Insider Threat: 'Database Armageddon'Study Says Data Breaches Reveal Growing Internal Risks
"Organizations need to have strict policies in place that insure that their database security standards are perpetuated across all insiders," says Thom VanHorn of Application Security.
Application Security recently partnered with Unisphere Research to survey security measures financial organizations have implemented to guard against insider threats. The results? Most organizations are aware of insider threats, but few are doing much to combat them.
For some organizations, networks are opened up for partners, vendors and in some cases customers, which poses a major security issue. Segregation of duties is one step to protecting databases. "It can be difficult to track who has access to what information within an organization because roles continually change when privileges are assigned," VanHorn said in an interview, alongside Unisphere Research Analyst Joe McKendrick, with BankInfoSecurity.com's Tracy Kitten [transcript below].
By applying least privilege, organizations ensure employees only have access to the minimum amount of information that is necessary to perform their daily duties.
Another concern is with sloppiness in the way data is managed and handled. Many organizations are performing audits of their data logs, but the problem lies in how infrequently those audits occur. In many cases, the audits are performed every quarter, and if a breach occurs sometime in-between, security professionals may be too late. "The issue with this is a lot of times it's closing the barn after the horses are stolen," McKendrick says.
Organizations need to bake in technologies and approaches that protect the data from being compromised, including encryption, masking the data and de-identification.
During this interview, McKendrick and VanHorn discuss:
- The evolution of inside threats;
- The electronification of data and increased vulnerability;
- Automation and stronger fraud-detection technology.
McKendrick is an analyst with Unisphere Research, a division of Information Today Inc. McKendrick has conducted research for a wide range of IT user groups, including the International Sybase Users group, SHARE [IBM large systems user group], Oracle Applications Users Group and International DB2 Users Group. He also is an author and independent analyst who tracks the impact of information technology on management and markets. McKendrick is a co-author of the "SOA Manifesto," which outlines the values and guiding principles of service orientation. He also speaks frequently on Enterprise 2.0 and SOA topics at industry events and webcasts.
VanHorn is the vice president of Global Marketing for Application Security Inc., where he oversees the development of the organization's go-to-market strategy. VanHorn has worked with start-ups and Global Fortune 100 corporations to build results-oriented, bottom-line focused marketing operations. Prior to AppSec, VanHorn held positions with Neteos, Compaq, Microcom [acquired by Compaq], Motorola and Concord Data Systems [acquired by Memotec]. He holds a bachelor's degree in economics and English from Saint Olaf College and attended Boston University's School of Management.
International Sybase UsersTRACY KITTEN: Joe and Tom, we've invited you here today to talk about a recent survey Application Security and Unisphere Research conducted of the International Sybase Users Group. The study focused on insider threats. Could you give us an overview of some of the survey's highlights? What stood out?
JOE MCKENDRICK: We've partnered with AppSec on a couple of different surveys now. A part of the surveys look at different user groups. In this case, we looked at the Sybase User Group. We've also worked with the Oracle Users Group and the Sequel Server User's Group, essentially asking them the same questions about their database security. And we found across all three major technology platforms there's a consistency in the responses. In each case, there's difficulty I should say with corporate culture. There's a management disconnect in terms of addressing security, especially from an insider perspective. There's a great awareness that internal threats, internal hacks and insider privilege user access all constitute a greater threat to data security than outside hackers. But there isn't a lot being done yet in terms of securing data internally against abuse.
TOM VANHORN: When I look at the survey results from this study, as well as previous studies, one thing stands out. That is I think there's a false sense of security out there. People that were surveyed, the vast majority acknowledge themselves as being responsible for data security in their organizations. The vast majority also believe their confidential data is protected and more than half of them believe it's unlikely that they will face a data breach over the next twelve months. In fact, only two percent think the likelihood is evitable. Then, when you drill down into the more specific questions asking about exactly what they're doing and how they're managing data security, an alarming number of responses say, "I don't know." when I put those two things together, I think there may be some rose-colored glasses on here that say, "We think we're okay, but I can't tell you why I think we're okay." If we look at what has been happening in the last several months, you'll see breaches accelerating and accelerating. In the last 60 days we've almost come into a data breach Armageddon. You can't go more than 24 hours of picking up the newspaper and not read about a major breach.
KITTEN: The study polled 216 members of the International Sybase Users Group. Why are perspectives from this group relevant? Why are they a relevant representation of the trends that we're seeing in the industry? Joe I would like you to answer that question?
MCKENDRICK: Very simply, in terms of the industry demographics in the survey, 24 percent of our group were from the financial services industry, which is actually a very high percentage in comparison with other surveys we've done. One out of four is affiliated with financial services firms.
KITTEN: Tom, could you give us a little background on the survey itself, such as when this survey was conducted, and do you think that the results from this survey might differ if you were to conduct the survey today?
VANHORN: This is a recent survey. It was just conducted over the last quarter. It was actually published in the beginning of May, about a month ago. I think a lot of the results would be the same. We've been conducting these surveys with various user groups over the past year on a quarterly basis, and there's been a consistency in what we found. The one thing that may change, given the nature of the most recent breaches, is the belief that most of the threats are from insiders. Historically, if you go back for several years, you'll see that 75 percent or so of the breaches were coming from breaches within the organization. But if you look at the headline breaking news over the past two or three months, you'll see more and more attacks are coming from the outside. Specifically, people are getting through perimeter security and going straight to the database. The database is the place where your most sensitive information is stored. If we were going to conduct this survey after some of the most recent experiences, it would affect people's perceptions of what the threats are, just based on what we've seen more recently.
Evolution of Insider ThreatsKITTEN: It's interesting that you should say that Tom because the next question that I have actually relates to some of the recent breaches that we've seen in the industry. Of course, a lot of the breaches were perpetrated by outside attacks, but they were actually linked to some insider breaches. I would like for both of you to respond to this question and I'm going to pose it in light of some of the recent insider breaches that we've seen - from the Bank of America breach to the RSA hack. How are insider threats evolving, and what trends are you seeing when it comes to maybe this connection between an insider leak, or an insider compromise, that leads to an attack that is perpetrated from the outside?
VANHORN: A lot of this comes down to how you define insiders. In today's world an insider isn't necessarily the company's own employees. We've opened up our networks to partners, vendors and in some cases to customers. It's just basic common sense. If you're going to attack something, you're going to try to find the weakest link. To allow those cases, when you get up to the partners, customers and vendors, the policies that they have in place for data security is less stringent than a major commercial organization may have. Those are going to be the first things that are attacked to break into the system. Organizations need to have strict policies in place that insure that their database security standards are perpetuated across all insiders.
The second thing is ongoing education. We're seeing more and more types of attacks. If you're aware of it even as an individual you know what to look out for. You can better defend yourself. That has to be an ongoing, continuous procedure of an organization.
MCKENDRICK: The company places into these factors as well. You are likely to see more threats emerging when the economy goes sour. There's more, for lack of a better way to put this, desperation out there and people are likely to do things they might not otherwise consider. That aside, I think a big issue that I've seen with a lot of the major data breaches, especially what we might define as internal breaches - and I will extend that to partners, customers and so forth - is just plain sloppiness with the way data is managed and handled.
Tom pointed out that we need more education in the area. If you go to a site called PrivacyRights.org, it gives you a listing of all reported major data breaches all the way back to early 2000. It's usually about 10-15 breaches reported each week. A lot of the ones that you'll see are an employee accidentally posting social security numbers to their websites. A business partner, who for some reason has a customer list on a hard drive on a notebook, leaves the notebook computer in his car and the car gets stolen. There is a case I just saw last month where an employee of a county in Virginia went on vacation to Las Vegas and had his laptop with him, with the social security numbers of the residents of the county. And of course the laptop got stolen. A lot of it you can attribute to sloppiness, lack of management and a lack of education in terms of how to properly handle data.
VANHORN: A big issue in organizations is segregation of duties, or be it simple user entitlements to data. It can be very difficult to track who has access to what information within an organization because roles continually change when privileges are assigned. Over a period of time it becomes very complex. What organizations really need to do is focus on segregation of duties. The bottom line is to employ what we call a principle of least privilege so that you ensure that employees only have access to the minimum amount of information that is necessary to perform their daily duties.
KITTEN: Do you think, Tom, that better employee education or more stringent employee access to sensitive data is the answer?
VANHORN: I think it's a combination of both. I don't think you can do just one.
Internal Fraud PreventionKITTEN: I would like to go back to the survey here for a moment, and this touches on some of what we've been talking about. Joe, I would like to pose this question for you. The survey notes that one of the greatest challenges, or risks, to database security is thought to come from insiders, either through human error or abused privileges, as we've been talking about here. What does that tell you about fraud mitigation and the need for more internal fraud prevention tracking, as Tom has just discussed? And does the survey show that institutions and other organizations are perhaps investing too much in detection for outside threats while neglecting to adequately monitor what is happening in their own backyards?
MCKENDRICK: It goes back to something Tom was saying a little bit earlier. We had a lot of folks saying that they didn't know the answer to a lot of the questions we were putting in our survey. What is distressing is the fact that these are data managers, database administrators. If anybody knows, or should be aware of what needs to be done to protect data within the organization, these are the folks. These are the folks in the front line. These are the folks that have the technical knowledge and the expertise to secure databases. And in a lot of cases half of them said they simply didn't know if they are getting the right amount of budget or conducting the right procedures or polices to guard their data. That suggests a major disconnect between corporate culture, the way management is approaching the issue and the way they are communicating the need to protect data across the organization.
Essentially what it's telling us is management isn't doing a good job of that. In terms of fraud mitigation, fraud prevention and tracking, we ask about auditing. There is monitoring and there is auditing of databases for security, and a lot of our respondents will conduct audits of their data logs to see what kind of access they can place and what has been done with databases. The issue with this is a lot of times it's closing the barn after the horses are stolen. In many cases, these audits maybe take place once every quarter or so. If you had a data compromise in January, you may not find out about it until March. Just as importantly, you need to bake in technologies and approaches to protect the data from ever being compromised - encryption for example, masking of data, de-identification of sensitive data. There is very little of that taking place on the sites we looked at. About 20 percent overall said they will mask or encrypt data that moves between different parts of the organization. That is where the threats occur. A database administrator may be doing a great job, at his or her site, of watching the data and protecting the data. But once that data is sent out to the development side of the house, or if it's sent out to a back-up site, it loses that protection.
KITTEN: Right, and that's a good point. So it's not just ensuring that the data is protected in-house. It's also ensuring that the data is protected as it is being transferred from one location to another, as well as maybe when that data is sent to a third party.
MCKENDRICK: Exactly, and that could be in-house. We could again be talking about moving the data out of the production database over to a test site, or to the development side of the house.
Difficulty with Corporate CultureKITTEN: I would like to go back to a point that you raised here Joe, and that relates to some of the support that fraud departments get from their boards of directors and CEOs. I would like for you to answer this first and then we'll move to Tom. What advice could each of you offer fraud departments that are trying to convince their boards of directors or CEOs that investment and improvements to track employee threats are needed? And that could be convincing them that they need to invest in some of these more automated solutions.
MCKENDRICK: The best way to speak to that would be in terms of the money - the amount of money and the losses your company will incur as a result of a data breach, whether it be inside or outside. The amount of money invested up-front would be far less than the amount of money to be lost in the back-end. We didn't explore it in depth in this survey, but there are some good statistics out there which talk about the loss that can be incurred as a result of data being compromised. I think Potomac Institute has published some good numbers on this as well. It could go as high as two million dollars per incident. And for financial services firms, I'm sure it's at the high end. It could be tens of thousands to hundreds of thousands of dollars, but that's a fraction of what the potential loss may be when something does happen. The sad thing about it is we solicited a response, write-in opinions from our respondents, and one person said their management considers it cheaper to not invest in security and to pay out when something happens.
VANHORN: I totally agree with Joe. He hit the nail on the head. It all comes down to dollars and cents.
KITTEN: Tom, I would like to pose this question to you. When it comes to socially engineered schemes, such as those that are perpetrated by phishing or vishing attacks, what can organizations realistically expect employees to do when it comes to catching those types of attacks?
VANHORN: They are getting more sophisticated. But at the end of the day these phishing attacks are still people that are asking you for information. I've always thought that this comes down to common sense. It comes down to education. The bottom line is, if someone is asking you for information, be very careful what you are providing. Don't provide private information, passwords and stuff.
KITTEN: What would you like to leave our audience with?
MCKENDRICK: In the past ten to twenty years, everything we do, every type of business activity we do, has been digitized. This data coming in from enterprises is data coming in from the outside and social networks. Security is something you actually have to keep in perspective. It isn't necessary to lock down and secure every piece of data that exists across your enterprise. But there are key pieces of data that do need additional measures and additional security. Anything involving customer information, confidential and private customer information, social security numbers and credit cards, for example, need that sort of attention.
VANHORN: The other thing I would leave people with is this isn't a one-time effort. Sure you may get audited once a year and you may fix things after that. But you need continuous security and continuous compliance, and it has to be an ongoing process. The final point is the data is your most valuable asset. It makes sense to really watch that data fully and monitor and protect it where it lives. We've seen time and time again, hackers are able to get onto networks and get into the systems. The most pragmatic approach is to protect that data where it lives in the database itself.