Welcome!

Industrial IoT Authors: Yeshim Deniz, Liz McMillan, Elizabeth White, Stackify Blog, SmartBear Blog

Related Topics: Industrial IoT, @CloudExpo, Cloud Security

Industrial IoT: Blog Feed Post

Insider Security Threats By @Vormetric | @CloudExpo [#Cloud]

It would be fair to assume Edward Snowden might be one of the first names or faces to pop into your head

What We Talk About When We Talk About Insider Threats

What does the term “insider threat” mean to you? It would be fair to assume Edward Snowden might be one of the first names or faces to pop into your head. Snowden was an insider, and he proved to be a threat. He also had malicious intentions.

But, you would be shortsighted in thinking that malicious insiders are the biggest risk to your data. While Edward Snowden may be considered the “insider threat” poster child, not all employees have malicious intentions. In fact, it’s likely the vast majority of your employees have completely innocuous intentions (after all, most of us like our paychecks and want to keep them coming!) Counted among those employees, however, are your “privileged users.”

Here at Vormetric, we define privileged users as high-level computer operators who often have powerful, privileged access rights. They can include – but are not limited to – root users, domain administrators and system administrators.

More than just traditional insidersSimply by having access, privileged users may unwittingly put data at risk – or be used by an outside actor as a conduit for siphoning data. Unsurprisingly, privileged accounts are very attractive targets for attackers seeking to leverage access privileges for their own nefarious purposes. Therefore, it’s completely accurate to say that all privileged users – regardless of whether or not they have bad intentions – can be considered an “insider threat.”

Let’s take a look at a couple examples of high-profile data breaches and see where insider chips fell:

Sony Pictures

While there are still questions to be answered, CNN has reported hackers infiltrated the system by stealing the computer credentials of a Sony systems administrator. That’s right, a systems administrator. Although investigators have not ruled out the involvement of a malicious insider or former employee, they have not found evidence to indicate this was the case.

The ramifications for Sony from a financial, legal, and professional standpoint are unprecedented. Leaked information includes medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories.

Sony employees now suing the company for negligence have termed the hack an “epic nightmare.” This dramatic language is being echoed by Gartner cybersecurity analyst Avivah Litan, who believes the breach may very well be “the costliest ever for a U.S. company” and one that “went to the heart and core of Sony’s business.”

The attack also stirred unwanted memories for South Carolinians, which brings me to the next “insider” breach.

The South Carolina Department of Revenue

In October 2012, more than 3.3 million unencrypted bank accounts and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue. The attack started when a state employee responded to a phishing attack that enabled cyber criminals to use the employee’s (a privileged user) credentials, access the state’s databases, and steal sensitive data. While almost all of the credit and debit card numbers were encrypted, the social security numbers were not – leaving South Carolina citizens vulnerable to identity theft scams.

Did the employee intend for this to happen? No. Did the employee have access to a host of very critical, private data? Yes.

Where Do We Go From Here?

The breadth and depth of private and public sector breaches in the past few years further indicates there is a major disconnect when it comes to organization’s handling of data security – and how they treat insiders. Breach after breach we’ve seen insiders, or someone who has obtained insider privileges, wreak havoc.

Organizations that don’t properly control privileged user or system administrator access are setting themselves up for infiltration by malicious insiders or crafty outsiders looking to take advantage of the wealth of data at their disposal. Our 2013 Insider Threat data report found that only 27% of US organizations blocked privilege user access to sensitive data, whereas our 2014 European version of the report saw that number basically double. There is increased focus on the insider and their behavior within the organization, yet there is far too little emphasis on the data an insider can access with their privileged account access.

Here’s a hypothetical: an interviewee comes in with the desired experience and background a company is looking for, but they’re secretly hell-bent on eventually pulling a Snowden. Do you think it will be easy to identify them as a malicious insider during the vetting and hiring process? Smart agents aren’t going to give something away that would arouse suspicion; it’s pretty unlikely they will walk in brandishing, say, the North Korean flag or talking about their love of a Chinese competitor.

At the end of the day, once a malicious insider is in, he or she is in. What matters is the type of data said insider has access to.

This mantra also applies to non-malicious insiders. Like privileged user Susan up on the 9th floor. Susan, a systems administrator, is as loyal as they come. She feels passionate about her company, its ethos and her work. She’s smart, hardworking and would never intend to do something that would put company data in jeopardy.

While we can sing Susan’s praises all day long, it’s not her attitude that matters. It’s her access. It’s that she has the keys to her company’s kingdom, and if her company don’t have the proper precautions in place, there’s only so much she can do to hold onto them.

Compliance as a Crutch

“But, my company is up-to-date on compliance standards!” you say. Well, congratulations. You get to dodge government fines for at least another year. And by the way, so was Target.

If you really think being compliant means your data is safe, well, I have a bridge to sell you in China.

Since I’m on the subject of bridges, I’ll try to put this in terms that are easily understandable. Think of compliance as a bridge. It’s the bridge that allows your company to cross the water and enter into the castle. But, what’s protecting invaders from also crossing that bridge? That’s right, you need guards, and a moat, cannons, and maybe some dragons if you’re into that sort of thing.

My point is that compliance is not enough. It remains and will likely always remain a baseline standard for protecting information. But it should never be confused with security.

Oh, This Again: Encrypt Everything

If I sound like a broken record, it’s because this isn’t my first time at the rodeo. How many more of these breaches are we going to tolerate before we start to make changes to how we handle our data?

Back in October, I wrote a post about the strategy of “encrypting everything.” While I certainly won’t recap all of it, my opinion about the below adages remain the same:

  • Realize that your data is the target, not your network. Yes – attackers do penetrate firewalls and exploit application security holes, but they do so to get to high value data, just as an inside attacker would
  • Rein in your privileged users: if your employee doesn’t need access, they shouldn’t have it just because they have a certain title
  • Solutions exist that allow you to restrict access to sensitive information while still giving privileged users to the tools they need to perform their work, such as encryption with access controls linked to your identity management systems
  • While no company or CEO wants to discuss a data breach, having a broad-based “data first” protection strategy plays well from both a security and marketing perspective. It’s important to keep your fiscal and reputational house in order. If you need more assurances of this, I suggest you speak to a C-level executive at Sony, Target or Home Depot. While you’re at it, you might want to sit in on one of the many post-data-breach-government-oversight-committee-hearings on Capitol Hill. Pick your poison; you’ve probably got a few options.

Bottom line? With proper data controls, you can have your cake (sufficient use of privileged accounts) and eat it too (simultaneous protection of the data).

To close out, earlier I noted our 2013 Insider Threat report found that U.S. businesses were sorely lacking when it came to privileged user access restrictions. We’re excited to report we’ll soon be able to tell you if that statistic has changed in the past two years. But in the meantime, you’ll have to wait to just a little bit longer…

The post What We Talk About When We Talk About Insider Threats appeared first on Data Security Blog | Vormetric.

More Stories By Vormetric Blog

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, big data and cloud environments. Data is the new currency and Vormetric helps over 1400 customers, including 17 of the Fortune 30 and many of the world’s most security conscious government organizations, to meet compliance requirements and protect what matters — their sensitive data — from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application’s data —anywhere it resides — with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence.

@ThingsExpo Stories
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, will discuss how they bu...
Infoblox delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. They are the industry leader in DNS, DHCP, and IP address management, the category known as DDI. We empower thousands of organizations to control and secure their networks from the core-enabling them to increase efficiency and visibility, improve customer service, and meet compliance requirements.
Digital transformation is changing the face of business. The IDC predicts that enterprises will commit to a massive new scale of digital transformation, to stake out leadership positions in the "digital transformation economy." Accordingly, attendees at the upcoming Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA, Oct 31-Nov 2, will find fresh new content in a new track called Enterprise Cloud & Digital Transformation.
SYS-CON Events announced today that N3N will exhibit at SYS-CON's @ThingsExpo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. N3N’s solutions increase the effectiveness of operations and control centers, increase the value of IoT investments, and facilitate real-time operational decision making. N3N enables operations teams with a four dimensional digital “big board” that consolidates real-time live video feeds alongside IoT sensor data a...
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp emp...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
SYS-CON Events announced today that Avere Systems, a leading provider of hybrid cloud enablement solutions, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere Systems was created by file systems experts determined to reinvent storage by changing the way enterprises thought about and bought storage resources. With decades of experience behind the company’s founders, Avere got its ...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere delivers a more modern architectural approach to storage that doesn't require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbui...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection between Coke and its customers. Digital signs pair software with high-resolution displays so that a message can be changed instantly based on what the operator wants to communicate or sell. In their Day 3 Keynote at 21st Cloud Expo, Greg Chambers, Global Group Director, Digital Innovation, Coca-Cola, and Vidya Nagarajan, a Senior Product Manager at Google, will discuss how from store operations...
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, will discuss how by using...
In this strange new world where more and more power is drawn from business technology, companies are effectively straddling two paths on the road to innovation and transformation into digital enterprises. The first path is the heritage trail – with “legacy” technology forming the background. Here, extant technologies are transformed by core IT teams to provide more API-driven approaches. Legacy systems can restrict companies that are transitioning into digital enterprises. To truly become a lead...
SYS-CON Events announced today that Daiya Industry will exhibit at the Japanese Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ruby Development Inc. builds new services in short period of time and provides a continuous support of those services based on Ruby on Rails. For more information, please visit https://github.com/RubyDevInc.
SYS-CON Events announced today that CAST Software will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CAST was founded more than 25 years ago to make the invisible visible. Built around the idea that even the best analytics on the market still leave blind spots for technical teams looking to deliver better software and prevent outages, CAST provides the software intelligence that matter ...
As businesses evolve, they need technology that is simple to help them succeed today and flexible enough to help them build for tomorrow. Chrome is fit for the workplace of the future — providing a secure, consistent user experience across a range of devices that can be used anywhere. In her session at 21st Cloud Expo, Vidya Nagarajan, a Senior Product Manager at Google, will take a look at various options as to how ChromeOS can be leveraged to interact with people on the devices, and formats th...
SYS-CON Events announced today that Yuasa System will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Yuasa System is introducing a multi-purpose endurance testing system for flexible displays, OLED devices, flexible substrates, flat cables, and films in smartphones, wearables, automobiles, and healthcare.
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities – ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups. As a result, many firms employ new business models that place enormous impor...
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...