Welcome!

Industrial IoT Authors: Liz McMillan, Yeshim Deniz, Elizabeth White, SmartBear Blog, Pat Romanski

Related Topics: Industrial IoT, @CloudExpo, Cloud Security

Industrial IoT: Blog Feed Post

Insider Security Threats By @Vormetric | @CloudExpo [#Cloud]

It would be fair to assume Edward Snowden might be one of the first names or faces to pop into your head

What We Talk About When We Talk About Insider Threats

What does the term “insider threat” mean to you? It would be fair to assume Edward Snowden might be one of the first names or faces to pop into your head. Snowden was an insider, and he proved to be a threat. He also had malicious intentions.

But, you would be shortsighted in thinking that malicious insiders are the biggest risk to your data. While Edward Snowden may be considered the “insider threat” poster child, not all employees have malicious intentions. In fact, it’s likely the vast majority of your employees have completely innocuous intentions (after all, most of us like our paychecks and want to keep them coming!) Counted among those employees, however, are your “privileged users.”

Here at Vormetric, we define privileged users as high-level computer operators who often have powerful, privileged access rights. They can include – but are not limited to – root users, domain administrators and system administrators.

More than just traditional insidersSimply by having access, privileged users may unwittingly put data at risk – or be used by an outside actor as a conduit for siphoning data. Unsurprisingly, privileged accounts are very attractive targets for attackers seeking to leverage access privileges for their own nefarious purposes. Therefore, it’s completely accurate to say that all privileged users – regardless of whether or not they have bad intentions – can be considered an “insider threat.”

Let’s take a look at a couple examples of high-profile data breaches and see where insider chips fell:

Sony Pictures

While there are still questions to be answered, CNN has reported hackers infiltrated the system by stealing the computer credentials of a Sony systems administrator. That’s right, a systems administrator. Although investigators have not ruled out the involvement of a malicious insider or former employee, they have not found evidence to indicate this was the case.

The ramifications for Sony from a financial, legal, and professional standpoint are unprecedented. Leaked information includes medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories.

Sony employees now suing the company for negligence have termed the hack an “epic nightmare.” This dramatic language is being echoed by Gartner cybersecurity analyst Avivah Litan, who believes the breach may very well be “the costliest ever for a U.S. company” and one that “went to the heart and core of Sony’s business.”

The attack also stirred unwanted memories for South Carolinians, which brings me to the next “insider” breach.

The South Carolina Department of Revenue

In October 2012, more than 3.3 million unencrypted bank accounts and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue. The attack started when a state employee responded to a phishing attack that enabled cyber criminals to use the employee’s (a privileged user) credentials, access the state’s databases, and steal sensitive data. While almost all of the credit and debit card numbers were encrypted, the social security numbers were not – leaving South Carolina citizens vulnerable to identity theft scams.

Did the employee intend for this to happen? No. Did the employee have access to a host of very critical, private data? Yes.

Where Do We Go From Here?

The breadth and depth of private and public sector breaches in the past few years further indicates there is a major disconnect when it comes to organization’s handling of data security – and how they treat insiders. Breach after breach we’ve seen insiders, or someone who has obtained insider privileges, wreak havoc.

Organizations that don’t properly control privileged user or system administrator access are setting themselves up for infiltration by malicious insiders or crafty outsiders looking to take advantage of the wealth of data at their disposal. Our 2013 Insider Threat data report found that only 27% of US organizations blocked privilege user access to sensitive data, whereas our 2014 European version of the report saw that number basically double. There is increased focus on the insider and their behavior within the organization, yet there is far too little emphasis on the data an insider can access with their privileged account access.

Here’s a hypothetical: an interviewee comes in with the desired experience and background a company is looking for, but they’re secretly hell-bent on eventually pulling a Snowden. Do you think it will be easy to identify them as a malicious insider during the vetting and hiring process? Smart agents aren’t going to give something away that would arouse suspicion; it’s pretty unlikely they will walk in brandishing, say, the North Korean flag or talking about their love of a Chinese competitor.

At the end of the day, once a malicious insider is in, he or she is in. What matters is the type of data said insider has access to.

This mantra also applies to non-malicious insiders. Like privileged user Susan up on the 9th floor. Susan, a systems administrator, is as loyal as they come. She feels passionate about her company, its ethos and her work. She’s smart, hardworking and would never intend to do something that would put company data in jeopardy.

While we can sing Susan’s praises all day long, it’s not her attitude that matters. It’s her access. It’s that she has the keys to her company’s kingdom, and if her company don’t have the proper precautions in place, there’s only so much she can do to hold onto them.

Compliance as a Crutch

“But, my company is up-to-date on compliance standards!” you say. Well, congratulations. You get to dodge government fines for at least another year. And by the way, so was Target.

If you really think being compliant means your data is safe, well, I have a bridge to sell you in China.

Since I’m on the subject of bridges, I’ll try to put this in terms that are easily understandable. Think of compliance as a bridge. It’s the bridge that allows your company to cross the water and enter into the castle. But, what’s protecting invaders from also crossing that bridge? That’s right, you need guards, and a moat, cannons, and maybe some dragons if you’re into that sort of thing.

My point is that compliance is not enough. It remains and will likely always remain a baseline standard for protecting information. But it should never be confused with security.

Oh, This Again: Encrypt Everything

If I sound like a broken record, it’s because this isn’t my first time at the rodeo. How many more of these breaches are we going to tolerate before we start to make changes to how we handle our data?

Back in October, I wrote a post about the strategy of “encrypting everything.” While I certainly won’t recap all of it, my opinion about the below adages remain the same:

  • Realize that your data is the target, not your network. Yes – attackers do penetrate firewalls and exploit application security holes, but they do so to get to high value data, just as an inside attacker would
  • Rein in your privileged users: if your employee doesn’t need access, they shouldn’t have it just because they have a certain title
  • Solutions exist that allow you to restrict access to sensitive information while still giving privileged users to the tools they need to perform their work, such as encryption with access controls linked to your identity management systems
  • While no company or CEO wants to discuss a data breach, having a broad-based “data first” protection strategy plays well from both a security and marketing perspective. It’s important to keep your fiscal and reputational house in order. If you need more assurances of this, I suggest you speak to a C-level executive at Sony, Target or Home Depot. While you’re at it, you might want to sit in on one of the many post-data-breach-government-oversight-committee-hearings on Capitol Hill. Pick your poison; you’ve probably got a few options.

Bottom line? With proper data controls, you can have your cake (sufficient use of privileged accounts) and eat it too (simultaneous protection of the data).

To close out, earlier I noted our 2013 Insider Threat report found that U.S. businesses were sorely lacking when it came to privileged user access restrictions. We’re excited to report we’ll soon be able to tell you if that statistic has changed in the past two years. But in the meantime, you’ll have to wait to just a little bit longer…

The post What We Talk About When We Talk About Insider Threats appeared first on Data Security Blog | Vormetric.

More Stories By Vormetric Blog

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, big data and cloud environments. Data is the new currency and Vormetric helps over 1400 customers, including 17 of the Fortune 30 and many of the world’s most security conscious government organizations, to meet compliance requirements and protect what matters — their sensitive data — from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application’s data —anywhere it resides — with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence.

@ThingsExpo Stories
Existing Big Data solutions are mainly focused on the discovery and analysis of data. The solutions are scalable and highly available but tedious when swapping in and swapping out occurs in disarray and thrashing takes place. The resolution for thrashing through machine learning algorithms and support nomenclature is through simple techniques. Organizations that have been collecting large customer data are increasingly seeing the need to use the data for swapping in and out and thrashing occurs ...
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists will examine how DevOps helps to meet th...
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs oft...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
The 21st International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
SYS-CON Events announced today that Interoute has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Interoute is the owner operator of Europe's largest network and a global cloud services platform, which encompasses over 70,000 km of lit fiber, 15 data centers, 17 virtual data centers and 33 colocation centers, with connections to 195 additional partner data centers. Our full-service Unifie...
Everywhere we turn in our industry we can find strong opinions about the direction, type and nature of cloud’s impact on computing and business. Another word that is used in every context in our industry is “hybrid.” In his session at 20th Cloud Expo, Alvaro Gonzalez, Director of Technical, Partner and Field Marketing at Peak 10, will use a combination of a few conceptual props and some research recently commissioned by Peak 10 to offer a real-world consideration of how the various categories of...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
SYS-CON Events announced today that Carbonite will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Carbonite protects your entire IT footprint with the right level of protection for each workload, ensuring lower costs and dependable solutions with DoubleTake and Evault.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo Silicon Valley Call for Papers is now open.
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA
The hot topics in the industry today seem to center around Digital Transformation and Mobile Apps. While a digital transformation strategy is crucial to keep up with the chaos in your industry, customer demands, and other disruptions, the need to create mobile apps to remain relevant in your market and to your customers is equally a no-brainer. Regardless of the approach, the next question always seems to pop up: What architecture should I chose? Native? Hybrid? Managed? Hosted?
SYS-CON Events announced today that EARP Integration will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. EARP Integration is a passionate software house. Since its inception in 2009 the company successfully delivers smart solutions for cities and factories that start their digital transformation. EARP provides bespoke solutions like, for example, advanced enterprise portals, business intelligence systems an...
SYS-CON Events announced today that Ocean9will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Ocean9 provides cloud services for Backup, Disaster Recovery (DRaaS) and instant Innovation, and redefines enterprise infrastructure with its cloud native subscription offerings for mission critical SAP workloads.
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search and...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...