The Changing Face of Cyber-Attacks: Understanding and preventing both external and insider security breaches

Russell Miller
CA Security Management

WHITE PAPER | June 2013


PROTECT AGAINST INSIDER THREATS AND EXTERNAL ATTACKS

Table of Contents

Executive Summary

Section 1: Challenge
External Cyber-Threats are Changing Rapidly

Section 2: Opportunity
Where Organizations Fall Short

Section 3: Conclusions

Section 4: References

Section 5: About the Author


Executive Summary


Challenge

Techniques to attack computer networks are never static. Methods and tools evolve, as do the attackers themselves. The attacker landscape from a few years ago—where individuals or small groups attacked organizations for fun and profit—no longer exists. The environment is much more complex today. Semi-organized “Hacktivist” groups, such as Anonymous and LulzSec, attempt to cause damage for causes they find worthwhile. Even state-sponsored actors are becoming prominent, bringing dramatically expanded resources to bear. Advanced Persistent Threats (APTs) are perhaps not new, but have come to the forefront of cyber-security awareness as a result of these changes. Insider threats are also ever more complex, with the potential for damage increasing due to rapidly expanding stores of sensitive information and highly-dynamic and virtualized IT environments.

Opportunity

Fortunately, an organization’s toolbox to defend against security breaches is more complete than ever. Beyond perimeter tools and detection solutions, such as firewalls and intrusion detection systems, cyber-security experts can protect their systems and data from the inside out. Data can be automatically discovered, classified and controlled with modern data leak prevention technologies. The identities that are needed to access data and critical systems—particularly privileged identities—can be carefully managed and monitored. With an identity and data-centric approach to security, organizations can meet the challenge of ever-evolving threats.

Benefits

Organizations that successfully reduce the chances of a security breach not only guard their data, but protect their brand, and avoid costly lawsuits and fines. In addition, organizations with an extensive security program can save money by simplifying audits and can focus efforts on innovation instead of constantly worrying about devastating attacks.

Total number of records containing sensitive personal information involved in security breaches in the U.S. is 607,611,003 in 3,716 data breaches between January 2005 and April 2013.

– A Chronology of Data Breaches, Privacy Rights Clearinghouse

“As cybercriminals have become more skillful and sophisticated, they have eroded the effectiveness of our traditional perimeter-based security controls.”1

– Forrester Research, Inc.


Section 1: Challenge

External Cyber-Threats are Changing Rapidly

It is tempting to think about cyber-attacks as an ever-present, but unchanging threat. While individuals, small groups, and organized crime are still significant players, they are no longer the only threat to an organization. To the contrary, attacker profiles have shifted, and new goals and sources of motivation have fundamentally altered the nature of the threat landscape. The trends driving this shift include:

The militarization of cyber-attacks. Network penetrations to cause damage and steal intellectual property are now commonly state-sponsored, with highly-trained, disciplined and patient attackers. Military attackers can have access to resources such as training, computing power, and cutting-edge R&D not available to previous generations of attackers. Their targets range from critical infrastructure to the capture of foreign intellectual property. Recent reports have gone so far as to identify a specific military unit as the source of a significant number of cyber-attacks.

Cyber-security firm Mandiant released a report in February 2013 titled “APT1: Exposing One of China’s Cyber Espionage Units.”2 This report detailed the actions of the China-based group APT1, a unit Mandiant has identified as the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

The rise of “hacktivism”. Groups such as Anonymous frequently attack organizations in the name of social causes and look to cause significant financial and reputational damage to a target organization. Hacktivists have targeted entities from MasterCard and Visa, to the U.S. Department of Justice, the Church of Scientology, the state of Egypt and the World Bank.

New, sophisticated attacks have often been called Advanced Persistent Threats, a term that is sometimes derided, but has attained widespread adoption. Whatever these attacks are called, they have unique qualities that make them more difficult to defend against:

• Patient individuals will wait for new vulnerabilities to open up or combine seemingly small security weaknesses into a large-scale, damaging attack.

• A dedicated, state-sponsored team will not be dissuaded from targeting an organization simply because it has stronger security than similar companies.

• An APT can unfold in a very measured, deliberate manner, helping it evade even the most well-configured firewalls and intrusion-detection systems.

Companies from RSA Security to Google to Northrop Grumman have found themselves the target of these attacks.


“APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.”

– Mandiant

Operation AntiSec

A joint effort by the groups LulzSec, Anonymous, and others, this extremely large hacking operation targeted many companies and government agencies, from the Arizona Department of Public Safety to the British newspaper The Sun and the Fox News Twitter account.


Insider Threats

Insiders pose a significant risk due to the damage they can cause through either malicious or inadvertent actions. The greatest risk comes from an organization’s privileged users. These administrators often possess the privileges to perform essentially any operation on critical systems, and users often have accumulated more entitlements than they need for their current job role.

Insider threats are not all the same. There are three types: malicious insiders who deliberately steal information or cause damage, insiders who are unwittingly exploited by external parties, and insiders who are careless and make unintended mistakes.

• Malicious insiders are the least frequent, but have the potential to cause significant damage due to their insider access. Administrators with privileged identities are especially risky. According to the Ponemon Institute, “data breaches that result from malicious attacks are most costly.”3

• Exploited insiders may be “tricked” by external parties into providing data or passwords they shouldn’t.

• Careless insiders may simply press the wrong key and accidentally delete or modify critical information.

Many security breaches due to insiders are never made public. Organizations would rather keep these breaches private to avoid the reputational hit and customer concerns about their security that may result. However, many highly-damaging insider breaches have been disclosed, both publicly and anonymously.

The potential for damage from insider threats has recently increased with the quantity of sensitive data exploding and more powerful administration tools. The rise of virtualization, in particular, has given rise to new risks. First, there is a new class of administrators on the hypervisor that must be managed, monitored and controlled. Second, those hypervisor administrators can change, copy, or delete dozens of virtual machines with only a few clicks of the mouse, making theft and damage simpler, faster, and more damaging and difficult to detect than ever.

Well-Known Insider Security Breaches

WikiLeaks

In what is perhaps the most well-known insider security breach, (former) U.S. Army Private Bradley Manning leaked hundreds of thousands of classified military and State Department documents to the WikiLeaks organization, which made many of them available on the Internet. While Manning was an “insider”, there are significant questions about why Manning had such extensive access to view and classify classified documents.

Switzerland’s Intelligence Service (NDB)

A senior IT technician reportedly downloaded terabytes of classified counter-terrorism information to physical hard drives, which he carried out of the datacenter in a backpack. Investigators believe that the administrator had become disgruntled when his advice on securing key systems was ignored. A source close to the investigation called the perpetrator a talented technician with “administrator rights”, giving him unrestricted access to most or all of the NDB’s networks, including a significant amount of secret data.5

Insider fraud is a common occurrence. On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months.3

– The Ponemon Institute

About 65 percent of employees who commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft. About 20 percent were recruited by an outsider who targeted the data. More than half steal data within a month of leaving.

– Behavioral Risk Indicators of Malicious Insider IP Theft: Misreading the Writing on the Wall, Eric D. Shaw, Ph.D., Harley V. Stock, Ph.D.


No Industry is Safe From Security Breaches

Industry: Defense
Info: “Every defense company is constantly under attack. If anybody tells you they’re not, it just means they don’t know. It is a threat that is broad-based. It’s not just from one source ... and it’s just unceasing.”6 – Wes Bush, Northrop Grumman Chief Executive
Example: Over a three year period, a Chinese hacker group stole most, if not all, of the intellectual property from U.S. defense contractor Qinetiq, which focuses on drone aircraft and spy satellites.7

Industry: Financial Services
Info: “Even as security practices mature and advance, nearly 25% of the banking respondents indicated they experienced security breaches in the past 12 months”8 – Deloitte
Example: “The US Secret Service estimates that a data breach at Bank of America in California and other western states cost the bank at least $10 million.”9

Industry: Insurance
Info: “Despite increased focus on protecting data from security breaches, approximately 40% of the 46 major insurance organizations have experienced one or more breaches in the past 12 months”8 – Deloitte
Example: In October 2012, attackers stole information on 1.1 million customers of Nationwide and Allied Insurance, putting them at risk for identity theft.10

Industry: Healthcare
Info: Ninety-four percent of healthcare organizations in this study have had at least one data breach in the past two years. However, 45 percent report that they have had more than five incidents. The average cost to the healthcare industry could potentially be as high as $7 billion annually.11 – The Ponemon Institute
Example: Hackers demanded a $10 million ransom after stealing 8.3 million patient records from the state of Virginia.12

Industry: Retail
Info: “24% of breaches occurred in retail environments and restaurants.”13 – Verizon 2013 Data Breach Report
Example: Gucci lost ~$200,000 in lost sales and remediation expenses when a network engineer illegally accessed the company’s network and deleted documents after he was fired.14

Industry: Government
Info: The government and military sector represented 11.2% of the breaches reported in 2012, but 44.4% of the records stolen.15 – ITRC Breach Report, Identity Theft Resource Center, July 2012
Example: A disgruntled San Francisco employee locked the city out of its own FiberWAN network, which contained confidential documents including police records. Even worse, emails were inaccessible and payroll checks could not be issued. The city spent over one million dollars in an unsuccessful attempt to gain access to the network.16

Industry: Education
Info: In 2012, 13.6% of reported breaches were in the education sector, consisting of 2,304,663 records stolen.17 – ITRC Breach Report, Identity Theft Resource Center, July 2012
Example: A group of hackers, calling themselves Team GhostShell, published over 120,000 records on students, faculty and staff, including e-mail addresses, names, usernames, passwords and phone numbers from dozens of universities globally, including Harvard, Oxford, Princeton, Stanford, Johns Hopkins and the University of Zurich.18


Section 2: Opportunity

Where Organizations Fall Short

Organizations have traditionally focused on perimeter security when defending themselves against security breaches. While this obviously falls short of mitigating the risk of insider threats, it is also insufficient for external attacks. Given enough time, a determined attacker will be able to bypass an organization’s perimeter. As part of an Advanced Persistent Threat attack, motivated attackers can spend months or even years targeting a specific organization. Using techniques from “spear phishing” (targeted phishing/email attacks) to exploiting zero-day vulnerabilities where patches do not yet exist, an advanced attacker will breach a target network’s perimeter. When this occurs, the outsider becomes, in effect, an insider.

Nearly all external attacks follow the same four phases:

1. Reconnaissance. An investigation into the organization’s weaknesses, which often includes domain queries and port and vulnerability scans.

2. Initial Entry. Discovered exposures are exploited and a foothold in the target network is established using sophisticated technical methods or social engineering techniques, such as spear phishing.

3. Escalation of Privileges. Following initial penetration, hackers work to acquire more rights and gain control over additional systems—and install a “back door” that makes future access easier.

4. Exploitation. Once control has been established, the assailant will be able to continuously identify, compromise and exploit sensitive data.

Figure labels: “Where the focus is” and “Where the focus should be”

“Only amateurs attack machines; professionals target people.”

– Bruce Schneier

Organizations are generally proficient in perimeter security, from firewalls to intrusion detection systems. However, this is not enough to prevent an attacker from gaining access to an internal identity. Imagine receiving an email that comes from your boss, asking you to review a file. Nearly everyone will click on the file without careful inspection. That simple action can result in arbitrary code executed on a system, granting the attacker full control of the computer.

You can reduce the risk of all three types of insider threats (malicious, exploited, and careless) by enabling accountability, implementing least privilege access, and controlling sensitive data. Accountability will make malicious insiders think twice before acting, help to identify exploited insiders and make users more careful with their actions. Least privilege access will deny actions and limit the damage done by all types of insider attacks, as well as “stop stupid” actions. By controlling sensitive data directly, you can prevent it from being exported out of your network using tools such as USB drives or even email.


An In-Depth Approach to Cyber-Defense

Today’s security capabilities can make each phase of an attack harder, for both insiders and external attackers. The most critical capabilities include:

Privileged Identity Management

Privileged Identity Management lies at the heart of any cyber-defense, whether focused on insiders or external parties. Privileged accounts have the access needed to view and steal an organization’s most sensitive information, or cause the most damage to critical IT systems.

Managing privileged identities requires a multi-pronged approach. In addition to managing shared accounts, additional controls enable accountability for insiders and can limit the damage done by an external attacker that gets access to an administrative account.

Figure A. Privileged Identity Management: Key Capabilities


Key Capability: Shared Account Password Management
Need: Privileged accounts, such as ‘root’ on UNIX and ‘Administrator’ on Windows, are often shared, reducing accountability.
Description: Control access to privileged, administrative accounts with password storage and automatic login capabilities. This is the starting point for most privileged identity management solutions.
Benefit: Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing.

Key Capability: Fine-Grained Access Controls
Need: Access to privileged accounts is often “all or nothing”—an unnecessary security risk that leads to users with more privileges than they need.
Description: Manage privileged user access after login. Control what access users have based on their individual identity, even when using a shared administrative account.
Benefit: Reduces risk by providing administrators with only the minimum privileges they need to do their jobs.

Key Capability: User Activity Reporting / Video Session Recording
Need: Track all user actions to determine what occurred and “who did what” in an investigation. Not all user activities are recorded and many applications do not produce logs, reducing accountability and making forensic investigations difficult.
Description: Records all user actions, tracking all records by individual, even when a shared account is used. Ideally, track on an IT system in a video-like format.
Benefit: Makes it simple to find out “who did what” in a forensic investigation, using an understandable video instead of searching through incomprehensible log files. Enables accountability for users of IT systems. Creates logs for applications that do not natively produce logs.

Key Capability: Virtualization Security
Need: Virtualization adds a new infrastructure layer that must be secured—the hypervisor.
Description: Manage privileged users on VMware, while providing virtualization-aware automation of security controls on virtual machines.
Benefit: Reduces the risks of virtualization, from VMware administrators to virtual machines.

Key Capability: UNIX Authentication Bridging
Need: Managing user accounts and access on individual UNIX and Linux servers is an administrative burden that can lead to errors and oversights.
Description: Authenticate users on UNIX and Linux systems to Microsoft Active Directory.
Benefit: Consolidates authentication and account information in Active Directory, as opposed to managing UNIX credentials locally on each system. Reduces administrative overhead.

56%. “Percentage of execs who say their most serious fraud was due to a privileged user.”19

– Pricewaterhouse Coopers

“If you don’t implement proper controls for privileged users, you run the risk of service-level degradation, audit remediation costs, developers accessing (sensitive) production data, and disgruntled employees taking down your infrastructure or holding you hostage.”20

– Forrester Research, Inc


Identity Management and Governance

A significant cause of security breaches is inappropriate entitlements. This can be caused by incorrect initial access rights settings, accumulation of entitlements over time, or even improper access rights for a user that were intentionally set by a rogue collaborating administrator. Entitlement accumulation can result from a lack of maintenance when an employee changes positions and maintains all of his or her old access rights. While incorrect user entitlements primarily increase the risk of insider threats, outsiders can also gain access to those accounts or find unused accounts that make it easier to hide their activities. One frequent mistake many organizations make is terminating administrators while not immediately de-provisioning their accounts and removing all access rights.

A best practice solution is a comprehensive and continuous process to understand which users should have access to which resources, then validating that each user has the appropriate access entitlements on a regular basis. Identity Governance—segmented at a high level as Role Management and Identity Compliance—involves various identity-related processes including verifying and cleaning up existing user entitlements, building accurate role models and enacting policies and processes which help ensure appropriate assignment of privileges to users. Identity Governance solutions can deliver a variety of benefits including:

• Increased security by automating processes needed to help meet compliance audits and establishing cross-system identity security policies

• Reduced identity management costs by streamlining the steps involved in projects such as role discovery, privilege clean-up and certification

• Improved IAM time-to-value and adherence to policy by more quickly delivering a consistent, accurate role and security foundation
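The entitlement problems described in this section (rights kept after a job change, terminated staff whose accounts stay enabled, unused accounts) can be found with a periodic review against a role model. The following is an added example, not part of the white paper or any CA product; the role model, account records, entitlement names and the 90-day idle threshold are all constructed assumptions.

```python
"""Periodic entitlement review against a role model (added example)."""
from dataclasses import dataclass
from datetime import date

# Constructed role model: role -> entitlements that role should carry.
ROLE_MODEL = {
    "developer": {"source-repo:write", "test-db:read"},
    "dba": {"prod-db:admin", "test-db:admin"},
    "unix-admin": {"unix:root", "backup:operate"},
}


@dataclass
class Account:
    user: str
    role: str            # current job role according to HR
    employed: bool       # HR employment status
    enabled: bool        # account status in the directory
    entitlements: set
    last_login: date


def review(accounts, role_model, today, stale_days=90):
    """Return (user, action, reason) findings for an access certification."""
    findings = []
    for acct in accounts:
        if not acct.employed and acct.enabled:
            # Terminated but still able to log in: remove everything at once.
            findings.append((acct.user, "deprovision",
                             "terminated but account still enabled"))
            continue
        if not acct.enabled:
            continue
        # An unknown role yields an empty allow-set, so every right is flagged.
        allowed = role_model.get(acct.role, set())
        for ent in sorted(acct.entitlements - allowed):
            findings.append((acct.user, "revoke",
                             f"{ent} is not part of role {acct.role}"))
        idle = (today - acct.last_login).days
        if idle > stale_days:
            findings.append((acct.user, "disable-or-certify",
                             f"account unused for {idle} days"))
    return findings


# Constructed sample data: alice moved from DBA to developer and kept a DBA
# right, bob was terminated, svc_backup has not logged in for months.
ACCOUNTS = [
    Account("alice", "developer", True, True,
            {"source-repo:write", "test-db:read", "prod-db:admin"},
            date(2013, 5, 30)),
    Account("bob", "unix-admin", False, True,
            {"unix:root", "backup:operate"}, date(2013, 5, 2)),
    Account("svc_backup", "unix-admin", True, True,
            {"backup:operate"}, date(2012, 11, 13)),
    Account("carol", "dba", True, True,
            {"prod-db:admin", "test-db:admin"}, date(2013, 5, 31)),
]


def demo_findings():
    return review(ACCOUNTS, ROLE_MODEL, today=date(2013, 6, 1))


if __name__ == "__main__":
    for user, action, reason in demo_findings():
        print(f"{user:12} {action:20} {reason}")
```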

Data Controls

The end goal of every cyber-attack is to steal sensitive information or cause damage, so having control over data is an essential component to a successful defense. Likewise, many insider security breaches are the result of an employee downloading valuable data or intellectual property (such as source code). To protect sensitive data, an organization should protect and control data in four states:

1. Data at-access. Sensitive information that an individual in an inappropriate role attempts to access.

2. Data in-use. Sensitive information handled on the local workstation or laptop.

3. Data in-motion. Sensitive information communicated over the network.

4. Data at-rest. Sensitive information stored in repositories such as databases, fileservers or collaboration systems.

To achieve this, organizations must define policies to enforce control if inappropriate access or usage of the data is detected. Once a policy violation occurs (such as attempting to access intellectual property, copying the information to a USB drive or attempting to email it) the solution should mitigate the compromise while generating an alert.

“Knowing and certifying who should have access to what rights in applications is the most important aspect of identity and access management — even if this process doesn’t include fulfillment of access rights granting and revocation.”20

– Forrester Research


Information classification is at the heart of any data security initiative. Without understanding information context, including what the information is and where it is located, it is impossible to implement a comprehensive data protection program. An organization must accurately discover and classify sensitive information based on its level of sensitivity to the organization. This includes intellectual property, but also personally identifiable information, private health information, and other non-public information.

Once information has been properly classified, policies have been defined, and controls have been deployed, an organization can then monitor and control the access and handling of all sensitive information. This includes user actions from simply attempting to access and read sensitive data, to copying to a removable device or printing, to emailing outside the network, to discovering data stored in a repository such as SharePoint.

Advanced Authentication

Passwords don’t provide adequate security for today’s critical applications and information. Security breaches often occur because someone gains access to someone else’s passwords. However, when these attackers authenticate to the system, there are often contextual factors that could, if recognized, raise a warning about the validity of the authentication. For example, if someone from Finance working in New York suddenly logs in from Russia, or if someone logs in from Rome, two hours after logging out in New York, it’s clear that a fraudulent authentication is in progress.

Two-factor authentication provides stronger security than passwords, but when implemented as hardware tokens, it creates significant cost and inconvenience issues of its own. A software-based multi-factor authentication solution can help eliminate these problems because it provides strong, two-factor authentication without changing the user experience, and without the administrative problems that hardware tokens bring.

Risk-based authentication solutions provide a risk score for each attempted authentication that can help determine whether an attempted breach might be in progress. In these cases, additional, stronger authentication methods could be used, the attempt could simply be rejected, or an alarm could be raised.
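The contextual checks and risk score described above can be sketched as follows, using the paper's own New York, Rome and Russia scenarios. This is an added example, not code from the white paper or from any CA product; the weights, thresholds, user name, device names and coordinates are constructed assumptions.

```python
"""Risk-scored login check with impossible-travel detection (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumed weights and thresholds for illustration; tune against real history.
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner: not the same person
MIN_DISTANCE_KM = 50.0       # ignore geo-IP jitter inside one metro area
STEP_UP_AT, REJECT_AT = 40, 80


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(attempt, history):
    """Return (score 0-100, reasons) for an attempt given earlier logins."""
    prior = sorted((h for h in history
                    if h.user == attempt.user and h.when <= attempt.when),
                   key=lambda h: h.when)
    if not prior:
        # Nothing to compare against: ask for a second factor.
        return STEP_UP_AT, ["no login history for this user"]
    score, reasons = 0, []
    last = prior[-1]
    km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    hours = (attempt.when - last.when).total_seconds() / 3600.0
    if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
        score += 60
        reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if attempt.country not in {h.country for h in prior}:
        score += 30
        reasons.append(f"first login from {attempt.country}")
    if attempt.device_id not in {h.device_id for h in prior}:
        score += 20
        reasons.append("unrecognised device")
    return min(score, 100), reasons


def decide(score):
    """Map a risk score to the three responses the text lists."""
    if score >= REJECT_AT:
        return "reject"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def _utc(day, hour):
    return datetime(2013, 6, day, hour, tzinfo=timezone.utc)


# Constructed history: one Finance user who normally works in New York.
HISTORY = [Login("finance.user", _utc(3, 13), "US", 40.7128, -74.0060, "laptop-01")]


def demo():
    attempts = {
        "office": Login("finance.user", _utc(3, 18), "US",
                        40.7306, -73.9866, "laptop-01"),
        "rome_2h": Login("finance.user", _utc(3, 15), "IT",
                         41.9028, 12.4964, "laptop-01"),
        "russia_next_day": Login("finance.user", _utc(4, 13), "RU",
                                 55.7558, 37.6173, "unknown-pc"),
    }
    return {name: decide(score_login(a, HISTORY)[0])
            for name, a in attempts.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The Rome login is rejected on travel speed alone, while the Russia login a day later is physically plausible and is sent to step-up authentication because the country and device are both new.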

Further, advanced authentication can help detect and prevent fraudulent transactions by enforcing different levels of authentication based on the parameters of a given transaction. For example, transactions involving an unusually large amount of money can be forced to go through additional authentication steps to guarantee the identity of the user. Transactions can be further secured through the use of “transaction signing” where the user includes additional information about the transaction such as amount or payee to help protect against man-in-the-middle attacks.


Section 3: Conclusions

Security breaches of all kinds are growing in complexity, sophistication, and impact. A multi-layered approach is necessary in order to deploy effective controls. By approaching security breaches with a focus on privileged identity management, data security, identity and access governance, and advanced authentication, organizations can protect their most critical resources from the inside out from all types of breaches.

Organizations that successfully reduce the chances of a security breach should think beyond the direct cost savings of lost data, fines and lawsuits. The erosion in trust of an organization’s customer base and damage to a brand can be irreparable.

In addition, organizations with an extensive security program can save money by simplifying audits and can focus efforts on innovation instead of breach responses.

Section 4: References

1 Forrester Research, Inc. “Kill Your Data To Protect It From Cybercriminals.” July 12, 2012

2 intelreport.mandiant.com/Mandiant_APT1_Report.pdf

3 The Ponemon Institute, “The Risk of Insider Fraud: Second Annual Study.” February 2013

4 reuters.com/article/2011/04/13/us-djc-ford-tradesecrets-idUSTRE73C3FG20110413

5 informationweek.com/security/attacks/swiss-spooks-warn-of-counter-terrorism-i/240143979

6 reuters.com/article/2011/09/07/us-aero-arms-summit-cybersecurity-idUSTRE7867F120110907

7 m.csoonline.com/article/732784/defense-contractor-under-cyberattack-for-three-years?source=CSONLE_nlt_salted_hash_2013-05-06

8 Deloitte, Inc. “2012 DTTL Global Financial Services Industry Security Survey: Breaking Barriers.”

9 infosecurity-magazine.com/view/18237/insider-data-breach-costs-bank-of-america-over-10-million-says-secret-service/

10 threatpost.com/nationwide-allied-insurance-breach-hits-11-million-users-120512/

11 The Ponemon Institute. “Third Annual Benchmark Study on Patient Privacy & Data Security.” December 2012

12 dailymail.co.uk/news/article-1178276/Hackers-demand--10m-ransom-hijacking-millions-medical-records.html

13 verizonenterprise.com/DBIR/2013/

14 eweek.com/security-watch/former-gucci-employee-indicted-for-it-rampage.html

15 idtheftcenter.org/ITRC%20Breach%20Stats%20Report%202012.pdf

16 slate.com/articles/technology/future_tense/2013/02/fiberwan_terry_childs_gavin_newsom_on_why_governments_should_outsource_technology.single.html

17 idtheftcenter.org/ITRC%20Breach%20Stats%20Report%202012.pdf

18 darkreading.com/attacks-breaches/team-ghostshell-exposes-120000-records-f/240008262

19 online.wsj.com/article/SB10001424052970203753704577255723326557672.html

20 Forrester Research Inc., “Assess Your Identity And Access Management Maturity.” September 26, 2012


Section 5: About the Author

Russell Miller has spent over six years in network security in various roles from ethical hacking to product marketing. He is currently a Director of Solutions Marketing at CA Technologies, focused on privileged identity management and virtualization security. Russell has a B.A. in Computer Science from Middlebury College and an M.B.A. from the MIT Sloan School of Management.

Copyright © 2013 CA. All rights reserved. Microsoft, Active Directory, SharePoint and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX is a registered trademark of The Open Group. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, “Laws”)) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. aCS4037_0613

Connect with CA Technologies at ca.com

Agility Made Possible: The CA Technologies Advantage

CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/customer-success. For more information about CA Technologies go to ca.com.

