Insider Threats

Let's talk about insider threats. First, malicious insiders. Insider data theft and what's called privilege misuse are to blame for 15% of all breaches according to the 2017 Verizon Data Breach Investigations Report. Verizon Enterprise does these reports annually and they're actually pretty well respected in the industry. If you're curious to read them, they're actually relatively plain English, too. This problem is especially pronounced in the healthcare industry where 68% of the "threat actors" are insiders. Threat actors are the people who actually endanger a network. So what are the risks? There's theft of protected health information, PHI and/or office data, unauthorized fund transfers, and believe it or not, sabotage. So the threat effectively begins inside your network. This basically gets around what are called your perimeter defenses like an outside firewall or something like that. And the network perimeter defenses by nature are designed with outside attacks in mind.

 

An unfortunate side effect of this is that these attacks can sometimes take months or even years to detect. Also, for starters, make sure you include departing employees because if you immediately revoke access for any ex-employee, as soon as he or she leaves, it makes it much less likely or less easy for he or she to get into the system should they wish to do so. This includes revoking any network access including email and any passwords or connectivity for say a VPN if they were working remotely that way. And also don't forget deactivating physical badges or keys or anything else allowing unauthorized entry into your office space. Countermeasures for some of these dangers include prevention. This is basically from the start properly vet your new hires. Make sure that you know what you're getting, in effect. And also we mentioned a bit earlier the Principle of Least Privilege.

 

The idea is that anyone on the network should only be able to access that which they absolutely have to access and no more. Now then you want to look at detecting things on your network. That's done with network monitoring for things that are weird, behavioral anomalies. You can do that with an intrusion detection system - we talked about in the network segment - where it's looking at what's a bit out of the ordinary. Why is data flowing out at two in the morning, that kind of thing. A couple of other things we've also spoken about briefly earlier were honeypots and what we'd call the data loss prevention systems or DLP systems. Honeypots basically look like a tempting target on the network and the idea there is that no one legitimately using the network would have any use for a honeypot, but an attacker is going to look at it and say, "oh, that looks interesting" and when they go look, that effectively let's your network administrator know, okay, someone's fishing around who shouldn't be.

 

That's a little warning. Data loss prevention systems basically monitor and block things from going outside your system, which are tagged - something like say social security numbers, PHI, etc. The thing is, as with all systems that monitor data, it works against data that's not encrypted. So if an attacker really knows what he or she is doing, they'll encrypt it and take it out. But if it's done by accident, it's a good way to catch things before they accidentally slip out of the system. Also, you want to look at procedures. In particular, mandatory vacation, rotating duties and requiring multiple people for certain sensitive actions. A mandatory vacation means that someone can't stay in the same job doing the same thing all the time all year. Because if they are doing something fishy and there's no way anyone else is doing that job, they might not catch it. In a similar vein, rotating duties mean, "okay, you're doing a, she's doing b, he's doing c." Let's say at a certain point you switch each of them over. That way you have someone else looking over the work, so if something is a little fishy, there's that much more chance you'll catch it. And also for certain sensitive actions, like financial actions, make sure it's not just one person doing it because, while you hopefully can trust that person, sometimes that's not the case and if more than one person is there, it makes it a lot easier because there's someone to keep an eye on the other person. Also generally speaking, you want to keep your systems up to date and make sure you're using what's called application whitelisting, which again is like an invite only party to your network. It won't let something on your network until it's already been preapproved to do so.

 

And this can counter attempts to introduce something like malware inside the system because it's basically blocking it. Also, awareness training is pretty important. You want to make sure you include warning signs for personnel to keep an eye out for, effectively what looks weird or out of place - make sure they actually report it. So mistakes are also a concept which can be a bit of a problem. There was a breach response report from a company called Beazley, which is a well respected cyber insurance company. It came out in 2017 and referred to accidental data breaches by vendors and employees as a "major problem." The healthcare industry in particular was especially susceptible with a full 42% of breaches coming as a result of accidents, which is well ahead of any other cause. This includes what's called misdelivery. That's one word, misdelivery. And that means sending data via email, regular mail, etc., to the wrong person.

 

Then there was publication error, which is effectively inadvertently exposing something to the Internet like a database you think is safely stored in the cloud, but surprise, surprise, it can actually be accessed normally by just about anybody, or like a private conversation unintentionally posted on social media. Another one, you can look at is disposal error. Effectively, improperly disposing of data like an old computer with data still on it or PHI or something sensitive simply thrown in a dumpster rather than shredded. Keep in mind there are companies which can do this for you, take care of the disposal of old stuff. Just make sure when you're doing it, you actually have some record of what they're doing. Some of them will actually film it step by step to let you know "here are the drives, here we are taking them to the office, here we are dropping them in the shredder. Boom." It's best to just know because otherwise if it shows up later, you're still liable. Related problems. One thing in particular, data leakage, which can be an intentional or unintentional effort to get more work done at home. Sometimes it's something like emailing work to yourself on a home computer or to a non work email account. You know, you'll get to it later or maybe it's on portable storage or maybe it's even in a personal cloud account. Simple problem relates to this is simply forgetting that you've put the office data on there in the first place. You forget to delete it. Another thing to look at is insecure third party access. Basically, how much access do vendors, consultants, etc., have to your network? I think I mentioned earlier the 2013 Target breach began with a successful phishing attack against an HVAC vendor, which then got into the Target network through the vendor.

 

So you know the classic question, who else has access to the machines you're looking at? So what are the countermeasures for all of this? For starters, this Principle of Least Privilege I mentioned. That should apply to everyone in your office, as well as vendors, consultants, etc. Anyone who's actually on your system should only have access to what they absolutely need to use. Data loss prevention systems, like I say, are very useful as are application whitelisting. And also make sure you have written standards in place and procedures spelling out how data should be accessed, handled and stored. And finally, proper data disposal is laid out by National Institute of Standards and Technology and the SP 800-88, revision 1 standard, which we mentioned in the data disposal section. That relates to the media sanitization with the clear, purge and destroy standards. Purge or destroy is much better for PHI. And at the end of the day, it's always a great idea anytime this data's around, keep it encrypted because if it accidentally goes outside the system in an encrypted state, it's still considered secure.

Malicious Insiders

Potential risks posed by malicious insiders include:

  • Theft of PHI and/or office data
  • Unauthorized fund transfers
  • Sabotage

Departing employees

  • Immediately revoke any system and office access for any ex-employee as soon as he or she leaves

Countermeasures against insider threats include:

  • Prevention: proper vetting of new hires and the Principle of Least Privilege (only have access to what is needed to do the job)
  • Detection: network monitoring for unusual behavior
  • Procedures: mandatory vacation, rotating duties and requiring multiple personnel to complete certain sensitive actions
  • Technical: Keeping systems up-to-date and whitelisting can counter attempts to introduce malware inside the system
  • Training: Awareness training should include warning signs for personnel to keep an eye out for

Mistakes

Potentially reportable mistakes can arise from:

  • Mis-delivery (sending PHI to the wrong place)
  • Accidental exposure of PHI (on the internet, device, or in print)
  • Disposal errors
  • Data leakage (media containing sensitive information is lost and subsequently acquired by an unauthorized party)
  • Insecure third-party access

Countermeasures to reduce the likelihood of mistakes include:

  • The Principal of Least Privilege (the idea that at any user, program, or process should have only the bare minimum privileges necessary to perform its function)
  • Data Loss Prevention (DLP) systems
  • Written standards and procedures
  • Proper data disposal