Is it me or has the term “insider threat” disappeared from security marketing vernacular? Clearly insiders are still doing their thing. Check out a recent example of insider fraud at Bank of America. The perpetrator was a phone technical support rep, who would steal account records when someone called for help. Awesome.
Of course, the guy got caught. Evidently trying to sell private sensitive information to an undercover FBI agent is risky. It is good to see law enforcement getting ahead of some issues, but I suspect for every one of these happy endings (since no customers actually lost anything) there are hundreds who get away with it. It’s a good idea to closely monitor your personal banking and credit accounts, and make sure you have an identity theft response plan. Unfortunately it’s not if, but when it happens to you.
Let’s put our corporate security hats back on and remember the reality of our situation. Some attacks cannot be defended against – not proactively, anyway. This crime was committed by a trusted employee with access to sensitive customer data. BofA could not do business without giving folks access to sensitive data. So locking down the data isn’t an answer. It doesn’t seem he used a USB stick or any other technical device to exfiltrate the data, so there isn’t a specific technical control that would have made a difference.
No product can defend against an insider with access and a notepad. The good news is that insiders with notepads don’t scale very well, but that gets back to risk management and spending wisely to protect the most valuable assets from the most likely attack vectors. So even though the industry isn’t really talking about insider threats much anymore (we’ve moved on to more relevant topics like cloud security), fraud from insiders is still happening and always will. Always remember there is no 100% security, so revisit that incident response plan often.
2 Replies to “Insider Threat Alive and Well”
Could bring up a nice discussion on how physical law enforcement compares to digital. Do police try to stop all burglaries? Nope. But they do try to catch criminals when they talk, shop their wares around, or are just habitual and already on “lists.” They usually do pretty good in those regards. The IRS can also step in when someone is grossly living beyond their means (outliers).
If this bloke had just stolen the cards and used them himself (in a smart, non-trackable/non-habitual way), catching him would have been difficult.
It’s unfortunate that “stealing” information is simply copying it. Makes the trigger of “I’ve been robbed!” far less obvious.
Spot on, Mike. In fact, look at lots of the “outsider attacks” (phishing, hacks, keystroke loggers, etc.) and you find that all they are really trying to do is *become* an insider by gaining an insider’s credentials. The people you trust on your systems are the ones most likely to do something to get you into trouble (whether they do it accidentally or on purpose).