BreachExchange mailing list archives

Insider Lessons from Morgan Stanley Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Dec 2015 17:09:08 -0700

http://www.databreachtoday.com/blogs/insider-lessons-from-morgan-stanley-breach-p-2003

New details emerging about a breach involving a former Morgan Stanley
employee illustrate how a case of inappropriate access to data can blossom
into something much more serious. The case shines a spotlight on the urgent
need to mitigate insider threats.

Galen Marsh, who in September pleaded guilty to stealing confidential
customer information and saving it on his home server, has filed court
documents to help refute allegations that he posted some of that
information online for sale in underground forums.

According to Marsh's sentencing memorandum, which his attorney filed Dec.
1, federal investigators have confirmed that Marsh's home server was hacked
just weeks before the data he took from Morgan Stanley appeared on the
Internet. What's more, the memo, filed in hopes of winning a reduced
sentence, alleges that Morgan Stanley suspects the hackers who targeted
Marsh are based in Russia. Marsh is slated to be sentenced Dec. 17.

The possible Russian link was discovered during a forensic analysis of
Marsh's home computer, a Morgan Stanley spokesman told The Wall Street
Journal.

This case clearly illustrates why companies should be doing more to monitor
their employees' access to sensitive information. Not just because of what
the insiders might do with the data, but because of what outsiders can do
to take advantage of the insiders' access.

Privacy attorney Ron Raether, of the law firm Troutman and Sanders, points
out: "Companies need to have technical, administrative and physical
controls appropriate to the sensitivity of the data and role of the
employee. ... In the end, while we can blame the employee as being the
weakest link, it is up to companies to evolve and adjust to new and
persistent threats. The standard of care is constantly in motion. However,
it is important to stay ahead of that line and make sure that the business
can easily argue that it exceeded that standard. It helps in litigation and
with regulators."

What Happened?

Between June 2011 and December 2014, Marsh conducted nearly 6,000
unauthorized searches of confidential client information and then uploaded
information about 730,000 of those clients to a server at his home in New
Jersey, according to court records. In January, Marsh was fired; he later
admitted in court that he illegally accessed account holders' names,
addresses and other personal information, along with investment values and
earnings, from computer systems used by Morgan Stanley to manage
confidential data, court records note.

Morgan Stanley says it discovered the breach after it found that data
linked to approximately 900 of its clients had been posted briefly on the
Internet. The company also says that none of its clients lost money as a
result of the breach.

Marsh has steadfastly claimed that he did not post any data online. He has
argued that he accessed the information to analyze how other advisers
managed clients' money, court records state.

"Consistent with his truthful assertions, the government confirms that Mr.
Marsh's home server, on which Mr. Marsh had saved the client data, had been
compromised between October 6, 2014, and October 31, 2014, only a few weeks
before the client data appeared on the Internet," the sentencing memo filed
on Marsh's behalf states. "It is probable that the client data was
extracted from Mr. Marsh's home as a result of outside hackers. In fact,
based upon conversations with representatives of Morgan Stanley, we learned
that hackers emanating from Russia were suspected of posting the
information and offering to sell it online."

Morgan Stanley did not respond to my request for comment.

But one of my takeaways from the developments of this case: how much it
hammers home the points insider threat experts have made about the growing
risks of "unintentional insiders" - individuals who are unknowingly taken
advantage of by outsiders who have their own agendas. It's a topic that
speakers such as Michael Theis, of the Insider Threat Center at the
Software Engineering Institute at Carnegie Mellon University, have
discussed broadly at ISMG's own international Fraud Summits.

In this unique case, the insider threat has two dimensions. Marsh was
clearly in the wrong for accessing this sensitive data and storing it on a
home server. But then, it would seem, he was used as a pawn by outsiders
home server. But then, it would seem, he was used as a pawn by outsiders
who had their own fraud agenda.

Responsibility for Protecting Data

Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner,
says that while Morgan Stanley has made significant investments since
firing Marsh to ensure this kind of internal data leak does not happen
again, the company still runs the risk of being found negligent for
allowing an employee to so easily access and exfiltrate information he was
not authorized to view.

"Even in this case, I'm not sure Morgan Stanley is off the hook," Litan
says. "Even though they can pin this on an employee, they are still
responsible."

Litan reiterates her longstanding recommendation that companies implement
user-behavior analytics to detect internal inappropriate access to data.
"It's basically using machine learning to detect anomalous behavior," she
says.

In the Marsh case, she says, "this would not have detected the hack of his
home machine, but it would have detected him exfiltrating that data in the
first place. If you miss it on the way, it's too late. And this is why
machine learning and analytics are the only technologies you can rely on to
solve this problem."

The Morgan Stanley incident also demonstrates that it's essential for
corporations to have strong policies to help ensure sensitive corporate and
customer data is not compromised by employees' use of personal devices to
access corporate files.

Raether, the attorney, sums it up well: "It is not enough to just blame
employees for events. We have known even before breach notice statutes that
users present the most difficult and sometimes greatest threat."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
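The user-behaviour analytics Litan recommends in the message above boils down to building a per-user baseline from access logs and flagging the user whose volume of distinct client records, and whose share of records outside their own book, sits far outside the peer population. The following is an added example written to illustrate that idea; it is not code from the article, from Morgan Stanley, or from any vendor, and the log format, field names, constructed sample data, seed and noise floors are all assumptions made for the illustration.

```python
"""Added illustration: a peer-baseline check over constructed client-lookup logs.
Not the article's or Morgan Stanley's code; log format, field names, sample
data and thresholds are assumptions."""
import random
import re
from collections import defaultdict
from statistics import median

# Assumed log line shape: "<ts> user=<u> action=client_lookup client=<c> owner=<o>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=client_lookup "
    r"client=(?P<client>\S+) owner=(?P<owner>\S+)$"
)


def build_sample_log(seed=7):
    """Constructed data (not real): advisers adv01..adv09 look up a few of
    their own clients each day and occasionally cover a colleague's; adv10
    sweeps dozens of records a day, most of them from other advisers' books."""
    rng = random.Random(seed)
    advisers = [f"adv{i:02d}" for i in range(1, 11)]
    book = {a: [f"{a}-C{n:03d}" for n in range(rng.randint(40, 60))]
            for a in advisers}
    owner_of = {c: a for a, clients in book.items() for c in clients}
    everyone = list(owner_of)
    lines = []
    for day in range(1, 31):
        for a in advisers[:9]:
            for _ in range(rng.randint(3, 8)):
                # 5% of the time a normal adviser legitimately looks at any record
                c = rng.choice(everyone) if rng.random() < 0.05 else rng.choice(book[a])
                lines.append(f"2014-11-{day:02d}T10:00:00 user={a} "
                             f"action=client_lookup client={c} owner={owner_of[c]}")
        for c in rng.sample(everyone, 25):
            lines.append(f"2014-11-{day:02d}T23:10:00 user=adv10 "
                         f"action=client_lookup client={c} owner={owner_of[c]}")
    return "\n".join(lines)


def parse_log(text):
    """Return one dict per well-formed lookup line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_users(events):
    """Per user: distinct client records touched, and the share of lookups
    that hit records owned by another adviser."""
    seen = defaultdict(set)
    total = defaultdict(int)
    off_book = defaultdict(int)
    for e in events:
        seen[e["user"]].add(e["client"])
        total[e["user"]] += 1
        if e["owner"] != e["user"]:
            off_book[e["user"]] += 1
    return {u: {"distinct_clients": len(seen[u]),
                "off_book_ratio": off_book[u] / total[u]}
            for u in seen}


def robust_z(values, min_scale):
    """Deviation from the peer median in units of scaled MAD. Median and MAD
    are not dragged by the outlier we are trying to find; min_scale is an
    assumed noise floor so a very uniform peer group does not flag everyone."""
    med = median(values.values())
    mad = median(abs(v - med) for v in values.values())
    scale = max(1.4826 * mad, min_scale)
    return {u: (v - med) / scale for u, v in values.items()}


# Assumed noise floors per metric (tune to the real population).
FLOORS = {"distinct_clients": 10.0, "off_book_ratio": 0.05}


def flag_anomalies(log_text, threshold=3.5):
    """Return {user: [reasons]} for users far above their peers on any metric."""
    profiles = profile_users(parse_log(log_text))
    findings = defaultdict(list)
    for metric, floor in FLOORS.items():
        scores = robust_z({u: p[metric] for u, p in profiles.items()}, floor)
        for user, score in scores.items():
            if score > threshold:
                findings[user].append(
                    f"{metric}={profiles[user][metric]:.2f} is {score:.1f} scaled MADs above peers")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in flag_anomalies(build_sample_log()).items():
        print(user, *reasons, sep="\n  ")
```

Run as a script it prints only adv10 with both reasons. The point of the example is the one Litan makes: the sweep is visible in the access logs long before anything leaves the building, so the check has to run on the lookups themselves, not on the later exfiltration. A real deployment would also key the baseline on role and time of day, and would treat the noise floors as parameters to be fitted rather than the assumed constants used here.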
