Failure to adopt a “continuous auditing” approach to security opens organisations to the risk of negligent insider threats, warns Philip Lieberman
Despite the fact that since April 2010 a deliberate or malicious data breach can be punished with a fine of up to £500,000, organisations continue to leave themselves vulnerable to attack. A few weeks ago a doctor at North West London Hospitals NHS Trust was found to be in breach of the Data Protection Act for leaving medical information about 56 patients on the London Underground.
As reported to the Information Commissioner’s Office (ICO) by the trust in May 2010, the incident happened when a doctor printed out personal and diagnostic information about his patients in order to carry out an audit. He intended to do this at home outside of normal working hours. Shortly after leaving the underground, he realised the information had been left on the train and returned to inform the station supervisor. The documents were subsequently found by London Transport and handed back to the doctor.
A spokesperson for the ICO said: “Most of us can think of a time when we’ve found someone else’s personal belongings, like an umbrella, left behind on a train. But the last thing we should ever expect to find is highly confidential and sensitive material detailing people’s medical history.”
Earlier this year, Internet giant Google announced that it was the victim of a sophisticated attack from China designed to break into accounts of political dissidents hosted by the company. Details are scarce, but one disclosure in particular did stand out. Google reported indications that its employees either intentionally or unintentionally helped make the attack possible. This detail hardly surprised many security experts, myself included, who have long written about the threats that enterprises face from inside the corporate firewall.
Our warnings haven’t gone completely unnoticed; awareness about insider threats has grown in the recent past. But many companies’ responses have the appearance of ineffective security theatre.
One case in point: security training for rank-and-file employees. Some CIOs seem to expect that by educating users about the dangers of clicking risky links or downloading unvetted applications onto their machines, these users will stop their risky behaviour.
The truth is, while employee training can offer some ROI by eliminating a small percentage of IT incidents, it’s hardly a cure-all.
Pouring water on boiling oil
According to many security experts, the most prevalent IT security threat arises from negligent insiders. Malicious hackers prey upon enterprise users with the knowledge that no matter how many times your employee may hear about security policies and risks, eventually that user will click a questionable link on Facebook, respond to a phony email purporting to come from “Her Majesty’s Customs & Excise”, or be duped by a targeted spear-phishing attack.
It’s inevitable that costly mistakes will be made, because there is a human working at each keyboard attached to those networked PCs, and people are fallible. They have bad days. And sometimes they do not stop to think whether they are putting their employer’s assets at risk.
In the case of an employee who has the elevated access levels needed to carry out his or her job, an attacker who entices the worker into infecting one computer now also has privileged access to the network. The worker’s account becomes the proxy for the hacker, who knows how to leverage this access for further attacks deeper and deeper into the network.