The Insider Threat


Computer Fraud & Security, ISSN 1361-3723, August 2017, www.computerfraudandsecurity.com. Special issue.



Contents

The Insider Threat

For many years, organisations have focused on securing the perimeter. Firewalls, intrusion detection, antimalware and many other technologies are designed to keep unwanted outsiders out. But they are of little use against the threat that originates from within your organisation.

The insider threat has always been with us – in the guise of a disgruntled employee, for example, who copies a critical database before quitting the company. But the pervasiveness of IT and the accumulating piles of data deployed in all areas of the modern enterprise have significantly increased the dangers presented by staff with bad intentions.

And the threats don’t all stem from malice or greed. Damaging effects caused by the actions of insiders may be accidental – such as the laptop left on a train or a spreadsheet emailed to the wrong person. In fact, a survey of Information Security Forum (ISF) members found that the vast majority of insider-related incidents were the result of accidents or ignorance, with no harm meant. In many cases, the problem was caused by the staff member doing something basic and apparently innocuous, and perhaps even well-intentioned – such as taking sensitive files home to work on them in their own time, and then losing them, or working remotely via insecure public wifi.

In addition, cyber-criminals, industrial spies, nation-state actors and other external players who target your organisation will often seek to find a way past your defences via people already inside the perimeter. That’s why so many major breaches start with a phishing attack.

Exactly how much of a threat is posed by the insider depends on which report you read. But clearly organisations are becoming concerned. A recent SANS Institute survey found that 40% of respondents regarded malicious insiders as the most damaging threat vector they face. And while 38% said they don’t currently have effective methods to detect insider attacks, 49% are developing incident response plans to deal with such attacks.

In this issue, we look at the many facets of the insider threat. It’s an issue we need to tackle, and it won’t be easy. Staff members need access to your precious data to do their work. And while technologies, such as data loss prevention and data classification, are making some headway into the problem, it’s important to acknowledge that the insider threat derives from that most complex and intransigent of all phenomena – human nature.

Major BUPA breach caused by employee copying files

Private health insurance firm Bupa Global has admitted to a data breach affecting around 108,000 policies that was allegedly the result of a rogue employee simply copying the data. The employee has not been named but has been fired by the firm, which says it is pursuing legal action.

Bupa said that: “The information does

Continued on page 3...

NEWS

Major BUPA breach caused by employee copying files 1

Ransomware menace will grow says Google 3

FEATURES

Using data virtualisation to detect an insider breach 5

With big data solutions, it is difficult to detect when data is being altered or accessed without authorisation. George Smyth of Rocket Software explains that one solution lies in data virtualisation, which ensures access controls are enforced and can be monitored.

Can artificial intelligence help in the war on cybercrime? 7

It is hard to avoid the buzz in the industry around artificial intelligence and technologies such as machine learning. Danny Maher of HANDD Business Solutions explores how technologies such as user and entity behaviour analytics (UEBA) can be deployed to provide accurate and genuine alerts about troublesome behaviour on your networks.

Personal cloud-based apps: the new insider risk 10

Personal messaging apps are bad news for enterprise security because they are totally outside the IT department’s control. Omri Sigelman of NURO Secure Messaging looks at the options available when considering enterprise-grade messaging platforms.

The evolution of the digital insider trader 12

Breaches by trusted insiders can have enormous impact because these people have access to sensitive data. Joseph Carson of Thycotic explains how this has brought about the era of the ‘digital insider trader’ looking to profit from elevated privileges.

Are employees part of the ransomware problem? 15

Employees sometimes contribute – albeit unintentionally – to ransomware attacks. But training staff to be aware of attacks and what to do to keep data protected is strategically justified and can actually save time and money. Michael Fimin of Netwrix outlines some basic rules for minimising the risk.

Employees are lax on cyber fundamentals 17

Research shows that employees often have a poor grasp of the basics when it comes to data security threats and appropriate behaviours. André Mouradian of Wombat Security argues that employees need to be brought up to scratch about best practices and their responsibilities in handling corporate devices, data and systems.

Defending against spear-phishing 18

Spear-phishing is big business and often the first stage of sophisticated attacks. But Jason Steer of Menlo Security shows how cloud-based isolation techniques can dramatically reduce the risk of damage as a result of an incautious click.

Editorial 2

News in brief 4

Calendar 20

ISSN 1361-3723/17 © 2017 Elsevier Ltd. All rights reserved

This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying

Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.