Insider Threat Rises, Info Security Officers Say
Banks are far more susceptible to insider security threats than they were two years ago, a survey released Tuesday has found.
It's not that banks are hiring crooks. The problem is that insiders (employees with privileged access to information, such as IT and security staff and C-level executives) have become prime targets for cybercriminals. Much fraud is being perpetrated in the name of insiders whose identity and access to networks and sensitive documents have been socially engineered.
The survey of 707 data security executives at Fortune 1000 firms was conducted by Enterprise Strategy Group. About a quarter of the respondents work in financial services.
"Fifty-four percent believe the insider threat is more difficult to deal with than it was two years ago," says Tina Stewart, vice president of marketing for Vormetric, the security software company that sponsored the study. "They feel more vulnerable because the threats are more sophisticated. They're targeting the privileged user because that user has access to all the critical information."
There are two categories of insider threats, according to Sol Cates, chief security officer for Vormetric. "One is the person doing his job, who is supposed to see and interact with data, who is compromised or decides to go rogue," he says. "But the majority of the risk is on the administrator side, the people who set up infrastructure, applications, storage and data. Here it's not necessarily the people that go rogue, it's the fact that the account exists; these functions are the target. Bad actors want to become you."
System and database administrators have too much access to sensitive documents and information, Stewart and Cates argue. "The sys admins just need to add accounts, they're not supposed to see all the information in the document," Stewart says. "Some of these [cybercriminals] are so clever that they come in sideways, they don't log in in normal ways, they're going after servers where all the data is housed. Banks often leave their servers wide open."
Typically fraudsters gain access to these servers through the use of malware or by logging in as a legitimate user. A variant of this method is the advanced persistent threat, in which a fraudster logs in as a user and operates as that user for a long time, working his way through the infrastructure to get to the valuable assets.
Oddly, considering the rise in this perceived security threat, only 39% of respondents in financial services say they feel vulnerable to insider fraud and theft. A majority, 61%, said they're not vulnerable or don't know if they're vulnerable.
"There's still an industry awareness problem of insider threats," Cates comments. "Is it someone at the call center stealing information or cybercriminals going after privileged access?"
About 34% of financial services respondents said insider threats are harder to detect than they were two years ago.
The first perceived insider threat, among survey respondents, was employees with legitimate access to networks, accounts and documents going rogue. The second was contractors and partners. "Snowden has opened up awareness in the industry," says Cates. "Should a system administrator or network manager be able to see financials, HR documents or transactions to do their job? We warrant they shouldn't. There are ways to take access away while leaving them the ability to do their job." Vormetric offers a "data firewall" of sorts that blinds the contents of documents, databases and email to the IT staff while providing them with the metadata to do what they need to do (backups, patches, etc.).
Asked about their security budgets for fighting insider fraud, 53% of respondents said it would be increasing. However, much of this will be perimeter security rather than techniques such as encryption. "It's keeping the rats out rather than protecting the cheese," says Cates.