Tuesday, August 8, 2017

Save the Data!


·         In this episode we're gonna cover 5OE Don't touch that dial!
·         Intro
·         Welcome back! This is episode 5 of The Insider Threat podcast, for the week of June 12th, 2017. With all the feedback I've received, I realized that we need a way to chat about these topics and share ideas. For that, I have created a subreddit on Reddit.com. That is where I will be putting the show notes for each episode, and I think we could all benefit if you contribute there as well. Please keep sending your stories. It lets me know of actual issues out there in your organizations and lets me use this as a medium to share the information to a large audience. As I said before, I'll be sure to anonymize the stories to keep everyone out of deep water.

·         Infosec Question of the Week
·         It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
·         The question last week was "In 1997, a hacker group was angry about hackers being falsely accused of electronically stalking a Canadian family. They broke into the Canadian Broadcasting Corporation's web site and left a message saying: "The media are liars." The family's own 15-year-old son was eventually identified as the stalking culprit. What was the name of this group?"
·         The answer was "The Brotherhood of Warez". I apologize to our Canadian listeners for the quick jab in last week's hashtag.

·         Congratulations to:
o Elliot from Calgary
o Kelly from Houston
o Bruce from St. Paul
o Rubin from Glendale, Arizona
o And our first two-time winner, Isaac from Washington State, for getting the correct answer.

·         Here's your question for this week: Guido van Rossum was born in the Netherlands, worked for several international tech organizations, and now works for Dropbox. While all these are great feats, what is he most famous for?
·         Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "cherry pie".

·         Insider Threat Month
·         I recently learned that June is now "insider threat month". I'm not entirely sure what that means, and I've only seen it referenced by a few vendors, but it is nice to know that people are thinking about it. Even if it ends up just being a marketing ploy, only good things can come from it, in my opinion.

o    Articles
Our first article this week is actually the writeup for a show called "Combating insider threat in government" from Federal News Radio.
o    First I'll start with some stats that were presented (there were quite a few)
·         60 percent of all intrusions can be attributed to insider threat (IBM)
·         95 percent of all organizations have employees who seek to bypass security controls (Information Week)
§  Doesn't this highlight a problem with the security department and making sure that employees have access to the capabilities that they need for their job?
§  They didn't specify whether these were technical controls or policy controls
·         47 percent of organizations have more than 1000 files open to all employees (Varonis customer survey)
·         71 percent of all folders had stale data
§  I'm assuming this just means old files that aren't being used anymore. I'm not sure about this one. I often have to go back to historical files when referencing information, and that is a pretty key capability for just about anyone that works at a desk.
o    The guest speaker, Brian Vecci, spoke about the importance of data, as well as the importance of protecting it.
o    He specifically calls out user behavior analytics, machine learning, information classification, and file analysis.
·         Just so happens that the company he works for, Varonis, sells products for each of these capabilities
o    Good nugget that we should consider is "data should be seen as an organizational asset in the same way that money is"
o    When first reading and listening to this, I assumed that they would skip awareness training altogether. I was pleasantly surprised however, to hear them highlight the need for it.
o    The biggest thing I didn't really care for with this probably stems from my own understanding of what our role is as security professionals. They kept talking about the importance of protecting data, but in my mind it is actually our job to protect the key business functions and capabilities of the organization. Data is only one small part of that.
o    With that said however, I have to remember the source of this one. In the federal government, there might be more weight on the protection of the data than anything else because the sensitivity of the data is higher than with most organizations.
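The two Varonis numbers above (files open to all employees, folders full of stale data) are exactly the kind of thing you can measure yourself before buying a product. The script below is an added example, not code from the podcast or from Varonis: it walks a directory tree and reports files that are accessible to everyone and files that nobody has touched in a year. It approximates "open to all employees" with the POSIX "other" permission bits, which is a stand-in for the ACL check you would do against a Windows file server, and it builds its own throwaway sample tree (constructed data, file names and the 365-day threshold are assumptions) so it runs offline.

```python
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path

STALE_DAYS = 365  # assumption: a year without modification counts as "stale"


def is_open_to_all(mode: int) -> bool:
    """POSIX stand-in for 'open to all employees': any read or write bit for 'other'."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH))


def audit_tree(root, stale_days=STALE_DAYS, now=None):
    """Return sorted lists of files open to everyone and files not modified in stale_days."""
    now = time.time() if now is None else now
    cutoff = now - stale_days * 86400
    findings = {"open_to_all": [], "stale": []}
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks and directories are out of scope for this check
        st = path.lstat()
        rel = str(path.relative_to(root))
        if is_open_to_all(st.st_mode):
            findings["open_to_all"].append(rel)
        if st.st_mtime < cutoff:
            findings["stale"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_fixture():
    """Constructed sample tree: two finance files, one world-writable share file, one old deck."""
    root = tempfile.mkdtemp(prefix="audit-")
    three_years_ago = time.time() - 3 * 365 * 86400
    spec = {  # relative path -> (mode, mtime or None for 'now')
        "finance/payroll.xlsx": (0o640, None),
        "finance/old_budget.xlsx": (0o640, three_years_ago),
        "shared/everyone.docx": (0o666, None),
        "shared/archive/2013_plan.pptx": (0o644, three_years_ago),
    }
    for rel, (mode, mtime) in spec.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")
        p.chmod(mode)
        if mtime is not None:
            os.utime(p, (mtime, mtime))
    return root


def audit_sample():
    """Build the sample tree, audit it, and clean up."""
    root = build_fixture()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, files in audit_sample().items():
        print(kind)
        for f in files:
            print("  ", f)
```

Run it against a real share root instead of the fixture and you get a first cut at tip 1 below ("identify sensitive data you want to protect"): the world-readable list is where to start classification, and the stale list is where to push back on the "we might need it" argument with actual access dates rather than assumptions.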

·         Eweek.com - Top 10 Tips on How to Avoid Damage From Insider Threats
o 1 Identify sensitive data you want to protect
      • Figure out what data is most important to the organization
o 2 Monitor user activity
      • User behavior analytics
o 3 Encrypt data and enforce strict data policies
      • If you have sensitive data, you should be looking at ways to ensure that it stays unreadable even after it is stolen or leaked. Encryption with keys the attacker doesn't also have is the usual answer.
o 4 Train and educate employees about insider threat
      • Technology can only go so far. We can train our employees not only to keep from doing the wrong things, but also to report suspicious behaviors and events
o 5 Develop an employee risk-score system
      • I'm not so sure about this one. I suppose you could develop a risk profile for each employee based on the data provided by the user behavior analytics solution, which probably wouldn't be so hard. If you decided not to implement this solution though, it would be very difficult to develop a way to score employee risk.
o 6 Double authentication and privileged access controls
      • By double authentication, they mean multifactor. This could be used to ensure that employees aren't sharing credentials. Not only does this help with access control, but it also helps with non-repudiation: when each person has to present their own second factor, an employee can't plausibly deny an action that the account and access logs attribute to them.
o 7 Focus on automated detection and prevention
      • This isn't necessarily talking about insider threat, as that is already covered with a few of the other tips. This is specifically talking about data exfiltration. We need to be able to find out when this is happening as well as have the mechanisms in place to stop it quickly.
o 8 Implement IT vendor monitoring tools
      • This might be the first time I've seen something suggesting this route, aside from when we discussed ObserveIT products. The recent NSA leak shows that we can never be too careful about third party product or service providers, no matter how much we trust them. In many cases, any vulnerability in their technology, processes, or the organization as a whole could impact your level of risk.
o 9 and 10 go together.
      • First you need to reassess the policies that are already implemented to make sure they are actually doing what you would like them to do. I addressed insider threat policies a few episodes back, but this should be extended to all existing security policies.
      • Next, you will want to either modify the existing policies or create new ones to bridge any gaps in your security strategy when it comes to insider threat.
o I think this list of tips is a very good starting point. It is important to remember however that you will need to cater all suggestions to fit your specific environment and the amount of risk that your organization is willing to tolerate. Not all organizations are the same and you don't want to stick entirely to a universal template.
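Tips 2, 5 and 7 (monitor user activity, build a risk score from it, detect exfiltration automatically) are really one pipeline, and the scoring part is less mysterious than it sounds. The example below is added here and is not the podcast's, eWeek's, or any vendor's code. It parses a small constructed CSV access log and scores each user on four signals: transfers outside business hours, a daily download volume far above that user's own earlier days, data moved to a destination outside the internal domain, and the same account appearing from two source IPs within a few minutes (the credential-sharing case tip 6 is about). The log lines, user names, the `corp.example` internal domain, the weights and the thresholds are all assumptions to be tuned per organization.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: signal weights and thresholds are illustrative, tune them to your risk tolerance.
WEIGHTS = {
    "off_hours_transfer": 10,
    "volume_spike": 30,
    "external_transfer": 25,
    "shared_credential": 35,
}
INTERNAL_SUFFIX = ".corp.example"      # hypothetical internal domain
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 is normal working time
SPIKE_FACTOR = 5                       # latest day > 5x the user's earlier daily mean
CRED_WINDOW = timedelta(minutes=10)    # two source IPs inside this window => shared credential
TRANSFER_ACTIONS = {"download", "upload", "email_out", "usb_copy"}

# Constructed sample log: alice is normal, bob pulls 2 GB at night and uploads it
# off-site, carol's account is used from two addresses four minutes apart.
SAMPLE_LOG = """timestamp,user,action,bytes,src_ip,dest
2017-06-05T09:12:00,alice,download,52000000,10.0.0.5,fileserver.corp.example
2017-06-06T10:03:00,alice,download,48000000,10.0.0.5,fileserver.corp.example
2017-06-07T11:30:00,alice,download,51000000,10.0.0.5,fileserver.corp.example
2017-06-05T09:40:00,bob,download,40000000,10.0.0.9,fileserver.corp.example
2017-06-06T09:55:00,bob,download,42000000,10.0.0.9,fileserver.corp.example
2017-06-07T10:10:00,bob,download,39000000,10.0.0.9,fileserver.corp.example
2017-06-08T23:05:00,bob,download,2100000000,10.0.0.9,fileserver.corp.example
2017-06-08T23:40:00,bob,upload,2100000000,10.0.0.9,files.example.net
2017-06-07T14:00:00,carol,login,0,10.0.0.21,vpn.corp.example
2017-06-07T14:04:00,carol,login,0,203.0.113.7,vpn.corp.example
2017-06-07T14:10:00,carol,download,30000000,203.0.113.7,fileserver.corp.example
"""


def parse_events(text):
    """Parse the CSV log into dicts, sorted by time so per-user sequences are ordered."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"],
            "action": row["action"],
            "bytes": int(row["bytes"]),
            "src_ip": row["src_ip"],
            "dest": row["dest"],
        })
    return sorted(events, key=lambda e: e["ts"])


def score_users(events):
    """Return {user: {"score": int, "signals": {...}}} from time-ordered events."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    results = {}
    for user, evs in by_user.items():
        signals = {}
        # 1. transfers outside business hours
        n = sum(1 for e in evs
                if e["action"] in TRANSFER_ACTIONS and e["ts"].hour not in BUSINESS_HOURS)
        if n:
            signals["off_hours_transfer"] = n
        # 2. latest day's download volume against the user's own earlier days
        daily = defaultdict(int)
        for e in evs:
            if e["action"] == "download":
                daily[e["ts"].date()] += e["bytes"]
        if len(daily) >= 2:
            days = sorted(daily)
            latest = daily[days[-1]]
            baseline = max(statistics.mean(daily[d] for d in days[:-1]), 1)
            if latest > SPIKE_FACTOR * baseline:
                signals["volume_spike"] = round(latest / baseline, 1)
        # 3. data moved to a destination outside the internal domain
        n = sum(1 for e in evs
                if e["action"] in TRANSFER_ACTIONS and not e["dest"].endswith(INTERNAL_SUFFIX))
        if n:
            signals["external_transfer"] = n
        # 4. same account seen from two source IPs within a short window
        for prev, cur in zip(evs, evs[1:]):
            if prev["src_ip"] != cur["src_ip"] and cur["ts"] - prev["ts"] <= CRED_WINDOW:
                signals["shared_credential"] = f"{prev['src_ip']} -> {cur['src_ip']}"
                break
        results[user] = {"score": sum(WEIGHTS[k] for k in signals), "signals": signals}
    return results


def score_sample():
    return score_users(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, r in sorted(score_sample().items(), key=lambda kv: -kv[1]["score"]):
        print(f"{user:6} score={r['score']:3}  {r['signals']}")
```

The point of the per-user baseline in signal 2 is that a 2 GB pull is only interesting relative to what that person normally does; a static "more than 1 GB" rule would page you on every backup operator. Signal 4 is deliberately crude (a VPN reconnect from a phone can trip it), which is why it adds to a score rather than blocking anything on its own, and why tip 7's "prevention" belongs on the exfiltration path (the external upload) rather than on the score.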

·         Vendor Segment
o CyberArk Privileged Account Security
o From the website - "CyberArk is the only security company laser-focused on striking down targeted cyber threats that make their way inside — undetected — to attack the heart of the enterprise. More than 3,200 global businesses trust CyberArk to protect their highest value assets, enabling them to master audit and IT compliance requirements."
o CyberArk has several products and solutions that support information security, but the one we are going to talk about is their Privileged Account Security solution.
      • Enterprise Password Vault® fully protects privileged passwords based on privileged account security policies and controls who can access which passwords when.
      • SSH Key Manager™ secures, rotates and controls access to SSH keys in accordance with policy to prevent unauthorized access to privileged accounts.
      • Privileged Session Manager® isolates, controls, and monitors privileged user access as well as activities for critical Unix, Linux, and Windows-based systems, databases, and virtual machines.
      • Privileged Threat Analytics™ analyzes and alerts on previously undetectable malicious privileged user behavior enabling incident response teams to disrupt and quickly respond to an attack.
      • Application Identity Manager™-Conjur eliminates hard-coded passwords and locally stored SSH keys from applications, service accounts and scripts with no impact on application performance.
      • On-Demand Privileges Manager™ allows for control and continuous monitoring of the commands super-users run based on their role and task.
      • Endpoint Privilege Manager secures privileges on the endpoint and contains attacks early in their lifecycle.
o Key benefits
      • Ensure that only authorized users are able to access powerful privileged accounts
      • Prevent users from being able to gain unapproved elevated privileges
      • Establish strict accountability over the use of privileged accounts by tracking who accessed what accounts and what actions were taken
      • Improve forensic analysis by generating a detailed, tamper-proof audit trail of all privileged account activity
      • Rapidly detect and be alerted on anomalous activity that could signal an inside attack in-progress


·         Thought of the Week Segment
o Our thought of the week comes from Mary Anne Evans, an English writer who went by the pen name "George Eliot". She said "It is a narrow mind which cannot look at a subject from various points of view."

·         Outro
o Thank you for listening to episode 5 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
o You can contact me on twitter @stevehigdon or email me at theinsiderthreatpodcast@gmail.com. Please also consider joining our community and discussions at http://reddit.com/r/insiderthreat. That is where you will also find the show notes for this and all other episodes going forward, as well as links to the topics we've covered.
o Thanks again and I'll see you folks next time!


