With me is guest analyst Terry Cutler of Montreal’s Cyology Labs. We’re going to take a deep dive into insider threats and what to do about them. But first a look at some of the top news from the past seven days:
A ransomware group called REvil has given Apple a May 1st deadline to buy back product schematics it says were stolen from Apple’s Taiwan manufacturer. As proof of the theft the group started posting what appear to be drawings of a yet-to-be-released laptop. This is a twist on supply chain attacks that ransomware groups are now adopting: Steal data from one company, then pressure that firm’s customers to squeeze the victim company for money. According to one news site, the gang is demanding $50 million to prevent the Apple data from being sold to competitors.
Speaking of supply-chain hacks, the compromise of a software development tool called Codecov is worse than initially thought. The Reuters news agency reported this week that security investigators believe hundreds of organizations were hacked by a threat group leveraging the compromise. They did it by stealing login credentials stored by developers in the tool. Codecov customers are being urged to reset all credentials.
A Vancouver law firm is no longer listed on the data theft website of the Clop ransomware gang. That’s often a sign that a ransom has been paid. IT World Canada isn’t naming the firm because it hasn’t confirmed it was victimized. But earlier this week the ransomware gang’s site posted evidence of what it said was stolen data. It included a list of the law firm’s staff and their home and cell phone numbers, as well as a list of British Columbia government employees and their office email addresses.
Urgent warnings went out this week to IT administrators to patch two business products with critical vulnerabilities. SonicWall said it is imperative that the latest security updates for the on-premises version of its Email Security appliances be applied.
In addition, Pulse Secure said its Pulse Connect Secure VPN appliance has to be patched immediately. It fixes a zero-day login authentication bypass that’s been recently used to hack dozens of organizations in the U.S. and Europe. A new vulnerability rated 10 out of 10 in criticality works with other bugs to compromise devices. The thing is, patches for those three other bugs were released in 2019 and last year and should have been installed by now.
And Google had to issue a security patch for the Chrome browser a week after releasing version 90.
(The following is a condensed transcript of my talk with Terry Cutler of Cyology Labs)
Howard: I’m going to turn now to Terry Cutler. I want to start with the attempt to blackmail Apple into paying millions of dollars to prevent the sale of stolen product schematics to others. This started with a theft from a Taiwan-based manufacturer of Apple laptops. In addition to threatening that company, the ransomware group is also threatening Apple and demanding a reported $50 million. This is really turning up the screws, isn’t it?
Terry: It is. In fact there was even another note saying, ‘If you don’t pay by April 27th, it’s going to go to a hundred million dollars.’
Howard: This is another twist on ransomware. Ransomware started with groups encrypting a victim company’s data. Then they started stealing data and threatening to release the data unless the company paid up in addition. And now ransomware gangs are going after the victims of the initial ransomware attack. This is in essence a supply chain attack.
Terry: And what’s interesting about this one, too, is they just released some schematics of the new MacBook Pro. The problem is if Apple or the other manufacturer pays for this they’re incentivizing future attacks.
Howard: There’s a great risk that your partners and suppliers may be hit by ransomware and you’re going to be getting an email message saying you should either pay the ransom or be squeezing your supplier to pay up the ransom. What do you do?
Terry: It’s a really tough choice. Even though our system is secure, we have to prepare our partners to be secure as well. And a lot of times they’ll say, ‘Well, we’re compliant [with regulations],’ but compliance doesn’t guarantee you’re secure.
Howard: Certainly what it means for any organization that entrusts data to a third party is that you’ve got to have agreements with that third party to make sure they have secure ways of holding your data. That reduces the odds of this happening.
Terry: The data [going to third parties] has to be encrypted.
Howard: I want to turn now to insider threats, and not because they’re in the news this week but because the last time you were on, just before time ran out, you briefly mentioned working on two cases this year where IT administrators were caught reading their executives’ email and using the information for their personal gain. And that made me think that we should look at insider threats. First of all, tell me about those incidents.
Terry: One of them was around the IT guy that was reading the president’s email. There were some union negotiations happening and one of the union members paid off an IT guy to get confidential information to the group. He had access to the president’s email and was getting information from it so they could better negotiate union deals. One of the ways we caught them was the president suspected somebody was reading his email. There’s technology that allows us to hack back hackers legally. We can send in a bugged Word document and the moment somebody opens up the attachment it does an HTTPS call to our system and says, ‘Here’s the IP address of the person that just opened up the email.’
That revealed the workstation IP, so we knew it was the IT guy. In another, one of the employees of an energy company was bought off by someone in China to spy on them. The company suspected something was going on because confidential documents were leaking. So we used the same technology. We created a Word document and copied it into a confidential folder on the [company] server. We named it something enticing and just let it sit there. A couple of weeks later it was triggered and revealed who [the informant] was.
Howard: What’s an insider threat, who’s an insider?
Terry: A rogue employee who would have too much access and pokes around the system, copying data where he’s not supposed to. But there are also insider threats where employees are clicking on stuff they’re not supposed to and accidentally compromising the company.
Howard: And an insider can be a contractor who has been given legitimate access to company systems.
Terry: Correct. The other issue is there’s not enough logging [of events]. The company doesn’t know when these suppliers are logging in, who’s accessing what, because there’s so much data that gets transferred in event log information. And nobody’s watching the alerts, unfortunately.
Howard: There’s some disagreement among experts on the size of the insider threat, because there are different ways of measuring it. If a crook steals an employee’s login credentials, to the IT department it looks like the employee is roaming around the network and not an outsider. So in that sense, it’s an insider attack. But Verizon Communications has been issuing a deep analysis of data breaches from around the world for over a decade and uses a narrower definition that excludes crooks and others. So by their definition, on average insiders are responsible for about one-third of breaches of security controls. Now that’s not to minimize the insider threat, but I think managers shouldn’t go around thinking like 90 per cent of their staff are likely to steal data.
An insider incident can also include errors like misconfiguration of software … and ignoring security rules just to get work done. So there’s no intention of data theft, but things like this do put corporate data at risk.
Do you think that the risk of insider incidents has increased because of the number of people now working from home?
Terry: Absolutely. It’s not necessarily their fault. It’s because cybercriminals have now gotten much more clever. Employees working from home are outside the corporate firewall. They can fall for what’s called drive-by attacks from an infected legitimate website. And all of a sudden they’re getting infected. When they connect back into the company, the cybercriminal can now access the company infrastructure.
Howard: I’ve written several stories about insider attacks in Canada. The most well-known private sector insider attack was the copying and theft by an employee of the Desjardins credit union of files on 9.7 million current and former customers. The data was sold to another person around 2019. According to a federal privacy commissioner investigation, Desjardins had a good strategy for fighting external threats, but they lacked a culture of vigilance against internal threats. By the way, as a side note, of that data on 9.7 million customers, 4 million were former customers whose data should have been destroyed. One lesson there to every organization is to only keep the data that you need.
What do organizations need to do to reduce the risk of insider incidents?
Terry: They’ve got to move towards a zero-trust model [for identity and access control]. It’s ‘We trust nobody [on the network],’ because now it’s really hard to identify who’s legit and who’s not. Also, implement data leakage prevention, so the IT department can see why this guy is copying so much data to his machine.
Howard: One of the first things that you need for protection against insider threats is the broad cybersecurity strategy you need for any threat: You’ve got to know where your data is. You’ve got to know which data is sensitive, and you’ve got to have a company policy on who’s allowed to access what.
That’s identity and access management. And of course, once you set up your directory that lists everybody and what assets that they can access, you’ve got to monitor that directory for suspicious changes.
Terry: The biggest challenge they’re going to see is how do you find the right resource? Who’s going to do this job because [IT people] are not being trained coming out of school. If you want senior guys that can really pull this off, they’re either too expensive or they’re unavailable. So now you’ve got all these systems in place collecting event log data, but nobody’s watching the system. There’s no automation. That’s going to be key: Automation, AI and behavioral analysis.
Howard: I also want to mention that there have to be controls on the use of external cloud storage. We’re talking things like Box, Dropbox, Amazon AWS, Microsoft Azure. These are the things where employees will upload data. They’ll want to do data processing, and they’re not checking the controls. Oftentimes the stuff is sitting out on the internet. And if somebody knows how to do a search, this stuff can be found. And so in essence, you can have inadvertent data theft.