
Endpoint | Commentary
8/2/2018 10:30 AM
Mark Coates

How GDPR Could Turn Privileged Insiders into Bribery Targets

Regulatory penalties that exceed the cost of an extortion payout may lead to a new form of ransomware. These four steps can keep you from falling into that trap.

Businesses have gone to extreme lengths to become ready for the EU's General Data Protection Regulation (GDPR). Some have flooded in-boxes with opt-in requests. Others have swarmed mobile screens with pop-ups that users are forced to click through. There has been no shortage of website banners that consumers have been required to acknowledge.

Estimates from a Forbes article show that Fortune 500 companies have invested as much as $9 billion to achieve compliance. Other analyst firms and research groups estimate that readiness spending varies between $4 million and $25 million per business, depending on size.

Despite all of these efforts, early indications show that organizations still aren't compliant: Regulators already have hit Google and Facebook with more than $9 billion in fines. Some major news outlets, including the Los Angeles Times, ceased online operations in the EU due to noncompliance. UK officials are warning that 5.7 million small businesses there may be in violation of the law.

News outlets have published thousands of stories about GDPR unreadiness. It's hard to imagine that there is anything new to read about. There is. It's the reality of how criminals are going to use the size of GDPR fines to successfully bribe IT workers, with privileged users being their primary targets. A privileged user is an employee, contractor, or partner with access to almost every corner of the corporate network. Edward Snowden is one of the most notable examples of what happens when a privileged user goes rogue. Why is this class of insider going to become a bribery problem? Great question — read on …

GDPR mandates hefty penalties for companies that are breached. Penalties can reach as high as 4% of a violator's annual revenue. (Remember, Google and Facebook are already facing $9 billion in fines.) This means that in many cases, penalties will far outweigh the actual cost of a breach, and criminals know it.

Rather than auction stolen data to fellow crooks for pennies or try to exact a ransom to decrypt it, criminals will start to ransom stolen data back to the organizations they heist it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the Dark Web but significantly lower than an actual GDPR breach fine. Paying extortion may create an ethical dilemma for companies, but it will make smart business sense because the payment will be much lower than the regulatory penalty.

Bribing Insiders
Privileged insiders are central to this scenario. Cybercriminals will be motivated to bribe them, as holders of the kingdom's keys, into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts way beyond anything ever seen in the past.

Bribing insiders will only get easier. According to Ian Thornton-Trump, cyber vulnerability and threat-hunting lead at Ladbrokes Coral Group, writing in Tripwire, GDPR privacy regulations will actually shield criminals' operations in some cases. Other studies have shown that employees are willing to sell passwords. The promise of a reduced risk of getting caught combined with getting a piece of a substantial extortion payment may be more than many people can resist. Luckily, there are steps that organizations can take to avoid falling into this trap. Here are four:

Step 1: Visibility. Privileged users have greater and deeper access to organizations' IT assets and data than anyone else. They also tend to be the savviest when it comes to understanding how systems work and, especially, how security controls and policies can be circumvented. Five years ago this month, The Guardian broke the story about the National Security Agency's powerful surveillance programs based on top-secret information supplied by Edward Snowden. It was eventually proven that Snowden used his technical expertise to avoid detection as he moved deeper and deeper into the agency's systems. Businesses that want to avoid becoming victims of GDPR-era Snowdens need to keep an eye out for what their privileged users are doing, both on and off the network.

Step 2: Alerts. Organizations need to have an early-warning system in place. Forensic investigations add value, but they follow incidents. To stop privileged users who may decide to go rogue before it's too late, businesses need tools that sound alarms when suspicious behaviors occur. There are some caveats. Many times, alarms end up being false positives. Effective early warnings must be powered by technologies that understand behavioral context and that know the difference between what's normal and what's not.

Step 3: Communicate. In the modern global enterprise, thousands of employees are spread across as many business units. Distributed employees include privileged users. Anyone with a stake in security and compliance within their organizations should work with HR and other divisions to understand how many privileged users there are, what they are responsible for, and how they are accessing data.

Step 4: Account. Knowing who and where privileged users are is only a first step. Organizations also need to know how many privileged user accounts they have and how they are being protected. A recent survey published by privileged account security provider Thycotic revealed that up to 70% of respondents fail to fully discover their privileged user accounts.
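As an added example (not from the article or from Dtex Systems), here is a small per-user behavioral baseline that ties step 2 and step 4 together: it learns each privileged user's usual hosts, hours and transfer sizes from a training window of audit records, then alerts on new records only when several dimensions deviate at once, or when the account has no baseline at all (an account the inventory never found). All user names, host names and log lines are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit records (not from the article): "<timestamp> <user> <host> <bytes>"
BASELINE = """\
2018-07-02T09:14:00 alice jump01 1200
2018-07-02T10:02:00 alice db02 40000
2018-07-03T14:20:00 alice db02 38000
2018-07-02T08:55:00 bob fileshare 500000
2018-07-03T17:05:00 bob fileshare 480000
""".splitlines()
RECENT = """\
2018-07-10T09:30:00 alice db02 41000
2018-07-10T02:10:00 alice hr-db 9000000
2018-07-10T18:30:00 bob fileshare 520000
2018-07-10T11:00:00 carol db02 2000
""".splitlines()

def parse(line):
    ts, user, host, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "bytes": int(nbytes)}

def build_baselines(lines):
    # Per privileged user: hosts touched, hours active, largest transfer seen.
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for ev in map(parse, lines):
        b = base[ev["user"]]
        b["hosts"].add(ev["host"])
        b["hours"].add(ev["ts"].hour)
        b["max_bytes"] = max(b["max_bytes"], ev["bytes"])
    return dict(base)

def deviations(ev, baselines):
    # List the ways one event departs from that user's own normal.
    b = baselines.get(ev["user"])
    if b is None:  # no baseline: an account the inventory (step 4) never found
        return ["no baseline for account"]
    reasons = []
    if ev["host"] not in b["hosts"]:
        reasons.append("new host " + ev["host"])
    if not min(b["hours"]) - 1 <= ev["ts"].hour <= max(b["hours"]) + 1:  # one hour of slack
        reasons.append("off-hours %02d:00" % ev["ts"].hour)
    if ev["bytes"] > 3 * b["max_bytes"]:
        reasons.append("volume %d over 3x baseline" % ev["bytes"])
    return reasons

def alerts(lines, baselines, min_deviations=2):
    # Fire only when several dimensions deviate together, or the account is unknown.
    scored = [(ev, deviations(ev, baselines)) for ev in map(parse, lines)]
    return [(ev["user"], ev["host"], r) for ev, r in scored
            if len(r) >= min_deviations or r == ["no baseline for account"]]
```

A single late login or one new host is ordinary variance and does not fire; the off-hours pull of an unusual volume from a never-before-seen host does, and so does any activity by an account with no baseline.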

In most businesses, the vast majority of privileged users would never even think about cooperating with cybercriminals. Most are trusted, well-intentioned individuals who recognize the importance and sensitivity of the role they fill. The sad reality, though, is that there are some who will opt for a weighty payout. Security and compliance professionals need to be ready to defend against this scenario.

Mark Coates is vice president of EMEA for Dtex Systems. Mark is a seasoned leader with many years of experience in developing new markets, building high performance teams, and in helping global organizations to overcome cybersecurity and insider threat challenges. Prior to ...