Morrison theft shows insider hacks a security weakpoint  

Comments from security industry specialists suggest that there are ways of guarding businesses against a hack from within the employee ranks

  • 10 years ago Posted in

Last week’s theft of staff payroll data from UK supermarket chain, Morrison’s, has led some security specialist organisations to venture opinions and advice for other businesses that may fear they, too, might suffer an `insider’ attack as is suspected with the Morrison case .

They also raise the issue of what can be done if the attack is geared to a motive of revenge on the part of an employee – or more likely, an ex-employee.

For example, Paul Ayers, VP EMEA at enterprise data security firm Vormetric, offered these thoughts:

“Even in the wake of the mammoth Target and Neiman Marcus data breaches, this latest incident suggests that organisations are still struggling to protect their data resources from those already legitimately ‘inside the fence’. It is often a case of ineffective management of ‘privileged’ users on corporate networks that causes this type of data breach incident. Every organisation will have employees or contractors who have far reaching, privileged, computer network access rights – and it is how these users are controlled and secured that is often a weak link in the data security framework.

“The question therefore needs to be asked, why do so many organisations still have such inadequate policies in light of recent Insider Threat headlines and incidents worldwide? Our own research from last October showed that a significant 73 percent of organisations fail to block privileged user access to sensitive data. 

“Organisations must be regularly assessing their security position and, more importantly, constantly monitoring their IT systems to detect and respond to data breaches as soon as they happen.  In turn, encryption of all data must be viewed as a mandatory, life-saving seatbelt. It’s only with a deep level of security intelligence and data-centric security that businesses will be able to spot suspicious activity as and when it occurs, and stop outside attackers and rogue employees alike in their tracks.”

Tim 'TK' Keanini, Chief Technology Officer of Lancope, identified revenge as a possible motive, a potential factor with any employee who might, for example, part company with a business under something of a `cloud’.

"This breach is not the first and certainly not the last of its kind. By the tactics used, the behaviour is more of revenge or hacktivism because the perpetrators wanted the stolen data to be public. If they were cybercriminals, it would have been harder to find in the initial stages because it would have been for sale on some darknet and for a price. Also, the data being sent to a newspaper is another telling sign of the attacker wanting it to be a very public event.

“Stolen information is not like a head of lettuce where, if you take it from me, I am one less a head of lettuce. Information when stolen is a property that you still have so this statement about it only being available for a short period of time is nonsense. The data could have been copied and circulated everywhere so, to be on the safe side, these employees should be extra sensitive to fraud caused by the disclosure of their personal data.

“I also find it interesting that the attackers only went after the employee data when all the customer data that is stored could have been stolen and monetised. Either it was taken, and they don’t know it yet, or this is clearly not the cybercriminal profile in that this prize would have been much larger in numbers and would yield a higher price on the dark-markets.

“When you look at this event and you ask yourself, `is this what good incident response looks like?’ I’d give them a B- in my book. They are working with law enforcement, they are communicating with the victims, but the lower grade in my book is the fact that they probably did not have the advance telemetry installed prior to the event to aid in the forensic investigation.

“Particularly if this was insider threat, security tools like Firewalls and IDS’s don’t alarm because the attackers are using valid accounts to move around your network. Which account accessed this HR system in the past 60 days? Why is the employee snooping around these file systems when they have never done this before? All of these behaviours show up like a red flag if you have the right incident response readiness."

If the hack was driven by a motive of revenge it is easy to assume that there is little or nothing that technology can do to prevent it. But this is an area where some of the newer thinking on policy-based security can be beneficial. Establishing policies which are then applied to the output of activity monitoring tools can identify unusual or out-of-parameter behaviours by staff or trusted contractors.

What is more, the granularity of the factors that can be identified is getting finer, making it possible to be more precise about when and where connections are made by individuals, regardless of where they are on the planet, and even if it was them making the connection.

That combination of policy, monitoring and real-time analysis can not only identify and prove the culpability of an individual, but increasingly stop the action taking place.

Fifty-three percent of technology companies say they need a cloud strategy for emerging...
New state-of-the-art data centre features Vultr’s first AMD GPU supercompute cluster.
Only a quarter (25%) think their approach to the cloud is carefully considered and successful.
Moving to AWS Cloud will enable The Co-operative Bank to adopt cutting edge IT Infrastructure.
The global airline group will upgrade the value of its data and get its AI & generative AI ready...
Barracuda Networks’s award-winning Email Protection and Cloud Backup security solutions will be...
Leading company in renewables to leverage HPE’s unique turnkey AI infrastructure solution to...
The four-year project extension focuses on cloud transformation and enhanced operational efficiency...