Companies are increasingly forced to spend thousands of dollars on cybersecurity systems to keep outside hackers from getting in. But what happens when the threat comes from the inside?
Attacks from inside your own network are becoming more and more common now that incredibly valuable information is being kept digitally. Yahoo is the most recent example of a company that had to learn this lesson the hard way.
On Monday, as reported by ZDNet, former Yahoo engineer Reyes Daniel Ruiz pleaded guilty to hacking into the accounts of 6,000 Yahoo users in search of private sexual images and videos. He used his access to Yahoo’s internal network to download images and video from mostly young women.
“Insider threats are some of the biggest threats we face. When it’s a pure insider like this, it’s very difficult to stop and identify because you trust your employees. It’s even harder because a systems engineer or administrator might also know what you’re looking for or how to go under the radar,” said Etay Maor, chief security officer for threat intelligence firm IntSights.
“I feel for the security team that had to find something like this because when you’re looking at a systems engineer or administrator, finding anomalies is the definition of what those accounts usually do.”
Companies need to better protect themselves from such threats. Security experts home in on five things companies can do to try to protect themselves from insider threats.
1. Vet and train your employees
The Yahoo attack highlighted how difficult it can be for companies to protect themselves from insider threats. As a reliability engineer for the company’s Yahoo! Mail service, Ruiz had wide-ranging access and used it to gain access to even more accounts with other services.
While it is difficult to know what someone will do after they’re hired, security analysts said companies had to make sure to vet their employees before giving them the kind of administrative access that Ruiz had.
“There may not be any indicators of things like this but at the end of the day, every company will have computer information systems administrators and engineers that have access to a lot of different things,” Maor said.
“As a business you don’t really have a choice, so you really have to trust your employees will not take advantage of the power they have to do things like this.”
Companies also have to do a better job of training all of their employees in basic cybersecurity measures. Now that most systems have moved online, everyone at a company is now a digital access point for hackers to use as a way to get in.
Having sophisticated security teams is not enough to protect a company with thousands of employees. Everyone has to regularly change passwords and have a basic understanding of how to avoid certain threats.
“Security is always a people problem,” said Mike Matchett, an IT industry analyst at Small World Big Data.
“Despite widely publicized breaches like this, companies would still be well advised to offer staff training on not just use of corporate computing resources, but also the dangers inherent in personal use of the internet. This could include direct training on such topics as proper password management in both personal and corporate services, and the risks inherent in public and third party service usage.”
Matchett added that companies should even consider providing security services for the personal devices of employees at work and at home.
Enterprises could also provide password managers, ransomware/backup protections and other third party security services for not just work related resources, but all of an employee’s digital experiences.
2. Have anomaly detection systems
In order to protect data and customer information, companies need to have sophisticated anomaly detection systems, according to multiple analysts.
These kinds of systems help with both external and internal attacks, flagging the kind of behavior that would indicate someone is up to something nefarious.
Matchett said there are SIEM-related machine learning solutions emerging in the market that are able to learn normal data access behaviors and patterns, and use those to spot and identify abnormal usage.
“Of course using these effectively requires active security implementation and operations,” he said.
“It’s one thing when someone ‘accidentally’ visits a NSFW website at work, but quite another when an administrator is, with some diligence, accessing and reading thousands of personal email accounts.”
But Maor said these kinds of anomaly detection systems can be difficult to manage, especially when system administrators and engineers are supposed to be doing the kinds of things that would set alarms off.
People in these kinds of IT roles also know the ins and outs of a system, giving them ample opportunity to learn the weaknesses of a system before exploiting it like Ruiz did with Yahoo.
“If you raise an alert every time an administrator logs in at 2 a.m. because there’s some alert, or every time they touch different parts of the network, you’re gonna get false positives out the roof,” Maor said.
“It’s easy to say to use these systems but it’s hard sometimes. If somebody from finance is logging in at 3 a.m. and is going into source code servers, that’s obviously an anomaly. But when it’s an administrator or engineer, anomalies are the definition of what those accounts usually do. You usually have somebody who will go on at weird times or download and upload large amounts of data from your network. That’s what system administrators do.”
Maor added that it was puzzling that Ruiz even had access, or the ability to gain access, to Yahoo email accounts. The mere attempt to read and download content from emails should have raised red flags and alerted other Yahoo administrators that there was a problem.
3. Isolate administrators
A number of security analysts echoed Maor’s comments, saying it was key to isolate administrators and put restrictions on what parts of the system they can freely access.
In the case of Yahoo, Ruiz should never have been able to access and download as much content as he did without setting off some kinds of alarms.
Ray Walsh, data privacy advocate at ProPrivacy.com, said big companies like Yahoo needed to do a better job of siloing administrators and putting checks on certain functions within a network.
“This case highlights the need for firms to work harder to properly secure user content on their servers in such a way that it is not accessible even to employees who have been granted privileges within those systems,” Walsh said.
“For consumers, this is a stark reminder of the need to use end-to-end encryption on any emails or messages that contain sensitive information, images, or videos. Consumers need to remember that any emails or messages sent without end-to-end encryption are potentially accessible by employees at those services.”
Walsh added that whenever messages or emails are stored in the cloud using server-side encryption, it is possible that a hacker or company insider could break into those accounts, especially because the provider holds the master key.
Matchett told TechRepublic there were concrete security solutions that could isolate root administrator actions and provide full access rules as well as auditing capabilities for specific roles.
“If there is no policy preventing QA engineers from accessing production accounts, at some point they will,” he said.
Maor made similar suggestions but said that like the others, this was not infallible. Any system administrator or engineer would be able to figure out ways around a siloed system after a few months or years working within it.
The key for companies like Yahoo was to figure out where the main threats in their system could come from, according to Maor.
“You’re talking about an insider who can probably game the system if they really want to. Where was the access to the accounts performed? Even though you’re an employee of the company, you should not have access to private information like that. I’m sure Yahoo engineers are not allowed to read user emails,” he said.
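The two points above, that routine administrator activity should not trip alarms while any attempt to read user content should, and that user content should be off limits even to privileged roles, can be expressed as one policy check that also drives alerting. The following is an added example, not code from the article or from any of the companies quoted; the role names, action names, target-naming convention and audit log lines are all constructed for the illustration.

```python
# Added example: a least-privilege gate over (role, action, target class), plus a
# detector that runs it over constructed audit events. Everything here (roles,
# actions, target naming, sample log) is an assumption made for the illustration.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


def target_class(target: str) -> str:
    """Classify a target by naming convention (assumed convention for this example)."""
    if target.endswith("@example.com"):
        return "mailbox"
    for prefix, cls in (("src-git", "source"), ("bastion", "infra"),
                        ("backup", "infra"), ("ledger", "finance")):
        if target.startswith(prefix):
            return cls
    return "unknown"


# Explicit grants per role: (action, target class). A mail administrator may log
# in at any hour and move large volumes of data on infrastructure; that is the
# job, so it is not alerted on. Nobody is granted access to mailbox content.
POLICY: dict = {
    "mail_admin": {("login", "infra"), ("restart_service", "infra"),
                   ("bulk_transfer", "infra"), ("view_metadata", "mailbox")},
    "finance": {("login", "finance"), ("view_ledger", "finance")},
    "qa_engineer": {("login", "infra"), ("run_tests", "infra")},
}

# Actions that expose user content are denied for every role, privileged or not.
CONTENT_ACTIONS: Set[str] = {"read_mailbox", "export_mailbox"}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    role: str
    action: str
    target: str


def is_permitted(role: str, action: str, target: str) -> bool:
    """Allow an action only when explicitly granted; content reads are never granted."""
    if action in CONTENT_ACTIONS:
        return False
    grants: Set[Tuple[str, str]] = POLICY.get(role, set())
    return (action, target_class(target)) in grants


def detect(events: Iterable[AuditEvent]) -> List[str]:
    """Alert on policy violations only, not on odd hours or data volume.

    An admin's 2 a.m. login or large transfer stays quiet; a content read by
    anyone, or a finance user reaching a source server, is alerted.
    """
    alerts = []
    for ev in events:
        if not is_permitted(ev.role, ev.action, ev.target):
            alerts.append(f"{ev.ts} {ev.user} ({ev.role}) attempted "
                          f"{ev.action} on {ev.target}")
    return alerts


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit line of the form 'ts user role action target'."""
    ts, user, role, action, target = line.split()
    return AuditEvent(ts, user, role, action, target)


# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2019-09-30T02:13:00Z alice mail_admin login bastion01
2019-09-30T02:15:00Z alice mail_admin bulk_transfer backup-volume-7
2019-09-30T02:40:00Z alice mail_admin read_mailbox user-00001@example.com
2019-09-30T03:02:00Z bob finance login src-git-01
2019-09-30T03:03:00Z bob finance view_ledger ledger-db-01
2019-09-30T09:10:00Z carol qa_engineer export_mailbox user-00002@example.com
"""


def run_detection() -> List[str]:
    """Parse the sample log and return the alerts it produces (three expected)."""
    events = [parse_line(line) for line in SAMPLE_LOG.strip().splitlines()]
    return detect(events)


if __name__ == "__main__":
    for alert in run_detection():
        print("ALERT:", alert)
```

The design choice is that the alert condition is the policy decision itself rather than a behavioural threshold: the administrator's night-time login and bulk transfer are within grant and produce nothing, while the single `read_mailbox` attempt is alerted regardless of how ordinary the rest of the account's activity looks. In a real deployment the same `is_permitted` check would sit in front of the content API so the attempt is refused as well as logged.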
4. Add extra steps to everything
Restricting administrators and engineers can often be difficult for companies because it limits their IT department’s ability to do their job. System administrators need full access in order to protect the company from outside threats, but this kind of power can be easily abused.
Security expert Kayne McGladrey, who serves as director of security and IT at Pensar Development and is a member of the Institute of Electrical and Electronics Engineers, said companies need to add extra steps to everything.
“The company could choose to add friction, whether it’s multi-factor authentication or an email link just to put a little additional scrutiny and raise the bar so it is materially more difficult for threat actors who have obtained someone’s credentials to be able to reuse those,” he said.
“The benefit of this strategy is that it applies universally. All of the automated attacks these days around credential stuffing and credential spraying do what the Yahoo hacker had done on a much larger scale. They get compromised credentials and test them across a whole bunch of websites using a distributed botnet.”
Matchett added that this was why some companies opted to hire outside entities to manage their security systems, removing any chance that a disgruntled employee would have the ability to access systems undetected. But this was just as rife with similar concerns, Matchett said.
“Theoretically, a service provider’s super-admins are not going to be subject to the same issues that can arise from internal challenges like layoffs, personal issues, re-assignments and personality conflicts,” he said.
“However, a service provider administrative role has far greater opportunity for bad behavior and offers great potential for systemic abuse. The bigger the pie, the greater the temptation.”
5. Have an incident response plan
The unfortunate reality for most companies of a certain size is that they will undoubtedly face a cybersecurity problem at some point in the future. McGladrey said it was essential for companies to have a detailed incident response plan that spells out what to do in the event of a hack.
After an attack, it is important for companies to involve technical departments as well as legal, insurance and communications teams in order to address a situation holistically, according to McGladrey.
“If it’s a well-crafted incident response plan, it will include things like doing analysis to check in to see the severity and scope of the attack, and then convening a meeting with people who have expertise in legal, insurance and crisis communications,” McGladrey said.
“It can’t just be a technical response but a full organizational response because, as we’ve seen with these little technical leaks, you can’t just focus on the thing that’s in front of you. You have to go and find out if the threat actor moved laterally, if they compromised anything else.”
Before addressing containment, companies have to coordinate with their legal teams and have a statement about the hack ready so they can control the narrative in some way.
Otherwise, the company ends up with a PR disaster on top of a technological one. It is also important to coordinate with legal teams in case the hack is considered criminal and warrants the involvement of federal, state or local authorities.
If the authorities get involved, they bring with them certain expectations about how evidence is handled. According to McGladrey, legal teams need to lead the way in terms of public statements and dealing with law enforcement.
“As an industry, we’re getting better about taking this kind of holistic approach, if only because the consequences of not involving your insurance or legal teams early on have resulted in very bad days for companies that have had that type of event,” McGladrey said.