Protect Your Data Against The Insider Threat
BIS: Where is one of the places insider threats remain unchecked at Financial Institutions?
COLE: In a bank or credit union, one area Iâ€™ve seen hit most is at the mid to lower manager levels of operations areas, such as teller supervisors, or in the processing areas. They are typically the ones who have 20 or 30 tellers working under them and so have a good amount of account data to tap into. While many Financial Institutions look at the VP level or higher director levels to screen access, or at the teller level, to look at theft losses, the mid level managers have some pretty intense access. Iâ€™ve seen itâ€™s the one in the middle, that is causing the most damage.
BIS: What about catching a potential insider threat employee during the background check?
COLE: Any area where youâ€™re hiring someone, even a teller, where youâ€™re not hiring someone with three masters degrees, there are some things to look for. Length of work record, especially if theyâ€™ve worked at other institutions is a good indicator for hiring managers and HR. Having said that, getting a job as a teller in some growth areas isnâ€™t as hard as it may sound. Of the last three banks I visited, they had ads in their lobby, saying they were hiring tellers. So many banks and credit unions are actively hiring for teller positions.
One thing I will add, just thinking that a teller will take money is not the entire scenario. Tellers do have access to customer account information, including customer account numbers. Imagine a customer comes in, fills out a deposit slip, and then the teller tells them, â€˜Can you write out your account number on this slip of paper because I canâ€™t make out the numbers on the deposit slip?â€™ Then once done, the teller slips the slip of paper into their pocket, and no one is the wiser. By writing it down, itâ€™s only a duplicate copy, they didnâ€™t do anything suspicious. After 20 or more account numbers are taken this way, the teller then gives this information to a third party to siphon off money through withdrawals at a different branch. And to track that loss via a third party conspirator all the way back to an individual teller would be hard, not unless there was only one transaction made. So donâ€™t just think that tellers should be watched for monetary theft, itâ€™s the data theft that also may be happening.
BIS: What are some of the most overlooked insider attack vectors at Financial Institutions?
COLE: I would say that the most overlooked insider attack vectors, especially in Financial Institutions â€“ is not controlling access properly. Moving up the ladder from tellers, many managers have access to a lot more information than what they need to do their job.
They can log in and go into a system, and bring up entire account information and account histories. For example, one insider theft case that I worked on involved the manager of the tellers at the institution. She looked for dormant activity accounts, usually with assets of $80,000 or more. Typically these accounts were owned by elderly people or retirees who kept their retirement savings in checking or savings accounts but rarely drew money out of these accounts or checked their balances. This manager went into these accounts and turned off the automatic statement mailings that would be mailed each month, and later she went and slowly skimmed money off the accounts.
How would the bank know that something like this is happening, especially if a manager was given full access to accounts? The rule of least privilege is the answer for this, grant access to only the information needed to perform their job functions, and break up the amount of information being accessed on accounts over several positions.
BIS: What are some other areas financial institutions should look at within their operations when mitigating the insider threat?
COLE: Iâ€™ve already mentioned improper access and separation of duties, the second most troubling issue Iâ€™ve seen is the porous data streaming across different areas at institutions. Data is everywhere, available at different locations, across branches and by remote access. Data is strapped to the waist of mobile professionals on their PDAs, on laptops and even email has sensitive information that if not properly encrypted, could fall into the hands of an insider.
I also would want to stress: Pay attention to the perimeter, and watch whatâ€™s going out, as well as whatâ€™s coming into your networks. Validate your existing architecture to make sure your IDS settings are looking at both the incoming and outgoing data. I must stress the outgoing, because what is normally going out of a bankâ€™s or credit unionâ€™s systems is a heck of a lot more valuable that whatâ€™s coming into it.
Know where your most sensitive data is stored, and make sure there is a data classification program in place to identify it properly. People say â€˜oh thereâ€™s no way we can do it.â€™ A data classification project can take anywhere from 6 to 9 months to really get a good handle on what is private, and whatâ€™s public information, but it is definitely worth doing. Once you have a data classification program in place, then youâ€™ll be better able to know where your most sensitive information is, and protect it.
BIS: Have you seen any new technologies lately for combating the insider threat?
Yes, in my investigations and work with financial institutions and other companies, Iâ€™ve seen several solutions, but many of them are still in their infancy. One solution Iâ€™ve seen work well in many environments, is Intellinx, which is a solid solution. What I recommend to financial institutions is that they try out several vendorsâ€™ products, test them to find which one has the â€˜best fitâ€™ to their existing network architecture.
Finally, the information security awareness program should be viewed as one of the best ways to train staff to report suspicious activity. Iâ€™ve seen it in my investigations when you finally catch someone, and then begin talking to coworkers who were around them, the co-workers inevitably say â€˜Oh yeah, we knew that he was acting weird or suspicious, he looked like he was doing something strange. That leads to the question of â€˜why didnâ€™t you say something?â€™
Their reply: â€˜Oh I didnâ€™t know if I should say something, and get that person in trouble,â€™ or â€˜I didnâ€™t know who I should tell it to, and I didnâ€™t know if I would get in trouble for reporting it.â€™
You canâ€™t expect to reach everyone with an information security awareness program, but if you get at least 20 to 30 percent of your employee base involved and educated, that gives you more information than if you didnâ€™t have an active employee information security awareness program.
About Dr. Eric Cole:
Dr. Eric Cole is an industry recognized security expert, technology visionary and scientist, with over 15 yearâ€™s hands-on experience. He co-authored Insider Threat, Protecting The Enterprise From Sabotage, Spying and Prevent Employees and Contractors from Stealing Corporate Data. He currently performs leading edge security consulting and works in research and development to advance the state of the art in information systems security. Dr. Cole has more than a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He also the inventor of more than 20 patents and is a researcher, writer, and speaker for SANS Institute and faculty for The SANS Technology Institute, a degree granting institution.