark Software has released the results of a new survey indicating some disturbing facts about insider data breaches by exiting employees.

Cyber-Ark interviewed 300 IT security professionals for their annual survey. This year, 88% of respondents said that, if laid off tomorrow, they “would take valuable and sensitive company information with them.” And that’s just counting the respondents who were honest enough to admit they’d act unethically!

When asked what information they would take, respondents named the CEO’s passwords, customer database, R&D plans, financial reports, M&A plans and a list of company passwords.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” – Udi Mokady, president and CEO of Cyber-Ark.

Most companies may be unaware of the full list of admin passwords that an IT employee has access to, and this could prove dangerous. Privileged passwords that access sensitive information should be secured and routinely changed, particularly when IT employees leave.
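
As an added illustration (not from the Cyber-Ark survey or Mark Gibbs’s article), the exit checks discussed here and in the ex-employee post above can be run against a central identity inventory. The Python below assumes a hypothetical inventory that records who holds each privileged credential and when it was last rotated; all account names, dates and the 90-day threshold are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class PrivilegedCredential:
    name: str
    last_rotated: date
    holders: frozenset  # user IDs able to read or use the secret

def ghost_accounts(enabled_accounts, departures):
    """Accounts still enabled although HR records the owner as departed."""
    return sorted(u for u in enabled_accounts if u in departures)

def rotation_findings(credentials, departures, today, max_age_days=90):
    """Flag credentials a leaver knew that were not rotated after the
    departure, then credentials that are simply past the maximum age."""
    findings = []
    for cred in sorted(credentials, key=lambda c: c.name):
        # A rotation on the departure day itself is treated as too early,
        # because the leaver may still have seen the new secret (>=).
        leavers = sorted(u for u in cred.holders
                         if u in departures and departures[u] >= cred.last_rotated)
        if leavers:
            findings.append((cred.name, "known to leaver: " + ", ".join(leavers)))
        elif (today - cred.last_rotated).days > max_age_days:
            findings.append((cred.name, f"older than {max_age_days} days"))
    return findings

# Constructed sample data (hypothetical users and systems).
DEPARTURES = {"jdoe": date(2008, 8, 29), "asmith": date(2008, 6, 13)}
ENABLED = {"jdoe", "mlee", "svc-backup"}
CREDENTIALS = [
    PrivilegedCredential("db01-root", date(2008, 3, 1), frozenset({"jdoe", "mlee"})),
    PrivilegedCredential("fw-admin", date(2008, 7, 1), frozenset({"asmith", "mlee"})),
    PrivilegedCredential("mail-admin", date(2008, 1, 15), frozenset({"mlee"})),
    PrivilegedCredential("vpn-admin", date(2008, 9, 1), frozenset({"mlee"})),
]
TODAY = date(2008, 9, 9)

if __name__ == "__main__":
    print("still enabled after exit:", ghost_accounts(ENABLED, DEPARTURES))
    for name, reason in rotation_findings(CREDENTIALS, DEPARTURES, TODAY):
        print(f"rotate {name}: {reason}")
```

The check only works if the holder list is maintained centrally, which is the point of defining roles and access from the start.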

Other interesting survey results:

  • One third of companies believe internal espionage and data leaking has resulted in data going to competitors or criminals
  • One quarter have suffered data breaches by internal sabotage and/or IT security fraud
  • 35% send sensitive or confidential information via email (an insecure medium, most of the time)
  • One third of IT administrators admit to keeping passwords on post-it notes
  • One third admit to snooping on the network to look at confidential information like salary details, personal emails, meeting minutes, etc

Via Network World