Sunday, September 18, 2011

Insider threat larger in financial sector and by end users? Really???

I was reading a few articles today and noticed a recurring theme: data breaches involving insiders happen more frequently in the financial sector.  I had been reviewing the 2011 Data Breach Investigations Report from Verizon and noticed that even though the share of insider breaches had dropped from 48% to 17% from 2010 to 2011, they were still increasing in the number of incidents.  The difference was not a decrease in insider breaches but a huge increase in external breaches. 

I was also reading an article from InfoSecurity.com discussing the increase in insider breaches, specifically in the financial sector, based on information from US-CERT.  I believe both articles touch on solid points.  Verizon's report found that breaches are more often carried out by end users than by managers and CxOs, because insiders typically do not need highly elevated privileges to get to the data they are after.  Both noted that insiders are not always after money; intellectual property (IP) has become an increasingly common target.  I believe this is because they think there is more safety in stealing IP than actual account information.  I believe they think they can sell IP to competitors with less risk and a higher potential for gain than if they attempted to liquidate company or customer accounts.  Money is a lot easier to track than IP, especially if the IP is a product or project that can take years to develop. 

There are many reasons that these breaches occur, but with the large percentage being end users, this falls back on many basic security principles.  Least privilege, to start with, is a very basic principle that tends to either be overlooked or, if implemented, not enforced.  There should only be a small number of cases where an end user has unsupervised access to sensitive IP (especially IP that can be sold to a competitor for a large sum of money), to large corporate accounts, or to a large number of customer accounts and payment information.  Another highly overlooked principle is monitoring.  I understand that automated monitoring systems or hiring IT staff to monitor manually can be expensive, but it can save hundreds of thousands when implemented.  However, monitoring alone is not good enough; you need professionals who know what to monitor.  If you do not have someone who understands what should be monitored, then who knows whether you will even be watching the right systems or logs when a breach happens. 

Finally, change management is another principle that is not usually implemented in an effective way.  I don't know how many businesses I have dealt with that either have a default password scheme that is easy to predict once the formula is known, or have accounts and passwords shared across many users, but if I had a nickel for every one of them, I would be driving a much nicer car.  Using a simple password formula across a network is acceptable if and only if it is the initial password assigned upon hiring and is required to be changed on first login, but many companies do not force that.  Instead they just have the basic 90-day, four-previous-passwords policy in place, so many users keep using the same password they were originally set up with, just adding additional characters to the end of it.  This makes guessing passwords extremely easy, that is if someone cannot just walk by a desk and find it stuck to the bottom of the keyboard.  Having credentials that span multiple users is also an easy way to allow a breach.  First off, with multiple users sharing a single set of credentials, how do you know who used the credentials in a breach if it is discovered?  Second, if multiple users are using one set of credentials, take a guess what happens if someone is let go: you guessed it, nothing.  Why?  Because if they already have policies lax enough to allow this in the first place, I sincerely doubt they will be sure to change it when someone leaves the company. 
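The two control gaps described above, a password-history policy that lets users keep the same password with characters tacked on the end, and shared credentials that no one can attribute, both lend themselves to simple automated checks. The following is an added example (not code from the original post or from any product it mentions) showing both: a password-change check that rejects a new password that is merely the current one with a suffix appended, and a log-review routine that flags an account logged in from several workstations inside a short window, which is the usual signature of a shared credential. The log lines, account names and workstation names are constructed for the example, and the 15-minute window and 12-character minimum are assumed thresholds.

```python
import hashlib
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta


# --- Part 1: password-change check that catches "old password + suffix" ---

def strip_trailing_junk(pw):
    """Drop trailing digits/symbols so 'Summer2011!' and 'Summer2011!1' share a base."""
    return re.sub(r'[\d\W_]+$', '', pw)


def is_trivial_variant(new_pw, old_pw):
    """True if new_pw is old_pw with characters appended, or the same word with a
    different trailing number/symbol (the '90-day, add a character' pattern)."""
    new_l, old_l = new_pw.lower(), old_pw.lower()
    if new_l == old_l or new_l.startswith(old_l):
        return True
    base_new, base_old = strip_trailing_junk(new_l), strip_trailing_junk(old_l)
    return bool(base_new) and base_new == base_old


def hash_pw(pw, salt):
    """Salted PBKDF2 digest used for the stored password history."""
    return hashlib.pbkdf2_hmac('sha256', pw.encode(), salt, 100_000)


def check_new_password(new_pw, current_pw, history, min_len=12):
    """Return (ok, reason). current_pw is supplied by the user in the change flow,
    so it can be compared in the clear; history holds (salt, digest) of older ones."""
    if len(new_pw) < min_len:
        return False, "too short"
    if is_trivial_variant(new_pw, current_pw):
        return False, "new password is a trivial variant of the current one"
    for salt, digest in history:
        if hash_pw(new_pw, salt) == digest:
            return False, "password was used before"
    return True, "ok"


# --- Part 2: spot shared credentials in authentication logs ---

# Constructed sample log lines (not from any real system).
AUTH_LOGS = """\
2011-09-16 08:01:12 LOGIN user=teller_shared src=WS-101 result=success
2011-09-16 08:03:40 LOGIN user=teller_shared src=WS-107 result=success
2011-09-16 08:05:02 LOGIN user=teller_shared src=WS-112 result=success
2011-09-16 08:10:55 LOGIN user=jsmith src=WS-054 result=success
2011-09-16 12:30:00 LOGIN user=jsmith src=WS-054 result=success
2011-09-16 13:00:00 LOGIN user=teller_shared src=WS-101 result=success
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=success$')


def find_shared_accounts(log_text, window=timedelta(minutes=15), min_hosts=2):
    """Return {user: sorted hosts} for accounts that logged in successfully from
    at least min_hosts distinct workstations within `window` of each other."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        events[m['user']].append((ts, m['src']))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            hosts = {src for t, src in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    salt = os.urandom(16)
    history = [(salt, hash_pw("OldPassword99", salt))]
    print(check_new_password("Summer2011!1", "Summer2011!", history))
    print(check_new_password("correct horse battery staple", "Summer2011!", history))
    print(find_shared_accounts(AUTH_LOGS))
```

In a real change flow the current password is already in hand (the user types it to authorize the change), so the suffix check costs nothing extra; the history is kept hashed so that nothing stored can be reused to recover old passwords. The log check is deliberately coarse: a single account seen on three tills within four minutes is exactly the "who used it?" problem described above, and it is the kind of thing a monitoring person who knows what to look for would pull from the logs before a breach, not after.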

In any case, when you combine the fact that we have a poor economy, easy access to cashable information, and inefficient policies to prevent breaches, you have a recipe for disaster, as the financial sector is finding out the hard way.  There is nothing you can do to be 100% secure and still have a functioning business, but that doesn't mean a breach has to happen or that you shouldn't be diligent in preventing it.  If I have learned anything about security, it is that it is an 80/20 split: 80% policies and management, 20% technology.  However, far too many companies believe it is the other way around, and obviously 80% technology will not make up for only having 20% policies and management.
