Mitigate Risk From Malicious and Accidental Insiders

When most people hear the term “insider trading,” they think of the illegal practice of trading a public company’s stock based on material, non‐public information. The image of Michael Milken, Ivan Boesky or Martha Stewart may come to mind. Yet there’s a second face to insider trading: insiders who sell valuable data or privileged access to cybercriminals via online forums and marketplaces.

Forrester recently published a research report on malicious insiders, Defend Your Data As Insiders Monetize their Access. I’ve also discussed how financial industry insiders and cybercriminals trade in high‐value data or credentials on the dark web and on criminal sites on the open web. In these forums, individuals may ask about the best places to sell insider information or claim to be selling insider access. Meanwhile, cybercriminals shop for data or use these venues to attempt to recruit insiders.

The problem isn’t limited to the financial services industry. Every industry has insiders who are disgruntled, who may be seeking revenge or who simply want to make a profit and aren’t above engaging in illicit activity to do so. Retail and healthcare organizations have a tremendous amount of valuable data, including payment card details and health records. Research by Experian finds that payment card data can sell on the dark web for $5‐$110 and medical records can be valued at up to 10 times more, depending on how complete the records are as well as whether it is a single record or an entire database.

The manufacturing, technology and telecommunications industries also hold highly‐prized customer data and intellectual property (IP) that make them susceptible to this threat. In the telecommunications industry, fraudsters seek insiders who can facilitate SIM‐swapping (also known as SIM‐hijacking) attacks. SIM‐swapping takes advantage of the millions of instances each year when people transfer phone numbers to a new mobile network. An attacker will typically contact the target’s network provider and use social engineering techniques to convince network support staff that they are the customer and to switch calls and texts to a new SIM that they control. From there they can bypass two‐factor authentication methods such as the additional precaution of a phone call or text used in online banking to verify identity before approving a transaction. In the manufacturing and technology sectors, criminals will pay top dollar for information they can sell to a target’s rivals – detailed plans and images of upcoming product designs, patent applications, copyright information and proprietary code.

There’s also a third face to insider trading – the “accidental insider” unwittingly exposing company data or information. They aren’t benefitting, but the hacker is. This could be an administrator who misconfigures a server or database or hasn’t updated default settings. Other culprits include employees or contractors who share login credentials, use insecure file repositories on the Internet, or copy and archive files on personal devices.

The scope of the problem is of epic proportions. More than 1.5 billion files are currently exposed across open Amazon S3 buckets, file transfer and sharing services such as File Transfer Protocol (FTP) and Server Message Block (SMB), misconfigured websites, and network‐attached storage (NAS) devices often used to back up home computers. Besides the personal data and intellectual property already discussed, our research has found that thousands of documents, including security audits and assessments, network infrastructure details, and penetration testing and vulnerability scanning reports, are also publicly accessible. The availability of this information, which attackers can use to launch attacks, is largely a result of third parties and suppliers: contractors backing up or transferring data outside of an organization’s network.

Although the challenge may seem insurmountable, there’s a lot that security professionals can do to mitigate risk. Here are just a few tips.

1. Provide security awareness training for all staff, including contractors and third parties. This should also cover the risks of using home NAS drives for company data and archiving files using file transfer and sharing services.

2. If employees and contractors need to use NAS devices, then users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default. If possible, offer backup solutions so that contractors and employees don’t feel the need to back up their devices at home.

3. Amazon now sets S3 buckets private by default, but its site also provides a good overview of measures organizations can take to set permissions and monitor for unusual activity.

4. Adopt strong password hygiene and ensure two‐factor authentication (2FA) is enabled across the organization where possible. This will help prevent unintentionally leaked credentials being leveraged by malicious actors.

5. Restrict access to important data to only those who are required to have it. Read/write access should only be granted where there is an explicit business requirement.

6. Monitor your external footprint for cases of accidental data loss and exposure. Data loss prevention solutions can help identify cases where sensitive information has left your environment. 
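As an illustration of tips 3 and 5, the following added example (not part of the original article) reviews an S3 bucket's ACL and bucket policy offline and flags grants that expose it to anyone, rating write access above read access. The bucket name, the sample JSON and the severity labels are constructed for this example; it covers `Allow` statements with a wildcard principal and the two predefined public ACL groups only.

```python
import json

# Predefined S3 ACL groups that mean "anyone" / "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    # Matches "Principal": "*" as well as {"AWS": "*"} and {"AWS": ["*", ...]}.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def audit_bucket(name, policy_json, acl):
    """Return (bucket, severity, detail) findings for public exposure."""
    findings = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            sev = "HIGH" if grant["Permission"] in WRITE_PERMS else "MEDIUM"
            findings.append((name, sev, f"ACL grants {grant['Permission']} to {who}"))
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        writes = any(a in ("s3:*", "*") or a.startswith(("s3:Put", "s3:Delete")) for a in actions)
        # A Condition (source IP, VPC endpoint, ...) may narrow the grant: needs human review.
        sev = "REVIEW" if "Condition" in stmt else "HIGH" if writes else "MEDIUM"
        findings.append((name, sev, f"policy allows {', '.join(actions)} to anyone"))
    return findings

# Constructed sample data in the shape of get-bucket-acl / get-bucket-policy output.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-backups/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

if __name__ == "__main__":
    for finding in audit_bucket("example-backups", SAMPLE_POLICY, SAMPLE_ACL):
        print(*finding, sep=" | ")
```

Run against exported ACL and policy documents for every bucket, including those owned by contractors and suppliers, the same check can feed the external-footprint monitoring described in tip 6.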

Insider trading in all its forms is here to stay because humans are flawed. Fortunately, in the case of malicious and accidental insiders, organizations that understand the risks and make a focused effort to mitigate them can limit their exposure.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
