Security breaches did not stop making headlines in recent months, and while hackers still go after credit card data, the trend goes towards richer data records and the exploitation of various key assets inside an organization. As a consequence, organizations need to develop new schemes to identify and track key information assets.
The biggest recent breach in the financial industry occurred at JP Morgan Chase, with an estimated 76 million customer records and another 8 million records belonging to businesses stolen from several internal servers. At Morgan Stanley, an employee of the company’s wealth management group was fired after information from up to 10% of Morgan Stanley’s wealthiest clientele was leaked. Even more sensitive was the largest health-care breach thus far: at Anthem, over 80 million records containing personally identifiable information (PII), including social security numbers, were exposed. Less well-known, but potentially more costly in terms of damage and litigation, is the alleged theft of trade secrets by the former CEO of Chesapeake Energy (NYSE: CHK).
So, what do these breaches have in common, and what makes them so bad?
Morgan Stanley and Chesapeake Energy both involved insider threats in which authorized employees accessed and stole company assets, while JPMC and Anthem were targeted cyber attacks in which hackers broke into internal databases and stole customer records containing personally identifiable information. In all four cases, key assets were not sufficiently secured inside the company network because of neglect, or simply ignorance of the oversight that such special assets require. The Anthem breach is particularly worrisome because access to very sensitive PII data was not tightly controlled, nor was the data encrypted while “at rest.”
Hackers and Insiders go after Key Assets
The trends are clear: Nowadays, hackers and insiders think in terms of "key assets." Credit card numbers have been the prime target for thefts and breaches, but enhanced fraud detection by credit card companies and a move to chip-based credit cards has reduced their black market value. In the meantime, the value of more general data records (covering personal data, health information and intellectual property) has increased. As a consequence, personal data sells for 10X the price of stolen credit card numbers.
More importantly, mountains of seemingly worthless data entries can become valuable information when correlated with other data such as home addresses and Twitter handles. Collecting large amounts of data and applying data mining and data science techniques has enabled bad guys to extract value out of large amounts of unstructured data. According to DARPA, roughly 80% of American individuals can be identified with three pieces of data.
Often the value of key assets is not visible at first sight, either because the information content of a resource is unknown (e.g. sensitive files on a specific server), or the content is known, but its value is unknown (e.g. email addresses, Twitter handles and other publicly available data).
In both cases, it is challenging to get a handle on the situation: The former is often due to human error or systemic shortcomings that are difficult to control, while the latter would require companies’ InfoSec teams to estimate the abilities, creativity and motivation of hackers. In either scenario, a complete restriction on data access or a shutdown of network resources is not a practical solution.
Identify Key Assets to stay on top of a situation
The problem boils down to a reliable and timely identification and tracking of key assets. If you know where your key assets (e.g. information of value) reside, you can take appropriate protective measures and react much more precisely to threats. An intrusion into your company network, or an insider accessing machines on the network in an unauthorized manner, can be immediately evaluated and even prevented if you know the proximity of the threat to your key assets. So, how can you identify, track and keep up to date the set of key assets in your network?
There is no universal recipe for creating this list of key assets and keeping it up to date. A good way to start is to use both manual and automatic means to identify what is important in your network. Manual identification will track down information on the network by the value of its content, while automatic identification will expose assets by frequency or duration of use (assuming frequency or duration equate to value).
For manual identification, the first question to ask is: what information do you value, and what information, if stolen, would be valuable to someone outside your organization? As stated above, it’s not just about credit card numbers and customer records, but sales figures, company presentations, and even activity log files. The more thorough the manual review, the better the final list of key assets.
Once the list is generated, the next step is to track the locations of the identified information and put them at the center of any threat investigation. Does the information only reside on specific servers with remote access? Or could it be copied to less secured file servers or laptops? This should yield a map of the locations of potential key assets.
A similar, but complementary, analysis can be performed automatically by observing network activity. Look for what data is most frequently accessed on the network. The frequency of data access will yield some rather trivial information bits (such as wiki pages), but very often reveals information stored at various locations that have been missed in the manual review. Additionally, the automatic tracking and identification can be done constantly, immediately showing new, critical information sources on the network as they come into being.
The last remaining, and obviously most critical, piece of the puzzle is the efficient monitoring of activity involving the identified key assets. Any malicious activity or damage is likely to occur around these assets, which limits the space to search in and through.
However, for the monitoring to be effective and preventive, one needs to look beyond predefined access patterns (such as large downloads) and watch for anomalies as well. Only anomaly detection ensures that previously unseen malicious activity around the key assets can be detected.
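The three steps above (merge a manually reviewed list with the most frequently accessed resources, map the result to a set of key assets, then monitor access to those assets for anomalies rather than only fixed patterns) can be demonstrated end to end on a small file-access log. The following Python is an added example written for this page, not code from the author; the log format, the user and resource names, and the two anomaly rules (a user with no baseline history touching a key asset, and a transfer volume far above that user's own baseline) are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample access logs (not from any real system). The line format
# is an assumption for this example: <timestamp> <user> <action> <resource> <bytes>
BASELINE_LOG = """\
2015-03-02T09:01:10 alice READ /wiki/onboarding 2048
2015-03-02T09:05:33 bob READ /wiki/onboarding 2048
2015-03-02T09:10:02 carol READ /wiki/onboarding 2048
2015-03-02T10:12:45 alice READ /crm/clients/top100.xlsx 51200
2015-03-02T10:40:19 alice READ /crm/clients/top100.xlsx 51200
2015-03-02T11:02:07 bob READ /eng/geo/well-survey-2014.pdf 120000
2015-03-02T14:25:51 bob READ /eng/geo/well-survey-2014.pdf 118000
2015-03-03T09:03:14 alice READ /wiki/onboarding 2048
2015-03-03T09:30:00 carol READ /wiki/onboarding 2048
2015-03-03T10:15:22 alice READ /crm/clients/top100.xlsx 52000
2015-03-03T11:45:09 bob READ /eng/geo/well-survey-2014.pdf 121000
2015-03-03T16:20:33 carol READ /hr/payroll/2015-q1.csv 8000
"""

MONITORED_LOG = """\
2015-03-04T09:02:41 alice READ /wiki/onboarding 2048
2015-03-04T10:20:15 alice READ /crm/clients/top100.xlsx 51500
2015-03-04T11:05:58 bob READ /eng/geo/well-survey-2014.pdf 119500
2015-03-04T19:47:03 carol READ /crm/clients/top100.xlsx 51200
2015-03-04T20:01:12 alice READ /crm/clients/top100.xlsx 4800000
2015-03-04T20:05:44 carol READ /wiki/onboarding 2048
"""

# Result of the manual review (constructed): resources whose content is known to be valuable.
MANUAL_KEY_ASSETS = {"/hr/payroll/2015-q1.csv", "/eng/geo/well-survey-2014.pdf"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>\S+)\s+(?P<resource>\S+)\s+(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def rank_by_access(events, ignore_prefixes=()):
    """Automatic identification: resources ordered by access count, with
    known-trivial locations (e.g. wiki pages) filtered out first."""
    counts = Counter(
        e["resource"] for e in events
        if not e["resource"].startswith(tuple(ignore_prefixes))
    )
    return counts.most_common()


def identify_key_assets(manual_list, events, top_n=2, ignore_prefixes=()):
    """Merge the manually reviewed list with the top-N most accessed resources."""
    automatic = {r for r, _ in rank_by_access(events, ignore_prefixes)[:top_n]}
    return set(manual_list) | automatic


def build_baselines(events, key_assets):
    """Per (user, asset): bytes transferred in each baseline-period access."""
    baselines = defaultdict(list)
    for e in events:
        if e["resource"] in key_assets:
            baselines[(e["user"], e["resource"])].append(e["bytes"])
    return baselines


def detect_anomalies(events, key_assets, baselines, z=3.0, min_spread_ratio=0.1):
    """Flag key-asset events that deviate from the baseline. The spread floor
    (a fraction of the mean) stops a near-constant history from flagging noise."""
    findings = []
    for e in events:
        if e["resource"] not in key_assets:
            continue  # activity outside the key assets is not in scope here
        history = baselines.get((e["user"], e["resource"]))
        if not history:
            findings.append({**e, "reason": "user has no baseline access to this key asset"})
            continue
        avg = mean(history)
        spread = max(pstdev(history), avg * min_spread_ratio)
        limit = avg + z * spread
        if e["bytes"] > limit:
            findings.append({**e, "reason": f"volume {e['bytes']} exceeds baseline limit {limit:.0f}"})
    return findings


def run_example():
    """Baseline period -> key-asset set -> anomalies in the monitored period."""
    baseline = parse_log(BASELINE_LOG)
    monitored = parse_log(MONITORED_LOG)
    key_assets = identify_key_assets(MANUAL_KEY_ASSETS, baseline, top_n=2, ignore_prefixes=("/wiki/",))
    baselines = build_baselines(baseline, key_assets)
    return key_assets, detect_anomalies(monitored, key_assets, baselines)


if __name__ == "__main__":
    assets, findings = run_example()
    print("Key assets:", sorted(assets))
    for f in findings:
        print(f"{f['ts']} {f['user']} {f['resource']}: {f['reason']}")
```

On the constructed data, the frequency ranking puts the wiki page first (the "rather trivial information" the text warns about, hence the ignore prefix), the CRM spreadsheet is picked up automatically even though it was missing from the manual list, and the monitored period yields exactly two findings: a user touching a key asset she never accessed during the baseline, and a download roughly a hundred times a user's normal volume. Both would be missed by a rule that only watches a fixed list of access patterns.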
Even though the risk of the insider threat is clear, it remains one of the most under-estimated and under-addressed aspects of cybersecurity. This tech note covers actions that every organization can take to start on the right path to stopping insider threats.
Oliver Brdiczka is an AI Architect at Adobe. He has led R&D teams and designed/built AI systems that understand and respond to human behavior, relying on data from various sensors and deployments. Before joining Adobe, he was an advisor at Quantiply Corporation and Yobs. Previously he was a co-founder and VP of AI research at Stella.ai and principal data scientist at Vectra. He received a master's in computer vision, robotics, and imagery and a PhD in computer science and artificial intelligence from Institut polytechnique de Grenoble.