Data Breach: the Source May Be External, but the Cause is Mostly Internal

By CIOReview | Monday, August 1, 2016

With a satirical film about assassinating Kim Jong-Un, Sony Pictures Entertainment managed to roll out its most successful digital release. Unfortunately for Sony, the celebration was short-lived. In retaliation for the fictional assassination, the “Guardians of Peace” (hackers allegedly linked to North Korea) broke into Sony’s computers and stole sensitive employee information, Hollywood secrets and copies of unreleased movies. Sony’s woes didn’t end there. Under a judgment passed last year, Sony was asked to shell out $8 million to settle the claims brought by the plaintiffs—its own employees. And Sony is not alone on the list of victims stung by the careless use of technology; in fact, it ranks 33rd in terms of the number of records breached.

Data breaches stemming from external threats are critical, and there is an exhaustive list of them to pore over. Fortunately, the defenders on the receiving end do keep up, and have come up with security solutions designed with data in mind—data loss prevention (DLP) products. Unfortunately, when we think about data breaches we tend to emphasize external factors and leave internal ones unattended; even when it does get attention, this avenue of data breach doesn’t feature on the enterprise security priority list of many organizations.

Perhaps the perfect example of this is the Edward Snowden case. By leaking classified information that solidified suspicions about the shenanigans of the U.S. government’s top brass and the country’s not-so-noble foreign policies, apart from tarnishing brand U.S.A., he proved one thing: one able insider can inflict grave damage that a team of tech-laden outsiders cannot.

Insider Threat

When discussing insider threats we often miscalculate, treating the threat as solely malicious in nature. Of course, malicious insiders are in the equation, but it’s not just about the bad apples. The equation should also include negligent and accidental insiders, and day-to-day internal operations that end up unintentionally jeopardizing sensitive company data. Don’t forget: the world cares and talks about data breaches, not about the intentions of the people involved.

Insider threats are more complex than external ones. Detecting them is very much like trying to locate a spot on a white canvas, although it’s not as simple as it sounds. A black spot would stand out due to its alien nature within the environment. But if someone is asked to single out a hue of white that’s slightly different from the rest, the job gets a lot tougher.

As noted earlier, negligent and accidental insiders, and day-to-day internal operations, should also be considered. A negligent insider, despite being aware of organizational policies, may adopt unapproved means, say an unapproved Web-based file hosting service, to share files with colleagues. An accidental insider may be someone who mistakenly keys in a recipient who wasn’t supposed to receive a particular email. That recipient can copy the included information or download any attached file and forward it to anyone not originally on the list. This way an organization loses sight of who is using a particular piece of information and for what purpose.

Finding the Solution

External adversaries know full well that it’s very tough to break directly into a company’s servers. On the other hand, they know the job is much easier if an insider’s system is leveraged as the point of compromise. Most of the time the job is accomplished by tricking an employee into opening an attachment or clicking a link.

Web browsers and email clients are the most common entry points for malware. One solution is to restrict the capabilities of those applications, but that would take a toll on their legitimate functionality as well. Another way out is to run vulnerable applications in separate virtual machines (VMs). This way, if the application is compromised, the infection is confined to the isolated VM and does not spread to the host operating system. The infection then lasts only a short time, in a controlled environment, and the adversary’s ability to do harm is significantly reduced.

Limiting executable content is another option. Instead of blocking all files of a certain type, organizations can sandbox a few. Using the technology available for the purpose, organizations can analyze content by running it in a sandbox; if it is found malicious the content can be blocked, and if it is found legitimate it can be allowed to move forward.

Companies should also emphasize least privilege, which ensures that a user has access only to the content essential to perform his or her duties. There is a good deal of technology available that companies can leverage to gain sufficiently granular control over content access. With more sophisticated solutions one can even restrict access to specific directories in a repository, to individual documents in a directory, or even to particular sections of a document. But to do that one must be fully aware of the roles of different individuals and the bits of information essential to their duties. Otherwise, someone might be accidentally blocked from accessing necessary content.

To gain even tighter control, organizations can opt for geo-fencing and time-fencing. Geo-fencing is an important tool given the increasingly mobile nature of the workforce. Geo-fencing uses GPS or RFID to deny access to an otherwise authorized device once it moves past a defined area, say the company premises. But if an employee needs to work remotely, geo-fencing fails, and time-fencing comes into play. Irrespective of the geographical location of the device, time-fencing can ensure that access is granted only between defined time points.
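The least-privilege and fencing controls described in the last two paragraphs, combined into one access decision, as an added example (not code from the article): role grants are scoped to a directory, a document or a single section, a geo-fence is applied to on-premises roles, and a time-fence applies to everyone, including remote roles for which the geo-fence is not usable. The roles, paths, coordinates and working hours are constructed sample data.

```python
"""Added example (not the article's own code): a least-privilege access check
that also applies the geo-fencing and time-fencing the article describes.
Roles, paths, coordinates and time windows are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, time
import math

# Least privilege: each role lists only the repository paths its duties need.
# A grant ending in "/" covers every document beneath that directory;
# a grant like "report.pdf#summary" covers only that section of the document.
ROLE_GRANTS = {
    "payroll-clerk": {"hr/payroll/"},
    "auditor": {"finance/q2-report.pdf#summary"},
    "engineer": {"eng/"},
}

@dataclass
class Fence:
    # Geo-fence: centre of the company premises (constructed coordinates) and radius in metres.
    centre: tuple = (51.5007, -0.1246)
    radius_m: float = 300.0
    # Time-fence: access is permitted only between these local times.
    start: time = time(8, 0)
    end: time = time(19, 0)
    # Roles that work remotely have no usable geo-fence; the time-fence still applies.
    remote_roles: set = field(default_factory=lambda: {"auditor"})

def distance_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points (haversine)."""
    r = 6_371_000
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dp, dl = p2 - p1, math.radians(b[1] - a[1])
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))

def path_covered(grants, resource):
    """True if a grant is the resource itself or a directory prefix of it."""
    return any(resource == g or (g.endswith("/") and resource.startswith(g)) for g in grants)

def allow(role, resource, when_iso, device_pos=None, fence=Fence()):
    """Deny unless the role needs the resource and the device is inside both fences."""
    if not path_covered(ROLE_GRANTS.get(role, set()), resource):
        return False, "not required by role"
    when = datetime.fromisoformat(when_iso)
    if not (fence.start <= when.time() <= fence.end):
        return False, "outside working hours"
    if role not in fence.remote_roles:  # geo-fence only applies to on-premises roles
        if device_pos is None or distance_m(fence.centre, device_pos) > fence.radius_m:
            return False, "device outside premises"
    return True, "ok"
```

Note that a section-level grant does not cover the whole document it belongs to, which is the kind of role mapping the article warns must be worked out carefully before enforcement.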

On top of all this, companies should remember a basic idea from medical science: prevention is better than cure. It’s true that technology can be an important weapon in tackling the data breach menace, but what’s truer is that no technology is foolproof. It is strongly recommended that organizations run a proper background check before taking any candidate on board. And for the existing workforce, regular awareness programs that educate them about evolving threats would be highly rewarding.