8/2/2018
10:30 AM
Mark Coates
Commentary

How GDPR Could Turn Privileged Insiders into Bribery Targets

Regulatory penalties that exceed the cost of an extortion payout may lead to a new form of ransomware. These four steps can keep you from falling into that trap.

Businesses have gone to extreme lengths to become ready for the EU's General Data Protection Regulation (GDPR). Some have flooded in-boxes with opt-in requests. Others have swarmed mobile screens with pop-ups that users are forced to click through. There has been no shortage of website banners that consumers have been required to acknowledge.

Estimates from a Forbes article show that Fortune 500 companies have invested as much as $9 billion to achieve compliance. Other analyst firms and research groups estimate that readiness spending varies between $4 million and $25 million per business, depending on size.

Despite all of these efforts, early indications show that organizations still aren't compliant. On the regulation's first day of enforcement, complaints were filed against Google and Facebook seeking penalties that could total more than $9 billion. Some major news outlets, including the Los Angeles Times, blocked EU readers from their websites rather than risk noncompliance. UK officials are warning that 5.7 million small businesses there may be in violation of the law.

News outlets have published thousands of stories about GDPR unreadiness, and it is hard to imagine that there is anything new to read about. There is: the reality of how criminals are going to use the size of GDPR fines to bribe IT workers, with privileged users as their primary targets. A privileged user is an employee, contractor, or partner whose accounts reach almost every corner of the corporate network: domain and cloud administrators, database administrators, and the people who operate the service accounts those systems run under. Edward Snowden is one of the most notable examples of what happens when a privileged user goes rogue. Why is this class of insider about to become a bribery problem? Read on.

GDPR mandates hefty penalties for companies that mishandle personal data, including by losing it in a breach. For the most serious infringements, fines can reach €20 million or 4% of a company's total worldwide annual turnover for the preceding financial year, whichever is higher. (Remember, Google and Facebook are already facing complaints seeking roughly $9 billion in fines.) This means that in many cases the penalty will far outweigh the direct cost of a breach, and criminals know it.

Rather than auction stolen data to fellow crooks for pennies, or try to extract a ransom to decrypt it, criminals will start to ransom stolen data back to the organizations they took it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the Dark Web but significantly lower than an actual GDPR fine. Paying extortion may create an ethical dilemma for companies, but on paper it will look like smart business, because the payout will be much lower than the financial penalty. That calculation is shakier than it looks: Article 33 still requires notifying the supervisory authority within 72 hours of becoming aware of a breach, so a quiet payout does not remove the reporting obligation, and the manner in which a regulator learns of an infringement is among the factors Article 83 weighs when setting the fine. None of that will stop criminals from making the offer.

Bribing Insiders
Privileged insiders are central to this scenario. Cybercriminals will be motivated to bribe them, as holders of the kingdom's keys, into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts way beyond anything ever seen in the past.

Bribing insiders will only get easier. According to Ian Thornton-Trump, cyber vulnerability and threat-hunting lead at Ladbrokes Coral Group, writing in Tripwire, GDPR privacy regulations will actually shield criminals' operations in some cases. Other studies have shown that employees are willing to sell passwords. The promise of a reduced risk of getting caught combined with getting a piece of a substantial extortion payment may be more than many people can resist. Luckily, there are steps that organizations can take to avoid falling into this trap. Here are four:

Step 1: Visibility. Privileged users have greater and deeper access to organizations' IT assets and data than anyone else. They also tend to be the savviest when it comes to understanding how systems work and, especially, how security controls and policies can be circumvented. In June 2013, The Guardian broke the story about the National Security Agency's surveillance programs based on top-secret documents supplied by Edward Snowden. Later reporting showed that Snowden used his system-administrator privileges and technical expertise to avoid detection as he moved deeper and deeper into the agency's systems. Businesses that want to avoid becoming victims of GDPR-era Snowdens need to keep an eye on what their privileged users are doing, both on and off the network.

Step 2: Alerts. Organizations need to have an early-warning system in place. Forensic investigations add value, but they follow incidents. To stop privileged users who may decide to go rogue before it's too late, businesses need tools that sound alarms when suspicious behavior occurs. The caveat is that alarm volume is not the same as early warning: many alerts are false positives, and a single out-of-pattern event (an off-hours login by an administrator who is on call, say) is usually innocent. Effective early warnings must be powered by technologies that understand behavioral context: what is normal for that user and that role, and which combinations of deviations are genuinely rare.

Step 3: Communicate. In the modern global enterprise, thousands of employees are spread across many business units, and those distributed employees include privileged users. Anyone with a stake in security and compliance within their organization should work with HR and other divisions to understand how many privileged users there are, what they are responsible for, and how they are accessing data.

Step 4: Account. Knowing who and where privileged users are is only a first step. Organizations also need to know how many privileged accounts they have, including service, shared, and contractor accounts that no longer map to a current employee, and how those accounts are being protected. In a recent survey published by privileged access account security provider Thycotic, it was revealed that up to 70% of respondents fail to fully discover privileged user accounts.
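As an added illustration of Steps 1 through 4 (example code written for this commentary, not the author's or Dtex Systems' own tooling): the script below takes a constructed directory export and reconciles it against a constructed HR roster to inventory privileged accounts, flagging one that nobody owns; it then learns each privileged user's baseline (known source addresses, span of working hours, busiest day) from constructed log lines and raises an alert only when two independent deviations coincide, so a lone off-hours login from a known host does not page anyone. Every account name, address, group name and log line is invented for the example.

```python
"""Privileged-account discovery plus baseline-and-context alerting over constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed directory export: (account, comma-separated group memberships). Not real data.
DIRECTORY_EXPORT = [
    ("admin.jsmith",   "Domain Users,Domain Admins"),
    ("svc_backup",     "Domain Users,Backup Operators"),
    ("dba.lee",        "Domain Users,db_owner"),
    ("apatel",         "Domain Users,Marketing"),
    ("old_contractor", "Enterprise Admins"),      # privileged, but HR has no record of it
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators", "db_owner"}
HR_ACTIVE = {"admin.jsmith", "svc_backup", "dba.lee", "apatel"}  # constructed HR roster

# Constructed auth log, one event per line: "<ISO time> user=<u> src=<ip> action=<a>".
# Events before CUTOFF form the baseline; events from CUTOFF onward are scored.
CUTOFF = datetime(2018, 7, 9)
AUTH_LOG = """\
2018-07-02T09:05:00 user=admin.jsmith src=10.0.0.5 action=login
2018-07-02T14:30:00 user=admin.jsmith src=10.0.0.5 action=read_share
2018-07-03T09:10:00 user=admin.jsmith src=10.0.0.5 action=login
2018-07-03T15:00:00 user=admin.jsmith src=10.0.0.5 action=read_share
2018-07-04T09:00:00 user=admin.jsmith src=10.0.0.5 action=login
2018-07-02T10:00:00 user=dba.lee src=10.0.0.8 action=login
2018-07-02T10:20:00 user=dba.lee src=10.0.0.8 action=export_db
2018-07-03T10:05:00 user=dba.lee src=10.0.0.8 action=login
2018-07-03T11:00:00 user=dba.lee src=10.0.0.8 action=export_db
2018-07-03T13:00:00 user=apatel src=10.0.0.40 action=login
2018-07-09T09:30:00 user=admin.jsmith src=10.0.0.5 action=login
2018-07-09T23:40:00 user=admin.jsmith src=10.0.0.5 action=login
2018-07-10T02:15:00 user=admin.jsmith src=203.0.113.7 action=login
2018-07-11T10:10:00 user=dba.lee src=203.0.113.9 action=export_db
2018-07-11T10:12:00 user=dba.lee src=203.0.113.9 action=export_db
2018-07-11T10:14:00 user=dba.lee src=203.0.113.9 action=export_db
2018-07-11T10:16:00 user=dba.lee src=203.0.113.9 action=export_db
2018-07-11T11:00:00 user=apatel src=203.0.113.9 action=login
"""

def discover_privileged_accounts(export, privileged_groups, hr_active):
    """Step 4: every account holding a privileged group, with 'orphaned' set when the
    HR roster (Step 3) has no record of it, e.g. a departed contractor's admin account."""
    found = {}
    for account, groups in export:
        held = {g.strip() for g in groups.split(",")} & privileged_groups
        if held:
            found[account] = {"groups": held, "orphaned": account not in hr_active}
    return found

def parse_auth_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append({"ts": datetime.fromisoformat(ts), "user": f["user"],
                       "src": f["src"], "action": f["action"]})
    return events

def build_baseline(events, privileged, cutoff):
    """Step 1: per privileged user, from pre-cutoff events, record known source IPs, the
    span of hours seen and the busiest day's event count. Production baselines would use
    weeks of history; a few days is enough to show the mechanics."""
    seen = defaultdict(lambda: {"srcs": set(), "hours": [], "daily": defaultdict(int)})
    for e in events:
        if e["user"] in privileged and e["ts"] < cutoff:
            s = seen[e["user"]]
            s["srcs"].add(e["src"])
            s["hours"].append(e["ts"].hour)
            s["daily"][e["ts"].date()] += 1
    return {u: {"srcs": s["srcs"], "hour_range": (min(s["hours"]), max(s["hours"])),
                "max_daily": max(s["daily"].values())} for u, s in seen.items()}

def score_events(events, baseline, cutoff):
    """Step 2: aggregate deviations per (user, day) and alert only when two or more distinct
    kinds coincide. A lone off-hours login from a known host stays quiet; a new source plus
    off-hours, or a new source plus a volume spike, fires."""
    daily, reasons = defaultdict(int), defaultdict(set)
    for e in events:
        if e["user"] not in baseline or e["ts"] < cutoff:
            continue
        key, b = (e["user"], e["ts"].date()), baseline[e["user"]]
        daily[key] += 1
        if e["src"] not in b["srcs"]:
            reasons[key].add("new_source")
        if not b["hour_range"][0] <= e["ts"].hour <= b["hour_range"][1]:
            reasons[key].add("off_hours")
        if daily[key] > b["max_daily"]:
            reasons[key].add("volume")
    return {k: sorted(r) for k, r in reasons.items() if len(r) >= 2}

def run_demo():
    """Run the whole pipeline over the constructed data; returns (accounts, alerts)."""
    accounts = discover_privileged_accounts(DIRECTORY_EXPORT, PRIVILEGED_GROUPS, HR_ACTIVE)
    events = parse_auth_log(AUTH_LOG)
    baseline = build_baseline(events, set(accounts), CUTOFF)
    return accounts, score_events(events, baseline, CUTOFF)

if __name__ == "__main__":
    accounts, alerts = run_demo()
    for name, info in accounts.items():
        print(f"{name}: {sorted(info['groups'])}{'  <-- not in HR roster' if info['orphaned'] else ''}")
    for (user, day), reasons in alerts.items():
        print(f"ALERT {user} {day}: {', '.join(reasons)}")
```

Run as written, the inventory lists four privileged accounts and marks old_contractor as unowned, and only two user-days alert: admin.jsmith on 2018-07-10 (new source and off-hours) and dba.lee on 2018-07-11 (new source and export volume). The 23:40 login by admin.jsmith on 2018-07-09 is off-hours but from the usual host, so it is recorded and not alerted, which is the behavioral-context point of Step 2. The two-deviation rule and the hour-span baseline are deliberately simple; a real deployment would weight the signals and learn from far more history.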

In most businesses, the vast majority of privileged users would never even think about cooperating with cybercriminals. Most are trusted, well-intentioned individuals who recognize the importance and sensitivity of the role they fill. The sad reality, though, is that there are some who will opt for a weighty payout. Security and compliance professionals need to be ready to defend against this scenario.

Mark Coates is vice president of EMEA for Dtex Systems. Mark is a seasoned leader with many years of experience in developing new markets, building high performance teams, and in helping global organizations to overcome cybersecurity and insider threat challenges. Prior to ...