Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Title - Second Pillar of Insider Threat Protection: Policy
In this episode we cover policy to address insider threat, the Equifax security breach, and more. Don't touch that dial!
Welcome back! This is episode 17 of The Insider Threat podcast, for the week of September 11th, 2017. Let's see... what's going on with me... I've really enjoyed this series on the pillars of insider threat protection. As soon as we get through all four, I'll post the article. I'm also working on getting another guest interview lined up, which I'm very excited about. Now's the part where I attempt to leave you in suspense about who it might be. As a reminder, I'll be at the Insider Threat Symposium and B-Sides DC next month, so let me know if you plan on going to either of those. Maybe we can get a drink and chat. I'd like that. I think I'm volunteering at B-Sides DC though, so my time might be a bit limited. I also want to mention the plague of hurricanes that we've been getting the past two weeks, and say that my thoughts and prayers go out to any of you that have been impacted. Let me know if there is anything I can do to help, even if it just means promoting a charity or relief effort.
Infosec Question of the Week
With that, it's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "On August 29th, 1831, English scientist Michael Faraday made a groundbreaking discovery that has led to big advancements in the electronic privacy industry. What did he find?"
The answer was "electromagnetic induction".
I also accepted any reference to a Faraday cage for this one, even though it's really related in name only. In case you didn't know, electromagnetic induction is the primary principle behind electric motors and electric generators, two very important inventions that power and drive our electronic technology of today.
Congratulations to Lewis from Germany, Hayden from Muskogee, Niklas from New South Wales, and Stephanie from Rochester for getting the correct answer.
Here's your question for this week: "In September of 1956, the first commercial hard drive to use magnetic disk storage was announced by IBM. How much data could it hold?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "no more punch card".
Info - http://thisdayintechhistory.com/09/04/first-commercial-hard-drive/
Our first news article this week comes from Phil Muncaster at Infosecurity Magazine and is titled Thousands of Military Vets' Details Exposed in S3 Privacy Snafu
A security vendor, UpGuard, noticed that there was a misconfigured Amazon S3 bucket that contained personal details of thousands of US military vets, including many with security clearances. The database was owned and operated by TigerSwan, which is a North Carolina private security firm that hires former military members and law enforcement officers. As many of you know, it isn't uncommon for former members of the special operations space to move on to private security companies after they retire. Since special operations forces revolve around Fayetteville, North Carolina, it makes sense that the company is based there. In fact, I'd bet that there are several private security firms in that area due to the type of people they like to recruit.
Then it gets even more troubling. A month after UpGuard notified TigerSwan of the finding, their database was still on the public internet. TigerSwan claims that the database was created by a third-party vendor that managed the resume gathering and recruiting processes.
The type of data that was exposed included past assignments, including those in sensitive defense and intelligence roles, home addresses, phone numbers, email addresses, security clearance information, driver's license numbers, passport numbers, and even some partial social security numbers. There were also resumes from Iraqi and Afghan citizens who had cooperated with US forces in the past from their home countries.
What's the impact? Well this, in my opinion, goes well beyond the typical leak of personal information. Both in the cases of the former special operations personnel and foreign citizens, this presents an actual physical danger. The former military members could be targeted based on the operations that they took part in and the foreign nationals could find the safety of themselves and their families in jeopardy. This just goes to show how important it is to vet and audit your third party service providers because at the end of the day, you are responsible. In fact, I don't see the third party firm mentioned in this article at all.
The next news article is written by Tara Siegel Bernard, Tiffany Hsu, Nicole Perlroth, and Ron Lieber at the New York Times. It's titled Equifax Says Cyberattack May Have Affected 143 Million Customers
On September 7th, one of the three major consumer credit reporting agencies, Equifax, reported that hackers compromised their network and potentially gained access to sensitive information for 143 million American consumers. How sensitive? Well it included driver's license and social security numbers. Keep in mind that according to the US Census Bureau, there were 323.1 million people in the United States last year. Only about 250 million of those are over the age of 18 and would more likely have had a credit check done, which leaves about 106 million people safe from this breach. In other words, that's more than two thirds of adults that potentially have their social security numbers out there in the wild. The ironic thing here is that these credit reporting agencies play a huge role in detecting and responding to credit card fraud and identity theft. This isn't the first time, either. It's the third major security incident for Equifax since 2015.
It looks like it was caused by the exploitation of a software vulnerability on their website, but, and I'm quoting here, they have since found no evidence of unauthorized activity on their main consumer and commercial credit reporting databases. In other words, don't hate us. We fixed the problem. But wait... there's more. The hackers were also able to retrieve names, birth dates, addresses, credit card numbers, and other personal information for many consumers.
How does this rank when compared to other high profile scans? Well on a scale of one to ten, this is cataclysmic. I'll just say that.
Executives at Equifax started selling off their shares almost immediately after learning about the breach and long before it was announced, which is pretty shady to say the least. Now combine this breach with the one at the Office of Personnel Management in 2014 and Anthem in 2015 and enterprising criminals or nation states could have a complete profile on almost everyone in the United States, including resident and work history, acquaintances, medical history, and financial history. It doesn't get much more invasive than that.
In case you missed last week's episode, we are doing a series on the pillars of insider threat protection, and we already covered the various technology types that can help to reduce insider threat risk. This week's pillar, as you can see from the title, is policy. Any security policy serves multiple purposes. First, it can be used to communicate acceptable use and restrictions to the users so they are not caught unaware in cases where the security rules in an organization are broken. Security policy also serves to bridge any gaps between technical controls and solutions. These are called policy controls and although they only exist on paper, they can be very effective. When it comes to insider threat policy, there are several key elements to keep in mind.
You should begin by defining both the threat and the policy itself. When these definitions are properly coordinated, the organization can ensure that everyone is on the same page. One person's idea of insider threat may well differ from another's, but it is important that the policy offers standardization. After defining the threat and the policy, the actual rules must be provided. Most of these will be covered already in your Acceptable Use Policy, Mobile Device Policy, Access Control Policy, or others. To save time and effort for both the author and the reader, it is a good idea to only provide general overviews of these rules, then point to the specific policy that provides more detail.
When providing the "what" and "how" in policy, it is also important to explain the "why". Security policy does not only exist for the security department, legal, or management. It is used to inform the employee base, and it will be more effective if employees understand the reason behind the rules. Explain how the restrictions will help them to accomplish their job tasks more effectively and efficiently.
Good security policy should also explain the ways that it will be enforced. Outline the tools and methodologies that are in use in your organization to detect and respond to deviant behavior. Doing this will make users more aware as well as provide deterrence. If they know that you are watching and have a general idea of how you are doing so, they might think again before accidentally or intentionally violating the policy. Outline the reporting procedures for anyone who suspects malicious or negligent behavior. They might not remember those procedures after first reading the policy, but they will know where to go if the situation arises.
To conclude the policy discussion, it must have support from executive management. When executives reference the policy, that means they understand the impacts of information security risk and its relationship to business risk. Subordinates will understand the importance of the policy and the effect will trickle down the reporting chain. On the other hand, if executive management ignores or speaks against the policy, it will be completely ineffective in its goal of reducing insider threat risk.
The first article this week comes from Scott Matteson at TechRepublic and is titled 10 tips for reducing insider security threats
This is a listicle about reducing the threat of insider risk. I usually try to avoid these types of things, believe it or not, but sometimes the information in them is just too relevant to ignore.
Establish a security incident and response team - Obviously, this one will help you to respond to any insider threat or traditional security incidents quickly to reduce impact. Just establishing the team isn't enough though. You have to have a detailed plan that defines roles, procedures, incident categorization, and contact information. If you want, I can go into further detail about incident response plans in a later episode.
Use temporary accounts - What they mean here is to create accounts with specific expiration dates for temporary personnel, like contractors or interns. You might also put them into separate access groups that you can monitor more closely.
Conduct frequent audits to look for unused accounts and disable or remove them if possible - This is a no brainer. They give some really good commands though, to check for inactive accounts on a Windows Domain Controller. When people in our industry hear the word audit, we often get a sick feeling in our stomachs about the need to pore through logs. That isn't always the case though. Sometimes you can run a simple command to get the information you want.
Follow employee termination principles carefully - We've talked about this before. You need to make sure that account and access deprovisioning is being done correctly when an employee leaves the organization. That includes changing credentials for group accounts that they had access to. Last week we spoke about someone who was able to get DEA agent tracking information from a company he used to work for because he still knew the login credentials for the tech support account. We can't let something like that happen.
Identify unhappy employees - There is a root problem here that I think is important, and it goes well beyond the security space. If you are a manager or even an employee and you don't know the people you work with well enough to know that they are unhappy, well, you're doing it wrong. After they have been identified however, you still need reporting procedures that your users know about. They shouldn't have to take hours out of their day just to figure out how to report on their suspicions. More than likely they will give up after about 10 minutes.
Use two-factor authentication - While it isn't a silver bullet, multifactor authentication can greatly improve your security posture. Depending on the method you choose, it could help with nonrepudiation (preventing a user from claiming that they weren't the one who performed an action), prevention of shared credentials, and prevention of system compromise due to login information that has been either cracked or otherwise found out by someone malicious.
Use encryption of confidential data either in motion or at rest - They said either, I say both. Encryption in transit and encryption at rest solve two different problems. You can't assume that satisfying one will eliminate the risks associated with the other.
Consider third party products - Last week I spoke about the different technological solutions that can be used to address insider threat. I won't go into it too much here, but if you didn't listen to that episode, I suggest going back if this is something that you are interested in.
Don't forget to guard your perimeter - Perimeter defense is the traditional method we have for addressing security risk. I'm not sure if it is necessarily associated with insider threat risk, but it certainly doesn't hurt to focus on the boundaries.
Consider investments in products and staff more than just "insurance" - About two years ago we got an influx of discussion in our industry about quote unquote cyber insurance. I wrote a blog post about it and at first I thought it was a way for organizations to give up on their security departments. Later, I thought about the other types of insurance that we have, and how the insurer can make certain risk-reducing demands in order to gain coverage or lower costs. In that view, it almost becomes like compliance.
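To make the temporary-account, unused-account and termination tips above concrete, here is an added example (not code from the TechRepublic article or the podcast) that runs one audit over a constructed account export; the record layout, the HR leaver feed and the 90-day threshold are all assumptions.

```python
"""Leaver and unused-account audit over an exported account list.

Added example, not from the article or the podcast. It applies three of the
tips above to a constructed sample: temporary accounts must carry an
expiration date and be disabled once it passes, accounts with no recent logon
are flagged, and a leaver's own account plus any shared credential the leaver
knew are checked against the termination date. The record layout and the HR
feed are assumptions; nothing here is a real directory export.
"""
from datetime import date

INACTIVE_DAYS = 90  # audit threshold assumed here; pick one that matches your policy

# Constructed directory export: one record per account.
TODAY = date(2017, 9, 11)
ACCOUNTS = [
    {"name": "jsmith",      "enabled": True, "temporary": False, "expires": None,              "last_logon": date(2017, 9, 8)},
    {"name": "intern01",    "enabled": True, "temporary": True,  "expires": date(2017, 8, 31), "last_logon": date(2017, 8, 30)},
    {"name": "intern02",    "enabled": True, "temporary": True,  "expires": None,              "last_logon": None},
    {"name": "olduser",     "enabled": True, "temporary": False, "expires": None,              "last_logon": date(2017, 4, 1)},
    {"name": "mjones",      "enabled": True, "temporary": False, "expires": None,              "last_logon": date(2017, 9, 5)},
    {"name": "techsupport", "enabled": True, "temporary": False, "expires": None,              "last_logon": date(2017, 9, 10)},
]
# Constructed HR feed: who left, when, and which shared accounts they could log in to.
LEAVERS = {"mjones": {"left": date(2017, 9, 1), "shared_accounts": ["techsupport"]}}
# Constructed record of when each shared account's password was last changed.
SHARED_PASSWORD_ROTATED = {"techsupport": date(2017, 6, 15)}


def audit(accounts, leavers, rotated, today=TODAY, inactive_days=INACTIVE_DAYS):
    """Return {account: [findings]} for every enabled account that needs attention."""
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for acct in accounts:
        name, last = acct["name"], acct["last_logon"]
        if not acct["enabled"]:
            continue  # already disabled: nothing to do
        if acct["temporary"] and acct["expires"] is None:
            flag(name, "temporary account has no expiration date")
        if acct["expires"] is not None and acct["expires"] < today:
            flag(name, "expiration date has passed but account is still enabled")
        if last is None:
            flag(name, "never logged on")
        elif (today - last).days > inactive_days:
            flag(name, f"no logon for {(today - last).days} days")
        if name in leavers:
            flag(name, "owner left but account is still enabled")
            if last is not None and last > leavers[name]["left"]:
                flag(name, "logon recorded after the termination date")

    # Group/shared accounts: the password must have been changed after every leaver who knew it.
    for person, info in leavers.items():
        for shared in info["shared_accounts"]:
            changed = rotated.get(shared)
            if changed is None or changed < info["left"]:
                flag(shared, f"shared password not rotated since {person} left")
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(audit(ACCOUNTS, LEAVERS, SHARED_PASSWORD_ROTATED).items()):
        print(f"{name}: " + "; ".join(reasons))
```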
Do you have any additional tips to share? Remember, the whole point of this is to help organizations and individuals get better at addressing insider threat. The more people we have sharing information and talking about the problem, the better it is for everyone.
The next article comes from Jana Klopsh at West Jordan Journal and is titled FBI agent explains motivations of cybercriminals
At the end of July, cybersecurity supervisory special agent James Lamadrid from the FBI addressed the South Salt Lake Chamber of Commerce about the motivations behind attacks. He classified threat actors into six different categories in order to give the audience a better understanding of the people who use technology to attack organizations and individuals. The first motivation is hacktivism, which is a form of online protest where a hacker tries to push a social or political change. The most famous hacktivist group of the last decade is Anonymous, who has attacked the Church of Scientology, the Australian prime minister, a girl who was filmed throwing puppies into a river, a woman who threw a cat into a garbage can, people and organizations believed to be against WikiLeaks, like Amazon, PayPal, Sarah Palin, the US State Department, and the Swedish Government, Visa, The UK Government, Sony, Donald Trump, and the City of Orlando, to name just a few.
There are also those that commit crime for financial gain. We see this all the time with credit card breaches, hacked casinos, and so forth. Then he goes over insider threat as a motivation. He didn't go into much detail, but an example that he gave was that if you have a business with computer staff, you have to remember that they have the keys to your kingdom. They could take the information and sell it on WikiLeaks. You should be aware of unusual activity by anyone in your organization, such as someone coming in early, staying late, or accessing folders they don't need to. He says it should raise a red flag that you investigate.
The fourth motivation he covers is espionage, where a nation state or competing business steals secrets or otherwise sensitive proprietary information for various purposes. We've seen this in the past when it comes to other states, but I feel like we seldom see competing companies going after each other. If this is happening, and I'm sure it is, maybe they just aren't getting caught.
The last two are terrorism and warfare. If you asked 100 people to provide a good explanation of how cyberattacks are motivated by terrorism and warfare, we'd be stuck trying to agree on what acts of cyber terrorism and warfare were for days, much less actually get to the explanations. I think I'll put it this way. Whatever you're thinking about these motivations, you're absolutely right.
Our third article comes from Nick Ismail at Information Age and is titled Reducing the threats posed by third party contractors
A couple of times in this episode I've mentioned third party contractors or service providers. In fact, that seems to be a running issue week after week. Last week we mentioned it with the Game of Thrones episode leaks, and it doesn't look like the problem is going away. Instead of relying on hope to be a winning strategy, perhaps we should look into ways to address third party risk. According to this article, that's comprised of user behavior analytics and machine learning. If you just implement those two things, you don't have to worry anymore. You'll have a system that automatically measures and alerts on user behavior, then another one that can respond to those alerts and mitigate the issue. Now where's my umbrella drink? I think we're gonna have some extra time on our hands.
Okay, maybe I took that one a little far. Look, I read lots of these articles every week and most of them are vendors who are defining a problem so they can try to sell you a solution. Other ones, like this one, actually speak to a real problem but can't provide a good solution, much less sell you one. I know what you're thinking... well if you're so smart, how do you fix it? Simple. If a third party contractor or service provider is an authorized user on your network, they're treated the same way as any other user. The big difference is that your service level agreement and contract have more legal clout than an acceptable use policy. You can define the rules in those documents and when you audit them, which you should be doing with all your users anyway, you can make sure that they're abiding by those rules. The four pillars of insider threat protection that I am talking about for this series go just as much for third parties as traditional employees.
The last article this week comes from Isaac Kohen at Young Upstarts and is titled Five Tips To Dealing With Insider Threats Facing SMBs
In case you haven't heard of Isaac Kohen, he is the founder and CEO of Teramind, which is a company that provides user behavior analytics, total employee monitoring, automated alerts, and other neat tools for addressing insider threat. If you want to know more about three of these five tips, I suggest you go over to their website to learn about their product. What I really like about this article however, is that the author provided realistic scenarios of insider threat in a small to medium sized business, then gave tips on how to protect yourself against them.
The first is permissions control, and the scenario given is that a new employee responds to a phishing email and attackers gain his credentials. Since the organization didn't practice good access control techniques, the new employee had access to everything, and so did the attackers. The second tip for this scenario is to ensure that employees are adequately trained on attack methods, how to detect them, and proper response procedures.
The next scenario is about a disgruntled former employee who was told he would need to take a pay cut in order to keep working with a tech startup. He got very angry and put in his two weeks. Immediately after he left, the organization noticed that all customer data had been deleted. There were actually two prevention tips for this scenario, but only one is highlighted. First, the employee's access should have been limited as soon as he put in his two weeks' notice, especially after how angry he got about the situation. Then administrators should have reviewed logs to make sure that Mark wasn't doing anything out of the norm before he left.
The last scenario is about moles in the organization, or people who intentionally leak sensitive data. In this case, it was discovered that two executives were sharing trade secrets with a competitor. The first tip for this scenario is total organizational email monitoring. Since the fictitious executives were sending the secrets through their work email, I suppose this would have been caught sooner if the organization was monitoring all email traffic. I don't know. I just can't seem to get behind that level of monitoring, though. The second tip is behavior analytics and automated alerts. The problem with forming baselines to measure user activity is that it can be slowly modified over time to keep from setting off any alarms. In this case, they'd been accessing and forwarding the information for three years. I'm just not sure if it would have been picked up as anomalous.
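To put numbers on that baseline-drift worry, here is an added example (not from the article or any vendor's product) with constructed data: a user's daily sensitive-file accesses creep up 1% a day for a year, and the same threshold is scored against a baseline that is re-learned every 30 days versus one frozen at the user's first 30 days; the window size, the 3-sigma threshold and the 10% floor on the standard deviation are assumptions.

```python
"""Why a slowly drifting baseline hides a slow leak, and a frozen reference does not.

Added example, not from the article or the podcast. It simulates a user's
daily count of sensitive-file accesses that grows 1% per day for a year and
scores each day two ways: against a rolling baseline re-learned from the
previous 30 days, and against a reference baseline frozen at the first 30
days. Every number is constructed; nothing comes from a real system.
"""
from statistics import mean, pstdev

WINDOW = 30        # days used to form a baseline
THRESHOLD = 3.0    # alert when a day sits more than 3 standard deviations above baseline
SD_FLOOR = 0.10    # never let the standard deviation fall below 10% of the mean


def constructed_series(days=365, start=20.0, growth=0.01):
    """Daily access counts: 20 on day 0, creeping up by 1% per day, with a small
    alternating wobble so consecutive days are not identical."""
    return [start * (1 + growth) ** d * (1 + 0.02 * (-1) ** d) for d in range(days)]


def zscore(value, baseline):
    """How many standard deviations `value` sits above the baseline window."""
    mu = mean(baseline)
    sd = max(pstdev(baseline), SD_FLOOR * mu)
    return (value - mu) / sd


def first_alert_rolling(series, window=WINDOW, threshold=THRESHOLD):
    """Baseline is re-learned every day from the previous `window` days.
    Returns the first day index that alerts, or None if the drift is never caught."""
    for d in range(window, len(series)):
        if zscore(series[d], series[d - window:d]) > threshold:
            return d
    return None


def first_alert_frozen(series, window=WINDOW, threshold=THRESHOLD):
    """Baseline is the user's first `window` days and is never updated."""
    reference = series[:window]
    for d in range(window, len(series)):
        if zscore(series[d], reference) > threshold:
            return d
    return None


def max_rolling_z(series, window=WINDOW):
    """Highest score the rolling detector ever produces over the whole series."""
    return max(zscore(series[d], series[d - window:d]) for d in range(window, len(series)))


if __name__ == "__main__":
    s = constructed_series()
    print("rolling baseline first alert:", first_alert_rolling(s))   # None
    print("highest rolling z-score:", round(max_rolling_z(s), 2))
    print("frozen baseline first alert: day", first_alert_frozen(s))  # 40
    print("accesses on the last day vs day 0:", round(s[-1] / s[0], 1))
```

The rolling detector keeps absorbing yesterday's slightly higher level into today's "normal", so a steady ramp never looks unusual to it; the frozen reference catches the same ramp in under six weeks, which is why a reference period, or a second slow baseline, is worth keeping alongside the adaptive one.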
Thought of the Week Segment
Our thought of the week comes from Henry Ford, and is one that I really like. He said, "Whether you think you can, or you think you can't - you're right."
Thank you for listening to episode 17 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions. You can contact me on Twitter @stevehigdon or send an email to email@example.com. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show.
Thanks again and I'll see you folks next time!