The Journal of Information Technology Management

Cutter IT Journal

Vol. 27, No. 8, August 2014

Data Hacking: No Day at the Breach

Opening Statement, by Ken Orr

Leading in the Time of Data Breaches, by Rick Brenner

Crafting a Secure and Effective BYOD Policy, by Anjali Kaushik

The Insider Track on Cyber Security, by Chris Kauffman

The Data Shell Game: The Best Way to Protect Corporate and Institutional Data in the Cloud, by David C. Wyld

An Architecture Approach to Corporate Information Security, by Fred Donovan

“No matter how large or small our organizations are, we cannot just wash our hands of the data security problem — there is too much at stake.” — Ken Orr, Guest Editor


In June 2013, the actions of Edward Snowden set off a firestorm of revelations about the inner workings of one of the US’s most secretive organizations, the National Security Agency (NSA). As the country began debating the spy versus whistleblower status of Mr. Snowden, a second, equally chilling dialogue began: how was one person, a contractor, able to walk so easily out the door of a heavily monitored facility with a treasure trove of secrets? For all organizations, it served as a sharp reminder of how much damage one insider can generate. But despite the far-reaching consequences to US federal agencies — presidential executive orders, budget reallocations, technology reviews — the Snowden incident has done surprisingly little to affect the near-term strategies and implementations of cyber security in private industry.

That’s not to say private industry isn’t aware of the vulnerability. A recent survey performed by the Ponemon Institute found that 88% of the 693 IT professionals surveyed recognize the potential for significant harm from insider threats.[1] As it turns out, businesses harbored concerns for some time before the NSA affair — they just hadn’t been very vocal about it. Despite these concerns, plans to mitigate insider threats seem to hover at the bottom end of the cyber security priority list. The common sentiment of business owners, executive teams, and IT administrators goes like this: “We’ve spent the last two years building a layered perimeter defense, and we’re almost done. As long as the threat doesn’t come from inside, we’re good.”

SIGNIFICANT RISK, SIGNIFICANT COSTS

As the Snowden incident demonstrates, statements like the above are misguided at best. An organization’s cyber defense strategy cannot be comprehensive without a mitigation strategy for addressing insider threats. Otherwise, it’s like knowingly leaving a back door onto the computer network (except that insiders get to use the front door). Insider incidents don’t get nearly the attention that the breaches caused by external attacks get on a daily basis. However, sources such as the Brooklyn Law School’s Trade Secrets Institute website[2] have pages filled with insider threat legal cases.

From a numbers viewpoint, it has been difficult to get a clear picture of the severity of insider incidents relative to the higher-profile external attacks. That has begun to change over the last few years as the major benchmark studies have led to a better understanding of how to parse out the data. External attacks will always outnumber insider incidents, given that the number of external actors is much larger, but the industry statistics show that insider threats play a significant role in breaches:

- The 2014 Verizon Data Breach Investigations Report indicates that 18% of the collected security incidents are attributed to insider misuse,[3] trailing only crimeware and miscellaneous errors.

- According to the 2013 Ponemon Cost of Cyber Crime Study, 42% of companies surveyed admit to an insider incident in the last year.[4]

- SafeNet keeps a running tally of breaches at the data record level. Its data indicates that while external attacks outnumber insider incidents, insiders can do more damage. The Q1 2014 report, for instance, shows that while 11% of successful breaches were carried out by an insider, they accounted for 52% of the 200 million data records exfiltrated.[5]

REASONS FOR THE LACK OF INSIDER THREAT PROGRAMS

If business leaders and IT professionals continue to experience a general unease at the lack of strong insider threat programs, and industry numbers appear to justify those concerns, why hasn’t this translated into more action? There are any number of reasons, of course, but two primary themes can be seen across private industry. First, insider threats are poorly understood, and little is known about the remedies that might be available to address the vulnerability. Second, there is an emotional discomfort that comes from thinking employees might betray the trust that’s been granted them by the organization.

FOILING THE INSIDE JOB

The Insider Track on Cyber Security

by Chris Kauffman

©2014 Chris Kauffman. All rights reserved.


The emotional issue is certainly understandable, but it shouldn’t be allowed to delay or prevent addressing a very real threat. Most businesses will be affected by an insider at some point, probably several times. When it happens, it’s not just profits that get impacted; it can affect customers’ lives, the reputation of the business, and, ultimately, all the employees in the organization.

It might be said that neither of these issues is at play in larger organizations, especially in regulated industries like banking and healthcare. Indeed, regulators do take some of the heat off businesses; it’s the regulatory bodies that require controls be put in place for insider threats, not the employers. And larger organizations are more likely to have the resources to investigate the insider threat risk more thoroughly. Still, that doesn’t explain the frequent delay in addressing insider threats, which organizations often plan to address only after the perimeter has been fully secured against external threats.

INSIDER THREATS ARE DIFFERENT

It’s not surprising that organizations have difficulty understanding the insider threat; it’s not your typical cyber security adversary. For one, the average insider is not a professional hacker and generally lacks the technical sophistication needed to use the tools of that particular trade. But it doesn’t require a lot of sophistication to do great harm to an organization when you are an insider.

To better understand effective strategies and technologies for combating insider threats, let’s start by defining what an insider threat is. An insider threat is when someone with authorized access to the network and the electronic assets located on it uses that access to do unauthorized things, such as commit fraud, theft of intellectual property (IP), or IT sabotage. Those with authorized access could include employees, contractors, vendors, and even business partners and corporate executives.

There are two key components to keep in mind with regard to the definition. First, we’re talking about insiders, not outsiders trying to breach the perimeter defenses. The importance of this goes beyond their authorized use of the computer network. It means that they work alongside others in the office, they understand and are part of the corporate culture, they get trained in the same procedures and policies as everyone else, they know if they’re being monitored and probably how, and they know where the company tends to be lax and where it is strict in its policies. They are also likely to know exactly where and how the organization’s sensitive data is stored, as well as the true value of the data. Second, they’re authorized. In order to be productive, they need access to the data that the organization is attempting to protect. These characteristics make it very difficult for traditional cyber security products to address insider threats, as we can see from the following example of attempted trade secret theft.

Hanjuan Jin, an American citizen, had been an employee of Motorola in Chicago for nine years. In 2007, as she prepared to board a flight to China, she was stopped for a random customs search. Officials found over US $30,000 cash in her luggage and more than 1,000 documents containing Motorola IP related to the company’s proprietary iDEN technology. Jin was able to sneak away with hundreds of confidential documents without Motorola’s knowledge, using an unsophisticated method, only to be stopped by chance at the airport.[6] She apparently didn’t seek out Motorola with the intent to steal its secrets; the attempted theft occurred nine years after she began working at the company. Such circumstances aren’t the exception when it comes to insider attacks. A report on insider threats in the financial industry found that the typical malicious insider has worked for his or her organization for five years before committing a crime, and goes on committing the crime for two and a half years before being caught.[7] Clearly, insiders know how to conceal their criminal activity in the everyday noise of their work environments.

TRADITIONAL TECHNOLOGIES AND NEW ATTEMPTS

Technology has been used in an attempt to detect insider threats for some time. A study by the US-based Intelligence and National Security Alliance (INSA) found that many of the insider threat programs run by the 13 private industry companies interviewed are technology-centric.[8] Given the lack of successful detection of insider threats in general, it’s pretty clear that these technologies haven’t been as effective as one would hope.

This lack of success stems from the nature of the insider threat, which is a human problem, and the fact that traditional cyber security products applied to the insider threat, such as security information and event management (SIEM) and data loss prevention (DLP) products, aren’t aligned to address it. Most cyber security systems use rules engines and pattern recognition to detect activity that matches known methods of theft or misuse. But insiders have authorized access to the data and the systems being protected, making it difficult to develop rules that don’t also produce numerous false positives resulting from legitimate work activity. How does one write a rule to distinguish an authorized insider’s use of data for legitimate purposes from similar use of the data for something malicious? What if an organization wishes to support the use of cloud sharing services, even if such services can be used for exfiltration? Compounding the problem, insiders are often well aware of the ways in which they might be monitored and have proven adept at avoiding attention.

As big data spawned advances in data analytics and machine-learning techniques, organizations have attempted to use these sophisticated approaches to defend against insider security threats. Network flow analysis tools use statistical methods to establish baselines and identify anomalies in the network traffic data. The problem is that networks, and especially the people using them, generate too many anomalies to make this a practical solution for effectively identifying insider threats. Others have tried to employ predictive modeling to discern an insider threat from a non-threat. Predictive models, like random forests and support vector machines, can yield impressive results in domains where the algorithms can be trained with large data sets containing numerous examples of each possible outcome (e.g., a data set with tens of thousands of labeled examples of spam and normal email). But even a large organization will have only a few historical cases of insider threat incidents — not nearly enough to train a viable predictive model.

INSIDER THREAT PROGRAMS: TRAINING, POLICIES, AND ASSURANCES

Given the difficulty that technologies have historically had in addressing the insider threat, businesses have established a number of procedural mitigations. Some examples include:

- Background checks. As part of the hiring process, high-risk indicators — such as a criminal record — can be discovered early to avoid potential problems.

- Confidentiality agreements. Having employees sign legal documents can serve to educate them on the policies of the organization and reinforce the consequences of IP theft.

- Awareness training and banners. Regular reminders reinforce expectations for the proper handling of sensitive data.

- Compartmentalization. Operating on a need-to-know basis limits the amount of sensitive data exposed to insiders and thus the damages that could be caused by an insider threat.

- Reporting suspicious activity. Organizations should establish the idea that security is everyone’s responsibility, and everyone should remain diligent. If something is out of place, or someone is doing something suspicious, it should be reported to management or HR.

- Restricting the use of technology. New technologies such as cloud storage, mobile devices, social media platforms, and removable storage have sprung up everywhere to make us more productive and connected at the office and elsewhere. They also make it easier for a malicious employee to collect and exfiltrate sensitive data. Many organizations restrict the use of these resources to minimize the risk.

There are a number of additional controls that organizations have used in various insider threat programs. CERT, a division of the Software Engineering Institute at Carnegie Mellon University, has run a robust insider threat research program for years. Its “Common Sense Guide to Mitigating Insider Threats” publication describes several additional mitigation procedures and policies.[9]

As with the application of technologies for combating insider threats, these procedural controls have their limitations and noted failures, too — a topic often discussed in the trade secret legal community. A notable example of this is the recent incident at the pharmaceutical company Eli Lilly. Guoqing Cao, an American citizen living near Indianapolis, was a research scientist at Eli Lilly for seven years. In October 2012, he was arrested on charges of theft of trade secrets.[10] Cao, along with a codefendant, was accused of emailing numerous confidential documents to a contact at a foreign competitor. A significant aspect of the case is that Eli Lilly had a number of procedural controls in place to mitigate against insider threats. Specifically, the company “limited access through security cards, required employee confidentiality agreements, restricted access to Lilly confidential information on a need-to-know basis, limited access to computer networks, and utilized data security banners and policies.”[11] Despite these and many other policy controls, the codefendants were able to plan their crime and execute the collection and exfiltration of confidential documents. It’s clear that neither traditional cyber security technology nor procedural controls have adequately addressed insider threats.

NEEDS ARE DRIVING NEW TECHNOLOGIES

Even if the NSA incident wasn’t a game changer for private industry, it certainly awakened technology companies to the preexisting concerns of business leaders and their need for better solutions. The market is beginning to see a number of new products dedicated to detecting and mitigating insider threats. Some products focus on monitoring and recording all insider activity — including keystrokes, social media posts, and use of removable media — thereby acting as a virtual security camera. They are similar in purpose to what you would find behind the counter of a convenience store; they are there to record evidence of a crime when it occurs. Most new products, however, are reengaging the problem with some form of data analytics technology. Hoping to overcome the lackluster results of prior attempts, the new products try to address the issue of noisy data in different ways. For instance, one new approach takes the form of a data analytics platform or toolkit. Analysts treat the various sources of security and network information like big data, employing data analytics techniques to explore and detect patterns that might indicate a threat. Here it’s the analyst drawing conclusions about possible threats, using a more investigative process of asking questions of and getting answers from the data, as opposed to previous approaches that relied on algorithms to draw the conclusions.

Another group of emerging data analytics–based technologies is significantly improving the detection rate of insider threats by focusing on how each individual in an organization uses the computer network. These systems capture network transmissions and events each individual generates on the network and use them to establish a behavior profile for the individual. Analytics are then used to identify the individual’s behavior patterns, such as how often he typically accesses a document repository, which computers or devices he uses to access the network, and which websites he regularly visits.

If an effective behavior profile can be defined, one that is sensitive enough to pick up on subtle changes that indicate a threat but robust enough to allow for the variances in everyday work activity, then this method could provide a powerful means of observation and detection. For instance, one mechanism could compare current behavior profiles to their historical baselines in order to detect behavior changes, which often occur when an insider makes the decision to commit a crime. Meanwhile, a second mechanism could evaluate one behavior profile against other behavior profiles in a cohort group. This latter control can detect when one person on a team is covertly hiding an activity while performing her job responsibilities for the team, even if that activity is part of her historical baseline (an important factor if, say, the behavior monitoring capability was put in place after the malicious activity had begun).
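The two comparison mechanisms described above, shown as an added example (not code from the article or from any product it mentions): each user's latest week is scored against that user's own history, and each user's typical level is scored against the cohort. The user names, weekly counts and both thresholds are constructed assumptions.

```python
"""Added illustration (not from the article): two behavior-profile checks."""
from statistics import mean, median, pstdev

# Constructed sample: documents fetched per week from a repository by the
# members of one team. All names and counts are invented for this example.
WEEKLY_DOC_FETCHES = {
    "alice": [21, 18, 24, 20, 22, 19, 23, 61],  # sharp change in the last week
    "bob":   [17, 22, 19, 21, 18, 20, 23, 19],
    "carol": [25, 20, 22, 24, 19, 21, 23, 22],
    "dave":  [88, 92, 85, 90, 94, 87, 91, 89],  # high since monitoring began
    "erin":  [19, 23, 18, 22, 20, 24, 21, 20],
}

BASELINE_THRESHOLD = 3.0  # assumed cut-off for the z-score against own history
COHORT_THRESHOLD = 3.5    # assumed cut-off for the modified z-score in cohort


def baseline_score(series):
    """Z-score of the latest week against the same user's earlier weeks."""
    history, latest = series[:-1], series[-1]
    if len(history) < 3:
        return 0.0  # too little history to establish a baseline
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        # Perfectly flat history: any departure from it is unbounded.
        if latest == mu:
            return 0.0
        return float("inf") if latest > mu else float("-inf")
    return (latest - mu) / sigma


def cohort_scores(activity):
    """Modified z-score of each user's typical level against the cohort.

    Median and median absolute deviation (MAD) are used instead of mean and
    standard deviation so the outlier being looked for does not inflate the
    spread it is measured against; with only five users a plain z-score
    cannot reach a threshold of 3.
    """
    typical = {user: median(weeks) for user, weeks in activity.items()}
    centre = median(typical.values())
    mad = median(abs(level - centre) for level in typical.values())
    if mad == 0:
        # More than half the cohort is identical: anyone different stands out.
        return {u: 0.0 if v == centre else float("inf")
                for u, v in typical.items()}
    return {u: 0.6745 * (v - centre) / mad for u, v in typical.items()}


def detect(activity):
    """Return {user: [reasons]} for users flagged by either mechanism."""
    peers = cohort_scores(activity)
    flagged = {}
    for user, weeks in activity.items():
        reasons = []
        if abs(baseline_score(weeks)) > BASELINE_THRESHOLD:
            reasons.append("changed from own baseline")
        if abs(peers[user]) > COHORT_THRESHOLD:
            reasons.append("outlier within cohort")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in detect(WEEKLY_DOC_FETCHES).items():
        print(user, "->", ", ".join(reasons))
```

In the constructed data, "dave" never departs from his own history and is surfaced only by the cohort comparison, which is the case the paragraph raises for monitoring that starts after the activity has begun.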

The data sources for behavior-based technologies are varied. Some use security events collected by SIEM products, while others use captured network traffic, text data mined from social feeds, and even manually keyed-in events documented by HR in personnel files. Given the sensitive nature of such data, users of these technologies will have to weigh their inherent invasiveness against the need to protect the organization’s own data.

BUSINESSES NEED TO ACT ON INSIDER THREAT VULNERABILITIES

Addressing the insider threat is a difficult task for many reasons:

- It’s never pleasant to think about one of your own using the trust he has been given against the organization.

- Past technologies and policy controls have had a spotty track record.

- Privacy implications and the response of employees to monitoring technologies have to be taken into account.

- Unlike investigating an alert arising from a possible external attack, a false positive on an employee amounts to accusing her falsely. This can have personal and professional consequences for the employee and HR consequences for the employer.

Nevertheless, failure to address insider threats can have devastating consequences for a business and all those that depend on it: employees, customers, suppliers, and others. Focusing only on external threats still leaves the most vulnerable part of the network open to attack, so a comprehensive cyber security plan needs to mitigate internal threats. The plan should include:

- Policy controls. At a minimum, everyone should be under nondisclosure agreements, and expectations should be clearly communicated for the proper handling of sensitive information. Other controls may be included to some effect, although they can have drawbacks. For instance, compartmentalization may reduce the exposure of confidential data, but it also limits the exchange of ideas and cross-purpose information. Overemphasis on reporting policies can be detrimental to trust and the culture in the office. And restricting the use of personal devices, personal email access, and social media in the office doesn’t play well with younger members of the workforce, who have integrated these technologies into their personal and professional lives. Industry regulations will also play a big role in which policy controls are required. Each organization must assess its requirements and weigh the benefits and drawbacks of various policy controls for the environment.

- Monitoring technology. Some form of comprehensive monitoring capability should be deployed — one that isn’t rules- or signature-based, is able to apply some level of machine learning, and can detect behavior changes and outliers. If the network is a tightly controlled environment with policies against removable media, outside email, and cloud-based personal storage, rules can be an extra layer to detect some policy violations. Forensics is also important for a monitoring technology. When an incident occurs, it is important to be able to collect evidence and determine what confidential information or systems may have been affected.

- Incident response plans. Insider incidents will occur, and it is important to plan in advance how the organization will respond to them. Incident response plans should be developed with executive direction and support, as well as input from the IT, legal, and HR departments.

With these angles covered, organizations can help secure the most vulnerable part of the network — the part inside the perimeter.

ENDNOTES

[1] “2013 Cost of Cyber Crime Study: United States.” Ponemon Institute, October 2003.

[2] Trade Secrets Institute (http://tsi.brooklaw.edu).

[3] “2014 Data Breach Investigations Report.” Verizon Enterprise Solutions, 2013.

[4] Ponemon Institute (see 1).

[5] “Breach Level Index: First Quarter Recap.” SafeNet, 2014.

[6] “Suburban Chicago Woman Sentenced to Four Years in Prison for Stealing Motorola Trade Secrets Before Boarding Plane to China.” Press release, US Federal Bureau of Investigation, 29 August 2012.

[7] Cummings, Adam, et al. “Insider Threat Study: Illicit Cyber Activity Involving Fraud in the US Financial Services Sector.” Carnegie Mellon University, July 2012.

[8] “A Preliminary Examination of Insider Threat Programs in the US Private Sector.” Intelligence and National Security Alliance, 2013.

[9] Silowash, George, et al. “Common Sense Guide to Mitigating Insider Threats, 4th Edition.” Carnegie Mellon University, December 2012.

[10] Beyer, Justin K. “Two Former Eli Lilly Scientists Accused of Stealing $55 Million in Trade Secrets on Behalf of Chinese Pharmaceutical Company in Southern District of Indiana Indictment.” Trading Secrets, 28 October 2013.

[11] Beyer (see 10).

Chris Kauffman is founder and CEO of Personam, Inc., a technology company that provides insider threat detection products and services. He has 20 years of experience in software product development, specializing in data analytics, machine learning, and the domain of the insider threat problem. Mr. Kauffman was formerly a Managing Partner at Sphere of Influence, where he directed a diverse R&D team of software developers and scientists investigating new technologies in behavioral profiling, emerging trends in real-time social media streams, and significant event prediction from open source indicators. He can be reached at [email protected].
