Learning from Recent Insider Data Breaches

The security lessons organizations can take from insider attack trends were discussed by Neil Daswani, Co-Founder and Co-Director of the Stanford Advanced Cybersecurity Program, during an RSAC 365 webcast.

Daswani, author of the recently published book Big Breaches: Cybersecurity Lessons for Everyone, began by outlining the trend in the annual volume of reported insider data breaches. Over the period 2005-2009 the average was under 25 per year, but during 2010-2014 it surged to close to 100 per year, swelled largely by the Edward Snowden National Security Agency (NSA) leaks of 2013. Surprisingly, the number dropped significantly in the following years, and there were no reported insider data breaches at all in 2019. However, Daswani added that “if something is too good to be true it usually is, because in 2020 we saw insider data breaches picking up again.”

Daswani also highlighted significant variation in the prevalence of insider data breaches across industries. By far the most affected is healthcare, and as a result “if you work for one of these organizations, you should probably pay more attention to insider attacks than peers at other types of organizations.” The next most affected was the financial sector, followed by retail/merchant and then government/military.

Daswani then went on to analyse how insider attacks occur, looking first at the most famous example of its kind, the Snowden leaks of 2013. The problem appears to have stemmed from the breadth of access Snowden was granted to highly sensitive data: as a contractor he held SSH keys, digital certificates and a smart card. This enabled him to run a “crawler” across government systems and download over one million files. “It was interesting that one system administrator had so many credentials,” commented Daswani.

Another issue was the NSA’s inability to detect the large volumes of encrypted traffic flowing within its own networks. “There was a lack of monitoring, a lack of anomaly detection that probably allowed this attack to succeed,” stated Daswani.

Over the past year, since the start of the COVID-19 pandemic, the indications are that insider attacks have become easier to carry out. Daswani quoted figures from Code42 showing that employees are more likely to leak files than they were before the pandemic.

The main reason for this has been the shift to home working, according to Daswani, which meant that “CISOs and their teams didn’t have as much visibility into all the traffic.” In addition, organizations could no longer enforce physical controls on staff who handle large amounts of sensitive data. For example, customer service agents would normally have to abide by certain physical countermeasures in the workplace, such as bans on cell phones and on paper and pens at the desk, “so they can’t write down things and can only interact with customers using virtual desktop interfaces.” Policies of this kind are impossible to enforce remotely.

With home working having been in place for over a year for many organizations, it is Daswani’s hope that “companies that have lost visibility will take steps to get back visibility even when people work remotely.”

Daswani also spoke about several recent high-profile insider attacks at Twitter, Tesla and Shopify, from which a number of lessons can be drawn. Traditional approaches to security are focused on prevention and are binary: an action is either allowed or blocked. That model is insufficient against insider attacks, where the perpetrators are already inside your systems with legitimate access.

Preventative steps can still be taken against insider threats, mainly centered on psychological profiling of employees to uncover high-risk personality traits, and on building usage-based security and user behavior analytics around those insights. This should feed into high-level monitoring and detection capabilities. Daswani said: “You’ve got to have a model that is primarily detection-oriented and is probabilistic.”
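The detection gap in the Snowden case (a crawler pulling over a million files with no anomaly detection watching) and Daswani's call for a model that is "detection-oriented and probabilistic" both come down to the same mechanism: compare each user's activity with that user's own history and report how unlikely today's activity is, rather than applying a single fixed cut-off. The block below is an added illustration of that idea, not code from the webcast, from Daswani's book, or from any product he mentioned. It builds a per-user baseline of distinct files accessed per day, models that count as a Poisson variable, and scores a day by its upper-tail probability; the log lines, user names and paths are constructed for the example, and the 1e-3 alert threshold and 0.5 files/day rate floor are arbitrary choices, not figures from the article.

```python
"""Probabilistic insider-activity scoring over per-user file-access baselines.

Added example (not the webcast's or Daswani's code). A bulk pull shows up as a
very small tail probability under the user's own baseline instead of tripping
a fixed, binary threshold. Every log line below is constructed.
"""
import math
from collections import defaultdict

# Constructed sample log, one access per line: "<day> <user> <action> <path>".
# Four quiet days; on 2021-03-05 "alice" pulls a run of sequentially named
# files (the crawler-like pattern in the article) while "bob" stays normal.
SAMPLE_LOG = [
    "2021-03-01 alice read /share/finance/q1-forecast.xlsx",
    "2021-03-01 alice read /share/finance/budget.xlsx",
    "2021-03-01 alice read /share/hr/headcount.csv",
    "2021-03-01 bob read /share/eng/roadmap.md",
    "2021-03-01 bob read /share/eng/oncall.md",
    "2021-03-02 alice read /share/finance/q1-forecast.xlsx",
    "2021-03-02 alice read /share/finance/invoices.csv",
    "2021-03-02 alice read /share/hr/headcount.csv",
    "2021-03-02 bob read /share/eng/roadmap.md",
    "2021-03-02 bob read /share/eng/design-03.pdf",
    "2021-03-03 alice read /share/finance/budget.xlsx",
    "2021-03-03 alice read /share/finance/budget.xlsx",  # re-read: 1 distinct file
    "2021-03-03 alice read /share/legal/nda.docx",
    "2021-03-03 bob read /share/eng/design-03.pdf",
    "2021-03-03 bob read /share/eng/design-04.pdf",
    "2021-03-03 bob read /share/eng/oncall.md",
    "2021-03-04 alice read /share/finance/q1-forecast.xlsx",
    "2021-03-04 alice read /share/finance/invoices.csv",
    "2021-03-04 alice read /share/hr/headcount.csv",
    "2021-03-04 alice read /share/legal/nda.docx",
    "2021-03-04 bob read /share/eng/roadmap.md",
    "2021-03-05 bob read /share/eng/roadmap.md",
    "2021-03-05 bob read /share/eng/design-05.pdf",
] + [f"2021-03-05 alice read /share/eng/design-{i:02d}.pdf" for i in range(12)]


def distinct_files_per_user_day(lines):
    """Parse log lines into {day: {user: set(paths)}}; malformed lines are skipped."""
    table = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        day, user, _action, path = parts
        table[day][user].add(path)
    return table


def poisson_upper_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), summed term by term from k upward.

    Summing the tail directly (in log space for the first term) keeps tiny
    probabilities accurate instead of computing 1 - CDF and losing precision.
    """
    if k <= 0:
        return 1.0
    term = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
    total, i = 0.0, k
    while term > 1e-300 and (total == 0.0 or term / total > 1e-12):
        total += term
        i += 1
        term *= lam / i  # next Poisson term from the previous one
    return min(total, 1.0)


def score_day(lines, day, min_baseline_days=3, rate_floor=0.5):
    """Score every user's activity on `day` against their own prior days.

    Returns {user: (distinct_files, baseline_rate, p_value)}. With fewer than
    `min_baseline_days` of history the function returns {} rather than guess.
    Days on which a user is absent count as zero, so a quiet user keeps a low
    rate; `rate_floor` (an arbitrary assumption) avoids a zero rate.
    """
    table = distinct_files_per_user_day(lines)
    baseline_days = sorted(d for d in table if d < day)
    if len(baseline_days) < min_baseline_days:
        return {}
    users = set(table.get(day, {}))
    for d in baseline_days:
        users.update(table[d])
    scores = {}
    for user in sorted(users):
        history = [len(table[d].get(user, ())) for d in baseline_days]
        lam = max(sum(history) / len(history), rate_floor)
        count = len(table.get(day, {}).get(user, ()))
        scores[user] = (count, lam, poisson_upper_tail(count, lam))
    return scores


def detect(lines, day, threshold=1e-3):
    """Return alerts for users whose activity on `day` is improbable under their baseline."""
    return [
        {"day": day, "user": u, "files": c, "baseline_rate": lam, "p_value": p}
        for u, (c, lam, p) in score_day(lines, day).items()
        if p < threshold
    ]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2021-03-05"):
        print(alert)
```

Running it flags only alice on 2021-03-05: 12 distinct files against a baseline of 3.0 per day has an upper-tail probability of roughly 7e-5, while bob's 2 files against a baseline of 2.0 scores about 0.59 and is ignored. The output is a probability per user rather than a yes/no, which is what lets an analyst rank and tune rather than hard-code a count; in a real deployment the baseline would cover weeks, be keyed by role or peer group as well as by individual, and combine with other signals (off-hours access, new hosts, sequential path enumeration) before anything reaches an alert queue.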
