Cybercriminals are targeting privileged network users in ways that are increasingly devastating to security efforts across the financial services industry. These types of insider threats have become more prevalent in the past two years due to the combination of:
- Increased network activity volumes that makes pinpointing anomalies more difficult:
- The growing use of cloud computing which increases the attack surface for insider attacks; and
- The fact that more employees and vendors have access to sensitive networks. ((Insider Threats Survey: The Ominous State of Insider Threats. September 2013. Commissioned by The Enterprise Strategy Group. retrieved October 4, 2013.))
And, while the threat is escalating, there is an industry-wide lack of awareness regarding this issue. According to the September 2013 Enterprise Strategy Group (ESG) Insider Threats Survey of data security executives at Fortune 1000 firms, just 39% of the survey’s financial services respondents acknowledge their firms’ vulnerability to insider fraud or theft. And just 10% identified abuse of legitimate privileged user access credentials as a serious threat.
Two insidious ways that advanced persistent threats (APTs) occur are:
- An employee or contractor who has legitimate access to high level data to do their job goes rogue. This is the Edward Snowden profile.
- A high level IT administrator, Security Staff, or C-level Executive with privileged information access has their identity socially engineered. This type of breach can be conducted through malware and may be exacerbated by the fact that servers are often unprotected.
Both means allow individuals to work their way through infrastructure and access valuable assets. And these types of breaches have become harder to detect and are not being adequately addressed. ESG’s report shows that while 53% of the security community surveyed indicated they will increase efforts to fight insider fraud, much of their effort is still being placed on advanced malware perimeter security―an effort that immediately fails at controlling fraud and theft that occurs through the use of legitimate credentials.
This report exposes an urgent need to rethink enterprise security in ways that protect against insider attacks at all levels of threat actors and attack vectors. Well designed security will use the ‘least privilege’ principle of granular access controls that allow IT staff to access the metadata required to perform their functions effectively, without compromising the datasets themselves. For example, ESG recommends data firewalls and monitoring that:
- Afford IT staff with blind content of account files and transaction documents, such as account numbers, emails and financial statements;
- Protect HR document data, such as social security numbers and other personally identifiable information;
- Examine a mix of internal and external users.
- Incorporate encryption technology use for all sensitive data.
The ESG survey provides a financial sector wake-up call―we are falling behind in balancing IT initiatives and risk management that prevent insider credential harvesting and distinguishing suspicious network behaviors. The time to act is now.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @SFGBrad