[BreachExchange] 7 Tips to Avoid Data Theft by Ex-Employees

Audrey McNeil audrey at riskbasedsecurity.com
Wed Dec 20 10:03:55 EST 2017


https://blog.netwrix.com/2017/12/07/7-tips-to-avoid-data-theft-by-ex-employees/

Disabling the user accounts of fired employees right after their dismissal
does not guarantee they won’t break through your defenses. For example,
they can bribe friendly and perhaps sympathetic former colleagues — who are
still current employees with legitimate data access — to help them steal
your data. If you are an IT director, your boss will most likely say you
are to blame for letting suspicious activity go unnoticed. This is exactly
what occurred in my case. Is there a way to prove your innocence, save your
job and prevent such incidents from happening in the future? Let me share
my story.

Here’s what happened

At the beginning of the school year, one of our teachers came to my office
with some disturbing news: another school, 30 minutes away, was using exactly
the same curriculum maps (syllabuses) as we do, for every single subject. It
was obvious that someone had stolen our teaching plan for the whole school
year.

Such an incident is a nightmare for any school district. State standards
require every school to come up with an authentic curriculum for all
subjects in the run-up to the new academic year. It is like a business plan
— it contains detailed teaching materials, learning strategy, assessment
criteria and so on. In fact, our teachers spend most of their summer
preparing our new curriculum, so it’s natural for them to be upset when
others take advantage of their hard work. But there are bigger
consequences: curriculum maps are trade secrets in the education industry,
and their theft by current employees for profit gives the competing school
they are sold to an unfair advantage, and also calls into question my
competence as an IT director.

Houston, we have a problem

Soon I was standing on the carpet of the superintendent — essentially the
CEO of Whiteriver Unified School District. No surprise, he was ready to
fire me because I am the one who is responsible for securing the data at
our school. Luckily, restoring my reputation was a matter of a couple of
clicks.

I opened the software solution that I use to monitor activity across the
network and generated a report on data access trends for the file share
where the curriculum maps are stored, so I could see who had been accessing
them and what actions they performed. I quickly spotted an unusual spike of
activity: Within the space of just 3–5 minutes, two teachers had accessed
all the documents they could reach on that file share. I realized that I
had probably just fingered the attackers.

With this clear evidence at hand, it was not hard to explain to the
superintendent that these two insiders had most likely committed the crime,
and then to get a confession from them. They admitted that two other
teachers, who used to work at our school and then left for the neighboring
school, gave them money in return for copies of the curriculum maps, so
they could use these strategic plans in their new positions. And since they
had used only their legitimate access rights, it was clear that I had not
been remiss in my duties by allowing, for example, an outside attacker to
breach our network and steal the data unnoticed.

7 Tips to Pin up on the Board

Though the two ex-employees orchestrated the data theft, they did not act
directly; instead, they paid insiders to carry out their scheme. Here are 7
key tips that will help you protect your sensitive data from such incidents
and mitigate the risk of the ex-employee threat.

Tip #1. Know where your sensitive data resides. Keep an inventory of which
data is sensitive, and which data might become sensitive, so you know which
parts of your infrastructure require particular attention.

Tip #2. Enforce the least-privilege principle. Giving people the fewest
access rights they need to do their jobs is a well-known best practice that
really works. It reduces the risk of data misuse by insiders and
complicates the task of data theft for outside malefactors, who might have
to bribe a lot more people to get the data they want, increasing the odds
that they will be caught. Remember the old adage, “Three may keep a secret,
if two of them are dead.”

Tip #3. Continuously review activity around critical data. With visibility
into user actions across the IT environment, you can unmask data theft in
its early stages. After this data theft by rogue insiders, I began
reviewing user activity daily, and it has already helped me prevent data
misuse. For instance, one of our higher-level employees with broad
permissions recently copied a large number of files onto a USB stick. With
the solution for user activity monitoring, I detected the bulk copying
activity the same day. I reached out to him directly, deleted the files
from his USB and explained our security policies to him once again.

Tip #4. Analyze user behavior. However, just reviewing activity is not
enough. To detect misuse as early as possible, I started using the software
solution to also facilitate behavior anomaly discovery and alert me about
risky actions by potentially malicious actors. For instance, I was able to
quickly set up a custom alert that notifies me any time a user exceeds the
number of sensitive file reads I find worrisome.
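The detection in the story above (two accounts touching every document on the share inside a few minutes) and the custom alert in Tip #4 come down to the same rule: count the distinct sensitive files a user reads inside a sliding time window and alert when that count crosses a threshold. The Python below is an added example written for this page; it is not Netwrix code and not the author's configuration. The export format, the share path \\fs01\Curriculum, the user names and the 5-minute / 15-file thresholds are assumptions, and the audit records it runs over are constructed inline.

```python
"""Sliding-window detection of bulk reads on a sensitive file share.

Added example for this page: not Netwrix code and not the author's setup.
Log format, share path, user names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SENSITIVE_PREFIX = r"\\fs01\Curriculum"  # assumed share holding the curriculum maps
WINDOW = timedelta(minutes=5)             # burst window, sized to the 3-5 minute spike in the story
THRESHOLD = 15                            # distinct sensitive files read inside one window (assumed tuning)


def parse_line(line):
    """Parse one 'timestamp,user,action,path' record (assumed export format)."""
    ts, user, action, path = line.split(",", 3)  # the path itself may contain commas
    return datetime.fromisoformat(ts), user, action, path


def is_sensitive(path):
    # Windows share paths are case-insensitive, so compare case-folded
    return path.lower().startswith(SENSITIVE_PREFIX.lower())


def detect_bulk_reads(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: (first_ts, last_ts, distinct_files)} for every user whose
    distinct READs of sensitive files inside any `window` reach `threshold`.
    The tuple records the widest burst seen for that user."""
    events = sorted(parse_line(l) for l in lines if l.strip())  # oldest first
    recent = defaultdict(deque)  # user -> (ts, path) pairs still inside the window
    alerts = {}
    for ts, user, action, path in events:
        if action != "READ" or not is_sensitive(path):
            continue  # writes and reads on other shares do not count toward the burst
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop reads that have fallen out of the window
            q.popleft()
        distinct = {p for _, p in q}  # re-reading the same file is not a new file
        if len(distinct) >= threshold:
            prev = alerts.get(user)
            if prev is None or len(distinct) > prev[2]:
                alerts[user] = (q[0][0], ts, len(distinct))
    return alerts


def build_sample_log():
    """Constructed audit trail (not real data): one teacher reads a few maps over
    a morning, another reads every map in the share within four minutes."""
    subjects = ["Math", "Science", "English", "History", "Art"]
    files = ["\\".join([SENSITIVE_PREFIX, s, f"Grade{g}.docx"])
             for s in subjects for g in range(6, 10)]  # 20 curriculum maps
    lines = []
    t0 = datetime(2017, 8, 14, 7, 30)
    for i, f in enumerate(files[:5]):  # jdoe: five files, one every 20 minutes
        lines.append(f"{(t0 + timedelta(minutes=20 * i)).isoformat()},jdoe,READ,{f}")
    t1 = datetime(2017, 8, 14, 9, 2)
    for i, f in enumerate(files):      # msmith: all 20 files, one every 12 seconds
        lines.append(f"{(t1 + timedelta(seconds=12 * i)).isoformat()},msmith,READ,{f}")
    lines.append(f"{t1.isoformat()},msmith,WRITE,{SENSITIVE_PREFIX}\\Math\\Grade6.docx")  # a write: ignored
    lines.append(f"{t1.isoformat()},msmith,READ,\\\\fs01\\Public\\lunch-menu.pdf")      # other share: ignored
    return lines


SAMPLE_LOG = build_sample_log()


def report(alerts):
    """Human-readable summary, one line per flagged user."""
    return [f"{u}: {n} distinct sensitive files read between {a:%H:%M:%S} and {b:%H:%M:%S}"
            for u, (a, b, n) in sorted(alerts.items())]


if __name__ == "__main__":
    for line in report(detect_bulk_reads(SAMPLE_LOG)):
        print(line)
```

Run directly, it flags only msmith. In practice the same rule would be fed from the file server's object-access audit events or the monitoring tool's export, and the threshold should be set from a week or two of normal traffic so that a teacher opening a dozen maps for a department meeting does not trip it while a whole-share sweep still does.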

Tip #5. Communicate and enforce clear security policies. At the beginning
of each school year, I explain our security policies to all teachers and
other staff who deal with important data, so they know how to work with it
properly. I make sure to stress that their level of access requires the
highest level of responsibility and accountability. I also articulate the
consequences of data misuse, such as reprimand, dismissal and even
lawsuits. Do not forget to include your senior management and board.
Because they typically have broader access to your organization’s files and
sensitive data, their accounts are appealing targets for hackers and their
departure (friendly or unfriendly) from the organization poses a much
higher risk.

Tip #6. Validate your backups. In addition to stealing data, departing
employees sometimes also damage or delete the original files. Therefore, it
is critical to take proper backups and keep them safe, and a backup only
counts as validated once you have actually restored from it: periodically
restore a sample of files and confirm they are intact and current. In our
school district, apart from doing regular offline and online backups, we
continuously monitor access to the backup files to make sure there is
nothing malicious going on that could leave us vulnerable if anyone deletes,
encrypts or otherwise tampers with our data.

Tip #7. Have a proper off-boarding process. The greatest victory is the one
that requires no battle, so our school carefully follows effective user
termination best practices to cut off avenues that fired employees might
otherwise use to steal data. When my team receives an approved resignation
or termination document from HR, we immediately disable the ex-employee’s
account in Active Directory; each quarter, we delete all the disabled
accounts. If an employee is known to be disgruntled, I either disable his
account before the actual termination or keep a close eye on his activity
on the day he is scheduled to be fired. Note that disabling the directory
account only closes the doors that depend on it: shared or service-account
passwords the person knew, Wi-Fi pre-shared keys, and accounts in cloud
services that are not federated to the directory have to be rotated or
revoked separately, and sessions or tokens issued before the account was
disabled can remain valid until they expire.

Ex-employees know your IT infrastructure and staff, as well as your
strengths and weaknesses, so well that they can turn your life into a
horror story. Though there is no way to completely nullify the threat of
fired employees, by taking these 7 tips to heart, you can dramatically
reduce the chances that their schemes will succeed.