Title - Policy, People, and Ninja Warriors!
In this episode we're gonna cover cloud impacts on insider threat, some ways to reduce insider risk, NINJIO Security Awareness, and more! Don't touch that dial!
Welcome back! This is episode 3 of The Insider Threat podcast, for the week of May 29th, 2017.
Quick Announcements Segment
The continued feedback has been really great, especially those of you in the Cybersecurity community on Reddit. The biggest complaint I've received isn't even really a complaint, which is that the podiant website doesn't have the ability to listen at 1.5 or 2x the speed over the web. I know exactly what you guys are talking about. With something like 8 or 9 weekly podcasts that I listen to in addition to this show, my job, and my fairly large family, I have to do the same thing. There are only so many episodes that I can cram into the time that I am washing the dishes after dinner. The only option there is to listen through your favorite podcast app, so subscribe through iTunes, Stitcher, Pocket Cast, the Google Play Store, Overcast, or whatever you use. If you find that your app doesn't have the show available, please let me know and I'll see what I can do about getting it added. Again, please continue to listen, subscribe, rate, and review. I've gotten far more streams and downloads than I thought possible with only 2 episodes out, which shows that there's a real need for information on this topic.
In addition, I ask that you guys send any insider threat stories that you may have. I'll be sure to strip out any identifying details of course, but it would be nice to have some real world examples of some of the things we discuss.
Infosec Question of the Week
It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "How did notorious hacker Kevin Mitnick know that federal agents were near his apartment?"
The answer was that he compromised the local cellular network and created an alert to let him know when the cell phones belonging to the agents on his case communicated with the nearby cell tower. The hashtag was actually relevant to the story, as the only thing that the agents found when they got to his apartment was a box of donuts in the refrigerator labeled "FBI Donuts".
Pooran from Mumbai, India
Jake from Norwalk, Connecticut
Alyssa from Flagstaff, Arizona
Rich from Bedford, England
I'm going to mess this up. My French is as nonexistent as the prize… Rene'e from Chateauroux, France
And Bernie from Chicago, Illinois for getting the correct answer.
Here's your question for this week: In the early 1970s, John Draper discovered that he could make free long distance calls by sending a certain tone through the phone. What did he use and where did he get it?
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "breakfast".
The first article this week comes from Jessie Bur at MeriTalk and it claims that cloud integration actually increases insider threat risk
This conclusion was drawn from a recent survey, where 59% of government employees that responded were concerned that migration to the cloud makes it more difficult to keep track of malicious or negligent users.
What I find really interesting about this idea is that many, if not most, of the tools today for tracking user behavior are either solely in the cloud or have the option to be implemented either in the cloud or on premises. If the findings of this survey are true, would putting more applications and services in the cloud only add to the problem or would it make things easier? At some point we are going to have different cloud applications and providers talking to each other in our environments and I'm afraid we will completely lose control and oversight of what they are doing.
This could become even worse, since President Trump is now pushing the federal government even more forcefully into the cloud with the new Cybersecurity executive order that was signed a few weeks ago. I'm not trying to be political or anything like that, but the push for cloud integration is strong. Vendors like Amazon, Microsoft, and others are making a good case for organizations to migrate their applications and services into the cloud, and those that don't might feel like they are falling behind when compared to their competitors or peers.
The more complex we make our environments, the more risk we have. If we are adding complexity in order to minimize risk, that might be the wrong approach and what got us in whatever situation we are in to begin with. When you add more variables to the equation, the outcome will be harder to predict. Insurance companies and war strategists have been studying this concept for a really long time, so we have to assume that they are onto something.
Our next article comes from Scott Matteson at Tech Republic and lists 5 ways to reduce insider security risks
Assess access needs and build policies to determine what rights users and administrators should have, and adjust according to changes or new circumstances.
This is generally known as the concepts of least privilege and identity and access management, and it is a really important thing to do in our organizations. We need to ensure that users only have accesses and privileges needed for their current roles and this needs to be reviewed very regularly to make sure we stay on top of it. Another way to ensure this is being done is to integrate access review into onboarding and termination processes, but it also needs to be triggered when an employee changes roles. That is where most of us have the hardest time.
IoT devices can place the organization at exceptional risk via embedded credentials. Use analytics on these to determine normal behavior and detect anomalies.
In addition to extra oversight on these devices, we should also seriously consider network segmentation. The recent widespread malware infestation that we've had speaks to the fact that some organizations simply cannot get away from having vulnerable or outdated devices and operating systems in their environments. The best practice here is to isolate those devices so if they do become a problem, at least they won't be able to serve as staging areas for accessing the rest of the network devices.
Use logging/alerting mechanisms to notify personnel about suspected attacks as early as possible to reduce risk.
This one is key, especially when it comes to insider threat. If we know that a phishing campaign or other human hacking attempt is going on in our organizations, timely communication with the user base might be the only thing that keeps you out of deep water. It also shows the employees that information security is an important part of the business as a whole and tells them that they are an integral part of the program.
Use separate accounts for administrators to perform routine tasks versus privileged operations.
I'm pretty sure this is best practice no matter where you go. There is no reason that I can think of for a system, network, or security administrator to be able to access the internet or email with their privileged accounts. Doing so greatly increases the threat landscape because if one of those accounts got compromised, attackers get the keys to the kingdom. On top of that, those accounts generally get around security controls by default, so something as simple as a malicious advertisement loading on a screen could allow the code to run as administrator and have a higher likelihood of success.
Background checks may provide some protection from malicious insiders (provided they have been caught in the past), but should not be seen as the end-all solution. Individuals with clean records can still be victimized via compromised accounts.
This last risk reduction tip is interesting, and I suspect it is something that is not universally done and in my mind there are different approaches. While discovery of some past crimes should probably deny employment altogether, some others might not fall into that boat. There are several successful information security professionals and consultants today that have a dark history, yet they have been able to move on to very successful and upright careers in our industry. Maybe the best route to take would be to weigh each case independently and if there is any suspicion about a particular person applying for a job, their access can be tightened and we can keep a closer eye on their behavior. Instead of being a binary yes or no for hiring, we can use that information as we tailor our monitoring strategy.
The next article comes from James Graves at ZoneFox.com and centers on the importance of good policy when it comes to insider threat
Security policy in general is viewed differently depending on who you ask. For this article, the author is specifically highlighting the need for an Insider Threat Policy.
So with this one, we talk about different important steps or tips for having an effective Insider Threat Policy.
The first one is defining the threat, as well as defining the policy.
Now this seems like a no-brainer, especially because we have a good idea of what the threat is - we know that insiders either intentionally or unintentionally do things that increase risk. That isn't as easy to detail on paper though. An added note is that by taking the time to write or type out the definition of the threat for this policy, you get the added benefit of ensuring that you and everyone else in the organization has a standardized idea of what the insider threat is. You are identifying the problem in a public way, which will drastically help in the next step, which will be to find ways to solve that problem or at least minimize its impact on the organization.
Now we get to the meat of the policy, which is spelling out the actual rules when it comes to insider threat. The next tip will help with that, since it tells you that you have probably already done some of the work through your other policy or training.
You can look at places like the acceptable use policy, mobile device policy, access control policy, and so on. None of this has to be created on the spot, since it has likely been covered in other places in more detail. Another quick tip from me, and this goes for writing any security policy, is that you shouldn't be so detailed in these policy statements that you have to modify more than one policy when a single change is made. Instead of copying and pasting policy language from one document to the other, you can simply give an overview of the other policy and direct employees to look there for the details. These callouts for other documents will save you an incredible amount of time later.
The next tip says that with context comes clarity.
There is a sentence from this article that I feel needs to be quoted. It says, "Security policies, and therefore insider threat policies, are not created for the benefit of the cybersecurity team, they are created for the benefit of the organization as a whole, and anyone in it."
That is huge and this idea should ring through all the policy you write. If you are able to communicate to the readers that the rules outlined in the policy aren't just some requirements from the security team, but instead that they are meant for everyone to be successful, that will help them to see the importance more clearly. Tell them how insider threat impacts not only their job as a whole, but their success in accomplishing the key components of their job.
People will sometimes intentionally or unintentionally do things that they shouldn't. We are all human. This next tip, enforcing the policy with technology, is one way to either ensure that doesn't happen or give you the capability to discover and respond when it does.
On top of your policy and various training programs, many organizations see the need to compensate their program with tools. When it comes to insider threat, the common technology used is user behavior analytics.
Last week we spoke about Observe IT and their product that allows administrators to monitor user behavior and identify abnormalities. Think of this as the door locks and alarm systems of your home. Even though we have laws and cultural norms that dissuade people from breaking and entering while you are away or asleep, you need to have physical and technical barriers to keep people out that have chosen to disregard the law and morality in general. User behavior analytics solutions are a good way to do that for insider threat.
When you highlight these technologies in your policy, it lets the people in your organization know that although we expect them to do the right thing, we are actively inspecting what we expect.
Lastly, we have to integrate the policy compliance with the existing business compliance strategy. In order for policy to be effective, it must have teeth. I've heard it said that policy without teeth is just words on a page.
If someone performs an act or exhibits a behavior that does not align with the policy, there has to be a way to reprimand or otherwise punish them. This serves as a deterrence just as much as it does a consequence. Aside from moral reasons, a major deterrence for breaking into a house is the knowledge that I will get in trouble if I get caught. If you are implementing a tool effectively, as mentioned in the last tip, they already know that they will probably get caught.
Aligning insider threat policy enforcement with the more traditional enforcement strategy that the organization uses will make it easier to accomplish if an incident arises, and it also gives employees a mental reference point for unacceptable behavior. They can expect similar consequences for punching their boss in the face as they would violating a key security policy.
One thing I would add to this list is something that I stress for all security policy, which is management support. When the executives are on your side, that means they understand the impacts of information security risk and its relationship to business risk. That is language they speak regularly, and they will probably do so very often. When the boss cares about it, everyone under them has no choice but to care as well.
Not a sponsor of the show
From their website - NINJIO attacks end user Security Awareness in a different way. We don’t lecture your users. We entertain and educate them by telling stories about real life security breaches that have happened to real life companies. We do this using 3-4 minute long animated and gamified Episodes written by Hollywood writers, and we focus on one teachable moment around one specific type of attack. A new Episode is released every 30 days, so your users will never see the same Episode twice. It’s like “drip marketing” for Security Awareness.
How it works is they create user accounts for your organization's employees in their online learning management system. Every 30 days they send emails to your employees letting them know that a new lesson is available, then they complete the video or lesson and get placed on a leaderboard for your organization. The lessons are specifically tailored to address current threats around the world.
They have different deployment options available as well.
I have been very excited about NINJIO for quite some time. I've chatted with their CEO once or twice and I really like the approach they're taking to help solve the insider threat problem.
They have a few samples of the videos available on their website, and I strongly suggest that you go check 'em out. Even if you don't think you have a problem with your existing awareness program, it helps to see how others are finding creative ways to communicate the information. They're pretty entertaining, too.
If you decide that you want to know more about their product, let them know. Everyone I've been in contact with at NINJIO has been really helpful and responsive.
I've left a link to their website, as well as the articles covered in this episode in the show notes.
Thought of the Week Segment
Now it is time for our thought of the week. This one comes from Douglas Horton, who said "The art of simplicity is a puzzle of complexity"
Thank you for listening to episode 3 of The Insider Threat podcast. Please remember to review and subscribe in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions and constructive criticism.
You can contact me on twitter @stevehigdon or email me at firstname.lastname@example.org.
Thanks again and I'll see you folks next time!
Welcome to episode 1 of The Insider Threat podcast.
This is the week of May 15th, 2017.
I'm your host, Steve Higdoon
This all started a long time ago when I began writing blog posts and articles centered on selling information security to business minded people. That got me going down the rabbit hole of how to influence the people that impact security.
Then I started seeing headlines all over the place claiming that insider threats or the human factor was the weakest link in organizations.
Heck, a quick google search right now shows headlines claiming that "insiders are today's biggest security threat", "insider threats responsible for 43% of data breaches", "58% of Information Security Incidents Attributed to Insider Threat", and the list goes on.
I've heard the hosts of Paul's Security Weekly podcast (and by the way, if you don't listen to them and you are in this industry, you really need to. In fact, you have my permission. Pause this episode and subscribe to their shows right now. I'll wait.), so anyway, they said that when they go out on pentests they often suggest to their clients that they start with the assumption that they have already infiltrated the network because if they do a simple phishing campaign, one in ten employees is going to click on the link or open the attachment. Making this assumption would save everyone time and money.
The topic of insider threat has almost become a marketing buzzphrase now. There are several new products on the market in the areas of user behavior analytics, data loss prevention, machine learning, and artificial intelligence. Now if any of you are working on your bingo cards, they should be just about filled up.
On a serious note though, this certainly is a problem and there are multiple types of solutions on the market to address it. That is what this podcast is gonna be about.
I really want your listener feedback on this. What are you doing in your organization to deal with the human factor? What do you wish you were able to do? Please leave comments at the link in the show notes or contact me directly on twitter or email. I'll give you that information at the end of the episode. Not only will your feedback give me more to talk about on the show, but it will also help others in the industry who are trying to tackle the same problem. Who knows, I may even be able to do some shout outs to you all if commentary becomes a regular thing.
SC Magazine UK - Max Metzger - Hospitals turn patients away as NHS caught up in global ransomware attack
WannaCrypt0r, one of the largest ransomware attacks ever occurred on Friday, May 12th, 2017, and is reported to have effected organizations in almost 99 different countries across the globe.
The virus first hit headlines as it knocked computers offline at the National Health Service, which is the public health organization for England, Scotland, Wales, and Northern Ireland. On Friday, news agencies all over the UK were urging citizens to avoid the emergency room at all costs.
There are also reports that the virus exploited known vulnerabilities that were recently leaked by the National Security Agency in the United States.
The kicker here is that patches for those vulnerabilities were actually released by Microsoft in March, which means that any organizations that were impacted did not apply patches in just over two months.
What does this have to do with insider threat? Well ransomware is often spread through email with malicious links or attachments. In fact, the article even mentions that initial thoughts were that the ransomware was being spread through an email that was labeled "Clinical Results".
This just goes to show that risks associated with insider threat are real and current. International investigations related to this major incident are still underway.
Infosecurity Magazine - Driving a Culture of Security - Tips For The CIO by Julian Wragg VP at Pluralsight
Pluralsight is an online technology learning platform. They aren't a sponsor or anything, I just wanted to give you all some background about the author.
This article lists 5 ideas for improving security culture.
Get with HR Write more effective policy that people will understand
Invest in role specific training
Invest in your team's skillset - internal penetration testing
Create engaging content - make training more enjoyable
Lead by example - executive management support and culture
The thing that I found interesting is that none of these tips were focused on tools, which I suppose makes sense because it is based on improving the security culture of an organization. I will leave a link to this article in the show notes for anyone who wants to read it.
So far this episode we have highlighted the two major philosophies for dealing with insider threat - technology and training. What do you think about this article? Do you agree?
Thought of the Week Segment “ If you want to change the culture, you will have to start by changing the organization.” Mary Douglas
Thank you for listening to episode 1 of The Insider Threat podcast. Please remember to subscribe, rate, and share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions and constructive criticism.
You can contact us on twitter @stevehigdon or email us at email@example.com.
Thanks again and I'll see you folks next time!