How Important is Data Loss? Ask Iceland’s Former Prime Minister
By Doug Copley, Forcepoint Deputy CISO
It’s hard to look at any tabloid or newspaper today and not see some sort of repercussion from the infamous “Panama Papers” breach – one of the largest leaks of confidential data in history. But why is this pertinent to public and private entities, and what, if anything, should companies be doing differently to protect themselves?
Consistent with other major data leaks, it’s unclear at this point in time exactly how the data was leaked, and Ramon Fonseca, founding partner of the Panamanian law firm at the center of the story, Mossack Fonseca, says the firm is a victim of hacking and this was not a leak from someone inside the company. What’s significant about the Panama Papers is that the implications of the exposed information have global reach. As best we know right now, the information “revealed links to shadowy offshore financial transactions by world leaders” [2], which included some 140 politicians from more than 50 countries. All of these activities were transacted through Mossack Fonseca, a law firm in Panama which specializes in setting up offshore tax shelters for the elite. So far, less than one week from disclosure, three leaders have stepped down after this information became public: the prime minister of Iceland, Sigmundur David Gunnlaugsson, resigned; Michael Grahammer, the CEO of Austrian lender Hypo Landesbank Vorarlberg, resigned; and Gonzalo Delaveau, the president of Transparency International in Chile, resigned. Another important point from this story is that no one has accused anyone mentioned in the disclosure of having broken any law.
This was no ordinary leak, and the ability for journalists to maintain secrecy until the official release was quite astonishing. According to the International Consortium of Investigative Journalists, there were some 11.5 million documents leaked from the Panamanian law firm Mossack Fonseca roughly a year ago. The Panama Papers leak represented a joint, coordinated effort by 376 reporters at more than 100 news outlets in nearly 80 countries. The make-up of the records disclosed was outlined by Süddeutsche Zeitung as follows [3]:
What Caused This, and What Can My Company Do?
Companies around the globe should be asking themselves “how did such a massive number of records get exposed, and how could we prevent a similar outcome with our information?” In the Panama Papers exposure, Mossack Fonseca indicates this particular exposure was the result of a hack. Other similar data breach stories in the headlines have been caused by insider threats. A strong cyber security program using multiple layers of defense is key to defending against both internal and external threats, but let’s take a closer look at how insider threats can cause significant data loss, and outline what companies can do to prevent them.
Data from a 2014 Ponemon Institute study [1] indicated that 88% of organizations recognized that insider threats are cause for alarm, yet less than 40% actually had a budget for insider threat protections, and only 16% were very confident they had visibility into privileged user access. So if insider threats are a known concern for companies, why does it appear so few companies are addressing it?
What is an insider threat? Depending on which expert or analyst you speak to, there are generally three types of insider threats: (1) Malicious insiders, (2) Accidental insiders and (3) Inadvertent insiders. Let’s look at each to understand the seriousness of the threat.
Malicious Insider – The malicious insider is most commonly recognized as the most significant threat among the three. This refers to the individual who may be unhappy in their job, may be angry at their manager or the company because they were passed over for a raise or promotion, or may have philosophical or ideological differences with the company or its leadership. It may also be an employee who is encountering deep financial difficulties. These individuals purposely cause physical harm to the company or its employees, or steal data to use in malicious ways, either for personal gain or to harm the company. The actions are taken with intent, and in most cases the individual knowingly violates company policies and direction in doing so.
Accidental Insider – Like the malicious insider, the accidental insider actually takes action to transmit or store data and in most cases understands the actions they have taken. Unlike the malicious insider, however, this user has no intent to cause harm to the company and doesn’t take action looking for personal gain. In most situations, the accidental insider is just trying to do their job the way they know how to do it, but doesn’t realize that they are putting data at risk in the process. Examples could be someone transmitting sensitive data to other companies insecurely because that’s always been the established process, or someone who clicks “Reply-All” to an email and mistakenly sends sensitive company information to others on the distribution list who are outside the company and not authorized to view that information. The exposure in these cases is typically accidental.
Inadvertent Insider – Sometimes viewed as a subset of the accidental insider, the inadvertent insider is someone who is a threat to the company, but has no knowledge that they are a threat and doesn’t take action to transmit data outside the company. They may be someone working on their laptop at home in the evening, who opened a file infected with malware and spread it to their organization’s network or files. They could also be someone who clicked on a phishing attack and revealed their login credentials or opened a backdoor to their PC where hackers or others could use their PC or credentials to steal data from the company. In either case, the user has no idea their credentials or computer are being used maliciously.
Why are insider threats so difficult to address?
Insider threats, like the leaking of huge amounts of data in the Panama Papers breach, originate from inside the company. Even in today’s day and age, most security budgets are still spent addressing external threats. One of the reasons for this apparent misalignment of budget dollars is the difficulty in recognizing insider threats. It’s much simpler for security teams to detect denial of service attacks from outside the company, or malicious network activity coming or going through the company firewalls, because those either use incorrect user credentials (repeatedly) or try to access resources outside the company that are known to be malicious or at least suspicious. Insider threats, on the other hand, originate from inside the company and use valid user credentials with legitimate access to company data. The identity of the user logging in, and the data being accessed, would not by themselves be an indicator of compromise. To detect an insider threat, organizations need to look deeper into user behavior, not just user access. Monitoring user behavior can be a difficult task, especially without the right tools in place.
We don’t care if most users steal company data.
Often, I see and hear about companies who don’t seem to be concerned with employees taking company data with them. Leadership and the culture either convey the mentality that “we trust our people – they would never steal from the company” or “most employees don’t have access to data that would cause the company material harm if it were exposed.” To them, I ask how confident they are that none of their users have fallen for phishing attacks. Even if the individual doesn’t try to take data with them before they leave the company, someone else may be using their credentials to steal data from the company. Those who feel employees do not have access to data that would cause harm to the company if exposed may be right. But depending on their industry, I ask who in their organization can change user passwords; who can take a credit card payment over the phone; and who can access a patient or customer account? The answers can be some of the lowest paid and most transient positions in a company. In short, companies need to be concerned with data theft from inside the company.
How to Monitor User Behavior
Let’s use a fictitious character “Joe” in the software development team as an example. The fact that Joe logs in at 3:00 in the afternoon and accesses the system that manages the source code of an application would not set off any alarms. But if Joe starts copying source code to a removable SD card in his laptop or starts printing large volumes of source code, that should set off alarms. Would your organization recognize if this activity is occurring?
As with many other threats, the best way to defend against insider threats is by using multiple layers of security. To prevent threats from coming in or leaving the company via email and the web, companies should apply appropriate filtering and sandboxing technologies to evaluate and mitigate those threats. When it comes to user behavior monitoring, there are two effective tools that can be used, and they work best when used together – data loss prevention (DLP) and behavioral analytics. Data loss prevention tools can do a very good job of identifying when sensitive data is attempting to leave the organization – via company email, removable media, printing or uploading to web or web mail programs or consumer network storage programs like OneDrive and Google Drive. Forcepoint’s data loss prevention tool is even intelligent enough to identify sensitive data in photos and screen capture images. Behavioral analysis tools look at user activity over a period of time and baseline that activity (determine what is “normal”). When a user begins taking actions or performing activities outside of the “normal” baseline activity, alerts are generated and the user is identified as being at a higher level of risk. This could be normal, such as financial analysts working more hours than normal and outside normal business hours at year-end, but it could also be an indicator of potential data theft that has occurred or may occur very soon. When used together, a typical DLP event may not raise a concern, but if the user is also behaving out of the ordinary, this risk will be elevated to a higher level to be investigated.
Over What Period of Time is Information Typically Leaked?
What we don’t know from most insider breaches is over what period of time the data was taken. Did tens of thousands of documents go out daily over the course of a year? Did a million documents a day go out over the course of 2 weeks, or were hundreds of documents stolen every day over the course of several years? Was the source of the breach a malicious insider, a broken business process or an inadvertent insider? Regardless of which scenario it was, companies need their DLP and behavioral analytics tools tuned to detect such activity, and should have blocks in place to prevent the removal of sensitive data from both company and non-company devices. In addition, companies need to make sure their security and privacy training is relevant, timely and periodic so that users do not fall prey to phishing and similar attacks and find out they are the inadvertent insider.
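The “Joe” scenario in the user behavior section and the burst-versus-slow-drip question above can both be checked with the same logic. The Python below is an added example, not code from the original post and not Forcepoint’s product: it learns a per-user daily baseline for source-code files copied to removable media or printed, scores each new day against that baseline, escalates risk when a DLP event and a behavioral anomaly coincide, and separately sums volume over a trailing 30-day window so that “hundreds of documents a day over years” is caught even when no single day looks unusual. The users, counts, log layout, and the 3-sigma and 200-file thresholds are all constructed assumptions.

```python
"""Added example: per-user behavioral baseline + DLP correlation + rolling
window volume check. All data and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import mean, pstdev


def make_sample_log():
    """Constructed activity log: one record per (user, day) with the number of
    source-code files copied to removable media or printed that day, and a
    flag for whether a DLP policy fired for that user on that day."""
    log = []
    # "joe": steady 4/5/6 files a day for 30 days, then a 250-file burst with a DLP hit.
    for day in range(30):
        log.append({"user": "joe", "day": day, "files": [4, 5, 6][day % 3], "dlp": False})
    log.append({"user": "joe", "day": 30, "files": 250, "dlp": True})
    # "ann": the same 30-day baseline, then 40 days of a modest 7 files a day (low and slow).
    for day in range(30):
        log.append({"user": "ann", "day": day, "files": [4, 5, 6][day % 3], "dlp": False})
    for day in range(30, 70):
        log.append({"user": "ann", "day": day, "files": 7, "dlp": False})
    return log


def build_baselines(log, baseline_days=30):
    """Learn what is 'normal' per user: mean and population standard deviation
    of daily file counts over the first `baseline_days` days."""
    history = defaultdict(list)
    for e in log:
        if e["day"] < baseline_days:
            history[e["user"]].append(e["files"])
    return {user: (mean(v), pstdev(v)) for user, v in history.items()}


def zscore(value, baseline):
    """Standard deviations above/below the user's own baseline."""
    m, s = baseline
    if s == 0:
        return 0.0 if value == m else float("inf")
    return (value - m) / s


def daily_risk(event, baselines, z_threshold=3.0):
    """Combine the behavioral signal with the DLP signal for one user-day.
    DLP hit alone or anomaly alone -> 'medium'; both together -> 'high'."""
    anomalous = zscore(event["files"], baselines[event["user"]]) > z_threshold
    if anomalous and event["dlp"]:
        return "high"
    if anomalous or event["dlp"]:
        return "medium"
    return "low"


def rolling_window_alerts(log, window=30, max_files=200):
    """Return {user: first_day} for users whose files over any trailing
    `window` days exceed `max_files`. Catches slow leaks that stay under the
    per-day z-score threshold."""
    per_user = defaultdict(dict)
    for e in log:
        per_user[e["user"]][e["day"]] = e["files"]
    alerts = {}
    for user, days in per_user.items():
        for end in range(max(days) + 1):
            total = sum(days.get(d, 0) for d in range(end - window + 1, end + 1))
            if total > max_files:
                alerts[user] = end
                break
    return alerts


if __name__ == "__main__":
    log = make_sample_log()
    baselines = build_baselines(log)
    for e in log:
        if e["day"] >= 30:
            r = daily_risk(e, baselines)
            if r != "low":
                print(f"day {e['day']:>2} {e['user']}: {e['files']} files, dlp={e['dlp']} -> {r}")
    print("rolling-window alerts (user -> first day over limit):", rolling_window_alerts(log))
```

Joe’s burst is flagged on the day it happens (the z-score is far above 3 and the DLP event lifts it to “high”), while Ann’s 7-files-a-day pattern never trips the per-day check; only the trailing-window sum catches her, which is the reason to run both checks rather than either one alone.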
Your Breach, Your Failure?
Even the best defended companies and executives can fall victim to insider threats, and they may not even be from your own organization. Like the Ashley Madison breach, the Panama Papers event occurred at a specific company, yet the ramifications were felt around the world by individuals who placed their trust in that company. Not all effects of breaches can be prevented, but government regulators, industry groups and cyber insurance companies are paying close attention to make sure your company isn’t the source of the next breach affecting individuals or companies across the globe. As a positive outcome of the Panama Papers event, expect government regulators from around the globe to push for stronger financial transparency from both individuals and corporations.
Are you doing everything you should to identify and address data loss from within your organization?
[1] Privileged User Abuse & The Insider Threat, report conducted by Ponemon Institute, May 2014, commissioned by Raytheon. https://www.forcepoint.com/resources/industry-analyst-reports/privileged-user-abuse-insider-threat-ponemon-institute-may-2014
[2] http://www.usatoday.com/story/money/columnist/rieder/2016/04/06/rieder-how-panama-papers-came-together/82703182/