Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/6/2015
03:50 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Morgan Stanley Insider Case Offers New Year Insider Reminders

Employee accesses 10% of customer files in investment database, exposes hundreds on Pastebin.

The new year has started with a clear example of why it is so important to keep an eye out for insider threats. It came by way of news yesterday from investment firm Morgan Stanley that it fired a wealth advisor who accessed data on about 10% of its client roster and publicly posted details for 900 of them online.

"We are only five days into 2015, and already we are seeing insider breaches with the recent news at Morgan Stanley," says Eric Chiu, president and co-founder of HyTrust. "Data is the new currency, and employees have easy access to steal sensitive data for profit or to inflict damage."

In this case, the damage was minimal. The company was able to find and remove a Pastebin dump with the data and figure out how it was exposed before much injury was done. According to Dave Frymier, CISO for Unisys, the incident seems to have been handled quite well.

"As far as I can tell, it looks like Morgan Stanley has a pretty good handle on what happened here," Frymier says. "As long as they know what happened -- and it seems like they do -- there is no downside to it for them."

He believes the only lurking question is how a mid-level employee could have accessed hundreds of thousands of records.

"On the management path, there would only be very few -- and very trusted -- high-level managers with access to 350,000 records.  At any company like Morgan Stanley with over 3 million clients, there is a wealth of data that can be mined from their customer database for their competitive advantage," he says. "However, mid-level financial advisors typically aren’t qualified (or allowed!) to do this sort of work. There are 'big data' gurus who do this sort of thing, and they are the only ones who should have access to the entire aggregation of data."

The incident should serve as good warning that organizations should be looking for ways "to detect toxic combinations of people, activities, and applications" that could put them at risk, says Matt Zanderigo, product marketing manager for ObserveIT. This includes IT users, everyday business users, and contractors who may be engaging in activities unusual for their role -- for example, an everyday business user making configuration changes.

"Each of these toxic combinations has one thing in common: They introduce substantial, unaddressed, user-based risk," says Zanderigo. "Security-conscious organizations must monitor user accounts to reduce the impact of this type of user-based risk."

Additionaly, dedicated incident response and forensic teams need to be at the ready to interpret those monitoring alerts when they pop up. As Scott Hazdra, a principal security consultant at Neohapsis, puts it, the Morgan Stanley incident appears to be amateurish compared to many other insider incidents.

"It appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively," says Hazdra, explaining that, regardless, incident response is crucial to finding the tracks, however well hidden they may be. "Security analysts in a security operations center that hunt for abnormal activity can often spot this type of data movement based on quantity, destination, or classification level and react in hours versus discovering data out in the wild when it’s much harder to limit exposure.” 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2015 | 9:16:03 AM
Re: Morgan Stanley got lucky or were they prepared?
With the prevailng industry view that breaches are going to happen, & the best defense is limit the exposure to your most sensitive and critical data,I'd say Morgan Stanley was both lucky and prepared. But the fact that the source of the breach was an employee "wealth manager" should be a serious wakeup call about the insider threat to all, not just the financial industry.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/7/2015 | 7:07:35 PM
Re: Morgan Stanley got lucky or were they prepared?

@Marilyn   Cohodas -  Good question, no doubt in my mind and we can only imagine what they would do with this data and how Morgan Stanley would react to it ?   Would they use the Sony defense ?   Where we argue it is every taxpayers problem or would they use the Chase Method and not say anything for months ?

Either way it is oddly fascinating to see the "Damage Control Psychology of the Breech" evolve as we speak. 

Now if we can get someone to be accountable - we just might be getting somewhere.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
1/7/2015 | 6:58:42 PM
He's No Snowden.......

So now the financial industry has to worry about the would be hacker within ?  Already on the long rebound from the Chase debacle now Morgan Stanley ?    

From the narrative it sounds like Morgan Stanley got lucky or perhaps this person couldn't afford to flee to Russia.

Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/6/2015 | 4:29:25 PM
Morgan Stanley got lucky or were they prepared?
Interesting that the the alleged perpetrator "was not very sophisticated or adept at hiding his activities." Makes me wonder if a more intreped attacker would have caused more damage.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16349
PUBLISHED: 2019-09-16
Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.
CVE-2019-16350
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.
CVE-2019-16351
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in huffman_decode_step() at huffman.c.
CVE-2019-16352
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-21 has a heap-based buffer overflow in jfif_load() at jfif.c.
CVE-2016-10967
PUBLISHED: 2019-09-16
The real3d-flipbook-lite plugin 1.0 for WordPress has XSS via the wp-content/plugins/real3d-flipbook/includes/flipbooks.php bookId parameter.