Who moved my data?
April 2018
When it comes to cyber security, the media focus tends to be on the actions of evil hackers. But in the real world of IT, threats emanating from inside organisations, not hackers, account for around three-quarters of all recorded threat instances [1]. At last year’s Black Hat conference, 84% of attendees who had suffered cyber-attacks attributed all or part to human error [2].
Statistics on data breaches appear to contradict this, in that three-quarters are caused by external actors [3], not internal threats. This reflects the fact that data is more valuable to outsiders.
But this figure also points to internal weaknesses. The majority of data thefts may be attributed to external actors but they gain access by probing for cracks left in an organisation’s cyber armoury. These are cracks that should and could have been closed – hence the problems being recognised as internal too. Robust cyber hygiene is therefore of paramount importance for all organisations.
Two-thirds of malware infections, a particularly virulent form of cyber attack, arrive via email attachment [4]. While this could be deemed an internal fault, staff are often opening infected mail by mistake rather than intentionally.
This gives us three main categories of internal cyber threat:
Malicious intent usually involves targeted attacks against specific organisations. Disgruntled employees might deliberately install malware out of spite or greed. It’s not unknown for employees leaving companies to steal data [5] before moving to competitors, swiping customer account details, intellectual property or financial information.
Encryption makes internal theft more difficult and good human resources practices lay the groundwork for liability. These efforts may not stop misuse but do at least allow for restitution. Monitoring and correlation tools can spot suspicious events, such as employees accessing data outside their privilege levels or data being exfiltrated outside the company.
Email-based infections rely on people clicking a link that goes to a fraudulent website or opening an attachment containing malware.
Common ways to prevent these are user education – which must be reinforced regularly – and anti-virus software. Despite growing awareness, these attacks, which are cheap and easy to launch, are still prevalent and clear evidence that employees are still clicking on them.
It is also important to be aware that your firewall may be whitelisting certain things, such as DNS traffic, so any attacks launched via DNS could go straight through your firewall to the intended target.
An often-quoted example of exploiting a vulnerability that technically could have been patched occurred when the WannaCry ransomware exploded in May 2017. It hit organisations in 150 countries, notably the UK National Health Service, where up to 19,000 appointments had to be cancelled [6]. Renault stopped production at several sites and FedEx, Deutsche Bahn and Spain’s Telefónica were also impacted, among others. Petya was another similar attack which caused the biggest disruption to ever hit the global shipping industry [7], particularly Maersk.
A Government report into the impact of WannaCry on the NHS [6] concluded that cyber security advice to patch older systems, or migrate away from those that could not be patched, had not been followed. Although a lack of time and resources was partly to blame, not to mention the sophistication of the WannaCry attack, Microsoft had issued patches to close the relevant loophole two months beforehand.
If you are hit by a cyber attack, you don’t have much time. Verizon’s 2018 report on global data breaches [3] reveals that 87% of compromises took minutes to take effect but that 65% went unnoticed for months. Only 3% of breaches are discovered within minutes.
Prevention is therefore much better than cure. Methods you can employ to ward off insider (and external) cyber security threats include:
Depending on the nature of your business and the sensitivity of your data, you are probably already employing all of the above in varying degrees.
When it comes to the last one on that list – protective systems – the range of possible threats is so wide that only a system operating at the core of your network infrastructure can cover it effectively. That means the DNS.
DNS is the phone book of the internet, translating human-readable names such as www.example.uk into the numerical IP address (e.g. 203.0.113.17) that programs use to reach any website. DNS traffic forms an integral part of the lowest levels of network traffic, so large numbers of DNS packets are travelling constantly.
For this reason, DNS packets are often overlooked by protective systems (like firewalls) and are vulnerable to manipulation by malware. But that also makes them perfect places to look for signs of that malware.
Nominet is at the heart of the UK internet and operates DNS-based defence programs and services to keep governments and other organisations safe from harm.
It is important for all organisations to employ a range of solutions to protect themselves from cyber threats. Using Nominet for this ‘technical element’ gives you protection designed into the heart of your network.
By analysing DNS packets in real time, our systems provide you with unique visibility of the threats to your organisation, pinpointing anomalous behaviour and automatically blocking known threats at the DNS level across your entire digital estate. Our algorithms are also designed to build up a picture of your network over time, allowing you to adapt to emerging threats.
The system also detects command and control malware, and severs the communication with the host, stopping the attack from unfolding. We also fortify your security by interrogating your network traffic against third-party intelligence from reputable sources around the world.
Coupling detection and blocking together protects your organisation when staff innocently click on links or install malware – as soon as malware tries to connect with the outside world, we’ll spot it.
The systems can also detect the signs of DNS tunnelling, a data exfiltration technique commonly used to sneak data out of otherwise secure locations.
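To make the two detection signals described above concrete, here is an added Python example (not Nominet's code) that runs a resolver log through a threat-intelligence match for known command-and-control domains and a tunnelling heuristic that looks for repeated long, high-entropy leading labels under one base domain. The log format, hostnames, blocklist and thresholds are all constructed for this illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<client-ip> <qtype> <qname>".
# Hostnames, the tunnelling labels and the blocklist entry are all invented.
SAMPLE_LOG = """\
10.0.0.5 A www.example.uk
10.0.0.5 MX example.uk
10.0.0.5 A static-assets-eu-west.cdn.example
10.0.0.9 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.exfil-test.example
10.0.0.9 TXT nbswy3dpeb3w64tmmqqhe2lfoqqgc3tbnrsxg5dj.exfil-test.example
10.0.0.9 TXT krsxg5bamfxgiidtmvrxk4tfebtwc3tbnvsxgz3s.exfil-test.example
10.0.0.9 TXT onswy3dpebrxe5lfnqqgs4zanfxsazlyebxwm4zs.exfil-test.example
10.0.0.7 A known-c2.example
"""

# Constructed stand-in for a third-party threat-intelligence feed of C2 domains.
KNOWN_C2 = {"known-c2.example"}

def shannon_entropy(s):
    """Bits per character: dictionary words sit around 3, encoded data near 4-5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname):
    """Last two labels as the registered domain. Simplification: a real tool
    would consult the public suffix list so that names under co.uk group correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyse(log, min_label=30, min_entropy=3.0, min_queries=3):
    """Return the known-C2 base domains seen and, for each base domain that
    received at least min_queries long random-looking leading labels, the
    record types used (tunnelling tools lean on TXT/NULL for the downstream)."""
    blocked = set()
    hits = defaultdict(int)
    qtypes = defaultdict(set)
    for line in log.strip().splitlines():
        _client, qtype, qname = line.split()
        base = base_domain(qname)
        if base in KNOWN_C2:              # threat-intel match: block, stop analysing
            blocked.add(base)
            continue
        labels = qname.rstrip(".").split(".")
        leading = labels[0] if len(labels) > 2 else ""   # no subdomain -> nothing to carry data
        if len(leading) >= min_label and shannon_entropy(leading) >= min_entropy:
            hits[base] += 1
            qtypes[base].add(qtype)
    tunnelling = {d: sorted(qtypes[d]) for d, n in hits.items() if n >= min_queries}
    return {"blocked": sorted(blocked), "tunnelling": tunnelling}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the constructed log this flags exfil-test.example as a tunnelling channel over TXT records and known-c2.example as a blocked C2 domain, while the ordinary example.uk and CDN lookups pass untouched.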
This article was originally published here.