Research Report
Contents
2 Executive overview
3 Motivations and methods
5 Data breaches: an inside look
9 Recommendations and mitigation techniques
10 Protect your enterprise while reducing cost and complexity
10 About IBM Security
11 For more information
11 Author
11 References
11 Contributors
Executive overview
Imagine a scenario: In a single day, a disgruntled employee
opposed to the practices of your company downloads sensitive
or confidential company documents, announces his or her
resignation, and tells the inside story to a journalist friend. The
revelations become front-page news, and the company's legal
and public relations teams spend millions trying to repair the
company's tarnished brand. Perhaps they succeed. Perhaps
they don't.
Or another scenario: A trusted third party with which your
company conducts business is compromised. Information
garnered from this breach is then used to target your company.
Motivations
The motivations of insiders with malicious intent vary, but
financial gain is clearly more common than any other. The
largest insider breach recorded by the PRC involved the
compromise of 17 million records from a large financial
institution by a senior financial analyst who downloaded and
sold customer profile information, including Social Security
numbers, for two years.
Scenarios like that have played out time and time again
over the past two decades. Sensitive information yields the
attacker a high return on the black market; more victims mean
more money. Unfortunately, that's also true for the targeted
company: more victims mean greater financial loss. Once the
breach is disclosed, class-action suits surface with charges of
negligence. Companies often have to pay for credit monitoring
services for each victim, typically for a year or more, and
then there may be reimbursement of out-of-pocket costs or
identity theft expenses along with other legal fees. It all adds
up. According to the most recent findings from the annual
Ponemon Cost of Data Breach study, the average cost to a
company is $3.8 million, a two-year increase of 23 percent.1
Financial gain is a popular motive, but it's not the only one.
Dissatisfied employees or angry ex-employees may want
to retaliate by causing a Denial of Service (DoS) attack or
defacing a company's website. In May 2013, for instance, a
breach was disclosed involving a company in the retail industry.
More than a year before the disclosure, a disgruntled employee
announced his resignation and then was caught copying
files from his computer to a flash drive. Transaction and
intranet disruptions ensued following his departure from the
company. Even in this sort of scenario, however, what begins as
discontent may morph into a desire for monetary gain.
Methods
Once they have a motive, insiders need a method. Selling or
destroying sensitive information or systems is a popular avenue
of attack. A technically savvy insider could target known
vulnerabilities in a business-critical application, either to obtain
information or to cause other damage. Another alternative
is disrupting or interfering with the flow of information
via a DoS attack; though easily traced and detected if it's a
cyber attack, a physical DoS is difficult to trace back to the
perpetrator. Someone could pour water into a server, place a
magnet near a hard disk, or simply steal a system: pick it up
and carry it away.
[Figure: chart comparing insider disclosure with unintended disclosure; only the axis ticks (20 to 120) survived extraction.]
Industries targeted
Among industries targeted, the government and military
institutions have been by far the most seriously affected
by unintended disclosure, with nearly 20 million records
compromised between 2005 and 2014 (see Figure 2). But
given this sector's secretive nature, underreporting is more
than likely and the real number may be much higher. The
general business category is in distant second place with less
than 5 million records compromised. Across all industries, just
over 29 million of the nearly 736 million records reported as
compromised fall into the unintended disclosure category.
Not surprisingly, finance and insurance was the sector most
seriously affected by intentional insider breaches, accounting
for 88 percent of all records reported compromised in this
way (Figure 3). These institutions house a wealth of profitable
information for insiders looking to capitalize on their position
within the company. Unlike in the unintended disclosure
category, where they led, government and military institutions
ranked a distant second in intentional disclosures.
[Figure 2: Records compromised by unintended disclosure, by industry, 2005 to 2014; total 29,128,245. Labels shown: general business, retail/merchant, educational, government/military, healthcare, nonprofit. Values extracted: 1,280,711; 4,785,882; 208,756; 1,865,525; 19,413,391; 1,559,363; 1,441. The text confirms government/military at 19,413,391 and general business at 4,785,882; the remaining label-to-value pairings did not survive extraction.]

[Figure 3: Records compromised by intentional insider breaches, by industry. Labels shown: general business, retail/merchant, educational, government/military, healthcare, nonprofit. Values extracted: 641,241; 84,960; 187,820; 1,048,866; 685,610; 1,000,317. The finance/insurance value (88 percent of records, per the text) is not among the extracted numbers, and the label-to-value pairings did not survive extraction.]
Recommendations and mitigation techniques
Many of the steps taken to mitigate external threats also
apply to internal threats. Monitoring employee activity to
identify misuse and suspicious behavior is critical and can
be accomplished in several ways. Products that perform
behavior monitoring and anomaly detection, such as the IBM
QRadar Security Intelligence platform, are a must. Most
commonly, companies use this type of detection to monitor for
anomalies in connections: an increased number of connections
between a host computer and an internal client computer, for
example. An outside threat detected this way could be malware
propagating itself and communicating with its command and
control servers. IBM Security's QRadar customers have
discovered anomalies such as strange file transfers in the
middle of the night to countries with which they've never done
business. Some organizations leverage this detection to profile
specific applications. A financial organization might monitor a
custom trading application to identify substantial or abnormal
increases or decreases in quoting or trading activity.
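The two detections this paragraph describes, a spike in connections between a pair of hosts and a large off-hours transfer to a country the company has no business with, are shown below as an added example. It is not code from the report or from QRadar; the flow records are constructed for the example, and the allowlist of business countries, the z-score threshold and the size cut-off are assumptions a real deployment would tune from its own baseline.

```python
"""Connection-spike and off-hours foreign-transfer detection over constructed flow records."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the countries this company actually does business with.
BUSINESS_COUNTRIES = {"US", "DE", "GB"}


def parse_flow(line):
    """Parse one record of the form "timestamp,src,dst,dst_country,bytes"."""
    ts, src, dst, country, nbytes = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "country": country, "bytes": int(nbytes)}


def constructed_flows():
    """Constructed sample, not real traffic.

    ws-17 normally opens 3 connections an hour to the file server fs-01, then
    opens 14 in hour 14. ws-22 pushes 700 MB to an unfamiliar country at 03:12
    and 50 MB to a partner country during the working day.
    """
    lines = []
    for hour in range(9, 14):
        for i in range(3):
            lines.append(f"2015-04-13T{hour:02d}:{i * 15:02d}:00,ws-17,fs-01,US,12000")
    for i in range(14):
        lines.append(f"2015-04-13T14:{i * 4:02d}:00,ws-17,fs-01,US,12000")
    lines.append("2015-04-14T03:12:00,ws-22,203.0.113.7,BR,734003200")
    lines.append("2015-04-13T11:30:00,ws-22,198.51.100.4,DE,52428800")
    return [parse_flow(line) for line in lines]


def connection_spikes(flows, zscore=3.0, min_baseline_hours=3):
    """Flag (src, dst) pairs whose connection count in some hour exceeds
    mean + zscore * stddev of that pair's other hours.

    The stddev is floored at 1 so a perfectly flat baseline still requires a
    real jump rather than firing on any change at all.
    """
    per_pair = defaultdict(lambda: defaultdict(int))
    for f in flows:
        hour = f["ts"].replace(minute=0, second=0, microsecond=0)
        per_pair[(f["src"], f["dst"])][hour] += 1
    alerts = []
    for pair, hours in per_pair.items():
        if len(hours) <= min_baseline_hours:
            continue  # not enough history to call anything abnormal
        for hour, n in hours.items():
            others = [c for h, c in hours.items() if h != hour]
            threshold = mean(others) + zscore * max(pstdev(others), 1.0)
            if n > threshold:
                alerts.append({"pair": pair, "hour": hour, "count": n,
                               "threshold": threshold})
    return alerts


def off_hours_foreign_transfers(flows, start_hour=0, end_hour=5,
                                min_bytes=100 * 1024 * 1024):
    """Flag transfers of at least min_bytes made between start_hour and
    end_hour to a country outside BUSINESS_COUNTRIES."""
    return [f for f in flows
            if start_hour <= f["ts"].hour < end_hour
            and f["country"] not in BUSINESS_COUNTRIES
            and f["bytes"] >= min_bytes]


if __name__ == "__main__":
    flows = constructed_flows()
    for a in connection_spikes(flows):
        print(f"spike: {a['pair']} at {a['hour']:%Y-%m-%d %H}:00, "
              f"{a['count']} connections (threshold {a['threshold']:.1f})")
    for f in off_hours_foreign_transfers(flows):
        print(f"off-hours transfer: {f['src']} -> {f['dst']} ({f['country']}), "
              f"{f['bytes']} bytes at {f['ts']}")
```

The spike check compares each hour against the pair's other hours, which is fine for a batch review; a streaming deployment would use a trailing window so that the anomalous hour cannot inflate its own baseline.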
Access management should be another top priority.
Users' access should be managed throughout their entire
employment, not just after they've left the company. When
an employee changes roles or responsibilities within the same
organization, his or her access should be assessed with each
change and unnecessary privileges revoked. When employees
leave, the employer must obtain all their usernames and
passwords before they depart and verify, there and then, that
That last item is often the hardest to address. Custom, build-it-yourself malware toolkits are easily acquired, so organizations
would be wise to take hosts used by former employees offline
immediately. A backup should be made on an external storage
device and the host completely rebuilt from trusted media
before being reconnected to the network and passed on to
another employee. Host intrusion monitoring is the key to
ensuring that devices are behaving as expected.
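One concrete form of the host monitoring recommended above is a file-integrity baseline: hash every file on the host right after it is rebuilt from trusted media, seal the manifest with a key kept off the host, and compare later to see what was added, changed or removed. The code below is an added example, not the report's or IBM's; the directory tree, the tampering and the key are constructed for the demonstration.

```python
"""Trusted-media baseline manifest and later integrity check for a rebuilt host."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """HMAC over the canonical JSON form, so a manifest edited on a compromised
    host is detected. The key is assumed to be stored off the host."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_seal(manifest, key, seal):
    """Constant-time comparison of the stored seal against a recomputed one."""
    return hmac.compare_digest(seal_manifest(manifest, key), seal)


def diff_manifests(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temporary directory: a freshly rebuilt host is
    baselined, then a binary is replaced, a tool is dropped and a config file
    is deleted. Returns the diff and whether the stored seal still verifies."""
    key = b"constructed-off-host-key"  # assumption: the real key never lives on the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        baseline = build_manifest(root)
        seal = seal_manifest(baseline, key)

        # Tampering after the baseline was taken.
        (root / "bin" / "login").write_bytes(b"trojaned login binary\n")
        (root / "bin" / "helper").write_bytes(b"dropped tool\n")
        (root / "etc" / "hosts").unlink()

        current = build_manifest(root)
        return {
            "diff": diff_manifests(baseline, current),
            # The original manifest still verifies against its seal...
            "baseline_seal_ok": verify_seal(baseline, key, seal),
            # ...but a manifest rewritten to match the tampered host does not,
            # because producing a matching seal needs the off-host key.
            "tampered_seal_ok": verify_seal(current, key, seal),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must be taken from the freshly rebuilt image, before the host is reconnected to the network; a baseline taken from a host a former employee still had access to only enshrines whatever they left behind.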
An organization's data is one of its most vital assets. A
comprehensive encryption strategy should be applied to
protect confidential information and maintain compliance.
Protecting data involves covering all the bases: data at rest,
in transit and in use. Special attention should be paid to
how information is disposed of. Also, a comprehensive security
strategy to prevent insider threats needs to address physical
security requirements. Deploying a digital video surveillance
system or employing a security guard should help reduce
physical threats. A complete data lifecycle management (DLM)
approach including data loss prevention (DLP) software is
essential both to guard against insider threats and to address
government and industry compliance requirements.
If an organization has in place a comprehensive security
solution that incorporates the mitigating tactics noted in this
report, it has taken the important steps to protect itself against
insider threats. At a minimum, corporations should be able to
spot such threats quickly and respond before too much damage
is done.
Author
Diana Kelley, Executive Security Advisor

Contributors
Jason Corbin, Director, Security Intelligence Strategy and Product Management
Jay Bretzmann, Segment Marketing Specialist, IBM Security Systems

References
SEL03036-USEN-00