Insider Threats – The Human Firewall
- 25 August, 2016 00:37
As security professionals, we spend a lot of time focussing on external threats. Mega-breaches such as Target and Ashley Madison put the spotlight on threat actors seeking to steal and cause mayhem. But the actions of our own staff, whether intentional or not, is a significant issue.
According to recent research by Mimecast, 40% of businesses say they are ill-equipped to cope with the threat of malicious insiders and more than 90% say malicious insiders a major threat to the organisations’ security. But just 12% of security decision makers view malicious insiders as their number one threat. And that threat often starts in our inboxes.
Ed Jennings, Mimecast’s COO, says “Email security is about protecting individuals that get duped into clicking a link, an attachment”.
A significant element of securing against these kinds of threats, perhaps be exemplified by the rising tide of ransomware attacks we see in Australia, is not just educating users through training programs but actively intervening when they click on links or open attachments.
Mimecast is addressing this through a recently announced partnership with PhishMe. When users click on a potentially dangerous link, a pop-up appears, bringing the potentially dangerous activity to their attention. This also delivers metrics to admins so they can focus attention on helping users who are either being specifically targeted through spear-phishing campaigns or who are particularly vulnerable to these kinds of attacks.
Part of the challenge, says Jennings, is the sheer volume of email people receive and that they often read them on mobile devices, scanning quickly and clicking links.
“There is no way security is a system-alone endeavour,” says Jennings.
Part of the reason attackers are increasing their effectiveness is the widespread availability of personal information. Jennings noted that a recent demonstration at BlackHat in Las Vegas showed how data collected in real-time during a presentation could be used to create highly personalised attacks. Information about an executive was found on a company website. A social media search of that executive revealed the name of their administrative assistant and some other personal information. A domain was registered during the demonstration, that bore a strong resemblance to the company’s actual domain, and used to send a carefully crafted email to the assistant purporting to be from the executive.
“This is why we like the word ‘resilience’. It’s not about pure defence. This stuff will happen because there’s always a human in the loop. And we’ll make a mistake or won’t pay attention. You will get breached. It’s a matter of how quickly you can get up and how much damage was done,” says Jennings.
When it comes to inside threats, it goes beyond traditional threat actors, personified by the likes of Edward Snowden. Jennings says there’s another issue to consider.
“We also see systems that are owned. With some consumer brands, they [threat actors] get control of an email system and start blasting messages from that system. Global brands are terrified of someone taking over an email exchange and manipulating it for their own purpose”.
One of the defensive measures many companies have taken is the use of DLP, or data loss prevention, tools.
“The challenge is,” says Jennings, “they require a lot of effort, and tweaking, documents need to be categorised and classified. It’s a hard thing to do at scale and be diligent about”.
This is where machine learning and artificial intelligence can be used. Rather than looking for specific data being exfiltrated, you look for patterns of movement, such as messages being sent to private email accounts. So, unlike the traditional approach of looking at message content, the analysis is done on network traffic and user behaviour.
“We’re looking at the pattern of the traffic itself, not what is in the material being exchanged,” says Jennings.
In order for security to be effective it needs to avoid “compliance friction” says Jennings. Whenever a security measure impedes a user, they find ways around it. So, finding ways to work with users is critical. This is why sandboxing techniques, that execute files in safe environments are unpopular with users.
Jennings says analysis of what people actually do with attachments reveals in over 80% of cases, people just want to view file contents, rather than actually launch them for editing. So, by making it easier for users to view content, you can reduce the security risk as far fewer files are actually executed.
Users need to be seen as both a potential point of vulnerability but also as an important security asset. They can, given the opportunity and education, help secure your company’s precious data.
