Massive Korean breach stokes insider threat warnings

News by Tim Ring

Expert reaction to Korean breach emphasises need to prioritise tackling insider threat

UK organisations are being urged to take a series of security steps such as encryption, staff education and monitoring, and limiting ‘privileged' users' access to data, in the wake of the theft of 20 million people's credit card details in South Korea.

As SC reported on Monday, the massive data breach was caused by a contractor at credit scoring firm Korea Credit Bureau being able to access, steal and sell the financial data of around 40 percent of the population of South Korea.

Among security experts, it ranks second only to the ‘insider theft' of secret data on US intelligence operations by ex-contractor Edward Snowden - and has prompted warnings that UK companies are still too focused on external cyber security threats.

Mark Brown, director of information security at Ernst & Young, told “The breach highlights to companies the significant and realistic risk of an insider threat to their security systems. We see many businesses focusing significant resource on tackling and responding to external risks and threats in information security. However, it is important to reinforce that good security starts internally. It is vital that all employees are educated on cyber risks to minimise an organisation's exposure to data mishandling.”

Paul Ayers, VP for EMEA at enterprise data security firm Vormetric, agreed, saying that recent research by his firm shows “a whopping 73 percent of organisations” fail to block privileged insider user access to sensitive data.

In an emailed comment to journalists, he said: “Privileged users exist in all organisations. Examples include ‘root' users, domain administrators and system administrators, many of which are often short-term contractors. They often have powerful, privileged, network access rights and, although these users require a high level of access to enable them to conduct the tasks that they need to perform – like software installation, system configuration, etc – there is a very real security issue that arises when these users also have access to data stored within computer systems, and have the ability to read documents, copy or change them.”

Ayers advised: “The best solution is to limit access so that privileged users can't actually read or edit the information in data files, but can still move them around as their job requires.”

But he warned: “Unfortunately the majority of organisations do not yet have this capability and the Korea Credit Bureau incident is an example of what can go wrong. This will likely begin to change as more incidents of insider threat data breaches make headlines, but for now a high level of risk from inside company networks remains.”

Matt Middleton-Leal, regional director for UK & Ireland at CyberArk, pointed out via email that the insider threat does not just apply just to the ‘privileged' person concerned. “The threat from within can also include the accidental misuse of privileged access, or the abuse of these accounts by cyber attackers, who immediately seek out these credentials once inside a corporate network in order to steal information or embed malware in a system.”

Like many of the experts, Middleton-Leal emphasised that “a breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information”.

He recommended: “It is essential for organisations to have a system in place that is capable of managing, monitoring and controlling all privileged access and activity, with the option to terminate a malicious session if necessary.”

Mark James, technical director at ESET UK, said in a comment to journalists that  “encryption is a key first step, and ensuring data is fully locked down should be a basic” – but he too felt that “organisations need to be aware that despite having the latest technology in place the biggest threat, whether intentional or accidental, may in fact come from within.” 

James advised: “The ultimate aim of any IT policy should be the creation of a ‘security-aware' workforce. All staff should be conscious of the security risks they face, best practice and likewise feel empowered by processes policing access to sensitive data.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews