Typically, a financial services firm’s very business is built on generating and processing the kind of data that cybercriminals dream of. Yet, even at a time when reports of cyber-attacks are at an all-time high, too many organisations responsible for handling payment or transactional data are still struggling to confront the challenge of protecting their sensitive resources from those already legitimately inside the company walls or network perimeter.
While the risk presented by ‘insiders’ has long been a concern to business managers – like the rogue, disgruntled or witless employee accessing sensitive information – the nature of the ‘insider threat’ today has morphed to now include malicious privileged insiders as well as the compromise of privileged user accounts by advanced malware.
Arguably, one of the biggest mistakes that businesses continue to make is insufficient control of the actions of ‘privileged users’. Privileged users exist in all organisations – often with titles like Domain Administrator, Network Manager or System Administrator. While these users are essential and require a high level of access to do their jobs – performing tasks like software installation, system configuration, resource allocation and more – a significant security issue arises when they also have access to the data stored within those systems, with the ability to read, copy or change documents. With such powerful access rights, they are an irresistible target for perpetrators of Advanced Persistent Threats (APTs), a variety of cyber-attack that seeks out legitimate user log-in details to steal and use for its own ends. It is important to bear in mind that APTs can also gain entry by exploiting application weaknesses; stack overflows and known security holes that have not been patched are prime examples.
It is worth remembering that the breach at personal credit ratings firm Korea Credit Bureau (KCB) in early January of this year was the result of an employee stealing data from the customers of three credit card firms while working for them as a temporary consultant. The names, social security numbers and credit card details of 20 million South Koreans, almost half of the population, were copied and stolen. On the other side of the coin, the recent data breach at eBay is a timely demonstration of a cyber-attack in which the hacker(s) hijacked the credentials of a legitimate employee to gain unauthorised access to the company database containing shoppers’ data, including their name, encrypted password, email address, physical address, phone number and date of birth. Unfortunately, because hackers abuse valid access rights and, for all intents and purposes, look like trusted users, such attacks can be very difficult to spot. It is a bit like trying to find a needle in a haystack, except that the needle is disguised as a piece of straw.
Against this backdrop, it should come as little surprise that, according to research recently conducted with analyst firm Ovum into how European IT decision makers are tackling insider threats, 85 percent of financial services organisations reported that they feel vulnerable to this kind of abuse. Further compounding the issue, data protection mandates are also being rewritten to include some teeth – like the proposed fines of five percent of annual global revenue for those that fail to adequately protect customer data. As such, many businesses are being pressed to re-evaluate all the ways in which their data can be touched.
A particularly interesting aspect of the research to note here is that controlling legitimate network access by third-party contractors was dubbed a primary concern within the sector; 55 percent of IT decision-makers at financial organisations rate this type of user as posing the biggest risk. Often, temporary contractors or partners lower down the supply chain are the low-hanging fruit for cyber-criminals looking to get a foot in the door. As such, no entry point can be underestimated; each must be given equal consideration and protected accordingly.
This can seem easier said than done given the widespread adoption of cloud computing technologies and big data initiatives. Indeed, 45 percent of European financial organisations surveyed declared that insider threats were harder to detect because of the increasing use of cloud resources. And when it came to big data rollouts, a technology area where financial services firms are leading the charge, 69 percent of respondents cited the security of reports from big data projects, which may include sensitive data, as their leading big data concern. Given the myriad ways in which insider threats can surface, and as IT assets swell and business data becomes increasingly distributed, the most effective practical defence against this kind of threat is to protect data at its source and provide access on a truly ‘need to know’ basis. This can be achieved by implementing encryption combined with tight access controls, carefully separating users’ network or system access from their ability to actually view, edit or destroy files. Having adequate security intelligence tools in place to monitor access patterns is essential to spotting any anomalous access behaviour that may indicate the start of an insider attack, or that may be a warning shot that a legitimate user account has been compromised by malware.
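The two controls described above, a need-to-know policy that lets administrators manage encrypted files without being entitled to read their contents, and a monitor that flags access volumes breaking a user's own baseline, as an added illustration in Python. This is not code from the article or from Vormetric; the roles, the policy and the access log records are all constructed for the example.

```python
"""Added example (not from the article): separate system-administration rights
from the right to read data, and flag read volumes that break a user's own
baseline. Roles, policy and log records are constructed for illustration."""
from collections import defaultdict
from statistics import mean

# Role policy: the sysadmin may manage (back up, move, configure) encrypted
# files, but only business roles hold the entitlement that unlocks contents.
POLICY = {
    "sysadmin": {"manage"},
    "payments_analyst": {"read"},
    "fraud_officer": {"read", "write"},
}

def authorize(role: str, action: str) -> bool:
    """Need-to-know check: allow only actions in the role's entitlement set."""
    return action in POLICY.get(role, set())

# Constructed access records: (day, user, action, records_touched).
ACCESS_LOG = [
    (1, "alice", "read", 40), (2, "alice", "read", 35), (3, "alice", "read", 38),
    (4, "alice", "read", 42), (5, "alice", "read", 2100),  # sudden bulk export
    (1, "bob", "read", 10), (2, "bob", "read", 12), (3, "bob", "read", 9),
    (4, "bob", "read", 11), (5, "bob", "read", 14),
    (5, "svc_backup", "manage", 5000),  # manage touches files, reveals no data
]

def daily_read_volume(log):
    """Sum of records read per (user, day); 'manage' actions are not reads."""
    totals = defaultdict(int)
    for day, user, action, n in log:
        if action == "read":
            totals[(user, day)] += n
    return totals

def flag_bulk_reads(log, factor=5.0):
    """Flag a user's day when its read volume exceeds factor x the mean of
    that user's other days. Returns a sorted list of (user, day, volume)."""
    by_user = defaultdict(dict)
    for (user, day), n in daily_read_volume(log).items():
        by_user[user][day] = n
    flagged = []
    for user, days in by_user.items():
        for day, n in days.items():
            others = [v for d, v in days.items() if d != day]
            if others and n > factor * mean(others):
                flagged.append((user, day, n))
    return sorted(flagged)

if __name__ == "__main__":
    print(authorize("sysadmin", "read"))  # False: manage rights do not imply read
    print(flag_bulk_reads(ACCESS_LOG))    # [('alice', 5, 2100)]
```

The backup service account handles far more records than anyone else yet is never flagged, because a manage action on encrypted files never reveals their contents; only read volume counts against a user's baseline.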
Fortunately, 76 percent of organisations surveyed plan to increase spending specifically to address insider threats. Data encryption and key management, followed by identity and access management, and then network protection, are seen as the most important deterrents available. As systems have become more closely interconnected, and with increasing amounts of private data being shared between networks, establishing who counts as an ‘insider’ and managing their access rights is more important than ever.
Ultimately, this means that concerned organisations need a solution that protects data at its very root and can detect, defend against and control access to digital assets by malicious and unauthorised individuals. While there may be initial challenges in identifying or implementing the technologies that control and dictate the parameters within which users can access documents, the risk of not doing so far outweighs them.
Paul Ayers, VP EMEA, Vormetric