Advice diary: Digital forensics thwarts insider threat ransom attempt
Michael Quinn, managing director in the Cyber Risk practice of Kroll, a division of Duff & Phelps, recounts a case in which his team thwarted a ransom attempt on a global software company. Michael shares some details about the forensic investigation that uncovered that the threat came from a former employee who still had access to sensitive company data. Michael Quinn is a managing director with Kroll’s Cyber Risk practice. He joined Kroll from the Federal Bureau of Investigation (FBI), where he most recently served as Supervisory Special Agent in the Cyber Division. Michael managed a variety of state-sponsored and criminal intrusion matters for several FBI field offices and was responsible for some of the first-ever indictments against state-sponsored cyber attackers.
Hackers have only just wet their whistle. Expect more ransomware and data breaches in 2021.
Threat actors found success infecting businesses with ransomware and stealing company data, turning those ransomware attacks into data breaches. Expect more of this to continue next year as remote work continues, according to Accenture. Going into 2021, “threat actor profits [are] likely to increase as a result of targets’ weakened security and remote working, enabling threat actors [to] innovate and invest in even more advanced ransomware,” Accenture’s 2020 Cyber Threatscape Report said. Remote work created something of a new playground for hackers in 2020, agreed Gartner. An October survey of nearly 2,000 CIOs found that cybersecurity investment in technologies that support digitization will be one of the major priorities next year. “With the opening of new attack surfaces due to the shift to remote work, cybersecurity spending continues to increase,” the firm said, with 61% of respondents reporting they will increase investment in cyber/information security, followed closely by business intelligence and data analytics (58%) and cloud services and solutions (53%).
2020 Top Five Financial Sector Security Challenges
This week SecurityHQ released a white paper on the ‘Financial Sector, Threat Landscape 2020’. In this paper, and through an analysis of a real-life threat to a large financial client, their findings revealed the five top security challenges that the financial sector is currently facing, the risks of future threats, and how to spot these risks before it is too late. Among other elements, five of the top challenges to the financial industry include ransomware attacks, internal threats, issues in app development, changes in working due to COVID-19, and third-party risks. Internal Threats: According to the Verizon 2020 Data Breach Investigations Report (DBIR), ‘employees’ mistakes account for roughly the same number of breaches as external parties who are actively attacking’ the organisation. In fact, misdelivery within the company, by which information has inadvertently been sent to the wrong person, appears to be the most common issue within insider threats. Misdelivery can occur via emails forwarded or sent to the wrong person/recipient, by using the wrong mailing list, or via the wrong address on a paper document. Misdelivery is, more often than not, accidental and non-malicious, but the effects can be devastating, especially if sensitive data is inadvertently shared with the wrong recipient.
Remote Insider Data Theft Worries Financial Industry
As the pandemic rages on, more companies are concerned about the growing risk of insider theft. Remote work has changed the cybersecurity landscape and has required IT and security staff to rethink where the greatest risks are with a WFH employee base versus onsite. A year ago, who would have thought that VPNs and their vulnerabilities, or videoconferencing and Zoom bombing, would even have been considered a cyberthreat? But even as some risks have changed, others have stayed the same, if not become a little more pronounced. The concerns about COVID-19-related phishing attacks continue to loom large, even eight months into the pandemic, for instance. But one area of risk that hasn’t gotten a lot of attention is the insider threat and data theft. Remote Worker: Insider threats have traditionally been categorized as accidental or malicious, but now a new category, the remote worker, has been added. “In addition to connecting to the corporate network through a potentially non-secure home or public network, these employees may also be using personal devices that were not procured, configured and secured by IT, further compounding the problem,” Renee Tarun, deputy CISO and vice president, information security at Fortinet, wrote. “There is less oversight and fewer restrictions in a work-from-home environment, which, unfortunately, can lead to relaxed attitudes around security.”
How to protect your organization from internal and external threats to cybersecurity
While remote work has ushered in unprecedented freedom and flexibility for thousands of employees, it also exposes workplaces to more cybersecurity threats. When employees work from home, traditional IT departments have less control over devices and networks, leaving open the possibility of internal and external data breaches. Last year, for example, two-thirds of all data breaches were caused by insiders, while one-third were caused by hackers, malware, phishing and other external threats, said Joe Payne, CEO of Code42, a cybersecurity platform. Next year, the combined factors of remote work, job insecurity and the increased ease of moving data will produce an increase in insider incidents, according to a recent report by Forrester. “What employers should be thinking about at the end of the year is: Do I have programs in place that protect me against both external threats as well as internal data leakage?” asks Payne. Training, transparency and technology are the three keys of a robust strategy against insider threats, according to Payne. Comprehensive training to make sure employees understand what they can and cannot do with workplace data is essential, especially as the use of cloud-based collaboration tools increases.
Treyler Ray: Securing the Skies
Treyler Ray began his career in law enforcement with the Mississippi Bureau of Narcotics as an undercover narcotics agent. He soon moved into the special operations division, where he conducted surveillance and Title III wiretaps on major drug traffickers. For eight years, he worked as a special agent with the U.S. Department of State, Bureau of Diplomatic Security. He then worked for Raytheon before finding a home at Bellflight in May 2017 as Director of Security. Ray is the Chief Security Officer at Bell, an American aerospace manufacturer for military and commercial applications. It is headquartered in Fort Worth, Texas, with manufacturing facilities in Fort Worth and Amarillo, Texas, as well as Mirabel, Quebec, Canada. He calls his team “world class in industrial, SAP, counterintelligence and insider threats.” Ray’s team comprises eight personnel under his charge. Because Bell manufactures highly engineered helicopters, “air taxis,” drones and other products, the risk and security challenges are diverse. “The challenges every security element faces are the threats posed to their personnel, their property and their technology,” Ray says. “The unique risk we face at Bell is safeguarding our sensitive information and material, which consists of classified, controlled unclassified information, export-controlled, and our company’s own proprietary data/intellectual property. Bell alone has managed to produce aircraft using tiltrotor technology, a technology that represents a portfolio of incredible capabilities in the hands of U.S. and allied warfighters, and [is a] competitive advantage in the Intelligent Air Mobility arena. We see strong management of our Insider Threat and Security Education, Training and Awareness programs as imperative to our success in safeguarding the sensitive information and material resident at Bell in both our military and commercial programs.”
Raising the Red Flag on the Insider Threat from Ransomware
There was nothing in particular that should have drawn attention to the two individuals sitting for drinks at the bar in Reno. Just two old colleagues catching up over some drinks. But if someone had paid close enough attention (and perhaps spoken Russian), they might have overheard that one of the pair was attempting to recruit the other into what was possibly one of the biggest ransomware operations to date. According to reports, Egor Igorevich Kriuchkov was allegedly there to recruit his former colleague into aiding his crew in implanting ransomware on the colleague’s employer’s network via a USB drive or by opening a malicious email. Once inside the network, Kriuchkov’s crew planned to take their victim for millions. For performing this one little favor for an old friend, Kriuchkov was going to offer his unnamed former colleague $500,000. This number supposedly eventually rose as high as a cool $1 million.
How to Organize Employees to Cooperate in Threat Mitigation
These days, employees seem to think that cybersecurity is entirely the responsibility of the IT staff. Nothing could be more wrong, given the rising rates of insider threats. Such a position reveals a lack of adequate cybersecurity awareness training for employees: workers must understand that every endpoint is a potential entry point for an attack and must be trained to take preventive actions. This is especially important in this period of COVID-19 and lockdown restrictions, which has sent many workers home to do their jobs remotely. Without the direct oversight of the IT staff, WFH employees (and even office staff, under BYOD policies) can inadvertently expose company data and provide an avenue for malware to infect the system. Now more than ever, cooperation is important for mitigating cybersecurity threats. Cybersecurity is a company-wide necessity, and it certainly does not help if one employee is undermining the security actions of others.
Know Your Role: You Are Part of the Security Team
If you think that your company’s security team is singularly responsible for keeping things secure, think again. The security team in your organization is responsible in a big way for creating and enforcing policy, educating users, and constantly evolving the security posture, but they are not alone in this fight. You, as an employee, are also responsible for the security of your organization. Security teams can only do so much; after educating users and creating policies, it’s the user who needs to step up and do their part. So what is your part as a user? Let’s work through some of the security responsibilities that you as a user need to own in order to keep things safe and secure in the workplace.