What does the name “Panama Papers” bring to your mind? Outed tax evaders? Exposed grafters? Money launderers? Or like me, does your mind go straight to the risk and prevention of insider security breaches?
For those of you who don’t habitually pore over the financial or security press, the Panama Papers refers to a massive and lengthy data breach that resulted in 11.5 million leaked banking documents regarding 214,488 offshore entities. The leaks poured into the offices of German newspaper Süddeutsche Zeitung over the course of a year. Documents included confidential emails between lawyers and clients, private financial records, and so forth.
The leaker, who unimaginatively goes by “John Doe,” claims to have never worked for any government or intelligence agency. He simply had access to the documents. This suggests that Mr. Doe is likely an insider at the breached firm, Mossack Fonseca—and not just any insider, but an insider with privileged access to sensitive information.
Setting aside the political implications, the Panama Papers leak is yet another recent example of why organizations need to evaluate the way they address insider risk.
Understanding the Motives Behind Insider Risk
Inside attackers often have different motives and characteristics than outside attackers do. Like outside attackers, some seek financial gain.
For example, an AT&T employee installed unauthorized software that granted a third party the ability to hold customer data hostage in exchange for $20,000.
But others—like John Doe and Edward Snowden (of NSA notoriety)—act out of ethical or political concerns. These attackers, or hacktivists, feel responsible for exposing alleged wrongdoings. Some insiders attack outright, while others create vulnerabilities that outsiders can exploit.
In addition to deliberate insider attacks, organizations must address the risk of inadvertent attacks, which can occur in a number of ways. For example, exiting employees can unwittingly exfiltrate company data, as a Federal Deposit Insurance Corp. (FDIC) employee did earlier this year. A data loss prevention tool at the FDIC detected this employee’s download of information for 44,000 banking customers. The employee claimed that the data exfiltration was inadvertent and returned the personal device he used to download the data four days later, along with the downloaded data.
This example illustrates that even users who aren’t necessarily malicious still present risk because of negligence, a lack of cyber security education, or both. How many employees fall victim to spear phishing tactics or store sensitive files in insecure cloud storage services? Answer: a lot of them.
Understanding the reasons for and the mechanics of deliberate or accidental insider attacks can help you formulate an effective solution for addressing the risks these attacks pose to your organization.
Appropriate Security Controls for Insider Threats
The type of security controls you implement should be unique to your organization. But besides the obvious data loss prevention software, there are some additional solutions to consider:
In earlier examples, I mentioned that security personnel didn’t notice that privileged users were abusing their access. One user (the AT&T employee) was even able to install malware with no one the wiser.
To curtail risk, implement controls that limit privileged user commands. Privileged session management software that monitors or records activity can also be effective. If privileged users know security personnel are monitoring them, they’re less likely to act inappropriately.
In addition to preventing data loss, data loss prevention tools can detect data exfiltration and act as important controls. But augmenting these tools is essential. Use group policy to block data transmission via USB ports and use file integrity monitoring to check for unexpected changes.
Reduce the risk of excessive access with an identity governance program. If an insider attack occurs, minimized rights can mitigate the damage. Collecting and certifying entitlements is a preventative measure that can reveal outside-of-policy access, and the process of revoking this access should be monitored to ensure the loop gets closed.
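As an added illustration (not from the original article), the certification loop described above can be sketched as a comparison of collected entitlements against a role policy, followed by a check that each revocation actually took effect in a later snapshot. The role names, entitlement strings and snapshots are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role policy (hypothetical names): entitlements each role may hold.
ROLE_POLICY = {
    "paralegal": {"dms:read"},
    "partner": {"dms:read", "dms:write", "billing:read"},
    "it-admin": {"dms:read", "mail:admin", "backup:admin"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    entitlement: str

def outside_policy(grants):
    """Return grants not allowed for the holder's role; unknown roles allow nothing."""
    bad = [g for g in grants if g.entitlement not in ROLE_POLICY.get(g.role, set())]
    return sorted(bad, key=lambda g: (g.user, g.entitlement))

def open_revocations(tickets, later_grants):
    """Return revocation tickets whose access still exists in a later snapshot."""
    still_held = {(g.user, g.entitlement) for g in later_grants}
    return sorted(t for t in tickets if t in still_held)

def certify(before, after):
    """One certification cycle: flag violations, then verify each revocation."""
    violations = outside_policy(before)
    tickets = [(g.user, g.entitlement) for g in violations]
    return violations, open_revocations(tickets, after)

# Constructed snapshots of collected entitlements, before and after revocation.
SNAPSHOT_BEFORE = [
    Grant("alice", "paralegal", "dms:read"),
    Grant("alice", "paralegal", "mail:admin"),   # outside policy
    Grant("bob", "partner", "billing:read"),
    Grant("carol", "it-admin", "dms:write"),     # outside policy
    Grant("dave", "contractor", "dms:read"),     # role unknown to the policy
]
SNAPSHOT_AFTER = [
    Grant("alice", "paralegal", "dms:read"),
    Grant("bob", "partner", "billing:read"),
    Grant("carol", "it-admin", "dms:write"),     # revocation never applied
]

if __name__ == "__main__":
    violations, still_open = certify(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for g in violations:
        print(f"outside policy: {g.user} ({g.role}) holds {g.entitlement}")
    for user, ent in still_open:
        print(f"loop not closed: {user} still holds {ent}")
```
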
Even after you set up controls for insiders, you still need some protection from outsiders who hijack insider credentials. Employing two-factor authentication for access to sensitive information and intellectual property can help fight malicious outsiders. If users fall victim to a phishing attack or have their credentials compromised through social engineering, the attacker will still have to obtain a second factor such as a biometric input.
Make Your Case for Mitigating Insider Threat
Keeping up with the varieties of insider threat, let alone other kinds of cyber threats, is challenging. And not every variation applies to every organization. However, when stories like the release of the Panama Papers break, it’s an opportunity to evaluate the level of risk within your organization. Every organization is vulnerable to insider threat. It’s time to make the case for the appropriate budget to address it.
Do you want to know more?
At the Cyber Security Event 2016, you can learn from Micro Focus how to protect your organisation against cyber crime and other cyber security risks.