Email Data Loss
Case Studies of Recent Email Leaks
Introduction
Despite the widespread use of corporate email to carry confidential information, most messages still travel across wired and wireless networks unencrypted, in plain text. Email at rest in the local mail stores of desktop computers and portable messaging devices, on internal email servers, and in corporate email archives also remains largely unencrypted. The vast amount of corporate intellectual property held in email, coupled with the relative ease of access to this data from internal and external sources, makes email a top information security risk.

Internal Threats to Email Data Security
Statistics vary regarding the prevalence of breaches perpetrated by trusted insiders relative to those committed by external sources. Despite this variance, it is largely accepted that insider threats pose an equal or greater risk than outside threats. Internal threats to data security include negligent employees, broken business processes and malicious employees.
In a recent European study that looked at the internal IT threats of 410 enterprises, over 90% of respondents cited leakage of confidential information as the greatest internal information security threat. Email was seen as a significant contributor to internal data loss by 65% of those surveyed, second only to portable storage devices (69%) [1].
The real and perceived risk of email data breaches by internal threats is echoed in a recent US study that found that companies estimate nearly 1 in 5 outgoing emails (19%) contain content that poses a legal, financial or regulatory risk. The most common form of non-compliant content is email that contains confidential or proprietary business information (30%), followed by adult, obscene or potentially offensive content (25%) and personal healthcare, financial or identity data that may violate privacy and data protection regulations (20%) [2].
Employee negligence and broken business processes
Despite the good intentions of most employees and contractors, human errors such as inadvertently sending a confidential message to the wrong recipient or being duped by a phishing scam can and frequently do result in data loss.
While the risk of accidental or negligent acts can be mitigated to some extent with acceptable use policies and employee training [3], an organization's failure to use technology to prevent data loss caused by human error can itself be regarded as a broken business process. This is particularly true for email, since systems are now available that scan the content of outgoing messages against a policy management engine and enforce encryption automatically.
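As an added illustration (not code from the article or from any product it alludes to), the following Python sketch shows how such a content-scanning policy engine reaches a decision for one outbound message. The organisation's domain (example.com), the list of consumer webmail domains, the detectors, the allow/encrypt/block policy and the sample messages are all assumptions constructed for the example. It walks the MIME parts for text, counts Social Security numbers, Luhn-valid payment card numbers and confidentiality markers, then allows internal mail, enforces encryption to external business recipients, and blocks sensitive content addressed to personal webmail "home accounts" of the kind that appear in the case studies that follow.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumptions (not from the article): the organisation's own domain(s) and the
# consumer webmail domains treated as "home accounts".
INTERNAL_DOMAINS = {"example.com"}
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Detectors for the content types the article lists: identity data (SSNs),
# financial data (payment card numbers) and confidentiality markers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digits, optional separators
MARKER_RE = re.compile(r"\b(?:confidential|proprietary|trade secret|internal only)\b", re.I)


def luhn_ok(candidate: str) -> bool:
    """Luhn check so that arbitrary digit runs (IDs, phone numbers) are not flagged as cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_text(msg: Message) -> str:
    """Concatenate every text/* part, including text attachments such as CSV exports.
    Binary attachments (spreadsheets, archives) are not scanned by this sketch."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def recipient_domains(msg: Message) -> list:
    """Domains of all To/Cc/Bcc recipients, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.rpartition("@")[2].lower() for _, addr in getaddresses(headers) if "@" in addr]


def classify(raw_message: str) -> dict:
    """Return the policy decision for one outbound message: allow, encrypt or block."""
    msg = message_from_string(raw_message)
    text = extract_text(msg)
    findings = {
        "ssn": len(SSN_RE.findall(text)),
        "card": sum(1 for m in CARD_RE.findall(text) if luhn_ok(m)),
        "marker": len(MARKER_RE.findall(text)),
    }
    external = [d for d in recipient_domains(msg) if d not in INTERNAL_DOMAINS]
    personal = [d for d in external if d in PERSONAL_WEBMAIL]
    if not any(findings.values()) or not external:
        action = "allow"      # nothing sensitive, or it never leaves the organisation
    elif personal:
        action = "block"      # assumed policy: no sensitive data to personal webmail
    else:
        action = "encrypt"    # sensitive data to a business partner: enforce encryption
    return {"action": action, "findings": findings, "external_domains": sorted(set(external))}


# Constructed sample messages (not real data).
TO_HOME = """\
From: contractor@example.com
To: me at home <contractor.home@gmail.com>
Subject: payroll extract
Content-Type: text/plain; charset=utf-8

Jane Doe, 123-45-6789
John Roe, 234-56-7890
"""
TO_PARTNER = """\
From: ap@example.com
To: billing@partner.example.org
Subject: card on file
Content-Type: text/plain; charset=utf-8

Confidential: please charge 4111 1111 1111 1111 for invoice 4471.
"""
INTERNAL_ONLY = """\
From: hr@example.com
To: payroll@example.com
Subject: new hire
Content-Type: text/plain; charset=utf-8

SSN 123-45-6789 for the new hire, please add to payroll.
"""

if __name__ == "__main__":
    for name, raw in [("to_home", TO_HOME), ("to_partner", TO_PARTNER), ("internal", INTERNAL_ONLY)]:
        print(name, classify(raw))
```

The Luhn check matters in practice: without it, any 13 to 16 digit run (order numbers, phone numbers with country codes) would trigger the card detector and the policy would encrypt or block harmless mail. A production engine would also extract text from binary attachments before scanning, which this sketch does not do.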
Case Study #1
| Organization: | Blue Cross |
| Sector: | Financial Services - Insurance |
| Details: | A contractor emailed the names and Social Security numbers of 27,000 current and former employees, vendors and contractors to his home computer, in violation of company policies [4]. |
Case Study #2
| Organization: | Republican National Committee (RNC) |
| Sector: | Political Party |
| Details: | An email containing a list of names, races and Social Security numbers of dozens of top Republican donors was erroneously sent to a New York Sun reporter [5]. |
Malicious employees
Malicious insiders pose a substantial threat by virtue of their knowledge of and access to corporate intellectual property and internal systems. Insiders are also more easily able to bypass existing physical and electronic security measures through legitimate means such as security cards and system passwords that have been granted to perform their job functions.
The US Secret Service National Threat Assessment Center (NTAC) in conjunction with Carnegie Mellon University conducted a study of malicious insider threats in the banking and finance sector [6]. Interesting findings included:
- Most incidents required little technical sophistication and typically involved exploitation of business rules or organizational policies; in 87% of the cases simple, legitimate user commands were used.
- In 78% of the incidents, the insiders were authorized users with active computer accounts at the time of the incident; in 43% of the cases, the insider used his or her own username and password.
- Only 23% of the insiders were employed in technical positions, with 17% of the insiders possessing system administrator/root access within the organization.
- Most insiders were motivated by financial gain, rather than a desire to harm the company or information system; other motives included revenge, dissatisfaction with company management, culture or policies, and a desire for respect.
Case Study #3
| Organization: | Idexx |
| Sector: | Pharmaceutical / Healthcare |
| Details: | An Idexx employee seeking employment with a competitor sent emails containing valuable trade secrets and other intellectual property, such as sales reports, manufacturing processes, operating procedures and customer lists [7]. |
Case Study #4
| Organization: | McLaren |
| Sector: | Sports - Auto racing |
| Details: | Email exchanges between McLaren employees were leaked by an insider to the authorities and the press [8]; these emails provided key evidence supporting the claim that McLaren had used information from a 780-page dossier containing many of Ferrari's technical secrets. McLaren was fined $100 million and excluded from the constructors' championship for the season [9]. |
External Threats to Email Data Security
External threats to private and confidential corporate information include trusted relationships such as ex-employees, contractors and strategic business partners. Untrusted external threats include hackers, organized crime syndicates, competitors, and corporations or governments engaged in espionage.
Trusted non-employee users are often provided with connectivity to local or remote systems and thus pose a danger due to their access privileges. Of the 218 organizations polled in a recent study the vast majority (85%) indicated that network access credentials are provided to non-employees [10]. Almost two-thirds (63%) of these same respondents expect the number of non-employee credentialed users to increase in the next two years. Physical access privileges also increase the risk of unauthorized access to corporate intellectual property via unlocked workstations, servers, back-up tapes, wired and wireless networks.
Breaches perpetrated by untrusted external groups are often highly targeted and employ relatively sophisticated techniques [11] due to the technical expertise and financial resources of those involved. Financial gain, competitive advantage, altruism and in some cases the simple challenge of accessing restricted information are the main motivations of these individuals or groups.
Ex-employees
Like malicious insiders, ex-employees pose a substantial threat because they know where corporate intellectual property resides and how to reach it. While these individuals may no longer have physical access, systems can easily be reached through accounts that were never properly disabled, shared or anonymous accounts known to them, or the accounts of current employees whose passwords they know.
Case Study #5
| Organization: | Source Media |
| Sector: | Media / Publishing |
| Details: | A disgruntled former employee of Source Media broke into the company's computer network, read confidential emails about pending personnel moves, and sent anonymous messages to the affected employees to let them know their jobs were in jeopardy. Federal prosecutors stated that access was gained using the passwords of several active employee email accounts, which he knew from his former role as director of information technology and vice president of technology for the company [12]. |
Case Study #6
| Organization: | Not reported |
| Sector: | Healthcare - Hospital |
| Details: | A woman who had resigned days earlier still had access to her email account and sent messages containing client information and financial reports to her home account. The investigation revealed that her new employer was a rival hospital and that the sensitive information she collected was apparently passed on [13]. |
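As an added example (not from the article or from the cases it cites), the following Python audit shows two checks an organisation can run to catch the failure behind Case Study 6: departed users whose mail accounts are still enabled after their last working day, and mail sent from a departed user's account after that day, classified by whether the recipient is internal, an external business domain or a personal webmail account. The HR departure feed, the directory export, the mail domain hospital.example, the webmail list and the simplified log format are all constructed for the example.

```python
import re
from datetime import date, datetime

# Assumptions (not from the article): the organisation's mail domain and the
# consumer webmail domains treated as "home accounts".
INTERNAL_DOMAIN = "hospital.example"
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed HR feed: user -> last working day (the account should be disabled after it).
DEPARTURES = {
    "mrivera": date(2007, 9, 20),
    "tnguyen": date(2007, 9, 10),
    "pcostas": date(2007, 9, 30),
}
# Constructed directory export: user -> account still enabled?
DIRECTORY = {"mrivera": True, "tnguyen": False, "pcostas": True, "bob": True}

# Constructed, simplified outbound mail log, one delivery per line:
# <ISO timestamp> <sender> <recipient> <bytes>
MAIL_LOG = """\
2007-09-19T17:30:00 mrivera@hospital.example finance@hospital.example 900
2007-09-21T10:02:11 pcostas@hospital.example bob@hospital.example 1200
2007-09-22T08:14:03 mrivera@hospital.example m.rivera.home@gmail.com 2048
2007-09-22T08:16:45 mrivera@hospital.example m.rivera.home@gmail.com 450122
2007-09-23T09:00:00 bob@hospital.example vendor@supplier.example 3000
"""
LOG_RE = re.compile(r"^(\S+) (\S+)@(\S+) (\S+)@(\S+) (\d+)$")


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, s_user, s_dom, r_user, r_dom, size = m.groups()
        yield {
            "when": datetime.fromisoformat(ts),
            "sender": s_user.lower(),
            "sender_domain": s_dom.lower(),
            "recipient": f"{r_user}@{r_dom}".lower(),
            "recipient_domain": r_dom.lower(),
            "bytes": int(size),
        }


def stale_accounts(today_iso: str) -> list:
    """Departed users (per HR) whose mail account the directory still shows as enabled."""
    today = date.fromisoformat(today_iso)
    return sorted(u for u, last in DEPARTURES.items() if today > last and DIRECTORY.get(u, False))


def recipient_class(domain: str) -> str:
    if domain == INTERNAL_DOMAIN:
        return "internal"
    if domain in PERSONAL_WEBMAIL:
        return "personal-webmail"
    return "external"


def post_departure_mail(log_text: str = MAIL_LOG) -> list:
    """Messages sent from a departed user's corporate account after their last working day."""
    hits = []
    for entry in parse_log(log_text):
        last = DEPARTURES.get(entry["sender"])
        if last is None or entry["sender_domain"] != INTERNAL_DOMAIN:
            continue
        if entry["when"].date() > last:
            hits.append({**entry, "class": recipient_class(entry["recipient_domain"])})
    return hits


def audit(today_iso: str) -> dict:
    """Summary a security team could review each morning against the previous day's log."""
    hits = post_departure_mail()
    return {
        "stale_accounts": stale_accounts(today_iso),
        "post_departure_messages": len(hits),
        "bytes_to_personal_webmail": sum(h["bytes"] for h in hits if h["class"] == "personal-webmail"),
        "senders": sorted({h["sender"] for h in hits}),
    }


if __name__ == "__main__":
    print(audit("2007-09-24"))
```

The first check is preventive (the account should already be gone) and the second is detective: it only fires after data has left, so the volume to personal webmail is reported separately to help triage. Both depend on the HR departure feed being timely and on the mail log recording the authenticated sender rather than the spoofable From header.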
Corporate Espionage
As more and more organizations come to rely on the Internet for communications, data transfer and other critical business applications, electronic espionage (sometimes referred to as Netspionage) has inevitably become more widespread. Often carried out under the banner of competitive intelligence gathering, corporate or industrial espionage is rarely reported.
High risk industries have historically included organizations in the fields of information systems, sensors and lasers, armaments and energetic materials, aeronautics, electronics, marine systems, space technologies, chemical and biological systems, navigation systems and manufacturing [14]. Today, any company that relies on information systems is conceivably at risk of electronic data theft by corporate espionage agents.
Case Study #7
| Organization: | Not reported |
| Sector: | Manufacturing |
| Details: | William Malik, an analyst at Gartner Group, says he consulted on a case in which two "heavy manufacturing" firms were bidding on a $900 million contract and one outbid the other by a fraction of a percent. It was later revealed that a hacker had gained access to the losing company's emails about its bidding strategy. The incident would have gone undetected had it not been for a network traffic audit that the targeted company happened to be conducting while the negotiations were under way [15]. |
State Sponsored Espionage
Governments around the world are involved in economic espionage activities to both protect and assist their local industries in an increasingly competitive global marketplace. Commonly used data theft techniques include the use of malicious insiders (moles), electronic surveillance systems, malware, social engineering attacks, and a host of low tech tactics such as targeted laptop thefts and dumpster diving.
The US government has openly admitted to spying on foreign companies using a sophisticated signals intelligence and analysis network called ECHELON that can capture radio and satellite communications, telephone calls, faxes, emails and other data streams nearly anywhere in the world and includes automated analysis and sorting of intercepts [16]. Other developed nations have similar capabilities.
On the flip side, the US National Counterintelligence Executive reported 108 nations were involved in trying to steal US corporate intellectual property in 2005 [17], the last year full data was made available. China, Russia, India and a number of other developing countries are increasingly being identified as the intended recipients of information gathered through espionage programs [17,18]. The FBI has publicly admitted that the number of Chinese counterintelligence cases in Silicon Valley alone is increasing by 20 to 30 percent annually [19].
Case Study #8
| Organization: | Not reported |
| Sector: | Consulting Services |
| Details: | While in Beijing negotiating with a large state-owned Chinese transportation company, a US businessman repeatedly found that his counterpart would open meetings by addressing issues he had detailed in emails sent to his head office the previous day. He was convinced that his emails were being intercepted by the Chinese government and passed on to the company he was dealing with [20]. |
Hackers
In the sense used here, a hacker is someone who specializes in finding and exploiting weaknesses in systems. Malicious or criminal hackers, also known as black hats, compromise the security of systems and networks without the permission of an authorized party and are typically motivated by financial gain. White hats are ethical hackers who find and disclose vulnerabilities so that they can be fixed before unauthorized users exploit them. Grey hats fall between the two: they usually do not hack for personal gain or with malicious intent, but may break the law in the course of their activities.
Hackers can work independently, in association with other hackers or on behalf of organized crime, corporations or governments. While hackers have historically been very knowledgeable about computer hardware, software and networks, free and commercially available tools are enabling a new generation of less technologically savvy hackers.
Case Study #9
| Organization: | TorrentSpy |
| Sector: | IT - Search Engine |
| Details: | According to the complaint filed by TorrentSpy's parent company, Valence Media [21], the Motion Picture Association of America paid $15,000 to a hacker to obtain private emails belonging to TorrentSpy. In addition to private correspondence between TorrentSpy executives, the hacker also passed on emails containing financial, operational, customer and employee data [21]. |
Case Study #10
| Organization: | Embassies of Iran, India, Japan, Russia, Kazakhstan, Uzbekistan, Foreign Ministry of Iran, U.K. Visa Office, Office of the Dalai Lama, Hong Kong Democratic Party, Hong Kong Liberal Party, Hong Kong Human Rights Monitor, India National Defence Academy, India's Ministry of Defence, and several large unidentified companies in the U.S. and the U.K. |
| Sector: | Governments, Civil Rights Groups, Unidentified |
| Details: | A Swedish computer security consultant found a weakness that allowed him to obtain the user names and passwords of at least 1,000 email accounts. He posted a list of 100 of those user names, passwords and mail server IP addresses on a public web site to get the attention of the account holders and IT administrators, most of whom had ignored earlier warnings about the problem [22]. |
Conclusion
The internal and external threats examined in this article show that organizations need to do a better job of protecting the privacy and confidentiality of their email communications. By implementing standards-based systems that provide end-to-end encryption and automated policy management, organizations can meet their regulatory obligations and mitigate much of the risk associated with email data loss.
References
1. InfoWatch, Internal IT Threats in Europe 2006, Apr 2007.
http://www.infowatch.com/threats?chapter=162971949&id=207784668
2. Forrester Consulting, Outbound Email and Content Security in Today's Enterprise, 2007.
http://www.proofpoint.com/downloads/Proofpoint-Outbound-Email-and-Content-Security-2007.pdf
3. CompTIA, Information Security: A CompTIA Analysis of IT Security and the Workforce, Apr 2007.
http://www.comptia.org/sections/research/research%20docs/securitysummary407.pdf
4. Associated Press, Blue Cross says contractor took 27,000 Social Security numbers, Feb 2006.
http://attrition.org/dataloss/2006/02/bcbs03.html
5. New York Sun, GOP Donors' Personal Data Disclosed in RNC Privacy Slip, Oct 2006.
http://www.nysun.com/article/41341?page_no=1
6. U.S. Secret Service & Carnegie Mellon University, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, Aug 2004.
http://www.secretservice.gov/ntac/its_report_040820.pdf
7. U.S. Department of Justice, The Economic Espionage Act of 1996: an Overview.
http://www.usdoj.gov/criminal/cybercrime/usamay2001_6.htm
8. Planet F1, Alonso Threatened McLaren With FIA Disclosure, Sep 2007.
http://www.planet-f1.com/story/0,18954,3213_2730143,00.html
9. New York Times, E-mails and Text Messages Reveal Details of F1 Spy Case, Sep 2007.
http://www.nytimes.com/2007/09/15/sports/othersports/15mclaren.html?_r=1&oref=slogin
10. Enterprise Strategy Group, Internal Threat Report, Feb 2006.
http://www.securitymanagement.com/files/mazu_internal_threat0606.pdf
11. Counterpane and MessageLabs, 2005 Attack Trends & Analysis, Mar 2006.
http://www.counterpane.com/dl/attack-trends-2005-messagelabs.pdf
12. U.S. Department of Justice, U.S. Arrests Ex-employee for Hacking into Financial Publishing Firm's Computer Network, Nov 2006.
http://www.usdoj.gov/usao/nys/pressreleases/November06/hoffackerarrestpr.pdf
13. Kathimerini, Woman arrested for hospital espionage, Sep 2007.
http://www.ekathimerini.com/4dcgi/_w_articles_politics_100014_29/09/2007_88365
14. U.S. National Counterintelligence Center, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage - 2002, Feb 2003.
http://www.ncix.gov/publications/reports/fecie_all/fecie_2002.pdf
15. Sans Institute, Corporate Espionage 101, May 2003.
http://www.sans.org/reading_room/papers/index.php?id=512&c=4b6244995fea1a55f1a32c8eddb312da
16. European Parliament, Report on the existence of a global system for the interception of private and commercial communications (ECHELON interception system), Jul 2001.
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN
17. U.S. National Counterintelligence Executive, Annual Report to Congress on Foreign Economic Collection and Industrial Espionage - 2005.
http://www.ncix.gov/publications/reports/fecie_all/FECIE_2005.pdf
18. National Counterintelligence Executive and ASIS Foundation, Trends in Proprietary Information Loss, Aug 2007.
http://www.asisonline.org/newsroom/surveys/spi2.pdf
19. Time, China's Big Export, Feb 2005.
http://www.time.com/time/magazine/article/0,9171,1027457,00.html
20. The Australian, China's great firewall, Mar 2007.
http://www.theaustralian.news.com.au/story/0,20867,21362873-28737,00.html
(Information about the industries of the participants was gathered through email correspondence with the author.)
21. Rothken Law Firm LLP, U.S. District Court - Central District of California Case CV06-3206 Valence Media vs. Motion Picture Association of America, May 2006.
http://www.techfirm.com/ts-mpaa.pdf
22. Wired, Embassy E-mail Account Vulnerability Exposes Passport Data and Official Business Matters, Aug 2007.
http://blog.wired.com/27bstroke6/2007/08/embassy-e-mail-.html