Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Welcome back! This is episode 18 of The Insider Threat podcast, for the week of September 18th, 2017. Hey, the 18th is released on the 18th. That's neat. I know I mentioned potential podcast guests the last week or two, but I now have a recording officially in the books. Again, I won't tell you who it is yet because I don't want to spoil it, but I plan on this one being a feature episode that will come right after the series on the 4 pillars of insider threat protection. I was also asked to come on someone else's show that I've mentioned here, and I'm really looking forward to that. I'll provide those details as they come so you can check it out. I say this every week, and I mean it, thank you so much for your continued support. We've been able to do things in this show that I never thought possible. I've learned so much and I hope that you've been able to take part in this journey with me. Keep those suggestions and feedback coming. They are my favorite part about doing this thing.
Infosec Question of the Week
It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "In September of 1956, the first commercial hard drive to use magnetic disk storage was announced by IBM. How much data could it hold?"
The answer was "4-5 megabytes".
One of you even mentioned that you might own one of these hard drives, as well as several other early technological benchmarks, which is really cool.
Congratulations to David from Ontario, Chloe from Madison, and Daniel from Washington for getting the correct answer.
Here's your question for this week: "In 1945, the first computer bug and debug were found and accomplished by operators of the Harvard Mark II computer. What did this bug consist of and how was it documented in the maintenance log?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "tape".
The news this week is actually old news, but it is still something that we need to think about. The Equifax breach is still fresh in our minds and although we've covered it in detail, plenty of you have been asking me what you should do in response. Well, I've found an article that goes over the next steps if you were involved in the breach, and more than likely you were. The article is by Lora Strum at PBS.org and is titled Affected by the Equifax hack? Here's what to do now.
I won't go into the suggestions here, but I encourage you to check it out. There are some big things that you can do to help protect your privacy and identity going forward. I'll leave a link to the article in the show notes.
Now we get to discuss the third pillar of insider threat protection in this series, training. If you missed it, we discussed technology and policy in our last two episodes, which leaves only culture after this. Security awareness training impacts the likelihood of insider threat in two primary ways: educating users on acceptable behavior in the environment, and teaching them how to recognize and report suspected incidents. Effective awareness training can help to prevent accidental or negligent insiders, while also improving response efforts for malicious insiders. There are five elements of effective security awareness training: Purpose, Rules, Description of the Threat, Examples of the Threat, and Responding to Incidents. Some things to keep in mind with regard to the purpose are the reason that the organization is conducting the training, any compliance requirements, and the highlighting of key business functions and their associated systems that need to be protected.
The rules are concrete and should be detailed. They should reference the organization's Acceptable Use Policy, Account Management or Provisioning Policy, Data Retention or Encryption Policies, and any others that are more relevant to the audience. This is where the bulk of the education should take place, and employees should leave the training with a solid understanding of what they are and aren't allowed to do on organizational systems and applications from a security perspective.
As with the policy section, you have to give the audience the "why" behind the training. This can be best accomplished through a detailed explanation of the threat as it pertains to them individually as well as to the organization as a whole. Mention key business functions that impact the audience, like payroll, benefits, timekeeping, shipping, estimating, email, and other communications that the organization relies on for continued operation. The loss of those systems defines the threat, from stopping a single employee from being able to do their work to the entire organization being unable to accomplish its mission. To add to the threat explanation, examples can help the audience understand it better. These might include any stories that the trainer or audience can share, real-world incidents, and security incidents that could impact the audience's personal lives. By relating the threat to the individual, there is a higher likelihood that they will understand and care about information security.
Another key element of security awareness training, as with policy, is to provide the audience with ways to detect negligent or malicious behavior, as well as the steps for reporting anything suspicious. This can be accomplished through Q&A, role-playing, or other methods that engage the audience and ensure understanding.
Some additional characteristics to keep in mind when planning and conducting awareness training are relevance to the audience, engagement, timeliness, and support. The training should be current and related to both the organization and the specific members of the audience. For example, it might not be effective to talk at length about the protection of financial information if the audience consists of shop floor workers. As soon as they realize that the information does not pertain to them or their role in the organization, they will stop paying attention. Audience participation is key and serves many purposes. It keeps them awake, allows for group-think, and provides a method for the instructor to gauge understanding. Breaking the audience into groups for role play, quizzes, or games can have a dramatic effect on information retention.
Timeliness is another factor that should be taken into consideration when planning the information security awareness program. Some organizations have compliance requirements that stipulate the minimum frequency of training. Most of these are annual. The key when defining the frequency of training is to get the members of the organization to be thinking about security at all times, not just the 20 minutes each year that they are taking a test or sitting in a classroom. Another tip might be to have someone from executive management stop by at the beginning of the class and offer endorsement. This simple act shows that they support the program and that it is important to the entire organization.
The first technical note this week comes from The CERT Insider Threat Center and was published by Carnegie Mellon University in 2016. It's titled Common Sense Guide to Mitigating Insider Threats, Fifth Edition.
This is a very comprehensive document of about 175 pages, and there's absolutely no way that I'll be able to cover it with any measure of completeness. Instead, I'll just give a listing of the different suggested practices for mitigating insider threats.
They are to know and protect your critical assets, develop a formalized insider threat program, clearly document and consistently enforce policies and controls, beginning with the hiring process monitor and respond to malicious or destructive behavior, anticipate and manage negative issues in the work environment, consider threats from insiders and business partners in enterprise-wide risk assessments, be especially vigilant regarding social media, structure management and tasks to minimize insider stress and mistakes, incorporate malicious and unintentional insider threat awareness into periodic security training for all employees, implement strict password and account management policies and practices, institute stringent access controls and monitoring policies on privileged users, deploy solutions for monitoring employee actions and correlating information from multiple data sources, monitor and control remote access from all endpoints including mobile devices, establish a baseline of normal behavior for both networks and employees, enforce separation of duties and least privilege, define explicit security agreements for any cloud services especially access restrictions and monitoring capabilities, institutionalize system change controls, implement secure backup and recovery processes, close the doors to unauthorized data exfiltration, and develop comprehensive employee termination procedures.
This wasn't a listicle. That was just an overview of the several different chapters in this document. It's a really good resource if you're looking for a one-stop shop for insider threat mitigation guidance. I'll provide a link to it in the show notes and I highly suggest you check it out.
Next, I want to introduce you to an organization that takes insider threat very seriously. This is the National Insider Threat Task Force (NITTF) in the United States.
This organization was created by a Presidential Executive Order in 2011. The primary mission for NITTF is fairly simple - to develop a Government-wide insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure, taking into account risk levels, as well as the distinct needs, missions, and systems of individual agencies. They provide various guides, courses, and other materials for government and private sector organizations to help tackle insider threat. It's a wonder that I hadn't heard of them before, because these guys are doing some really great things to address the problem. One reason for its lack of widespread attention is the Big Brother mindset, where individuals and organizations are afraid to work with the federal government because they don't want the additional oversight.
The last article this week comes from Rajan Koo at IT Pro Portal and is titled Top 5 signs that your employees are engaging in risky behavior.
The first one here is Covering One's Tracks. If our employees are using something like VPN solutions to get around internet filtering rules, there is a pretty good chance that they are trying to do something they shouldn't, whether they are intentionally doing something malicious or not. To minimize this, you can create and teach people about the process of getting websites and applications added to the approved list, especially if they are related to the employee's job role. Additionally, you should be monitoring user activities in a way that will help you to recognize when they are trying to circumvent security controls.
Next is Personal Email as a Vehicle for Data Theft. Yes, this is a way that people can exfiltrate data, but completely locking down personal email might not be the best way to go. Instead, and like the last one stated, you should create rules for this behavior and monitor for deviance.
The article goes over two types of employees that should receive extra attention: Leavers and Joiners. When an employee is leaving the organization, the odds that they'll do something rash are heightened. They have very little to lose. To address this, employee termination processes should be strictly followed and extra monitoring is a must. In the same way, new employees are more likely to bring stolen data into an organization for various purposes, including to help them get a leg up in their new role. This presents moral and legal challenges that could get your organization into hot water down the road. It also gives you a hint of what they might do when they are on their way out. If they have a history of taking information with them in the past, the chances that they will do it again later are much greater.
Finally, you have to look out for Inappropriate Internet Usage & Pirated Software and Media. Everyone, or almost everyone, wants to do their job in the best way that they can. Sometimes they think that can only be accomplished by using technology that is not a part of the standard issue for your organization. A very common example of this is Visio, which will allow them to create diagrams and other products that will help them outpace their peers. You have to look out for this sort of thing. They definitely don't want to spend their own money on licenses for these tools, but pirated software comes with additional security concerns. Not only are you in the dark about the native security implications of these tools, like patching, but you also don't know if there were back doors or other malware baked in from the source.
Thought of the Week Segment
Our thought of the week comes from the famous physicist, Albert Einstein. He said, "Learn from yesterday, live for today, hope for tomorrow. The important thing is not to stop questioning."
Thank you for listening to episode 18 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on twitter @stevehigdon or send an email to email@example.com. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show.
Thanks again and I'll see you folks next time!