The latest Verizon breach report is out, and it's a great opportunity for organizations to absorb its lessons and reevaluate some of their protection strategies. In particular, organizations should consider using encryption along with other security measures to protect against partner-based privilege misuse attacks.
In its 2017 Data Breach Investigations Report (DBIR), Verizon Enterprise reveals that privilege misuse attacks are alive and well. Its researchers received data for 7,743 incidents of privilege misuse in 2016. 277 of those security events disclosed corporate and/or customers' data.
According to Verizon's dataset, privilege misuse primarily affected companies in the Public, Healthcare, and Finance industries. In 60 percent of cases, an end-user stole sensitive data with the hopes of monetizing it. It's therefore not surprising that 71 percent of privilege misuse attackers were financially motivated to steal personal information and medical records. They perpetrated their misdeeds by compromising databases (57 percent), reviewing printed documents (16 percent), and accessing another employee's email (9 percent).
Nearly one fifth (17 percent) of cases included in Verizon's analysis involved individuals surrendering to their curiosity and snooping for information. These actors in some cases aligned with 15 percent of attackers by espousing espionage as a motive. The offending individuals stole trade secrets or internal data approximately a quarter of the time.
Overall, internal actors were primarily responsible for the privilege misuse breaches reported to Verizon at 81.6 percent. External actors came in at 7.2 percent and colluded with internal actors in 8.3 percent of cases. The remaining 2.9 percent of breaches fell on partners.
This last finding might come as a surprise. Organizations like to think of their partners as trusted relationships through which they can expand their business interests and realize their goals. However, just as malicious insiders sometimes hide in an organization's ranks, so too can malevolent employees at another company abuse access to a partner's network to cause harm.
Verizon documented one such security event in its 2016 DBIR. In that case, a cyber insurance firm launched an investigation into one of its clients, an oil and gas company which operated a chain of service stations. The firm's inquiry detected suspicious activity emanating from the service station chain's IT and point-of-sale vendor. As it turns out, a helpdesk employee at the vendor had changed a configuration file. This modification allowed the malicious actor to collect cleartext authorization requests from each fuel pump, information which contained customers' payment card details. The attacker could use that data to conduct fraudulent transactions.
To protect against partner-based privilege misuse incidents such as those detected by Verizon, organizations should store their data on their servers or databases in encrypted form. Another group should in turn manage the encryption keys under an arrangement that's known as transparent encryption. This type of scheme helps ensure that those who can access the data, e.g. partners, do not also have access to the keys. Companies can then implement access controls to further prevent privilege misuse attacks.
Whoever manages the keys will need to know where the keys are located, who owns them, and/or how they are used. To expand their visibility into these factors, organizations should consider investing in a management and monitoring solution for their keys and certificates.
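The two recommendations above (keep data access and key access in separate hands, and know each key's location and owner) can be checked mechanically against an access export. The following is an added example, not code from Verizon or from the original article; the store names, principals, key records and the approved-decryptor list are all constructed assumptions.

```python
# Constructed sample data (not from the report): principals that can read each
# encrypted store, and a key inventory recording owner, location and key users.
STORE_READERS = {
    "pos-transactions-db": {"pos-app", "vendor-helpdesk", "dba-team"},
    "customer-records-db": {"crm-app", "dba-team"},
}
KEY_INVENTORY = [
    {"key_id": "key-pos", "protects": "pos-transactions-db", "owner": "key-custodians",
     "location": "hsm-a", "users": {"pos-app", "vendor-helpdesk"}},
    {"key_id": "key-crm", "protects": "customer-records-db", "owner": None,
     "location": "hsm-a", "users": {"crm-app"}},
    {"key_id": "key-old", "protects": "customer-records-db", "owner": "key-custodians",
     "location": "", "users": {"dba-team"}},
]
# Assumption: only these application identities may hold data access and key use together.
APPROVED_DECRYPTORS = {"pos-app", "crm-app"}


def audit(store_readers, key_inventory, approved):
    """Return sorted (finding, key_id, detail) tuples for both checks."""
    findings = []
    for key in key_inventory:
        # Inventory check: every key needs a known owner and location.
        for field in ("owner", "location"):
            if not key.get(field):
                findings.append(("missing-" + field, key["key_id"], key["protects"]))
        # Separation check: anyone who can both read the store and use its key
        # can recover cleartext, so only approved identities may do both.
        readers = store_readers.get(key["protects"], set())
        for principal in (readers & key["users"]) - approved:
            findings.append(("data-and-key", key["key_id"], principal))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(STORE_READERS, KEY_INVENTORY, APPROVED_DECRYPTORS):
        print(*finding, sep="\t")
```

In this constructed data the partner identity `vendor-helpdesk` and the internal `dba-team` each hold both halves for one store, which is the condition the separation of key management is meant to rule out.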