Addressing Cybersecurity and the Insider Threat
In the wake of massive data breaches such as those at the U.S. government’s Office of Personnel Management, health insurer Anthem and retailer Target, an enterprise’s initial reaction might be to tighten the security around networks and data. However, you may be forgetting one critical component: the insider threat.
According to a June SpectorSoft report, 62 percent of security professionals polled said insider incidents are up at their organizations, and privileged users are often the prime suspect. The report also found that security professionals could not determine if the enterprise had suffered more attacks or not. Of those who could, the average number of incidents was 3.8 per enterprise. The top insider threats identified were data leaks (63 percent), inadvertent data breaches (57 percent) and malicious data breaches (53 percent).
As enterprises work to lock down their networks, malicious actors will work to find the next best way in – your employees.
This does not mean that all employees are hackers or saboteurs in the making, however. But inadvertent data breaches, such as employees clicking on unsafe links, not adhering to password security requirements or accidentally forwarding a sensitive document, can cause similar damage. According to a June Trustwave report, half of the point-of-sale breaches across 15 countries in 2014 were the result of weak passwords. Also, an outsider can conduct an attack by stealing or manipulating a privileged insider’s credentials to get more access. These actions count as insider threats, both at international enterprises and small businesses alike.
“If you’re a company, and you’re making money, you’re a target,” says Douglas Thomas, Director of Counterintelligence Operations and Corporate Investigations for Lockheed Martin, adding that while a large enterprise might be able to survive the consequences of a major cyberattack or breach, a small or midsized business is much more likely to go bankrupt.
Abuse of Privilege
Credential escalation and credential theft by outsiders is one of the main concerns for Paul Calatayud, the CISO for health information network company Surescripts, which manages health transaction information (patient records, electronic prescriptions) for 900,000 providers, 60,000 pharmacies and 3,000 hospitals.
“Say ‘insider threat,’ and a lot of people automatically think an employee with a will to harm the company, but it could be a nation-state, an external actor… their ability to imitate your employees’ privileges changes the game,” Calatayud says.
“At its root, an insider threat is an abuse of privilege,” he adds. “Recent breaches have shown external actors’ success in obtaining administrative account information, which then lets them create subsequent accounts that they can access and manipulate. Account creation is a threat indicator for us – we watch for new domain administrator profiles, and use network and technology solutions to detect deviations from existing users’ patterns to find anomalies.” For example, if an HR administrator were to create a privileged account at 2 a.m. with no new hires, this would be a bright red flag.
Working with risk management platform LockPath, it takes Surescripts about six months to get an adequate baseline of normal activity on its network, and about three months to get an accurate picture of a user’s patterns and behavior. Depending on the level of sensitivity a user deals with regularly, Calatayud says, you could add more in-depth Big Data gathering, such as click analytics and typing patterns to further detect unusual behavior.
“This Big Data helps us watch for fraud, even for our customers, such as a doctor writing an unusual volume of prescriptions,” he says. “By getting visibility into our data use at a granular level, it helps us make risk-based business decisions, and gather metrics to support those decisions.”
At social networking site Pinterest, bringing some visibility into the unknown is the goal for Security Engineering Lead Paul Moreno’s team. Pinterest combines machine learning and some internal tools to build a baseline of departments’ general activity and get a granular picture of atypical behaviors (such as accessing international sites) that might actually fall within that department’s purview. This helps to squash irrelevant alerts and false alarms. Moreno is using Vectra Networks’ cloud-based analysis program as an additional headcount for his department; the tool helps to filter out some of the noise of false alarms.
Well Informed, Well Prepared
Gaining insight into internal behavior is helpful, but not the end-all of presenting insider threat and other network risks to the C-Suite, of course.
“Never waste a good incident,” Moreno says. “The Heartbleed vulnerability was a game changer at Pinterest, because almost everything is SaaS (Software as a Service) or cloud-based here.” By using the momentum of interest over the Heartbleed Bug, Moreno was able to get employees to adopt and adhere to an incident response plan, which includes a hefty discovery process. “You have to know your attack surface, as well as your third-party vendors’ activities and patching habits. We documented this along the way, so it’s sharable to company leadership, and we can show the data driving our decision-making.”
Mike Belloise, Director of Information Security at healthcare benefits and payroll transaction company TriNet, is also a believer in not wasting bad news. “It takes very, very little to cause a terrible incident at a company of any size. High-profile data breaches such as those of Target, Home Depot and even the federal government make headline news and serve as a gut-check for security professionals. We have to ask ‘Do we have that covered?’ and learn from these scenarios. C-level leaders read these headlines, so we have to be prepared to answer their questions about our own defenses.”
Belloise keeps his department agile by using metadata like an SIEM (security information and event management) tool. Because TriNet deals with sensitive data and must contend with compliance regulations, there are filters on sensitive content sending, so the system will automatically detect and block records from being sent outside the appropriate departments or privilege levels.
TriNet also works with SecurityScorecard to evaluate third-party vendors and tools to understand their security postures and monitor specific threat indicators to keep Belloise informed about potential weaknesses. One major weak link that all enterprises cannot avoid, however, is employees.
“The IT security industry has seen a recent upswing in email phishing scams to get into an organization’s network,” says Belloise. “Education is paramount to information security. We work to educate our employees and the C-Suite with awareness training, in-house phishing testing and annual education modules. ... We’re getting even more interaction from the company, and even more suspicious emails or other issues reported to our teams, which is an indicator our security awareness training is working.”
At French biometrics and access management company Safran Morpho, employees at every level undergo two to three mandatory annual training sessions to gain more security awareness. According to Vice President of Digital Security and Authentication Laurent Porracchia, “Once an employee clicks on an infected document, it’s too late. We want to train our employees to call the help desk as soon as they have doubts about an email, not after. Malware now can steal information without leaving any major trail, and we need to protect our intellectual property and our databases.
“If we want to keep our leading place in the market, we have to keep our secrets,” Porracchia adds. “So we have to know what is really sensitive data and what isn’t.” Safran Morpho is using email classification tool TITUS to rank every document and asset in the company, and it automatically adds security measures to more sensitive documents. For a classified report, for example, only a small group with network privileges can access it, and the policies in place prevent them from forwarding those documents, copying them onto USB drives or printing them.
The Heartbeat of Cybersecurity
In the summer of 2011, the Lockheed Martin CSO sent out a survey to employees about their personal knowledge of threats from nation states and competitors. About 38 percent felt they had some knowledge of their risks. After the implementation of Douglas Thomas’s Counterintelligence division and the subsequent awareness campaign, 82 percent of employees polled in summer 2014 felt they had a good understanding of threats and what to do if they are suspicious.
“There is a shifting threat landscape, and nation states and hackers are targeting corporate America more than the U.S. government,” Thomas says. “Employees themselves are targets for their access privileges, and we needed to get the message out.” The division leverages existing processes to distribute consistent messages. As all Lockheed Martin employees are required to take annual ethics training and obligation to protect intellectual property training classes, each class features a small counterintelligence section. The company’s 65,000 clearance holders also have annual training sessions on protecting classified information, and a small video is included from Thomas’s team.
“We want to encourage a culture of engagement, not ‘snitching,’” Thomas says. “We emphasize the indicators of unusual behavior.”
For example, if the quality of a Lockheed Martin employee’s work suddenly falls a few pegs, or they begin asking for access to unauthorized information, they might be adjusting to a new position or working on a new project, but it’s worth looking into, Thomas says.
“We are going to see more human-enabled cyberattacks as networks get hardened,” he says. “We have to look for the heartbeat (human behavior) along with network activity. The data that our network tools analyze is all objective. We have to assign parameters to that data to get alerts – subjective analysis.”
At the Law Offices of Joe Bornstein, based in Maine, IT manager Chris Berube uses insight from data storage analysis tool DataGravity to determine whether information is in the correct place on the network (company credit card information stays with the finance department and not HR, for example) and to investigate which files an attorney has accessed before they leave the firm.
“The Anthem breach hit home for just about everyone,” says Berube. “The next tier of targets will include industries that deal with both finance and healthcare on a regular basis, so we need to prepare and educate our employees and partners about email encryption and other security measures. If stolen, our data could be used to impersonate clients, so we’re striving to be HIPAA-compliance in our office.”
By analyzing the Big Data that these tools can collect, enterprise security leaders can gather internal metrics for the C-Suite, both on discovered (or prevented) insider threats and exonerations.
Sometimes, however, this requires a culture shift. Just as an insider threat might stem as easily from a careless employee’s email as a nation-state’s corporate spy, so might an insider breach occur from an ill-placed computer screen.
According to Kate Borten of consulting firm The Marblehead Group and the Visual Privacy Advisory Council, careless placement of computer screens, documents or other sensitive materials could result in a visual hacking incident. This includes mobile workers who bring their laptops and documents to the local café, or who are reading up on different documents, patient files or intellectual property information in airports, on trains or other public places. One of the most obvious places for potential visual hacking is healthcare establishments.
“The HIPAA security rule applies only to electronic data, so many organizational security programs in healthcare and other industries are often based in IT and focus on technology,” says Borten. “So you can presume that the technology is implemented on the back end, but sometimes information isn’t being protected on the front end, such as when it is printed or shown on a screen. You have to consider who can see the information where it is displayed to colleagues, other employees, the public… This has the potential to be a HIPAA data breach. Just looking over someone’s shoulder, you might not be able to see large amounts of data, but it still counts as an unauthorized disclosure, a confidentiality breach. That breach could have a life-altering impact on the individual, and it’s incredibly difficult to track and investigate.”
According to a Ponemon Institute study, sponsored jointly by 3M Company and the Visual Privacy Advisory Council, in 88 percent of instances, a white hat hacker was able to visually hack corporate information including employee access and login credentials, confidential and classified documents, financial or budget information, or attorney-client privilege documents. Fifty-three percent of the information gleaned during the penetration test was deemed sensitive.
Borten recommends that security leaders take confidentiality challenges into their own hands and walk around the facility and observe: are there sensitive documents or patient information on counters, in the trash, or waiting on the printer? Can you see computer screens from hallways and corridors? Can you take documents with you outside the enterprise, either on paper or on devices?
“This problem requires a culture change,” she says. “We need strong role models to advocate for privacy controls, including turning computers away from common spaces, adding privacy screens or filters, and getting the C-Suite on board. A visual hacking incident could count under HIPAA violations as willful neglect, and it could easily get into the news.
“People are not often as aware as they should be,” Borten adds.
Keeping up to date with cybersecurity news, insider threat analysis and different attack patterns requires continuous vigilance on the network, as well as employee monitoring and education.