Earlier this year, Andy blogged on Carnegie Mellon University’s Computer Emergency Response Team (CMU CERT) research on insider attacks: specifically their motivation, means and opportunity, and what we can do to prevent them. To quickly review, insiders know that information is an asset. They often have access to the data, know where the data is stored, and have context as to why it’s important. Then a trigger event happens—“you missed your quotas this quarter”—and they steal it!
The CERT sample was small, so I became curious how their model and data aligned with recent insider threat data breaches. I searched for insider data breaches that occurred within the past two years, and I filtered out “catastrophic” and “severe” cases (ones with one million to over 100 million records breached).
A quick glance at the search results reminded me that data breaches happen globally and affect all verticals – healthcare, financial, education, government, etc. These recent incidents also support many aspects of the CMU research.
But here’s a pattern in my own quick research that’s worth noting: insiders can quickly and anonymously sell bulk PII to a well-established black market. In other words, it’s easier than ever to monetize the data.
Here are five insights I learned from my own research:
1. Who are the insiders?
These stealthy insiders are former employees, current employees, and unscrupulous contractors. What’s most alarming is that it takes only one individual, or a couple of people, to steal anywhere from a few records to over 100 million!
2. What did they steal?
These insiders took trade secrets, customer data, financial data, credit card numbers, government-issued ID card numbers, and sensitive patient and organizational data.
And what do these insiders do with the data after it’s stolen? In hopes of financial gain, one sold it to various online data brokers, who then sold it to other data brokers. Some teamed up to extort their former employers. Another insider wanted to move back to his home country, stealing company data with the intention of taking it to a competitor.
These insiders exploited vulnerabilities, abused their credentials, or simply emailed stolen data from their work email.
3. When does the breach happen?
It can happen at any time. One took over the course of a year and a half. Another had regular access to personal information of customers from around the country and took the data intermittently.
4. Where are the stolen data stored?
Insiders downloaded valuable data they knew was important to the company and then copied it onto an external drive. Afterwards, some enlisted family members to hold the devices. Others simply sent it to their personal email accounts.
5. Why do insiders get away with it?
Because employees and contractors think they can. This is one of the most important points of the CMU research! When employees see that the employer doesn’t view their data as valuable and worth protecting, they’ll draw their own conclusion—“no one cares if I copy this customer database.” One even wrote to management to admit that he stole company data while he was an employee.
Even though it was reported that some insiders weren’t authorized to use the data and that the data wasn’t necessary to their work, they did have access to the data. In fact, all insiders had access to the data.
Paging all CEOs, CTOs, CIOs, CISOs, and security experts: monitor employee access and use user behavior analytics (UBA) to alert on anomalous behavior!
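As an added illustration of the monitoring called for above, here is a small set of detectors written for this page (it is not code from the original post or from CMU CERT). It runs three checks over a constructed file-access log: a per-user volume baseline that catches the one-day bulk pull, a rolling-window check that catches the slow, intermittent drip that a daily baseline misses, and a plain rule for records moved to an external drive or personal mailbox. The log format, user names, destination labels and thresholds are all assumptions.

```python
# Added example: a minimal user-behaviour baseline over a constructed file-access log.
# Not from the original post or CMU CERT; field names, thresholds and users are assumptions.
from collections import defaultdict
from datetime import date, timedelta
from statistics import median
from typing import NamedTuple

EXTERNAL_DESTINATIONS = {"usb", "personal_email"}  # assumed labels from a DLP/audit source


class Event(NamedTuple):
    day: date
    user: str
    dest: str      # where the records went: "internal", "usb", "personal_email"
    records: int   # number of customer records touched


def build_sample_log() -> str:
    """Constructed audit log, one 'YYYY-MM-DD,user,dest,records' line per access (not real data)."""
    lines = []
    start = date(2016, 3, 1)
    for i in range(30):
        d = start + timedelta(days=i)
        lines.append(f"{d},alice,internal,{100 + (i % 3) * 10}")  # normal CRM lookups
        lines.append(f"{d},bob,internal,400")                       # steady, unremarkable daily volume
    lines.append("2016-03-31,alice,usb,48000")                      # one-day bulk copy to a drive
    return "\n".join(lines)


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        d, user, dest, records = line.split(",")
        events.append(Event(date.fromisoformat(d), user, dest, int(records)))
    return events


def daily_totals(events):
    """user -> {day: records accessed that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e.user][e.day] += e.records
    return totals


def spike_alerts(totals, multiplier=5, floor=500):
    """Flag a day whose volume exceeds a per-user baseline (median, which one spike cannot skew)."""
    alerts = []
    for user, days in totals.items():
        threshold = max(multiplier * median(days.values()), floor)
        for day, n in sorted(days.items()):
            if n > threshold:
                alerts.append((user, day.isoformat(), n, "spike"))
    return alerts


def drip_alerts(totals, window_days=30, cap=10_000):
    """Flag intermittent theft: each day looks normal, but a rolling window exceeds the cap."""
    alerts = []
    for user, days in totals.items():
        ordered = sorted(days.items())
        for day, _ in ordered:
            start = day - timedelta(days=window_days - 1)
            running = sum(n for d, n in ordered if start <= d <= day)
            if running > cap:
                alerts.append((user, day.isoformat(), running, "drip"))
                break  # first day the window trips is enough; later days only repeat it
    return alerts


def egress_alerts(events):
    """Flag any record movement to an external destination (USB drive, personal mailbox)."""
    return [(e.user, e.day.isoformat(), e.records, f"egress:{e.dest}")
            for e in events if e.dest in EXTERNAL_DESTINATIONS]


def run_detectors(log_text: str):
    events = parse_log(log_text)
    totals = daily_totals(events)
    return spike_alerts(totals) + drip_alerts(totals) + egress_alerts(events)


if __name__ == "__main__":
    for alert in run_detectors(build_sample_log()):
        print(alert)
```

In the constructed log, alice trips the spike and egress rules on the day of the bulk copy, while bob never exceeds his own daily baseline and is caught only by the rolling 30-day window. Real deployments replace the constructed log with the file-server or database audit trail and tune the multiplier, floor and cap per data set.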
Insider threat data breaches are very real. They’re expensive—PWC says they’re more costly than outside attacks—and in the case of IT sabotage or public exposure of internal records, the attack can be catastrophic, destroying reputations and disrupting operations.
Need a refresher on data security best practices for insider threats? The CMU CERT research team came up with these top five tips.