Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Game of Pwns, Bots, and Government
In this episode we cover game of thrones leaks, bad robots, security in the government, and more. Don't touch that dial!
Welcome back! This is episode 15 of The Insider Threat podcast, for the week of August 28th, 2017.
In case any of you were wondering, I didn't stay up last night to watch the fight. While that isn't usually my thing, this had all the indications of being a really good one. I'd actually planned on it being a complete surprise, but when I woke up this morning my phone gave away the outcome on the lock screen. I'll still probably try to find a way to go back and watch it though. A couple of you wished me well with my vacation, and I thank you for that. Have you ever gone on vacation and came back even more exhausted than when you left? This was one of those. It really was a good time though and I think it went well for my entire family. On top of that, we came home to the solar eclipse on Monday. My only regret is that I was too busy trying to catch up at work to go outside and see it, but everyone who did has told me that it was a pretty good show. Thanks for giving me a break to spend time with the family this last week. I tried to get something recorded at the last minute, but it just didn't work out. We've had more subscribers this last week, which means you were helping to promote the show.
Thank you for that as well and keep it up! Let's see how many people we can get talking about Insider Threat.
Infosec Question of the Week
It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "In 1995, Netscape Communications went public and stock prices surged significantly in the first day alone. What was the original price of Netscape shares?"
The answer was "$28".
By the end of the very first trading day, the shares were going for $75. This rapid growth has been regarded as the first indicator of the dot com boom.
Congratulations to Charlie from Elizabethtown, Owen from New York, and Riley from Yakima(?) for getting the correct answer.
Here's your question for this week: "A Cuban-born hacker plagued United States retailers from 2005 through 2007 and is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers across the country. Who is this notorious hacker?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "shadow".
Info - https://en.wikipedia.org/wiki/Albert_Gonzalez
Our news article this week comes from Brian Barrett from Wired.com and is titled BREAKING DOWN HBO'S BRUTAL MONTH OF HACKS
If you haven't heard about this one, you might be living under a rock. HBO suffered a massive data breach and seems to still be compromised, as hackers continue to leak full episodes and scripts before their release dates. At one point it was said that the company offered to pay a "bug bounty" to the hackers to get them to stop. We don't call that a bug bounty in this industry. That would be a ransom. Either way, the hackers refused to be paid off.
Richard Ford from Forcepoint says that there are actually four separate incidents taking place, which include supply chain issues, malicious insiders, accidental insiders, and a compromised account. The malicious insiders in this case were four men in India who allegedly smuggled a Game of Thrones episode out of Prime Focus Technologies, a company that works with Star India, which carries HBO in that country. We have spoken about issues like this in the past, and we need to make sure we are protecting our organizations from all insiders, which includes those who work for third parties. The same type of thing happened to Netflix recently, where third party leakers demanded a hefty ransom to stop them from releasing episodes of Orange Is the New Black.
After that, accidental insiders from HBO Nordic and HBO España showed a new episode of Game of Thrones four days too early. That didn't stop the footage from showing up on torrent sites within hours.
This just goes to show that we have several different types of attacks that we have to defend ourselves from every day. Hopefully HBO can get their act together.
The first article this week comes from Zeljka Zorz at Helpnetsecurity and is titled Hacked robots can be a deadly insider threat
This is another one that has had quite a bit of time in the technology headlines lately, with Elon Musk speaking out very publicly against artificial intelligence. In this article though, security researchers analyzed various commercially available robots for vulnerabilities, and there was no shortage of them. In this case, they found things like authentication/authorization issues, insecure transport of data and firmware update mechanisms, undocumented methods, hard-coded passwords, unencrypted storage, and easily disabled human safety protections. This sounds like what you would see in any sort of IoT security nightmare, but there's more to it than that. Some of the specific robots they tested were UBTech's Alpha small-sized humanoid robots, SoftBank Robotics' Pepper and NAO small and human-sized interactive companion robots, and Universal Robots' cobots. These have mechanical arms that work with humans without any physical separation. Unlike with your traditional IoT concerns though, physical access and interaction with these devices is expected, which increases the attack surface. I don't know about you, but usually when I hear that you have to have physical access to a device in order to compromise it, I write it off as not being that big of a deal. If someone came into my house and started messing with one of my kids' toys or home automation devices, I like to think that I would notice. If physical access is one of the primary purposes for a device though, it isn't as much of a stretch to think that someone could do something malicious without being noticed.
Anyway, the big difference between these robots and other IoT devices or embedded systems is that they often have high tech cameras onboard. Oh, and they're mobile. If someone was able to compromise a robot, they wouldn't just have access to your wireless network. They could also use it to spy on members of your family or coworkers.
The researchers tried very hard to responsibly disclose this information and some of the vendors have been receptive, but not all.
The next article comes from Kelly Sheridan at DarkReading and is titled 50% of Ex-Employees Can Still Access Corporate Apps
We've been hearing about this problem for years. An employee leaves and their accounts are still active a year or two later. We've even had a few news articles where former employees were able to compromise the systems of their old employers and steal information. I think I even remember one of them redirecting the company's website to a competitor, which was pretty nasty.
For this one, researchers from OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. No surprise there, since OneLogin has an identity and access management solution. This is obviously still an issue even though we've had IAM products for a long time. They don't do anything to help though if they aren't configured or used properly. I saw recently that one organization actually never deletes inactive accounts. While this may seem like an outrage, they have an interesting approach. You see, they have a unique situation where hundreds of employees are hired on a consultancy type basis and they are joining and leaving the organization all the time. Just because an employee is terminated today doesn't mean that they won't be back in a few weeks or months. While that seems like it would be an administrative migraine, they've actually figured out a way to automate their IAM function. As soon as a user joins or leaves the firm, the list of employees is automatically updated, and each day they run a script that updates accounts based on that list. This is the same list that triggers pay, so you can be sure that the money folks within the company stay keenly aware of its accuracy. By the way, extended leave is also tracked on this list, so if a user is gone for just a few weeks, their accounts get deactivated.
You might look at taking a similar approach in your own organization, especially if you have a large number of employees, to ensure that you aren't forgetting to remove access from someone who isn't there anymore.
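Here is what that daily reconciliation script could look like in practice. This is an added example written for these notes; it is not code from the podcast, from OneLogin, or from the organization described above. It assumes two constructed inputs: an HR roster (the same list that drives payroll, with each person marked active, on leave, or terminated) and a snapshot of which directory accounts are currently enabled. A real deployment would pull the roster from an HRIS export and the account list from the directory's API; here both are inline sample data. The script disables enabled accounts whose owner is terminated or on leave, re-enables accounts for people who are back on the active list (the returning-consultant case), skips designated service accounts, and flags enabled accounts with no roster entry at all for human review rather than touching them automatically.

```python
"""Daily account reconciliation against an HR roster (added illustration).

Not code from the podcast or from any product it mentions. Assumes the
roster and directory snapshot below, which are constructed sample data.
"""
from dataclasses import dataclass

# Constructed HR roster: the list that also triggers pay. Status is one of
# "active", "leave" (extended leave) or "terminated".
HR_ROSTER = [
    {"employee_id": "E100", "username": "asmith", "status": "active"},
    {"employee_id": "E101", "username": "bjones", "status": "leave"},
    {"employee_id": "E102", "username": "cdoe", "status": "terminated"},
    {"employee_id": "E103", "username": "dlee", "status": "active"},
]

# Constructed directory snapshot: username -> account currently enabled?
DIRECTORY = {
    "asmith": True,
    "bjones": True,       # on extended leave, should be disabled
    "cdoe": True,         # terminated, should be disabled
    "dlee": False,        # returning consultant, should be re-enabled
    "svc-backup": True,   # service account, not governed by HR status
    "ghost": True,        # no roster entry at all: an orphan to review
}

# Assumed naming convention for accounts HR does not own (hypothetical).
SERVICE_ACCOUNT_PREFIX = "svc-"


@dataclass(frozen=True)
class Action:
    username: str
    action: str  # "disable", "enable" or "review"
    reason: str


def reconcile(roster, directory):
    """Compare the directory against the roster and return the actions to take.

    Only people whose HR status is "active" should hold an enabled account.
    Orphan accounts (enabled, but absent from the roster) are flagged for
    review instead of being changed, so a bad HR export cannot silently
    lock out or delete something the script does not understand.
    """
    by_user = {row["username"]: row for row in roster}
    actions = []
    for username, enabled in sorted(directory.items()):
        if username.startswith(SERVICE_ACCOUNT_PREFIX):
            continue
        row = by_user.get(username)
        if row is None:
            if enabled:
                actions.append(Action(username, "review", "no HR roster entry"))
            continue
        status = row["status"]
        should_be_enabled = status == "active"
        if enabled and not should_be_enabled:
            actions.append(Action(username, "disable", f"HR status is {status}"))
        elif not enabled and should_be_enabled:
            actions.append(Action(username, "enable", "HR status is active"))
    return actions


def apply_actions(directory, actions):
    """Return a new directory snapshot with enable/disable actions applied.

    "review" actions are deliberately left alone for a person to handle.
    """
    updated = dict(directory)
    for act in actions:
        if act.action == "disable":
            updated[act.username] = False
        elif act.action == "enable":
            updated[act.username] = True
    return updated


if __name__ == "__main__":
    todo = reconcile(HR_ROSTER, DIRECTORY)
    for act in todo:
        print(f"{act.action:8} {act.username:12} ({act.reason})")
    print(apply_actions(DIRECTORY, todo))
```

The important design point is that the script is driven by the roster that payroll depends on, so nobody has to remember to file a separate deprovisioning ticket, and a stale roster gets noticed quickly because it also affects pay. Flagging orphans rather than disabling them keeps a broken export from turning into an outage while still surfacing accounts that nobody in HR can vouch for.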
The third article comes from Rick Morgan at PJ Media and is titled The Ever-Burgeoning House Democrat IT Scandal
Speaking of vetting your security, this story about a Democratic aide at the House of Representatives is pretty scary. Imran Awan was arrested in July under suspicion that he and his family stole computer equipment from the government. At that time, he'd been employed as an information technologist (how's that for a job title) for 13 years. Then the story gets juicier. There is evidence to suggest that he and his family, several of whom were working in similar roles across the government, were sending money back to Pakistan, perhaps along with classified or otherwise sensitive information. The sensitive information could be used to blackmail members of Congress, and we all know the damage that could come from leaking classified data. It all started when the suspect rented his house to a U.S. Marine who noticed a slew of hard drives and other electronics had been left behind. There is quite a bit of political discussion about this, but I'll leave that for you to look into. It's not why we're here.
You might be telling yourselves that this could happen to anyone, but Imran and his family weren't even that good as technicians. They had criminal histories and bankruptcy in their past, which should have stopped them from getting access to any sensitive data, much less working for Congress.
Now is the part where I try to spin it back to the purpose of this podcast - helping us get better at addressing insider threat. Stories like these show why it's so important to properly vet the people in our organizations. Yes, even the IT staff. On top of that, he had the job for over a decade, and who knows how long he'd been stealing equipment and information. For it to go on that long is unacceptable. Some system should have raised flags about his actions. The employees should have been trained to report anything that looked suspicious. That Marine was, and it looks like he is the real hero in all this.
The last article this week comes from Joseph Marks at Nextgov and is titled WASHINGTON, NOT SILICON VALLEY, LEADS THE WAY IN CYBERSECURITY
This is something that I've been saying for some time and it shouldn't be a shock to most of you. While Silicon Valley is certainly still the hotbed for consumer and business-to-business technology, the recent push toward information security in the government, along with the hefty profits that can come from a government contract, have made DC a hotbed for infosec. If anyone should be concerned about security and especially insider threat, it should be the government. For that reason, many new security firms are coming out of the nation's capital region. On top of that, the government already has quite a bit of talent in this space. Members of the military and government employees are choosing to start or join companies that aim to sell security products and services to the government. Why wouldn't they? The potential for high salaries and profits is very strong.
Industries have always been this way. They follow the money and the government has shown that it is willing to open its purse strings for increased security. According to the article, there are more than 77 thousand filled cybersecurity jobs in the DC area, with another 44 thousand or so that are still vacant. A friend of mine in the area told me that he has absolutely no worry that he will be unemployed because the demand is so high that he could leave one job and get another that will probably pay more within a week's time.
Ron Gula runs a cyber venture capital firm that is currently working with several early stage companies that focus on insider threat. Gula said that while the government might be behind when it comes to technology, that isn't the case when it comes to security at all. The approach is different because there is much more at stake.
Speaking of companies that cater to the government and insider threat, Forcepoint has shifted their branding to one that focuses on the human factor. I've spoken about Forcepoint, a Raytheon company, before. Their chief marketing officer, Praveen Asthana, said recently that their 20-year history of defending people, communities, and governments informs their mission to protect the human point, where data is most valuable and vulnerable. They believe that people are your organization's best defense and that this unique approach therefore requires a human face for security.
That is a pretty powerful message and echoes things I've said before. We need to stop looking at our users as vulnerabilities and start viewing them as an integral part of our security strategies. There's a long history of advancement in training and human psychology. It is about time that we start using those advancements to help with insider threat. Companies like NINJIO and others are actively working on creative ways to train people to recognize appropriate behavior and report anything that looks suspicious. There is certainly a need for the other pillars of insider threat, which are technology and policy, but training and culture improvement can go a long way when it comes to improving the environment on a budget. I'm working on a piece that will explore these pillars in more detail and hopefully I'll be able to share it soon.
Thought of the Week Segment
Our thought of the week comes from Mahatma Gandhi. He said, "You must not lose faith in humanity. Humanity is an ocean; if a few drops of the ocean are dirty, the ocean does not become dirty."
Thank you for listening to episode 15 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on Twitter @stevehigdon or send an email to firstname.lastname@example.org. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page, and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show.
Thanks again and I'll see you folks next time!