[BreachExchange] Insider threats: Suffering from the detective's curse

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 18 18:17:07 EST 2018


Recently, I was watching an episode of the crime drama True Detective. The
character Marty, played by Woody Harrelson, is discussing with his partner
the concept of the ‘Detective's Curse'. This is when the answer to a
complex case is under the detective's nose the whole time, yet they still
can't see it.

In the IT security space, a certain degree of detective work is required.
Think threat hunting and attribution. It's all about working from the big
picture backwards. Examining every log to identify what went wrong, who
gained access to which files and how. While most businesses consider
external threats as one of the biggest challenges to their overall security
and may focus their efforts here, perhaps they should start looking a
little bit closer to home before pointing the finger at third-party

The danger from within
Sometimes when looking for an answer, you search everywhere before
looking at what's right in front of you. One may be thinking: how does this
apply to enterprise security? One of the biggest threats to business
security comes from insiders, people from within including freelancers and
on-site contractors, who have elevated levels of access to privileged
accounts. According to recent research, the level of trust that businesses
have in their employees is far too high, with 41 per cent of UK respondents
stating that they have complete trust in employees with privileged access.
This isn't a good position to be in, and too much trust in employees is
one of the biggest threats that needs to be addressed. It may be a cliché,
but the weakest link in a business's cyber-defences is often internal.

Placing a lot of trust in employees with privileged access can be a
double-edged sword. Security professionals are aware of the various risks
that these employees pose to the business. Yet rogue employees that plan to
exploit company data for malicious intent don't top the list of concerns
for IT decision makers. The top concerns are that a breach could be caused
by employees unintentionally mishandling data, for example sending
sensitive information via email to the wrong person, or that an employee's
administrative access or privileged credentials could be easily phished by
nefarious individuals.

It only takes one employee to leave a business exposed and vulnerable, and
we are seeing more attacks and incidents being associated with various
forms of insider threat. Earlier this year, Bupa, the UK private healthcare
giant, fell victim to a rogue employee who inappropriately copied and
removed some customer information from the company. The data breach
affected around 547,000 health insurance policies, with the data stolen
including names, dates of birth, nationalities, and insurance membership
numbers. To safeguard against this type of leak, it's crucial that
organisations control, manage, and monitor privileged access to their

Educate, educate, educate
Technology is only one component of a robust security posture. People and
processes also have a key role to play. Any business can invest in new
technology, yet many often come up short when deploying and evolving
security processes and training. The research also revealed that less than
half of companies have reviewed their access policy in the last two years.
This is an alarmingly insufficient approach. Businesses must implement IT
security training initiatives to educate employees on security policies and
best practices. It begs the question: if an employee hasn't been trained to
know what a threat looks like, how will they be able to protect themselves?

Complacency can be costly
One of the more concerning results from Bomgar research was that most
businesses feel reasonably safe most of the time. This feeling is not
unexpected and probably a form of self-defence; you can't live in constant
fear, but in the face of a rapidly evolving risk landscape this complacency
only serves to invite trouble. Is it too much to ask to want to feel
completely protected all of the time? After the recent Yahoo and Equifax
hacks security teams should be rushing to plug any holes.

With tools readily available to businesses, there's no excuse for allowing
internal parties unsecured privileged access to critical systems and data.
With breaches making headline news on a daily basis, the pressure will
continue to mount on businesses to tighten up their defences. Remember,
sometimes the answer to your problem can be found right under your nose.