How ‘human resources’ can help stop insider data theft


By Byron Acohido, ThirdCertainty

After Edward Snowden’s escapades, how could any company fail to take simple measures to reduce its exposure to insider data theft?

Yet large enterprises remain all too vulnerable to insider threats, as evidenced by the Morgan Stanley breach. And many small- and medium-sized businesses continue to view insider data theft as just another nuisance piled on to a long list of operational challenges.

“I suspect too many companies are fixated on outsider threats, like malware infections and external hacking, to the extent that insider threats get overlooked,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET.


A low-level Morgan Stanley financial adviser with sticky fingers allegedly tapped into account records, including passwords, for six million of the Wall Street giant’s clients. He got caught allegedly attempting to peddle the stolen records on Pastebin, a popular website for storing and sharing text files.

Financial services well defended

The financial services sector has long been very proactive in defending against all forms of data breaches, for obvious reasons, and Morgan Stanley was able to nip this particular caper early on. Big banks and investment houses typically have highly trained teams, using a variety of detection tools and monitoring regimes designed to flush out any indication of a breach.

“Often you have analysts in a Security Operations Center hunting for abnormal activity,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “They can often spot suspicious data movement based on quantity, destination or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”
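What a check like the one Hazdra describes looks like when written down, as an added example that is not code from the article or from Neohapsis: a handful of constructed proxy/DLP log lines are scored on the three signals he names. The log format, the internal domain (`.internal.example`), the blocked destinations, the label set and the per-user byte baselines are all assumptions made for the example.

```python
"""Added example, not code from the article or from Neohapsis: flag outbound
data movement on the three signals Hazdra names (quantity, destination,
classification level) over a few constructed proxy/DLP log lines."""
import re
from collections import defaultdict

# Constructed sample log, hypothetical format: timestamp user destination bytes label
SAMPLE_LOG = """\
2015-01-05T09:12:01 jsmith crm.internal.example 120000 internal
2015-01-05T09:40:13 jsmith pastebin.com 5200000 confidential
2015-01-05T10:02:55 alee files.internal.example 800000 internal
2015-01-05T11:15:20 alee dropbox.com 25000 public
2015-01-05T12:30:44 jsmith crm.internal.example 90000 internal
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

# Assumed policy (hypothetical): the company's own domain, destinations where
# company data must never land, labels that may not leave the network, and
# each user's normal daily volume to external hosts (in practice learned from history).
INTERNAL_DOMAIN = ".internal.example"
BLOCKED_DESTINATIONS = {"pastebin.com", "dropbox.com"}
NO_EXTERNAL_LABELS = {"confidential", "restricted"}
BASELINE_DAILY_BYTES = {"jsmith": 200_000, "alee": 900_000}
DEFAULT_BASELINE = 500_000
BASELINE_MULTIPLIER = 5


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, dst, nbytes, label = m.groups()
    return {"ts": ts, "user": user, "dst": dst, "bytes": int(nbytes), "label": label}


def is_external(dst):
    """Anything not under the company's own domain counts as an external destination."""
    return not dst.endswith(INTERNAL_DOMAIN)


def find_suspicious_transfers(log_text):
    """Return (user, signal, detail) findings for destination, classification and quantity."""
    findings = []
    external_bytes = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # malformed line: skip it rather than crash the pipeline
        user, dst, label = ev["user"], ev["dst"], ev["label"]
        # Signal 1: destination on the block list, whatever the data was.
        if dst in BLOCKED_DESTINATIONS:
            findings.append((user, "destination", dst))
        # Signal 2: classified data leaving the network at all.
        if is_external(dst) and label in NO_EXTERNAL_LABELS:
            findings.append((user, "classification", f"{label} -> {dst}"))
        # Signal 3 accumulates per user: non-public bytes sent externally.
        if is_external(dst) and label != "public":
            external_bytes[user] += ev["bytes"]
    for user, total in external_bytes.items():
        baseline = BASELINE_DAILY_BYTES.get(user, DEFAULT_BASELINE)
        if total > BASELINE_MULTIPLIER * baseline:
            findings.append((user, "quantity", f"{total} bytes external, baseline {baseline}"))
    return findings


if __name__ == "__main__":
    for user, signal, detail in find_suspicious_transfers(SAMPLE_LOG):
        print(f"{user:8} {signal:14} {detail}")
```

The quantity signal is deliberately relative to each user's own baseline rather than a single company-wide threshold; a financial adviser who normally moves little data and suddenly pushes megabytes to a paste site stands out, while a user whose job is bulk file exchange does not drown the analyst in alerts.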

Organizations outside of the financial services industry, however, are still low on the curve in understanding this exposure, much less in taking even basic steps to reduce it.

Given the nature of the exposure, human resource officials need to be on the front lines of mitigating insider data theft, security and privacy experts say. In particular, HR department heads should be integrally involved in working with a company’s tech and security teams to define and deploy access rights to sensitive company data.

“With this collaboration and the right tool sets, companies can apply access controls that restrict employees to just the information they need to perform their job,” says Deena Coffman, CEO of IDT911 Consulting, which is part of identity and data risk consultancy IDT911. Full disclosure: IDT911 sponsors ThirdCertainty.

Guarding privileged access

It’s a balancing act, of course. Quick and flexible access to company records drives productivity gains. At the same time, it creates fresh opportunities for granting unnecessary access privileges, and for theft.

“Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage,” says Steve Hultquist, chief evangelist at security analytics firm RedSeal. “Using automation to analyze and ensure compliance with a security policy is essential for protecting customer and corporate data assets.”

There should also be a structured process for communicating changes quickly to ensure that a terminated employee or departed contractor does not retain access privileges, says Coffman.

“Many of the inside attacks are IT employees with elevated privileges and little oversight on how and when those privileges are used,” Coffman says. “The use of privileged accounts should be monitored and logged. Separation of duties should be required on certain functions and an annual outside review is a good idea.”

Cutting off terminated employees and partners should be swift and sure. Better safe than sorry.

“Too often organizations don’t have a complete picture of what access each employee has, particularly if they have been there a while,” observes ESET’s Cobb. “Getting employee departures right involves a coordinated effort from HR, IT and legal.”
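The collaboration Coffman describes (HR and IT jointly defining need-to-know access) and the departure problem Cobb and Coffman describe (terminated users who keep their accounts, privileged accounts with little oversight, no complete picture of who has what) come down to the same mechanical step: join the HR roster to the access inventory and report the differences. The example below is added here and is not code from the article, IDT911 or ESET; the roster, inventory, role-to-entitlement map, entitlement names and one-day deprovisioning window are all constructed for the example.

```python
"""Added example, not code from the article or from IDT911/ESET: reconcile an HR
roster against an access inventory so that terminated users with live accounts,
entitlements beyond a role's need-to-know, privileged accounts and accounts with
no HR owner surface in one report. All records, roles and entitlement names are
constructed for the example."""
from datetime import date

# Constructed HR roster (status and end date are HR's data, not IT's).
HR_ROSTER = [
    {"user": "jsmith", "role": "financial_adviser", "status": "active", "end": None},
    {"user": "alee", "role": "sales_assistant", "status": "active", "end": None},
    {"user": "bwong", "role": "contractor", "status": "terminated", "end": "2014-12-19"},
    {"user": "dkim", "role": "it_admin", "status": "active", "end": None},
]

# Constructed access inventory as exported from the directory and applications.
ACCESS_INVENTORY = [
    {"user": "jsmith", "enabled": True, "entitlements": {"crm_read", "client_records_all"}},
    {"user": "alee", "enabled": True, "entitlements": {"crm_read"}},
    {"user": "bwong", "enabled": True, "entitlements": {"vpn", "fileshare_rw"}},
    {"user": "dkim", "enabled": True, "entitlements": {"domain_admin", "vpn"}},
    {"user": "svc_backup", "enabled": True, "entitlements": {"domain_admin"}},
]

# Hypothetical role-to-entitlement map agreed between HR and IT: what each role
# needs to do its job and nothing more. Anything outside it is excess access.
ROLE_ENTITLEMENTS = {
    "financial_adviser": {"crm_read", "client_records_own_book"},
    "sales_assistant": {"crm_read"},
    "contractor": {"vpn", "fileshare_rw"},
    "it_admin": {"domain_admin", "vpn"},
}
PRIVILEGED = {"domain_admin"}  # entitlements whose use should be logged and reviewed
MAX_DEPROVISION_DAYS = 1       # assumed SLA for disabling a departed user's accounts


def reconcile(roster, inventory, today_iso):
    """Return (user, finding, detail) tuples for the four conditions above.

    today_iso is the review date as YYYY-MM-DD; deprovisioning lag is measured
    from the HR end date to that day.
    """
    today = date.fromisoformat(today_iso)
    hr = {r["user"]: r for r in roster}
    findings = []
    for acct in inventory:
        user, ents = acct["user"], acct["entitlements"]
        rec = hr.get(user)
        if rec is None:
            # Service or orphaned accounts: nobody in HR owns them, so nobody offboards them.
            findings.append((user, "no_hr_record", "account not tied to an HR record"))
        else:
            if rec["status"] == "terminated" and acct["enabled"]:
                overdue = (today - date.fromisoformat(rec["end"])).days
                if overdue > MAX_DEPROVISION_DAYS:
                    findings.append((user, "terminated_still_enabled", f"{overdue} days after end date"))
            # Need-to-know check: entitlements the role does not justify.
            excess = ents - ROLE_ENTITLEMENTS.get(rec["role"], set())
            if excess:
                findings.append((user, "excess_entitlement", ",".join(sorted(excess))))
        # Privileged accounts are listed regardless of HR status so the review has a full picture.
        priv = ents & PRIVILEGED
        if priv:
            findings.append((user, "privileged_account", ",".join(sorted(priv))))
    return findings


if __name__ == "__main__":
    for user, finding, detail in reconcile(HR_ROSTER, ACCESS_INVENTORY, "2015-01-05"):
        print(f"{user:12} {finding:26} {detail}")
```

Run against the constructed data, the report shows the contractor still enabled 17 days after leaving, an adviser holding an entitlement his role does not need, two privileged accounts, and a service account that no HR record owns; the same join, run on a schedule against real HR and directory exports, is what turns Cobb's "coordinated effort from HR, IT and legal" into something that fires without anyone remembering to ask.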

A disgruntled employee who is not planning on going anywhere is another type of exposure that should be addressed. American Banker is now reporting that the alleged perpetrator of the Morgan Stanley breach was promoted to financial adviser from sales assistant about a year ago, and gained access to the records by manipulating the bank’s wealth management software. The lawyer representing the accused adviser insists in the American Banker report that his client did not post any of Morgan Stanley’s data on Pastebin.

“All managers need to be aware of morale among reports and there needs to be a process for taking concerns to HR in a discreet way while increasing monitoring of use of IT resources,” Cobb says.
