Many organizations fail to conduct a comprehensive enterprise-wide risk assessment, but a top insider threat expert said even more of them neglect to account for the risk posed by their relationships with third-party partners and technology providers. All too often, this failure sets the stage for a catastrophic data breach incident.
"The broader that an organization expands who has authorized access to its key critical information and information technologies," said Randy Trzeciak, director of the Software Engineering Institute's CERT Program at Carnegie Mellon University, "the broader or higher the potential that someone could maliciously harm an organization."
In this interview, recorded at the 2014 RSA Conference, Trzeciak and Executive Editor Eric B. Parizo review recent high-profile data breach incidents, including the Target, NSA/Snowden and South Korea data breaches, and discuss what went wrong and how enterprises can put insider threat controls in place to prevent similar incidents.
Read the transcript below.
Hi, I'm Eric Parizo from SearchSecurity.com. It's great to have you with us. Joining me today is Randy Trzeciak. Randy is the director of the software engineering institute CERT program at Carnegie Mellon University. Randy, thank you so much for joining us today.
Trzeciak: Thank you. It's great to be here.
Let's talk about lessons learned from various breach incidents for a few minutes. First, the Target breach. The retailer has yet to confirm what actually happened, but based on reports the initial entry point was compromised credentials of a trusted third party contractor. What do you take away from what we know about the incident so far and how common is this sort of scenario?
Trzeciak: It's certainly a vulnerability that should be identified in an organization. The vulnerability would be that the organization boundaries tend to expand when you outsource trusted business partners with critical functions within organizations. So if you are relying upon a cloud service provider to provide some key IT information, security process or practice, that is something you need to consider when developing your enterprise-wide risk assessment. The supply chain is another potential vulnerability that can be exploited as well.
So the broader that an organization expands who has authorized access to their key critical information and information technologies, the broader or the higher the potential that someone could maliciously harm an organization. So every organization does need to consider trusted business partners, cloud service providers, contractors, sub-contractors and trusted business partners in their enterprise-wide risk assessments because again, the more people that have authorized access to what you're trying to protect, the higher chance that someone might do something malicious to harm those critical assets.
So when enterprises really need to offer third party providers trusted access, it seems like finding a way to effectively manage and limit those credentials is important.
Trzeciak: It certainly is a challenge. The challenge exists within an organization. The IT department must control authorized access to the critical assets. When it is expanded to be the contractor's trusted business partners and other suppliers, it is expanded as well. It is certainly a recommended best practice to do a regular security awareness training, to train folks on the protection strategies, but also to do account audits and authorized access compared to the people and their job responsibilities to make sure the people only have authorized access to what they need to do their job.
Many times organizations allow individuals to migrate around an organization. They're at one job today and promoted to a different job tomorrow. Many organizations fail to account for the appropriate privileges as people migrate through or up and around an organization. At any point in time, an organization should be able to confidently say "People only have the minimum privileges they need to do their job."
But unfortunately, in the cases we've seen, people tend to accumulate privileges over the years and it necessarily isn't commensurate to their job responsibilities, which bypasses what organizations do in terms of separation of duties. Many times that's one of the strategies to prevent something unauthorized from happening, but if we don't have the appropriate privileges based upon your job and level of responsibility, separation of duties won't be very effective.
Of course the NSA not long ago encountered what would be the ultimate insider threat scenario with the Edward Snowden incident. Again, the details are somewhat unclear, but obviously there are lessons to be learned regarding limiting administrative privileges specifically. What's your take on that?
Trzeciak: Certainly from the standpoint of protecting critical assets, it needs to be recognized that system administrators or privileged users have authorized access to a lot of what are the crown jewels of an organization. One of the things we would recommend from an organization standpoint is to try to implement dual control or separation of duties in your IT department. Many times organizations will do that in a business process to make sure for example that a person cannot generate a check and approve a check and pay a check. It would require three separate authorized individuals to perform or to complete a business function.
We would like to challenge organizations to see if they can do the same thing in the IT department, so one individual can create an account, one can provision an account and a third may need to disable an account or to modify privileges. That might reduce the likelihood that a system administrator can do something from beginning to end that would cause harm to an organization. That would be the challenge that we would make and one of the best practices that we have documented in our common sense guide to the mitigation of insider threat, which is publicly available on the CERT.org website.
Another recent incident, credit data on as many as half of the people in the country of South Korea, as many as 20 million people, was allegedly stolen by an insider at a credit ratings firm. What strikes you about that particular incident?
Trzeciak: Certainly if you think about what the organization should have been trying to protect. That should have been the personally identifiable information, the PII, should have been what was classified as a key critical asset. And anyone who tries to authorize access or non- authorize access it, there could have been some alerts that could have been provided to that, and the same thing with the tracking of the assets as well.
If someone tries to ex-filtrate it, download it through a media or to send it off through email, there are a number of ways that information can leave the network, there's a number of tools and technologies that could identify, detect when it's happening and alert someone to be, whether it's suspicious or malicious, either way, if that key critical asset being the information is PII, that should be handled just like your key intellectual property, whatever else you're trying to protect in your organization.
We've touched on several different incidents but what are the other common threads that we haven't touched on that you often see in insider threat incidents?
Trzeciak: When we describe the insider threat we try to describe it as insiders, different from the threat posed by insiders. Just like we are all insiders in our organization, are granted authorized access to the networks, the systems and the data and to some degree we all pose a threat to the critical assets in an organization.
When we describe the insider threat we have not found, after 13 years of research, one solution to the insider threat problem. It's really based upon the impact to the organization. So for example, the example that we talked about before: theft of intellectual property. That is when we describe those incidents over time, someone who is leaving one organization, goes to the next organization, a competitor, or to start a competing organization or a foreign government or a foreign organization, they take something with them for a business advantage. That looks different from someone who defrauds an organization as an insider threat.
Those individuals tend to be motivated by a financial gain. Those incidents tend to evolve over a longer period of time and they're usually paid to add or modify or delete data in a critical system to defraud an organization and that looks different from someone who sabotages a network or system. We've seen them where, based upon the case data, disgruntled system administrators, privileged account users who are getting revenge for a perceived injustice, whether it be their passed-over promotion, there's a downsizing, a reorganization, they don't get a raise or bonus. Those individuals tend to be motivated for a revenge against the organization. So in general we try to describe it as not one insider threat, different threats then would have different potential solutions or try to address those particular threats.
Finally, the sad truth is that insiders often get away with malicious actions. In your experience, what makes the difference in apprehending insiders who have committed a crime? What monitoring or forensics capabilities really make the difference in actually making an arrest?
Trzeciak: Certainly again it goes back to what are you trying to protect. If you're trying to protect your key intellectual property, your personally identifiable information and that information were to leave the network, there's categories of tools that may be effective to identify when someone tries to access your key intellectual property, when someone tries to download it or to send it through the email or to ex-filtrate it out the network, those categories of tools will be effective for one of the threats that we have described.
Someone who defrauds an organization again, the detection strategies will be slightly different. The prevention strategy will be slightly different and someone who sabotages a network or system, those will be different as well. But in all of those cases we would certainly recommend that organizations work with law enforcement as soon as they suspect something.
Many times organizations don't do regular investigations on insider threat incidents, whereas law enforcement has probably done it multiple times and can assist you with the forensic evaluation, the prosecution if you decide to prosecute the individuals and the protection of evidence that might be used in a court of law to prosecute someone for doing something maliciously.
So there definitely needs to be a strong tie to law enforcement to involve them as early on as possible and law enforcement is much better today than they were ten years ago of coming into an organization, to assist in the investigation and not have a very big footprint or to disrupt your complete operation. They're not coming in and taking servers and disrupting your entire operation. They're very good at doing virtual images of machines, protecting evidence and it would be a very strong recommendation to involve them as early on in the process just because they've done it many times and they'll be able to assist you very quickly and very efficiently.
Randy Trzeciak, director of the Insider Threat Center at Carnegie Mellon University. Thank you again for joining us today.
Trzeciak: Thank you very much.
And thank you as well. Remember, for the latest information security videos, you can always visit SearchSecurity.com/videos. Until next time, I'm Eric Parizo. Stay safe out there