Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Title - Fourth Pillar of Insider Threat Protection: Culture
In this episode we cover culture and its impact on insider threat risk, updates on Imran Awan, and more. Don't touch that dial!
Welcome back! This is episode 19 of The Insider Threat podcast, for the week of September 25th, 2017.
This is an interesting week, because the tempo at the Insider Threat Podcast household has picked up quite a bit for a few days. No big deal, really, I've been left some pretty comprehensive checklists that I'm supposed to adhere to. As I've mentioned before, the short to tall person ratio over here is greatly in favor of the little people. I don't think all of you have noticed this next thing, but some certainly have. I post a link to the newest episodes on the insider threat reddit page as soon as I finish and upload it, so you can actually listen a day or two early in most cases over the web. There's a little pro tip for ya.
Speaking of the insider threat reddit group, you may have also noticed that I have a new call in number for the show. You can use this to leave voicemails or text messages with suggestions, comments about topics we discuss, questions about insider threat, or anything really. Who knows, I might even put your comments or questions on the show, unless you ask me not to of course. The phone number is (443) 292-2287. I'll mention it again at the end of the episodes, as well as include it in the show notes.
Infosec Question of the Week
It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "In 1945, the first computer bug and debug were found and accomplished by operators of the Harvard Mark II computer. What did this bug consist of and how was it documented in the maintenance log?"
The answer was "a real bug".
Yes, that's right. There was an actual bug in the system and in the maintenance log, the technician taped the bug to a page and the term "debug" was born.
Congratulations to Toby from Cincinnati, Lucas from Cells River, Zack from Houston (I hope you guys are doing okay down there, Zack), and Nathan from Washington State for getting the correct answer.
Here's your question for this week: "In 1889, Nintendo was founded by Fusajiro Yamauchi. The company went on to become a forerunner in video game console manufacturing. What did Nintendo first create?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "Aces and 8s".
Our news article this week comes from World Tribune and is titled Imran Awan hid secret server, backed up Democrats’ data on Dropbox
We spoke about this guy a few weeks ago, where he was working for the federal government as an IT technician for several years and was caught both stealing IT equipment and potentially stealing sensitive government data. At that time, the data part was primarily speculation. Well, it looks like that was the case. Imran Awan collected data and emails from many different Democratic congress members, then stored everything on a private Dropbox account. It's estimated that he had data belonging to about 45 different members of congress, amounting to "terabits" of data, according to a senior house official. (And don't go jumping out of your seat, this isn't my wording. I know that terabits would be the speed at which data moves, not the amount of it.)
So that is just a quick update on the case. It looks like everything they were afraid of ended up being true.
So this is our final installment on a four part series on the pillars of insider threat protection, which includes technology, policy, training, and culture. If you're just tuning in, you should probably start with the first one, as it sets the groundwork for the series. On that note, it's a good idea to listen to the others as well. This week, we are talking about culture and its impact on insider threat risk. Security culture is the culmination of the other three pillars and represents the actual effectiveness of your organization's insider threat protection program. It consists of the technological investments that have been implemented in the operating environment. It uses policy to inform the users of what actions are and aren't allowed to take place on organizational assets, as well as fills any holes that cannot be filled by technology. Training is also used to communicate the rules of behavior and engage users in a more social setting. While some employees may choose not to read the policy, they will still get the information from mandatory training. There are additional ways that security culture can be improved outside of those highlighted in the other pillars, however.
Employees should feel comfortable and obligated to report suspected insider threat incidents. Management should try to encourage such reports and offer praise or reward for accomplishment. An email going out to the entire firm thanking an employee for their report can have lasting effects. Not only will that particular person feel appreciated for their efforts, but every other employee will see the importance of constant vigilance. Corporate newsletters can contain a section on information security, which includes warnings about current attack methods and techniques, reporting procedures, and examples of other organizations in the same industry that were compromised.
Bring the topic of information security into everyday business conversation. Managers at the lowest level can send out a daily or weekly question to their teams related to the discussion and grade their subordinates on both their participation and correctness. It doesn't matter if coworkers work together or otherwise "cheat" to get their answers. The point is that they are talking or reading about information security.
Finally, the success of the insider threat protection program can be measured and the results can be communicated for further improvement. The organization can measure the number of insider threat incidents, as well as the number of reports. The scoring method for this measurement will be unique to the organization, but shouldn't be dependent upon the number of incidents as those will remain in a constant state of flux.
Through proper use of the four pillars of insider threat protection, its associated risk can be managed and reduced.
The first article this week comes from Mike Chapple at Fed Tech Magazine and is titled 3 Tips for a Smooth Data Loss Prevention Rollout
I feel as though we aren't hearing the term data loss prevention quite as often as we did a year or two ago, but it's still lingering in some circles. In this article, they mention Edward Snowden and Reality Winner, while also saying that 85% of security professionals and managers in the federal space are more focused on insider threat than they were a year ago. If you're listening to this podcast, that sounds like great news. It also says that 86% of organizations surveyed say that they have a formal insider threat program, which is up from about 55% two years ago. The author claims that the solution to insider threat risk is to deploy a data loss prevention tool, which we can argue about later, but they must be deployed in a way that will ensure uptime to the production environment, efficiency, and effectiveness. Here are the three tips for implementing data loss prevention, quoted directly from the article.
1. Test DLP Tools in a 'Monitor-Only' Mode First
DLP platforms offer features that allow for the real-time interception of email and the ability to block file transfers. These actions are designed to obstruct, rather than just report, the loss of sensitive information.
However, this technology can also disrupt normal business activity if it is deployed without testing. IT teams should resist the temptation to immediately deploy a DLP with blocking rules and, instead, run it for a short period in monitor-only mode.
This provides the security team time to investigate traffic the system could block and gives the opportunity to fine-tune the system to avoid false alarms.
2. Make Sure Cloud Services Are Covered by DLP Solutions
Traditional DLP systems monitor outbound traffic on the network for sensitive information. This approach can avert many types of data loss, but it doesn’t work well for cloud services.
For example, if an agency is using cloud-based email or document storage, employees can disclose data with a few keystrokes inside the cloud service interface. That information never crosses the network, and therefore is never accessible to a DLP system.
Fortunately, many cloud service providers now offer DLP solutions, either as a feature of their existing product or as a third-party offering. These cloud-native solutions understand the service’s security settings and can detect public document shares, filter cloud-based email and take other defensive measures inside cloud services.
3. Label Sensitive Data Appropriately to Protect It
Agencies understand classification and labeling. However, DLP systems can detect sensitive information only when staff tell those applications the format in which the data appears.
IT leaders should make sure the DLP system is configured to spot the patterns common to sensitive information in an agency.
Right out of the box, DLP systems understand some elements related to personally identifiable information — such as Social Security numbers — but agencies need to configure systems to recognize the patterns of the most valuable data they use internally.
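The first and third tips can be seen together in a small sketch, added here as an example and not taken from the article or the show: a pattern-based scanner with one built-in style rule (Social Security numbers) and one agency-specific rule, run in monitor-only mode and then in enforce mode over the same traffic. The CASE-YYYY-NNNNNN identifier format, the rule names and the sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Out-of-the-box style rule: US Social Security numbers, rejecting ranges
# that are never issued (area 000/666/9xx, group 00, serial 0000).
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Agency-specific rule. The CASE-YYYY-NNNNNN format is hypothetical and
# stands in for whatever identifier your own sensitive records carry.
CASE_ID = re.compile(r"\bCASE-\d{4}-\d{6}\b")
RULES = {"ssn": SSN, "case_id": CASE_ID}

@dataclass
class Verdict:
    delivered: bool    # did the message leave the organization?
    would_block: bool  # would enforce mode have stopped it?
    hits: dict         # rule name -> number of matches

def inspect(message: str, mode: str = "monitor") -> Verdict:
    """Scan one outbound message; mode is 'monitor' or 'enforce'."""
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode: {mode}")
    counts = {name: len(rx.findall(message)) for name, rx in RULES.items()}
    hits = {name: n for name, n in counts.items() if n}
    would_block = bool(hits)
    # Monitor-only always delivers but records what enforce would have done.
    delivered = not (would_block and mode == "enforce")
    return Verdict(delivered, would_block, hits)

def tuning_report(messages, mode="monitor"):
    """Summarise a trial run so analysts can review hits before enforcing."""
    verdicts = [inspect(m, mode) for m in messages]
    return {
        "total": len(verdicts),
        "would_block": sum(v.would_block for v in verdicts),
        "delivered": sum(v.delivered for v in verdicts),
    }

# Constructed sample traffic, not real data.
SAMPLE = [
    "Lunch at noon?",
    "Applicant SSN is 123-45-6789, please file.",
    "Order number 000-12-3456 shipped.",  # SSN-shaped but invalid area
    "Forwarding CASE-2017-004213 to my personal mail.",
]

if __name__ == "__main__":
    print(tuning_report(SAMPLE, "monitor"))
    print(tuning_report(SAMPLE, "enforce"))
```

In monitor mode every message is still delivered while the would_block count shows what enforcement would interrupt, which is the figure to review before switching modes.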
The next article comes from Nick Ismail at information age and is titled Insider threat: majority of security incidents come from the extended enterprise, not hacking groups
So this one started the same way that many of them do, highlighting that breaches associated with insider threat are on the rise, then giving statistics to support that claim. Then something occurred to me. What if attacks that use insider threat aren't actually on the rise? What if we're just getting better at either discovering these incidents or maybe even just better at disclosing them to the public? As we've seen, including with the last article, more and more organizations are starting to take insider threat seriously. They are paying more attention to the actions of their employees and the systems on their networks. In that sense, it would make sense that we're seeing more insider threat incidents.
The author hit the nail on the head next, or at least I hope so. They said that more and more executive board agendas are starting to devote time to discuss information security, especially after the recent high profile breaches. Many speculate that GDPR in the UK will even further highlight the need to care about security. They don't just blame the users in this one though. They also say that you need a solid balance between culture, education, and technology, while understanding that the weak link might be in your third party contractors or cloud services.
The third article comes from James Evans at Onion ID and is titled Is Your Organization at Risk from Insider Threats?
This one starts off by defining insider threat risk and underlining the differences between negligent and malicious insider threat actors. According to the article, negligent insiders are identified by the following:
The employee who never bothers to read corporate security policies, so has no idea that their current email practices are unsafe.
The employee who has their corporate laptop stolen but doesn’t report it for a week because they’re on holiday.
The employee who uses the same, short passwords for their business accounts as they do for their personal accounts.
The employee who frequently leaves their laptop logged on and unattended.
The employee who talks about confidential business information in public settings.
For malicious insiders, they give the following examples:
The individual who steals intellectual property to sell to a competitor.
The individual who leaks confidential customer information.
The individual who commits fraud for personal gain.
The individual who steals their business laptop when they leave the company.
Then they talk about ways to reduce your risk. The first one is to ensure security policies are easily understandable. I covered this in our second pillar of insider threat protection, where I made the comment that security policy doesn't just exist for the information security team, executive management, or the legal department. It is actually supposed to be used to communicate the rules and restrictions to the employee base.
Then they said to make security a part of your organization's culture. Isn't that convenient? That was what we covered this week.
The next tip is to perform ongoing risk management. We see this everywhere, especially when looking at organizations that have to adhere to compliance requirements. They make sure everything is good when audit time comes around, but then put security on the back burner for the rest of the year. In my opinion, an organization's approach to this has a big impact on their security culture.
Finally, they say to use appropriate security software to track and analyze employee behavior. I think we've now covered each of the four pillars except training, which in my opinion is the only way to transform our users from being the biggest vulnerabilities to the first line of defense for our organizations.
Thought of the Week Segment
Our thought of the week comes from Brian Chesky, the Co-Founder and CEO of Airbnb. He said, "Culture is simply a shared way of doing something with a passion."
Thank you for listening to episode 19 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on twitter @stevehigdon or send an email to firstname.lastname@example.org. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show. Call and leave a voicemail at (443) 292-2287 to have a conversation, get a comment added to the show, or even ask a question.
Thanks again and I'll see you folks next time!