By Augustin Kurian, Senior Feature Writer, CISO MAG

Information security expert and author Jason Coulls keeps an eye, in his spare time, on cybersecurity issues affecting Canadian banks and telecommunication companies. In June 2017, while browsing GitHub, the online code-sharing and version-control service where developers often publish their open-source projects, he spotted a large trove of sensitive documents belonging to several American, Canadian, and Japanese financial institutions. The publicly accessible repository contained migration plans, estimates, presentations, and other sensitive material that could have put those companies at risk. He counted data from six Canadian banks, two American financial organizations, a multinational Japanese bank, and a multibillion-dollar software company.
Further research into the breach revealed that the leak was either an accidental mistake or a rather enormous failure of common sense by a developer working with Indian IT services giant Tata Consultancy Services (TCS). Coulls immediately notified the banks about the leak. “This was a new level of monumental head scratching activity, as you could literally fork or clone an entire repository containing architecture details and roadmaps for some of the largest financial institutions in North America,” he wrote in his blog.
“The good news is that none of it was banking customers’ data, it was mainly auxiliary data,” Coulls told The Register after the incident. “But there was still a lot of useful stuff there – not just for hackers but for the firm’s competitors. The first bank that gets in to look at it gets to see what everyone else is doing.” Coulls also roasted TCS for not firing the employee immediately once the incident was discovered.
There are some takeaways from this incident. First, you are only as strong as your weakest link, and that link may be an employee making a careless mistake or, as in this case, someone working for a third-party organization or vendor.
The incident highlights the havoc accidents can wreak, but it may be even more staggering that one in four employees has intentionally leaked confidential data. That figure comes from a survey of 2,000 UK workers by data privacy and risk management company Egress Software Technologies; it is likely that even the researchers did not anticipate such a dramatic result.
The report found that employees who leaked information were most likely to share it with a new or former employer, or even a competitor, and that the information ranged from bank details to customer information. Nearly half of the respondents also said they had already deleted, or would delete, emails from their sent folder if they felt the need to cover their tracks.
Whether intentional or unintentional, insider threats are far larger than we tend to anticipate. A survey by Vanson Bourne concluded that insiders pose a greater risk to companies than external threats such as hackers: it found that 74 percent of cyber incidents originate from within organizations, with 42 percent of threats coming from employees alone. “When considering the extended enterprise, meaning employees, customers, suppliers, or even previous employees, the number increases to 74 percent. Although most companies, 65 percent, believe that these inside incidents are accidental, that data still suggests a serious need for more extensive security education within businesses,” a report on ITPRO suggested.
According to an earlier Insider Threat Report by CA Technologies, nearly 90 percent of organizations feel vulnerable to insider attacks. The report identified the major risk factors as users with excessive access privileges, employees bringing their own devices to work, and the increasing complexity of the information security space. More than half of the respondents confirmed insider attacks against their organization in the past year, and a quarter felt that insider attacks are becoming more frequent.
On the brighter side, a large majority of companies are deploying insider threat programs, shifting their focus to the detection of insider threats as well as deterrence, analysis, and forensics. “Thirty-six percent have a formal program in place to respond to insider attacks, while 50% are focused on developing their program,” the survey suggested.
Nipping it in the bud
Threats like insider attacks need to be nipped in the bud right from the beginning, in other words during the hiring process. This is where the role of HR becomes crucial. “As with many organizational behaviors, HR has a role to play in ensuring the workplace culture is aware of issues around data. One thing HR could do to minimize the malicious leaking of information is ensure concerns are both raised and dealt with in a fair way that does not compromise the overall employee experience,” David D’Souza, the CIPD’s head of London, told People Management. “There will always be a minority of people who are opportunistic, so there should be a shared responsibility between HR and IT on how to deal with such incidents, depending on their severity. Steps that can be taken to minimize the risk could be as simple as reminding people at the point they resign about rules on data protection around other organizations and information.”
There are several touch-points throughout an employee’s career on which HR must focus. The CERT Insider Threat Center lists best practices organizations can adopt to protect themselves from insider threats, including maturing insider threat programs, tracking terminated employees, improving employee engagement, developing a watch list of employees showing behavioral indicators, and adding insider threat awareness training to general security awareness training.
Renee Brown Small, CEO of Cyber Human Capital and author of Magnetic Hiring, discussed new-hire on-boarding in her earlier columns for CISO MAG.
“During on-boarding, the new employee is provided with mandatory training. Insider threat awareness training should be added to the training deck an employee must complete. It can also be administered during the times of the year that there may be higher cases of security breaches or insider threats,” she writes. She also writes about the importance of expanding mandatory vacation policies: “Many organizations have roles – typically in finance, payroll, or trading – where the employee is subject to mandatory vacation. These policies should be expanded to some high-risk IT roles where employees have access to admin rights that could be a threat to the company if used maliciously.”
Authentication and the future of biometrics
Insider threats are evidently as serious as any other threat. Countering them calls for risk-based authentication that draws on signals such as proximity, behavior, and biometrics. Jeff Carpenter, Vertical Market Director, Authentication, at Crossmatch, explained in an interview with CISO MAG how keystroke behavioral biometrics can help combat insider attacks.
“It works like this: as you’re typing your password, the software can look at how you’re typing a password, your lift, your movement across the keyboard, your stroke, your press. With this keystroke behavioral biometric, we are able to distinguish between one user and another. To a casual observer watching two users type in the same password, the differences are almost impossible to detect; but to a computer algorithm, the difference between the two users is completely distinguishable. We can again feed that into the risk engine and that becomes one more factor that will determine whether that user should get the access or not.”
According to him, behavioral biometrics will also enable continuous authentication, gradually eliminating the need for users to log in repeatedly.
He also discusses several other innovations in the authentication space, where users’ unique actions are tracked to build individual biometric profiles using artificial intelligence and machine learning, starting from signals as simple as how you hold your phone. “The gyroscopic sensors inside of your mobile device create a unique biometric with how you hold that phone. Mouse movements are another biometric: how you move your mouse, for example, to wake up your PC when it goes to sleep, is very unique to you. Machine learning can pick up the differences. Innovations like this are very exciting in the future and have the potential to provide even more convenience for users and more security for organizations,” he elaborates.
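The mechanics Carpenter describes are easy to see in code. The block below is an added illustration, not Crossmatch’s product code: it turns raw key press and release timestamps into the two classic keystroke-dynamics features (dwell, the “press”, and flight, the “movement across the keyboard”), enrols a user from a few samples of the password, scores a new attempt by how far its timing departs from that template, and feeds the score into a toy risk engine where it is one factor alongside the password check. The password, the timings, the 5 ms spread floor and the 2.0 step-up threshold are all constructed assumptions.

```python
"""Keystroke-dynamics scoring as one factor for a risk engine.

Added illustration, not Crossmatch's product code: a toy enrolment/verification
loop over constructed press/release timestamps for the password "s3cret!".
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

# One key event: (key, press time, release time), all in milliseconds.
KeyEvent = Tuple[str, float, float]


def extract_features(events: Sequence[KeyEvent]) -> Dict[str, float]:
    """Raw timestamps -> timing features: 'dwell' (how long a key is held, the
    'press') and 'flight' (gap from releasing one key to pressing the next,
    the 'movement across the keyboard')."""
    feats: Dict[str, float] = {}
    for i, (key, down, up) in enumerate(events):
        feats[f"dwell[{i}:{key}]"] = up - down
        if i > 0:
            feats[f"flight[{i - 1}->{i}]"] = down - events[i - 1][2]
    return feats


@dataclass
class Profile:
    """Enrolment template: mean and spread of every timing feature for one user."""
    mean: Dict[str, float]
    std: Dict[str, float]


def enroll(samples: Sequence[Sequence[KeyEvent]]) -> Profile:
    rows = [extract_features(s) for s in samples]
    names = list(rows[0])
    mu = {n: mean([r[n] for r in rows]) for n in names}
    # Floor the spread (assumed 5 ms) so a very consistent typist is not
    # rejected for natural jitter and we never divide by zero.
    sd = {n: max(pstdev([r[n] for r in rows]), 5.0) for n in names}
    return Profile(mu, sd)


def keystroke_distance(profile: Profile, attempt: Sequence[KeyEvent]) -> float:
    """Scaled Manhattan distance: mean of |x - mean| / std over all features.
    Roughly 'how many standard deviations off, averaged over the keystrokes'."""
    feats = extract_features(attempt)
    return mean([abs(feats[n] - profile.mean[n]) / profile.std[n] for n in profile.mean])


def risk_decision(password_ok: bool, distance: float, threshold: float = 2.0) -> str:
    """Toy risk engine: the biometric is an extra factor, not a replacement for
    the password. Returns 'deny', 'allow' or 'step-up' (ask for another factor)."""
    if not password_ok:
        return "deny"
    return "allow" if distance <= threshold else "step-up"


def typed(password: str, dwells: Sequence[float], flights: Sequence[float]) -> List[KeyEvent]:
    """Build a KeyEvent sequence from per-key dwell times and inter-key flight times."""
    events, t = [], 0.0
    for i, ch in enumerate(password):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0.0)
    return events


# Constructed timings (ms) for the legitimate user; an impostor who knows the
# password types it more slowly and with longer pauses between keys.
PASSWORD = "s3cret!"
BASE_DWELL = [90, 80, 100, 85, 95, 80, 110]
BASE_FLIGHT = [120, 140, 110, 130, 150, 125]


def demo_scores() -> Dict[str, float]:
    """Enrol from three jittered samples, then score a genuine and an impostor attempt."""
    enrolment = [typed(PASSWORD, [d + j for d in BASE_DWELL], [f + 2 * j for f in BASE_FLIGHT])
                 for j in (0, 5, -5)]
    profile = enroll(enrolment)
    genuine = typed(PASSWORD, [d + 3 for d in BASE_DWELL], [f + 6 for f in BASE_FLIGHT])
    impostor = typed(PASSWORD, [d + 60 for d in BASE_DWELL], [f + 140 for f in BASE_FLIGHT])
    return {"genuine": keystroke_distance(profile, genuine),
            "impostor": keystroke_distance(profile, impostor)}


if __name__ == "__main__":
    for who, d in demo_scores().items():
        print(f"{who}: distance={d:.2f} -> {risk_decision(True, d)}")
```

Both attempts contain the correct password; only the timing template separates them, which is the point of the quote: the casual observer sees the same characters, the algorithm sees two different typists. In a real deployment the distance would be one input to the risk engine next to device, location and session signals, and a high score would trigger step-up authentication rather than an outright denial.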
AI is already being used for this purpose. It can be taught the behavioral patterns of employees and organizations, such as regular file transfers off the corporate network onto removable media, and to flag anomalies that depart from those routines, such as activity well outside a user’s normal shift. Unsupervised machine learning is a newer approach that is catching up. “This method is much like learning by observation, whereby a computer ingests data and distinguishes patterns on its own,” VentureBeat notes.
Aaron Tuor and Samuel Kaplan of Western Washington University, Bellingham, and Nicole Nichols and Sean Robinson of Pacific Northwest National Laboratory, Seattle, in a study titled “Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams,” presented an online deep learning architecture that produces “interpretable assessments of anomaly for the task of insider threat detection in streaming system user logs.”
They pointed out that insider threats rarely fit a single template and often take new and different forms, which makes them impractical to model directly. Their system instead models “normal” behavior and flags anomalies as potential malicious activity. “Our approach is designed to support the streaming scenario, allowing high volume streams to be filtered down to a manageable number of events for analysts to review. Further, our probabilistic anomaly scores also allow our system to convey why it felt a given user was anomalous on a given day (e.g. because the user had an abnormal number of file uploads between 6 pm and 12 am). We hope that this interpretability will improve human analysts’ speed and accuracy.”
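The authors’ model is a deep neural network trained online; the block below, added here as an illustration and not the authors’ code, keeps only the shape of the idea with a simple per-feature z-score in place of the network. It builds a per-user baseline of “normal” activity counts from a log stream, scores each new user-day by how far it departs from that baseline, filters the stream down to the user-days that clear a threshold, and attaches to each alert the feature that drove the score (for example, file uploads between 18:00 and midnight). The log lines, the time-of-day windows, the 1-event spread floor and the 4.0 alert threshold are constructed assumptions.

```python
"""Baseline-then-anomaly triage over user activity logs, with a reason attached
to every alert. Added illustration with a simple per-feature z-score in place
of the paper's neural network; the log lines below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

# Time-of-day buckets (assumed): the count of each event type per bucket is one feature.
WINDOWS = ((0, 6), (6, 12), (12, 18), (18, 24))


def window_label(hour: int) -> str:
    for lo, hi in WINDOWS:
        if lo <= hour < hi:
            return f"{lo:02d}-{hi:02d}"
    raise ValueError(f"bad hour {hour}")


def parse_line(line: str) -> Tuple[str, str, str]:
    """'2017-06-01T09:15:22 alice logon' -> ('2017-06-01', 'alice', 'logon@06-12')."""
    ts, user, event = line.split()
    day, clock = ts.split("T")
    return day, user, f"{event}@{window_label(int(clock[:2]))}"


def daily_counts(lines: Iterable[str]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """One feature vector (feature -> count) per (user, day)."""
    counts: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, user, feat = parse_line(line)
        counts[(user, day)][feat] += 1
    return counts


@dataclass
class Baseline:
    mean: Dict[str, float]
    std: Dict[str, float]


def build_baselines(counts, baseline_days) -> Dict[str, Baseline]:
    """Per-user 'normal': mean and spread of each feature over the baseline days.
    A feature a user never showed gets mean 0 later, so new kinds of activity stand out."""
    rows = defaultdict(list)
    for (user, day), vec in counts.items():
        if day in baseline_days:
            rows[user].append(vec)
    baselines = {}
    for user, vecs in rows.items():
        names = {f for v in vecs for f in v}
        mu = {f: mean([v.get(f, 0) for v in vecs]) for f in names}
        # Floor the spread at one event so a perfectly regular user can still be scored.
        sd = {f: max(pstdev([v.get(f, 0) for v in vecs]), 1.0) for f in names}
        baselines[user] = Baseline(mu, sd)
    return baselines


def score_user_day(base: Baseline, vec: Dict[str, int]) -> Tuple[float, str]:
    """Anomaly score = largest positive z-score across features; the explanation
    names the feature that produced it, which is what an analyst needs first."""
    best, why = 0.0, "within baseline"
    for feat, n in vec.items():
        mu = base.mean.get(feat, 0.0)
        z = (n - mu) / base.std.get(feat, 1.0)
        if z > best:
            best, why = z, f"{n} x {feat} vs baseline mean {mu:.1f}"
    return best, why


def triage(lines: Iterable[str], baseline_days, threshold: float = 4.0) -> List[Tuple[str, str, float, str]]:
    """Filter a stream of user-days down to the ones worth an analyst's time."""
    counts = daily_counts(lines)
    baselines = build_baselines(counts, baseline_days)
    alerts = []
    for user, day in sorted(counts):
        if day in baseline_days or user not in baselines:
            continue
        score, why = score_user_day(baselines[user], counts[(user, day)])
        if score >= threshold:
            alerts.append((user, day, round(score, 2), why))
    return alerts


DAYS = [f"2017-06-{d:02d}" for d in range(1, 7)]
BASELINE_DAYS = set(DAYS[:5])  # first five days establish 'normal'; day six is scored


def constructed_log() -> List[str]:
    """Constructed sample: regular daytime activity every day, then alice uploads
    a dozen files between 18:00 and midnight on the sixth day."""
    lines = []
    for day in DAYS:
        lines += [f"{day}T{h}:05:00 alice logon" for h in ("08", "09", "11")]
        lines += [f"{day}T{h}:30:00 alice file_upload" for h in ("13", "15")]
        lines += [f"{day}T08:45:00 bob logon", f"{day}T14:10:00 bob file_upload"]
    lines += [f"{DAYS[5]}T{18 + m // 3}:{(m % 3) * 15:02d}:00 alice file_upload" for m in range(12)]
    return lines


if __name__ == "__main__":
    for alert in triage(constructed_log(), BASELINE_DAYS):
        print(alert)
```

Run stand-alone, the script emits a single alert for alice on the sixth day, explained by the evening uploads, and nothing for bob, whose day looks like his baseline. That is the workflow the quote describes in miniature: the volume of user-days is reduced to a handful, and each one arrives with the reason it was selected rather than a bare score.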
In conclusion, insider threats are real and complex. A healthy relationship with employees, combined with monitoring of their actions during and after their tenure, contributes to a certain level of security. Innovation in authentication can also complement the standard security controls most companies already deploy.
In the aftermath of an insider threat incident, organizations spend an average of $4.3 million annually to mitigate, address, and resolve incidents; in the most severe cases, up to $17 million annually. Companies often also appear less attractive to hostile bidders after an incident because of lower stock market valuations and higher levels of debt. There will be casualties in the process, and it may seem as though the only option left is a scorched-earth policy. But a scorched-earth policy can end up being a suicide pill for the company. Insider attacks may seem inevitable, so build higher walls, have a plan of action, and never resort to a scorched-earth policy after an incident.
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.