Welcome!

Industrial IoT Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Kevin Benedict, Elizabeth White

Related Topics: Industrial IoT, @CloudExpo, Cloud Security

Industrial IoT: Blog Feed Post

Insider Security Threats By @Vormetric | @CloudExpo [#Cloud]

It would be fair to assume Edward Snowden might be one of the first names or faces to pop into your head

What We Talk About When We Talk About Insider Threats

What does the term “insider threat” mean to you? It would be fair to assume Edward Snowden might be one of the first names or faces to pop into your head. Snowden was an insider, and he proved to be a threat. He also had malicious intentions.

But, you would be shortsighted in thinking that malicious insiders are the biggest risk to your data. While Edward Snowden may be considered the “insider threat” poster child, not all employees have malicious intentions. In fact, it’s likely the vast majority of your employees have completely innocuous intentions (after all, most of us like our paychecks and want to keep them coming!) Counted among those employees, however, are your “privileged users.”

Here at Vormetric, we define privileged users as high-level computer operators who often have powerful, privileged access rights. They can include – but are not limited to – root users, domain administrators and system administrators.

More than just traditional insidersSimply by having access, privileged users may unwittingly put data at risk – or be used by an outside actor as a conduit for siphoning data. Unsurprisingly, privileged accounts are very attractive targets for attackers seeking to leverage access privileges for their own nefarious purposes. Therefore, it’s completely accurate to say that all privileged users – regardless of whether or not they have bad intentions – can be considered an “insider threat.”

Let’s take a look at a couple examples of high-profile data breaches and see where insider chips fell:

Sony Pictures

While there are still questions to be answered, CNN has reported hackers infiltrated the system by stealing the computer credentials of a Sony systems administrator. That’s right, a systems administrator. Although investigators have not ruled out the involvement of a malicious insider or former employee, they have not found evidence to indicate this was the case.

The ramifications for Sony from a financial, legal, and professional standpoint are unprecedented. Leaked information includes medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories.

Sony employees now suing the company for negligence have termed the hack an “epic nightmare.” This dramatic language is being echoed by Gartner cybersecurity analyst Avivah Litan, who believes the breach may very well be “the costliest ever for a U.S. company” and one that “went to the heart and core of Sony’s business.”

The attack also stirred unwanted memories for South Carolinians, which brings me to the next “insider” breach.

The South Carolina Department of Revenue

In October 2012, more than 3.3 million unencrypted bank accounts and 3.8 million tax returns were stolen in an attack against the South Carolina Department of Revenue. The attack started when a state employee responded to a phishing attack that enabled cyber criminals to use the employee’s (a privileged user) credentials, access the state’s databases, and steal sensitive data. While almost all of the credit and debit card numbers were encrypted, the social security numbers were not – leaving South Carolina citizens vulnerable to identity theft scams.

Did the employee intend for this to happen? No. Did the employee have access to a host of very critical, private data? Yes.

Where Do We Go From Here?

The breadth and depth of private and public sector breaches in the past few years further indicates there is a major disconnect when it comes to organization’s handling of data security – and how they treat insiders. Breach after breach we’ve seen insiders, or someone who has obtained insider privileges, wreak havoc.

Organizations that don’t properly control privileged user or system administrator access are setting themselves up for infiltration by malicious insiders or crafty outsiders looking to take advantage of the wealth of data at their disposal. Our 2013 Insider Threat data report found that only 27% of US organizations blocked privilege user access to sensitive data, whereas our 2014 European version of the report saw that number basically double. There is increased focus on the insider and their behavior within the organization, yet there is far too little emphasis on the data an insider can access with their privileged account access.

Here’s a hypothetical: an interviewee comes in with the desired experience and background a company is looking for, but they’re secretly hell-bent on eventually pulling a Snowden. Do you think it will be easy to identify them as a malicious insider during the vetting and hiring process? Smart agents aren’t going to give something away that would arouse suspicion; it’s pretty unlikely they will walk in brandishing, say, the North Korean flag or talking about their love of a Chinese competitor.

At the end of the day, once a malicious insider is in, he or she is in. What matters is the type of data said insider has access to.

This mantra also applies to non-malicious insiders. Like privileged user Susan up on the 9th floor. Susan, a systems administrator, is as loyal as they come. She feels passionate about her company, its ethos and her work. She’s smart, hardworking and would never intend to do something that would put company data in jeopardy.

While we can sing Susan’s praises all day long, it’s not her attitude that matters. It’s her access. It’s that she has the keys to her company’s kingdom, and if her company don’t have the proper precautions in place, there’s only so much she can do to hold onto them.

Compliance as a Crutch

“But, my company is up-to-date on compliance standards!” you say. Well, congratulations. You get to dodge government fines for at least another year. And by the way, so was Target.

If you really think being compliant means your data is safe, well, I have a bridge to sell you in China.

Since I’m on the subject of bridges, I’ll try to put this in terms that are easily understandable. Think of compliance as a bridge. It’s the bridge that allows your company to cross the water and enter into the castle. But, what’s protecting invaders from also crossing that bridge? That’s right, you need guards, and a moat, cannons, and maybe some dragons if you’re into that sort of thing.

My point is that compliance is not enough. It remains and will likely always remain a baseline standard for protecting information. But it should never be confused with security.

Oh, This Again: Encrypt Everything

If I sound like a broken record, it’s because this isn’t my first time at the rodeo. How many more of these breaches are we going to tolerate before we start to make changes to how we handle our data?

Back in October, I wrote a post about the strategy of “encrypting everything.” While I certainly won’t recap all of it, my opinion about the below adages remain the same:

  • Realize that your data is the target, not your network. Yes – attackers do penetrate firewalls and exploit application security holes, but they do so to get to high value data, just as an inside attacker would
  • Rein in your privileged users: if your employee doesn’t need access, they shouldn’t have it just because they have a certain title
  • Solutions exist that allow you to restrict access to sensitive information while still giving privileged users to the tools they need to perform their work, such as encryption with access controls linked to your identity management systems
  • While no company or CEO wants to discuss a data breach, having a broad-based “data first” protection strategy plays well from both a security and marketing perspective. It’s important to keep your fiscal and reputational house in order. If you need more assurances of this, I suggest you speak to a C-level executive at Sony, Target or Home Depot. While you’re at it, you might want to sit in on one of the many post-data-breach-government-oversight-committee-hearings on Capitol Hill. Pick your poison; you’ve probably got a few options.

Bottom line? With proper data controls, you can have your cake (sufficient use of privileged accounts) and eat it too (simultaneous protection of the data).

To close out, earlier I noted our 2013 Insider Threat report found that U.S. businesses were sorely lacking when it came to privileged user access restrictions. We’re excited to report we’ll soon be able to tell you if that statistic has changed in the past two years. But in the meantime, you’ll have to wait to just a little bit longer…

The post What We Talk About When We Talk About Insider Threats appeared first on Data Security Blog | Vormetric.

More Stories By Vormetric Blog

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, big data and cloud environments. Data is the new currency and Vormetric helps over 1400 customers, including 17 of the Fortune 30 and many of the world’s most security conscious government organizations, to meet compliance requirements and protect what matters — their sensitive data — from both internal and external threats. The company’s scalable Vormetric Data Security Platform protects any file, any database and any application’s data —anywhere it resides — with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence.

@ThingsExpo Stories
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assista...
Organizations planning enterprise data center consolidation and modernization projects are faced with a challenging, costly reality. Requirements to deploy modern, cloud-native applications simultaneously with traditional client/server applications are almost impossible to achieve with hardware-centric enterprise infrastructure. Compute and network infrastructure are fast moving down a software-defined path, but storage has been a laggard. Until now.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. All In Mobile is a mobile app development company from Poland. Since 2014, they maintain passion for developing mobile applications for enterprises and startups worldwide.
"Akvelon is a software development company and we also provide consultancy services to folks who are looking to scale or accelerate their engineering roadmaps," explained Jeremiah Mothersell, Marketing Manager at Akvelon, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
IoT is at the core or many Digital Transformation initiatives with the goal of re-inventing a company's business model. We all agree that collecting relevant IoT data will result in massive amounts of data needing to be stored. However, with the rapid development of IoT devices and ongoing business model transformation, we are not able to predict the volume and growth of IoT data. And with the lack of IoT history, traditional methods of IT and infrastructure planning based on the past do not app...
DXWorldEXPO LLC announced today that the upcoming DXWorldEXPO | CloudEXPO New York event will feature 10 companies from Poland to participate at the "Poland Digital Transformation Pavilion" on November 12-13, 2018.
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world.
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
From 2013, NTT Communications has been providing cPaaS service, SkyWay. Its customer’s expectations for leveraging WebRTC technology are not only typical real-time communication use cases such as Web conference, remote education, but also IoT use cases such as remote camera monitoring, smart-glass, and robotic. Because of this, NTT Communications has numerous IoT business use-cases that its customers are developing on top of PaaS. WebRTC will lead IoT businesses to be more innovative and address...