Hacking Pros Don’t Trust The Internet

As the number of reported data breaches continues to blitz US companies, over 6 million records exposed already this year, according to the Identity Theft Resource Center, IT budgets are ballooning to combat what corporations see as their greatest threat: faceless, sophisticated hackers from an outside entity.

But in reality, a bigger danger to many companies and to customers' sensitive data comes from seemingly benign faces inside the same companies that are trying to keep hackers out: a loan officer tasked with handling customers' e-mail, an attendant at a nursing home, a unit coordinator for the main operating room at a well-regarded city hospital.

According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents, any event that compromises the confidentiality, integrity or availability of an information asset, are caused by people inside an organization. And while 30 percent of all cases are due to worker negligence like delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data, roughly 20 percent are considered insider misuse events, where employees could be stealing and/or profiting from company-owned or protected information.

Often, that translates to employees on the front lines stealing patient medical data or client social security numbers, which can then be sold on the black market or used to commit fraud like collecting someone else's social security benefits, opening new credit card accounts in another's name, or applying for health insurance by assuming the identity of someone else.

"The Insider Misuse pattern shines a light on those in whom an organization has already placed trust," Verizon said in the report. "They are inside the perimeter defenses and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose. Sadly, that's not always the way things work."

For the first time since 2011, Verizon found that it's not cashiers involved with most insider attacks, but many "insider" end users, essentially anyone at a company other than an executive, manager, finance worker, developer or system administrator, carrying out the majority of such acts. Most are motivated by greed.

"Criminals have a different motivating factor," said Eva Velasquez, CEO and president of Identity Theft Resource Center, a non-profit charity that supports victims of identity theft. "There are a number of jobs that pay minimum wage where individuals have access to this type of information, and so the incentive may be 'this isn't a job that is paying me enough to support myself.'"

Velasquez cites workers in an assisted living facility tasked with caring for patients, a job in close proximity to medical records that can be accessed by a few keyboard taps. According to the Bureau of Labor Statistics, such healthcare support occupations see mean annual wages hovering around $25,000, a salary that might make workers more vulnerable to stealing for self-gain. Or, maybe worse, they fall prey to acting as a conduit for some type of organized crime ring looking to make big money by selling or manipulating stolen personal data.

In one recent cases a Baltimore man is facing federal charges of identity theft and bank fraud after he used personal information of at least three nursing home residents to open multiple credit card accounts without their permission. 

A former employee of Tufts Health Plan pleaded guilty to stealing names, birth dates and social security numbers that were eventually used to collect social security benefits and fraudulent income tax refunds. A former assistant clerk at Montefiore Medical Center in New York who was indicted in June 2015 for printing thousands of patients' records daily and selling them. The information in the records was eventually used to open department store credit cards at places like Barneys New York and Bergdorf Goodman; the alleged actions are estimated to have caused more than $50,000 in fraud, according to the New York County District Attorney's Office.

While the number of breaches and hacks by outsiders has skyrocketed since 2007 in tandem with the surging digitization of information, the occurrence of insider jobs can be a read on the overall economy. It tends to peak during recessions and drop off when times are good, according to the Identity Theft Resource Center. In 2009, the percentage of insider attacks hit a high of roughly 17 percent; after a three-year slide, the amount today (about 10 percent) is slowly creeping back up.

"When the economy isn't doing well, you'll see people that are feeling stressed and taking advantage of opportunities they might not take advantage of otherwise," said attorney James Goodnow from the Lamber Goodnow team at law firm Fennemore Craig.

With the defining characteristic of an internal breach being privilege abuse — employees exploiting the access to data that they've been entrusted with — the best way to mitigate such attacks is to limit the amount of information allotted to workers. 

"As business processes have started to rely more on information and IT, the temptation, the desire is to give people access to everything [because] we don't want to create any friction for users to do their jobs," said Robert Sadowski, director of marketing and technology solutions at security firm RSA.

Terry Kurzynski, senior partner at security firm Halock Security Labs, said that smart entities perform enterprise-wide risk assessments to find where their systems are most vulnerable and to spot aberrations in user behavior.

But sophisticated analytics does little to assuage situations where employees are using low-tech methods to capture information. "Most systems will not handle the single bank employee just writing down on paper all the bank numbers they see that day, that's difficult to track," said Guy Peer, a co-founder of security firm Dyadic Security.

Clay Calvert, director of cybersecurity at IT firm MetroStar Systems, said communication with employees in a position to turn rogue is key. "That's a big deterrent in identity theft cases; if an employee feels like the company cares for them, they're less likely to take advantage of the situation."

Hackers hiding in plain sight

Preventing the display of sensitive data in plain sight — say an employee seeing a confidential record as they walk by a colleague's computer — is the focus of Kate Borten, founder of Marblehead Group consultancy and a member of the Visual Privacy Advisory Council. She recommends companies institute a clean desk policy (ensuring that workers file away papers containing customer data before they leave their desk), implement inactivity time outs for any tech devices, and switch to an e-faxing system, which eliminates the exposure of sensitive patient data on paper that's piled up around traditional fax machines.

Experts also say that tougher penalties for and more prosecution of inside hackers would also be a disincentive for such crimes. "On a general level, there can be practical barriers to pursuit of a criminal case, such as the victim company's fear of embarrassment, reputational damage, or the perceived risk, real or not, that their trade secrets will be exposed in a court proceeding," said Brooke French, shareholder at law firm Carlton Fields.

But she added, "The DOJ and local authorities prosecute these cases all the time, despite what are seen as common barriers. The barriers are low when the actions are clearly wrong, such as a hospital employee stealing electronic medical records and selling them on the black market."

While the price tag for stolen information on the black market can translate to a lucrative sales career for some crooked employees, it's a costly phenomenon for organizations once they have realized it has occurred, which is often "during forensic examination of user devices after individuals left a company," said Verizon.

That's usually too late to enact damage control. According to the Ponemon Institute, the average cost of a breach is $217 per record.

"That's just the hard costs, what you have to pay for notifying customers or any type of remediation services," said Velasquez. "The bigger, broader cost is the reputational damage that shows itself not just to the entity that suffers the damage, but to the industry."

CNBC

« China’s Cyber War Capabilities Alarm The Neighbours
Germany's Intelligence Chief Accuses Russia of Cyber Warfare »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

RIVA Solutions

RIVA Solutions

RIVA provides innovative best practices in IT and management consulting, program support services and emerging technologies.

Zerto

Zerto

Zerto provides enterprise-class disaster recovery and business continuity software specifically for virtualized data centers and cloud environments.

Zentera Systems

Zentera Systems

Zentera's CoIP (Cloud over IP) solution offers enterprise-grade networking and security for the emerging cloud ecosystem.

Kernelios

Kernelios

Kernelios is a simulator-based training center and an incubator for cyber experts worldwide.

National Cyber Security Directorate (DNSC) - Romania

National Cyber Security Directorate (DNSC) - Romania

DNSC (formerly CERT-RO) is the Romanian national cyber security and incident response team.

FixMeStick

FixMeStick

FixMeStick is a virus removal device, a USB key that removes malware conventional antivirus software often can’t detect.

Destel

Destel

Destel is a system integrator and provider of IT services focused on Advanced Network & Security Solutions.

SYSGO

SYSGO

SYSGO is the leading European provider of real-time operating systems for critical embedded applications in the Internet of Things (IoT).

Robert Walters

Robert Walters

Robert Walters is one of the world's leading global specialist professional recruitment and recruitment process outsourcing consultancies.

OSIbeyond

OSIbeyond

OSIbeyond provides comprehensive Managed IT Services to organizations in the Washington D.C., MD, and VA area including IT Help Desk Support, Cloud Solutions, Cybersecurity, and Technology Strategy.

Cirosec

Cirosec

Cirosec is a specialized company with a focus on information security. We carry out pentests & audits and advise our customers in the German-speaking countries on information and IT security issues.

Alacrinet

Alacrinet

Alacrinet is an IT and cyber security consultancy. From penetration testing to fully managed MSSP, our team is focused on knowing the latest threats, preventing vulnerabilities, and providing value.

Moss Adams

Moss Adams

Moss Adams is a fully integrated professional services firm dedicated to assisting clients with growing, managing, and protecting prosperity.

Secure Diversity

Secure Diversity

Secure Diversity is an innovative non-profit organization with leaders that think out of the box to create strategies & solutions to increase diversity in the cybersecurity industry.

Eden Data

Eden Data

Eden Data is on a mission to break the outdated mold of traditional cybersecurity consulting. We handle all of your security, compliance & data privacy needs.

CSIRT-Gnd

CSIRT-Gnd

CSIRT-Gnd provides 24x7 Computer Security Incident Response Services to citizens, companies and government agencies in Grenada.