Tag Archives: Insider threat

Morrisons staff suing over data breach. Del Brazil takes a look at what we know and what it might mean.

Advent IM Security Consultant, Del Brazil discusses some of the questions raised by the legal action from Morrisons employees over a data breach that led to their private information being leaked…

It has been reported in Computer Weekly that thousands of Morrisons staff are planning to sue the retailer over a data breach in which a disgruntled former employee published the bank, salary and National Insurance details of almost 100,000 employees online.

Did Morrisons fail to prevent the data leak that exposed tens of thousands of its employees to the very real risk of identity theft and potential loss? Only a full and thorough investigation will reveal the answer, along with exactly how the breach was committed and over what period of time it occurred.

Any investigation will highlight the security measures deployed at the time of the incident. A decision will then be made by the Information Commissioner's Office (ICO) or other investigative body as to whether the measures implemented were in line with the Data Protection Act and whether each measure was correctly configured, managed and/or monitored.

The Data Protection Act 7th Principle says that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

So in simple terms, each and every organisation that stores, processes or handles personal data should be able to establish whether it can reasonably do more to protect the personal data it holds. If that question raises eyebrows or poses further questions, then the simple answer should be yes; however, all organisations should be consistently and regularly reviewing their security measures in order to highlight potential weaknesses or areas for improvement. What is appropriate and adequate at one time may not remain so, which is why regular review and testing are key.

In the event that personal data is stolen, changed or misappropriated, the repercussions for the individual could be devastating. There is a possibility that their information may be sold on to a third party for spamming purposes or sold on to a criminal organisation with the intent of identity theft. The resulting financial losses to individuals are not only unfair and criminal on a wholesale basis, but frequently go to fund other criminal and terrorist activities. Sadly, there is frequently a somewhat relaxed attitude towards the loss of personal data from an individual's perspective, as they believe that it won't happen to them. However, there is always a risk of your personal information being used for purposes that you are not aware of. No one should ever be afraid to ask an organisation or employer how they protect their information and what measures they are taking to ensure its security. If there are resulting concerns about levels of protection or safeguards, then the Information Commissioner's Office (ICO) may be contacted, as it may investigate these concerns further.

Individuals can be quick to pass on their details to organisations/companies for genuine reasons; we all live a digital and data-driven life, in the belief that this information will be adequately protected. Arguably, in some cases you have no choice but to share personal information, especially from an employment perspective, and it would be reasonable to expect your employer to take sufficient care of your information to prevent it being accessed by or passed to individuals/organisations intent on committing some form of illegal activity. Being aware of how our information is protected is not unreasonable, and employees have a perfectly reasonable expectation that their employers will consider this part of their duty of care.

The UK can sometimes follow the US culturally, and the question has been raised as to whether the culture of litigation is one we can expect to see expand in the UK, particularly with this kind of high profile legal action. There are numerous incidents in the US where companies/organisations have been sued for failing to protect personal information, but can we expect this to become part of our corporate life? This is a very tricky question to answer, as the laws governing the protection of data in the US differ from those in the UK, although they do deliver the same message. Each and every personal data breach is unique, but the recurring question in any investigation will always be whether the individual, company and/or organisation took sufficient care to protect personal information by deploying appropriate technical, physical and procedural measures, and what the impact on the individual concerned was. So whilst the regulation may differ, the spirit of the regulation is consistent, and whether this is the future for the UK too remains to be seen. Certainly we are seeing growing numbers of breaches, and it is unlikely that this growth will continue without some kind of reaction from the victims.

What is the likelihood that the Morrisons legal action is successful? This will depend on the outcome of the ongoing investigation and on whether Morrisons is deemed to have adequately protected its employees' data. Should the legal bid be upheld, then the repercussions may potentially have a massive impact on all organisations storing and/or processing personal information. There is a likelihood that organisations may go massively overboard with extra or increased measures in an attempt to defeat any possible threat of an insider attack, without first reviewing and/or assessing the findings of the ongoing Morrisons case.

The Morrisons data breach does raise a few questions though: what measures are deemed to be appropriate and sufficient to detect and/or deter an insider attack? There is a fine balance between an organisation having such a high level of protective monitoring that it gives employees the ‘Big Brother’ impression, and such a low level that pretty much no monitoring takes place. A similar question applies to staff vetting: at what point does vetting stop being seen as an assurance practice and become an intrusion into personal life? These are questions that will continuously trouble both employers and employees.

Organisations are generally over-reliant on technical solutions for protective monitoring as a quick fix, rather than looking at the problem and identifying an appropriate solution. There is a whole raft of technical solutions available, all of which require an element of human monitoring and response. It is an organisational decision whether to use a more technical solution with little staff interaction needed to maintain the system, as opposed to relying more heavily on human inspection of the various logs; however, consideration should also be given to allowing/ensuring that there are sufficient staff available to respond to alerts or discrepancies detected by whichever solution is deployed. Organisations should also ensure that they have a tried and tested plan in place to maximise their ability to understand, contain and respond to the ever-increasing threat to personal information.

It is the opinion of the author that organisations should employ comprehensive protective monitoring procedures, which when coupled with a degree of staff vetting and a good security awareness programme should demonstrate to any governing body an organisation’s commitment to deterring or detecting insider threats.

Unfortunately the insider threat will never go away, and as the value and importance of information increases rapidly, so the temptation for employees to sell personal information also increases. Every level and type of industry relies upon information, no matter what form it takes, and as such every industry should keep an eye on this case as it develops.

Although organisations should pay close attention to this ongoing legal case raised by Morrisons employees, they shouldn't be overly concerned until the full details of the investigation and the outcome of the legal case are made public.

Every organisation should ensure appropriate measures are in place (technical and non-technical) to secure and protect personal information to the best of their ability, including continually educating, training and making their staff aware of the insider threats.


“Five Eyes” intelligence document leak – Australian Defence bureaucrat off to jail

This week saw the news that a junior bureaucrat from the Australian Department of Defence has been jailed for one year, following his guilty plea in the ACT Supreme Court to posting a secret Defence Intelligence Organisation report to an online forum. Julia McCarron gives her take on this quite staggering series of events.

Not a ‘Gooday’ for the Canberra APS

Surprise!

Well, this is a strange one for sure. So, Michael Scerba, a former junior Defence bureaucrat, has been jailed in Australia for uploading secret information online. He downloaded a 15-page document from a secret Defence Intelligence report, burnt it to disk, took it home and posted the first two pages on an online forum. The post was viewed and commented on by a dozen people and re-posted, but disappeared an hour after its original posting.

This is bad on so many levels …

When they say he was a junior bureaucrat, he was actually a 21-year-old Department of Defence (DoD) graduate … with only 8 months on the job behind him and a secret (negative vetting level one) clearance … and apparently “his mental health had impaired his judgement”. I accept that the article does not expand on these mental health issues or when these issues occurred, and I am in no way implying that mental health of any kind should be a barrier to employment, as I do not believe it should in general. However, we are talking about a position in National security here with access to secret information, so, assuming his issues occurred pre-employment, my first question is: why was a 21-year-old graduate with mental health issues given a level of clearance high enough to enable access to, and the capability to download, information relating to National security?

You've got to have a system.

Something has to have gone wrong with the vetting process and/or the employment process where access rights and privileges are determined and applied. If he had underlying mental health issues, surely these should have been detected prior to his employment or during the induction process. I would presume DoD staff have to go through stringent mental stability checks for security clearance purposes to minimise the risk of coercion or subversion? This seeming lack of procedure demonstrates the importance of a robust vetting process, particularly in a role so critical to the security of the nation. It also demonstrates the need to ensure privileges are granted relevant to the job role and on a ‘need to know’ basis. Did he really need access to information that revealed the identity of intelligence sources, gathering methods and classified aspects of strategic partnerships between Australia and other countries?

It also opens up the question of removable media access and control in sensitive areas. Second question: did he really need to be granted the ability to burn information to disk or USB at the level he was working at? Are there not search facilities at access points, à la ‘Spooks’, that detect unauthorised media? I would have thought again that some sort of policy would have existed that meant staff were only allowed use of authorised removable media and that no media was allowed to be removed from the premises?

And finally, the claim by the Judge that “Scerba had not intended to compromise national security, although he knew the disclosure could cause harm”. I find this claim quite astonishing. So he's employed in a DoD job, with access to information pertinent to National security, and he didn't know the disclosure could cause harm or compromise National security? Really? Question 3: what kind of induction training was the DoD providing? I can't believe they do not put employees through extensive security training highlighting how to handle data at various classification levels, the importance of data classification and handling, and the consequences of failing to comply with policy. If they don't, then some serious questions need to be asked!

I think I'm with retired Lieutenant General Peter Leahy on this one though; jail time was definitely required for this serious National security data breach. But 12 months with only 3 served does not send out a good message to others employed by the DoD who, like Scerba, believe Julian Assange is their hero. This could just be the beginning unless processes are tightened up.

This post is based on an online article in the Canberra Times dated 5th November 2015.

The Insider that rarely gets questioned…

Insider Threat certainly isn't going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the Risk that Insiders bring can be mitigated with good policy and process combined with tech that is fit for purpose. But what of those insiders we don't really like to challenge? I speak of the C-Suite; our boards and senior management… surely they couldn't possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our board rooms, security-wise I mean. (Check out https://uk.pinterest.com/pin/38632509277427972/) Unfortunately, some of the info assets that this level of colleague has access to are quite privileged, so in actual fact the security around their behaviour needs to be tighter. In reality things are not always this watertight, and IT security and other security functions will make huge exceptions based upon the role and seniority, instead of looking at the value of the information asset and how it needs to be protected. (Check out https://uk.pinterest.com/pin/38632509276681553/)

It's worth noting that senior execs are frequently the targets of spear phishing, and given the level and sensitivity of the assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of an attack. If it was part of an industrial espionage type of operation, the plan might not be to steal data; it could be to destroy or invalidate it in situ in order to affect stock prices, for instance. It is also worth noting that ex-execs or managers can still be a target, and that means they still constitute a potential organisational threat.

Privileged access users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users, as there may be little or no restriction on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, but the organisation might not even realise it if they also have the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, privileged users were the biggest risk group, and the privileged user and Executive Management categories together were responsible for 83% of the overall risk from Insiders. Yet according to the same piece of research, only 50% have Privileged User Access Management in place, and just over half had Data Access monitoring in place.

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them, and many have decided to adopt it. Whilst data suggests it may contribute to data breaches in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight that general employees are. We know that almost a third of employees have lost up to 3 work mobile devices; we do not know how many have lost their own device as well, or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives though, and this, combined with other risky behaviours (check this out https://uk.pinterest.com/pin/38632509277975844/), will be a major contributor to the risk profile that they represent.

SMEs and Security or How SMEs can impact UK PLC Security (image)


2013 over the shoulder

Time for a bit of a look back…sort of

The rise and rise of BYOD, the discovery that eBay is not the appropriate place to divest yourself of NHS patient data, and the increase in malware, and not just any malware but mobile malware. These were a few of my (least) favourite things of 2013.

It may seem churlish to poke a stick at the rise of the enormously populist BYOD, but it's actually connected to the concern around the rise of mobile malware. 2013 saw Blackberry drop off the business cliff and Android devices rise to start to fill the gap. According to the latest stats from Gartner, 4 out of every 5 devices in the last quarter were Android powered (driven by growth in China). This proliferation has a knock-on effect, because it means more employees will be BYODing with Android devices and also more businesses are choosing them as their business-issued device. At the same time, we are reading that Android devices are the top target for malware and malicious apps. I recently heard BYOD described as ‘anarchic chaos’. Let's see what epithet we can come up with after another year of Android malware…

Looking at eBay as the place to send your old drives full of (personal) data… hopefully everyone has learned some massive lessons from this incident in Surrey NHS and will be doing due diligence on whoever they procure/source to carry out the destruction of this kind of data in future. Remember, any organisation that has certified to a standard like ISO27001 will welcome an audit so they can prove to you how seriously they take IS processes. This can offer some kind of reassurance and form part of that due diligence.

‘Cyber’ has been a headline grabber all year for many different reasons. Some of the time it has been related to the NSA and GCHQ revelations, and so Cyber could also have meant privacy. Some of those headlines have related to Cyber Security and the Government's commitment to getting UK PLC fully on board with knowledge, understanding and protection. Of course, “hacker” is another word rarely out of the headlines, and previously on this blog I have taken issue with media use of both of these words, largely because it can be misleading. I won't bang on about it again, and you can read the previous blog post if you choose. However, I do think that this continued laziness will encourage people to think that security is an IT issue and therefore someone else's problem, as opposed to a business issue that needs to be addressed at C-Level.

Phishing and Spear Phishing continue to bleep away on every Security professional's radar. Whilst scatter-gun phishing may not be growing especially, it's clear that targeted or spear phishing is increasing. This also relates to my previous point about ‘hacking’ and ‘cyber’, as frequently these can be pre-emptive strikes for a full-on attack or part of a broader Social Engineering attack to facilitate or enable a hack or cyber attack. If you want to read more or hear more about that, then you can read our posts here and see our presentation here.

The phishing issue is a serious business, and employees need proper and regular training on what these attempts look like and how to deal with them. That is not just your standard phishing attempt from someone telling you your bank account is compromised (I had an amusing one recently from Honestly Barclays Security), but a sophisticated phish from someone who has obtained your email address and is trying to pass themselves off as someone else in order to gain access to information. This requires bespoke training from an employer. Software or a firewall may not protect you from them…

Lastly how our physical world interacts with our cyberworld. 2013 saw Google Glass arrive and the invention of a whole new insult, Glassholes (not mine, don’t shoot the messenger). Some misgivings and some misunderstandings around Google Glass merely serve to remind us that though we are raising a generation that thinks nothing of handing over their privacy in order to get a free app or free wi-fi, there are still enough people concerned about the march of technology ahead of security to make pursuing secure progress worthwhile.

We also saw the mainstream expansion of household items that are web enabled, and several furores over TVs that apparently spy on their owners. Add to the list fridges and cars for next year, and let's see what else is either causing ‘spying’ headlines or is being hacked by cybercrims. In the business world, smart buildings with IP security and building management systems are becoming increasingly aware of the threat from cyberspace. You can watch our presentation on the topic here. You will need sound. Making sure we buy secure security systems sounds mad, but actually it isn't happening enough. These systems sit on networks, needing firewalls, patching and anti-virus just like our other systems. We cannot assume that because a system is a security system it is inherently secure.

Remember, everyone in an organisation is part of that organisation's security. An information asset might be an email or electronic document, but it might also be a fax, a cardboard file, a piece of paper or an overheard conversation about intellectual property. They all have to be protected, and a firewall isn't going to cover it all.


No doubt we will have some predictions for 2014 soon….

Data Protection and Temporary Workers – the Perfect Data Breach Storm?

This morning brought Security News stories from around the globe as usual. One jumped out at me, not because it was unusual but because the wording highlighted to me some dangerous assumptions and errors in thinking that we are guilty of.


The story was about a temporary worker at a hospital who had sent letters containing highly sensitive children's data to the wrong addresses. Apparently the temporary workers who had made this series of errors had not received any DP training. The story explained that the ICO had given a warning that “even temporary staff should have Data Protection Training”.

Bear with me. Last year another breach occurred in a hospital when a temp worker downloaded a large batch of patient data onto a data stick and took it home to work on. Apparently on this occasion it was assumed that Data Protection training had been done by someone else.

Firstly, assuming someone has had training in something is always dangerous. Surely if you are going to allow temporary workers access to such sensitive data, it is a must have. Secondly, is it appropriate for a temporary worker to have that access? Obviously this will vary by incident or role.

It's not just the NHS; businesses make this mistake too. I have seen temporary workers who have had no vetting logged into networks by well-meaning employees on their own login credentials. There they have been able to access any sensitive data they wished, and the trusting employee has handed over that organisation's data to someone who may well damage, steal or sell it.

Back to my original point, to say that ‘even’ temporary workers should have Data Protection training seems a bit like looking the wrong way down a telescope. Surely we should be saying temporary workers especially need Data Protection training?