Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/6/2015
03:50 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Morgan Stanley Insider Case Offers New Year Insider Reminders

Employee accesses 10% of customer files in investment database, exposes hundreds on Pastebin.

The new year has started with a clear example of why it is so important to keep an eye out for insider threats. It came by way of news yesterday from investment firm Morgan Stanley that it fired a wealth advisor who accessed data on about 10% of its client roster and publicly posted details for 900 of them online.

"We are only five days into 2015, and already we are seeing insider breaches with the recent news at Morgan Stanley," says Eric Chiu, president and co-founder of HyTrust. "Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage."

In this case, the damage was minimal. The company was able to find and remove a Pastebin dump with the data and figure out how it was exposed before much injury was done. According to Dave Frymier, CISO for Unisys, the incident seems to have been handled quite well.

"As far as I can tell, it looks like Morgan Stanley has a pretty good handle on what happened here," Frymier says. "As long as they know what happened -- and it seems like they do -- there is no downside to it for them."

He believes the only lurking question is how a mid-level employee could have accessed hundreds of thousands of records.

"On the management path, there would only be very few -- and very trusted -- high-level managers with access to 350,000 records.  At any company like Morgan Stanley with over 3 million clients, there is a wealth of data that can be mined from their customer database for their competitive advantage," he says. "However, mid-level financial advisors typically aren’t qualified (or allowed!) to do this sort of work. There are 'big data' gurus who do this sort of thing, and they are the only ones who should have access to the entire aggregation of data."

The incident should serve as good warning that organizations should be looking for ways "to detect toxic combinations of people, activities, and applications" that could put them at risk, says Matt Zanderigo, product marketing manager for ObserveIT. This includes IT users, everyday business users, and contractors who may be engaging in activities unusual for their role -- for example, an everyday business user making configuration changes.

"Each of these toxic combinations has one thing in common: They introduce substantial, unaddressed, user-based risk," says Zanderigo. "Security-conscious organizations must monitor user accounts to reduce the impact of this type of user-based risk."

Additionaly, dedicated incident response and forensic teams need to be at the ready to interpret those monitoring alerts when they pop up. As Scott Hazdra, a principal security consultant at Neohapsis, puts it, the Morgan Stanley incident appears to be amateurish compared to many other insider incidents.

"It appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively," says Hazdra, explaining that, regardless, incident response is crucial to finding the tracks, however well hidden they may be. "Security analysts in a security operations center that hunt for abnormal activity can often spot this type of data movement based on quantity, destination, or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.” 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:16:03 AM
Re: Morgan Stanley got lucky or were they prepared?
With the prevailng industry view that breaches are going to happen, & the best defense is limit the exposure to your most sensitive and critical data,I'd say Morgan Stanley was both lucky and prepared. But the fact that the source of the breach was an employee "wealth manager" should be a serious wakeup call about the insider threat to all, not just the financial industry.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/7/2015 | 7:07:35 PM
Re: Morgan Stanley got lucky or were they prepared?

@Marilyn   Cohodas -  Good question, no doubt in my mind and we can only imagine what they would do with this data and how Morgan Stanley would react to it ?   Would they use the Sony defense ?   Where we argue it is every taxpayers problem or would they use the Chase Method and not say anything for months ?

Either way it is oddly fascinating to see the "Damage Control Psychology of the Breech" evolve as we speak. 

Now if we can get someone to be accountable - we just might be getting somewhere.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/7/2015 | 6:58:42 PM
He's No Snowden.......

So now the financial industry has to worry about the would be hacker within ?  Already on the long rebound from the Chase debacle now Morgan Stanley ?    

From the narrative it sounds like Morgan Stanley got lucky or perhaps this person couldn't afford to flee to Russia.

Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/6/2015 | 4:29:25 PM
Morgan Stanley got lucky or were they prepared?
Interesting that the the alleged perpetrator "was not very sophisticated or adept at hiding his activities." Makes me wonder if a more intreped attacker would have caused more damage.
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps
Mathew Newfield, Chief Information Security Officer at Unisys,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19604
PUBLISHED: 2019-12-11
Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
CVE-2019-14861
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permiss...
CVE-2019-14870
PUBLISHED: 2019-12-10
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authent...
CVE-2019-14889
PUBLISHED: 2019-12-10
A flaw was found with the libssh API function ssh_scp_new() in versions before 0.9.3 and before 0.8.8. When the libssh SCP client connects to a server, the scp command, which includes a user-provided path, is executed on the server-side. In case the library is used in a way where users can influence...
CVE-2019-1484
PUBLISHED: 2019-12-10
A remote code execution vulnerability exists when Microsoft Windows OLE fails to properly validate user input, aka 'Windows OLE Remote Code Execution Vulnerability'.