Two people lost $8.1 billion for their companies, while two others compromised the security of the United States. Internal data breaches are not to be taken lightly.
The names Jerome Kerviel and Nick Leeson may sound familiar; between them they lost $8.1 billion, Kerviel at Societe Generale and Leeson at Barings. Leeson put Barings, an investment bank that had been in business for more than 200 years, out of business. Societe Generale was able to absorb the losses. Both went to jail.
Bradley Edward Manning (now known as Chelsea Elizabeth Manning) was an intelligence analyst in Iraq with access to classified databases. He passed videos of bombings in Iraq and Afghanistan, almost a quarter of a million U.S. diplomatic cables, and half a million Army reports to WikiLeaks.
Manning was sentenced to 35 years in jail.
Edward Snowden worked at the National Security Agency as a contractor for Dell and Booz Allen Hamilton. He handpicked a few journalists to whom he released his information about global surveillance programs run by the NSA with the cooperation of global telcos and European governments. Snowden is still in Russia, seeking asylum elsewhere.
Four people, billions of dollars and untold scores of government secrets – all thanks to internal breaches in data access governance.
Kerviel and Leeson wreaked their havoc thanks to negligence in compliance. Both had permission both to approve and to execute trades, with no tracking and no enforcement whatsoever of separation of duties (SOD).
Manning simply downloaded data onto a CD-RW then copied it onto a personal computer. Had a data access governance system been in place, administrators and management would have been alerted that material was being copied from the network.
Snowden was a contractor, not an employee. Access controls were not in place. He was able to access – and did – more than he should have. No one caught it, obviously.
Admittedly, internal breaches on this scale are hopefully not happening at your organization, but internal breaches are happening nevertheless. According to Verizon's latest report, internal data breaches have been growing at a steady rate. The same report explains that 88 percent of insider breaches are from privilege abuse – that is, from people having inappropriate access.
Not every employee should have the right to access every resource. Without robust data governance, it's difficult to know who has done what and when, from where and how – and whether they were supposed to be doing it in the first place.
Ignorance is definitely not bliss. Just ask any of the regulatory agencies. Companies of all sizes should:
- Understand who can access which types of data, via what means, and within what parameters (time of day, department, location, etc.).
- Determine what data is sensitive and whether it is overexposed.
- Review and authorize access, both by context and content.
- Monitor who is actually accessing the data.
- Detect unauthorized access in real time.
- Track data access patterns.
- Be able to perform forensics after the fact.
- Determine what compliance controls have been violated and by whom.
Steps for protection are fairly straightforward:
- Eliminate stale permissions. This isn't just a way to clean out the files; it is a critical step in reducing threat vectors, especially those from the inside.
- Combine enhanced permissions management with data classification. This adds an additional level of compliance control and security by ensuring that only approved personnel have access to, or can modify, certain information.
- Manage exceptions, because managing exceptions is key to managing risk. Check that each access requirement matches up to clearly defined security parameters, and be able to respond in real time when it doesn't.
- Run periodic access reviews – “surprise” checks, as it were – to determine who is accessing what, who has what permissions to access what, and whose access permissions should change.
Meanwhile, strong internal controls on SOD will further strengthen the barriers to breaches from within.
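As an added illustration (not code from the original article or from Whitebox Security), the following Python audit runs three of the checks described above over constructed data: the SOD conflict that let Kerviel and Leeson both approve and execute their own trades, access outside a user's granted entitlements (privilege abuse), and stale permissions surfaced by a periodic access review. All user names, resource names and dates are constructed for the example.

```python
"""Insider-risk checks over constructed data: SOD, privilege abuse, stale permissions."""
from collections import defaultdict
from datetime import date

# Constructed entitlements: user -> resources the user is permitted to reach
ENTITLEMENTS = {
    "alice": {"trades/approve", "hr/payroll"},
    "bob": {"trades/execute"},
    "carol": {"trades/approve", "trades/execute"},
}

# Constructed access log: (day, user, resource actually accessed)
ACCESS_LOG = [
    (date(2024, 1, 10), "alice", "hr/payroll"),   # last touched months ago
    (date(2024, 5, 1), "alice", "trades/approve"),
    (date(2024, 5, 2), "bob", "trades/execute"),
    (date(2024, 5, 2), "bob", "hr/payroll"),      # bob was never granted payroll
    (date(2024, 5, 3), "carol", "trades/approve"),
]

# Constructed trade workflow events: (trade_id, action, user)
TRADE_EVENTS = [
    ("T1", "approve", "alice"), ("T1", "execute", "bob"),
    ("T2", "approve", "carol"), ("T2", "execute", "carol"),  # one person on both sides
]
REVIEW_DATE = date(2024, 5, 20)  # constructed date of the periodic access review

def sod_violations(events):
    """Trade ids where the same user both approved and executed the trade."""
    actors = defaultdict(lambda: defaultdict(set))
    for trade, action, user in events:
        actors[trade][action].add(user)
    return sorted(t for t, a in actors.items() if a["approve"] & a["execute"])

def privilege_abuse(log, entitlements):
    """Accesses to resources the user holds no entitlement for."""
    return [(u, r) for _, u, r in log if r not in entitlements.get(u, set())]

def stale_permissions(log, entitlements, today, max_idle_days=30):
    """Granted permissions never exercised, or idle longer than max_idle_days."""
    last_used = {}
    for day, u, r in log:
        last_used[(u, r)] = max(day, last_used.get((u, r), day))
    return [(u, r) for u, perms in entitlements.items() for r in sorted(perms)
            if (u, r) not in last_used or (today - last_used[(u, r)]).days > max_idle_days]

if __name__ == "__main__":
    print("SOD violations:", sod_violations(TRADE_EVENTS))
    print("Privilege abuse:", privilege_abuse(ACCESS_LOG, ENTITLEMENTS))
    print("Stale permissions:", stale_permissions(ACCESS_LOG, ENTITLEMENTS, REVIEW_DATE))
```

In a real deployment the entitlements and log would come from the identity store and file or application audit trails, and each finding would feed the access review rather than a print statement.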
While internal breaches don't occur with the same level of frequency as external attacks, the damage from an internal breach can bring down the company – or even compromise a country's security.
Maor Goldberg founded Whitebox Security after recognizing access governance as a critical tool for securing organizations' petabytes of data over which they previously had little control. Mr. Goldberg cultivated his significant security experience as a member of the Israel Defense Forces, where he served as head of the security and networking section, among other roles.