Tackling the insider threat
Daily FT-CICRA Holdings fourth annual Cyber Security Summit’s inaugural session sets the stage for sharing new knowledge and insights
The EC-Council Cyber Security Summit 2016 organised for the fourth consecutive time kick-started on Tuesday with high-profile international IT security experts from Sri Lanka and the region. The EC-Council Cyber Security Summit 2016 is co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT.
The main objective of the summit was to create awareness of the importance of cyber security and to provide top officers in the Government, top private sector leaders and IT professionals with best practices for acquiring, implementing, managing and measuring the information security postures of their organisations and their counter-measures.
Not every villain wears a mask
The first session of the summit, on the theme ‘Not Every Villain Wears a Mask: The Insider Threat’, discussed how organisations are blown away by their own staff when they fail to put efficient cyber security policies in place.
Starting the session, Cisco Head of Security Sales in India and SAARC Pravin Srinivasan delivered the keynote speech, in which he talked extensively about insider threats and how to defend against them.
“It is a huge headache when you think of protecting ourselves against someone who we really know very well in the cyber security sphere. We let that person know about all the best-kept secrets of the organisation and they have turned against us. Cyber security has reached the agenda of every boardroom, government, bank and startup. Digitisation is playing a pivotal role presently and every public and private entity is looking at transforming their businesses with digitisation. This leads to new security challenges as well.”
“For the sake of efficiency, power, productivity and technical feasibility, businesses adopt cloud and mobile devices. We spend half of our time with our smartphones. We consume mobile networks, Wi-Fi and cloud instances every day and the reality is, you cannot guarantee 100% protection from all the security challenges coming from these mediums. You cannot stop the movement towards cloud or mobile. If you look at these challenges, they have been around for some time but their complexity has increased exponentially. In the past, a security officer of an organisation only had to worry about maintaining 300 or 500 devices but now, it has become a nightmare for them. This has increased the number of challenges people face in terms of the security of an organisation,” he said.
Pravin said that fundamentally, every threat is actually an insider threat.
“The origin of the attack may have come from outside but if you analyse carefully, some part of the attack has gotten help from inside the organisation. If someone’s intention is to steal your organisation data, you could only do it from the inside. It could be on a laptop, mobile device, server or it could be anywhere. In most cases, someone inside the organisation has helped the hacker to sneak into your company data, intentionally or unintentionally. It means that every single threat is an insider threat, which has become a huge issue for businesses.”
“Advanced threats that are coming to organisations are very difficult to stop because they are hidden in plain sight. It may be hidden in one of your PDF files or an HTML file. You cannot stop the flow of these documents because it means that you are stopping the business. And these threats are very difficult to find. If you analyse multiple reports, the average time taken for companies to figure out they have been attacked is six to eight months. The time taken to clean the infection will be a year or more. If you take a well-written malware and analyse its time of execution, it would steal your data within six to eight hours. There is a quantum jump in that and it is creating so many problems for organisations.”
“One of the other biggest issues we are facing today is that you cannot protect from what you don’t see,” he stressed. “We have this huge network, apps and data that are running around our organisation but we don’t have details about them. A lot of attacks we are seeing today are coming in through various forms and these attacks use mediums in organisations where we actually have no clue whether they existed in the first place.”
Analysis is the key
Pravin suggested that analysis with proper visibility is the key to reducing these attacks.
“It should not be a normal analysis, but an organisation should have visibility with continuous analysis. You cannot protect what you can’t see, so a perfectly visible analysis will help an organisation to see what is actually happening. It will also help you to assess all your data, applications, endpoints and server flows and help you to place protection mechanisms.”
He also talked about mechanisms that organisations could use to identify threats, such as ‘Before, During, After’, which examines how a cyber-attack happened by following a set of stages. Pravin said that the first stage should obviously be to not let any malware enter your organisation.
“However, you cannot be 100% secured with all your firewalls and anti-virus software. At some point, some stuff will definitely get in. If you spend all your time and money trying to stop the threat at the gate, you are helping insiders to get what they want. Just as you spend time eliminating outside threats, look at stopping all the threats which are coming from inside your organisation. It means that you are looking in and out. Once you do all these and figure out how the organisation was attacked, you need to have a mechanism to take action. Do something about it rather than talking about it. That is why in the ‘After’ stage, you need to analyse your scope, take counter measures and align your cyber security strategy with sound policies. Even if threats still enter your organisation, you need to ensure crystal clear visibility to examine what is happening inside your network and the capability to take action,” said Pravin.
He emphasised that people inside an organisation should get access to a limited number of resources, based on what they really need to access. The moment you ensure that only the right set of people have access to the right set of resources, the organisation will be able to prevent an attack and also reduce its scope, said Pravin. He said risks could be mitigated through identity management, authentication and proper access control, as well as by analysing the traffic patterns of applications, end-users and networks. Pravin also mentioned that an organisation should have a specified level of automation built in so that it can take action when a physical analysis is not possible.
“Visibility is required all the way down to the end-users. You need to know what they are doing, what devices they use and whether they are using updated applications. If they enter cloud platforms, you need to make sure to provide end-to-end security, the same level of protection as on premise. That is when you will be able to identify the scope of a threat in real time,” stressed Pravin.
The missing 2%
Delivering the guest speech, Cyber Crime Expert of Pune Police and NetConclave Systems Founder and CTO Niranjan Reddy spoke about how insider threats are causing problems for organisations at different levels. He started his presentation with an interesting quote: what matters is not the 98% of cyber-attacks an organisation figures out, but the 2% of attacks it misses completely.
“We have all the layered defences and mechanisms in our network but still incidents take place. This means that we have been missing out on that 2%. The landscape of insider threats has risen out of nowhere,” said Niranjan.
Niranjan revealed that, as per the 2016 Vormetric Data Threat Report, 91% of global organisations feel vulnerable to data threats; enterprises and governments are focusing on compliance ahead of breach prevention, and they invest in technologies that do not prevent data breaches, while the real data breaches are caused by insider threats. “Insiders generally possess access rights which, together with their authority and knowledge, grant them far greater opportunity than outsiders to bypass dedicated nuclear and radiological security elements or other provisions such as safety systems and operating procedures. Insiders, as trusted personnel, are capable of methods of defeat that may not be available to outsiders. As such, insiders—acting alone or in concert with outsiders—pose an elevated threat to cyber security,” he said.
“Your organisation data could be leaked by people who are working in your organisation. Using a USB drive or an email, information will be sent out to an outsider who is probably a competitor of your organisation. When you find out that you have been breached, this will have an impact on your market reputation, financial status and shareholder trust. Organisations need to have a monitoring mechanism for people they feel suspicious about, staying back late in the office, etc.,” said Niranjan.
Almost one-third (32%) of respondents to a global survey said insider crimes are costlier or more damaging than those committed by external adversaries, yet less than half (49%) say they have implemented a plan to deal with internal threats. The lack of a formal insider risk-management strategy seems short-sighted, given that 28% of survey respondents detected insider incidents within the last two years.
“Insider threats often have a benefit over external rivals because they have authorised access to data and systems, and therefore have no need to breach security controls. Even insiders with access to the network, but no authorised access to certain types of systems and data, are more likely to understand the organisation’s competitive environment. They also may know exactly where to look for the company’s most valuable information, including customer lists, pricing strategies, and research and development initiatives currently in progress,” Niranjan said.
He explained to the audience the different insider threat types: malicious, regressive and compromising. He explained what these threats do and how organisations could defend against them with proper encryption mechanisms and embedded passwords for devices. He also dissected two case studies for the audience and explained how the organisations failed to protect their data. Using these case studies, he touched upon the impact of external adversaries such as organised crime groups, which sometimes target vulnerable employees to help steal or gain access to sensitive data. When doing so, they often identify employees who are experiencing financial problems or are obviously looking for financial gain. Niranjan also explained to the audience the impact of former employees and how they plan to steal organisation data.
“Minimising and managing crimes committed by inside actors will demand that organisations develop and execute a specific insider-threat management program that is aligned and integrated with their business, cybersecurity, and data-protection strategies. The basic building blocks to such a program are: identify what is most valuable to you and a potential insider threat; protect against insider threats; detect when threats manifest in your organisation; respond to limit their potency and potential damage; and recover to restore your environment to a better state.”
Niranjan also spoke about different signs of insider threat activity, where he talked about stolen credentials, malpractices of systems administrators, unauthorised access, unknowing data movement inside a network and security policy violations. He also talked about several emerging insider threats such as BYOD (bring your own device) and open networks.
“Not every employee needs access to every piece of data, so organisations should segment their networks and restrict privileges to ensure that employees can access only files and applications they need. For example, your finance department probably has nothing to do with getting access to your software workflows. And employees in one country may not be legally allowed to access customer data from another country. Such controls can be enforced at the network level by encrypting data at rest and using firewalls to physically prevent traffic from flowing between areas. You can also assign specific roles to employees with identity management or data-labeling tools. The larger the company, the more likely it will need all of these controls,” said Niranjan.
Prevention of these threats is always possible, Niranjan opined. “You are talking about insiders. There needs to be a proper background check and understanding of the situation before you form policies. Your company must measure actual, not intended, results of security efforts — you must know when you fail. Effective monitoring programs combine technology with aggressive operational processes to monitor for unusual employee network behavior. The technology detects suspected violations. The operational processes and skilled staff make sense of the data. Failure to balance technology and operations never ends well.”
“It’s important to understand that insider risk cannot be managed entirely by your IT department or the cyber security officer. Nor can technology itself forestall insider threats. Effective management will require a disciplined, risk-based, cross-functional approach that includes IT, information security, corporate security, human resources (HR), legal, audit, and other stakeholders. It will also demand participation from appropriate lines of business, as well as finely tuned data privacy policies,” he said.
Mitigating threats is a team effort
At the panel discussion, ICTA Sri Lanka Chief Executive Officer Muhunthan Canagey said that the government will always invite every professional body in the country to join them in order to mitigate cyber threats and draw up a national-level plan. “If I talk about cyber security, there is nowhere you can have closed doors. Today, the world is collaborative and you can never go back to being siloed. That is something governments have to change. The culture within the government and government organisations, with all sorts of territorial boundaries and a clearly-defined legal framework, is clearly missing out on the aspect of a collaborative, open working environment. We are gradually changing that culture. We want to bring the private sector and the industry together because you can never sort out cyber security issues unless you have everybody at the same table,” said Canagey.
Adding more, he said, “One of the facts is about having dedicated security personnel within your organisation. It is important so that you can build a culture where there is openness and that would help us to build defined processes. From a technology viewpoint, these resources would be very costly. Small and medium-sized businesses will not be able to afford these resources. This is where I think you need to build more community-based providers who would actually come in and help you solve issues and who would also guide you in these types of crisis situations. For countries like Sri Lanka, this step will be very pivotal as we see many SMEs coming out.”
Answering a question at the panel discussion, Pravin said that cyber security is a valuable opportunity for any organisation to draft a sound cyber security strategy.
“Cyber threats have always been a C-suite issue; the only difference right now is that with the involvement in the digitisation process, threats have become a certain roadblock for the top management. If the government puts a lot of data on the web and it gets hacked, it puts millions of lives at stake. One of the ways we could look at this is that because these projects have become so critical to the company as a whole, adding security should be a regular process from day one. Before we start thinking about implementing an application, let us first see how we can make it safer. That is an opportunity we have,” he said.
“If you look at some of the hacks that happened globally, they have been done by certain underground hacker communities. There is no point tracing them back and trying to sue them. You need to put sound policies in place to not let that happen to you or your organisation again. Just look at the roots and figure out how it happened and why it happened. You can’t make anything secure but you can take a proactive approach. You must have a dedicated person to take care of these attacks and you should also have a layered defence approach, which means having different layers of technology. You should not have a single firewall and say I am secured now. You always have to make it difficult for the hackers to exploit your data but, coming back, no company could perform a 100% security assessment,” Niranjan said at the panel discussion.
The EC-Council Cyber Security Summit 2016 was co-organised by CICRA Holdings – Sri Lanka’s pioneering cyber security training and consultancy provider – and Daily FT. Supported by the ICT Agency, the strategic partners of the 2016 Cyber Security Summit were Microsoft and CISCO, the electronic payment gateway was LankaPay, the insurance partner was Sri Lanka Insurance, the creative partner was BBDO Lanka, the printing partner was OfficeMax, the hospitality partner was Cinnamon Lakeside and the electronic media partners were MTV and MBC Radio. Deakin University and EPIC Lanka also extended their support to the Summit.