April 9, 2019
It would be impossible to add to this blog every headline about insider threat incidents that is published, because there are too many. This week, we want to point out a few that are representative of the overall problem and provide links to resources that offer guidance on how to close insider threat gaps.
First, we want to alert readers that next week, an annual event focused on insider threat defense is taking place where Dtex Systems VP of federal David Wilcox will be presenting. Attendees will have an opportunity to learn about the latest attack patterns and mitigation techniques from a number of government and private industry representatives. To learn more about the event, read: Dtex Systems VP of Federal David Wilcox Presents at Fifth Annual Insider Threat Summit
And now, a look at several recent negligent insider threat headlines.
Miami Herald: ‘She lies to everyone’: Feds say Mar-a-Lago intruder had hidden-camera detector in hotel. This story is about the alleged spy who infiltrated President Trump’s golf retreat destination. It carries an interesting lesson about user negligence that is worth mentioning. According to the writers:
Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified.
Why negligence? It’s a long-held standard in the cybersecurity industry that no one should ever place an unauthorized thumb drive into a computer, especially one taken from a crime suspect. Thumb drives are an easy way for criminals to inject malware into devices and the systems they are connected to. It is not clear whether or not the device that the agent inserted the drive into was connected to other systems. The testimony given by agent Ivanovich implies that it perhaps was. Otherwise, why would the agent have felt the need to immediately shut off his machine?
Moral of the story: if you find a random drive or are handed one that you can’t absolutely verify, then don’t plug it in.
Fortune: Leaky Databases Are a Scourge. MongoDB Is Doing Something About It. According to Robert Hackett:
MongoDB, a database software provider whose stock has been on a tear recently, just hired its first-ever chief information security officer.
The new boss is Lena Smart, a Glaswegian cybersecurity professional. Smart formerly held the same title at IPO-bound Tradeweb, a financial services firm that supplies the technology behind certain electronic trading markets. Prior to Tradeweb, she headed security at the New York Power Authority, where she worked for more than a decade.
People leaving MongoDB and other databases unsecured on the web has been a persistent source of data-leaks over the years. Just this month, a security researcher discovered one such sieve that exposed to public view a trove of sensitive information, including location data, on millions of people in China.
Most of these inadvertent leaks have sprung, in fairness, from people using outdated instances of the company’s so-called community edition software, a free, barer-bones version of the database product.
Why negligence? Adding a CISO to staff is certainly a step in the right direction. There isn’t a database company today that should not have such a person standing on its leadership bridge. However, it is important to remember that all of the features and leaders in the world can’t save organizations from the mistakes that their users will eventually make. Organizations have to take responsibility for their own users’ actions.
In response to the news, Dtex CTO Mohan Koo commented:
Technology vendors are headed in the right direction when they add CISOs and other security-focused leaders to their staffs to make their offerings more secure. It should be remembered though, that adding more horsepower and controls won’t necessarily reduce risk. This is especially true when it comes to the problem of exposed databases, which is now an epidemic of sorts.
All of the security features in the world can’t prevent humans from making the mistakes that are leaving billions of records exposed to anyone with enough know-how of where to find them. A key way to lower the chances of leaving data open to the Internet is to gain visibility over the security errors people make when using cloud databases and applications.
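The exposed-database problem discussed above usually comes down to two settings in a MongoDB server's configuration file: the network bind address and whether access control is switched on. The script below is an added example, not code from Dtex Systems or from the MongoDB project. It embeds two constructed mongod.conf texts (one deliberately exposed, one hardened), reads the relevant keys with a small purpose-built parser, and reports the misconfigurations. It assumes the real mongod option names `net.bindIp`, `net.bindIpAll` and `security.authorization`, and the 3.6+ default of binding to localhost when no bindIp is given.

```python
"""Audit a mongod.conf for the two settings that most often turn a MongoDB
instance into a publicly readable database: binding to every interface and
running without access control.  Added example; both configuration texts are
constructed for illustration and do not describe any real deployment."""

# Constructed: a deliberately exposed configuration (weak settings).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network, including the Internet
"""

# Constructed: the same server with a private bind list and access control on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal interface
security:
  authorization: enabled       # every client must authenticate
"""


def parse_conf(text):
    """Minimal reader for the two-level 'section:\\n  key: value' layout used by
    mongod.conf.  It is not a YAML parser (use yaml.safe_load on real files);
    it only needs to recover the keys this audit looks at."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):              # top-level key = section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    net = conf.get("net", {})
    # Assumption: mongod 3.6+ binds only to localhost when bindIp is absent.
    bind_ip = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_all or any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append(f"net.bindIp/bindIpAll: server listens on all interfaces ({bind_ip})")
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append(f"security.authorization is '{auth}': any client that can connect "
                        "has full read/write access")
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a configuration text."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_text(text) or ['no findings']}")
```

Passing both checks is necessary but not sufficient: after setting `authorization: enabled` an administrative user still has to be created (until one exists, the localhost exception allows an unauthenticated connection from the server itself to do so), and the bind list only helps if the interfaces named are not themselves exposed by a cloud security group or firewall rule.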
Motherboard: Third Parties Left 540 Million Facebook Records on the Public Internet. According to Joseph Cox:
For your regular reminder that developers across the world sometimes have real trouble putting any sort of protection on their databases, third party companies left Facebook user data exposed to the open internet, according to cybersecurity firm UpGuard.
Why negligence? The above paragraph speaks for itself.
SC Magazine: VoterVoice database leaks email addresses, messages to elected officials. Writes Teri Robinson:
An unsecured database at VoterVoice exposed a trove of personal information, including more than 300,000 unique email addresses, home addresses and phone numbers of people who have sent messages to legislators or participated in campaigns around hot political topics through “the grassroots advocacy system.”
Why negligence? Again, the above paragraph speaks for itself.
Malicious Insider Threats
Malicious insider threat instances occur less frequently than negligent ones. This doesn’t mean that organizations should not pursue them with equal vigor. Several recent headlines reminding us of this include:
WPTV: Deputies: Man stole from All Smiles Dentistry customers. According to the news:
A Fort Pierce man was arrested on Monday for identity theft, grand theft and fraud.
The St. Lucie County Sheriff’s Office says 23-year-old Demetrius Nolen worked for All Smiles Dentistry and it is believed that is how he identified his victims.
“Come in for a smile, walk out with a frown” — How the news team at WPTV in Palm Beach didn’t come up with this as a headline, we’ll never know.
Dark Reading: The Insider Threat: It’s More Common Than You Think. This commentary by Raj Ananthanpillai reminds us of three high-profile malicious incidents:
A former Goodwill employee stole $93,000 from the charity by faking payroll records.
A rogue Tesla employee broke into the company’s manufacturing operating system and sent highly sensitive data outside of the firm.
Uber’s 60-person crisis team is dealing with 1,200 severe incidents reported to the company weekly, including verbal threats, physical and sexual assault, rape, theft, and serious traffic accidents.
Last but not least, in Information/Age: The rise of employees stealing data: how do businesses stop this from happening? Sooraj Shah writes:
When people outside of the IT industry hear the phrase ‘data breach’ or a story about cyber security, the initial thought is that it is the result of a sophisticated hacker or organisation ‘attacking’ a business. Enterprises are of course being targeted by sophisticated cyber-attacks, however, there are many unsophisticated data breaches occurring every day, where employees or former employees are stealing data and trying to profit from this in some way.
Check out these Dtex Systems resources for addressing negligent and malicious insider threats: