Contributors:
John Yeoh
Ekta Mishra
About LemonFish
LemonFish provides proactive defense against data leakage, insider threats, and exposure of confidential
intellectual property. Its cybersecurity and data behavior analytics software scours the open, deep, and
dark web in real time to uncover sensitive data that has been leaked and allows for quick reduction of
risk, preservation of brand reputation, and protection of critical assets.
Everything we know about defeating the insider threat does not solve the issue itself. In fact, evidence
from the Deep and Open Web points to the issue worsening rather than getting better. Today's
employees work with a number of applications, and with a series of clicks information can be leaked both
maliciously and accidentally.
The Cloud Security Alliance has been keen to uncover the extent of the insider threat problem, in line with its
overall mission of providing security assurance within Cloud Computing, and providing education to help
secure cloud computing.
As a follow-up to the Top Threats in Cloud Computing, from May to July 2016 we
surveyed approximately 100 professionals on the extent of the following:
• Employees leaking critical information and tradecraft on illicit sites
• Data types and formats being exfiltrated along with exfiltration mechanisms
• Why so many data threats go undetected
• What happens to the data after it has been exfiltrated
• Tools to disrupt and prevent the data exfiltration cycle
• Possibilities to expunge traces of data once exfiltrated
Difficult questions were asked, challenging the audience and leaving many hard pressed to answer. The
goal was to see the extent of security professionals' knowledge and examine where the gaps lay. There is
often a lot of talk about the threats to the cloud and the challenges taken on by organizations facing them. And,
in the wake of emerging data privacy regulation, there is considerable discussion about ensuring levels of
compliance. However, the results of this survey show there is a gap in dealing with both present and
future requirements for data erasure in the cloud. Additionally, despite the fact that accidental insider
threats or misuse of data is a common phenomenon, there is a distinct lack of procedure for dealing with
such instances across cloud computing.
To provide insights on what happens to data after it has been exfiltrated, we partnered with LemonFish
to obtain their unique insights.
[Chart: horizontal axis 0% to 100%]
Non-disclosure: 85.1
Authorization to conduct a background check*: 62.8
Proprietary Information Agreement: 46.8
Computer Monitoring Agreement: 41.5
Non-compete: 27.7
Outside Employment Agreement: 19.1
Post Employment Monitoring: 7.4
Other (please specify): 4.3
[Chart: horizontal axis 0% to 100%]
Information Security policy: 88.0
Removal of Company Information*: 60.9
Workplace Violence policy: 52.2
Outside Employment policy: 40.2
[Pie chart: A little, To a great extent, Not at all; segments 11%, 31%]
QUESTION 4
What data exfiltration mechanisms do you
believe to be the most common?
[Chart: horizontal axis 0.0 to 5.0]
Email: 3.68
Thumb drive, or removable media: 3.60
There is a strong perception that email and thumb drives are the prevalent means of data exfiltration,
while social media ranks low. However, research from LemonFish paints a different picture, which suggests
a perception issue. Corporate data is commonly available on the open or deep web
due to both inadvertent and malicious exposure. Corporate data is also sold on dark web sites. The
primary motivation for stealing credit card data is making a profit by selling the data on dark web sites.
[Chart: horizontal axis 0.0 to 5.0]
Excel: 3.38
Other: 3.34
PPT: 2.91
In keeping with the responses for Question 4, email is the most widely acknowledged format for data
exfiltration. Many of today's data loss protection solutions focus on email as the data loss vector;
however, with the advent of a hyper-connected era and blurred boundaries between personal and work,
perhaps we need to examine other formats more closely. Most companies closely watch email, and some
of the better-known file sharing sites, but the proliferation of cloud storage and file sharing sites provides the
opportunity to move data out of the company in bulk.
[Chart: horizontal axis 0.0 to 5.0]
Engineering code or pending patents: 3.00
Payment or Financial transactions: 2.95
Healthcare: 2.33
Interestingly, the type of data believed to be most exfiltrated was marketing followed by engineering
code, payment and financial transactions, with healthcare at the lowest. This contrasts starkly with other
types of survey responses and industry data from sources such as the Ponemon Institute. Again, there
appears to be a gap between perception and reality.
[Chart: horizontal axis 0.0 to 5.0]
Technology: 2.81
Government: 2.73
Financial: 2.68
Healthcare: 2.51
The vertical most compromised was perceived to be technology. There are growing indications that this
is indeed the case. This was followed by Government, Financial and Healthcare. Healthcare ranking as
the vertical perceived to be least compromised was surprising as research otherwise points to a growing
black market in aggregated healthcare records.
QUESTION 8
Do you know what happens to your data
that has been exfiltrated?
Yes
No 29%
Sold
14%
Sold and I have an idea for how much
QUESTION 10
Is there a way to expunge information after it has
been leaked or placed on an illicit site?
[Pie chart: Yes, No, Unsure; segments 19%, 44%, 37%]
Of the 78 respondents who answered this question,
close to half were unsure of whether it's possible to
expunge data after it has been placed on an illicit site.
This demonstrates the need for much greater research,
as well as the need for new data erasure techniques,
given the ease with which digital data can be copied.
QUESTION 12
In general, do the insiders within your organization
that exfiltrate data have malicious intent?
[Pie chart: Yes, No, Unsure; segments 19%, 44%, 37%]
The data from this question highlights that the bulk of
insider threats could be accidental and not maliciously
motivated. We are starting to see signs of recognition
of that in the industry.
QUESTION 13
Do you believe that insiders within your organization
that exfiltrate data take steps to cover their tracks?
[Chart: horizontal axis 0% to 100%]
Other (please specify): 15.4
[Chart: horizontal axis 0.0 to 5.0]
Behavioral monitoring with Big Data Analytics: 3.47
QUESTION 16
Given the big spending on data protection by IT, how
do you know if your toolsets are working?
Answered question: 34
Skipped question: 60
Over 60 respondents skipped the question asking how they
know their toolsets are working. This is frightening given the
huge investments that are made in toolsets as a panacea to
this problem, even when we know that policies and processes
are a big part of the picture as well.
The survey questions were developed by collaborators from the Cloud Security Alliance (CSA). Survey
questions were edited and vetted by industry experts before the survey was distributed. Data analysis
was conducted by CSA. The final report was authored by the analysts associated with CSA and contains
special insights from analysts at LemonFish. Approximately 100 IT and IT security professionals
responded to the survey, spanning multiple countries and industry verticals and representing
multiple job levels and company sizes.
[Chart: company size (employees): 1 - 1,000; 1,000 - 5,000; 5,000 - 10,000; 10,000 - 30,000; 30,000 - 50,000; +50,000]
[Chart: industry: Business Services (8%), Education (4%), Entertainment (1%), Other (5%)]
[Chart: job level: Staff]
[Chart: region: Americas]
*Majority are from USA, India, and Canada
A CISO's nightmare:
Your engineering manager comes to you with a source code listing one of his engineers found on Git.
It's identical to your company's proprietary SCADA code your clients rely on to ensure infrastructure
availability, but missing the copyright statements you use as company policy. Later in the day, a technical
sales lead shows you a company presentation marked "Proprietary & Confidential" that he found posted
on a popular file-sharing site. Finally, the HR manager is very concerned because employees have been
increasingly reporting that they are receiving suspicious emails at their company address containing
details that should be private. More often than not, they point to the mesh of anonymized networks and
protocols known as the Dark Web.
This distinguishes Dark Web actors and resources from the Deep Web, which uses traditional open
Internet technologies to host content and provide resources to users, but puts that content behind
paywalls or some level of authentication, and out of reach of search engines.
These characteristics of the Dark Web make it an ideal place to initiate a data breach's public lifecycle.
There are two broad, non-mutually-exclusive categories behind most breaches: monetary gain and
notoriety. Both of these require the quality of not getting caught, which the Dark Web enables by its
very nature.
Despite these bad actors, there are many uses of the Dark Web that have no nefarious component
to them. It is an important community resource for marginalized populations such as dissidents of
repressive governments. It is also a valuable platform for whistle-blowers to bring illegal activities to light
with less fear of reprisals.
This survey challenged Information Security Professionals in ways that other surveys have not. In asking
questions that might have left our respondents hard pressed to answer, we discovered where the gaps
really lay. The cyber security incident market in general is nascent, and toolsets that address the
emergence of new data security challenges are just beginning to emerge.
We encourage today's businesses to utilize a proactive data security solution that encrypts
mission-critical and sensitive data when it is created so that when it falls into the wrong hands it is not so readily
exposed. This also speaks to identity needing to be one of the key focal points for emerging data security
solutions. Secondly, leverage behavioral analytics and big data threat intelligence: this helps identify
malicious activity, such as violations of enterprise security policy. At the very least, this helps keep the
honest employee honest. Thirdly, monitor the open, deep, and dark web for your sensitive data, so that
you can be informed as soon as possible and take appropriate mitigation steps.