Insider Threats in the Real World: Eavesdropping and Unauthorized Access
A Visual Data Security Whitepaper
Prepared by: OptioLabs, Camden Yards, 323 West Camden Street, Suite 801, Baltimore, Maryland 21201, info@optiolabs.com, www.optiolabs.com
Keyword: insider threat
2016 OptioLabs Inc. All rights reserved.
Table of Contents
1. Insider Threats in the Real World
1.1. Eavesdropping: What you see is what they get
1.2. Anti-Eavesdropping Legislation
2. Incident Rates are High
3. Threat Vectors
3.1. Shoulder-Surfing
3.2. Unauthorized Access
3.3. Credential Misuse
4. Examples of Breaches
5. PrivateEye Enterprise Addresses the Threat
6. A New Dimension in Insider Threat Prevention
7. About OptioLabs
1. Insider Threats in the Real World

National Security Agency contractor Edward Snowden accessed the classified materials he leaked to the media using login credentials and passwords obtained from unwitting colleagues [1]. The NSA's strong network security and encryption systems were of no help, because he bypassed them completely with a simple social engineering exploit. The impact of this insider breach on the U.S. Government has been enormous, requiring extensive effort to repair the harm caused by one individual. If such a damaging insider breach can occur at the NSA, it can happen in your organization too.

The problem at the root of this breach is the absence of systems for detecting and preventing suspicious insider activity in front of the computer. Conventional information security technology only protects data inside the computer and the network. Clearly this is not enough. What is also needed is a system that can recognize when the wrong people are looking at protected data, and when their activity in the real world appears suspicious.

This whitepaper introduces a solution to the risk present in every office where insiders can peer over their colleagues' shoulders, sneak access to their computers when they walk away, and steal login credentials to pose as authorized users. We describe the scope of the threats organizations face and how OptioLabs PrivateEye Enterprise works to detect and prevent these insider exploits. You will see how adding PrivateEye Enterprise to your current insider threat management tools protects you against these kinds of devastating assaults.

1.1. Eavesdropping: What you see is what they get

Studies by the Secret Service, Verizon Business, and CERT at Carnegie Mellon have found that up to 50% of information security breaches are caused by insiders.

[1] http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idusbre9a703020131108
These are employees with an axe to grind, or who see an opportunity for financial gain. They are not easy to spot: demographic analysis shows no easy pattern for finding the bad apples before they spoil. The same studies found that an astonishing 42% of insider breaches involved no more than simple observation of computer screens. No sophisticated tools were involved, just the skill to look around the office and discover the orienting information needed for a successful breach. To a social engineer intent on extracting data, the modern office reads like an open book. Over-the-shoulder reconnaissance reveals what is available, where it is, and who has access to it: all the ingredients an adversary needs to succeed at a data breach. Whether it starts inside or out, a breach is expensive, costing companies an average of $750,000 per incident.

1.2. Anti-Eavesdropping Legislation

In 2010 the U.S. legal definition of computer trespassing was expanded to include information gained by looking at a computer screen that an individual was not authorized to view. While the new statute makes it easier to prosecute social engineers, catching or, better still, preventing them remains the primary challenge. What is lacking are technical security solutions that protect information over the last two feet of the network: from the screen to the user's eyes.

2. Incident Rates are High

Your network logs show the frequency of external hacking attempts, but they say nothing about incidents inside your offices. Do not let the absence of evidence fool you into believing you are safe. You need the right tools to detect suspicious activities before you will be able to stop them.

Figure 1: Annual Insider Fraud Incidents

On average, organizations experience 55 employee-related incidents per year according to the Ponemon Institute Insider Threat Report [2]. Figure 1 shows how many organizations cannot determine when incidents occur. This is because they lack the proper tools to monitor and assess employee activity that may indicate an intent to expose sensitive data. Organizations take insider threats seriously, with 44% considering insider fraud to be their top security priority. A closer look at the methods insiders use to breach security shows the need for improved security tools to match the threat. The Ponemon report also reveals the most prevalent techniques used to subvert security (Figure 2). Notably, misusing a co-worker's credentials tops the list.

Figure 2: Insider Threat Techniques

3. Threat Vectors

The major holes most organizations need to patch are caused by credential misuse, unauthorized access, and shoulder-surfing:

[2] http://www.ponemon.org/news-2/49
3.1. Shoulder-Surfing

Shoulder surfing is the easiest way to compromise data without leaving a trail. Simply looking over a colleague's shoulder while he is working can reveal a lot of valuable information. It does not matter how good your network security and access control are: data on display is vulnerable to unauthorized use. Over-the-shoulder observation puts only a fraction of the total data at risk, but it is often the most important, topical, and timely data that is found on colleagues' terminals. Visual eavesdropping is most often used for reconnaissance, revealing what data is available, where it is, and who has access to it. Using these clues an adversary can plan and execute a damaging breach. Traditional security tools cannot detect or stop a shoulder-surfing attack, because nothing about it touches the network or the file system. An organization can raise awareness of these social engineering techniques with regular employee education, but education alone cannot stop a motivated attacker. What is needed is a technology that can identify when shoulder-surfers are present and prevent them from observing the screen.

3.2. Unauthorized Access

Employees are told to lock their systems when they are away from their desks to prevent unauthorized access. Organizations may be lucky to reach 60% compliance with this goal. When a user forgets, and they always do eventually, an attacker can use the computer as if he were the user. This kind of breach can cause significant loss. It is easy for an attacker to access any file or application on the machine, and it takes only a couple of minutes to send an email containing sensitive data somewhere it is not meant to be. As far as conventional security systems are concerned, in these breaches the attacker is the authorized user: every action is logged under the victim's account. What is needed is a technology that can detect when the wrong person is using the authorized user's account.

3.3. Credential Misuse

NSA contractor Edward Snowden used his colleagues' login credentials and passwords to gain access to some of the classified information he leaked to the media. When an attacker has the credentials to pose as an authorized user he can achieve the most significant breaches. Unlike the unattended-workstation scenario above, where the attacker has limited time and opportunity, through credential misuse he can take all the time he needs to steal confidential or classified records. He can send emails, post documents to external sites, print, and even alter documents at leisure without being detected. To prevent this most damaging type of attack, organizations need a biometric factor that identifies authorized users and detects when credentials are being misused.

4. Examples of Breaches

There are many cases where highly confidential information has been exposed on computer displays. A quick tour around any modern office will confirm that on-screen data is entirely vulnerable to insider viewing and that there are frequent opportunities for unauthorized access. Several high-profile cases have been publicized, including these:

Army Private Bradley Manning received a 35-year sentence following his conviction for leaking a vast trove of military and diplomatic secrets to Wikileaks. He copied more than 700,000 sensitive documents while working as a junior intelligence analyst near Baghdad in 2010 [3].

A senior government executive in the UK fell asleep on a commuter train, leaving highly sensitive information displayed on his screen, including a document on Al Qaeda vulnerabilities [4]. Another passenger photographed the information on the screen, and the photographs were then published in the national media.

A Bank of America branch in downtown St. Petersburg, Florida exposed clients' banking records for an extended period to people walking by in the street. The branch had arranged its computer displays so that they were visible through the street-level windows [5].

[3] http://abcnews.go.com/politics/bradley-manning-sentenced-35-years-leaking-secrets/story?id=20021288
[4] http://www.dailymail.co.uk/news/article-1082375/The-zzzzivil-servant-fell-asleep-train-laptop-secrets-view.html
[5] http://www.tampabay.com/features/consumer/simple-fix-to-bank-security-breach-close-the-blinds/1139356
NSA contractor Edward Snowden copied and released as many as 200,000 sensitive NSA documents by using colleagues' credentials to access their accounts without permission [6]. This approach gave him access to far more documents than his own clearance level would allow.

5. PrivateEye Enterprise Addresses the Threat

OptioLabs PrivateEye Enterprise has a powerful set of real-world insider threat prevention and detection capabilities. The product addresses the threat of unauthorized insider access to displays and unattended workstations, and gives organizations a tool to monitor and respond to incidents they would otherwise miss. PrivateEye Enterprise uses computer vision to detect suspicious behavior in front of the computer and then sends alerts to the System Event Log or to third-party SIEM tools, where they can be used to identify and analyze incidents. Using a secured webcam as input, the system distinguishes authorized users from unauthorized users, and discovers visual eavesdroppers. PrivateEye protects against the worst of the insider breaches described above, and provides security analysts with a valuable record for dealing with compliance problems. Of particular value for incident management is the ability to capture and store pictures of the individuals present whenever suspicious activity is discovered.

In the Edward Snowden case, his misuse of login credentials could have been detected by PrivateEye's background user identity checking. PrivateEye quietly checks that the person using the workstation looks like the expected user, and repeats this check periodically as long as a person is present. When Snowden went to use a colleague's credentials, PrivateEye would have immediately sent an Intruder alert and stored pictures of the person accessing the system.

[6] http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idusbre9a703020131108
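Section 5 says PrivateEye writes Intruder and Eavesdropper alerts to the event log or a SIEM, and that frequent Eavesdropper alerts on one display point either to an insecure location or to a single insider working that screen. The Python below is an added example of how an analyst might triage such alerts once they reach a SIEM; it is not OptioLabs code. The JSON-lines alert layout, the host/user/alert field names and the "subject" face-match identifier are all assumptions (the whitepaper does not document the product's real event schema), and the alert records are constructed for the example.

```python
"""Triage of PrivateEye-style display-security alerts forwarded to a SIEM.

Added example, not OptioLabs code. The JSON-lines layout and the "subject"
field (an ASSUMED identifier the pipeline assigns when the same captured face
is matched across alerts) are assumptions; the whitepaper does not document
the product's real event schema.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical schema). The last line is
# deliberately malformed: a bad record must not abort the whole triage run.
SAMPLE_ALERTS = """\
{"ts": "2016-03-01T09:02:11", "host": "WS-LOBBY-01", "user": "jdoe", "alert": "Eavesdropper", "subject": "face-17"}
{"ts": "2016-03-01T09:40:03", "host": "WS-LOBBY-01", "user": "jdoe", "alert": "Eavesdropper", "subject": "face-22"}
{"ts": "2016-03-01T10:15:48", "host": "WS-LOBBY-01", "user": "jdoe", "alert": "Eavesdropper", "subject": "face-31"}
{"ts": "2016-03-01T11:01:30", "host": "WS-LOBBY-01", "user": "jdoe", "alert": "Eavesdropper", "subject": null}
{"ts": "2016-03-01T09:10:00", "host": "WS-FIN-07", "user": "asmith", "alert": "Eavesdropper", "subject": "face-05"}
{"ts": "2016-03-01T13:22:10", "host": "WS-FIN-07", "user": "asmith", "alert": "Eavesdropper", "subject": "face-05"}
{"ts": "2016-03-02T08:55:41", "host": "WS-FIN-07", "user": "asmith", "alert": "Eavesdropper", "subject": "face-05"}
{"ts": "2016-03-02T16:03:19", "host": "WS-FIN-08", "user": "bwong", "alert": "Intruder", "subject": "face-05"}
{"ts": "2016-03-03T07:45:02", "host": "WS-FIN-09", "user": "clee", "alert": "Intruder", "subject": "face-05"}
{"ts": "2016-03-03T12:00:00", "host": "WS-HR-02", "user": "dkim", "alert": "Intruder", "subject": "face-40"}
not json at all
"""


def parse_alerts(text):
    """Parse JSON-lines alerts. Returns (alerts, malformed_line_count)."""
    alerts, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            if rec["alert"] not in ("Intruder", "Eavesdropper"):
                raise ValueError("unknown alert type")
            alerts.append(rec)
        except (ValueError, KeyError, TypeError):
            malformed += 1  # json.JSONDecodeError is a ValueError subclass
    return alerts, malformed


def triage_eavesdroppers(alerts, window=timedelta(days=7), min_alerts=3):
    """Classify each host with >= min_alerts Eavesdropper alerts inside a
    sliding time window.

    "systemic": several different (or unmatched) faces; the display is
                probably sited where passers-by can see it.
    "targeted": one matched face accounts for more than half of the
                alerts; an individual is repeatedly working that screen.
    """
    by_host = defaultdict(list)
    for a in alerts:
        if a["alert"] == "Eavesdropper":
            by_host[a["host"]].append(a)

    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        best, start = [], 0
        for end in range(len(hits)):          # densest run within `window`
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = hits[start:end + 1]
        if len(best) < min_alerts:
            continue
        faces = Counter(a["subject"] for a in best if a["subject"])
        top, top_n = faces.most_common(1)[0] if faces else (None, 0)
        if top_n * 2 > len(best):
            findings.append({"host": host, "kind": "targeted",
                             "alerts": len(best), "subject": top})
        else:
            findings.append({"host": host, "kind": "systemic",
                             "alerts": len(best), "subject": None})
    return findings


def triage_intruders(alerts):
    """Every Intruder alert is an incident on its own. Additionally flag a
    matched face caught using two or more different users' accounts: the
    credential-misuse pattern the whitepaper describes."""
    accounts = defaultdict(set)
    for a in alerts:
        if a["alert"] == "Intruder" and a["subject"]:
            accounts[a["subject"]].add(a["user"])
    return [{"subject": s, "accounts": sorted(u)}
            for s, u in sorted(accounts.items()) if len(u) >= 2]


def escalate(alerts):
    """Join both views: a face that is a targeted eavesdropper on one display
    and a multi-account intruder elsewhere has moved from reconnaissance
    (section 3.1) to credential misuse (section 3.3)."""
    watch = {f["subject"] for f in triage_eavesdroppers(alerts)
             if f["kind"] == "targeted"}
    return [i["subject"] for i in triage_intruders(alerts)
            if i["subject"] in watch]


if __name__ == "__main__":
    parsed, bad = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(parsed)} alerts parsed, {bad} malformed line(s) skipped")
    for f in triage_eavesdroppers(parsed):
        print("eavesdropping:", f)
    for i in triage_intruders(parsed):
        print("credential misuse:", i)
    print("escalate:", escalate(parsed))
```

The thresholds (three alerts in seven days, a single face above 50% of a host's alerts) are illustrative starting points, not values from the product; tune them against a baseline of your own floor plan, since a lobby kiosk and a finance workstation should not share one rule.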
Figure 3: Eavesdropper Capture

In the cases of the UK government and Bank of America over-the-shoulder data breaches, PrivateEye's eavesdropper detection feature would alert and store pictures of any potential eavesdroppers discovered looking at the screen from behind the authorized user. Frequent Eavesdropper alerts indicate possible systemic or targeted threats. It could be that a sensitive system is being used in an insecure area where passers-by have too-easy access to the display. It could also indicate that a single insider is systematically targeting a display in an attempt to steal information. PrivateEye enables IT staff to identify these scenarios and stores information on the suspect individuals to help with remediation.

Figure 4: Automatic Screen Protection

PrivateEye Enterprise also offers an optional protective mode to actively prevent data from being observed by unauthorized people. In protective mode, the system only permits users who are identified with face recognition to view the display. When the authorized user looks away, or leaves the area, the screen is
protected so that no one else can view it. The system also warns the user whenever eavesdroppers are detected by showing the eavesdropper's face on the display in a small pop-up video window, like an intelligent rear-view mirror. Organizations can choose to use these capabilities in an analytic-only mode, or can also deploy the protective mode on some or all workstations.

6. A New Dimension in Insider Threat Prevention

Bank robbers rob banks because "that's where the money is", and insiders access displays because they are the easiest path to the data. Conventional protections like VPNs and disk encryption do not protect your secrets while they are visible on the display. PrivateEye Enterprise's situational awareness capabilities close that gap and give you the tools you need to reduce and resolve insider threat incidents.

7. About OptioLabs

Computer screens are the last unprotected frontier in information security. You secure your networks and your hard drives, but how do you secure displayed data from unauthorized viewers? Prying eyes are everywhere, from insider threats in the office to competitors in the airport. Developed by a team of security experts, PrivateEye Enterprise from OptioLabs is security software for organizations that need to control proprietary and regulated information displayed on Windows desktops, laptops, and tablets. PrivateEye Enterprise actively prevents visual eavesdropping by blurring the display whenever the authorized user is not paying attention. It looks for potential visual eavesdroppers nearby and will warn the user or automatically protect the display whenever one is detected. It is convenient for the user, automatically recognizing their face so that they do not have to type passwords, but it is tough on potential intruders. Anyone attempting to break in to an unattended workstation will have their picture taken and recorded in an audit log.
For enterprises that need to comply with regulations, PrivateEye Enterprise's audit trail gives a whole new level of evidence that can be used to demonstrate that data on displays is continuously protected against unauthorized disclosure. PrivateEye Enterprise is a product you can depend on to protect your data.
OptioLabs develops transformational security products for the mobile enterprise and embedded systems. Led by a world-class team of technologists, and leveraging innovations developed for national security protocols, OptioLabs has pioneered game-changing advanced security solutions for the world's leading mobile platforms. With offices in Baltimore and Nashville, Tennessee, OptioLabs customers include federal agencies, commercial enterprises, and device manufacturers.

Contact: sales@optiolabs.com, 443-275-9253, 323 West Camden Street, Suite 801, Baltimore, Maryland 21201

Download a free trial of PrivateEye Enterprise at http://.