The breach at the Office of Personnel Management (OPM) has the entire government on high alert for the actions of sophisticated, nation-state hackers. But a report by CNN reminds us that it isn’t just APTs that the government has to worry about.
According to this story, the U.S. Department of Justice (DOJ) is investigating whether an employee of the Department of Alcohol, Tobacco, Firearms and Explosives (ATF) transferred personnel files of fellow ATF employees to a home e-mail account. The report names Scott Sweetow, the deputy assistant director for strategic intelligence and information at ATF headquarters in Washington, as the target of the investigation, though Mr. Sweetow claims he is the victim of “character assassination.”
According to the CNN report, security officials began the probe after systems used by the DOJ to monitor the transfer of personally identifiable information noted the transfers outside the DOJ network. The Department's Justice Security Operations Center notified their counterparts in the ATF, which began an investigation.
That investigation is ongoing and it’s possible that nothing untoward happened. But it is also a reminder that trusted insiders are a major source of data theft and data leaks within organizations. Of over 2,100 confirmed data breaches that were analyzed in the latest Verizon Data Breach Investigations Report, for example, Insider Misuse accounted for close to 21 percent of them.
Those incidents often amount to inadvertent or well-intentioned errors – employees transfer work to a home- or personal cloud account so that they can continue to work after hours. But these incidents are often malicious or criminal in nature. Wayward employees, for example, might harvest sensitive data to resell it on the black market for use in identity theft. Or they may use the data to harass fellow employees anonymously or otherwise. As Verizon notes, many incidents of insider abuse simply go unnoticed, and are discovered during forensic examination of user devices after the individual left a company – when such examinations are done.
The question is what to do to stop insider leaks. A good place to start is with tight control and monitoring of user privileges. Many insider data leaks are a byproduct of loose internal controls that give employees access to systems and data that they don’t need to do their job. That access, combined with curiosity or greed, can lead to incidents.
The other thing organizations need to do is to develop normative patterns of employee behavior based on their role, or on specific user actions. Observing employee connections to systems during the normal course of business will create a certain predictive pattern of activity against which unusual forays to systems or data sources that are not required in their day to day work will stand out, providing a basis for further investigation by their employer.
Finally – as DOJ showed here – you need to monitor outbound communications for the presence of sensitive information such as personally identifiable information or intellectual property. Criminals need to get their data off your network somehow. By simply monitoring data flows, in concert with other detection means, you can spot suspicious or malicious activity at an early stage and prevent longer and more damaging breaches.
Paul F. Roberts is the Editor in Chief of The Security Ledger.
