Predicting Insider Data Breaches

A ticking time bomb of sorts is hidden away in the cubicles and workstations of many businesses. When it goes off, the personal financial information of customers and workers could be laid bare. So can sensitive corporate data.

The potential for both accidental and deliberate breaches of personal information and intellectual property by workers is a growing concern for corporate executives. Sometimes employees just get careless or do not know all that they should about data security. Other times, the breaches are intentional, perpetrated by disgruntled workers.

Data security products spearheaded by regulatory compliance dictates help IT managers monitor outgoing e-mail and block the sensitive data it contains. Other data security products encrypt designated data types to protect against loss if the data is stolen.

New security software systems are helping corporate executives monitor and prevent insider data breaches. Insider data breaching occurs when an employee steals sensitive — often personal — financial and corporate information.

Knowing the telltale signs of insider breacher behavior is a necessary first step in catching a data breach before it happens.

“People need to be attentive on all levels. If managers don’t watch their workers’ behavior, they will miss the clues,” Dan Sarel, vice president of product management at Sentrigo, told TechNewsWorld. Sentrigo is a database security software company.

Inside Jobs

A Carnegie Mellon University report last year estimated the number of breach incidents caused by insiders is increasing by 3 to 5 percent annually. The figures apply to companies of any size. However, because many insider attacks go unreported and many companies do not know they are happening, more definitive figures are not available.

Also last year, a CSI/FBI security survey disclosed that insiders are responsible for more than 70 percent of network abuse. This figure, however, is based on only the number of insiders who were caught.

U.S. organizations lose about six percent of their annual revenue to insider fraud, according to a report issued last September by the Association of Certified Fraud Examiners and Ernst & Young’s Global Security Survey.

Insider theft poses a unique problem to security chiefs. Existing endpoint security systems have no effect because there is no intrusion to prevent. The data thief does not have to get inside. He or she already has legitimate access to the data stored on the corporate network.

Plugging Potential Leaks

Like several other software security solutions available, Vericept’s data loss prevention product monitors access to databases and other files stored on corporate networks. The software enforces policies set by the company tailored to its type of sensitive data.

“Most employees try to do the right thing but don’t always know about all the components of the database. By receiving a notification from our software, the employee actually learns about the error,” Paul Pillotte, senior product manager at Vericept, told TechNewsWorld.

Vericept’s system prevents data breaches by encrypting or blocking the sensitive information at the point the employee attempts to send it, he said. It also places a monitoring client on corporate laptops so mobile workers cannot send out unauthorized data.

The security software’s enforcement policy allows a worker to open a document but not save it anywhere. In essence, Vericept does not block access to USB drives. Instead, it allows full use of the USB storage for non-sensitive data.

The software sends alerts of the potential breach to the employee. Rules allow for either blocking the release or allowing the action with a justification for the action recorded so when monitoring occurs there is an explanation, explained Pillotte.

To Catch a Thief

From Pillotte’s view, the bigger problem is stopping accidental data breaches. Sometimes mistakes happen and employees send sensitive information without knowing it.

For example, a person in the human resources department could e-mail a client or a contractor a spreadsheet with specific information, not knowing that there is a tab with 100 social security numbers included, he explained.

“We find that deliberate data breaches are a much smaller part of the problem, but the damage done when privacy is unknowingly violated by workers is much greater,” Pillotte said.

Not all security experts agree, however. Corporate databases are far too tempting for some workers to resist, asserted Sentrigo’s Sarel.

“We see databases as the prime target for data breaches within a company. It is the crown jewel. Databases are so huge that it is easy to move data around unnoticed,” he said.

To ensure the safety of sensitive data, company officials must be proactive in monitoring all their employees.

Telltale Signs

“The answer [to preventing insider data breaches] is not only in IT. Coworkers and managers at all levels can see warning signs. The goal is to catch a potential insider breacher early enough to prevent further progress,” said Sarel.

One key sign is the office worker who never takes vacations. It is widely known that people who do data breaches do not take vacations, he explained. Taking off for a few days and leaving their desk unguarded would leave a window open for someone to discover their illicit activities.

Supervisors also should be aware of sudden escalations in a worker’s network privileges. A big warning sign is when a worker requests additional access for a document not normally needed, Sarel said.

Many breach methods are technology based. However, insider data breachers also use social engineering techniques on their coworkers and supervisors to gain passwords or additional access rights, he added.

Guarding the Database

In normal circumstances, a database should only be accessed by one or two applications. The IT staff should monitor for any deviation. The use of unusual programs within a database is a big warning sign, explained Sarel.

Until an actual breach occurs, thieves have to do lots of preliminary work. They have to scout out the database and learn what they can do. Usually, a breach is not a one-time event. It requires quite a lot of casing and prep work, he explained.

“There are lots of tools to block privilege escalation. IT security needs to look every few days for changes that could indicate tampering in preparation for a breach. This depends on the degree IT is willing to spy on workers,” Sarel noted.
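The monitoring described in this section (a short list of expected applications, plus a periodic look for privilege changes) can be sketched as a review pass over a database audit trail. This is an added example, not code from the article or from any vendor named in it; the log format, program names, user names and the allow-list are constructed assumptions.

```python
# Constructed sample audit trail (hypothetical format, one event per line):
# timestamp,db_user,client_program,statement
SAMPLE_AUDIT = """\
2008-03-03T09:12:01,app_billing,billing-svc,SELECT * FROM invoices WHERE id = 1041
2008-03-03T09:12:07,app_billing,billing-svc,UPDATE invoices SET paid = 1 WHERE id = 1041
2008-03-03T22:47:30,jdoe,spreadsheet-odbc,SELECT * FROM customers
2008-03-04T23:05:12,jdoe,sqlcli,GRANT SELECT ON payroll TO jdoe
2008-03-05T09:30:44,app_hr,hr-portal,SELECT name FROM employees WHERE id = 7
"""

# Assumption: the one or two applications expected to touch this database.
ALLOWED_PROGRAMS = {"billing-svc", "hr-portal"}
# Statements that change who can access what.
PRIVILEGE_VERBS = ("GRANT", "REVOKE", "ALTER USER", "CREATE USER")


def review_audit(text, allowed=ALLOWED_PROGRAMS):
    """Return (timestamp, user, reason) findings for an analyst to triage."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first three commas only; SQL text may contain commas.
        parts = [p.strip() for p in line.split(",", 3)]
        if len(parts) != 4:
            # Report malformed lines instead of silently dropping them.
            findings.append(("?", "?", "unparseable audit line"))
            continue
        ts, user, program, statement = parts
        if program not in allowed:
            findings.append((ts, user, "unexpected client program: " + program))
        if statement.upper().startswith(PRIVILEGE_VERBS):
            findings.append((ts, user, "privilege change: " + statement))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review_audit(SAMPLE_AUDIT):
        print(ts, user, reason)
```

On the sample, the two after-hours sessions from programs outside the allow-list and the self-granted payroll access are reported, while the routine application traffic is not.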

Forceful Figures

Learning the details from reports on insider breaches is useful, but companies still have to use technical support, Paul Henry, vice president of technology evangelism at Secure Computing, told TechNewsWorld.

According to the CSI/FBI security survey, 86 percent of data breachers discovered on the job worked in technical positions, and 38 percent had jobs as system administrators.

“This is why companies need technical support to monitor for breaching attempts,” Henry said.

Other disclosures from government reports on insider data breaches revealed that 80 percent of insider thieves showed negative behavior before committing a breach. Ninety-two percent had negative work evaluations. Fifty-nine percent were former employees or contractors, he said.
