Tag Archives: insider threat

How To Know When It’s Time To Upgrade Your Data Loss Prevention Strategy

Tactics that involve prevention and protection always need constant upgrading, changing and reworking. As technology changes and people find new workarounds, so too do you need to keep finding new ways to upgrade your data loss prevention strategy. Obviously, this can be quite time-consuming and costly, particularly for small to medium enterprises, so a sensible approach is to consider when and why you should be looking to improve your data loss prevention (DLP) strategy. This knowledge will allow you to prioritise your company’s resources effectively to help protect against breaches.

Know the culprit
While much of the attention about data loss points to outside threats from cyber-attackers, it’s estimated that more than 40% of all data breaches occur internally. These can be intentional, but they can also be due to nothing more than a careless click of the mouse. Being aware of how your data could be lost is the first step to upgrading your strategy.

Assess your sensitive information
It’s not entirely realistic for a small or medium sized company to have a mammoth DLP strategy that protects all of the company’s information to a very high level. Nor do most companies want that as it often comes with an increased level of administration that would significantly decrease an employer’s output, were it to be applied to every file in the company.

So, assessing the files that your company has is crucial to knowing when to upgrade your DLP strategy. The easiest way to do this is to look at the worst-case scenario for each set of files that your company has. If someone were to accidentally send a file to the wrong person, or maliciously release it to the public, what would the ramifications be for your company, both financially and in terms of reputation?

Then, qualify your data files into groups – high risk, medium risk and low risk. Most companies with internet security and data loss protection strategies will have all-encompassing security that includes all files, even those low risk. It’s the high risk and, to a lesser extent, the medium risk files that you need to have a strong DLP plan around.

It’s also worth being mindful of whether the strategy covers new files that are created. Is there a process that qualifies this data into the ‘risk buckets’ mentioned above? Your DLP strategy is only as good as how it’s being implemented. If you find that there are gaps when you go through the process yourself, it’s time to look at an upgrade.

Accepting technological change
It can be difficult for companies that have invested a great deal in a solution to consider making significant changes to it. Often there are stakeholders or other parties who may not realise the necessity of doing this, and so the cause also has to be justified.

However, one of the biggest weaknesses of all DLP strategies is that they are reactive. They constantly have to be told what to look for – the kinds of encryptions and data formats, for instance. As we all know, technology is changing and progressing at an unprecedented rate. Because of this, those encryptions and formats are constantly changing and therefore an effective DLP strategy should be updated accordingly.

So, when? Well, the answer is constantly, but the good news is that there are plenty of affordable technology solutions that can fill the gaps in your DLP strategy, rather than completely reworking the entire thing – an unnecessary exercise. Software such as classification software can help to combat the issue above and only serves to strengthen your DLP strategy in a cost-effective way.

Although it would be nice to have a set of rules in place to know exactly when to upgrade your DLP strategy, such a set of rules would be unrealistic and not flexible enough to take into account all of the changing variables. Instead, an approach that involves a full assessment, qualification and reworking is best when considering an upgrade.

When You Should Switch To Biometrics For Data Protection

Once the territory of sci-fi films and fiction, these days biometrics are a part of everyday technology. This kind of smart technology is all about using sophisticated means to identify an individual. This is especially relevant for data protection within companies, as it can help prevent the loss of data by more effectively assigning highly classified data to a specific individual. This individual can then only access the data using biological characteristics unique to them. What we’ll outline today is what exactly biometrics is, how it works, and when it is relevant to assist with data loss protection, particularly for small businesses.

What is biometrics?
Biometric verification is the use of biological traits to verify an individual’s identity. These traits can be both visible and invisible to the eye. Traits that are visible include things such as a fingerprint, retina or iris size, earlobe shape, and even things such as a person’s posture or the way they carry themselves. Less visible traits include things such as a heartbeat, voice waves, and DNA.

How does it apply to data protection?
Particularly with the advent of cloud-based computing and remote working, biometrics can help ensure that end-point devices stay secure. Mobile devices, such as laptops and phones, are often the devices from which data is lost by insiders, either by accident or through malicious intent.

Biometric verification ensures that sensitive information can only be accessed by individuals of your choosing. This instills a greater sense of responsibility in those individuals to safeguard classified information, and also creates a disincentive to releasing the data maliciously. If the files are only handled by a certain number of people who can be biologically identified and therefore caught, it’s much less likely that they would release that data intentionally.

When should you apply it?
Biometrics already exist in many mobile devices, such as smartphones and laptops. This means that generalized biometric technology can be implemented across the board by making smart decisions when upgrading these items as part of your business inventory. By integrating standardized biometrics as part of your data loss protection strategy, you can help to protect against data loss, particularly from those who work remotely, but also across the board.

Most companies will have a series of files that are highly classified. Whether these contain sensitive personal information or the company’s intellectual property, it is imperative to create much stronger incentives and disincentives against the accidental and malicious release of these files. A good way of beginning to integrate biometric verification is to start with these files only. Unless you’re a large multinational, it’s unrealistic to think that you’ll be able to fully integrate highly sophisticated technology across the board. Instead, focus on ensuring that technology goes towards protecting the highly sensitive information that only some individuals have access to.

It’s clear that the days of the password as the only method for authentication and verification are numbered. In order to help ensure full protection against data loss, particularly internal threats, integrating biometric technology is the way of the future. If you’re an SMB or SME, the best way to think about biometric integration is by directing the resource and budget you have put aside for it towards protecting the files that are most highly sensitive, or would have the most negative impact if they were internally released. That way, you can start to test methods of using the technology that work for when the technology becomes cheaper and easier to implement across the board.


Major Insider Data Breaches in Government Sector in 2015-16

In our last post, we talked about insider threats being faced by government organizations.

Today, we are sharing examples of data loss incidents that have affected the government sector because of insiders. Though sporadic in nature, they give a deeper insight into how vulnerable the government is.

  • In June 2016, The Washington State Liquor and Cannabis Board stated that the personal information of marijuana license applicants was released in response to a public record request. The exposed information included social security numbers, tax and financial information, attorney-client privileged information for an unknown number of records. The License Control Board had accidentally sent in the PII along with the requested information.
  • Virginia State Corporation Commission suspects that a former contractor made copies of PII for an unknown number of people whose license had either expired or lapsed between 1979 and 2004. This came into light in June 2016.
  • In April 2016, the FDIC, Washington, DC notified that 44,000 records of customers were exposed when an authorized employee unknowingly downloaded the classified information of affected people on a personal portable device. When the breach was detected, the employee was contacted, who immediately returned the device and signed an affidavit stating that the information was not used for any purpose.
  • In February 2016, Washington State Health Care Authority (HCA) notified that 91,000 records of Apple Health (Medicaid) clients were accessed without proper authorization by an employee. Social security numbers, dates of birth, Apple Health client ID numbers and private health information were passed to another state agency’s employee. After an internal investigation, it was established that the classified information did not get beyond these two employees, but as a precaution, free year-long credit monitoring has been offered to the affected people. Both employees have been fired since the incident happened.
  • County of San Diego confirmed in January 2016 that the classified records of all employees were sent to Wells Fargo, as opposed to only the records of those who were set up for health savings accounts (HSAs). Consequently, the bank set up HSAs for all the employees. The county and Wells Fargo are working together to delete the unwanted records. Free year-long credit monitoring has been offered to the affected people. The breach is being deemed an accidental error due to incorrect program code for data transfer by Hewlett-Packard Enterprise Services.
  • In October 2015, the Vacaville Housing Authority (VHA) notified affected individuals that one of their employees unintentionally sent an email to a person with an attachment containing their names and social security numbers. The receiver immediately informed VHA about the lapse and they deleted the email from the person’s computer. As a precaution, VHA has offered free credit monitoring service to affected customers for 12 months.

A 2016 U.S. Government Cybersecurity Report by SecurityScorecard reported the following:

  • Government sector has the lowest security score as compared to retail, transportation, healthcare and other sectors
  • NASA is at the bottom of 600 government organizations, followed by US Department of State, IT systems of Connecticut, Pennsylvania, and Washington.
  • Three areas where government organizations struggle with security are – Malware Infections, Network Security and Software Patching

While government organizations are enhancing their cyber security strategies, there are still many risks that they need to address. A holistic view of their strengths and weaknesses will enable them to implement the right solution and take proactive measures aimed at addressing the risks posed by internal threats.

Proactive Measures Go a Long Way in Timely Prevention of Data Loss

The challenges of preventing data loss are tremendous, but it is imperative to improve our methods to mitigate and avert the theft of sensitive data by an insider. With technological advancement, vulnerabilities to sensitive data are on the rise. Therefore, one has to come up with efficient and effective solutions to stop data loss. With increasing incidents of data breaches, it is even more essential to adopt the latest solutions and methods for data loss prevention.

Data loss prevention (DLP) solutions are essentially automated controls that protect sensitive data at rest, in transit and in use. Just like any other loss mitigation solution, an effective DLP solution considers the what, where and how of data sets to determine what access controls need to be in place and how.

Determining What Data Needs to be Protected

Classification of data is compulsory in order to correctly deploy the solution and thwart the loss. Once classification of data is completed as per the business rules by a team of experts, comprising business process managers, IT managers, legal and compliance specialists, policies can be defined to determine what data is critical and hence needs to be protected. Data classification also helps determine policies on role-based access and how data can be accessed.

Determining Points Where Data Needs to be Protected

The next step is to determine points where sensitive data resides. The access points for data loss are usually the endpoints such as servers, workstations, storage or network access points. Depending on the need either endpoint protection or network protection may be required. In certain instances, both may have to be protected.

Endpoint protection is usually the first level of security that organizations implement to protect sensitive data from leaving the endpoints of a network. With endpoint protection, unauthorized users or devices that do not comply with the security policies are denied access. This prevents the copying, sharing or storing of confidential information, whether accidental or intentional, to a third party outside the organization. Only after credentials are verified is the user allowed to access the data.

End-point security solutions are available in various formats, either piecemeal or as part of a larger solution – but the underlying objective is the same, i.e. to monitor and control the information that is being accessed and eventually take action against any malicious threats.

Zlock – Control Device

Zecurion, a pioneer in DLP products, offers Zlock, which is designed to protect against leaks of confidential information at the end-points of the network. Zlock allows organizations to control the use of devices connected to ports and internal devices – including built-in network cards, modems, Bluetooth, etc. – as well as local and network printers. Using Zlock, a user can make or print copies of only those files that do not contain any sensitive information. With Zlock, administrators can configure access policies for maximum flexibility. Zlock saves a copy of all documents printed or stored on external drives, thus maintaining a solid trail in case any investigation is needed in future.

No Sector Left Behind – Confidential Data Loss Threat Remains High

April 8, 2015 – Zecurion offers deeper insight into selected incidents caused either by accidental or intentional data breaches. With all such incidents, the common elements describing the impact of this growing problem are financial loss, compromised intellectual property and dwindling customer confidence. The graph below shows that the number of data breaches hit a record high of 761 even before the year ended.

[Graph: stats graph for 03302015]

“End users need to be made aware that the threat, posed by an increasing number of data loss incidents every year, is becoming very real and critical. Confidential information is being compromised at all stages of the data lifecycle because of internal as well as external factors. Organizations need to make sure that their endpoints and networks are secure, data is encrypted and data protection is a priority at all stages – at rest, in motion, in storage or in the cloud,” said Alexey Raevsky, CEO, Zecurion.

*The ITRC tracks seven categories of data loss methods: Insider Theft, Hacking, Data on the Move, Subcontractor/Third Party, Employee Error/Negligence, Accidental Web/Internet Exposure, and Physical Theft.

The ITRC tracks four types of compromised information: Social Security number, Credit/Debit Card number, Email/Password/User Name, and Protected Health Information (PHI).

Total records exposed only include records for which a count is available.

Data Breaches Across All Sectors

The excerpts below only provide a glimpse of some of these incidents – the list goes on.


November 2014 – Prince George’s County Public Schools (PGCPS), Maryland, notified around 10,000 individuals of a data breach which occurred when a file containing personal information was included by mistake in a report that was shared internally and with individuals outside the PGCPS network. The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers.

Later, PGCPS suspended the email accounts so the email report could be removed, and PGCPS also offered one year of free credit monitoring services to all impacted individuals.

Source: SC Magazine

November 2014 – The Seattle Public School notified parents about a data breach that involved their children’s information. The breach comprised the information of over 8,000 special education students, which included their names, addresses, student identification numbers, test scores, disabilities, and many more personal details. The school learnt that the law firm retained by the District inadvertently sent personal student information to an individual involved in the case.

The law firm has been removed from the case and the District is trying either to retrieve or destroy the data lost.

Source: Media

August 2014 – The Park Hill School District, Kansas, notified more than 10,000 current/ex-employees and students about a potential data breach. A worker had downloaded staff and students’ personal data from a computer to his hard drive without seeking approval from the district authority. The information was later made available on the internet.

The information included Social Security numbers, student records, personal information and employee evaluations.

The district has planned to upgrade their systems and policies to prevent unauthorized data access and storage to external devices in future.

Source: Media

June 2014 – The Riverside Community College District (RCCD), California, suffered a data breach affecting 35,212 students when an employee mistyped an email address while using a personal email account to send a file, too large for the college email system, to an employee of the college working from home due to illness.

The information contained in the file included names, addresses, birth dates, Social Security numbers, email addresses, student ID numbers, and telephone numbers.

Source: Forbes

Healthcare and Medical Providers

November 2014 – University Hospital, Ohio, informed 692 patients of a data breach involving their personal information by an employee of the hospital. The employee involved had been accessing the personal information of patients for over 3 years. The information accessed included names, addresses, phone numbers, email addresses, medical and health insurance account numbers, financial information including debit/credit card information and Social Security numbers.

The Hospital System is planning to increase the number of audits to reduce such incidents in future, along with providing one year of free credit monitoring and identity theft protection to the patients whose Social Security number has been compromised.

Source: Cleveland.com

October 2014 – A medical assistant was sentenced to three years in prison for using her position in an organization to steal the personal information of patients, including patients’ names, birth dates and Social Security numbers, and later selling it to an individual who used these IDs to file fraudulent tax returns.

The medical assistant sold the personal information of approximately 2,000 people for $1 each.

Source: eSecurity Planet

August 2014 – AltaMed Health, Georgia, notified patients of a data breach by a former temporary employee who had a hard drive potentially containing personal data that could be misused by identity theft rings. About 3,000 patient records were compromised and included names, email addresses, telephone numbers, Social Security numbers, provider information, insurance information, dates of birth, and addresses, of individuals who attended community events in Orange and Los Angeles counties from October 24, 2013 to June 6, 2014.

Source: SC Magazine

August 2014 – CareEvolve Inc, a subsidiary of BioReference Laboratories, Inc., notified 3,334 patients of a data breach which occurred when the organization accidentally exposed a server while reconfiguring a test server, making all the information accessible via the internet. The information exposed included patient names, home addresses, telephone numbers, ages, patient/medical record numbers, clinical tests, collection dates, dates of birth and Social Security numbers.

BioReference is offering free one year of credit monitoring, identity theft protection and other services to anyone whose information may have been exposed.

Source: PHI Privacy

June 2014 – Rady’s Children’s Hospital suffered a data breach when an employee inadvertently sent an email with a confidential file to 6 potential job applicants. The applicants were meant to receive approved information for an internal evaluation whereas they received the original file with the information of 14,100 patients. The file contained information, on the patients admitted to the hospital between Jul 1 2012 and Jun 30 2013, and included names, dates of birth, primary diagnoses, medical records and insurance carrier claim information.

Source: SC Magazine

August 2014 – Memorial Hermann Hospital sent out letters to patients about a data breach by a former employee who had been accessing medical and electronic records of 10,604 patients for 7 years. The data compromised included health insurance information, names, addresses, social security numbers and dates of birth.

Source: Media

Financial and Insurance Services

November 2014 – Anthem Blue Cross, California, sent text emails containing personal details, such as individuals’ health information and demographic information including age, language spoken and specific medical tests received or not received. The email was intended to be a routine check-up email; however, the personal information was placed in the subject line instead of “Routine check-up”.

Blue Cross representative stated that they are still investigating the incident.

Source: Media

October 2014 – An individual working in a bank as a financial service representative stole the bank account details of customers in order to generate fake transfer slips for transferring funds from customers’ accounts to his own account.

The individual allegedly stole $100,806.85 from one customer, and $11,137.01 from another customer for which he has been charged with two counts of bank fraud.

Source: eSecurity Planet


November 2014 – The Texas Health and Human Services department informed individuals that a data breach occurred when Xerox Corporation, at the time of contract termination, did not return computer equipment and paper records containing Medicaid and health information of over 2 million people. The reason for detaining the company’s assets has been attributed to an ongoing dispute between the two parties.

The information included Medicaid clients’ names, birth dates, Medicaid numbers, and medical and billing records related to care provided through Medicaid – reports, diagnosis codes and photographs.

Source: Media

July 2014 – Stanford Federal Credit Union learnt of a data breach affecting 18,000 members when one of its employees accidentally sent the list of members who were pre-approved for loans to an individual with the same name as the employee it was meant for.

The personal information sent included customer names, mailing addresses, member numbers, credit information, loan offers, and tax identification numbers. The Union realized it immediately and removed the list before it could be read by the recipient.

Source: Media

Business – Retail/ Merchant

October 2014 – AT&T informed about 1,600 customers of a data breach by a staff member. The breach involved Social Security numbers, driver’s license numbers and unique customer numbers, i.e. Customer Proprietary Network Information (CPNI). AT&T terminated the employee and personally contacted the affected customers.

Source: Reuters

Suspicious Employee Behavior Holds the Key to Detecting Internal Threat

There are behavioral signs that can help organizations proactively detect insider threat. Reading and understanding employee behavior to identify these simple signs is the key to creating proactive measures that organizations can take to safeguard their intellectual property. What are these signs, and what questions do we need to ask ourselves to understand what constitutes “suspicious” behavior?

The questions organizations need to ask themselves in order to detect these “suspicious” signs are:

  1. Is there any evidence of mass data copying in the file system’s metadata?
  2. Does the system’s registry show insertion of a USB device prior to accessing sensitive files?
  3. Do the link files show that a sensitive file existed on any external media?
  4. Have the files been copied to or from the cloud?
  5. Does the “Internet History” associate the user’s web activity with access to sensitive data?
  6. Do any logs align the timing of user’s remote access to the metadata, showing interaction with sensitive files?
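The following is an added example, not part of the original post, showing how questions 1, 2, 3, 4 and 6 can be asked automatically of endpoint telemetry by correlating a user's events on one timeline. The log format, event kinds, share paths, drive letters and time windows are assumptions made for this illustration, and the log lines are constructed.

```python
"""Correlate constructed endpoint events to answer questions 1, 2, 3, 4 and 6
above. The log format, event kinds, share paths and drive letters are assumptions
made for this illustration, not any product's real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_PREFIXES = ("\\\\fs01\\finance\\", "\\\\fs01\\hr\\")  # assumed sensitive shares
EXTERNAL_DRIVES = ("E:\\", "F:\\")                              # assumed removable drives


def is_sensitive(path):
    return path.lower().startswith(tuple(p.lower() for p in SENSITIVE_PREFIXES))


def on_external(path):
    return path.upper().startswith(EXTERNAL_DRIVES)


def parse(line):
    """One constructed line: '<ISO time> <user> <kind> <path> <dest or ->'."""
    ts, user, kind, path, dest = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind,
            "path": path, "dest": None if dest == "-" else dest}


def by_user(lines):
    """Group parsed events per user, oldest first, so each rule walks one timeline."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse(line)
            groups[e["user"]].append(e)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def triage(lines, copy_threshold=5, copy_window=timedelta(minutes=10),
           usb_window=timedelta(minutes=30), remote_window=timedelta(minutes=60)):
    """Return the affirmative answers keyed by question number (q5 is not modelled)."""
    findings = {"q1": set(), "q2": [], "q3": [], "q4": [], "q6": []}
    for user, evs in by_user(lines).items():
        # Q1: a burst of copy events is the metadata signature of mass copying.
        copies = [e["ts"] for e in evs if e["kind"] == "copy"]
        for i, start in enumerate(copies):
            if sum(1 for t in copies[i:] if t - start <= copy_window) >= copy_threshold:
                findings["q1"].add(user)
                break
        # File names this user touched on sensitive shares, for the link-file check.
        sensitive_names = {e["path"].rsplit("\\", 1)[-1] for e in evs if is_sensitive(e["path"])}
        last_usb = last_remote = None
        for e in evs:
            if e["kind"] == "usb_insert":
                last_usb = e["ts"]
            elif e["kind"] == "remote_login":
                last_remote = e["ts"]
            elif e["kind"] == "lnk" and on_external(e["path"]) \
                    and e["path"].rsplit("\\", 1)[-1] in sensitive_names:
                # Q3: a shortcut target shows a sensitive file sat on removable media.
                findings["q3"].append((user, e["path"]))
            elif e["kind"] == "cloud_upload" and is_sensitive(e["path"]):
                findings["q4"].append((user, e["path"], e["dest"]))   # Q4
            elif e["kind"] in ("open", "copy") and is_sensitive(e["path"]):
                if last_usb and e["ts"] - last_usb <= usb_window:   # Q2
                    findings["q2"].append((user, e["path"]))
                if last_remote and e["ts"] - last_remote <= remote_window:   # Q6
                    findings["q6"].append((user, e["path"]))
    return findings


# Constructed sample log: one suspicious timeline (jdoe) and one benign user (asmith).
LOG = r"""
2016-06-01T08:55:00 jdoe usb_insert USB\VID_0781&PID_5567 -
2016-06-01T09:05:00 jdoe open \\fs01\finance\payroll.xlsx -
2016-06-01T09:06:00 jdoe copy \\fs01\finance\payroll.xlsx E:\payroll.xlsx
2016-06-01T09:06:10 jdoe copy \\fs01\finance\q1.xlsx E:\q1.xlsx
2016-06-01T09:06:20 jdoe copy \\fs01\finance\q2.xlsx E:\q2.xlsx
2016-06-01T09:06:30 jdoe copy \\fs01\finance\q3.xlsx E:\q3.xlsx
2016-06-01T09:06:40 jdoe copy \\fs01\finance\q4.xlsx E:\q4.xlsx
2016-06-01T09:07:00 jdoe lnk E:\payroll.xlsx -
2016-06-01T20:00:00 jdoe remote_login vpn-gw01 -
2016-06-01T20:10:00 jdoe open \\fs01\hr\salaries.docx -
2016-06-01T20:15:00 jdoe cloud_upload \\fs01\hr\salaries.docx dropbox.com
2016-06-01T10:00:00 asmith open \\fs01\public\newsletter.docx -
2016-06-01T10:30:00 asmith copy \\fs01\public\newsletter.docx C:\Users\asmith\Desktop\newsletter.docx
"""

if __name__ == "__main__":
    for question, hits in sorted(triage(LOG.splitlines()).items()):
        print(question, sorted(hits) if isinstance(hits, set) else hits)
```

As the post notes, an affirmative answer is a trigger for investigation rather than proof of a breach, so the findings are meant to feed a review rather than an automatic block.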

While an affirmative answer to these questions does not necessarily mean that a breach has taken place, asking these questions does help organizations in understanding whether or not there is an immediate threat. The questions also help organizations approach data loss as a business initiative so the goals of both business managers and IT managers are aligned. Further, employees can be properly trained on access rights and data protection policies.

H&R Block Manager Steals Tax Customer’s Identities and Refunds

When it comes to data protection and guarding sensitive information from being leaked, most organizations have policies and tools in place designed to defend against malicious outsiders. The reality, though – which is demonstrated time and time again – is that authorized users on the inside pose a much greater threat.

A manager of an H&R Block tax preparation office in California was arrested for stealing the identities of H&R Block clients and filing fraudulent tax returns on their behalf. A post on AccountingToday.com about the incident states, “He prepared bogus tax returns in their names designed to obtain tax refunds and credits, according to prosecutors, and then used H&R Block Emerald Cards to withdraw the fraudulently obtained refunds from automated teller machines.”

You should have tools and policies in place to guard your data against unauthorized access from the outside. But, don’t forget that authorized users are in a position to intentionally steal or compromise data, or inadvertently share or expose it. You need to make sure you have tools in place to monitor and defend against data leaks from the inside as well.

Protecting Sensitive Information from Inside Threats

I had the privilege of joining host Tom D’Auria for the weekly IMI-TechTalk radio show once again this week. The show airs weekly on KFNX AM 1100 out of Phoenix, AZ at 3pm local time. Because Arizona doesn’t play Daylight Savings with the rest of the country, though, that means that half the year it’s on Mountain time and the other half it’s on Pacific time – so for now the show airs at 6pm Eastern / 5pm Central. If you are not in the Phoenix listening area, you can also listen to the show streamed live via the Web.

The topic of discussion this week was Protecting Sensitive Information from Inside Threats. Tom and I talked about the prevailing perception that information security is an ‘us vs. them’ or ‘inside vs. outside’ battle, while the reality is that internal employees pose a much larger threat than malware or malicious attacks from outside. The default security model relies on simple file and folder permissions to determine access rights for sensitive information, but offers no safeguards or protections regarding what the authorized user does with the data once it’s accessed.

Click here to listen to the recorded MP3 of the show: Protecting Sensitive Information from Inside Threats.

Best Practices for Protecting Against Insider Threat

CERT, Carnegie Mellon University Software Engineering Institute’s center for conducting and coordinating information security research, has written the Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1.

In describing the audience for the guide the document notes “Insider threats are influenced by a combination of technical, behavioral, and organizational issues, and must be addressed by policies, procedures, and technologies. Therefore, it is important that management, human resources, information technology, software engineering, legal, security staff, and the “owners” of critical data understand the overall scope of the problem and communicate it to all employees in the organization.”

At 88 pages, the CERT guide is fairly comprehensive. It provides a range of best practices addressing the different aspects noted above – technical, behavioral, and organizational issues – that impact the insider security threat.


IMI-TechTalk – Enemy Within: The Insider Security Threat

This week, Tony Bradley, Zecurion ‘chief’ product evangelist, joined host Tom D’Auria on the IMI-TechTalk radio show to talk about the internal security threat posed by trusted employees. The show “Enemy Within: The Insider Security Threat” provides listeners with valuable insight into the present and growing internal threat to confidential and sensitive information.

Bradley discussed the issues faced by IT and security administrators and the need to strike a balance between protecting data and enabling productivity. He also stressed how important it is to leverage tools that proactively enforce policies and protect data without further burdening the IT staff.

The show originally aired on Sunday, November 22, 2009 at 5pm Eastern / 4pm Central on KFNX AM 1100 which airs in the Greater Phoenix area. Those outside of the Phoenix area can listen to the weekly show on the live Web simulcast.

Click here to download or play the MP3 recording of the show: Enemy Within: The Insider Security Threat.