Stop Data Leaks


  1. December 2013 cover: STOP Data Leaks. The NSA data breach showed that one rogue insider can do massive damage. Is your information safe from internal threats? By Robert Lemos. Plus: If you see something, say something.
  2. If You See Something, Say Something

     By Tim Wilson, @darkreadingtim

     This special digital issue on enterprise data leaks focuses on the technology of detecting and stopping insider threats. The technology element is critical to the prevention of data dumps like those perpetrated by the likes of Edward Snowden, but it’s also important to recognize that corporate culture plays a central role in stopping a big breach.

     A decade ago, a DuPont research scientist named Gary Min was offered a job by a competitor in the chemical industry. Min decided that he might take a few DuPont files with him to his new job: about $400 million worth of trade secrets. He downloaded them late at night from his office computer. He carried out boxes and boxes of files from his building. In the end, he had to rent a separate apartment because his own place didn’t have room for all his stolen files.

     How was Min caught? Through a routine IT audit of file transfers. Someone in IT finally noticed that Min had been downloading tens of thousands of documents to his work computer. Min, who had been with DuPont for 10 years and seldom worked late, had begun staying in his office all through the night, downloading files and making copies. Yet despite his unusual behavior, none of Min’s co-workers spoke up. No one wanted to get involved.

     This is why corporate culture plays such an important role in stopping insider threats. In most companies, employees are told that if they see something, they should say something. But not enough companies take this advice seriously.
     At most companies, employees want to avoid “ratting” on a fellow employee, and this is understandable. No one wants to be responsible for getting another person in trouble. And if Min had been stealing pencils or watching porn on his computer late at night, a look-the-other-way attitude would be acceptable. We all sometimes look away from what our fellow employees are doing, mostly because we don’t want them ratting on us for our occasional policy breaches.

     But what Min was doing was not just out of bounds, it was out of character. He was in the office late, something he had rarely done in 10 years with the company. He was carrying boxes of files out to his car, using the copy machine at odd hours, downloading thousands of files from servers. It seems likely that he was seen doing these things — but never reported. And as a result, DuPont nearly lost $400 million of intellectual property.

     Stopping leaks like those created by Min and Snowden will require tighter controls and better technology. But in the end, it also requires the vigilance of co-workers, and the willingness to report behavior that may threaten the safety of your enterprise data. Would your employees have reported Gary Min? The answer to that question may be critical to your defense against insider threats.

     Tim Wilson is editor of Dark Reading.
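The audit that caught Min, a sudden after-hours surge in document downloads by someone who never worked late, is easy to express as a detection rule over file-transfer logs. The Python below is an added example, not code from Dark Reading or from any vendor quoted in this issue; the audit-log format, the user names, the dates and the daily counts are all constructed for it, and the thresholds are assumptions to be tuned against a real baseline.

```python
"""
Flag file-transfer activity that is out of character for a user: a sudden
jump in daily download volume, or a shift to after-hours activity by someone
whose baseline is a normal working day. Added example; the audit-log format
and all users, dates and counts are constructed for it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hours treated as the working day; downloads outside this window are after-hours.
WORK_START, WORK_END = 7, 20


def build_sample_log():
    """Constructed audit log: one line per document, '<ISO time> <user> DOWNLOAD <doc>'.
    'jdoe' keeps a normal pattern throughout; 'rmin' works normal days for 20 days,
    then downloads hundreds of documents overnight on days 21 and 22."""
    lines = []
    for user in ("jdoe", "rmin"):
        for day in range(1, 23):
            if user == "rmin" and day == 21:
                hours = {22: 200, 23: 200}                      # late-evening bulk pull
            elif user == "rmin" and day == 22:
                hours = {h: 100 for h in range(0, 5)}           # continues through the night
            else:
                hours = {9: 3, 11: 3, 14: 3 + day % 4, 16: 3}   # 12-15 documents per workday
            for hour, count in hours.items():
                for n in range(count):
                    lines.append(f"2013-11-{day:02d}T{hour:02d}:{n % 60:02d}:00 "
                                 f"{user} DOWNLOAD DOC-{day}-{hour}-{n}")
    return lines


def parse_log(lines):
    """Group download hours by user and calendar day: {user: {date: [hour, ...]}}."""
    per_user = defaultdict(lambda: defaultdict(list))
    for line in lines:
        timestamp, user, action, _doc = line.split()
        if action != "DOWNLOAD":
            continue
        t = datetime.fromisoformat(timestamp)
        per_user[user][t.date().isoformat()].append(t.hour)
    return per_user


def after_hours(hours):
    """Number of events that fall outside the working-hours window."""
    return sum(1 for h in hours if not WORK_START <= h < WORK_END)


def detect_anomalies(lines, baseline_days=20, sigma=3.0):
    """Compare each user's recent days against that same user's first
    `baseline_days` of history. Returns one finding per anomalous (user, day)."""
    findings = []
    for user, days in parse_log(lines).items():
        dates = sorted(days)
        base, recent = dates[:baseline_days], dates[baseline_days:]
        if not base or not recent:
            continue   # not enough history to say what "normal" is for this user
        counts = [len(days[d]) for d in base]
        mu, sd = mean(counts), pstdev(counts)
        # Floor the threshold so a very regular baseline (sd near 0) does not
        # turn ordinary day-to-day variation into alerts.
        volume_threshold = max(mu + sigma * sd, 2 * mu + 10)
        base_after_share = sum(after_hours(days[d]) for d in base) / sum(counts)
        for d in recent:
            hours = days[d]
            share = after_hours(hours) / len(hours)
            reasons = []
            if len(hours) > volume_threshold:
                reasons.append(f"{len(hours)} downloads vs baseline mean {mu:.1f}")
            if share >= 0.5 and base_after_share < 0.1:
                reasons.append(f"{share:.0%} after-hours vs {base_after_share:.0%} in baseline")
            if reasons:
                findings.append({"user": user, "date": d, "downloads": len(hours),
                                 "after_hours_share": share, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(build_sample_log()):
        print(f"{f['date']} {f['user']}: " + "; ".join(f["reasons"]))
```

The two signals are kept separate on purpose: volume catches bulk collection, and the hours signal catches the out-of-character part Wilson stresses. Both are measured against the user's own history rather than a company-wide average, so a researcher who routinely pulls hundreds of documents does not generate noise, and a day that trips both checks is the strongest candidate for someone outside IT to review.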
  3. Cover Story: STOP Data Leaks

     The NSA breach showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats.

     By Robert Lemos, @roblemos

     As a contractor and low-level system administrator, Edward Snowden likely didn’t initially have access to the resources he needed to leak National Security Agency documents to the public. Instead, one theory is that, by convincing colleagues to give him their passwords — and by generating authentication keys that gave him access to NSA computers and servers — Snowden leveraged his relatively low status to explore the data troves inside the NSA. That’s the conclusion of researchers at certificate management firm Venafi, which has been analyzing publicly released data about the NSA breach since it happened earlier this year. Reuters last month also reported that Snowden convinced colleagues to give him their logins and passwords by saying he needed them for his admin work.

     Neither the NSA nor Snowden has given details about how the former contractor was able to steal the classified data, but Venafi’s theory is that he “hopped from server to server using this technique, identifying the data that he wanted to exfiltrate,” says Venafi CEO Jeff Hudson. “He then moved the data from server to server, until he got to a point from where he could exfiltrate the information.”

  4. Debate all you want about whether the NSA should have been monitoring American citizens, but no one is arguing the significance of Snowden’s huge data leak. The fallout shows that what makes a breach significant to the victim is not the volume of data stolen, but the importance of the data. Chelsea (formerly Bradley) Manning’s theft and leak of US State Department memos — more than 250,000 — was much larger, but it was the impact of those memos that counted.

     And the threat is not unique to government agencies. Large companies — in fact, any business that relies on its intellectual property or trade secrets — could be at risk for a major data leak. One large financial firm, for example, discovered that an internal developer purposely created code to let a cyber-criminal group in South America steal financial and account data. The developer created a subroutine that sent every new financial record to an email box, disguised as a quality-control measure that was accidentally left in the code, says Bryan Sartin, director of the Verizon RISK team. “As the system was running and all this data that belonged to customers was siphoning through this database, it sent a copy of the information to him,” Sartin says. “It was incredible.
     We had to re-create his tracks to find the email inbox and link him to the actual breach.”

     Venafi’s Hudson says large companies have an average of 17,000 digital keys tied to authentication — from certificates to SSH encryption keys — and, in many cases, they have few ways to manage the chaos, making them vulnerable to attack. “We want people to wake up and close these open doors,” Hudson says.

     Insider-Outsider: Who Cares?

     Companies spend the majority of their security resources preparing for attacks from external actors: hacktivists, cyber-criminals, and, in some cases, nation-state spies. About seven out of every eight IT security dollars are spent on perimeter defenses, according to Hewlett-Packard. This approach makes sense on one level: 92% of breaches involve external attackers, while only 14% have an insider component, Verizon’s 2013 Data Breach Investigations Report finds. (Some attacks involved insiders and outsiders, which is why the total figure is greater than 100%.)

     But three factors suggest companies should focus more on insiders than they do. First, companies may be underreporting insider attacks, since employees know how to game the network’s defenses to avoid detection, or because malicious employee behavior may be hard to separate from regular behavior. Theft by employees, contractors, and suppliers also often goes unreported, since companies prefer to handle it internally rather than publicize a breach.

  5. Second, not only are insider attacks more common than the stats suggest, they’re also more damaging on average than external attacks. “Insiders know where the dead bodies and crown jewels are,” says Craig Carpenter, senior VP of strategy for AccessData, a maker of e-discovery and computer forensics software. “And in most cases they have trusted access to what they are trying to get at.”

     And third, looking to stop insider threats is a good strategy for limiting the damage an outsider can do. External attackers generally need time to hunt down critical information and determine which data is most important. Once they have been in the network for extended periods of time, their behavior starts to look like a malicious insider. One sophisticated group of Chinese attackers resided in the average victim’s network for 356 days, nearly a year, before being detected, according to a study of more than 140 attacks attributed to a single group and published in February by incident response firm Mandiant.

     To catch this type of insider attack, companies need internal visibility and controls that give employees access to the data they need while preventing them from accessing sensitive data that isn’t necessary for their work.

     [Chart: Company Insiders Are Accounting For Fewer Breaches. In 2013, breaches connected with a person inside a company fell to 14% from a high of 48% in 2009. Series: External, Internal, Partner. Data: Verizon’s “2013 Data Breach Investigations Report”]
     Companies that find the right balance have a good chance of detecting potentially malicious insider behavior and, as a bonus, will be more prepared to detect outside attackers, because an outsider’s first action is to compromise an internal system and then compromise valid user credentials. Here are three steps to spot that kind of malicious insider activity, or outsiders attacking like rogue employees.

     Step One: Visibility

     Companies obviously need to allow workers data and app access to do their jobs, but to detect rogue behavior, they also need detailed knowledge of what those employees are doing. “You have to monitor and sniff all traffic at all endpoints at all times, and you need to flag anomalous behavior and activity,” says AccessData’s Carpenter. “You don’t need to necessarily shut it down, but you need to have a policy that any activities outside these bounds are unacceptable.”

  6. Yeah right, you might be thinking. Getting visibility into user activity across the network in near real time is a massive project for large companies, and few small and midsize businesses have the resources to tackle the problem. But companies can start by tracking a few types of log data to get general visibility across the network. As they identify the most sensitive data, companies can expand their efforts to get focused intelligence on access to that most important information. “Start with more visibility, get eyes across the environment, and then focus on specific areas,” says Chris Petersen, chief technology officer for LogRhythm, a security information and event management provider. Understanding what provides the best insight will take time, “and you don’t want to be sitting on your hands while you are trying to do data discovery.”

     Just monitoring network traffic isn’t enough; you also need to know what’s happening on specific devices, contends John Prisco, CEO of Triumfant, a maker of endpoint protection software. Unlike external attackers, internal attackers are most likely using a company-owned machine to conduct the attacks, so having data on what’s happening on those machines can be extremely helpful in detecting anomalous activity. Tracking endpoint use may let you model normal behavior and spot behavior outside the norm that could be malicious.

     Protecting and monitoring endpoints becomes more difficult with bring-your-own-device programs. Companies that allow employee-owned devices on the corporate network should limit the data that employees can access on those personal devices, at least until appropriate data loss prevention technology has been deployed to monitor their activity, says Steve Hunt, president of database protection firm DB Networks.

     Sidebar: Break The Insider’s Kill Chain

     Traditionally, companies have designed their security to stop attackers at the perimeter. But security pros have started analyzing threats based on the seven steps attackers need to take before achieving their objective: the cybersecurity “kill chain.” This technique attempts to pinpoint what attackers might do at each step of an operation and suggests defenses. The seven steps are reconnaissance of the target; creating, delivering, and executing the attack (three steps); establishing control over the compromised machine; communicating with the operator; and pursuing objectives.

     Insiders have a distinct advantage in the kill chain. Reconnaissance is a low-risk endeavor since the worker is already gathering intelligence during the workday. The three subsequent steps may not be necessary, as a malicious insider already has access to a machine in the network. Using kill chain analysis to head off malicious insiders also lets you detect the signs that an authorized user may be doing something beyond his or her authorization. “Companies need to develop indicators of compromise to catch the insider in the kill chain as early as possible,” says Tim Keanini, CTO with Lancope. — Robert Lemos

  7. Step Two: Identify Key Data

     While visibility can help flag the bad actors, rogue insiders can hide in the noise of day-to-day operations unless a significant analytics software deployment is brought to bear. A more cost-efficient approach is to focus on protecting the data that’s most critical to the business. If business executives and security managers can come up with a list of the 10 data sets that are most core to the business, the leak prevention effort becomes much more manageable, says Eric Schou, director of product marketing for enterprise security products at Hewlett-Packard. While some companies can easily identify their crown jewels — e.g., source code for software vendors, exploration data for oil and gas firms, or the secret recipe for Coke — other companies may have trouble.

     In addition to protecting the data itself — the secret recipe — security teams also should focus on the information that an attacker would need to get access to sensitive data, such as credentials, authentication keys, and privileged accounts. Zeroing in on any activity related to those areas can help a company keep tabs on accounts with the most dangerous permissions. The keys that Snowden theoretically used to jump from machine to machine are a perfect example of such information.

  8. Step Three: Controls

     Measuring intent is difficult. Is an employee being malicious, or breaking security policy inadvertently? Is the employee’s account being used by an external attacker? Yet separate from intent, companies must decide what behavior is risky to their business. The best ways to do that are to implement security controls that enforce policies, monitor critical data to detect anomalies, minimize the number of privileged employees, and remove unnecessary rights for workers who don’t need to access sensitive data or applications. “It’s critical that companies contain information to the smallest group possible,” Hunt says. “Make sure that you have an audit record as well. While that will not protect the data, it will tell you who is accessing it and where it may have gone.”

     Minimizing the privileges assigned to a worker might have saved global financial conglomerate UBS billions of dollars. Between 2008 and 2011, Kweku Adoboli, a trader at the firm, bypassed controls intended to separate the trading and approval functions and lost more than $2.3 billion. The bank’s CEO, Oswald Grübel, resigned following the incident, and UK authorities fined the bank nearly $48 million for its lack of adequate controls to stop what amounted to a hack of the trading process. “The same risk and the same level of scrutiny is applicable, whether you are talking about business applications or business data,” warns Vick Viren Vaishnavi, CEO of Aveksa, a maker of identity and access management tools that was recently acquired by security giant RSA.

     Perhaps the most effective control, however, is to encourage employees to police their colleagues. Co-workers are more likely than technical tools to notice strange behavior and catch actions that might not set off other alarms.
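Hunt's two controls (contain information to the smallest group, and keep an audit record of who touched it) and the separation of trading from approval that Adoboli bypassed can be enforced together in a small amount of code. The Python below is an added example, not code from this issue or from any firm quoted in it; the roles, the names and the trade values are constructed for it.

```python
"""
Separation of duties plus an audit record: no one may approve a trade they
booked themselves, rights are limited to the roles a person actually holds,
and every attempt, allowed or denied, is written to an append-only audit trail.
Added example; the roles, names and trade values are constructed for it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed role assignments. "carol" holds both roles, which is allowed,
# but she still may not approve her own trades.
ROLES = {
    "alice": {"trader"},
    "bob": {"approver"},
    "carol": {"trader", "approver"},
}


class ControlViolation(Exception):
    """Raised when a control blocks an action; the denial is audited first."""


@dataclass
class Trade:
    trade_id: str
    submitted_by: str
    amount: float
    approved_by: Optional[str] = None


class TradeDesk:
    def __init__(self, roles):
        self.roles = roles
        self.trades = {}
        self.audit = []   # append-only: who, what, which trade, when, outcome

    def _record(self, actor, action, trade_id, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "trade_id": trade_id, "outcome": outcome,
        })

    def _require_role(self, actor, role, action, trade_id):
        # Least privilege: an action needs the matching role, nothing is implied.
        if role not in self.roles.get(actor, set()):
            self._record(actor, action, trade_id, f"denied: lacks role {role}")
            raise ControlViolation(f"{actor} lacks role {role}")

    def submit(self, actor, trade_id, amount):
        self._require_role(actor, "trader", "submit", trade_id)
        self.trades[trade_id] = Trade(trade_id, actor, amount)
        self._record(actor, "submit", trade_id, "ok")

    def approve(self, actor, trade_id):
        self._require_role(actor, "approver", "approve", trade_id)
        trade = self.trades.get(trade_id)
        if trade is None:
            self._record(actor, "approve", trade_id, "denied: unknown trade")
            raise ControlViolation(f"no such trade {trade_id}")
        if trade.submitted_by == actor:
            # Separation of duties: booking and approval must be two different people.
            self._record(actor, "approve", trade_id, "denied: self-approval")
            raise ControlViolation(f"{actor} cannot approve own trade {trade_id}")
        trade.approved_by = actor
        self._record(actor, "approve", trade_id, "ok")

    def denials(self):
        """The audit entries a reviewer outside the trading group looks at first."""
        return [(e["actor"], e["action"], e["trade_id"], e["outcome"])
                for e in self.audit if e["outcome"] != "ok"]


def run_scenario():
    """Carol books a trade and tries to approve it herself; Alice, a trader
    without approval rights, tries as well; Bob, an approver, succeeds."""
    desk = TradeDesk(ROLES)
    desk.submit("carol", "T-1001", 5_000_000.0)
    for actor in ("carol", "alice", "bob"):
        try:
            desk.approve(actor, "T-1001")
        except ControlViolation:
            pass   # the denial is already in desk.audit
    return desk


if __name__ == "__main__":
    for entry in run_scenario().audit:
        print(entry["ts"], entry["actor"], entry["action"], entry["trade_id"], entry["outcome"])
```

The denied attempts are written to the audit trail before the exception is raised, so the record survives even if the caller swallows the error. That ordering is what lets the "cops watching the cops" problem be addressed: a group outside the trading desk and outside IT can read `denials()` without needing any rights on the desk itself.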
     [Chart: Insider Attacks Take Longer To Resolve. Average number of days to resolve attack.]
       Malicious insiders                  65.5
       Malicious code                      49.8
       Web-based attacks                   45.1
       Denial-of-service                   19.9
       Phishing and social engineering     14.3
       Stolen devices                      10.2
       Malware                              6.7
       Viruses, worms, and Trojans          3.0
       Botnets                              2.9
     Data: Ponemon Institute’s “2013 Cost Of Cyber Crime Study: United States”

  9. In Verizon’s 2013 Data Breach Investigations Report, employees reporting suspicious activities ranked as the No. 1 way that companies detected breaches internally. Companies should educate employees on policies and highlight what suspicious activity looks like. For example, employees that report a phishing email campaign can help the IT group block the messages quickly before less-savvy people click on attachments and allow leaks. In addition, a group outside of the cadre of privileged users and system administrators should also audit those users’ activities. “If you look at some companies, you have the cops watching the cops,” says AccessData’s Carpenter. “You need to be using people outside of IT.”

     Companies that give employees more understanding of malicious behavior, identify the most critical data, and implement controls to protect that data have a much better chance of discovering insider leaks before they do damage. Once companies detect insider activity, they’re much easier to investigate and stop. “When we do get an inside job, we always find out who it is,” says Verizon’s Sartin.

     [Chart: Sensitive Corporate Data Takes Hit In Breaches. What types of data were potentially compromised or breached in the past 12 months?]
       Personally identifiable information (name, address, phone, Social Security number)   22%
       Intellectual property                                                                19%
       Other personal data                                                                  13%
       Other sensitive corporate data                                                       12%
       Authentication credentials (user IDs and passwords, other forms of credentials)      11%
       Website defacement                                                                   10%
       Corporate financial data                                                              6%
       Account numbers                                                                       5%
       Payment/credit card data                                                              3%
       Don’t know                                                                            8%
     Data: Forrester Research’s “Understand The State Of Data Security And Privacy: 2012 To 2013” report on 583 North American and European IT security decision-makers at companies that have had a breach in the past 12 months
     But companies frequently miss potential threats because they aren’t monitoring for changes in behavior. “It may be the same IP address or user account that goes from good actor to bad actor, and the question is, ‘When did that happen?’” says Tim Keanini, CTO for Lancope, a network security and application monitoring provider. If that change happened on your network today, would you know? Too many companies can’t answer yes to that question.

     Robert Lemos is a veteran technology journalist and former research engineer.
  10. Masthead: Dark Reading, December 2013. Tim Wilson, Site Editor; Kelly Jackson-Higgins, Senior Editor. Copyright 2013 UBM LLC. All rights reserved.