The worst IT threats can come from inside
Imagine the havoc if one day your organization's critical data just disappeared.
It could happen, says Eric Chiu, founder & president of HyTrust, a company in Mountain View, CA, that specializes in access control for data. It likely would be caused by someone employed or formerly employed at your organization, he says.
Information technology (IT) security often focuses on the threat of outsiders hacking into your system, but your own employees could pose the biggest threat of all, Chiu warns. He cites a recent incident in New Jersey that he says illustrates the threat posed by insiders: A former employee of the Japanese pharmaceutical company Shionogi was able to hack the organization and effectively take down its virtual infrastructure, which caused $800,000 in damages to the company.
"Insider threats are on the rise, whether from malicious or disgruntled employees, data leaks, or mistakes and other unintentional issues," Chiu says. "The breach at Shionogi is a great example of how vulnerable virtualization infrastructure and the cloud can be. Critical systems like e-mail, order tracking, financial, and other services were impacted, having been virtualized without the proper controls in place. This was because a disgruntled admin was able to delete the corporate servers with a simple click of a button."
To add insult to injury, he was able to do this remotely while sitting at a booth in a Georgia McDonald's, using the restaurant's wi-fi connection, Chiu says.
The $800,000 in damages and multiple days of downtime at Shionogi could have been prevented with the right automated controls in place, he says. IT administrators, such as the man charged with the Shionogi crime, are primary threats because they must be privileged users with extensive access to the system and its controls, he says.
"They have credentials and back doors that they have put in place, and in this case, he was able to log in using those credentials long after he had been fired from the company," Chiu says. "He proceeded to delete all of the servers and virtual machines that the company ran on, which put the company out of business for a week and cost them almost a million dollars in damages."
The damage can be even worse, Chiu notes. In the Shionogi case, the vandal did not use an especially sophisticated method but rather manually deleted 90 virtual machines from the system one at a time. A more determined hacker could destroy 20,000 virtual machines in five minutes using a program code, he says.
That "virtualization layer," in which data is stored and managed on "machines" that exist only within the system, is a major trend in IT, Chiu says, and it creates vulnerabilities. "Insider threats are not new, but what is new is that about 50% of servers are running on top of virtualization. You can do much more in terms of attacking or stealing data by going through the virtualization layer," Chiu says. "If you want to steal patient information, it can be as easy as going in through the virtualization layer, copying the virtual machine, and putting it on your laptop. You don't have to go through an elaborate program of sniffing the system for weak points if you can access that virtualization layer."
The virtual infrastructure must be secured just like the physical servers, and that step is where most companies are falling short, Chiu says. In his experience, Chiu says, more than 80% of companies do not have proper controls for securing the virtualization layer. (See the story below for more on considering the risks of virtualization.)
"We're seeing just the tip of the iceberg because most of these breaches go unpublished," Chiu says. "For every public one like Shionogi, there are probably hundreds that we don't hear about."
- Eric Chiu, Co-founder and President, Hytrust, Mountain View, CA. Telephone: (650) 681-8100.
Focus on threats, not just ROI of virtualization
The vulnerabilities of a virtual infrastructure are real, but they often are overlooked while healthcare leaders focus on the return on investment (ROI), says Eric Chiu, founder & president of HyTrust, a company in Mountain View, CA, that specializes in access control for data.
"Healthcare companies are not focused on the security aspects of virtualizing patient health information but are focused on the ROI aspects," he says. "They're treating the virtual environment the same way they did the physical data center, so they're securing networks and applications, but they're not securing the underlying technology that all of those applications are sitting on top of."
Chiu says it is only a matter of time before a hospital or health system reports a major breach through its virtualization layer. "Only about 15% of these kind of breaches are done because of a conflict like someone being fired. Most of it is done for personal gain or wanting to expose information like was done with Wikileaks," Chiu says. "The admins can go in and, with the access and free rein they have in the environment, they can steal all sorts of data and never be detected."