Insider Threat
If you are anything like me you will find the creation and maintenance of security policies a little tedious, though I cannot stress the importance of them enough. A UK case was recently reported by North Yorkshire Police, which could have been prevented on many levels through effective cyber security controls.
Danielle Bulley of Tockwith used to work as a director for a property marketing business, she left "on a bad note" and the business went into liquidation. A new business was formed which repurposed the assets of the previous business, Bulley accessed the new business's DropBox account using her old credentials and deleted thousands of critical files, causing the second business to also go into liquidation.
What lessons can be learned
The following measures and services should have greatly reduced the likelihood, if not prevented this incident from occurring, I'd like to think that if the business had been one of our clients a number of checks and policies would have been identified which would have prevented the incident, so what are they
Cyber Risk Review
Our Cyber Risk Review is a one day workshop which discusses hundreds of cyber security controls from numerous cyber security frameworks, and cover many issues such as; leaver policies, account registers, insider threat and monitoring, The output is a report on the capability gaps, from what you are doing and where you would like to be. The resources which would be required to implement the controls coupled with their risks are discussed and prioritised accordingly.
There are plenty of security frameworks available for you to review if our Cyber Risk Review isn't for you.
Leaver Policy, Asset Register and User Account Register
Alongside the Acceptable Use Policy, the Leaver Policy should be followed as soon as you become aware that a member of staff might be leaving the organisation, notice I said might. All accounts in use by staff should be tuned to their individual needs and operate under a term known as "Least Privilege". This means that members of staff have just enough privileges and account access to do what they need to do, a review of these privileges should be performed regularly, at least annually. If the privileges required are godlike, such as Administrator or Root, then they should have a completely separate account, which is restricted in other ways.
Whenever it is suspected that a member of staff might be leaving, a risk assessment regarding what damage the member of staff could do to the business should be considered. If significant, the privilege review should be brought forward and any non-essential privileges or account access revoked, take care to document your decisions, involve HR and avoid any actions which might impact the member of staff being able to work and result in a case of constructive dismissal.
- Once a member of staff has confirmed that they are leaving, or that you are letting them go and if they aren't being placed on gardening leave, their privileges and account access should be reviewed again and reduced appropriately and regularly throughout their notice period.
- Hopefully the Physical Asset Register will accurately reflect the business equipment which they are custodians for. Consider requesting that their business phones and laptops etc do not leave the premises.
- Consider withdrawing any unaccompanied access to the office and notify security of their restricted physical access to the office.
- Ask them and their colleagues about why the individual wants to leave and consider any grievances which might have occurred and most importantly, when.
- Review the security logs as far back as when you suspect the decision was made to leave the business looking for suspicious behaviour, take special note of file access and any external connection or undue exfiltration of data, from their accounts, or any other accounts.
- Restrict access to cloud based storage facilities, webmail etc if they aren't prohibited anyway.
- The Account Register should detail all of the access they have to internal and external business services and their levels of privilege. Revoke any access which is no longer required and minimise privileges of any which are required.
Acceptable Use Policy
I cannot begin to stress the value of your acceptable use policy enough, this governs what a user should and should not do and provides a mechanism to prosecute transgressions in a court of law, these are some examples of what could be included with the above in mind.
- Do not use any personal computers or mobile telephones for business use, including emails (some businesses do allow BYOD)
- Wherever possible multi-factor authentication (MFA) should be used for all business accounts, under no circumstances must MFA be set up using a personal device.
- Business email addresses must not be used for any personal accounts.
- Personal email addresses must not be used for business services, this includes iCloud for Apple iPhones
- All passwords must be individual to each account and not re-used, the following password manager is accepted for use in the business <password manager>
- Personal webmail and personal cloud storage must not be accessed from the corporate network (and controls to prevent this should be in place)
Technical Mitigations
Cloud Services Only accessed via VPN
Where external cloud services such as CRM, accounts packages such as Sage or QuickBooks, etc are used, consideration should be given to configure them to only allow access to the Company accounts from your corporate external IP addresses.. If staff are working remotely, then they must use the corporate VPN to access these services, as a result their actions can be monitored and if they leave the business, then their method of accessing these cloud services is removed.Backup
Backup your important data, the above situation could have been avoided if only their data had been backed up, which is important on a number of levels, not least of which is recovery from a ransomware attack. It's also worth noting that Cloud solutions such as OneDrive are Cloud Storage services and not Cloud Backup. Test your backups be deleting some test data and seeing if you can restore it.
Data Loss Prevention and Data Labelling
There are Data Loss Prevention (DLP) products which sit on your servers, endpoints and boundaries looking for staff and attackers who might be exfiltrating information. Whilst this wouldn't have helped with the above scenario as the data was legitimately exported to DropBox, it is a common Insider Threat method for exfiltrating information to take to another business.
Setting data labels on your sensitive information and then setting alerts or even blocks if someone tries to exfiltrate that information is extremely valuable. Office products such as Office 365 come with some Data Loss Prevention capability which can be configured with ease. https://www.cndltd.com/services/prevent/data-loss-prevention
Monitor Your Logs
If you don't open your eyes you cannot see. There is little point in configuring all of these controls if you are not looking at your logs to detect it. Security Information Event Managers(SIEM) are the ideal solution as they apply some intelligence to what they see, though you could also use a more manual mechanism to review your logs. Monitoring your network also acts as a deterrent for users who don't want to risk being caught in the act. https://www.cndltd.com/services/detect/siem
Read and Write Permissions and Audit Granularity
If you have a data repository within the business, it is likely that not every person should have the privileges to delete every document, though this is often found to be the case. Consider segregating data and increasing the number of staff with read only privileges.
It is also worth considering your file access audit policy, who accessed what files, who deleted what files and who failed in their attempts to do so. Be careful as some of these settings consume volumes of log storage.
https://www.cndltd.com/services/detect/insider-threat-detection-and-hunting
Intrusion Detection and Prevention
Certain IDS and IPS signatures will detect the exfiltration of data. For instance we alert/block on any connections to cloud storage services such as DropBox https://www.cndltd.com/services/prevent/ids-and-ips