The now infamous Ashley Madison website has had a pretty successful run at helping its clientele be disloyal. So perhaps some would view it as poetic justice if the website became one of the most scandalous breaches in history at the hands of one of its own.
At least that is the conclusion of IT security analyst John McAfee, who noted recently “yes, it is true. Ashley Madison was not hacked – the data was stolen by a woman operating on her own who worked for Avid Life Media.”
If true, the fact that the Ashley Madison breach was due to an internal, and not external, threat shouldn’t come as too big a surprise. Many IT security studies this year have pointed to the growing threat of insider data theft and corporate breaches.
In some cases, insider threats can be more financially damaging and more difficult to defend against. After all, external threats involve someone trying to break in. The insider threat already has the keys to the front door and knows where the family jewels are stored.
Still, external and internal threats often share one key motive – the desire to profit from data. With external threats, hackers are traditionally looking to steal data that they can sell in the black market. With internal threats, the incident may involve an employee – or former employee – looking to cash in on something they developed or strategic information that competitors want.
That was the case this January in Boston, when the Proctor & Gamble Company filed suit against four former Gillette Company employees, accusing them of wrongfully using and disclosing confidential information and trade secrets to a direct competitor.
In July, an employee of Merit Health Northwest Mississippi was accused of removing patient information from the facility over a two year period without authorization. The employee reportedly stole patient names, addresses, dates of birth, Social Security numbers, health plan information and clinical information, all for the purpose of identity theft.
Perhaps the most difficult to defend against is the disgruntled employee, notes Jane LeClair, chief operating officer at the National Cybersecurity Institute, which tracks data breach incidents. One might be tempted to think the NCI spends the lion’s share of its time on external data breaches, but insider threats have become a top concern.
“Insider threats are something that most organizations don’t have a terribly high focus on today,” LeClair believes. “I think there is a lot to be done in that area. We, as Americans, are really a very trusting people. So it’s hard for a lot of organizations – especially smaller organizations – [to view employees as a primary threat].”
Obviously most aren’t. But enough are, or could be, that employers need to be looking over both shoulders – one facing outside and the other in, LeClair indicates.
“In many cases, when we talk insider threat, the person may no longer be with the company – so if you add that piece to the definition you can see why it becomes pretty big; much bigger than people probably think about,” LeClair notes. “People who leave may be angry or frustrated, or are laid off. You can understand why the company wants to get them out quickly because they can have that need for revenge in some cases.”
Or they may still be with the company but are disengaged.
“They feel unappreciated or unfulfilled. They are hard workers but they don’t feel that the organization is appreciating them or recognizing them, or perhaps not paying them what they feel they’re worth. That’s another level of dissatisfaction that is very frequently thought about. I would say that’s probably one of the bigger reasons.”
Then there is a relatively new insider threat which may prove to be among the most dangerous – the politically motivated perpetrator.
“I’ve always looked at from the human perspective,” explains Candy Alexander, an IT security consultant and former chief information security officer. “It’s important to note if you are a security person or an IT person to pay attention to what is going on in our society with current events. It will be reflected into the electronic world. In our society and culture today there is a lot of intolerance for lots of things. We’re seeing that through sorts of events.”
A different moral compass
Could social conscious be a motivating factor in the Ashley Madison case? It’s still too early to tell, but some IT security experts tell CIO that it is certainly possible.
Since word of the Ashley Madison breach broke in July, many IT security experts and forensics professionals began debating the source of the attack, which revealed the email addresses of millions of account holders and site visitors. Many immediately suspected an insider threat, since the culprit(s) seemed to know too much about the firm’s technology.
“A hacker is someone who uses a combination of high-tech cyber tools and social engineering to gain illicit access to someone else’s data. But this job was done by someone who already had the keys to the Kingdom. It was an inside job,” McAfee stresses.
To support his charge, McAfee cites the following information that was shared by the hacker:
- An office layout to the entire Ashley Madison offices.
- Up-to-date organizational charts for every division in the company.
- A stock option agreement list, including signed contracts.
- IP addresses and the status of every server owned by the company, which amounts to hundreds worldwide.
- Raw source code for every program that has been written for Ashley Madison.
Clearly some individual, or individuals, had an all access pass to the company’s systems.
Many top IT security experts believe that the most common form of insider data threat is that of accidental exposure – an employee unintentionally and unwittingly creating a vulnerable situation or allowing data to be accessed. That certainly accounts for many threat incidents.
“All companies are going to have the possibility of this occurring because accidents do commonly occur, and I do believe that accidental exposure is much more common than intentional harm,” explains Meg Anderson, chief information security officer at Principal Financial Group.
“So lack of awareness is one cause of accidents – such as lost laptops, misdirected email, even paper reports that are still walking out of companies,” Anderson says. “Those are relatively small incidents. But we also have data on all kinds of new devices now, so we’ve added possibilities of iPhones being hacked, tablets, etc.” They all run the risk of financial loss, fines, lost customers, plus the potential loss of reputation.
[Related: UBA vs. the rogue insider]
Insider threats also vary depending on what the organization does and the type of data it collects, Anderson says.
“There are a lot of scenarios and I think a lot of it depends on the organization. You cannot discount financial gain. There are going to be insiders that want to make money on your data and on your intellectual property. It could involve insider trading – having authorized access and passing that along to somebody else. “
“The third thing I can think of is that a lot of times employees think that they own what they work on while they’re at work. One thing that is often compromised is source code – programmers thinking they own their source code. They may also be temporary contract employees that work for us. They take that code from company to company, because you do reuse code, and it makes sense to them that it is their property.”
Still, Anderson agrees that it the disgruntled employee that probably poses the greatest theat.
“When we talk about intentional damage it could be far more impactful because it’s less likely to be noticed and it also could go on for some time – a ‘slow flow’ sort of approach,” Anderson says.
To spot a thief
So how do you spot the potential data thief in your midst?
It starts with observing behavior, notes Ganesan (Ravi) Ravishanker, CIO at Wellesley College, in Massachusetts.
“We do the usual best practices,” Ravishanker says. “Most of us rely on the annual audit. We create the best practice controls and do the best we can. We also rely on the business units to partner with us to be able to develop controls, to develop reports; we do have very comprehensive reports that we generate on which users have access to what data. That gets adjusted because people’s roles change. We need to make sure that we keep people’s access as limited as possible.”
But technology is only part of the solution. It is equally important is to watch for changes in user behavior, Ravishanker says.
“One of the big things is really looking at changes in employee behavior,” LeClair agrees. “Maybe their work performance is dropping off or they’re arriving later. Conceivably it could even be better work performance in that they’re grabbing data. Or behavior toward other employees might be something that you notice.”
Finally, in addition to all the best security practices that an organization should focus on, the bottom line is how well the organization treats its workers.
“The thing I feel best about is that we have a Best Place to Work, and it’s on the Best Place to Work list for a reason,” Anderson concludes. “I do think that if you have fully engaged employees that feel appreciated and that their work is being recognized, they are less likely to feel that they want to commit crime on the job.”
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.