
WHITE PAPER | June 2013

The Changing Face of Cyber-Attacks: Understanding and preventing both external and insider security breaches

Russell Miller CA Security Management PROTECT AGAINST INSIDER THREATS AND EXTERNAL ATTACKS

Table of Contents

Executive Summary  3
Section 1: Challenge: External Cyber-Threats are Changing Rapidly  4
Section 2: Opportunity: Where Organizations Fall Short  7
Section 3: Conclusions  12
Section 4: References  12
Section 5: About the Author  13


Executive Summary

Challenge

Techniques to attack computer networks are never static. Methods and tools evolve, as do the attackers themselves. The attacker landscape from a few years ago—where individuals or small groups attacked organizations for fun and profit—no longer exists. The environment is much more complex today. Semi-organized “Hacktivist” groups, such as and LulzSec, attempt to cause damage for causes they find worthwhile. Even state-sponsored actors are becoming prominent, bringing dramatically expanded resources to bear. Advanced Persistent Threats (APTs) are perhaps not new, but have come to the forefront of cyber-security awareness as a result of these changes. Insider threats are also ever more complex, with the potential for damage increasing due to rapidly expanding stores of sensitive information and highly-dynamic and virtualized IT environments.

Total number of records containing sensitive personal information involved in security breaches in the U.S. is 607,611,003 in 3,716 data breaches between January 2005 and April 2013. – A Chronology of Data Breaches, Privacy Rights Clearinghouse

Opportunity

Fortunately, an organization’s toolbox to defend against security breaches is more complete than ever. Beyond perimeter tools and detection solutions, such as firewalls and intrusion detection systems, cyber-security experts can protect their systems and data from the inside out. Data can be automatically discovered, classified and controlled with modern data leak prevention technologies. The identities that are needed to access data and critical systems—particularly privileged identities—can be carefully managed and monitored. With an identity and data-centric approach to security, organizations can meet the challenge of ever-evolving threats.

“As cybercriminals have become more skillful and sophisticated, they have eroded the effectiveness of our traditional perimeter-based security controls.”1 – Forrester Research, Inc.

Benefits

Organizations that successfully reduce the chances of a security breach not only guard their data, but protect their brand, and avoid costly lawsuits and fines. In addition, organizations with an extensive security program can save money by simplifying audits and can focus efforts on innovation instead of constantly worrying about devastating attacks.


Section 1: Challenge
External Cyber-Threats are Changing Rapidly

It is tempting to think about cyber-attacks as an ever-present, but unchanging threat. While individuals, small groups, and organized crime are still significant players, they are no longer the only threat to an organization. To the contrary, attacker profiles have shifted, and new goals and sources of motivation have fundamentally altered the nature of the threat landscape. The trends driving this shift include:

The militarization of cyber-attacks. Network penetrations to cause damage and steal intellectual property are now commonly state-sponsored, with highly-trained, disciplined and patient attackers. Military attackers can have access to resources such as training, computing power, and cutting-edge R&D not available to previous generations of attackers. Their targets range from critical infrastructure to the capture of foreign intellectual property. Recent reports have gone so far as to identify a specific military unit as the source of a significant number of cyber-attacks.

Cyber-security firm Mandiant released a report in February 2013 titled “APT1: Exposing One of ’s Cyber Espionage Units.”2 This report detailed the actions of the China-based group APT1, a unit Mandiant has identified as the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, which is most commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

“APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.” – Mandiant

The rise of “Hacktivism”. Groups such as Anonymous frequently attack organizations in the name of social causes and look to cause significant financial and reputational damage to a target organization. Hacktivists have targeted entities from MasterCard and Visa, to the U.S. Department of Justice, the Church of Scientology, the state of Egypt and the World Bank.

Operation AntiSec: A joint effort by the groups LulzSec, Anonymous, and others, this extremely large hacking operation targeted many companies and government agencies, from the Arizona Department of Public Safety to the British newspaper The Sun and the Fox News Twitter account.

New, sophisticated attacks have often been called Advanced Persistent Threats, a term that is sometimes derided, but has attained widespread adoption. Whatever these attacks are called, they have unique qualities that make them more difficult to defend against:

• Patient individuals will wait for new vulnerabilities to open up or combine seemingly small security weaknesses into a large-scale, damaging attack.

• A dedicated, state-sponsored team will not be dissuaded from targeting an organization simply because it has stronger security than similar companies.

• An APT can unfold in a very measured, deliberate manner, helping it evade even the most well-configured firewalls and intrusion-detection systems.

Companies from RSA Security to Google to Northrop Grumman have found themselves the target of these attacks.


Insider Threats

Insiders pose a significant risk due to the damage they can cause through either malicious or inadvertent actions. The most dangerous risk is an organization’s privileged users. These administrators often possess the privileges to perform essentially any operation on critical systems, and users often have accumulated more entitlements than they need for their current job role.

Insider fraud is a common occurrence. On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months.3 – The Ponemon Institute

Insider threats are not all the same. There are three types of insider threats: malicious insiders who deliberately steal information or cause damage, insiders who are unwittingly exploited by external parties, and insiders who are careless and make unintended mistakes.

• Malicious insiders are the least frequent, but have the potential to cause significant damage due to their insider access. Administrators with privileged identities are especially risky. According to the Ponemon Institute, “data breaches that result from malicious attacks are most costly.”3

• Exploited insiders may be “tricked” by external parties into providing data or passwords they shouldn’t.

• Careless insiders may simply press the wrong key and accidentally delete or modify critical information.

Many security breaches due to insiders are never made public. Organizations would rather keep these breaches private to avoid the reputational hit and customer concerns about their security that may result. However, many highly-damaging insider breaches have been disclosed, both publicly and anonymously.

The potential for damage from insider threats has recently increased with the quantity of sensitive data exploding and more powerful administration tools. The rise of virtualization, in particular, has given rise to new risks. First, there is a new class of administrators on the hypervisor that must be managed, monitored and controlled. Second, those hypervisor administrators can change, copy, or delete dozens of virtual machines with only a few clicks of the mouse, making theft and damage simpler, faster, and more damaging and difficult to detect than ever.

About 65 percent of employees who commit insider IP theft had already accepted positions with a competing company or started their own company at the time of the theft. About 20 percent were recruited by an outsider who targeted the data. More than half steal data within a month of leaving. – Behavioral Risk Indicators of Malicious Insider IP Theft: Misreading the Writing on the Wall, Eric D. Shaw, Ph.D., Harley V. Stock, Ph.D.

Well-Known Insider Security Breaches

WikiLeaks
In what is perhaps the most well-known insider security breach, (former) U.S. Army Private Bradley Manning leaked hundreds of thousands of classified military and State Department documents to the WikiLeaks organization, which made many of them available on the Internet. While an “insider”, there are significant questions about why Manning had such extensive access to view and classify classified documents.

Switzerland’s Intelligence Service (NDB)
A senior IT technician reportedly downloaded terabytes of classified counter-terrorism information to physical hard drives, which he carried out of the datacenter in a backpack. Investigators believe that the administrator had become disgruntled when his advice on securing key systems was ignored. A source close to the investigation called the perpetrator a talented technician with “administrator rights”, giving him unrestricted access to most or all of the NDB’s networks, including a significant amount of secret data.5


No Industry is Safe From Security Breaches

Defense
Info: “Every defense company is constantly under attack. If anybody tells you they’re not, it just means they don’t know. It is a threat that is broad-based. It’s not just from one source ... and it’s just unceasing.”6 – Wes Bush, Northrop Grumman Chief Executive
Example: Over a three year period, a Chinese group stole most, if not all, of the intellectual property from U.S. defense contractor Qinetiq, which focuses on drone aircraft and spy satellites.7

Financial Services
Info: “Even as security practices mature and advance, nearly 25% of the banking respondents indicated they experienced security breaches in the past 12 months”8 – Deloitte
Example: “The US Secret Service estimates that a data breach at Bank of America in California and other western states cost the bank at least $10 million.”9

Insurance
Info: “Despite increased focus on protecting data from security breaches, approximately 40% of the 46 major organizations have experienced one or more breaches in the past 12 months”8 – Deloitte
Example: In October 2012, attackers stole information on 1.1 million customers of Nationwide and Allied Insurance, putting them at risk for identity theft.10

Healthcare
Info: Ninety-four percent of healthcare organizations in this study have had at least one data breach in the past two years. However, 45 percent report that they have had more than five incidents. The average cost to the healthcare industry could potentially be as high as $7 billion annually.11 – The Ponemon Institute
Example: demanded a $10 million ransom after stealing 8.3 million patient records from the state of Virginia.12

Retail
Info: “24% of breaches occurred in retail environments and restaurants.”13 – Verizon 2013 Data Breach Report
Example: Gucci lost ~$200,000 in lost sales and remediation expenses when a network engineer illegally accessed the company’s network and deleted documents after he was fired.14

Government
Info: The government and military sector represented 11.2% of the breaches reported in 2012, but 44.4% of the records stolen.15 – ITRC Breach Report, Identity Theft Resource Center, July 2012
Example: A disgruntled San Francisco employee locked the city out of its own FiberWAN network, which contained confidential documents including police records. Even worse, emails were inaccessible and payroll checks could not be issued. The city spent over one million dollars in an unsuccessful attempt to gain access to the network.16

Education
Info: In 2012, 13.6% of reported breaches were in the education sector, consisting of 2,304,663 records stolen.17 – ITRC Breach Report, Identity Theft Resource Center, July 2012
Example: A group of hackers, calling themselves Team GhostShell, published over 120,000 records on students, faculty and staff, including e-mail addresses, names, usernames, passwords and phone numbers from dozens of universities globally, including Harvard, Oxford, Princeton, Stanford, Johns Hopkins and the University of Zurich.18


Section 2: Opportunity
Where Organizations Fall Short

Organizations have traditionally focused on perimeter security when defending themselves against security breaches. While this obviously falls short of mitigating the risk of insider threats, it is also insufficient for external attacks. Given enough time, a determined attacker will be able to bypass an organization’s perimeter. As part of an Advanced Persistent Threat attack, motivated attackers can spend months or even years targeting a specific organization. Using techniques from “spear phishing” (targeted phishing/email attacks) to exploiting zero-day vulnerabilities where patches do not yet exist, an advanced attacker will breach a target network’s perimeter. When this occurs, the outsider becomes, in effect, an insider.

“Only amateurs attack machines; professionals target people.” – Bruce Schneier

Nearly all external attacks follow the same four phases:

Reconnaissance: An investigation into the organization’s weaknesses, which often includes domain queries and port and vulnerability scans.

Initial Entry: Discovered exposures are exploited and a foothold in the target network is established using sophisticated technical methods or social engineering techniques, such as spear phishing.

Escalation of Privileges: Following initial penetration, hackers work to acquire more rights and gain control over additional systems—and install a “back door” that makes future access easier.

Exploitation: Once control has been established, the assailant will be able to continuously identify, compromise and exploit sensitive data.

(Figure labels: “Where the focus is” / “Where the focus should be”)

Organizations are generally proficient in perimeter security, from firewalls to intrusion detection systems. However, this is not enough to prevent an attacker from gaining access to an internal identity. Imagine receiving an email that comes from your boss, asking you to review a file. Nearly everyone will click on the file without careful inspection. That simple action can result in arbitrary code executed on a system, granting the attacker full control of the computer.

You can reduce the risk of all three types of insider threats (malicious, exploited, and careless) by enabling accountability, implementing least privilege access, and controlling sensitive data. Accountability will make malicious insiders think twice before acting, help to identify exploited insiders and make users more careful with their actions. Least privilege access will deny actions and limit the damage done by all types of insider attacks, as well as “stop stupid” actions. By controlling sensitive data directly, you can prevent it from being exported out of your network using tools such as USB drives or even email.


An In-Depth Approach to Cyber-Defense

Today’s security capabilities can make each phase of an attack harder, for both insiders and external attackers. The most critical capabilities include:

Privileged Identity Management

Privileged Identity Management lies at the heart of any cyber-defense, whether focused on insiders or external parties. Privileged accounts have the access needed to view and steal an organization’s most sensitive information, or cause the most damage to critical IT systems.

Managing privileged identities requires a multi-pronged approach. In addition to managing shared accounts, additional controls enable accountability for insiders and can limit the damage done by an external attacker that gets access to an administrative account.

Figure A. Privileged Identity Management: Key Capabilities


Key Capability: Shared Account Password Management
Need: Privileged accounts, such as ‘root’ on UNIX and ‘Administrator’ on Windows, are often shared, reducing accountability.
Description: Control access to privileged, administrative accounts with password storage and automatic login capabilities. This is the starting point for most privileged identity management solutions.
Benefit: Reduces the risk of unauthorized users gaining access to privileged accounts. Prevents password sharing.

Key Capability: Fine-Grained Access Controls
Need: Access to privileged accounts is often “all or nothing”—an unnecessary security risk that leads to users with more privileges than they need.
Description: Manage privileged user access after login. Control what access users have based on their individual identity, even when using a shared administrative account.
Benefit: Reduces risk by providing administrators with only the minimum privileges they need to do their jobs.

Key Capability: User Activity Reporting / Video Session Recording
Need: Track all user actions to determine what occurred and “who did what” in an investigation. Not all user activities are recorded and many applications do not produce logs, reducing accountability and making forensic investigations difficult.
Description: Records all user actions, tracking all records by individual, even when a shared account is used. Ideally, track on an IT system in a video-like format.
Benefit: Makes it simple to find out “who did what” in a forensic investigation, using an understandable video instead of searching through incomprehensible log files. Enables accountability for users of IT systems. Creates logs for applications that do not natively produce logs.

Key Capability: Virtualization Security
Need: Virtualization adds a new infrastructure layer that must be secured—the hypervisor.
Description: Manage privileged users on VMware, while providing virtualization-aware automation of security controls on virtual machines.
Benefit: Reduces the risks of virtualization, from VMware administrators to virtual machines.

Key Capability: UNIX Authentication Bridging
Need: Managing user accounts and access on individual UNIX and Linux servers is an administrative burden that can lead to errors and oversights.
Description: Authenticate users on UNIX and Linux systems to Microsoft Active Directory.
Benefit: Consolidates authentication and account information in Active Directory, as opposed to managing UNIX credentials locally on each system. Reduces administrative overhead.

56%: Percentage of execs who say their most serious fraud was due to a privileged user.19 – Pricewaterhouse Coopers

“If you don’t implement proper controls for privileged users, you run the risk of service-level degradation, remediation costs, developers accessing (sensitive) production data, and disgruntled employees taking down your infrastructure or holding you hostage.”20 – Forrester Research, Inc.
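The first three capabilities in the table (shared-account password management, fine-grained control after login, and per-individual activity records) can be shown together in a small model: a vault that only hands out the shared ‘root’ credential to a named person, rotates it on check-in, decides each operation against that person’s own entitlement rather than the account’s, and writes an audit record naming the individual. This is an added example written for this page; it is not code from the white paper or from any CA product, and the policy table, user names and operation names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed policy: operations each named person may run while using the
# shared 'root' account. Anyone not listed is entitled to nothing.
COMMAND_POLICY: Dict[str, Set[str]] = {
    "alice": {"restart_service", "read_logs", "rotate_keys"},
    "bob": {"read_logs"},
}


@dataclass
class AuditRecord:
    individual: str        # the person, recorded even though the account is shared
    shared_account: str
    operation: str
    allowed: bool
    timestamp: str


@dataclass
class Session:
    """One checked-out shared account, bound to the individual who took it."""
    individual: str
    shared_account: str
    audit_log: List[AuditRecord]

    def run(self, operation: str) -> bool:
        """Fine-grained control after login: decide per individual, then log."""
        allowed = operation in COMMAND_POLICY.get(self.individual, set())
        self.audit_log.append(AuditRecord(
            self.individual, self.shared_account, operation, allowed,
            datetime.now(timezone.utc).isoformat()))
        return allowed


class PasswordVault:
    """Shared-account password management: storage, attributed checkout, rotation."""

    def __init__(self, accounts: List[str]):
        self._passwords = {a: secrets.token_urlsafe(16) for a in accounts}
        self.audit_log: List[AuditRecord] = []
        self.checkouts: List[Tuple[str, str]] = []   # (individual, account)

    def can_checkout(self, individual: str) -> bool:
        return individual in COMMAND_POLICY

    def checkout(self, individual: str, account: str) -> Session:
        if not self.can_checkout(individual):
            raise PermissionError(f"{individual} is not entitled to {account}")
        self.checkouts.append((individual, account))
        return Session(individual, account, self.audit_log)

    def checkin(self, session: Session) -> None:
        """Rotate the password so the value the person saw stops working."""
        self._passwords[session.shared_account] = secrets.token_urlsafe(16)

    def password_for(self, account: str) -> str:
        return self._passwords[account]


def who_did_what(log: List[AuditRecord], operation: str) -> List[str]:
    """The forensic question from the table: which individuals ran this operation."""
    return [r.individual for r in log if r.operation == operation and r.allowed]


if __name__ == "__main__":
    vault = PasswordVault(["root"])
    s = vault.checkout("bob", "root")
    print("bob read_logs:", s.run("read_logs"))                 # True
    print("bob restart_service:", s.run("restart_service"))     # False
    vault.checkin(s)
    print("who read logs:", who_did_what(vault.audit_log, "read_logs"))
```

In a real deployment the vault injects the credential into the session rather than showing it to the person, but the accountability property is the same: every record carries the individual, never just ‘root’.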


Identity Management and Governance

A significant cause of security breaches is inappropriate entitlements. This can be caused by incorrect initial access rights settings, accumulation of entitlements over time, or even improper access rights for a user that were intentionally set by a rogue collaborating administrator. Entitlement accumulation can result from a lack of maintenance when an employee changes positions and maintains all of his or her old access rights. While incorrect user entitlements primarily increase the risk of insider threats, outsiders can also gain access to those accounts or find unused accounts that make it easier to hide their activities. One frequent mistake many organizations make is terminating administrators while not immediately de-provisioning their accounts and removing all access rights.

A best practice solution is a comprehensive and continuous process to understand which users should have access to which resources, then validating that each user has the appropriate entitlements on a regular basis. Identity Governance—segmented at a high level as Role Management and Identity Compliance—involves various identity-related processes including verifying and cleaning up existing user entitlements, building accurate role models and enacting policies and processes which help ensure appropriate assignment of privileges to users. Identity Governance solutions can deliver a variety of benefits including:

• Increased security by automating processes needed to help meet compliance audits and establishing cross-system identity security policies

• Reduced identity management costs by streamlining the steps involved in projects such as role discovery, privilege clean-up and certification

• Improved IAM time-to-value and adherence to policy by more quickly delivering a consistent, accurate role and security foundation

“Knowing and certifying who should have access to what rights in applications is the most important aspect of identity and access management — even if this process doesn’t include fulfillment of access rights granting and revocation.”20 – Forrester Research
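The certification process described above (compare what each user actually holds against a role model, flag accumulated rights from an old position, and flag terminated administrators whose accounts were never de-provisioned) can be expressed as a short review routine. This is an added example for this page, not code from the white paper or any identity governance product; the role model, the entitlement names and the four sample users are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role model: the entitlements each job role should carry.
ROLE_MODEL: Dict[str, Set[str]] = {
    "accounts_payable": {"erp.invoices.read", "erp.invoices.approve"},
    "sales": {"crm.accounts.read", "crm.opportunities.write"},
    "unix_admin": {"unix.sudo", "unix.ssh"},
}

# Constructed user records as an IAM system might export them.
SAMPLE_USERS: List[dict] = [
    # u1 moved from accounts payable to sales and kept the approval right.
    {"id": "u1", "role": "sales", "status": "active",
     "entitlements": {"crm.accounts.read", "crm.opportunities.write",
                      "erp.invoices.approve"}},
    # u2 holds less than the role allows; that is not a security finding.
    {"id": "u2", "role": "accounts_payable", "status": "active",
     "entitlements": {"erp.invoices.read"}},
    # u3 is a terminated administrator who was never de-provisioned.
    {"id": "u3", "role": "unix_admin", "status": "terminated",
     "entitlements": {"unix.sudo", "unix.ssh"}},
    {"id": "u4", "role": "sales", "status": "active",
     "entitlements": {"crm.accounts.read"}},
]


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str                    # "excess", "terminated_with_access", "unknown_role"
    entitlements: Tuple[str, ...]  # what should be revoked


def certify(users: List[dict], role_model: Dict[str, Set[str]]) -> List[Finding]:
    """One certification pass: every entitlement must be explained by the role."""
    findings: List[Finding] = []
    for u in sorted(users, key=lambda x: x["id"]):
        actual: Set[str] = set(u["entitlements"])
        if u["status"] != "active":
            # Leavers must hold nothing at all, whatever their former role.
            if actual:
                findings.append(Finding(u["id"], "terminated_with_access",
                                        tuple(sorted(actual))))
            continue
        if u["role"] not in role_model:
            findings.append(Finding(u["id"], "unknown_role", tuple(sorted(actual))))
            continue
        excess = actual - role_model[u["role"]]
        if excess:
            findings.append(Finding(u["id"], "excess", tuple(sorted(excess))))
    return findings


def revocation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Turn findings into the revocations a provisioning system would apply."""
    plan: Dict[str, List[str]] = {}
    for f in findings:
        plan.setdefault(f.user_id, []).extend(f.entitlements)
    return plan


if __name__ == "__main__":
    for f in certify(SAMPLE_USERS, ROLE_MODEL):
        print(f.user_id, f.kind, f.entitlements)
    print(revocation_plan(certify(SAMPLE_USERS, ROLE_MODEL)))
```

Run on a schedule, this is the “continuous process” the text calls for; the same comparison is what a manager sees in a certification campaign, with the role model doing the work of explaining which rights are legitimate.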

Data Controls

The end goal of every cyber-attack is to steal sensitive information or cause damage, so having control over data is an essential component of a successful defense. Likewise, many insider security breaches are the result of an employee downloading valuable intellectual property (such as source code). To protect sensitive data, an organization should protect and control data in four states:

1. Data at-access. Sensitive information attempting to be accessed by an individual in an inappropriate role.

2. Data in-use. Sensitive information handled on the local workstation or laptop.

3. Data in-motion. Sensitive information communicated over the network.

4. Data at-rest. Sensitive information stored in repositories such as databases, fileservers or collaboration systems.

To achieve this, organizations must define policies to enforce control if inappropriate access or usage of the data is detected. Once a policy violation occurs (such as attempting to access intellectual property, copying the information to a USB drive or attempting to email it) the solution should mitigate the compromise while generating an alert.


Information classification is at the heart of any data security initiative. Without understanding information context, including what the information is and where it is located, it is impossible to implement a comprehensive data protection program. An organization must accurately discover and classify sensitive information based on its level of sensitivity to the organization. This includes intellectual property, but also personally identifiable information, private health information, and other non-public information.

Once information has been properly classified, policies have been defined, and controls have been deployed, an organization can then monitor and control the access and handling of all sensitive information. This includes user actions from simply attempting to access and read sensitive data, to copying to a removable device or printing, to emailing outside the network, to discovering data stored in a repository such as SharePoint.
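The sequence the last three paragraphs describe (classify first, then apply a policy to the action being attempted on the data) can be shown end to end with a small classifier and policy engine. This is an added example for this page, not code from the white paper or from any data leak prevention product. The classifier recognises U.S. SSN-shaped numbers, card numbers that pass the Luhn check, and a “CONFIDENTIAL”/“PROPRIETARY” marking as a stand-in for intellectual property; the roles, action names and sample texts are constructed, and a real deployment would use far richer content inspection.

```python
import re
from typing import Tuple

# Sensitivity classes, least to most restricted.
PUBLIC, PII, IP = "PUBLIC", "PII", "IP"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IP_MARKERS = ("CONFIDENTIAL", "PROPRIETARY")   # constructed markings


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> str:
    """Return the most restrictive class found in the text."""
    if any(marker in text for marker in IP_MARKERS):
        return IP
    if SSN_RE.search(text):
        return PII
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return PII
    return PUBLIC


# Constructed policy: which roles may access each class at all (data at-access).
ROLES_ALLOWED = {PII: {"finance", "hr"}, IP: {"engineering"}}
# Actions that move data off the controlled system (in-use / in-motion).
EXFIL_ACTIONS = {"copy_usb", "email_external", "print"}


def evaluate(sensitivity: str, action: str, role: str) -> Tuple[str, bool]:
    """Return (decision, alert): 'allow'/'block' and whether to raise an alert."""
    if sensitivity == PUBLIC:
        return "allow", False
    if role not in ROLES_ALLOWED[sensitivity]:
        return "block", True          # inappropriate role even for a read
    if action in EXFIL_ACTIONS:
        return "block", True          # the USB / email cases named in the text
    return "allow", False


def inspect(text: str, action: str, role: str) -> Tuple[str, str, bool]:
    """Classify, then decide; this is the order the text prescribes."""
    sensitivity = classify(text)
    decision, alert = evaluate(sensitivity, action, role)
    return sensitivity, decision, alert


if __name__ == "__main__":
    print(inspect("Employee SSN 123-45-6789 on file", "email_external", "finance"))
    print(inspect("CONFIDENTIAL: scheduler design notes", "read", "sales"))
    print(inspect("Lunch menu for Tuesday", "email_external", "sales"))
```

The same `inspect` call serves all four states: pass the text and a `read` action for at-access, `copy_usb` for in-use, `email_external` for in-motion, and run `classify` alone over a repository for at-rest discovery.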

Advanced Authentication

Passwords don’t provide adequate security for today’s critical applications and information. Security breaches often occur because someone gains access to someone else’s passwords. However, when these attackers authenticate to the system, there are often contextual factors that could, if recognized, raise a warning about the validity of the authentication. For example, if someone from Finance working in New York suddenly logs in from Russia, or if someone logs in from Rome, two hours after logging out in New York, it’s clear that a fraudulent authentication is in progress.

Two-factor authentication provides stronger security than passwords, but when implemented as hardware tokens, it creates significant cost and inconvenience issues of its own. A software-based multi-factor authentication solution can help eliminate these problems because it provides strong, two-factor authentication without changing the user experience, and without the administrative problems that hardware tokens bring.

Risk-based authentication solutions provide a risk score of each attempted authentication that can help determine whether an attempted breach might be in progress. In these cases, additional, stronger authentication methods could be used, the attempt could simply be rejected, or an alarm could be raised.
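The two contextual factors given earlier (a login from an unexpected country, and a login from Rome two hours after a logout in New York) can be turned into a risk score that drives the three outcomes named above: step up to a stronger factor, reject, or raise an alarm. This is an added example for this page, not code from the white paper or from any CA authentication product; the weights, the 900 km/h plausibility limit, the business-hours window and the sample events are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly airliner cruising speed


@dataclass(frozen=True)
class Event:
    user: str
    time: datetime        # UTC, naive
    country: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def risk_score(login: Event, home_country: str, last_logout: Optional[Event],
               business_hours: Tuple[int, int] = (7, 20)) -> Tuple[int, List[str]]:
    """Score one authentication attempt from its context; weights are assumed."""
    score, reasons = 0, []
    if login.country != home_country:
        score += 30
        reasons.append("foreign_country")
    if last_logout is not None:
        hours = (login.time - last_logout.time).total_seconds() / 3600
        km = haversine_km(last_logout.lat, last_logout.lon, login.lat, login.lon)
        # Impossible travel: the distance could not be covered in the time elapsed.
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append("impossible_travel")
    if not (business_hours[0] <= login.time.hour < business_hours[1]):
        score += 10
        reasons.append("off_hours")
    return score, reasons


def decide(score: int) -> Tuple[str, bool]:
    """Map a score to (action, raise_alarm): reject, step_up or allow."""
    if score >= 50:
        return "reject", True
    if score >= 30:
        return "step_up", True      # demand a stronger authentication method
    return "allow", False


if __name__ == "__main__":
    # Constructed sample: the New York / Rome case from the text.
    logout_nyc = Event("jdoe", datetime(2013, 6, 3, 14, 0), "US", 40.7128, -74.0060)
    login_rome = Event("jdoe", datetime(2013, 6, 3, 16, 0), "IT", 41.9028, 12.4964)
    score, reasons = risk_score(login_rome, "US", logout_nyc)
    print(score, reasons, decide(score))
```

A production system would add device fingerprint, network reputation and behavioural history as further factors, but the shape stays the same: score the context, then choose between allowing, stepping up and rejecting.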

Further, advanced authentication can help detect and prevent fraudulent transactions by enforcing different levels of authentication based on the parameters of a given transaction. For example, transactions involving an unusually large amount of money can be forced to go through additional authentication steps to guarantee the identity of the user. Transactions can be further secured through the use of “transaction signing” where the user includes additional information about the transaction such as amount or payee to help protect against man-in-the-middle attacks.
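The “transaction signing” idea in the last sentence is best seen with the two halves of the exchange: the user’s device computes a code over the exact amount and payee, and the server recomputes it over the transaction it actually received, so a payee or amount altered in transit no longer matches. This is an added example for this page, not the white paper’s or any vendor’s protocol; it uses a per-user HMAC secret, a server-issued nonce against replay, and a truncated 8-digit code, all of which are constructed choices.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

FIELDS = ("account", "payee", "amount", "currency", "nonce")


def canonical(txn: Dict[str, str]) -> bytes:
    """Fixed field order so the client and server hash exactly the same bytes."""
    return "|".join(f"{k}={txn[k]}" for k in FIELDS).encode("utf-8")


def sign_transaction(user_secret: bytes, txn: Dict[str, str]) -> str:
    """Client side: the code is bound to payee and amount, not just to the session."""
    digest = hmac.new(user_secret, canonical(txn), hashlib.sha256).digest()
    # Truncate to an 8-digit code a user could type from a separate device.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class TransactionServer:
    """Server side: enrols users, issues nonces, verifies signed transactions."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}
        self._used_nonces: Set[str] = set()

    def enroll(self, user: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return secret            # provisioned to the user's device once

    def new_nonce(self) -> str:
        return secrets.token_hex(8)

    def verify(self, user: str, txn: Dict[str, str], code: str) -> bool:
        secret: Optional[bytes] = self._secrets.get(user)
        if secret is None:
            return False
        expected = sign_transaction(secret, txn)
        if not hmac.compare_digest(expected, code):
            return False         # amount or payee differs from what was signed
        if txn["nonce"] in self._used_nonces:
            return False         # a captured, valid code cannot be replayed
        self._used_nonces.add(txn["nonce"])
        return True


if __name__ == "__main__":
    server = TransactionServer()
    device_secret = server.enroll("jdoe")
    txn = {"account": "12345", "payee": "ACME Supplies", "amount": "9800.00",
           "currency": "USD", "nonce": server.new_nonce()}
    code = sign_transaction(device_secret, txn)
    print("original accepted:", server.verify("jdoe", txn, code))
    altered = dict(txn, payee="Other Account")   # modified in transit
    print("altered accepted:", server.verify("jdoe", altered, code))
```

The amount threshold the paragraph mentions belongs in the caller: only transactions above it need to demand a signing code, and the rest can rely on the session’s ordinary authentication.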


Section 3: Conclusions

Security breaches of all kinds are growing in complexity, sophistication, and impact. A multi-layered approach is necessary in order to deploy effective controls. By approaching security breaches with a focus on privileged identity management, data security, identity and access governance, and advanced authentication, organizations can protect their most critical resources from the inside out from all types of breaches.

Organizations that successfully reduce the chances of a security breach should think beyond the direct cost savings of lost data, fines and lawsuits. The erosion in trust of an organization’s customer base and damage to a brand can be irreparable.

In addition, organizations with an extensive security program can save money by simplifying audits and can focus efforts on innovation instead of breach responses.

Section 4: References

1 Forrester Research, Inc. “Kill Your Data To Protect It From Cybercriminals.” July 12, 2012
2 intelreport.mandiant.com/Mandiant_APT1_Report.pdf
3 The Ponemon Institute, “The Risk of Insider Fraud: Second Annual Study.” February 2013
4 reuters.com/article/2011/04/13/us-djc-ford-tradesecrets-idUSTRE73C3FG20110413
5 informationweek.com/security/attacks/swiss-spooks-warn-of-counter-terrorism-i/240143979
6 reuters.com/article/2011/09/07/us-aero-arms-summit-cybersecurity-idUSTRE7867F120110907
7 m.csoonline.com/article/732784/defense-contractor-under-cyberattack-for-three-years?source=CSONLE_nlt_salted_hash_2013-05-06
8 Deloitte, Inc. “2012 DTTL Global Financial Services Industry Security Survey: Breaking Barriers.”
9 infosecurity-magazine.com/view/18237/insider-data-breach-costs-bank-of-america-over-10-million-says-secret-service/
10 threatpost.com/nationwide-allied-insurance-breach-hits-11-million-users-120512/
11 The Ponemon Institute. “Third Annual Benchmark Study on Patient Privacy & Data Security.” December 2012
12 dailymail.co.uk/news/article-1178276/Hackers-demand--10m-ransom-hijacking-millions-medical-records.html
13 verizonenterprise.com/DBIR/2013/
14 eweek.com/security-watch/former-gucci-employee-indicted-for-it-rampage.html
15 idtheftcenter.org/ITRC%20Breach%20Stats%20Report%202012.pdf
16 slate.com/articles/technology/future_tense/2013/02/fiberwan_terry_childs_gavin_newsom_on_why_governments_should_outsource_technology.single.html
17 idtheftcenter.org/ITRC%20Breach%20Stats%20Report%202012.pdf
18 darkreading.com/attacks-breaches/team-ghostshell-exposes-120000-records-f/240008262
19 online.wsj.com/article/SB10001424052970203753704577255723326557672.html
20 Forrester Research Inc., “Assess Your Identity And Access Management Maturity.” September 26, 2012


Section 5: About the Author

Russell Miller has spent over six years in network security in various roles from ethical hacking to product marketing. He is currently a Director of Solutions Marketing at CA Technologies, focused on privileged identity management and virtualization security. Russell has a B.A. in Computer Science from Middlebury College and a M.B.A. from the MIT Sloan School of Management.

Connect with CA Technologies at ca.com

Agility Made Possible: The CA Technologies Advantage CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organizations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. CA Technologies is committed to ensuring our customers achieve their desired outcomes and expected business value through the use of our technology. To learn more about our customer success programs, visit ca.com/customer-success. For more information about CA Technologies go to ca.com.

Copyright © 2013 CA. All rights reserved. Microsoft, Active Directory, SharePoint and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX is a registered trademark of The Open Group. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document “as is” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any software product referenced herein serves as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, standard, policy, administrative order, executive order, and so on (collectively, “Laws”)) referenced herein or any contract obligations with any third parties. You should consult with competent legal counsel regarding any such Laws or contract obligations. aCS4037_0613