Whenever there is a breach, there is a single burning question: What happened? Here is an industry secret: the initial answer to that question is never the cause. It is just the first potentially culpable event to be noticed – a convenient way to quell the initial wrath of the offended parties – the senior executives and disgruntled data breach victims.
The #1 favorite is: “Somebody clicked on a link” – as though link-clicking was the digital equivalent of using a metal rod to touch a pylon. Are you a link-clicker? When was the last time you did something as stupid as clicking on a link? What do you mean you do it all the time? Are you insane?
Cybersecurity pros all know that clicking on a link is never the real cause. It’s like identifying life as the leading cause of death. Clicking on links happens all the time. It has to happen for work to progress.
With link-clicking, we all know that there could have been sufficient technical and procedural safeguards to stop it from doing anything more than requiring a single machine to be re-built. A phishing link attack to spread like wildfire requires a stunning lack of security configuration, vast numbers of unpatched systems and a generous helping of inadequate segmentation.
In second place is the evergreen go-to favorite when you know that there was substantial under-investment in cybersecurity: “It was a really sophisticated attack.” Except that if it was a really big breach, it never was a really sophisticated attack. Why? Because you can’t sneak millions of records past any effective security system. In the modified words of Oscar Wilde: “To lose one data set is unfortunate. To lose the entire database is just carelessness.”
“It was due to the rogue actions of an insider” is the user event that statistically sits in third place. Here is the question: Is a single rogue insider ever the root cause for a significant data breach – or is it just a symptom? To answer that question, we need to look at the security controls that should identify and defeat rogue insiders and ask if they were in place and operating effectively:
- Are employees and supplier resources subject to appropriate screening?
- Do privileged actions (such as significant financial transactions or releasing volumes of privacy data) use a process that enforces and requires segregated approval?
- Are accounts with privileged access or rights individually accountable, managed and monitored through a privileged account management system? Does this ensure that no single individual can accumulate a toxic/dangerous level of authority?
- Is there a process for anonymously reporting and identifying any disaffected or disgruntled insiders? Is that process adequately resourced?
- Is there an effective data loss prevention (DLP) solution in place to monitor, block and report suspicious data activity?
- Are the lessons learned from DLP and other incidents converted into remediation actions?
Take a look at the top 10 historic insider threat events in this recent article. If you dig inside any of those events, it becomes clear that each situation relied upon some or all of the controls above to be ineffective.
It can look excessive or overly expensive to implement all of these items, but consider this: in these uncertain times with increased working from home and large numbers of people being laid-off from work, the motive for rogue insiders has never been higher.
The next time somebody tells you that an incident is due to a rogue insider, take a deeper look. It might be feasible that someone can navigate some of the security measures – but if all the right security measures were in place, the opportunity to commit a devastating insider action should not have been possible.
Join the infosec webinar on the Insider Threat Landscape on November 26 2020.