With all the attention the world can muster for information security squarely focused on Sony Pictures Entertainment, a small but significant breach went mostly unnoticed at Morgan Stanley right at the end of last year. In case you have not heard about it, you can read about it here. There are a couple of interesting things about this breach worth noting.
First, kudos go to the Morgan Stanley team at every level for how this was handled. “But they were breached! Why would you congratulate them?” I can hear many thinking. The first thing to keep in mind is the sad truth of today’s technology world: everyone is breached all the time, and insiders still have enough power to cripple any organization if they really care to. So there is nothing remarkable about the fact that Morgan Stanley had an event like this one. What they deserve the points for is how it’s been handled. They had the tools to see that it happened and the people trained and watching those tools, so they actually caught it. It may come out that some of those tools and people were contracted, and that’s still going to win them the points because it’s the results that matter. They also had processes in place and they reacted swiftly at the technology, business, staffing, and communication levels. Half the outrage when breaches come out is typically the “I can’t believe they tried to hide it” factor. Morgan Stanley stepped up and took their lumps, which included a small stock dip. But if they had done things differently, it may have been a much bigger story and certainly would have been a much bigger hit on their credibility – and likely their stock price. People barely noticed this story and will likely forget about it soon (if they can get noisy bloggers to shut up about it, that is).
Figure 1: Hugh Jackman in Swordfish Looking like no Hacker Ever
The second notable thing here is that this serves as more evidence of how dangerous insider threat is. Insider threat always seems to take a backseat to the much sexier notion of hackers using sploits to bring down firewalls and rush in to grab data. I’m convinced too many people actually picture stuff from the movies when they think about hackers. Hackers have the numbers, but I’m convinced insiders do the real financial damage. That there are more attacks from the outside has long been the conventional wisdom, but a recent IBM study casts some doubt on that. Most of us don’t want to think about insider threats for two reasons. The first is that it means becoming suspicious of the person in the next cube. Security folks are a suspicious bunch already, and the idea of having no one on your team may seem too unappealing. But the truth is that the most honest and worthwhile way to do security is to own up to the risks of insiders and campaign to trust no one more than is absolutely needed for the business to function – including yourself. The second reason people don’t want to think about insider threat is that it’s so hard to address. The ways insiders get data are often nearly indistinguishable from their legitimate use of it. People who have administrator authority, and likely some technical sophistication to go along with it, can be very hard to trace. So, understandably, security folks are not likely to go charging down a road where it’s hard to measure and show success. Much to the dismay of executives, security professionals are just that – professionals, and they have careers and lives to worry about as well.
All this adds up to why I feel the Morgan Stanley breach is worth noting. They deserve credit for handling things so well from start to finish. We need to look more closely at these insider events so we can get into the right mindset for the challenges that lie ahead. All organizations should be emulating what’s been done here as best they can. The more people openly communicate about security incidents, the less it becomes a blight on an individual organization and the more it becomes an ongoing dialogue about how to improve security for all of us.