Sunday 26 October 2014

Insider Threats: Breaching The Human Barrier

By Christopher Hadnagy, Dark Reading

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

According to the “CERT: Common Sense Guide to Prevention and Detection of Insider Threats,” 65% of all IT sabotage attacks are non-technical and 84% of all attacks for financial gain were also non-technical. One call, that’s all. If organizations are unable to keep their own data safe, how can we as customers expect them to keep our data safe?

I see this highlighted daily in the work we do for clients. In a single 10-minute phone call to an enterprise chain store, a non-technical employee can provide my team with enough data to execute a virtual attack or onsite impersonation. The one vector that seems to always work is another insider, a fellow employee. Insiders are automatically trusted and automatically given answers to things that an outsider would never get. Therein lies the danger with insider attack. That trust can be exploited, that automatic authentication can be used to compromise.

Read more of what Christopher has to say on the insider threat here.

Saturday 25 October 2014

Roselyn Singh reported to AFP for identity theft

Prolific fraudster and medical centre owner Roselyn Singh recently used the identity of a prominent Canberra doctor to intimidate victims of her various scams. Over 200 text messages were sent by Singh claiming to be the doctor and a lawyer named Sam. After being notified that his identity had been compromised, the doctor reported the identity theft to the Australian Federal Police.

Roselyn Singh

The Canberra doctor's identity was first used in 2013, by a business partner of Singh, ‘Dr Salmans Baig’, to swindle over $50,000 from a Melbourne healthcare worker. That incident was also reported to NSW Police by the victim.

What started out as an introduction by text to a Canberra doctor, with information about Singh, quickly turned to harassment and intimidation. It became clear very quickly that it was actually Roselyn Singh sending the texts.

Redacted to protect the privacy of the doctor.

Singh and her associates' theft and use of identities to scam, harass or make false accusations to regulatory authorities and police is a tactic often used against their competitors, unpaid ex-employees, suppliers and other victims of their many scams.

In the words of the executive officer of NSW Health Care Complaints Commission (HCCC), following complaints about Roselyn Singh using stolen identities to lodge vexatious complaints against her medical centre competitors:

"The Commission will respond to any request for information from the Police regarding this matter. The Commission does not intend on pursuing this in this instance as it does not concern an issue of public health or safety."

Senior NSW Fraud Police have stated:

"We have not received a report from the HCCC. The HCCC must first make a report to Police before it can investigate any matters concerning vexatious and false accusations causing an investigation".

Singh has also been implicated in the theft of thousands of patients' personal information in 2012 and again in 2013. Singh collaborated with competitor medical centre insiders to hack secured systems and steal sensitive personal information of patients.

The HCCC, NSW Police and the OAIC have refused to investigate the data thefts despite detailed reports, witnesses and evidence.

Roselyn Singh’s company UTSG Consortium Pty Ltd trading as Sydney City Medical Centre was wound up earlier in 2014 by ASIC owing creditors and victims of her frauds millions of dollars.

Singh refused to cooperate with the liquidators and was reported for illegal phoenix activity. Singh immediately started a new entity, ‘UTSG Global’, after shifting assets.

Roselyn Singh continues to trade by having her son Brendon Singh and her business associate Dr Salmans Baig act as directors. Her businesses include V Health Plus and Miss Earth Australia located at 40 Park Street Sydney.

If you know more, contact us.

Insider Threats Still Pose Major Problems For Enterprise

By Frank Ohlhorst, TechRepublic

A survey sponsored by SpectorSoft shows that insider threats are one of the most challenging security issues to deal with for a majority of enterprises.

SpectorSoft, a user activity monitoring and analysis software firm, recently commissioned a survey to identify the top issues surrounding "insider threats" and identify some best practices to deal with those threats. The SpectorSoft 2014 Insider Threat Survey revealed some interesting facts about how enterprises are dealing with the challenges associated with insider threats.

One of the most revealing aspects of the survey is that the majority of enterprises can neither detect nor deter insider threats, making them especially vulnerable to fraud, data breaches, and intellectual property theft. The survey, which tallied the opinions of some 355 IT professionals, showed that some six in ten respondents are not adequately prepared to deal with insider threats.

Commenting on the results of the survey, SpectorSoft chief marketing officer Rob Williams said, "The statistics paint a bleak picture when it comes to securing company data against insider threats." Williams added, "With so many data breaches happening, C-level executives are coming to the realisation that their jobs could be on the line if company data isn't protected."

While Williams points out that insider threats could result in staff shake-ups, there are more troubling aspects to the menace of the insider threat: the crippling costs associated with employee fraud, and the fact that insider threats are difficult to detect because authorised persons are misusing their authorisation.

According to Verizon's 2014 Data Breach Investigations Report, a dramatic increase in attacks has resulted in astounding costs: $2.9 trillion in losses globally per year can be attributed to employee fraud. In the U.S. alone, organisations suffered $40 billion in losses due to employee theft and fraud, but chances are that even more fraud went undetected.

While the numbers are troubling, IT managers need not sit on their hands and hope for the best. Those numbers can spur action and help to justify investments in technologies that can tame the insider threat beast. However, those IT managers need to understand both the consequences of inaction and the insider threat landscape, and SpectorSoft's survey does an excellent job of spelling those concerns out.

For example, the report shows:
  • 35% of organisations have experienced at least one insider threat, with the following breakdown (the total does not equal 100% as some respondents had more than one type of incident):
      • Data leak: 49%
      • Fraud: 41%
      • Data breach: 36%
      • IP theft: 16%
    Insider threats were uncovered by:
      • IT department: 41%
      • Coworker: 34%
      • Security team: 18%
      • Partner: 6%
      • Customer: 1%
  • Losses from insider threats most often cost less than $50,000:
      • 70% of respondents report financial losses of under $50,000
      • 17% suffered losses of $50,000 to $100,000
      • 6% lost $100,000 to $500,000
      • 4% lost $500,000 to $1 million
      • 3% lost over $1 million
  • 61% of organisations say they are not prepared for insider threats, citing the following reasons (the total exceeds 100% as multiple factors could be cited):
      • Lack of training: 55%
      • Inadequate budget: 51%
      • Low priority: 34%
      • Understaffed: 34%
      • Lack of technology: 31%
  • Even though 49% of respondents say they are trying to detect insider threats, 59% of these respondents admit that they cannot detect them.
  • 42% say detection is harder than deterrence or detailing an attack. Why? Because it's more straightforward: it's more about technology than psychology.

While those survey results should prompt action, some IT managers may be uncertain as to what that action should be. It all comes down to three critical elements, which can be defined as:
  • Deterrence: IT managers should draft and implement an acceptable use policy that spells out what is and is not acceptable for employees. That policy should also inform employees that the organisation has the right to monitor activity on company-provided devices and on the company network.
  • Detection: IT managers should identify and implement usage monitoring platforms that can provide the forensic information for investigation and also be customised to detect unusual behaviour that indicates fraudulent behaviour.
  • Details: IT managers will find that investigating the details of an attack proves critical for preventing future attacks and also for gathering evidence if prosecution is necessary. It is very important to select tools that can recreate the steps involved in an attack and identify the depth of the breach, as well as the amount of potential damage incurred.

SpectorSoft and Verizon have revealed the facts around insider threats; now it is up to IT managers to learn from those numbers and take action before their organisations become victims of the ever-growing menace of insider threats.

Sunday 12 October 2014

Companies Struggle To Deal With Insider Threats

Baseline Magazine

One of the biggest business and technology challenges facing enterprises that are attempting to batten down the security hatches is the ongoing peril of insider threats. In some cases, these breaches occur inadvertently, when employees engage in risky or negligent behavior without realizing the damage it can cause.

But threats also take place due to intentional fraud, hacking or intellectual property (IP) theft. And the nature of insider threats — an authorized person misusing or abusing access to systems and data — makes it extremely difficult to detect such attacks and protect against them.

A recent survey of 355 security professionals conducted by mobile software firm SpectorSoft offers insights into the problem, which, according to industry estimates, amounts to approximately $40 billion a year in losses in the United States alone and about $2.9 trillion globally. Among other things, the survey found that while executives across a wide swath of industries acknowledge the problem and the risks, companies are largely unable to deter insider threats — and the problem is getting worse.


Wednesday 8 October 2014

ICO Warns on Leaving Employees Walking Off With Company Info

Steve Gold - SC Magazine UK

The Information Commissioner's Office (ICO) has warned staff that walking off with the personal information of their employer when changing jobs is a criminal offence.

The warning comes in a week when a paralegal - who previously worked at Dewsbury-based Jordans Solicitors - was prosecuted for illegally taking the sensitive information of more than 100 people before leaving for a rival firm in April 2013. The UK data regulator says the information was contained in six emails sent by James Pickles in the weeks before he left the firm.

Pickles had hoped, says the ICO, to use the information - which included workload lists, file notes and template documents but still contained sensitive personal data - in his new position. He was prosecuted under section 55 of the Data Protection Act and on Tuesday fined £300, ordered to pay a £30 victim surcharge and £438.63 prosecution costs.

Commenting on the case, Stephen Eckersley, the ICO's Head of Enforcement, said that stealing personal information is a crime.

"The information contained in the documents taken by James Pickles included sensitive details relating to individuals involved in ongoing legal proceedings. He took this information without the permission of his former employer and has been rewarded with a day in court and a substantial fine," he said.

"Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. But if they include people's details, then taking them without permission is breaking the law. Don't risk a day in court," he added.

Three main challenges
According to Nigel Stanley, practice director for cybersecurity, risk and compliance with OpenSky UK, there are three main security challenges facing employers when it comes to tackling information theft by staff: governance, policy and procedures.

"Employers clearly need to enforce a security policy, typically using suitable technology, but there are limitations to the technology. An employee could, for instance, photograph the screen of data they are working on. That doesn't mean we shouldn't take precautions, such as locking down USB ports on a machine and so on," he said.

An incident response plan, says Stanley, is something of a must-have in these situations, as it advises managers who to call (e.g. legal, public relations, etc.) when an employee data theft situation, or similar security incident, takes place.

Response plans, he adds, are necessary because, as the Pickles case shows, incidents like this will happen to organisations, since the insider threat is quite prevalent in many of them.

"I've just completed this process with a client. We developed an incident response plan that advises on who to call, developed a flow chart on what happens, and what actions need to be taken. This is something that all businesses need to think about," he explained.

Tom Cross, director of security research with Lancope, said that research by US-CERT at Carnegie Mellon University breaks down malicious insider attacks into three common themes: disgruntled insiders who damage systems or data; insiders who commit fraud using information they have access to, such as credit card numbers; and insiders who steal intellectual property because they intend to use it in a new job or sell it to a competitor.

"Insiders who steal intellectual property usually do so in the last few weeks of their employment. They often feel a sense of ownership or entitlement to the things that they are stealing, because they worked on them in their jobs," he said, adding that detecting this type of data leakage can be carried out using audit trails on network activity, as well as network monitoring for anomalous data transfers, particularly during the last few weeks of a person's employment.
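As an added illustration of the detection approach Cross describes (example code written for this page, not from Lancope, US-CERT or any monitoring product), the script below compares each leaver's daily outbound transfer volume during their notice period against their own earlier baseline. The audit-log layout, the HR roster, the 21-day window and the 5x threshold are all assumptions.

```python
"""Flag anomalous outbound transfers by employees in their notice period.
Added example for this page (not Lancope, US-CERT or vendor code); the log
layout, HR roster, window and threshold are all assumptions."""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample audit trail: (day, user, bytes sent to external hosts).
TRANSFER_LOG = [
    (date(2014, 9, 1), "jpickles", 12_000_000),
    (date(2014, 9, 2), "jpickles", 9_000_000),
    (date(2014, 9, 3), "jpickles", 15_000_000),
    (date(2014, 9, 29), "jpickles", 410_000_000),  # bulk export after giving notice
    (date(2014, 9, 30), "jpickles", 380_000_000),
    (date(2014, 9, 1), "asmith", 20_000_000),
    (date(2014, 9, 2), "asmith", 25_000_000),
    (date(2014, 9, 29), "asmith", 22_000_000),
]
# Constructed HR roster: users who have resigned, mapped to their last working day.
LEAVERS = {"jpickles": date(2014, 10, 10)}

NOTICE_WINDOW_DAYS = 21  # assumed: watch the final three weeks of employment
RATIO_THRESHOLD = 5.0    # assumed: flag a day above 5x the user's own baseline

def daily_totals(log):
    """Sum bytes per (user, day) so several log lines for one day are merged."""
    totals = defaultdict(int)
    for day, user, nbytes in log:
        totals[(user, day)] += nbytes
    return totals

def flag_leaver_transfers(log, leavers, window=NOTICE_WINDOW_DAYS,
                          ratio=RATIO_THRESHOLD):
    """Return {user: [(day, bytes, multiple_of_baseline), ...]} for leavers whose
    daily outbound volume inside the notice window exceeds ratio x their own
    median daily volume from before the window (their personal baseline)."""
    totals = daily_totals(log)
    alerts = defaultdict(list)
    for (user, day), nbytes in totals.items():
        if user not in leavers:
            continue
        days_left = (leavers[user] - day).days
        if not 0 <= days_left <= window:
            continue  # outside the notice window, not a departure-period transfer
        baseline = [b for (u, d), b in totals.items()
                    if u == user and (leavers[user] - d).days > window]
        if baseline and nbytes > ratio * median(baseline):
            alerts[user].append((day, nbytes, round(nbytes / median(baseline), 1)))
    return dict(alerts)

if __name__ == "__main__":
    for user, hits in flag_leaver_transfers(TRANSFER_LOG, LEAVERS).items():
        for day, nbytes, mult in hits:
            print(f"ALERT {user} {day}: {nbytes} bytes outbound, {mult}x baseline")
```

A user with no pre-window history produces no alert, so the roster should be loaded well before the notice period begins.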

Toyin Adelakun, vice president of Sestus, meanwhile, says there is a lot more to covering this risk - to corporate entities as well as to individual staff members - than technology.

It is often, he said, best to address the risk in top-down fashion, using people, processes and technology, with dual controls being imposed on personally identifiable information, and the enforcement of policies through the use of IAM (identity and access management) technologies and tools.

Defend your data
Professor John Walker, a visiting professor with Nottingham Trent University's School of Science and Technology, said that the need to defend data in an employee-company situation is all the more necessary today, when words of agreement do not result in real security.

If a company does not tie down its Active Directory and its access control lists, he says, it will likely hit security problems.

"Allowing employees to populate open shares containing PCI-DSS data, client data and a plethora of sensitive and business-related data, is becoming all too common," he explained, adding that the appointment of young and inexperienced security managers in our industry is only adding to the potential scale of the problem.

Saturday 4 October 2014

Medical Data Worth More On The Black Market Than Credit Cards

Patients' medical information is worth about 10 times more than credit card numbers on the black market, and medical identity theft is often harder to recognize, according to cybersecurity experts, Reuters reports (Humer/Finkle, Reuters, 9/25).

Last month, the FBI issued a flash alert warning health care organizations that they are being targeted by hackers.

In the notice, the FBI said the agency "has observed malicious actors targeting health care-related systems, perhaps for the purpose of obtaining protected health care information and/or personally identifiable information."

The alert came days after Community Health Systems announced that an external group of hackers attacked its computer network and stole the non-medical data of 4.5 million patients.

The CHS incident is the second largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported (iHealthBeat, 8/21).

Security Experts Weigh In on Patient Data Theft

In interviews with Reuters, nearly a dozen health care executives, cybersecurity investigators and fraud experts explained the appeal of health care data for cyber criminals.

Don Jackson -- director of threat intelligence at PhishLabs, a cybercrime protection company -- said that stolen health credentials can be sold on the black market for $10 each, or about 10 or 20 times more than the price of a U.S. credit card number.

Experts say medical data thieves are most interested in:
  • Billing information;
  • Birth dates;
  • Diagnosis codes; and
  • Policy numbers.

They note that thieves can use such data to:
  • Create fake IDs to purchase medical equipment or prescription drugs that they can resell; or
  • File false claims with insurers by combining a patient number with a false provider number.

According to Reuters, medical data theft is not as easy to identify as credit card theft, meaning thieves have more time to reap benefits. For example, many patients do not discover that their medical data have been stolen until after unpaid bills run up using their medical ID have been sent to a debt collector, who then contacts the fraud victim to seek payment (Reuters, 9/24).