An ELOFANT is an “Employee Left Or Fired, Access Not Terminated” and these ghost account insiders can undermine your organization’s information security, as recent DBIR stats suggest.
If you’re concerned about the security of your organization’s data you should be looking out for elofants on your network. I’ve seen them myself and, if your organization’s network is statistically average, then it is statistically likely to be harboring at least one ELOFANT, otherwise known as: Employee Left Or Fired, Access Not Terminated. While nobody wants to think ill of persons who have departed the organization — they could have been colleagues and friends — the harsh realities of cybersecurity and human nature make these unterminated “ghost accounts” a threat to the organization. Namely, they put the confidentiality, integrity, and availability of the organization’s information system security at risk. I will talk more about the risks and responses right after some data to back up my assertions.
The DBIR angle
For many years now, Spring in North America has brought with it the Verizon Data Breach Investigation Report or DBIR, currently the most comprehensive collection of security incident and breach statistics and analysis that is routinely made available to the general public. This year’s dataset was over 100,000 incidents, more than 3,000 of which were confirmed data breaches (Verizon. 2016). Highlights from this year’s report include the following:
- Financial gain is making a comeback as a leading motive behind insider attacks
- The number of “secondary motive attacks” — those perpetrated on one entity to aid attacks on another is increasing
- Phishing emails are being opened by more people, not less (the open rate was up from 23% to 30%)
- Phishing is gaining on the two leading threat action categories: hacking and malware (a finding amply underscored by the latest APWG report)
- Breaches are taking longer to discover — the gap between time to compromise and time to discovery rose 35% from last year’s DBIR
While the general public probably doesn’t read the DBIR, security folks sure do, and we would read it even if it wasn’t written with a sense of humor. However, that sense of humor helps us swallow yet another dose of evidence that the world’s collective effort to protect data and systems from unauthorized access is falling short. One example of the DBIR style is an observation about the category of breaches it labels “Insider and Privilege Misuse”. The DBIR notes that this is: “normally solely associated with TGYFBFTDHRA”. A footnote to that string of capital letters then explains what the letters stand for: “That guy you fired but forgot to disable his remote access.”
And that got me thinking about a couple of things, including a simpler yet more inclusive acronym, hence ELOFANT. Why? Because folk you’ve fired are not the only source of lingering access you have to worry about. While I’m aware of plenty of cases where a security incident was traced back to someone who had been fired but not flushed from the permissions, there have also been cases where a person abused forgotten access after leaving of their own free will. The reality is that circumstances change and new motives for misdeeds can arise. Perhaps they were hired by a competitor who then pressured them to reach back and grab trade secrets or a confidential price list or customer database. Maybe they left happy but then their attitude changed, their severance pay was not as good as expected or their post-severance healthcare coverage let them down.
ELOFANTs are still insiders
To get a better handle on this particular threat, security pros can consult the many insider case studies documented by the CERT Insider Threat Center (see references below). The Center has documented hundreds of internal computer crimes that impacted companies in sectors like banking (Randazzo, Keeney, Kowalski, Cappelli, and Moore, 2004), information technology and telecommunications (Kowalski, Cappelli, Moore, 2008), critical infrastructure (Keeney, Kowalski, Cappelli, Moore, Shimeall and Rogers, 2005), and financial services (Cummings, Lewellen, McIntire, Moore, and Trzeciak, 2012). While the primary goal of the Center is to discover and disseminate practical methods of mitigating insider threats, the case studies are analysed according to academic standards; for example, methodological limitations, like the inability to generalize findings to all organizations, are duly noted (Cappelli et al, 2012).
What these studies reveal is how a wide range of insiders exploit opportunity to commit crimes, often through a simple betrayal of the trust placed in them as employees or contractors. Some insiders may, like Edward Snowden (Poitras, 2014), have far-reaching “super-user” access to the organization’s assets, be they physical or digital; yet CERT has recorded many cases where the crime was committed by an insider with few technical skills and only limited access.
As long as they still have access, elofants are still trusted insiders, and the following is definitely true of insiders: never have so many had so much access to so much computerized information of such great value. Furthermore, stolen information has never been easier to transfer and monetize (Ablon, Libicki and Golay). And just make things even riskier, as the 2016 DBIR reports: “we found that the incidents that take the longest to discover were these inside jobs.” So which organizations tend to be hardest hit by insider incidents? The DBIR says that in 2015 it was those in the public sector, the healthcare sector, and financial services such as credit card companies, banks, and lenders.
Defending against the inside threat is a serious challenge for every organization, but a range of defensive strategies are covered in depth by the CERT Guides linked below. The DBIR itself offers three helpful suggestions that I like, and which can be summarized as follows:
- Monitor employee access to valuable data (a good data loss prevention program can help).
- Control the use of removable media (a good security suite or encryption production can do this).
- Manage and limit access privileges, and remove those elofants!
References (some link to PDF files):
Ablon, L., Libicki, M., and Golay, A. (2014). Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar. Rand Corporation.
Cappelli, D., Moore, A., and Trzeciak, R. (2012) The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), Upper Saddle River, NJ: Addison-Wesley Professional.
CERT (2011) 2011 CyberSecurity Watch Survey: How bad is the insider threat? CERT Insider Threat Team, Pittsburgh: Carnegie Mellon University, Software Engineering Institute.
Coles-Kemp, L. and Theoharidou, M. (2010) ‘Insider Threat and Information Security Management’ in Insider Threats in Cyber Security – Advances in Information Security, 49, (Eds, Probst, C., Hunker’, J., Gollmann, D. and Bishop, M.), New York: Springer, 45-72.
Cummings, A., Lewellen, T., McIntire, D., Moore, A., and Trzeciak, R. (2012), Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector, Software Engineering Institute, Carnegie Mellon University, (CMU/SEI-2012-SR-004).
Keeney, M., Kowalski, E., Cappelli, D., Moore, A., Shimeall, T., and Rogers, S. (2005) Insider Threat Study: Computer Systems Sabotage in Critical Infrastructure Sectors, CERT, Software Engineering Institute, Carnegie Mellon University.
Kowalski, E., Cappelli, D., and Moore, A. (2008) Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, Software Engineering Institute and United States Secret Service.
Poitras, L. (Director) (2014) Citizenfour (Film), USA: HBO.
Randazzo, M., Keeney, M., Kowalski, E., Cappelli, D. and Moore, A. (2004) Insider threat study: Illicit cyber activity in the banking and finance sector, Philadelphia: Carnegie Mellon University, Software Engineering Institute.
Verizon (2016) The 2016 data breach investigations report. (Note that the statistics cited in the DBIR relate to those information system security incidents and breaches of which Verizon is aware through its reporting system, and thus cannot be generalized to the entire population of information systems.)