According to the 2016 Verizon Data Breach Investigations Report (DBIR), now in its ninth year and one of the largest reports, the number of breaches resulting from insider threats accounts for about 15% of all breaches. Per Verizon, “While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.”
That being said, 15% is still 15%, and Insider Threats are usually easier to prevent than External Threats. Low-hanging fruit, so to speak. Following are some facts about Insider Threats, their causes and their prevention.
Insider Threat Sources
According to a report from the 260,000+ member Information Security Community on LinkedIn and Crowd Research Partners, 3.8 is the average number of insider network attacks per business each year. These attacks come from the following sources and in the following forms:
Launch Points for Insider Attacks:
- 56% – Endpoints
- 43% – Network
- 42% – Mobile Devices
Top Insider Threats:
- 63% – Data Leaks
- 57% – Inadvertent Data Breach
- 53% – Malicious Data Breach
- 36% – Fraud
- 29% – IP Theft
- 23% – Espionage
- 20% – Sabotage
Most Risky Users:
- 59% – Privileged users, such as managers with access to sensitive information
- 48% – Contractors/consultants and temporary workers
- 46% – Regular, full/part-time employees
Collaboration & communication apps, such as email, are most vulnerable to insider attacks, followed by cloud storage and file sharing apps. Finance and accounting apps come in third.
Most Vulnerable Applications:
- 44% – Collaboration & Communication
- 43% – Cloud Storage & File Sharing
- 38% – Finance & Accounting
- 33% – Social Media
- 29% – Sales & Marketing
What about non-employees? Another alarming number: 89, the number of different third-party vendors that access an average company network every week (https://www.bomgar.com/vendorvulnerability). No data was given in this report as to how many Insider Attacks came through third-party vendors, and that number reflects very large networks as well as small ones, but it is still a bit of a surprise. More on this in a later Tidbits.
The Insider Threat can come from current employees, vendors or guests, but what about ex-employees? It turns out that, yes, even though they no longer show up to drink the company coffee, ex-employees can still take a drink from the company data cup. A shocking (and I thought that I could no longer be shocked) 89% of ex-employees still have a valid login and password to at least one business application after they’re let go (“The ex-employee menace” – 2014 – https://www.intermedia.net/Reports/RogueAccess ). That is most of an organization’s ex-employees retaining access to company data of some sort.
How This Affects End Users
Good user management practice is an area where Managed Services can help our clients reduce risk. We already have employee de-provisioning checklists for some clients and should develop a customized checklist for each Managed Services client. This may be a T&M project, so check with Melody and Aaron before launching it. The same should go for vendors who are given access to servers, network devices, or the company Secure WiFi network (see below). Secure WiFi network passphrases should be changed periodically, or, in the case of Active Directory-coupled WiFi networks (using RADIUS), the authorized users group should be reviewed on a regular basis.
More Info here: “Insider Threat Spotlight Report” – http://www.veriato.com/docs/default-source/infographics/insider-threat-spotlight-report.pdf
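As an added example of the periodic review described above (not part of the original Tidbits), the following PowerShell script lists the members of the AD group that a RADIUS-backed Secure WiFi network trusts and flags the ones that should no longer be there: disabled accounts, accounts missing from an HR export of current staff, and accounts idle longer than a threshold. The group name, the HR CSV path and column, and the 90-day idle window are assumptions to adjust per client.

```powershell
#Requires -Modules ActiveDirectory
# Audit the AD group that grants Secure WiFi (RADIUS) access.
# Assumed inputs: group name, HR export with a 'SamAccountName' column, idle threshold.
param(
    [string]$WifiGroup   = 'Secure-WiFi-Users',        # assumed group name
    [string]$HrActiveCsv = 'C:\Reports\hr-active.csv', # assumed HR export of current staff
    [int]$IdleDays       = 90                          # assumed idle threshold
)

$cutoff   = (Get-Date).AddDays(-$IdleDays)
$hrActive = @{}
Import-Csv $HrActiveCsv | ForEach-Object { $hrActive[$_.SamAccountName.ToLower()] = $true }

# -Recursive expands nested groups, so a contractor group nested inside is still seen.
$members = Get-ADGroupMember -Identity $WifiGroup -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
    $reasons = @()
    if (-not $u.Enabled) { $reasons += 'account disabled' }
    if (-not $hrActive.ContainsKey($u.SamAccountName.ToLower())) { $reasons += 'not on HR active list' }
    if ($u.LastLogonDate -and $u.LastLogonDate -lt $cutoff) { $reasons += "no logon in $IdleDays days" }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Name           = $u.Name
            LastLogonDate  = $u.LastLogonDate
            Reasons        = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
"{0} of {1} WiFi group members flagged for review" -f @($findings).Count, @($members).Count
```

Members that appear in the output are candidates for removal from the group; a name that is on the HR list but idle may simply be a user who never connects to WiFi, so confirm before removing.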
“Hey, It’s MY Phone, I Can Do What I Want With It”
RiskIQ, which specializes in external threat management, surveyed how many people pirate content online using their personal devices and whether or not they believe that using the same devices in the office poses a security threat. Here is what they found:
- 59% of UK employees are putting their businesses at risk of malware infection by using their personal devices to access corporate networks and illegal pirated content
- 80% of those accessing the content considered the personal security risks of doing so, but only 60% consider the security implications for their employers
- Individuals who stream or download pirated content online are 28 times more likely to get malware than those who use legitimate services to obtain content
- 33% of the piracy sites that were studied during the survey suffered from at least one malware related incident
- 20 of the piracy sites exposed 3 out of 4 of their visitors to malware
- 55% of the malware that was detected infected users through fake prompts to download Flash or other anti-virus updates
- 45% of malware came directly as a result of downloading pirated content
- The top reasons for downloading or streaming pirate content are because it is free (23%), it is available before paid content (13%), the belief that all content should be free (12%) and the content people are trying to access is not available in any other way in the region (10%)
While the study was of UK residents, I think it reasonable to assume that similar attitudes prevail in the U.S.
How This Affects End Users
This is something we can make our clients aware of and provide solutions for. The easiest solution that employees will accept is the separation of Guest WiFi traffic, used for personal devices, from Secure traffic that runs on the same network as company workstations and servers. This means two WiFi networks, like we have in the Eugene office, and is nothing terribly new to most people these days. While this does not take care of the legal implications of downloading pirated material, it mitigates the risk of infection for company machines. We already have separate WiFi networks in place for some clients, but can still push this idea out to the rest of them.
More Info can be had here: http://www.itproportal.com/2016/04/19/pirating-content-personal-devices-risks-work-security/
Part of the reason that Insider Threats are still prevalent is the fact that people get tired of being on their guard all of the time. Combine that with the number of news articles spreading FUD (Fear, Uncertainty and Doubt) and vigilance begins to wane. The Rand Corporation conducted a survey, using a nationally representative sample of 2,038 adults, about data breaches and extrapolated the results to find the following:
- Higher-income and better-educated respondents were more likely to remember experiencing a breach; younger adults (ages 18–34) and senior citizens (ages 65+) were less likely.
- 51%, or an estimated 36 million individuals, received two or more notifications in the year preceding the survey.
- 44% of those who received a notification in their lifetime were already aware of the breach from a source other than the affected company; typically media reports or notifications from a third party.
- 62% of respondents accepted offers of free credit monitoring.
- According to respondents, three main factors influenced their decision: (1) time and effort required, (2) quality perception and trust (both of the affected company and of the breach notification service), and (3) whether the offer duplicated other services the victim had.
- 11% of respondents stopped dealing with the affected company following a breach.
- 32% of respondents reported no cost from the breach or from any inconvenience it caused; among those reporting some cost, the median cost was $500. Median dollar values were higher if health information ($1,000), social security numbers ($1,000), or other financial information ($864) was compromised.
- 6% said that the inconvenience cost them $10,000 or more. For these, the breach typically involved credit card or health information.
- 77% of respondents were highly satisfied with the company’s post-breach response.
- The steps that would highly satisfy most respondents were (1) take measures to ensure that a similar breach cannot occur in the future (68 percent), (2) offer free credit monitoring or similar services to ensure that lost data is not misused (64 percent), and (3) notify consumers immediately (63 percent). All three of these actions were valued more highly than receiving financial compensation for the inconvenience.
How This Affects End Users
How do we convince people that security is still important even though it seems like so much old news? The answer seems to be to incorporate security awareness into every project and into the company culture. Short-term awareness campaigns seem to work for short periods of time before fatigue sets in again. Convincing the top business stakeholders (owners, leadership and managers) of the value of their data and the cost of its loss is the start. After that, it has to be reinforced from the top folks at each client. If security is important to the company leadership, it will take on a greater importance to all staff. This culture of awareness will take on different forms for each client and is something that we can help them to develop and to reinforce with each client interaction.
More Info can be had here: http://www.rand.org/pubs/research_reports/RR1187.html