12/18/18: Dtex, Insider Threat, Privacy News: DoD OIG Insider Threat Warning Provides Powerful Lesson; Boomoji’s Exposed Databases Reinforce Need for Insider Oversight; Stolen Credentials are an Epidemic
Beyond the headlines, there are multiple lessons tucked away in the stories that can teach organizations how to detect and mitigate the insider threat. Last week’s top news lineup touched on a range of insider threats that Dtex helps its customers to eliminate on a regular basis. Let’s take a look at a few:
Nextgov: Poor Security Could Leave U.S. Defenseless Against Missile Attacks, by Heather Kuldell. This article is about the Department of Defense (DoD) Office of the Inspector General (OIG) audit of security controls used for ballistic missile defense systems. It reports on the presence of a number of classic insider threats that often go unaddressed. According to Kuldell:
Inspectors also flagged several situations that a malicious insider could exploit. In general, the network administrators had poor access controls in place. They didn’t require multifactor authentication to access the system’s technical information, nor did they require written justification from users for elevated access. They also allowed users to save unencrypted data to removable drives without monitoring them.
All of these risk factors are present not only in government organizations but also in private industry. One in particular that Dtex helps organizations to detect on a regular basis is the insecure use of removable drives. In the Dtex 2018 Insider Threat Intelligence Report, we found this risk present in 90 percent of the organizations we assessed. There are a number of mitigation steps that can be taken to reduce the risk associated with removable devices. These include blocking use altogether, providing company-approved devices for employees to use, and making sure monitoring is in place that detects when, where and how these devices are being used.
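To make the last two mitigations concrete, here is an added example (not Dtex's code or the product's detection logic) that applies a removable-device policy to endpoint activity logs: mounts of devices whose serial is not on an approved list are flagged, and any file written to a mounted device that did not report encryption is flagged as an unencrypted copy. The log format, the host and user names, the device serials and the approved-serial list are all constructed for the illustration; real OS audit logs and endpoint agents use their own formats.

```python
"""Flag removable-media activity that violates a removable-device policy.

Added example, not Dtex's code. The log format below is constructed for
illustration; real endpoint agents and OS audit logs use their own formats.
"""
import re
from dataclasses import dataclass

# Constructed: serials of the company-issued, encrypted drives (made up).
APPROVED_SERIALS = {"CORP-ENC-0001", "CORP-ENC-0002"}

# Constructed log format: <timestamp> <host> <user> <EVENT> key=value ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\S+)(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample activity: one approved encrypted drive used correctly,
# one personal drive that receives a customer list in the clear.
SAMPLE_LOG = [
    "2018-12-12T09:02:11Z ws-17 jdoe USB_MOUNT serial=CORP-ENC-0001 mount=/media/usb0 encrypted=yes",
    '2018-12-12T09:05:40Z ws-17 jdoe FILE_WRITE path="/media/usb0/reports/q4.xlsx" bytes=240311',
    '2018-12-12T09:06:02Z ws-17 jdoe FILE_WRITE path="/home/jdoe/notes.txt" bytes=1200',
    "2018-12-12T13:44:02Z ws-23 asmith USB_MOUNT serial=GENERIC-9F3A mount=/media/usb1 encrypted=no",
    '2018-12-12T13:45:10Z ws-23 asmith FILE_WRITE path="/media/usb1/customer list.csv" bytes=88210',
    "2018-12-12T13:50:00Z ws-23 asmith USB_UNMOUNT mount=/media/usb1",
]


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    detail: str


def parse_line(line):
    """Split one log line into a dict of fixed fields plus key=value pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    pairs = KV_RE.findall(rec.pop("kv"))
    rec.update({k: v.strip('"') for k, v in pairs})
    return rec


def evaluate(lines):
    """Return policy findings for a sequence of log lines, in log order."""
    findings = []
    mounts = {}  # (host, mount point) -> mount record, so writes can be attributed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        event = rec["event"]
        if event == "USB_MOUNT":
            mounts[(rec["host"], rec["mount"])] = rec
            if rec.get("serial") not in APPROVED_SERIALS:
                findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                        "unapproved-device",
                                        f"serial={rec.get('serial')} mount={rec['mount']}"))
        elif event == "FILE_WRITE":
            for (host, mount), mrec in mounts.items():
                # Only writes landing under a currently mounted removable device count.
                if host == rec["host"] and rec["path"].startswith(mount + "/"):
                    if mrec.get("encrypted", "no") != "yes":
                        findings.append(Finding(rec["ts"], rec["host"], rec["user"],
                                                "unencrypted-write",
                                                f"path={rec['path']} bytes={rec.get('bytes')}"))
        elif event == "USB_UNMOUNT":
            mounts.pop((rec["host"], rec["mount"]), None)
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} {f.rule}: {f.detail}")
```

Running it reports only the second session: the personal drive is unapproved, and the customer list written to it is an unencrypted copy. The approved, encrypted drive and the write to the local home directory produce nothing, which is the point of tracking mounts rather than alerting on every USB event.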
SC Media: Report: Boomoji app developer leaves customer data exposed on open database, by Bradley Barth. This news is about how developers of make-your-own-avatar app Boomoji forgot to password-protect two internet-connected databases. This oversight publicly exposed 5.3 million users’ personal data. According to Barth:
The wide-open databases, from Elasticsearch, stored users’ names, genders, countries and phone types all in plain text, TechCrunch reported yesterday. Moreover, the databases also contained unique user IDs, each of which was linked to additional, highly sensitive information that the user either provided or allowed the app to access.
This is another area of risk that has been around a while but is gaining more and more attention in the media lately. In our insider threat intelligence report, we found that in 78 percent of all assessments, company information was completely publicly accessible in the cloud – usually on websites like Google Drive (or Docs, Sheets, etc.), Dropbox, Box, etc. This means that company information – and oftentimes, very sensitive data – was completely accessible to anyone who had or could find a certain link; no credentials needed. No need to panic, though: there is a solution.
Companies need to educate users on the native security capabilities and controls built into cloud websites. Make it clear that these websites do not always encrypt information and teach employees never to use the public-share link unless they’re dealing with information that is suitable for open consumption. Some organizations have had success blocking certain cloud sites, minimizing the attack surface, and funneling all employee use to one tool where it can be monitored appropriately. But, once again, this is another example of the importance of the ability to detect the “unknown unknowns.” To remain truly protected, organizations must be able to answer the important questions – like, “How and when are my employees using the cloud to store and share data?”
InfoSecurity Magazine: Over 40,000 Stolen Government Logins Discovered, by Phil Muncaster. This news about government credentials likely for sale on the dark web shows that credentials were stolen from government agencies and legislative bodies across a wide range of nations. According to Phil:
Over 40,000 credentials for accounts on government portals around the world have been leaked online, and are most likely up for sale on the dark web.
Russian security firm Group-IB said usernames and cleartext passwords were available for various local and national government entities across more than 30 countries.
Hundreds of accounts on the websites of the US Senate, the Internal Revenue Service, the Department of Homeland Security and NASA were among those affected, according to Bloomberg.
Also hit were portals of the Israel Defense Forces, the Italian defense and foreign ministries, and Norway’s Directorate of Immigration, as well as government sites in France, Poland, Romania, Switzerland and Georgia.
Credential theft and misuse is an insider threat we witness all too often. It is mostly the result of user negligence and disregard for policies. Malicious insiders are also sometimes to blame. In last year’s insider threat intelligence report, we found a URL exposed publicly that led to a spreadsheet that contained credentials to different financial websites used by the organization. Anyone with the credentials stored in the document would have had full, unrestricted access to company bank accounts and other critical financial accounts. The solution in this case was user education combined with intelligence that revealed the behavior that led to the exposure.
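The spreadsheet case above is the kind of exposure a simple content check over shared documents can surface before anyone else finds the link. The following added example (not Dtex's code or a description of its product) scans CSV-style sheet contents for a credential column, reports the row, site and account it belongs to, and masks the secret itself so the report never becomes a second copy of the credentials. The sample sheet, its sites and its values are constructed for the illustration.

```python
"""Find credential columns in shared spreadsheet contents, without copying secrets.

Added example, not Dtex's code. The sample sheet below is constructed.
"""
import csv
import io
import re

# Header names that usually mark a column of secrets (constructed heuristic list).
SECRET_HEADER_RE = re.compile(r"^(pass(word|wd|phrase)?|pwd|secret|api[_ -]?key|token)$", re.I)
SITE_HEADER_RE = re.compile(r"^(site|url|website|host|system)$", re.I)
USER_HEADER_RE = re.compile(r"^(user(name)?|login|account|email)$", re.I)

# Constructed sample: the sort of sheet found behind a publicly shared link.
SAMPLE_SHEET = """site,username,password,notes
https://bank.example/login,treasury@corp.example,Hunter2!2018,main operating account
https://payroll.example,payroll-admin,,rotated last week (blank on purpose)
https://vendor-portal.example,ap-team,S3cr3t-Vendor,AP vendor payments
"""

# Constructed sample with no credential column, to show a clean result.
HARMLESS_SHEET = """site,owner,notes
https://intranet.example,it-team,wiki landing page
"""


def mask(secret):
    """Keep only the first character so the finding cannot be reused as a password."""
    return secret[0] + "***" if secret else ""


def first_match(headers, pattern):
    """Index of the first header matching the pattern, or None."""
    for i, h in enumerate(headers):
        if pattern.match(h.strip()):
            return i
    return None


def scan_sheet(text):
    """Return one finding per row that holds a non-empty secret cell."""
    reader = csv.reader(io.StringIO(text))
    rows = list(reader)
    if not rows:
        return []
    headers = rows[0]
    secret_cols = [i for i, h in enumerate(headers) if SECRET_HEADER_RE.match(h.strip())]
    if not secret_cols:
        return []
    site_col = first_match(headers, SITE_HEADER_RE)
    user_col = first_match(headers, USER_HEADER_RE)
    findings = []
    for row_no, row in enumerate(rows[1:], start=2):  # row 1 is the header
        for col in secret_cols:
            value = row[col].strip() if col < len(row) else ""
            if not value:
                continue  # an empty cell is not a stored credential
            findings.append({
                "row": row_no,
                "column": headers[col],
                "site": row[site_col] if site_col is not None and site_col < len(row) else "",
                "user": row[user_col] if user_col is not None and user_col < len(row) else "",
                "masked_secret": mask(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_sheet(SAMPLE_SHEET):
        print(f"row {f['row']}: {f['site']} ({f['user']}) stores {f['column']}={f['masked_secret']}")
```

On the constructed sheet the scanner reports the bank login and the vendor portal row, skips the payroll row whose password cell is blank, and returns nothing for the sheet without a credential column. The report carries enough to find the owner and rotate the accounts, but not the secrets themselves, which matters when the findings are themselves stored or e-mailed around.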
Privacy, Cybersecurity News at the Top of the Charts
Of course, the insider threat isn’t the only cybersecurity news that created headlines last week. To keep up to date on the latest happenings, check out a few of these stories:
Axios: 1 big thing: Admitting what failed in a breach, by Joe Uchill. At a Federal Trade Commission hearing on Wednesday, Malcolm Harkins, chief security and trust officer at Cylance, pitched the idea that government should hold companies that make security software accountable.
SC Media: Save the Children loses $1 million to BEC scam, by Doug Olenick. Maybe nothing is sacred. According to Doug: Save the Children was hit last year with a business email compromise scam that cost the charity $1 million. The cyberattacker gained access to an employee’s email account and then, posing as an employee, created fake invoices and supporting material to convince the organization to send almost $1 million to a fake charity in Japan.
The New York Times: Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing, by David E. Sanger, Nicole Perlroth, Glen Thrush and Alan Rappeport. The cyberattack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation.
The Wall Street Journal: FBI Says Chinese Espionage Poses ‘Most Severe’ Threat to American Security, by Dustin Volz and Aruna Viswanatha. Chinese corporate espionage has metastasized into a critical national and economic security threat, top federal investigative officials told U.S. senators on Wednesday, issuing stark warnings that Beijing is exploiting American technology to develop its own economy.