The new year has started with a clear example of why it is so important to keep an eye out for insider threats. It came by way of news yesterday from investment firm Morgan Stanley that it fired a wealth advisor who accessed data on about 10% of its client roster and publicly posted details for 900 of them online.
"We are only five days into 2015, and already we are seeing insider breaches with the recent news at Morgan Stanley," says Eric Chiu, president and co-founder of HyTrust. "Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage."
In this case, the damage was minimal. The company was able to find and remove a Pastebin dump with the data and figure out how it was exposed before much injury was done. According to Dave Frymier, CISO for Unisys, the incident seems to have been handled quite well.
"As far as I can tell, it looks like Morgan Stanley has a pretty good handle on what happened here," Frymier says. "As long as they know what happened -- and it seems like they do -- there is no downside to it for them."
He believes the only lurking question is how a mid-level employee could have accessed hundreds of thousands of records.
"On the management path, there would only be very few -- and very trusted -- high-level managers with access to 350,000 records. At any company like Morgan Stanley with over 3 million clients, there is a wealth of data that can be mined from their customer database for their competitive advantage," he says. "However, mid-level financial advisors typically aren’t qualified (or allowed!) to do this sort of work. There are 'big data' gurus who do this sort of thing, and they are the only ones who should have access to the entire aggregation of data."
The incident should serve as good warning that organizations should be looking for ways "to detect toxic combinations of people, activities, and applications" that could put them at risk, says Matt Zanderigo, product marketing manager for ObserveIT. This includes IT users, everyday business users, and contractors who may be engaging in activities unusual for their role -- for example, an everyday business user making configuration changes.
"Each of these toxic combinations has one thing in common: They introduce substantial, unaddressed, user-based risk," says Zanderigo. "Security-conscious organizations must monitor user accounts to reduce the impact of this type of user-based risk."
Additionaly, dedicated incident response and forensic teams need to be at the ready to interpret those monitoring alerts when they pop up. As Scott Hazdra, a principal security consultant at Neohapsis, puts it, the Morgan Stanley incident appears to be amateurish compared to many other insider incidents.
"It appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively," says Hazdra, explaining that, regardless, incident response is crucial to finding the tracks, however well hidden they may be. "Security analysts in a security operations center that hunt for abnormal activity can often spot this type of data movement based on quantity, destination, or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.”