Threat of the malicious insider is very real, but accidental data leakage is a bigger problem.
It doesn’t have a super-sexy moniker like KRACK or Heartbleed, but the spectre of the insider threat looms large for organisations, and has done so for as long as electricity, silicon, and computing have been paired up to store information.
While it’s easy to imagine a disgruntled, unhappy employee becoming a malicious actor within an organisation, and dumping the family jewels out of spite, it is much more likely that a well-intentioned employee did something they really shouldn’t have.
In recent times, it seems as though a spate of data leakage has occurred due to the discovery of data left sitting on world-viewable servers. For instance, Accenture left its keys to the kingdom exposed on four servers, Verizon had 14 million subscriber records sitting unprotected on Amazon S3, and even Australia’s national broadcaster, ABC, was found wanting last week when it revealed to have had customer details and 1,800 daily MySQL database backups exposed.
“I always start from the point of view, your biggest threat is the insider threat,” security advisor and former Telstra CISO Mike Burgess told ZDNet. “That’s not because your staff are bad, or people in the supply chain are bad — it’s simply the human can generally do the greatest damage, and we’ve seen many examples of that.”
A recent survey by Thales found that 54 percent of respondents said employee error was the most significant threat to sensitive or confidential data, with the company’s APAC CISO Ben Doyle telling ZDNet that while there are often signs of malicious insider behaviour, it’s harder to detect accidents.
“If you have a strong security culture, and not just information security culture, but an overall security culture, there are generally indications of the change of attitudes and things like that, if it’s going to be a malicious insider, that you are going to have a chance [to pick it up],” Doyle said.
“I guess the threat for the inadvertent one is a lot of cases there may not be any indicators until you find yourself in trouble.”
It’s a view shared across the industry, with Sophos CTO Joe Levy saying an accidental insider is more likely to compromise a company than an outsider.
“They are closer to the data, just in terms of the amount of difficulty and the proximity, it’s much more likely the latter is going to happen,” Levy said.
For McAfee CTO Steve Grobman — who spoke to ZDNet before the company had its own misadventures last week — the definition of vulnerabilities needs to go beyond software.
“When we think about vulnerabilities, we can’t think of vulnerabilities being just software vulnerabilities like Apache Struts — we also need to think of vulnerabilities as misused access controls, so somebody drops content in an S3 storage [bucket],” Grobman told ZDNet.
“Part of the problem with data leakage or data loss is once the data is out there, there’s really no remediation to get it back. When the toothpaste is out of the tube, you can’t put it back in.”
However, while the number of companies caught out by unintentional data leakage continues to rise, for Levy, it’s a by-product of companies having to play in the software space due to an increasingly connected world.
“It is something that is very very new,” he said. “People who have been in business for the past 30 years that have not been in the software business are probably not very familiar with these kinds of concepts and principles.
“There is going to be this window of exposure as people are learning and developing the muscle memory basically of how to do things correctly in software-land that is just going to create a lot of problems — like people putting their AWS keys up on GitHub.
“Hopefully they are happening enough that people are learning about them, and there’s levels of leadership in organisations and even boards of companies now that are beginning to learn themselves these sorts of things.”
According to Burgess, the insider threat is nothing new; it’s just able to occur faster than in the past.
“It’s the downside of the upside of this technology-connected-enabled world,” he said. “Nothing new here, people just need to grapple with the fact technology and connectivity means bad things can happen quickly.
“I am a little surprised, given everything that has happened in the world, that more people are not paying attention to this. But on the upside, more people are paying attention to this, and now they’ve just got to figure out the right way of identifying and managing the risk effectively.”
For Grobman, the challenge in addressing insider threats is that it is more than a technology problem and requires policy as well.
“If you think about what an insider threat is, it’s an insider that is abusing permissions, privileges that they’ve explicitly been given access to, so it is much harder to actually distinguish if this is actually a malicious set of activity, as opposed to something that is legitimate for somebody doing their job,” he said.
“First and foremost, companies have to live by the principle of least privilege. The biggest set of abuses that I’ve seen are typically where there’s lax policies in granting access to capabilities or functions that somebody doesn’t truly need to do their job and it’s just easier to give people carte blanche for all sorts of things.”
As with many other aspects of security, the McAfee CTO said no company will ever be rid of the insider threat, but it is possible to reduce it through behavioural analysis or being able to detect massive data exfiltration.
“Thinking about making things harder is one of the key things that we can do, even if it doesn’t solve the problem completely,” he said.
Grobman said it was important not to go over the top and impose restrictions on users and administrators alike if they are unnecessary.
“The most important thing for people to think is understanding what the different risks in an organisation are, and right-sizing the controls so that you are not over-burdening the things you don’t really care about, but at the same time you are able to put your most critical resources and policies on the things that matter,” he said. “The other element that I think is important is not only the things that matter but things that are more difficult to remediate or repair.
“If you are protecting a piece of network infrastructure, if that is breached from a denial of service perspective, to recover from that, there is basically no long-lasting harm done, which is different from a data breach where if the data is either personal information or intellectual property or something that is going to be interesting for a long period of time, even if you fix the vulnerability, fix the permissions, if the data has already been stolen, the damage is much harder, if not impossible to remediate.”
Since there is always going to be someone in an organisation that knows how the mousetrap is made, and the tolerances that trigger it, Levy said it is important for organisations to be able to investigate an incident after the fact, and to have an inventory of all compute instances and assets.
Burgess echoed a similar sentiment, and in addressing the issue of contractors and third-party providers leaking data, said businesses need to own their risk and not pass it up or down the supply chain.
“It should never be defence [to say] ‘Well I trusted ACME sprocket engineering to do that and it is their problem and their fault’. If you haven’t given to them or stated to them your expectations to them around that information, then you’ve failed, it’s your risk,” the former Telstra CISO said. “You can’t outsource risk, you can’t blame it on your outsourced provider, you own it.”
Like so much to do with insider threats, Burgess said owning risk was a leadership issue, as was the example of pressure being put on an IT department to “just get a project over the line” and do whatever was needed.
“You’ll still have someone do the wrong thing, but that example is just one of bad leadership,” he said. “Good organisations have checks and balances in place — not overly bureaucratic, but you will pay attention to your most valuable data, and you’ll know what is happening to it.
“When instances like that do occur, you detect them to either prevent them, or actually once they do occur, you make it right quickly because that is a fact of you cannot eliminate this problem, but you can manage the risk. And to manage the risk, you’ve got to pay attention to the data and what is happening to it.”
On the recent number of data leaks, Doyle said it would be incorrect to point the finger at the uptake of cloud computing.
“I think this behaviour was protected previously by a perimeter, therefore bad behaviour was less likely to become public. You don’t have external people [looking] unless you have a really bad perimeter with your internal systems,” he said.
“Whereas with Amazon S3 buckets, or any other cloud storage solution, if it isn’t protected then obviously it is public.”
According to the Thales APAC CISO, with the mobility of data in the modern world, it’s important for enterprises to know where their information is and to understand the value of it.
“We’ve moved to a world where you’ve got to protect that valuable data at rest, in use, and in motion,” Burgess concurred. “That’s a very different mindset.”
Across the board, the CXOs interviewed said handling and putting plans in place to deal with insider threats is a task that will involve all parts of a business — whether that is identifying where sensitive data lives, to what data is sensitive in the first place — and cannot be left to the IT department alone.
If your organisation has not looked into its data buckets in recent times to see what data might be mistakenly world-viewable, then it would be best to get on it before someone else does.