Title - Save the Data!

In this episode we're gonna cover 5OE Don't touch that dial!

Intro

Welcome back! This is
episode 5 of The Insider Threat podcast, for the week of June 12th, 2017. With
all the feedback I've received, I realized that we need a way to chat about
these topics and share ideas. For that, I have created a subreddit on
Reddit.com. That is where I will be putting the show notes for each episode,
and I think we could all benefit if you contribute there as well. Please keep
sending your stories. It lets me know of actual issues out there in your
organizations and lets me use this as a medium to share the information to a
large audience. As I said before, I'll be sure to anonymize the stories to keep
everyone out of deep water.

Infosec Question of the Week

It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!

The question last week was
"In 1997, a hacker group was angry about hackers being falsely accused of
electronically stalking a Canadian family. They broke into the Canadian
Broadcasting Corporation's web site and left a message saying: "The media
are liars." The family's own 15-year-old son was eventually identified as
the stalking culprit. What was the name of this group?"

The answer was "The
Brotherhood of Warez". I apologize to our Canadian listeners for the quick
jab in last week's hashtag.

Congratulations to:
o Elliot from Calgary
o Kelly from Houston
o Bruce from St. Paul
o Rubin from Glendale, Arizona
o And our first two-time winner, Isaac from Washington State, for
getting the correct answer.

Here's your question for this week: Guido van Rossum was born in the Netherlands, worked for several international tech organizations, and now works for Dropbox. While all these are great feats, what is he most famous for?

Send your response to
InfosecAnswer@gmail.com. Be sure to include your first name, location, and the
hashtag "cherry pie".

Insider Threat Month

I recently learned that June is now "insider threat month". I'm not entirely sure what that means, and I've only seen it referenced by a few vendors, but it is nice to know that people are thinking about it. Even if it ends up just being a marketing ploy, only good things can come from it, in my opinion.

o Articles
Our first article this week is actually the writeup for a show called "combating insider threat in government" from Federal News Radio.
o First I'll start with some stats that were presented (there were quite a few):
· 60 percent of all intrusions can be attributed to insider threat (IBM)
· 95 percent of all organizations have employees who seek to bypass security controls (Information Week)
§ Doesn't this highlight a problem with the security department, and with making sure that employees have access to the capabilities they need for their job?
§ They didn't specify whether these were technical controls or policy controls.
· 47 percent of organizations have more than 1000 files open to all employees (Varonis customer survey)
· 71 percent of all folders had stale data
§ I'm assuming this just means old files that aren't being used anymore. I'm not sure about this one. I often have to go back to historical files when referencing information, and that is a pretty key capability for just about anyone that works at a desk.
o The guest speaker, Brian Vecci, spoke about the importance of data, as well as the importance of protecting it.
o He specifically calls out user behavior analytics, machine learning, information classification, and file analysis.
· It just so happens that the company he works for, Varonis, sells products for each of these capabilities.
o A good nugget that we should consider is "data should be seen as an organizational asset in the same way that money is".
o When first reading and listening to this, I assumed that they would skip awareness training altogether. I was pleasantly surprised, however, to hear them highlight the need for it.
o The biggest thing I didn't really care for here probably stems from my own understanding of what our role is as security professionals. They kept talking about the importance of protecting data, but in my mind it is actually our job to protect the key business functions and capabilities of the organization. Data is only one small part of that.
o With that said, however, I have to remember the source of this one. In the federal government, there might be more weight on the protection of the data than anything else, because the sensitivity of the data is higher than with most organizations.

Eweek.com - Top 10 Tips on How to Avoid Damage From Insider Threats
o 1 Identify sensitive data you want to protect
- Figure out what data is most important to the organization.
o 2 Monitor user activity
- User behavior analytics.
o 3 Encrypt data and enforce strict data policies
- If you have sensitive data, you should be looking at ways to ensure that it is safe even after it is compromised.
o 4 Train and educate employees about insider threat
- Technology can only go so far. We can train our employees not only to keep from doing the wrong things, but also to report suspicious behaviors and events.
o 5 Develop an employee risk-score system
- I'm not so sure about this one. I suppose you could develop a risk profile for each employee based on the data provided by the user behavior analytics solution, which probably wouldn't be so hard. If you decided not to implement that solution, though, it would be very difficult to develop a way to score employee risk.
o 6 Double authentication and privileged access controls
- By double authentication, they mean multifactor. This could be used to ensure that employees aren't sharing credentials. Not only does this help with access control, but it also helps with nonrepudiation, taking away an employee's ability to say they didn't do something that the account and access logs say they did.
o 7 Focus on automated detection and prevention
- This isn't necessarily talking about insider threat in general, as that is already covered by a few of the other tips. This is specifically talking about data exfiltration. We need to be able to find out when this is happening, as well as have the mechanisms in place to stop it quickly.
o 8 Implement IT vendor monitoring tools
- This might be the first time I've seen something suggesting this route, aside from when we discussed ObserveIT products. The recent NSA leak shows that we can never be too careful about third party product or service providers, no matter how much we trust them. In many cases, any vulnerability in their technology, processes, or the organization as a whole could impact your level of risk.
o 9 and 10 go together.
- First you need to reassess the policies that are already implemented to make sure they are actually doing what you would like them to do. I addressed insider threat policies a few episodes back, but this should be extended to all existing security policies.
- Next, you will want to either modify the existing policies or create new ones to bridge any gaps in your security strategy when it comes to insider threat.
o I think this list of tips is a very good starting point. It is important to remember, however, that you will need to tailor all suggestions to fit your specific environment and the amount of risk that your organization is willing to tolerate. Not all organizations are the same, and you don't want to stick entirely to a universal template.

Vendor Segment
o CyberArk Privileged Account Security
o From the website - "CyberArk is the only security company laser-focused on striking down targeted cyber threats that make their way inside — undetected — to attack the heart of the enterprise. More than 3,200 global businesses trust CyberArk to protect their highest value assets, enabling them to master audit and IT compliance requirements."
o CyberArk has several products and solutions that support information security, but the one we are going to talk about is their Privileged Account Security solution.
- Enterprise Password Vault® fully protects privileged passwords based on privileged account security policies and controls who can access which passwords when.
- SSH Key Manager™ secures, rotates and controls access to SSH keys in accordance with policy to prevent unauthorized access to privileged accounts.
- Privileged Session Manager® isolates, controls, and monitors privileged user access as well as activities for critical Unix, Linux, and Windows-based systems, databases, and virtual machines.
- Privileged Threat Analytics™ analyzes and alerts on previously undetectable malicious privileged user behavior, enabling incident response teams to disrupt and quickly respond to an attack.
- Application Identity Manager™-Conjur eliminates hard-coded passwords and locally stored SSH keys from applications, service accounts and scripts with no impact on application performance.
- On-Demand Privileges Manager™ allows for control and continuous monitoring of the commands super-users run based on their role and task.
- Endpoint Privilege Manager secures privileges on the endpoint and contains attacks early in their lifecycle.
o Key benefits
- Ensure that only authorized users are able to access powerful privileged accounts
- Prevent users from being able to gain unapproved elevated privileges
- Establish strict accountability over the use of privileged accounts by tracking who accessed what accounts and what actions were taken
- Improve forensic analysis by generating a detailed, tamper-proof audit trail of all privileged account activity
- Rapidly detect and be alerted on anomalous activity that could signal an inside attack in progress

Thought of the Week Segment
o Our thought of the week comes from Mary Anne Evans, an English writer who went by the pen name "George Eliot". She said "It is a narrow mind which cannot look at a subject from various points of view."

Outro
o Thank you for listening to episode 5 of The Insider Threat
podcast. Please remember to subscribe and review in your favorite podcast app,
and also share with everyone you know! Those reviews are key to building this
out and improving for later episodes, so please feel free to leave suggestions.
o You can contact me on twitter @stevehigdon or email me at
theinsiderthreatpodcast@gmail.com. Please also consider joining our community
and discussions at http://reddit.com/r/insiderthreat. That is where you will also find the show notes for this and all
other episodes going forward, as well as links to the topics we've covered.
o Thanks again and I'll see you folks next time!

Show Notes
Articles covered in this episode:

Vendors covered in this episode:

Thought of the week
o "It is a narrow mind which cannot look at a subject from various points of view." - Mary Anne Evans as George Eliot