Canadian ice hockey player, Wayne Gretzky, was once quoted as saying: “I skate to where the puck is going to be, not where it has been.”
Former US intelligence expert, Keith Lowry, has advised organisations to take the same approach when protecting their networks against cyber security breaches.
“Until we [adopt] that thought process within our organisations, we are always going to be chasing a puck instead of being able to prevent or use it to our advantage,” he told attendees at the Information Governance and Ediscovery Summit in Sydney.
Lowry – who led the Edward Snowden counterintelligence damage assessment team – said organisations must stop looking merely at defensive shields and focus on who on the inside has access to critical-value data.
Alarmingly, he said many organisations do not know where they house their critical data, who has access to that data and what they do with the information once they have access to it.
“If you are unable to answer those questions then you are searching for a needle in a haystack,” he said.
Organisations and governments must progress from being reactive to proactive in their security posture, he said. They must discover where adversaries are going to be, not where they were “today, yesterday or a month ago.”
“We need to find and understand what we possess that the adversaries want and focus on protecting those pieces of information – those finite targets,” he said.
He said the perimeter is important – cyber defence, instant response, security operations centres all have to be there – but those activities alone are defensive and respond after the event has occurred.
“An additional pitfall of relying on post-activity alerting is that it can take days or even months after a significant malicious event has occurred before it is reported. This can cause embarrassment, public scandal, and affect stock prices,” he said.
Lowry suggested that organisations create a good intelligence picture of who wants access to their data.
“This is enlightening because you know where the vulnerabilities are and you can wait,” he said.
“An organisation that we created an insider threat program for – there was an employee who had access and transferred 1GB of data to an unauthorised storage device,” he said.
"When that occurred, it was thrown over to me and I looked at that data and asked 'does this person have access to critical value data and if so ... are they supposed to transfer it to an unauthorised storage device?'"
He said this person was authorised to access the data but was not supposed to take the action he took, which was an indication that something was wrong.
"I did two things. I took that information, went to his personnel folder, said 'who is this person and who does he associate with that may be interested in this intellectual property that he transferred?'"
As Lowry went through his file, he discovered the person's CV, passport photo, and a picture of him in a foreign military uniform.
That's when alarm bells started going off: the organisation he was working for wasn't aware that a foreign military officer was posing as an employee.
"We took that information and asked who else he was communicating with. By doing a sleuthful trail, we were able to identify several compatriots who were doing the exact same thing he was doing.
"Because we were able to pinpoint the activities that led us to the other individuals, we could identify them and prevent them from doing something wrong," he said.
Lowry warned that cyber attacks initiated by insiders are one of the greatest but rarely mentioned threats to Australian organisations and governments. He said the majority of data breaches are not caused by hackers but internal factors such as malicious insiders and the loss or theft of devices, errors that can be addressed by improving internal communication between IT and security administrators.
He quoted the US State of Cybercrime Survey, which suggests that one-third of cybercrime incidents involve insiders. Further, it found that 50 per cent of organisations say insider breaches are more damaging than external breaches.
Lowry is meeting Australian government security, intelligence and business representatives this week to discuss insider threats in his role as VP, business threat and intelligent analysis at Australian tech firm, Nuix.