Two separate incidents reported this week have once again highlighted how insiders with legitimate access to systems and data can be far more dangerous to enterprise security than external attackers.
On Thursday, the US Department of Justice announced indictments against two former Twitter employees for allegedly accessing private information tied to Twitter accounts belonging to several individuals of interest to the government in Saudi Arabia. A third individual based in Saudi Arabia was also indicted on related charges.
US national Ahmad Abouammo (age 41) of Seattle and Ali Alzabarah (35) of Saudi Arabia are accused of using their Twitter employee credentials to collect information that helped Saudi officials identify individuals critical of the regime in the country. They are alleged to have provided the information — which included email addresses, phone numbers, IP addresses, and dates of birth — to officials working on behalf of the Saudi government and the Saudi royal family.
The charging documents described Abouammo as a former media partner manager at Twitter responsible for the Middle East and North Africa region.
In that role, he was involved in assisting notable Twitter accounts in the region — including those belonging to brands, journalists, and celebrities — with content and Twitter strategy as well as sharing best practices. Alzabarah was a site reliability engineer, with no authorized access to the Twitter account data. Even so, he is alleged to have accessed nonpublic data associated with more than 6,000 accounts, including 33 accounts for which Saudi officials had previously pressed Twitter for more information.
Abouammo allegedly received a luxury watch valued at more than $20,000 and hundreds of thousands of dollars in cash in return for the information. He was arrested in Seattle on November 5 and made his first court appearance today.
Alzabarah fled the country for Saudi Arabia after Twitter officials confronted him about his illegal activities. A federal warrant has been issued for his arrest and also that of a third individual, Ahmed Almutairi, 30, a Saudi-based individual who is alleged to have facilitated meetings between Saudi officials and the two former Twitter employees.
In a statement, a Twitter spokesman said the company is committed to protecting the privacy of individuals who use its platform to advocate for human rights, equality, and individual freedom. "We recognize the lengths bad actors will go to try and undermine our service," the spokesman said. "Our company limits access to sensitive account information to a limited group of trained and vetted employees."
Meanwhile, in a separate development, cybersecurity vendor Trend Micro on Wednesday said one of its employees had illegitimately accessed personal data belonging to about 68,000 of the company's 12 million customers.
According to the security vendor, one of its employees used "fraudulent means" to access a customer support database containing names, email addresses, support ticket numbers, and, in some cases, the phone numbers of customers. He is alleged to have sold that information to a third-party malicious actor who then used it to attempt to scam Trend Micro customers.
Trend Micro was alerted to the data theft in August after some customers of its consumer security products reported receiving scam calls from people purporting to be the security vendor's support personnel. It wasn't until October, however, that the company was able to identify the source of the leak. The employee has been terminated.
A Long-Standing Problem
Trend Micro and Twitter are the latest in a long and constantly growing list of victims of insider abuse — a problem that many security experts say poses at least as big a risk to enterprise security as external attacks. Twenty percent of the security incidents that Verizon's breach response group handled in 2018, and 15% of the actual breaches it investigated, involved insiders. Nearly half of those incidents (47.8%) were motivated by financial gain and a surprisingly high 23.4% by people seeking "pure fun."
Insider threats present a special challenge because most security is focused on protecting against incoming traffic, says Warren Poschman, senior solutions architect at comforte AG. Internal, properly authorized users are expected to be able to access data because it is part of their job functions.
"The premise of 'you can't deny what is granted' applies in that if an insider has legitimate access, then it is difficult to determine if a behavior is allowable," Poschman says. True intent can be hard to determine until after damage is done because legitimate user behavior can often be erratic, he adds.
Several tools are available to address insider threats, including user behavior analytics and risk-based authentication products. Data-centric measures such as tokenization and format-preserving encryption can also help by limiting access to sensitive data for all users regardless of the permissions they have, Poschman says.
Terry Ray, senior vice president at Imperva, says trying to proactively restrict all employees to just the data they need can be complex and even next to impossible for enterprise security organizations. Even a zero-trust approach — where every access request to a network or app is vetted for trustworthiness — has limitations when it comes to malicious insiders, he says. "The only aspect of zero trust that might have benefited Trend Micro would be least privileged access — the idea that each individual should only have access to what they need for their role," he says.
To be effective, insider controls have to be based on continuous monitoring of all user access to protected data. To spot unusual behavior, organizations need to be constantly analyzing who accesses data, what they access, how they access it, from where, and whether they should have access to it.
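The monitoring Ray and Poschman describe (least-privilege entitlements per role, plus continuous analysis of who reads what, how much, and from where) can be expressed as a handful of checks over a data-access log. The following is an added example written for this page, not code from Dark Reading, Twitter, Trend Micro, or either vendor quoted above; the role names, entitlement table, home-country baselines, volume threshold, and every log record are constructed sample data chosen to resemble the two cases in the article.

```python
"""Data-access monitor illustrating the insider controls described in the article.

Three checks run over an access log:
  1. entitlement: does the user's role permit reading this dataset (least privilege)?
  2. location:    is the access coming from the user's normal country?
  3. volume:      has the user pulled far more records from a dataset than expected?
All roles, users, thresholds and records below are hypothetical, constructed for the example.
"""
from collections import defaultdict

# Hypothetical least-privilege baseline: which datasets each role is entitled to read.
ROLE_ENTITLEMENTS = {
    "media_partner_manager": {"account_public_profile"},
    "site_reliability_engineer": {"service_metrics"},
    "support_agent": {"support_tickets"},
}

# Hypothetical per-user baseline of where access normally originates.
USER_HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "US"}

# Constructed sample access log: one entry per read of a dataset.
SAMPLE_LOG = [
    {"user": "alice", "role": "media_partner_manager", "dataset": "account_public_profile", "records": 12, "country": "US"},
    {"user": "bob", "role": "site_reliability_engineer", "dataset": "service_metrics", "records": 500, "country": "US"},
    {"user": "bob", "role": "site_reliability_engineer", "dataset": "account_private_contact", "records": 4000, "country": "US"},
    {"user": "bob", "role": "site_reliability_engineer", "dataset": "account_private_contact", "records": 2500, "country": "SA"},
    {"user": "carol", "role": "support_agent", "dataset": "support_tickets", "records": 30, "country": "US"},
    {"user": "carol", "role": "support_agent", "dataset": "support_tickets", "records": 70000, "country": "US"},
]

# Hypothetical threshold: records per user per dataset in the monitored window.
VOLUME_THRESHOLD = 1000


def check_entitlement(rec):
    """Return a finding if the role is not entitled to the dataset, else None."""
    allowed = ROLE_ENTITLEMENTS.get(rec["role"], set())
    if rec["dataset"] not in allowed:
        return ("entitlement",
                f"{rec['user']} ({rec['role']}) read {rec['dataset']} without a role entitlement")
    return None


def check_location(rec):
    """Return a finding if the access came from outside the user's baseline country."""
    home = USER_HOME_COUNTRY.get(rec["user"])
    if home and rec["country"] != home:
        return ("location",
                f"{rec['user']} accessed {rec['dataset']} from {rec['country']}; baseline is {home}")
    return None


def check_volume(log, threshold=VOLUME_THRESHOLD):
    """Aggregate records per (user, dataset) and flag totals above the threshold."""
    totals = defaultdict(int)
    for rec in log:
        totals[(rec["user"], rec["dataset"])] += rec["records"]
    return [("volume", f"{user} read {count} records from {dataset} (threshold {threshold})")
            for (user, dataset), count in sorted(totals.items()) if count > threshold]


def analyze(log, threshold=VOLUME_THRESHOLD):
    """Run all checks and return a list of (kind, message) findings."""
    findings = []
    for rec in log:
        for check in (check_entitlement, check_location):
            finding = check(rec)
            if finding:
                findings.append(finding)
    findings.extend(check_volume(log, threshold))
    return findings


if __name__ == "__main__":
    for kind, message in analyze(SAMPLE_LOG):
        print(f"[{kind}] {message}")
```

On the constructed data the entitlement check fires twice for the engineer whose role grants no access to account contact data, the location check fires once for the read from outside the baseline country, and the volume check fires for both the engineer and the support agent, whose per-dataset totals far exceed the threshold. In practice the entitlement table would come from the identity system and the volume threshold from each role's historical baseline rather than a fixed constant.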
"Monitoring user activity on corporate data is not only fully accepted, it's assumed by employees," Ray says.
Few, though, implement full data monitoring, and when they do, typically only the regulated data is monitored. The reality is that unregulated data is becoming more relevant at companies as well. "Unregulated data may still be highly monetized by attackers and can have negative impact on organizations," Ray notes, "regardless of a lack of regulatory fines."