Honeypots and Copy-and-Paste: Avoiding Insider Leaks

Many companies underestimate the security risks involved with the employees themselves. The real threat isn't from things like industrial espionage - simple inattentiveness is the real culprit.

30 Mai. 2016 David Lin
If corporate data escapes unintentionally outside the company's walls, the damages can quickly get expensive. (Photo:FernandoMadeira/

The Threat Inside

The problem of leaks from the inside are growing more, not less, acute. Many might initially think of economic espionage, of competitors infiltrating companies or of bad actors who intentionally sell off information. In fact the grand majority of the threat from insiders is much more banal: incorrect behavior on the part of employees. Most companies now conduct training and educational programs. Even so, the "2014 Data Breach Investigations Report (DBIR)" from Verizon found that 60 percent of all insider leaks were based on human error, not malicious intent.

One frequent error comes through simple copy and paste work, which can lead to unintended distribution of confidential or sensitive data within the corporate network. In many cases a well-intentioned employee is working in a section of the network that isn't intended for his or her eyes. If that employee has the access rights to view the affected data, then a hacker can use that user's login data to access the data.

It's time to address a largely overlooked problem. All companies should fundamentally put their focus on the data, not on the employees. After all, data is easier to control.

Global access rights

Global access rights are a major multiplying factor for potential damages. As such, they should be used exclusively with information that is 100% unproblematic if it should reach the public. Many systems offer the option of using specific groups such as "Everyone" or "Authorized Users" in Windows to assign global rights to data. When a company allows this, it is in essence saying: "I don't care what happens to this data."

And in fact it has happened that global access rights are assigned to folders containing millions of credit card or social security numbers. For internal data, companies are well advised to ban global access rights altogether.

A current survey by the Ponemon Institute found that four out of five IT experts admitted that their company has not yet implemented the principle of minimalist rights assignment. In other words, most organizations allow employees much greater access rights than is actually needed. The killer consequences: criminals have an unnecessarily broad choice of potential attack vectors.

Some of the reasons for broad rights assignment are:

  • employees change jobs or position, or their responsibilities change
  • temporary projects require temporary rights
  • consulting contracts run out
  • access rights are unintentionally assigned
  • employees leave the company

This unchecked growth is hard to prevent and even harder to eliminate. Rights for temporary employees, suppliers, consultants and project teams should always be awarded with an expiration date. Software should also always be viewed as an 'internal party', meaning the principle of minimal rights assignment applies here as well.

If for example the web server has a vulnerability and runs as a privileged domain user with access to the file system or network, then a security hole in the web server software is no different than a compromised insider.

Even if you assign access rights that expire automatically, routine reviews by users of the respective departments are essential. Those users have a major advantage: they know the persons using the data. Leave the decisions to people who know the context. Those should also be the users who make the modifications.

Routine access rights reviews are needed

Within the group of domain administrators, routine access rights checks should be conducted to ensure that no unauthorized users have snuck in. One thing that can be tremendously helpful is setting up notifications when a user is added to the group. This should occur so rarely that email or SMS notifications can be reviewed individually.

Reviewing Active Directory is practically mission-critical, since for many companies this is the heart of the control scheme. When someone is granted Active Directory group rights for critical information, it should be clear logged who added the user, when and how. Furthermore, the log for file analysis should be used to observe how the user utilizes those new access rights.

Yet context matters, something that standard intrusion prevention systems can overlook. Much more the results must be viewed in their respective framework. One example: if Mr. Schmidt deleted 250 contracts in five minutes... and Mr. Schmidt works in the cafeteria, then the alarm bells should be ringing.

The analysis would ideally assign a profile to each user, including an expected 'normal' behavior. This is important for identifying the proper context, which then triggers warnings only if the user behaves in an unexpected manner. File analysis software can be used to record and analyze each transaction within a file sharing (and email) infrastructure.

Once implemented, this kind of software delivers functions such as:

  • identification when a sensitive file is placed into a public folder, and quarantine that file automatically
  • issue warnings if certain threshold values are exceeded, such as when thousands of files are copied within a minute. This is generally indicative that the user has performed a massive copy-and-paste action on an uncontrolled end device (known as 'exfiltration').
  • monitor whether normal users execute or create EXE files on a server

It is also recommended that the network be monitored for significant bumps in activity outside normal working times as well as access to data that does not belong in the storage area for the respective department.

Honeypots and risk carriers

A honeypot is a shared, freely accessible folder that looks like a lucrative target for data thieves. It serves solely to determine who access it. The recipe is relatively simple. First set up a shared folder than any user can access. Name it something like: "X:\Shared\Salaries" or "X:\Shared\CEO." Then lean back and see who takes the bait. It many just be curious employees browsing through the directories - or it may be malware in action.

Monitor risk carriers

It's very important to know where a company's "crown jewels" are kept. In general, this means classifying data based on its software. Yet that information alone isn't enough. Suitable software can also answer questions such as: who is the file's owner (not the attribute Author/Data Owner, but who really owns it)? Who has access to it? How is the data being used? Has it been opened? Copies? By whom? When?

This metadata makes it possible to identify the data with the greatest potential risk and implement corresponding measures: monitor rights structures, check access rights more frequently and set up warnings.

Beyond this type of data, users with potentially higher risk levels (such as IT administrators) should be monitored. Controlling of administrators is no trivial matter, as they generally require more comprehensive access rights. Certain behavior patterns can however awaken clear suspicions, such as when domain administrators read emails from other users' inboxes and then mark them as unread.

Security CEBIT RSS Feed