Apr 02, 2015 By Brian Reynolds In Blog

Insider data breaches: Whose responsibility is it? (Part 1)

Insider data breaches have become a serious cyber threat that every member of the IT community should be paying attention to.  You don’t have to look very far to learn about these breaches and the damage they have caused.  It is all over the news. The harm to A company or agency name—or even to an entire industry—can be difficult to reverse when a breach reaches deep into the personal records, information and lives of consumers and citizens who entrust this data to corporations and government agencies. Insider threats and data breaches come in various forms, making them even more difficult to detect and avoid.

Two widely publicized cases show just how complex and different the threats can be. Edward Snowden started downloading classified government documents while working for federal contractors, first at Dell and then while working for Booz Allen Hamilton.  In this case, the perpetrator was a legitimate and trusted insider stealing and subsequently leaking private, sensitive and classified information in a public forum. Anthem was a nightmare for the healthcare industry and has been deemed a very “sophisticated” attack where hackers were posing as insiders.  In this situation, the bad guys didn’t start their work as trusted employees on the inside.  Instead, they found ways to circumvent the perimeter security measures to gain inside access.  The imposters then acted on the internal network by leveraging administrator credentials to gain access to private healthcare data.

To the naked eye, it would have seemed that the data was being accessed in a perfectly legal manner by authorized and trusted employees. In both cases the crown jewels – the data – were the target of the hack that successfully penetrated security defenses.  Scary stuff, right? For years it has been deemed the responsibility of the networking team, information assurance (IA) team and security officer or security administrator to deal with all things cybersecurity related.  They have done a relatively good job in securing the perimeter of their networks and putting monitoring and logging in place to determine when, why and how a breach has occurred.  These measures have been well funded and policy has allowed the IT members to act upon them.  Unfortunately, as demonstrated by the examples cited above (and many others in the news today), these measures are not enough to prevent sophisticated insider breaches aimed at stealing our data.

So where do we look next for responsibility to combat insider data breaches? What about the data owners themselves, such as the storage administrators, systems administrators, database administrators?  Surely they have implemented a secure method of two-phase authentication where multiple credentials must be validated in order to gain access to the data inside of the network.

In many cases this is true, yet it is still not enough to stop the insider threat from being successful.  The authentication requirements pose no hurdle to the insider or an imposter posing as one.  They have been granted the multiple credentials required to pass all of the traditional authentication phases.  After all, they are trusted users … or posing as such. So the question remains:  Who owns the responsibility to secure the data once and for all?

For the answer to this question, please check out Part 2 this two-part blog on Insider Data Breaches.