Visit https://reddit.com/r/insiderthreat for show notes and discussion! This is a podcast where we explore the issues today with the insider threat, or human factor, of our organizations. We also talk about ways to tackle those issues through training, culture, and technology in order to help information security and business professionals reduce risks in their environments.
Title - Data Management and Music Degrees
In this episode we cover Data Management, Music degrees and information security, another real world insider threat story, and more. Don't touch that dial!
Welcome back! This is episode 21 of The Insider Threat podcast, for the week of October 9th, 2017.
If you're listening to this on Monday, which most of you are, I just spent the weekend at BSides DC. If we met up during the event, hello again. Thank you for reaching out and having a conversation with me. Sometimes we have guests on the show, and many of you have provided excellent feedback, but sometimes it feels as though this is a one way conversation. When I get to actually sit down and talk with you guys about insider threat, it energizes me in a way that I can't even explain. Thank you for that, once again.
I have some pretty awesome news! I mentioned a few weeks ago that I would try to get the article on the four pillars of insider threat published, and I submitted to CSO Online. Now I'll admit that I didn't actually expect a response, but they came back to me saying that they don't accept articles from guest contributors and suggested that I apply to be part of their contributor network. Well I did, once again not expecting much to come of it. This last week, I received an email from their parent company offering me a monthly column on the website, saying that I can write about pretty much anything I want in the security space. I was at a loss for words. Heck, I'm still over the moon with this. Thank you to CSO Online and I look forward to contributing on their platform in the future. I'll keep you all updated on all that as it pans out.
If you haven't been able to tell already, I'm terrible about remembering to mention important dates and holidays on this show. That said, and as you probably already know, October is cybersecurity awareness month. Be sure to take some time and think about ways that you can help improve awareness in your own organization this month. If you are listening to this podcast, that is probably something that you do every month, which is awesome, but vocalizing the importance of cybersecurity awareness can be a way to get more people on your side.
Finally, and I know this is probably the longest introduction that I've ever done, we've had some pretty terrible tragedies in the past few weeks. First, we had hurricane Maria that has decimated many islands, especially Puerto Rico. The information security community has made great strides in finding ways to support relief efforts for Puerto Rico (hashtag trevorforget). We also had the mass shooting in Las Vegas last week, and when viewing these events it might be easy to lose faith in humanity. I have a special quote of the week at the end of the show to address this, but I want to break one of the cardinal rules of podcasting and offer a moment of silence for everyone in the world that has been impacted by the recent tragedies in any way.
Another quick note is that I received probably the best feedback I could have asked for this week from one of you. I'm going to try to implement many of those suggestions in the coming weeks, and I think it will greatly improve the show in the long run. Please bear with me as I work through all this, as it will take a few weeks to really get into the swing of things. As always, if you have additional feedback or suggestions, don't hesitate at all to contact me. Seriously, if you have something on your mind right now, stop the episode and let me know about it, good or bad.
Infosec Question of the Week
Now it's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
The question last week was "On September 28th, 1998, Internet Explorer became the most widely used web browser, beating out this competitor."
The answer was "Netscape Navigator".
It's important to note that Internet Explorer didn't become the most widely used browser because of anything special about the product. Actually it was just because it came as the default browser on Windows installations, which were widely used. New internet users didn't know about different options, so they just used what they had. This isn't a dig against Microsoft in any way, but more an attempt to say that it wasn't necessarily Netscape's fault for losing market share.
Congratulations to Marko from Northampton, Mike from Queensland, Harvey from Little Rock, Bailey from Rostock, Amber from Myrtle, and Rhys from Lumberton for getting the correct answer.
Here's your question for this week: "In 1983, a blockbuster movie introduced the public to hacking and even brought on some mass paranoia about hackers and their seeming possibility to bring the world to a screeching halt with the ability to launch nuclear weapons. What was the name of this movie?"
Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "X".
Info - https://en.wikipedia.org/wiki/WarGames
Why are you here?
So this is something that I've been thinking about for some time. This podcast has been downloaded from 36 different countries and all but one continent. I'm looking at you, Antarctica. Actually, if one of you can just go down to Antarctica and download the podcast from there just so I can fill my bingo card, I'd be forever in your debt. The question is, why are you here? I'm sure it isn't the infosec question of the week, or we'd have more people answering. Is it the news stories? Those are easily found on Google. I imagine it isn't the articles, either. Correct me if I'm wrong, and I mean that, but I think the reason you are listening is because you know from every other information security article and study that insider threat is a serious thing that you know you should care about. Even though most of the information you can find on the internet and at conferences is about fantastic new technologies that can be used to quote unquote completely eliminate insider threat risk, you know that there is more to it than that. I spoke last month about the four pillars of insider threat protection, and I welcome you to go back and listen to those if you missed them. They're pretty timeless topics, so even if you are listening to them a year from now, they should still be relevant. The issue with insider threat is that everyone who is providing information is also trying to sell you something. I'm not saying that anything is wrong with that, as technology is equally as important as training, policy, and culture, but I have a very difficult time finding articles about the administrative pillars of insider threat protection. That is where this podcast is different. I try to provide a mix of topics and stories that cover the entire insider threat program, not just the shiny toys you can buy that claim to address all your concerns.
Am I wrong in saying this? Is there another reason that you're listening today? Let me know, because that's how I cater this to your needs. My focus here is to help people and organizations get better. The only way that can happen is if I know what type of information you're looking for. I promise that you aren't alone in your concerns, worries, and frustrations, and there's a very good chance that someone else has the same questions and pain points. I mean it. Let me know. I'll provide several ways to contact me at the end of the show.
Our news article this week comes from Doug Olenick at SC Magazine and is titled New Jersey email admin charged with accessing former company's account
Jian Yang Zhang, also known as “Kevin Zhang,” was the email administrator at his family's company. The name of the company wasn't provided in the court documents, but at some point the family sold it to someone else. Right before this happened, Zhang created a hidden subuser account on the email server that would allow him to log in after his regular administrator and user accounts were removed. Immediately after the company was sold and for the next 14 months, Zhang accessed the email server and leaked messages to his own computer. There isn't any information about what he did with the information after that, but I imagine it was either curiosity about his family's former business or perhaps he even sold the information to competitors. Either way, Zhang is being charged with one count of unauthorized access of a protected computer and one count of interception of electronic communications by the U.S. Attorney's Office, and he faces up to five years in prison and a fine of $250,000.
Now this is something that I don't think we've ever discussed before. Businesses are being bought and sold every day, but the question is, are we adequately scrubbing the systems for unneeded access after this is done, and are we looking at the new information architecture with a critical eye? I could see this type of thing happening very easily and I'm actually surprised that we don't hear about it more often. If your organization acquires another, its security is now in your bucket. You need to pay close attention to things that just don't look right and completely re-accomplish your access controls.
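One concrete way to "scrub the systems for unneeded access" after a sale is to reconcile every account on the acquired mail server against the roster of people who actually came across in the deal, and to look hard at anything created in the weeks before closing. The script below is an added example written for this discussion; it is not code from the podcast, the SC Magazine article, or any product. The account export, the HR roster, the sale date and the field names (login, owner, kind, created, enabled) are all constructed assumptions about what such exports might contain.

```python
"""Post-acquisition access review: reconcile mail-server accounts against the
current staff roster and flag what should not have survived the sale.

Added example; not the podcast's or the article's code. All records below are
constructed sample data and the field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class MailAccount:
    login: str
    owner: str       # person the account is tied to, per the mail server
    kind: str        # "user", "admin", or "subuser" (secondary/alias login)
    created: date
    enabled: bool


SALE_DATE = date(2017, 1, 15)  # constructed closing date of the acquisition

# Constructed export from the acquired company's mail server.
ACCOUNTS = [
    MailAccount("pformer", "Pat Former", "admin", date(2012, 3, 1), False),
    MailAccount("pformer2", "Pat Former", "subuser", date(2017, 1, 10), True),
    MailAccount("alee", "Alice Lee", "user", date(2014, 6, 2), True),
    MailAccount("svc-backup", "", "user", date(2016, 11, 30), True),
    MailAccount("bkim", "Bob Kim", "user", date(2015, 9, 9), True),
]

# Constructed HR roster of the people who transferred in the acquisition.
ROSTER = {"Alice Lee", "Bob Kim"}


def review_accounts(accounts, roster, sale_date, window_days=30):
    """Return (login, reason) findings for a human reviewer.

    Rules:
      1. An enabled account whose owner is not on the roster is an orphan.
      2. An enabled account created within `window_days` before the sale gets
         a second look: changes made right before a handover are worth
         explaining, whoever owns them.
      3. An enabled secondary/subuser login whose owner's primary accounts are
         all disabled is a leftover path back in; disabling the primary was
         not enough.
    """
    # Index primary (user/admin) accounts by owner so rule 3 can check them.
    primaries = {}
    for acct in accounts:
        if acct.kind in ("user", "admin"):
            primaries.setdefault(acct.owner, []).append(acct)

    window_start = sale_date - timedelta(days=window_days)
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner not in roster:
            findings.append((acct.login, "owner not on current roster"))
        if window_start <= acct.created <= sale_date:
            findings.append((acct.login,
                             "created within %d days before sale" % window_days))
        if acct.kind == "subuser":
            owner_primaries = primaries.get(acct.owner, [])
            if owner_primaries and not any(p.enabled for p in owner_primaries):
                findings.append((acct.login,
                                 "secondary login outlives disabled primary"))
    return findings


if __name__ == "__main__":
    for login, reason in review_accounts(ACCOUNTS, ROSTER, SALE_DATE):
        print("%-12s %s" % (login, reason))
```

The point of rule 3 is the one the story illustrates: removing someone's named accounts does nothing about a secondary login they created for themselves, so the review has to walk every credential on the server, not just the ones in the HR system. Feeding this the real exports from an acquired system and reading the findings line by line is a reasonable first pass at the access re-accomplishment described above.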
The first article this week comes from Lompoc Record.com and is titled Leader and team recognized for exceptional insider threat capabilities
Speaking of looking at things with a critical eye, I was very close to tossing this article into file 13 after I finished reading it. I was really looking for the methods and tools that this Air Force organization used to have such a great insider threat program, but it wasn't mentioned anywhere. All it said was that the Armed Forces Communications and Electronics Association, or AFCEA, recognized the organization and its leadership for doing an awesome job. Then it talked about Jason Barron crediting his own leadership skills for the team's success. Bleh. I mean I'm sure he did great things, but the article doesn't do anyone justice in my opinion. Then I took a look at it from a different lens, me being the type of person who at least wants to see the silver lining in everything. Here we have an organization being recognized for their exceptional insider threat program. When is the last time you saw that happen? This, being cybersecurity awareness month, is the perfect time to bring insider threat into the forefront. Publicly recognizing a leader in this space and publishing an article about his achievements is actually really cool. We are getting the message out there that this is important and people should be thinking about it. How do you like that? I was able to turn something that made me want to throw up in my mouth a little bit into a big win for the community. You're welcome, Lompoc Record. If you'd like to comment on my opinion, please send in your concerns written on the back of a 20 dollar bill and we will process that for you.
The next article comes from Tammy Bilitzky at Data Center Journal and is titled INSIDER SECURITY: MISSION IMPOSSIBLE?
I have to start this one off by saying that it's probably the best article on insider threat that I have read since starting the show. I am in no way, shape, or form a reliable critic of writing, but wow. It starts off with a captivating anecdote, provides more information about the problem than you were probably looking for, and introduces more detail about a particular method for addressing insider threat that many people aren't talking about. If you want to skip ahead to my coverage of the next topic and simply read this one yourself, I won't be mad at you. The fantastic leadup and description of the problem end with the following roadmap for using proper data management to impact insider threat risk, directly from the article:
- Inventory your data across all databases and documents. What data do you own? What format(s) do you use to store your data? Where do you house your data? What data do you access from external sources?
- And then you explore your data and gain a complete understanding of its purpose and potential. What’s the purpose(s) of the data, by context? What’s the meaning(s) of the data, by context? What business functions, systems and/or job functions create, update, delete, view or share the data? What data is exchanged with external parties?
- Next, you have to determine the correct strategic format for your data, emphasizing the reusability, extendibility and data granularity most conducive to the administration of security policies (e.g., XML). Is the data in a format conducive to reconciliation and consistency validation across disparate sources? Is it in a viable format that portrays meaning, context and data relationship? Evaluate detail data and summary data independently, as they are not the same, regardless of whether they originate from a common source.
- Then assess the best location for your data. Is your data stored in multiple locations? Should it be? Is the data queried live from multiple federated sources or is it centralized and harmonized in a data lake or data hub to reduce your dependency on the source system?
- You need to classify your data by relevant risk factors including personal information, intellectual property and client-sensitive data. Be as explicit as possible. Data may be classified as sensitive owing to its inherent or contextual nature. Detail information may be more sensitive than summary, and vice versa—for example, summary department salary information versus individual salary information.
- To get a better understanding, map your data classifications to job functions, including time span. Assess and document all job functions. Prepare a data map correlating job function to data attribute, including timeframe. Remember the basic principle: access to data is a responsibility, not a privilege. Effective training that conveys this message will encourage colleagues and third parties to become active, vocal partners when granted access to data they don’t need— and, therefore, don’t want.
- Finally, stipulate and implement security and compliance best practices to administer access to the data. Strive for simplicity. Complex access policies are error prone and increase your risk. To streamline access administration and minimize errors, assign job functions to data and individuals to job functions.
We have talked about this before, and so have many other people, but we typically just say you need to have good access controls and classify your data. It's refreshing to see someone who specializes in data management talk about the actual things you can do to accomplish this task. One of, if not the biggest, benefits that I get from doing this is that I get to learn from experts in the field, and this is one of those where I definitely learned something. The big thing that Tammy was trying to get across in this article is that the problem is not impossible to tackle. There is hope, and there are real methods that can be used to reduce insider threat risk.
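The last three steps of that roadmap (classify data attributes, map classifications to job functions with a time span, assign people to job functions rather than to data) translate almost directly into a small access model that you can query and audit. The code below is an added example written for this episode; it is not code from the Data Center Journal article or the podcast. Every attribute, job function, person and date in it is constructed, and the function names (can_access, access_report, excess_access) are assumptions of this example.

```python
"""A job-function-to-data map built the way the roadmap describes: classify
each data attribute, map job functions to the attributes and operations they
need (with a validity window), and assign individuals to job functions.

Added example; not the article's or the podcast's code. All records are
constructed sample data.
"""
from datetime import date

# Step: classify each data attribute. Classification is per attribute, so
# detail and summary data can differ (the article's salary example).
DATA_CLASSIFICATION = {
    "employee.salary":         "personal",
    "department.salary_total": "internal",
    "client.contract":         "client-sensitive",
    "product.design_doc":      "intellectual-property",
    "public.price_list":       "public",
}
SENSITIVE = {"personal", "client-sensitive", "intellectual-property"}

# Step: map job functions to data attributes and the operations each needs.
JOB_FUNCTIONS = {
    "payroll-analyst": {"employee.salary": {"view", "update"},
                        "department.salary_total": {"view"}},
    "dept-manager":    {"department.salary_total": {"view"},
                        "public.price_list": {"view"}},
    "design-engineer": {"product.design_doc": {"view", "update", "create"},
                        "public.price_list": {"view"}},
    "auditor-2017q4":  {"employee.salary": {"view"},
                        "client.contract": {"view"}},
}

# Step: assign individuals to job functions, each with a start and an
# optional end date. People never get data directly.
ASSIGNMENTS = [
    # (person, job function, start, end or None for open-ended)
    ("maria", "payroll-analyst", date(2016, 1, 4), None),
    ("raj",   "dept-manager",    date(2015, 5, 1), None),
    ("raj",   "auditor-2017q4",  date(2017, 10, 1), date(2017, 12, 31)),
    ("lin",   "design-engineer", date(2014, 2, 3), date(2017, 9, 30)),
]


def active_functions(person, on):
    """Job functions held by `person` on date `on`."""
    return [fn for (p, fn, start, end) in ASSIGNMENTS
            if p == person and start <= on and (end is None or on <= end)]


def can_access(person, attribute, op, on):
    """True if some active job function of `person` allows `op` on `attribute`."""
    return any(op in JOB_FUNCTIONS[fn].get(attribute, set())
               for fn in active_functions(person, on))


def access_report(on):
    """The data map: who can view each sensitive attribute on a given date."""
    people = sorted({p for p, _, _, _ in ASSIGNMENTS})
    return {attr: sorted(p for p in people if can_access(p, attr, "view", on))
            for attr, cls in DATA_CLASSIFICATION.items() if cls in SENSITIVE}


def excess_access(direct_grants, on):
    """Compare what a system actually grants (person -> attribute -> ops)
    with the map; return grants no active job function justifies. This is
    how expired or never-needed access shows up for removal."""
    excess = []
    for person, grants in sorted(direct_grants.items()):
        for attribute, ops in sorted(grants.items()):
            for op in sorted(ops):
                if not can_access(person, attribute, op, on):
                    excess.append((person, attribute, op))
    return excess


if __name__ == "__main__":
    today = date(2018, 1, 15)
    # Constructed snapshot of grants pulled from a document system.
    actual = {"lin": {"product.design_doc": {"view"}},
              "raj": {"client.contract": {"view"}}}
    print(access_report(today))
    print(excess_access(actual, today))
```

Two things the roadmap argues for fall out of this shape. Because people are tied to job functions and job functions to data, the only question an access request ever raises is "which function needs this," and a time-boxed function such as the audit role expires on its own. And because the map is explicit, a periodic comparison against what systems actually grant is a mechanical diff rather than a judgment call, which is where the "access is a responsibility, not a privilege" conversation with colleagues can start from facts.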
The last topic of discussion today is about the former CSO of Equifax
If you follow any sort of information security topics on social media, discussion forums, or news outlets, you've probably seen people criticizing the Equifax CSO because she had an Arts degree. I've seen some pretty nasty things said on Twitter and LinkedIn, but I think people are going a little bit too far. First, the average CSO or CISO of a large organization has to have at least 10 years of experience in IT and information security. I remember exactly when colleges started offering security degrees, as that's the time that I immediately changed my undergrad major, and I'll tell you what... it wasn't 10 years ago. The most you could get 10 years ago was a degree in computer science, information systems, or management with a focus on information systems. While that may help you in IT and lower-level security roles, it isn't going to do much for a CISO, because their job is actually focused on the business, project management, and finding creative ways to solve security problems from the 10,000-foot level. To back that up, right before we learned about the Equifax breach, on September 7th of this year, securityintelligence.com posted an article titled Aiming for a Security Career? Consider a Liberal Arts Degree. In July of 2015 Forbes even published something saying that your quote unquote 'Useless' Liberal Arts Degree Has Become Tech's Hottest Ticket. This idea was all over my social media in the few months before the breach, but afterward everyone seemed to change their tune. Most of what a CISO does is knowing the problems in the organization, knowing the tools and best practices to address those problems, and being able to manage implementation in a way that aligns with the business. Heck, I'd go so far as to say that you don't even need a technical cert for that.
I know that I probably just lost half of my listeners, but this is something that I've been wrapping my head around for the past few weeks and I felt that it needed to be said. Was the breach really bad? Yep. Were there technical and procedural issues at Equifax that led to the loss of personal information for over 145 million people? Absolutely. I'm just saying that the CSO's education had nothing to do with it. Do you disagree? Once again, send in your comments and concerns written on the back of a 20 dollar bill and we will process them appropriately. Really though, let me know what you think in one of the contact methods I'll mention in a minute.
Thought of the Week Segment
Back on the topic of the shooting in Las Vegas and the hurricane that seriously impacted Puerto Rico, our thought of the week comes from Fred Rogers, who you may recognize as the host of Mr. Rogers' Neighborhood. In this community, I don't know if that dates me or if it shows the green behind my ears. Anyway, he said, “When I was a boy and I would see scary things in the news, my mother would say to me, ‘Look for the helpers. You will always find people who are helping.’”
Thank you for listening to episode 21 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
You can contact me on twitter @stevehigdon or send an email to firstname.lastname@example.org. Join our Reddit community and discussions at the subreddit named insiderthreat. The subreddit is also where you'll find the show notes for this and any other episode, as well as links to the topics we've covered. If you go to our website, you can also find a link to the Patreon page and you can subscribe to the newsletter to get up-to-date information on current episodes and news for the show. Call and leave a voicemail at (443) 292-2287 to have a conversation, get a comment added to the show, or even ask a question.
Thanks again and I'll see you folks next time!