Wednesday 24 March 2010

Quis custodiet ipsos custodes?

A lot of businesses don’t appreciate where threats come from; they defend the perimeter of their network without looking too closely within. I was reminded of this the other day when the story of the Swiss HSBC employee reared its ugly head again.

For those of you who don’t know, a chap called Herve Falciani stole data about some customers with a view to selling this information. He was employed in the IT department, so he had privileged access to data. What was his motivation? Well, it is reported that he was asking £2,000,000 for the data he stole.

Whilst the theft was made over three years ago, it is still coming back to haunt not only the business but also the clients. HSBC has now twice had to revise how many records were stolen. First it was a handful, then 15,000 customers and more recently 24,000 customers affected by this theft. The implications are pretty catastrophic, for some more than others, because the details of their accounts have been exposed, which in turn could put them at risk of prosecution by tax authorities!

So is too much power being left in the hands of the IT department? Yes, they need some privileges to do their work, but how much? As frequently demonstrated, too much.

Most organisations have a security model that can be likened to a sieve: they know there are holes, so they attempt to plug them. When they discover the next leak, out come the sticking plasters and another hole is plugged. Realistically this takes a great deal of effort, and there is usually something that has been overlooked and so can be exploited. The question is how much monitoring do you put in place, and who monitors those doing the monitoring? After all, if you have not spotted a security hole you won't be looking for it or monitoring it. And at what point do you stop this process? There are only finite resources, and in the end who will guard the guards?

A recent survey has shown that a staggering 59% of ex-employees take some of their employer's data with them when they leave. This is a pretty high figure when you think about it. Over half of all people that have ever worked for a company will have some of its data. All of that data is out there, uncontrolled, and the business is typically blissfully unaware of how many copies are floating about. Once the data is outside the control of the business, there is no way to limit how many times it is subsequently copied.

I was also reminded of when my own business suffered from this very problem. Several years ago an ex-employee, whom I believed I could trust, surfaced at a competitor, and as soon as they joined the competitor our clients started to get phone calls and emails telling them this person now worked for them and asking whether they would like to transfer their business.

Fortunately no personal data was involved; however, it did highlight to me the weakness we had by trusting people with privileges on our network. Whilst this also doesn’t speak much of this person’s character (especially as when they left I had reassurance from them that they would never do anything to betray any trust), it also made me appreciate how valuable even the smallest amount of data can be to someone else. I don't know what his motivation was. Perhaps desperation to get a job, so offering a list of potential new business on the condition of a job could have been the angle. I will probably never know and, to be honest, don't really want to.

We also did not know this was happening, but fortunately several of our clients contacted us to make us aware of it, and I thank them for their loyalty to us. What made it so obvious was that the competitor had foolishly used privileged information only we had and in doing so exposed its source.

After this exercise I immediately decided to change the way we worked and how we granted privileges to staff, and so rolled out persistent encryption on our data so that no matter who had access to our data, if it were ever copied it would be rendered useless outside of the control of our network. Fortunately the product we implemented is very good and forces encryption whenever anything is created but denies the ability of the creator/author to decrypt it.

Whilst I appreciate that this is not a magic bullet (trust me, we also have some IDS, DLP and NAC in place as well as the usual server security and auditing), I am able to rest more easily at night knowing that if someone has found a new way to copy our data outside of our control, and inevitably they will, it will be in a pretty useless format once they take it away.

After all, there is only so much security you can put in place before you prevent someone from being able to do their job, so instead of putting in too much, put in smart solutions that give the most protection for the least overhead, like we have.
