When former government contractor Edward Snowden gained access to more than a dozen National Security Agency systems to pilfer potentially thousands of classified documents, his actions highlighted a number of fundamental security lapses. The proper technologies would have kept tabs on employee behavior and signaled a problem, experts told CRN.
Since the NSA security breach, much of the attention prompted by the subsequent data leaks understandably has been focused on the extent of the NSA's surveillance program. But solution providers tell CRN that the incident also has prompted some business owners to request ways to reduce insider threats. They want to quickly spot a rogue employee who steals files prior to their departure or block careless workers from mishandling data when sharing files with remote colleagues.
"If the organization is not really thinking about what is worth protecting, most of the time they're setting themselves up for failure," said Chris Camejo, director of consulting and professional services at NTT Com Security, Bloomfield, Conn. "Conducting an assessment to determine what information is your most valuable asset, where it resides and who owns it is a good place to start."
The NSA leaks are the latest in a long line of high-profile security incidents that highlight insider threats. The security lapses often put the spotlight on the holes in fundamental security best practices, configuration weaknesses as well as security controls that may have been in place to prevent an incident but simply weren't being monitored, Camejo said. Too often, experts say, access control is not being proactively maintained, passwords are inadequate, and role-based management is not automated when an employee moves to a new position but maintains access to systems he or she no longer needs.
In 2008, a disgruntled IT administrator for the city of San Francisco held the city hostage for days, holding the passwords to the city systems that are critical to day-to-day operations. After hearing his job was in jeopardy, the worker created his own passwords to the network and blocked others from gaining access to email, payroll and other systems. The employee only gave them up after the mayor visited his jail cell and pleaded with him.
The incident highlights the need of activity monitoring -- checks on critical system logs by multiple people are necessary to prevent an incident, said J.J. Thompson, managing director and CEO of Indianapolis-based security consultancy and managed security service provider Rook Security. Someone needs to ensure that IT security isn't asleep at the wheel, Thompson said.
"We're gluing together the events and incidents being spit out of devices to find indicators of compromise," Thompson said. "Our clients are more concerned than ever and they want to know what anomalous activity is occurring."
One solution provider conducting the computer forensics investigation following a major breach at a financial firm said a monitoring system that triggered an alert on suspicious activity sent it to an email account of the former employee who set up the system. The mailbox was full of alerts generated by the system. Simply configuring it to send an alert to another source could have stopped an employee from stealing millions of dollars, the consultant told CRN.
"It happens all the time," said the consultant, who wished to remain anonymous. "Companies gain a false sense of security when they deploy systems, but ultimately all they get is a shiny new box that doesn't get the attention it truly needs."
RESEARCH REPORTS TALLY UP THE TOLL
The rising toll caused by insider threats has been borne out in several reports. Researchers at Kaspersky Lab found that cybercriminals were targeting contractors to steal data in an effort to leverage the stolen information when attacking the ultimate target. Cybercriminals understand that they can trick employees into giving up their account credentials or manipulate their actions, forcing them to mistakenly leak data that can be used in a successful attack, said Tiffany Rad, a senior researcher at Kaspersky Lab.
In one 12-month period, spam and phishing attacks accounted for a vast majority incidents against businesses, the report found. Malware accounted for 66 percent of all attacks on businesses surveyed.
"Insider threats can come from a variety of attack vectors and that's why employees need to be made aware of how their actions impact the business from a security perspective," Rad said. "You can have the best, most sophisticated information security network of systems protecting your corporate infrastructure, but it only takes one person on the inside that has made a mistake to bring it all down."
A Forrester Research analysis of data breaches that took place between January and August 2013 estimates that insiders were responsible for about 36 percent of the breaches. Most of the security incidents were employee mistakes, the research firm found. User security awareness training can help raise mindfulness about data security within the organization, but organizations are not adequately training employees, said Heidi Shey, an analyst at Forrester.
A Forrester survey of more than 4,000 information workers in the U.S. and Europe found that only 42 percent of the workforce indicated they had received training on how to stay secure at work. Many indicated that they were unaware of their organization's current security policies, Shey said.
"These are issues that can be greatly reduced if the breached organization had done a series of sustained training programs to instill awareness about security," Shey said. "Employees need to know how the data they are handling can impact the entire organization."
Shey said the breaches she reviewed typically involved the inadvertent misuse of data by an insider that ended up in the loss of backup data or a lost or stolen laptop or a smartphone that contained sensitive customer information. Employees also are consistently falling for carefully crafted phishing messages, clicking on links in emails or opening file attachments, Shey said.
Business partners are sometimes attacked by cybercriminals to get account credentials or other data that could be used to gain access to the organization that ultimately is being targeted, Shey said.
Part of the problem, according to security experts, is that organizations do a poor job of balancing implemented security restrictions and worker productivity, said Jim O'Brian, chief information security officer at Overland Park, Kan.-based solution provider Choice Solutions.
O'Brian said organizations with compliance commitments focus on protecting personally identifiable information or encrypting credit card data, but fail to address personnel problems or adequately address processes that can open up security weaknesses.
"If you only focus on the data, you'll miss how data moves throughout the network and how the employees do their jobs," O'Brian said. "If restrictions introduce serious inefficiencies, employees will go around them every time."
More than half of the information workers surveyed by Forrester said they understood the policies in place for data handling. But for many executives and managers, data handling was virtually unfettered, enabling them to access and manipulate data on any device. Surprisingly, they were less aware of the polices for data use and handling than the employees who had more restrictions, Shey said.
Forrester uncovered a consistent theme of employees using a USB flash drive or CD to carry work home. Some were sending email attachments to themselves via a personal webmail account such as Gmail or Yahoo Mail. Others used Box or other file storage and sharing services, Shey said.
IT security teams are responding. A Forrester survey of more than 1,400 North American and European enterprise and small and midsize business IT security decision-makers estimates that in 2014, organizations plan to increase their data security budgets by 5 percent to 10 percent while 10 percent of organizations plan to increase their data security budgets by 10 percent or more.
Spending on network security and security operations also is estimated to significantly increase, Shey said. The key areas of focus are on data loss prevention technology followed by database vulnerability assessment, monitoring and auditing, network storage encryption and data discovery technologies. Before investing in data loss prevention technologies, however, organizations need to get a better handle on the core data assets, Shey said.
"Data discovery and classification is an important step that should be undertaken before deploying many of these technologies," Shey said. "You can't apply security controls if you don't know what you're protecting and why you're protecting it."
More firms also are conducting proactive system monitoring, Shey said. Collecting logs from security systems and analyzing them for suspicious activity could have helped detect a breach in progress, say security experts. At the NSA, Snowden reportedly used a variety of credentials to gain access to various systems, scraping data that he later took via flash drives. Most security experts are convinced that if behavioral analysis had been correctly applied, his actions would have been more difficult to carry out. The system would have been alerted or a human could have detected patterns of behavior that were out of the ordinary, said Arthur Hedge, CEO of Morristown, N.J.-based managed security service provider Castle Ventures.
Castle Ventures focuses on monitoring solutions with a strong emphasis on monitoring and analyzing data fed into HP ArcSight security information and event management appliances. In addition to data loss prevention, the company sees a rising interest in file server monitoring technologies, such as Varonis, which can monitor and log who has access to sensitive data.
"We're figuring out what goes on in the environments of the clients we serve," Hedge said. "Compliance is a big driver for why they did things four years ago or so, but I think that has changed. Most CSOs are worried about the threat landscape and they're thinking about it from a risk perspective."
PUBLISHED DEC. 23, 2013