The Inadvertent Insider Threat: A CISO Confronts a Breach From Within

The following story illustrates what happens when a chief information security officer (CISO) encounters an inadvertent insider threat. While Marie Addison isn’t real, the challenges she faces are hardly works of fiction. Even the most secure companies have employees who forget to follow best practices. Human error, credential misuse and disgruntled employees may not cause the statistical majority of security incidents, but they do pose a genuine risk for any CISO. Read on to discover the choices Marie makes as her story unfolds. Did she follow the best path?

“The speaker for today’s Women in Technology lunch and learn is Marie Addison, a CISO, cybersecurity leader and big data expert,” announced event host Sara Cheema.

“Marie’s company is an industry leader in data-driven buyer persona profiles,” Sara continued. “Her role includes protecting a variety of fast-streaming data sources, including user behavior, social media sentiment and market research.”

Marie walked to the podium, adjusted the microphone and arranged her notes carefully before starting her speech.

“Thank you, Sara. What I’ve prepared today isn’t going to be your standard talk, but I hope it’s a refreshingly honest look at the challenges I face,” Marie said. “I’ve drawn up some notes about the realities of my role as a CISO.”

After a brief pause she continued, “Sometimes, I’m too busy playing whack-a-mole with high-risk security threats to plan and implement the right preventive measures. But, thankfully, we’ve never had a data breach — and I’m here to tell you how.”

An Inadvertent Insider Threat

Back at the agency, the junior database analyst (DBA), Ross Silver, felt like banging his head against his desk. The internal server the company used to aggregate data was reaching capacity. Based on how slow his queries were running, there wasn’t much time left before capacity was maxed out.

Ross knew uptime was crucial for the agency to do its most important work: using an analytical engine to marry data with insights into social media sentiment, message board text scrapings and third-party market research.

However, the capacity (or lack thereof) wasn’t the source of Ross’s frustration. His irritation stemmed from the fact that he was the only data operations staffer on site that afternoon. The chief information officer (CIO), Rai Kagome, was unreachable for the next two weeks, as she was on a cruise with her family. The senior DBA was attending an event where the CISO, Marie, was the featured speaker. Last, the IT director was taking a few days of medical leave.

Not only was Ross the lone data staffer on site, but his database credentials were also relatively limited.

A Goldmine of Exposed Admin Credentials

Ross walked into the IT director’s empty office and opened the top desk drawer. It didn’t take him long to find what he needed: a sticky note labeled “admin,” which listed a username and password. Ross snapped a quick photo of the note with his mobile device.

Ross used the admin credentials to access the server when he returned to his desk. Clicking on users, he scrolled down until he saw his username listed. With a few more purposeful clicks, he escalated his account privileges — and when he logged back in as Ross Silver, he was both a junior DBA and super admin user of the central database.

A Temporary Cloud Storage Solution

As he worked to connect to an external third-party cloud service, Ross wondered why the organization was using an on-premises database to store such a critical workload — especially when there was so much capacity in the cloud. While it wasn’t cheap to store such a massive amount of data, the service offered a free 30-day trial.

Ross knew temporarily escalating his credentials was risky business, but he didn’t want to be held responsible if the internal server hit capacity and the agency’s productivity slowed to a halt.

Ross knew temporarily escalating his credentials was risky business, but he didn’t want to be held responsible if the internal server hit capacity and the agency’s productivity slowed to a halt. This storage solution wasn’t permanent, he thought. The IT director would be back in the office before Ross’ company credit card got hit for the next month’s subscription fee.

Ross logged back into the admin account to restore his usual junior DBA permissions and felt satisfied that he’d created a temporary bandage for their big data volume problem. Besides, he had heard on a podcast that all of those rumors about public cloud security issues were greatly exaggerated.

Default Access Disaster

Despite Ross’s ability to resourcefully navigate access management for the agency’s on-premises server, he’d left a few crucial boxes unchecked in the cloud. He failed to notice that when he blindly accepted the default access settings for the cloud storage service, it left the repository fully open to anyone searching for open data sets.

Since Ross had labeled the data with his agency’s name, the date and the details “full buyer data backup,” it was practically a pot of gold for cybercriminals.

One Security Researcher’s Discovery

Security researcher Lexi Milic couldn’t believe what she’d found while browsing unprotected data sets on a popular cloud storage service. Right in front of her was bytes upon bytes of personally identifiable information (PII), labeled with an organization’s name and backup.

Lexi was one of the good guys. Sure, she’d built her brand on exposing real companies’ cloud security snafus — but it wasn’t like she sold unprotected data when she uncovered it. Lexi always notified companies about her discoveries, which sometimes netted her a bug finder’s fee. However, her blog and massive social media following were the real pillars of her cloud security influencer brand.

This digital marketing agency was foolish to use its entire name, but that made it easy for Lexi to locate the company’s website. She used the online contact form to write a short, informative email about the exposed data in the cloud, including a direct link to the cloud repository and screenshots.

Glancing at the time on her laptop, Lexi was relieved to see it was only 6 p.m. This meant she might be able to get the blog post published before 7:30 p.m. to get some exposure that evening.

She had already drafted the majority of an article about the perils of the popular cloud security service’s default settings. With a real-world example of a company exposing its own PII, she was in solid shape. In fact, she’d probably spend the following morning on the phone doing interviews with reporters from the big security blogs. She was excited about getting more exposure.

A CISO’s Cybersecurity Nightmare

Marie’s work device buzzed as she sat in gridlocked traffic during her morning commute. Still exhilarated from her speech at the conference the day before, she glanced down and saw a text message from Rai, the CIO: “We’ve had a breach. It’s bad. All over the news. Head to the conference room as soon as you’re here.”

Marie’s hands shook as she typed out a quick response: “Got it. Stuck in traffic, be there in 15 minutes.” She wished the other cars would disappear as she sent a follow-up message: “Will let you know when I’m parking.”

The article said the company’s buyer persona profile data — its proprietary product — was fully exposed in the cloud.

Rai met Marie in the parking lot and briefed her during their walk to the conference room. The previous evening, a popular security blogger had published an article about the company, complete with links and screenshots. The article said the company’s buyer persona profile data — its proprietary product — was fully exposed in the cloud.

Rai had received search alerts for the agency’s name based on data exposure throughout the night, but her phone didn’t wake her up. And the email from Lexi was only discovered when Rai woke up at 7 a.m. By then, the issue was all over the news — and the company’s CEO was blowing up her phone.

Not All PR Is Positive Exposure

The next few weeks at the agency were the worst of Marie’s professional life. She sat in countless incident meetings, chewing her lip while the client-facing C-suite fretted about client churn. The agency hired public relations experts to collaborate with legal counsel as the organization scrambled to address the incident publicly.

Marie and Rai were tasked with fast forensics. There was no shortage of pressure from the CEO to provide a better explanation than, “We’re working to investigate the cause of this incident and improve our controls.”

More than two-thirds of the records compromised in 2017 were caused by an inadvertent insider.

Unfortunately, the forensics were far from simple — especially since the exposed data carried an alleged date on which the vast majority of the IT team was out of office. Marie’s team wasn’t able to pinpoint the cause until the IT director performed a manual log review.

Before long, the junior DBA, Ross Silver, found himself sitting down with human resources for an interview.

Better Ways to Protect PII

Real organizations face data exposure from the well-meaning actions of inadvertent insiders every day. In fact, more than two-thirds of the records compromised in 2017 were caused by an inadvertent insider. Even though this is not the most common type of incident organizations face, it’s still among the most complex threats that security leaders like Marie must face.

As a CISO, Marie was well aware that humans are risky endpoints. She’d worked hard to protect the agency’s digital perimeter as it became more porous. She’d collaborated with the CIO to ensure the right people had the right access. Unfortunately, the IT director had ignored the agency’s policy and written down his credentials anyway.

A Happier Cybersecurity Epilogue

Fortunately for security leaders in the real world, the story doesn’t have to end this way. To avoid a public relations fiasco and frustrating forensic investigation, Marie could have done a number of things differently. First, her agency could have leveraged identity and access management (IAM) services to manage identity governance and technology deployment. Then, there wouldn’t have been a credentials-based nightmare.

In addition, Marie could have used a mainframe security solution to effectively delegate and automate the CISO’s constantly expanding role. She could have also monitored employee behaviors with user behavior analytics (UBA) and insider threat protection tools. Deploying a data protection solution would have helped her keep tabs on high-risk behavior in real time. Plus, a resiliency and compliance platform would have allowed her to restrict attempts to change configurations with a resiliency and compliance platform.

It also goes without saying that proper training for security personnel on incident response and remediation could have helped her team handle the issue. In the case of a future breach, Marie might consider hiring incident response experts to work alongside the company’s own public relations team.

Humans will always make occasional mistakes, but organizations can prepare for the inevitable with the right security arsenal of solutions to monitor users, automate IAM and protect data assets.

Despite the fact that CISOs like Marie Addison are investing heavily in cybersecurity awareness training, users like Ross are still clicking the links in phishing emails and uploading PII to external cloud storage services. Considering the sheer volume of external and internal threats CISOs face daily, Marie’s whack-a-mole reference is not an exaggeration.

Yet the actions of well-meaning insiders who forget to update security settings don’t need to escalate into highly visible security disasters. Humans will always make occasional mistakes, but organizations can prepare for the inevitable with the right security arsenal of solutions to monitor users, automate IAM and protect data assets. With an ecosystem of solutions, CISOs can stop feeling like they’re constantly chasing down threats and instead take a more proactive, secure stance.

 

Read more articles about identity and access management