Insider Threats in the Real World Eavesdropping and Unauthorized Access

Transcription

1 Insider Threats in the Real World Eavesdropping and Unauthorized Access A Visual Data Security Whitepaper Prepared by: OptioLabs Camden Yards 323 West Camden Street, Suite 801 Baltimore, Maryland info@optiolabs.com Keyword: insider threat 2016 OptioLabs Inc. All rights reserved.

2 Table of Contents 1. Insider Threats in the Real World Eavesdropping: What you see is what they get Anti- Eavesdropping Legislation Incident Rates are High Threat Vectors Shoulder- Surfing Unauthorized Access Credential Misuse Examples of Breaches PrivateEye Enterprise Addresses the Threat A New Dimension in Insider Threat Prevention About OptioLabs... 10

3 1. Insider Threats in the Real World National Security Agency contractor Edward Snowden accessed the classified materials he leaked to the media using login credentials and passwords obtained unwittingly from his colleagues 1. The NSA s strong network security and encryption systems were helpless because he bypassed them completely with a simple social engineering security exploit. The impact of this insider breach on the U.S. Government has been enormous, requiring extensive effort to repair the harm caused by one individual. If such a damaging insider breach can occur at the NSA, it can happen in your organization too. The problem at the root of this breach is the absence of systems for detecting and preventing suspicious insider activity in front of the computer. Conventional information security technology only protects data inside the computer and network. Clearly this is not enough. What is also needed is a system that can recognize when the wrong people are looking at protected data, and when their activity in the real world appears to be suspicious. This whitepaper will introduce a solution to the risk present in every office where insiders can peer over their colleagues shoulders, sneak access to their computers when they walk away, and steal login credentials to pose as authorized users. We will describe the scope of threats faced by organizations and describe how OptioLabs PrivateEye Enterprise works to detect, and prevent these insider exploits. You will see how adding PrivateEye Enterprise to your current insider threat management tools will protect you against these kinds of devastating assaults Eavesdropping: What you see is what they get Studies by the Secret Service, Verizon Business, and CERT at Carnegie Mellon have found up to 50% of information security breaches are caused by insiders. 1 us- usa- security- snowden- idusbre9a

4 These are employees with an axe to grind, or who see an opportunity for financial gain. They re not easy to spot demographic analysis shows no easy pattern to finding the bad apples before they spoil. The same studies found an astonishing 42% of insider breaches involved no more than simple observation of computer screens. There were no sophisticated tools involved, just the skill to look around the office and discover the orienting information needed for a successful breach. To a social engineer intent on extracting data, the modern office reads like an open book. Over- the- shoulder reconnaissance reveals what is available, where it is, and who has access to it all the ingredients an adversary needs to succeed at a data breach. Whether it starts inside or out breaches are expensive, costing companies an average of $750,000 per incident Anti- Eavesdropping Legislation In 2010 the U.S. legal definition of Computer Trespassing was expanded to include information gained by looking at a computer screen that an individual was not authorized to view. While the new statute makes it easier to prosecute social engineers, catching or, even better, preventing them remains the primary challenge. What s lacking are technical security solutions to protect information over the last two feet of the network: from the screen to the user s eyes. 2. Incident Rates are High Your network logs show the frequency of external hacking attempts, but they don t say anything about incidents inside your offices. Don t let the absence of evidence fool you into believing you re safe. You need Figure 1: Annual Insider Fraud Incidents

5 the right tools to detect suspicious activities before you ll be able to stop them. On average, organizations experience 55 employee- related incidents per year according to the Ponemon Institute Insider Threat Report 2. Figure 1 shows how many organizations cannot determine when incidents occur. This is because they are lacking the proper tools to monitor and assess employee activity that may indicate the intent to expose sensitive data. Organizations take insider threats seriously, with 44% considering insider fraud to be the top security priority. A closer look at the methods used by insiders to breach security shows the need for improved security tools to match the threat. The Ponemon report also reveals the most prevalent techniques used to subvert security in Figure 2. Notably, misusing a co- worker s credentials tops the list. Figure 2: Insider Threat Techniques 3. Threat Vectors The major holes most organizations need to patch are caused by credential misuse, unauthorized access, and shoulder- surfing: 2 2/49

6 3.1. Shoulder- Surfing Shoulder surfing is the easiest way to compromise data without leaving a trail. Simply looking over a colleague s shoulder while he s working can reveal a lot of valuable information. It does not matter how good your network security and access control is data on display is vulnerable to unauthorized use. Over- the- shoulder observation puts only a fraction of the total data available at risk, but it is often the most important, topical, and timely data that will be found on colleagues terminals. Visual eavesdropping is most often used for reconnaissance revealing what data is available, where it is, and who has access to it. Using these clues an adversary can plan and execute a damaging breach. Traditional security tools cannot detect or stop a shoulder- surfing attack. An organization can raise awareness of these social engineering techniques with regular employee education, but cannot stop a motivated attacker. What is needed is a technology that can identify when shoulder- surfers are present and prevent them from observing the screen Unauthorized Access Employees are told to lock their systems when they are away from their desks to prevent unauthorized access. Organizations may be lucky to reach 60% compliance with this goal. When the user forgets, and they always do eventually, an attacker can use the computer as if he was the user. This kind of breach can cause significant loss. It s easy for an attacker to access any file or application on the machine. It takes only a couple of minutes to send an containing sensitive data somewhere it s not meant to be. As far as conventional security systems are concerned, in these breaches the attacker is the authorized user. What is needed is a technology that can detect when the wrong person is using the authorized user s account Credential Misuse NSA contractor Edward Snowden used his colleagues login credentials and passwords to gain access to some of the classified information he leaked to the media. When an attacker has the credentials to pose as the authorized user he can achieve the most significant breaches. Unlike the scenario above,

7 where the attacker has presumably limited time and opportunity, through credential misuse he can take all the time he needs to steal confidential or classified records. He can send s, post documents to external sites, print, and even change documents at leisure without being detected. To prevent this most damaging type of attack, organizations need a biometric factor to identify authorized users and detect when credentials are being misused. 4. Examples of Breaches There are many cases where highly confidential information has been exposed on computer displays. A quick tour around any modern office will confirm that on- screen data is entirely vulnerable to insider viewing and that there are frequent opportunities for unauthorized access. Several high profile cases have been publicized, including these: Army Private Bradley Manning received a 35 year sentence following his conviction for leaking a vast trove of military and diplomatic secrets to Wikileaks. He copied more than 700,000 sensitive documents while working as a junior intelligence analyst near Baghdad in A senior government executive in the UK fell asleep on a commuter train leaving highly sensitive information displayed on his screen, including one on Al Qaeda vulnerabilities 4. Another passenger took photographs of the information the screen, which were then published in the national media. A Bank of America branch in downtown St. Petersburg Florida exposed their client s banking records for an extended period of time to people walking by in the street. The branch had arranged their computer displays so they were visible through the street- level windows manning- sentenced- 35- years- leaking- secrets/story?id= /The- zzzzivil- servant- fell- asleep- train- laptop- secrets- view.html 5 fix- to- bank- security- breach- close- the- blinds/

8 NSA Analyst Edward Snowden copied and released as many as 200,000 sensitive NSA documents by using colleagues credentials to access their accounts without permission. 6 This approach gave him access to far more documents than his clearance level would allow. 5. PrivateEye Enterprise Addresses the Threat OptioLabs PrivateEye Enterprise has a powerful set of real- world insider threat prevention and detection capabilities. The product addresses the threat of unauthorized insider access to displays and unattended workstations, and gives organizations a tool to monitor and respond to incidents they would otherwise miss. PrivateEye Enterprise uses computer vision to detect suspicious behavior in front of the computer and then sends alerts to the System Event Log or 3 rd party SIEM tools where it can be used to identify and analyze incidents. Using a secured webcam as input, the system distinguishes authorized users from unauthorized users, and discovers visual eavesdroppers. PrivateEye protects against the worst of the insider breaches described above, and provides security analysts with a valuable record for dealing with compliance problems. Of particular value for incident management is the ability to capture and store pictures of the individuals present whenever suspicious activity is discovered. In the Edward Snowden case his misuse of login credentials would have been detected by PrivateEye s background user identity checking. PrivateEye quietly checks to ensure that the person using the workstation looks like the expected user. It performs this check periodically as long as a person is present. When Snowden went to use his colleagues credentials, PrivateEye would have immediately sent an Intruder alert and stored pictures of the person accessing the system. 6 us- usa- security- snowden- idusbre9a

9 Figure 3: Eavesdropper Capture In the cases of the UK government and Bank of America over- the- shoulder data breaches, PrivateEye s eavesdropper detection feature would alert and store pictures of any potential eavesdroppers discovered looking at the screen from behind the authorized user. Frequent Eavesdropper alerts indicate possible systemic or targeted threats. It could be that a sensitive system is being used in an insecure area where passers- by have too- easy access to the display. It could also indicate that a single individual insider is systematically targeting a display attempting to steal information. PrivateEye enables IT staff to identify these scenarios and stores information on the suspect individuals to help with remediation. PrivateEye Enterprise also offers an optional protective mode to actively Figure 4: Automatic Screen Protection prevent data from being observed by unauthorized people. In protective mode, the system only permits users who are identified with face recognition to view the display. When the authorized user looks away, or leaves the area, the screen is

10 protected so that no- one else can view it. The system will also warn the user whenever eavesdroppers are detected by showing the eavesdropper s face on the display in a small pop- up video window, like an intelligent rear- view mirror. Organizations can choose to use the new capabilities in an analytic- only mode, or can also deploy the protective mode on some or all workstations. 6. A New Dimension in Insider Threat Prevention Bank robbers rob banks because That s where the money is., and insiders access displays because they are the easiest path to the data. Conventional protections like VPNs and disk encryption do not protect your secrets when they are visible on the display. PrivateEye Enterprise s situational awareness capabilities close that gap and give you the tools you need to reduce and resolve insider threat incidents. 7. About OptioLabs Computer screens are the last unprotected frontier in information security. You secure your networks and your hard drives, but how do you secure displayed data from unauthorized viewers? Prying eyes are everywhere from insider threats in the office to competitors in the airport. Developed by a team of security experts, PrivateEye Enterprise from OptioLabs is security software for organizations that need to control proprietary and regulated information displayed on Windows desktops, laptops, and tablets. PrivateEye Enterprise actively prevents visual eavesdroppers by blurring the display on a device whenever an authorized user is not paying attention. It looks for potential visual eavesdroppers nearby and will warn the user or automatically protect the display whenever one is detected. It s convenient for the user, automatically recognizing their faces so that they don t have to type passwords, but it is tough on potential intruders. Anyone attempting to break in to an unattended workstation will have their picture taken and recorded in an audit log. For enterprises needing to comply with regulations, PrivateEye Enterprise s audit trail gives a whole new level of evidence that can be used to prove data on displays is continuously protected against unauthorized disclosure. PrivateEye Enterprise is a product you can depend on to protect your data.

11 OptioLabs develops transformational security products for the mobile enterprise and embedded systems. Led by a world- class team of technologists, and leveraging innovations developed for national security protocols, OptioLabs has pioneered game- changing advanced security solutions for the world's leading mobile platforms. With offices in Baltimore and Nashville, Tennessee, OptioLabs customers include federal agencies, commercial enterprises, and device manufacturers. Contact sales@optiolabs.com West Camden Street Suite 801 Baltimore, Maryland Download a free trial of PrivateEye Enterprise at OptioLabs Inc.