Attacks/Breaches

1/6/2015
03:50 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Morgan Stanley Insider Case Offers New Year Insider Reminders

Employee accesses 10% of customer files in investment database, exposes hundreds on Pastebin.

The new year has started with a clear example of why it is so important to keep an eye out for insider threats. It came by way of news yesterday from investment firm Morgan Stanley that it fired a wealth advisor who accessed data on about 10% of its client roster and publicly posted details for 900 of them online.

"We are only five days into 2015, and already we are seeing insider breaches with the recent news at Morgan Stanley," says Eric Chiu, president and co-founder of HyTrust. "Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage."

In this case, the damage was minimal. The company was able to find and remove a Pastebin dump with the data and figure out how it was exposed before much injury was done. According to Dave Frymier, CISO for Unisys, the incident seems to have been handled quite well.

"As far as I can tell, it looks like Morgan Stanley has a pretty good handle on what happened here," Frymier says. "As long as they know what happened -- and it seems like they do -- there is no downside to it for them."

He believes the only lurking question is how a mid-level employee could have accessed hundreds of thousands of records.

"On the management path, there would only be very few -- and very trusted -- high-level managers with access to 350,000 records.  At any company like Morgan Stanley with over 3 million clients, there is a wealth of data that can be mined from their customer database for their competitive advantage," he says. "However, mid-level financial advisors typically aren’t qualified (or allowed!) to do this sort of work. There are 'big data' gurus who do this sort of thing, and they are the only ones who should have access to the entire aggregation of data."

The incident should serve as good warning that organizations should be looking for ways "to detect toxic combinations of people, activities, and applications" that could put them at risk, says Matt Zanderigo, product marketing manager for ObserveIT. This includes IT users, everyday business users, and contractors who may be engaging in activities unusual for their role -- for example, an everyday business user making configuration changes.

"Each of these toxic combinations has one thing in common: They introduce substantial, unaddressed, user-based risk," says Zanderigo. "Security-conscious organizations must monitor user accounts to reduce the impact of this type of user-based risk."

Additionaly, dedicated incident response and forensic teams need to be at the ready to interpret those monitoring alerts when they pop up. As Scott Hazdra, a principal security consultant at Neohapsis, puts it, the Morgan Stanley incident appears to be amateurish compared to many other insider incidents.

"It appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively," says Hazdra, explaining that, regardless, incident response is crucial to finding the tracks, however well hidden they may be. "Security analysts in a security operations center that hunt for abnormal activity can often spot this type of data movement based on quantity, destination, or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.” 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:16:03 AM
Re: Morgan Stanley got lucky or were they prepared?
With the prevailng industry view that breaches are going to happen, & the best defense is limit the exposure to your most sensitive and critical data,I'd say Morgan Stanley was both lucky and prepared. But the fact that the source of the breach was an employee "wealth manager" should be a serious wakeup call about the insider threat to all, not just the financial industry.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/7/2015 | 7:07:35 PM
Re: Morgan Stanley got lucky or were they prepared?

@Marilyn   Cohodas -  Good question, no doubt in my mind and we can only imagine what they would do with this data and how Morgan Stanley would react to it ?   Would they use the Sony defense ?   Where we argue it is every taxpayers problem or would they use the Chase Method and not say anything for months ?

Either way it is oddly fascinating to see the "Damage Control Psychology of the Breech" evolve as we speak. 

Now if we can get someone to be accountable - we just might be getting somewhere.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/7/2015 | 6:58:42 PM
He's No Snowden.......

So now the financial industry has to worry about the would be hacker within ?  Already on the long rebound from the Chase debacle now Morgan Stanley ?    

From the narrative it sounds like Morgan Stanley got lucky or perhaps this person couldn't afford to flee to Russia.

Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/6/2015 | 4:29:25 PM
Morgan Stanley got lucky or were they prepared?
Interesting that the the alleged perpetrator "was not very sophisticated or adept at hiding his activities." Makes me wonder if a more intreped attacker would have caused more damage.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Now, we come here to play Paw-ke Man Go!"
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6497
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
CVE-2018-18908
PUBLISHED: 2019-01-20
The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requ...
CVE-2019-6496
PUBLISHED: 2019-01-20
The ThreadX-based firmware on Marvell Avastar Wi-Fi devices allows remote attackers to execute arbitrary code or cause a denial of service (block pool overflow) via malformed Wi-Fi packets during identification of available Wi-Fi networks. Exploitation of the Wi-Fi device can lead to exploitation of...
CVE-2019-3773
PUBLISHED: 2019-01-18
Spring Web Services, versions 2.4.3, 3.0.4, and older unsupported versions of all three projects, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.
CVE-2019-3774
PUBLISHED: 2019-01-18
Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.