Security experts have called 2015 a watershed year for cybercrime: the number of security incidents kept rising while organizations struggled to keep pace with increasingly sophisticated attackers. One trend that stood out was how many breaches involved an insider, whether acting maliciously or negligently.
End users who violate security policies are easy prey for social engineering attacks; in that sense, insiders are the weakest link in security. A recent study we at Skyhigh Networks conducted, based on actual cloud usage data, found that 90 percent of organizations experience at least one insider threat each month, with an average of 9.3 incidents.
A recent Verizon report found that across 1,931 incidents involving protected health information (PHI), insiders were responsible nearly as often as outside actors. That matters because the HIPAA Breach Notification Rule requires covered entities (with their business associates obligated to report breaches to them) to notify prominent media outlets, in addition to the affected individuals and the Department of Health and Human Services, of any breach of unsecured PHI affecting more than 500 residents of a state or jurisdiction. Add the finding of a recent Cloud Security Alliance survey that loss of reputation and trust is the greatest concern companies have about cyberattacks, and the insider-threat problem comes into even sharper focus.
The problem is not going away, given the exponential growth in cloud use, the BYOD trend and an increasingly mobile workforce. Gartner forecasts that cloud-based software will become the norm, with the share of desktop-based apps declining to 18 percent in 2017 (from 34 percent in 2014). At the same time, market-intelligence firm International Data Corp. forecasts that 72 percent of the U.S. workforce will be mobile by 2020, growing to 105.4 million workers (from 96.2 million in 2015).
Given these trends, it is not surprising that Gartner also predicts that through 2020, 95 percent of cloud-security failures will be the customer's own fault rather than that of a third party such as hackers or the cloud provider.
Stories abound of privileged-user threats
Among insider threats, privileged users should be a particular concern for organizations. There is no shortage of examples of why.
In one of the most recent insider threat cases, the former director of the St. Louis Cardinals pleaded guilty in January to hacking into the systems of the rival Houston Astros. He got in because a former Cardinals employee, who had since moved to the Astros, had turned over his company laptop (and its password) to him before leaving the Cardinals.
The director then used variations of that ex-employee's password to break into the Astros' email and other systems. All told, he obtained a range of proprietary information, and the loss to the Astros was put at $1.7 million. The lesson is that a password handed over at off-boarding is not revoked access; it is a credential that should have been reset everywhere it was ever reused.
The highly publicized Anthem breach, of course, remains the poster child for the long-term consequences of a breach. The ripple effects for the 78 million customers, children included, whose personal data was compromised may not be fully understood yet. The company itself will take years to recover from the damage to its reputation, if it is recoverable at all, and the full financial cost has yet to be realized, with lawsuits ongoing in several states.
Anthem, one of the largest publicized breaches to date, was not a case of an employee with low scruples, but it involved privileged account users nonetheless. Investigators found that the attackers accessed the data using the stolen credentials of five technology workers, including a systems administrator who discovered the breach after noticing his own credentials being used by someone else.
Mitigating privileged-user access
IBM’s 2015 Cyber Security Intelligence Index found that in 2014, 55 percent of attacks were carried out by insiders, whether malicious or inadvertent. Among the patterns IBM found: shared admin accounts, weak passwords and passwords set never to expire.
It is common to find accounts belonging to users who left long ago but whose credentials, and the access behind them, were never revoked. And system administrators frequently do not know how to scope a user's access rights, so they grant full privileges instead.
The first and most basic step is to monitor and log user behavior, which makes it possible to identify patterns and detect anomalies. Unlike a credential, a user's behavior, an administrator's included, is hard for an attacker to replicate. Once a baseline profile exists for each user (typical working hours, source addresses, systems touched), deviations stand out, and a deviation may well be an identity thief posing as the user. It may also be a legitimate change such as a new project or on-call duty, so a flagged deviation is a lead to triage, not a verdict.
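As an added illustration of the baselining step (this is not Skyhigh's product logic or code from the original article), the script below builds a per-user profile of source addresses, hosts and hours of day from a training window of login records, then scores new events against it. The log lines, usernames, hostnames and addresses are constructed for the example; the key=value format is an assumption, and a real deployment would parse syslog, Windows 4624 events or cloud audit logs instead.

```python
"""Per-user behavioural baseline from login records, then anomaly flagging.

Added example, not Skyhigh's own code. Log format, users, hosts and IPs are
constructed; only the approach (profile per user, score deviations) is the point.
"""
from collections import defaultdict
from datetime import datetime
import re

# Constructed "training window": a few logins per user that define normal.
BASELINE_LOGS = [
    "2016-02-01T08:55:10Z user=alice src=10.1.4.22 host=hr-db01 action=login result=success",
    "2016-02-02T09:02:41Z user=alice src=10.1.4.22 host=hr-db01 action=login result=success",
    "2016-02-03T08:47:03Z user=alice src=10.1.4.22 host=hr-fs02 action=login result=success",
    "2016-02-04T09:15:55Z user=alice src=10.1.4.22 host=hr-db01 action=login result=success",
    "2016-02-01T22:10:00Z user=bob src=10.1.9.7 host=bastion01 action=login result=success",
    "2016-02-02T23:30:12Z user=bob src=10.1.9.7 host=bastion01 action=login result=success",
    "2016-02-03T21:58:40Z user=bob src=10.1.9.8 host=app-prod03 action=login result=success",
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    # alice from her usual desk at her usual hour: nothing to flag
    "2016-02-15T09:05:12Z user=alice src=10.1.4.22 host=hr-db01 action=login result=success",
    # alice at 03:00 from an unseen address against a finance host: three signals at once
    "2016-02-16T03:12:09Z user=alice src=203.0.113.45 host=fin-db01 action=login result=success",
    # bob works nights, so the hour is normal for him, but the host is new
    "2016-02-16T22:40:00Z user=bob src=10.1.9.7 host=hr-db01 action=login result=success",
    # an account with no history at all is itself worth a look
    "2016-02-16T10:00:00Z user=carol src=10.1.5.5 host=hr-db01 action=login result=success",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def build_baseline(lines):
    """Per-user profile: source IPs, hosts and hours of day seen in the training window."""
    profile = defaultdict(lambda: {"src": set(), "host": set(), "hours": set()})
    for ev in map(parse, lines):
        p = profile[ev["user"]]
        p["src"].add(ev["src"])
        p["host"].add(ev["host"])
        p["hours"].add(ev["ts"].hour)
    return profile


def score_event(ev, profile, hour_slack=2):
    """Return the list of deviations for one event; an empty list means 'looks normal'."""
    p = profile.get(ev["user"])
    if p is None:
        return ["no baseline for user"]
    reasons = []
    if ev["src"] not in p["src"]:
        reasons.append(f"new source {ev['src']}")
    if ev["host"] not in p["host"]:
        reasons.append(f"new host {ev['host']}")
    hour = ev["ts"].hour
    # Off-hours if the hour is more than hour_slack away from every hour seen,
    # with the distance computed modulo 24 so night shifts around midnight work.
    near = any((hour - h) % 24 <= hour_slack or (h - hour) % 24 <= hour_slack
               for h in p["hours"])
    if not near:
        reasons.append(f"off-hours login at {hour:02d}:00")
    return reasons


def detect(baseline_lines, new_lines, hour_slack=2):
    """Build the baseline, score each new event and return (user, timestamp, reasons) tuples."""
    profile = build_baseline(baseline_lines)
    findings = []
    for line in new_lines:
        ev = parse(line)
        reasons = score_event(ev, profile, hour_slack)
        if reasons:
            findings.append((ev["user"], ev["ts"].isoformat(), reasons))
    return findings


def run_detection():
    """Convenience entry point over the constructed sample data."""
    return detect(BASELINE_LOGS, NEW_EVENTS)


if __name__ == "__main__":
    for user, ts, reasons in run_detection():
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Each finding carries the reasons it fired, which is what an analyst needs for triage: one new host for a night-shift administrator is a question to ask, while a new address plus a new host plus an off-hours login from an HR account is a credential to disable first and ask about later.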
It is equally important to know exactly who all the users are, what access each of them has and what anyone could do with that access. Excessive administrative rights should be revoked promptly, and accounts whose owner has left or cannot be identified should be disabled.
For example, IT personnel should not need access to HR systems, HR should not need access to customer information, and so on. Rogue behavior detected against such a model can mean either an insider is accessing data they are not authorized for or an attacker is using hijacked credentials to get at it.
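As an added example of the access review described above (not Skyhigh's code and not from the original article), the script below joins a constructed user inventory with a constructed role-to-system policy and reports the four conditions the text calls out: departed users whose access was never revoked, entitlements a role does not need, dormant accounts, and admin accounts with no accountable owner. The users, systems, roles, dates and the 90-day dormancy threshold are all assumptions for illustration; in practice the inputs come from the HR system, the directory and each application's own access lists.

```python
"""Entitlement review: who has access, to what, and whether their role needs it.

Added example, not Skyhigh's own code. Inventory, policy and dates are constructed.
"""
from datetime import date, timedelta

# Which systems each role legitimately needs. Anything outside the role's set
# is excess privilege to revoke or to justify with a documented exception.
ROLE_POLICY = {
    "hr":      {"hr-db01", "hr-fs02", "mail"},
    "it":      {"bastion01", "app-prod03", "mail"},
    "sales":   {"crm", "mail"},
    "finance": {"fin-db01", "mail"},
}

# Constructed inventory joined from HR (status, role) and the directory
# (entitlements, last login). Service accounts carry an explicit owner field.
USERS = [
    {"user": "alice", "role": "hr", "status": "active", "last_login": date(2016, 2, 15),
     "entitlements": {"hr-db01", "hr-fs02", "mail"}},
    {"user": "bob", "role": "it", "status": "active", "last_login": date(2016, 2, 16),
     "entitlements": {"bastion01", "app-prod03", "mail", "hr-db01"}},   # IT with HR access
    {"user": "dave", "role": "sales", "status": "terminated", "last_login": date(2015, 9, 30),
     "entitlements": {"crm", "mail"}},                                   # left, never revoked
    {"user": "erin", "role": "finance", "status": "active", "last_login": date(2015, 10, 1),
     "entitlements": {"fin-db01", "mail"}},                               # dormant
    {"user": "svc-backup", "role": "it", "status": "active", "last_login": date(2016, 2, 16),
     "entitlements": {"bastion01"}, "owner": None},                        # shared, unowned admin
]

REVIEW_DATE = date(2016, 2, 17)   # constructed "as of" date for the review


def review_access(users, policy, as_of, dormant_days=90):
    """Return (user, issue) pairs for every account that needs action."""
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    for u in users:
        name = u["user"]
        if u["status"] != "active" and u["entitlements"]:
            findings.append((name, "terminated user still entitled to "
                             + ", ".join(sorted(u["entitlements"]))))
            continue  # everything gets revoked; finer checks are moot
        excess = u["entitlements"] - policy.get(u["role"], set())
        if excess:
            findings.append((name, f"role {u['role']} does not need "
                             + ", ".join(sorted(excess))))
        if u["last_login"] < cutoff:
            findings.append((name, f"dormant since {u['last_login'].isoformat()}"))
        # Human accounts own themselves; a service account must name a person.
        if u.get("owner", name) is None:
            findings.append((name, "no accountable owner (shared account?)"))
    return findings


def run_review():
    """Convenience entry point over the constructed inventory."""
    return review_access(USERS, ROLE_POLICY, REVIEW_DATE)


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{user}: {issue}")
```

Running a review like this on a schedule, and again at every role change or departure, is what turns "revoke excessive rights" from a good intention into something that actually happens.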
Because error and negligence are more often a factor than outright malice, a multi-layered defense cannot be emphasized enough. That includes basic security hygiene (such as a robust password policy), an ongoing employee training program, and backup and recovery systems and processes that are in place before they are needed.
Breaches pose a significant risk to organizations: on average, downtime following a breach costs enterprises $1.4 million and SMBs $66,000, according to Kaspersky Lab, which also found that 60 percent of businesses had a severely reduced ability to function after a breach. Add other direct costs such as recovery and, in some sectors, government penalties, plus indirect costs like lost business opportunities, and the consequences are quite damaging.
The good news is that insider threats are on IT practitioners' radar, according to the SANS Institute. But SANS also found that prevention was more “a state of mind than reality.” It is time for organizations to rethink how they approach security intelligence and address what may be their biggest weakness: privileged users.
Sekhar Sarukkai is a co-founder and the chief scientist at Skyhigh Networks, driving the future of innovation and technology. He has more than 20 years of experience in enterprise networking, security and cloud services development.