Tuesday, August 8, 2017

Save the Data!

Title - Save the Data!

·         In this episode we're gonna cover 5OE Don't touch that dial!
·         Intro
·         Welcome back! This is episode 5 of The Insider Threat podcast, for the week of June 12th, 2017. With all the feedback I've received, I realized that we need a way to chat about these topics and share ideas. For that, I have created a subreddit on Reddit.com. That is where I will be putting the show notes for each episode, and I think we could all benefit if you contribute there as well. Please keep sending your stories. It lets me know of actual issues out there in your organizations and lets me use this as a medium to share the information to a large audience. As I said before, I'll be sure to anonymize the stories to keep everyone out of deep water.

·         Infosec Question of the Week
·         It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
·         The question last week was "In 1997, a hacker group was angry about hackers being falsely accused of electronically stalking a Canadian family. They broke into the Canadian Broadcasting Corporation's web site and left a message saying: "The media are liars." The family's own 15-year-old son was eventually identified as the stalking culprit. What was the name of this group?"
·         The answer was "The Brotherhood of Warez". I apologize to our Canadian listeners for the quick jab in last week's hashtag.

·         Congratulations to:
o Elliot from Calgary
o Kelly from Houston
o Bruce from St. Paul
o Rubin from Glendale, Arizona
o And our first two-time winner, Isaac from Washington State, for getting the correct answer.

·         Here's your question for this week: Guido van Rossum was born in the Netherlands, worked for several international tech organizations, and now works for Dropbox. While all these are great feats, what is he most famous for?
·         Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "cherry pie".

·         Insider Threat Month
·         I recently learned that June is now "insider threat month". I'm not entirely sure what that means, and I've only seen it referenced by a few vendors, but it is nice to know that people are thinking about it. Even if it ends up just being a marketing ploy, only good things can come from it in my opinion.

·         Articles
o    Our first article this week is actually the writeup for a show called "combating insider threat in government" from Federal News Radio.
o    First I'll start with some stats that were presented (there were quite a few)
·         60 percent of all intrusions can be attributed to insider threat (IBM)
·         95 percent of all organizations have employees who seek to bypass security controls (Information Week)
§  Doesn't this highlight a problem with the security department and making sure that employees have access to the capabilities that they need for their job?
§  They didn't specify whether these were technical controls or policy controls
·         47 percent of organizations have more than 1000 files open to all employees (Varonis customer survey)
·         71 percent of all folders had stale data
§  I'm assuming this just means old files that aren't being used anymore. I'm not sure about this one. I often have to go back to historical files when referencing information, and that is a pretty key capability for just about anyone that works at a desk.
o    The guest speaker, Brian Vecci, spoke about the importance of data, as well as the importance of protecting it.
o    He specifically calls out user behavior analytics, machine learning, information classification, and file analysis.
·         Just so happens that the company he works for, Varonis, sells products for each of these capabilities
o    A good nugget we should consider is "data should be seen as an organizational asset in the same way that money is"
o    When first reading and listening to this, I assumed that they would skip awareness training altogether. I was pleasantly surprised however, to hear them highlight the need for it.
o    The biggest thing I didn't really care for with this probably stems from my own understanding of what our role is as security professionals. They kept talking about the importance of protecting data, but in my mind it is actually our job to protect the key business functions and capabilities of the organization. Data is only one small part of that.
o    With that said however, I have to remember the source of this one. In the federal government, there might be more weight on the protection of the data than anything else because the sensitivity of the data is higher than with most organizations.
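Two of the stats above ("files open to all employees" and "folders with stale data") are things you can measure yourself before buying a file-analysis product. The script below is an added example written for these notes; it is not from the Federal News Radio show or from Varonis. It treats "open to all" as the world-readable bit on a POSIX file mode and "stale" as not modified in a year; both definitions, the 365-day threshold and the sample file tree are assumptions chosen for the example.

```python
"""Count files that are readable by everyone and files that are stale.

Added example for the Varonis stats quoted above; not the vendor's code.
"open to all" = the 'other' read bit is set (assumption).
"stale"       = not modified in STALE_DAYS days (assumption).
"""
import os
import stat
import tempfile
import time
from pathlib import Path

STALE_DAYS = 365  # assumption: untouched for a year counts as stale


def is_open_to_all(path: Path) -> bool:
    """True when users outside owner and group can read the file (o+r)."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def is_stale(path: Path, now: float, stale_days: int = STALE_DAYS) -> bool:
    """True when the file's mtime is older than stale_days relative to now."""
    age_days = (now - path.stat().st_mtime) / 86400
    return age_days > stale_days


def scan(root: Path, now: float, stale_days: int = STALE_DAYS) -> dict:
    """Walk root; return a total plus the paths that trip each check."""
    report = {"total": 0, "open_to_all": [], "stale": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            report["total"] += 1
            rel = str(p.relative_to(root))
            if is_open_to_all(p):
                report["open_to_all"].append(rel)
            if is_stale(p, now, stale_days):
                report["stale"].append(rel)
    return report


def build_sample_tree(root: Path, now: float) -> None:
    """Constructed sample data: four files with chosen modes and ages (days)."""
    samples = {
        "hr/payroll.xlsx": (0o600, 10),        # private, recent
        "shared/handbook.pdf": (0o644, 30),    # open to all, recent
        "shared/old_plan.docx": (0o644, 800),  # open to all AND stale
        "eng/design.md": (0o640, 500),         # group-readable, stale
    }
    for rel, (mode, age_days) in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample")
        p.chmod(mode)
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))


def demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root, now)
        return scan(root, now)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['open_to_all'])}/{r['total']} files open to all: {r['open_to_all']}")
    print(f"{len(r['stale'])}/{r['total']} files stale: {r['stale']}")
```

Point `scan()` at a real share root (with a reasonable `stale_days` for your retention policy) to get the same two percentages the article quotes, but for your own organization; on a Windows share you would replace the mode-bit check with an ACL check, since NTFS does not use POSIX mode bits.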

·         Eweek.com - Top 10 Tips on How to Avoid Damage From Insider Threats
o 1 Identify sensitive data you want to protect
      • Figure out what data is most important to the organization
o 2 Monitor user activity
      • User behavior analytics
o 3 Encrypt data and enforce strict data policies
      • If you have sensitive data, you should be looking at ways to ensure that it is safe even after it is compromised
o 4 Train and educate employees about insider threat
      • Technology can only go so far. We can train our employees not only to keep from doing the wrong things, but also to report suspicious behaviors and events
o 5 Develop an employee risk-score system
      • I'm not so sure about this one. I suppose you could develop a risk profile for each employee based on the data provided by the user behavior analytics solution, which probably wouldn't be so hard. If you decided not to implement this solution though, it would be very difficult to develop a way to score employee risk.
o 6 Double authentication and privileged access controls
      • By double authentication, they mean multifactor. This could be used to ensure that employees aren't sharing credentials. Not only does this help with access control, but it also helps with nonrepudiation, which is an employee's ability to say they didn't do something that account and access logs say they did.
o 7 Focus on automated detection and prevention
      • This isn't necessarily talking about insider threat, as that is already covered with a few of the other tips. This is specifically talking about data exfiltration. We need to be able to find out when this is happening as well as have the mechanisms in place to stop it quickly.
o 8 Implement IT vendor monitoring tools
      • This might be the first time I've seen something suggesting this route, aside from when we discussed ObserveIT products. The recent NSA leak shows that we can never be too careful about third party product or service providers, no matter how much we trust them. In many cases, any vulnerability in their technology, processes, or the organization as a whole could impact your level of risk.
o 9 and 10 go together.
      • First you need to reassess the policies that are already implemented to make sure they are actually doing what you would like them to do. I addressed insider threat policies a few episodes back, but this should be extended to all existing security policies.
      • Next, you will want to either modify the existing policies or create new ones to bridge any gaps in your security strategy when it comes to insider threat.
o I think this list of tips is a very good starting point. It is important to remember however that you will need to cater all suggestions to fit your specific environment and the amount of risk that your organization is willing to tolerate. Not all organizations are the same and you don't want to stick entirely to a universal template.
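Tips 2, 5, 6 and 7 fit together in practice: the activity log is what lets you spot a shared credential or a large outbound transfer, and the same log ties each action to a named account, which is what gives you nonrepudiation. The script below is an added example written for these notes, not from the eWeek article or any vendor product. It runs two simple rules over a constructed log and rolls the hits into a per-account risk score; the log format, the 10-minute login window, the 50 MB upload threshold and the rule weights are all assumptions made for the example.

```python
"""Toy user-activity monitor: two detection rules plus a risk score.

Added example for tips 2, 5, 6 and 7 above; not from the eWeek article.
Log format, thresholds and weights are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<iso time> <user> <event> <source ip> <bytes>".
SAMPLE_LOG = """\
2017-06-12T08:01:00 alice login 10.0.1.15 0
2017-06-12T08:03:00 alice login 10.0.9.77 0
2017-06-12T08:10:00 bob login 10.0.1.20 0
2017-06-12T09:30:00 bob upload 203.0.113.5 52000000
2017-06-12T09:31:00 carol upload 203.0.113.5 120000
2017-06-12T10:00:00 carol login 10.0.1.21 0
2017-06-12T13:00:00 carol login 10.0.1.21 0
"""

SHARED_LOGIN_WINDOW = timedelta(minutes=10)          # assumption
EXFIL_BYTES = 50_000_000                             # assumption: 50 MB
WEIGHTS = {"shared_login": 40, "large_upload": 60}   # assumption


def parse(log: str) -> list:
    """Turn the text log into a list of event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, event, src, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "src": src, "bytes": int(nbytes)})
    return events


def shared_login_alerts(events: list) -> list:
    """Tip 6: one account logging in from two sources within the window."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            logins[e["user"]].append(e)
    alerts = []
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= SHARED_LOGIN_WINDOW:
                alerts.append({"user": user, "rule": "shared_login",
                               "detail": f"{a['src']} then {b['src']} "
                                         f"within {b['ts'] - a['ts']}"})
    return alerts


def large_upload_alerts(events: list) -> list:
    """Tip 7: a single outbound transfer at or above the byte threshold."""
    return [{"user": e["user"], "rule": "large_upload",
             "detail": f"{e['bytes']} bytes to {e['src']}"}
            for e in events
            if e["event"] == "upload" and e["bytes"] >= EXFIL_BYTES]


def risk_scores(alerts: list) -> dict:
    """Tip 5: add up rule weights per account."""
    scores = defaultdict(int)
    for a in alerts:
        scores[a["user"]] += WEIGHTS[a["rule"]]
    return dict(scores)


def analyse(log: str):
    """Run both rules over a log; return (alerts, per-user scores)."""
    events = parse(log)
    alerts = shared_login_alerts(events) + large_upload_alerts(events)
    return alerts, risk_scores(alerts)


if __name__ == "__main__":
    found, scores = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a['user']:6} {a['rule']:13} {a['detail']}")
    print("risk scores:", scores)
```

In the sample, alice trips the shared-login rule (two sources two minutes apart), bob trips the upload rule, and carol trips nothing, so only alice and bob get a score. A real deployment would add many more rules and weight them by the sensitivity of the data involved, which is exactly where the "cater to your own environment" point at the end of the list applies.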

·         Vendor Segment
o CyberArk Privileged Account Security
o From the website - "CyberArk is the only security company laser-focused on striking down targeted cyber threats that make their way inside — undetected — to attack the heart of the enterprise. More than 3,200 global businesses trust CyberArk to protect their highest value assets, enabling them to master audit and IT compliance requirements."
o CyberArk has several products and solutions that support information security, but the one we are going to talk about is their Privileged Account Security solution
      • Enterprise Password Vault® fully protects privileged passwords based on privileged account security policies and controls who can access which passwords when.
      • SSH Key Manager™ secures, rotates and controls access to SSH keys in accordance with policy to prevent unauthorized access to privileged accounts.
      • Privileged Session Manager® isolates, controls, and monitors privileged user access as well as activities for critical Unix, Linux, and Windows-based systems, databases, and virtual machines.
      • Privileged Threat Analytics™ analyzes and alerts on previously undetectable malicious privileged user behavior enabling incident response teams to disrupt and quickly respond to an attack.
      • Application Identity Manager™-Conjur eliminates hard-coded passwords and locally stored SSH keys from applications, service accounts and scripts with no impact on application performance.
      • On-Demand Privileges Manager™ allows for control and continuous monitoring of the commands super-users run based on their role and task.
      • Endpoint Privilege Manager secures privileges on the endpoint and contains attacks early in their lifecycle.
o Key benefits
      • Ensure that only authorized users are able to access powerful privileged accounts
      • Prevent users from being able to gain unapproved elevated privileges
      • Establish strict accountability over the use of privileged accounts by tracking who accessed what accounts and what actions were taken
      • Improve forensic analysis by generating a detailed, tamper-proof audit trail of all privileged account activity
      • Rapidly detect and be alerted on anomalous activity that could signal an inside attack in-progress


·         Thought of the Week Segment
o Our thought of the week comes from Mary Anne Evans, an English writer who went by the pen name "George Eliot". She said "It is a narrow mind which cannot look at a subject from various points of view."

·         Outro
o Thank you for listening to episode 5 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
o You can contact me on twitter @stevehigdon or email me at theinsiderthreatpodcast@gmail.com. Please also consider joining our community and discussions at http://reddit.com/r/insiderthreat. That is where you will also find the show notes for this and all other episodes going forward, as well as links to the topics we've covered.
o Thanks again and I'll see you folks next time!



·         Show Notes
·         Articles covered in this episode:
·         Vendors covered in this episode
·         Thought of the week
o    "It is a narrow mind which cannot look at a subject from various points of view." - Mary Anne Evans as George Eliot


Creating an Effective Awareness Program

Title - Creating an Effective Awareness Program

  • In this episode we're gonna cover security awareness programs, culture, insider threat training requirements for federal contractors, and more! Don't touch that dial!

  • Intro
    • Welcome back! This is episode 4 of The Insider Threat podcast, for the week of June 5th, 2017. As a quick update, I am working on a segment or two about unlikely insiders, which was inspired by a story that one of you gave me. Please keep those up. It lets me know of actual issues out there in your organizations and lets me use this as a medium to share the information to a large audience. As I said before, I'll be sure to anonymize the stories to keep everyone out of deep water.

  • Infosec Question of the Week
    • It's time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
    • The question last week was "In the early 1970s, John Draper discovered that he could make free long distance calls by sending a certain tone through the phone. What did he use and where did he get it?"
    • The answer was that he used a whistle that he found in a box of cereal. This later earned him the nickname "Captain Crunch".

  • Congratulations to:
    • Brady from Milwaukee
    • Harlan from the UK
    • Annetta from Jersey City
    • Isaac from Washington State
    • And Bob from Jacksonville for getting the correct answer.

  • Here's your question for this week: In 1997, a hacker group was angry about hackers being falsely accused of electronically stalking a Canadian family. They broke into the Canadian Broadcasting Corporation's web site and left a message saying: "The media are liars." The family's own 15-year-old son was eventually identified as the stalking culprit. What was the name of this group?
  • Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag "notreallybacon".

  • Articles
    • Our first article this week is related to an insider threat training requirement for federal contractors

  • Our next article comes from Kai Roer at Infosecurity-magazine.com: "A Culture of Security, Not of Blame"
    • https://www.infosecurity-magazine.com/blogs/culture-security-not-blame/
    • I really liked the general idea of this one and there were some good nuggets to take from it
    • "Technology continuously introduces huge amounts of security challenges and risk factors, which we keep blaming employees for not handling correctly. Blaming people for not handling poor technology correctly is - in my opinion - simply wrong. In fact, by blaming the employee for clicking on a phishing link, or opening an attachment, is similar to building a car with poor brakes, and then blaming the driver when the car crashes. Guess what, with cars the manufacturer does not get away with blaming the weakest link or the stupid driver."
    • There are quite a few things I can agree with in here, to include the note about not blaming users for doing the wrong thing. I think he could have taken it further by saying that it is our fault - as security professionals - for not training them in a way that makes an impact. Instead of taking the time to do that, we write off our users as lost causes and invest in more technology to compensate.
    • The author appears to be anti-awareness and pro-culture. I guess my argument would be that awareness programs can be an instrumental part of building that culture.
    • What do you think? I'd love to get your opinion on this one in particular, so please let me know.

  • Instructional Segment
    • Speaking of awareness programs, today I want to try a segment that provides some actionable steps for improving your organization right away. I asked some folks on LinkedIn and Twitter some questions related to information security awareness programs, and this is a compilation of sorts of the responses that I received.

  • What goes into effective information security awareness training?

  • Purpose
    • Why does the organization have the program?
    • You can mention compliance requirements here, but I would make it subtle
    • What business functions and their associated systems need to be protected?
  • Do's and don'ts when using information systems, and why?
    • Acceptable Use Policy
    • Account Management Policy
    • Data Retention or Encryption Policies
    • Cater to the applicable policies for the audience
  • Description of the threat
    • Start with a question about the most important parts of their job and what IT assets are critical for their success in accomplishing them
    • Now talk about the critical systems for the organization as a whole, such as payroll, benefits, timekeeping, shipping, estimating, email and other communications, or whatever else the organization relies on for business
    • "If we didn't have <fill in the system>, the organization would come crumbling down"
    • The loss of those systems defines the threat, from stopping a single employee from being able to do their work to the entire organization being unable to accomplish its mission
  • Examples of the threat
    • Here you can talk about any stories you have, as well as anything that the audience members can share
      • Something like "that time that Tom got a virus and had to try to work without a computer for 3 days. He thought he would get fired"
    • Examples of real incidents
      • WannaCry
      • Popular breaches, like Target, Home Depot, and Chipotle
      • The suspicion that other countries are trying to impact election outcomes
    • Bring it home (both the family and the firm)
      • What if a hacker was able to get your bank account information?
      • What if they could see your children through your computer's webcam?
      • What if they were able to hack into your alarm system to break into your home without setting off any bells?
  • Responses to incidents
    • This is where you tie in your own organization's policies and procedures to actionable responses to suspected security events
      • The members of the audience are the ones that have to use these systems every day.
      • I had a user in the past that reported a suspected virus on their system…
        • Sent an email to them afterward expressly thanking them for their contribution to the security program

  • What makes an effective information security awareness program?

  • Relevance
    • Give them information that will actually apply to their work and home lives
      • One idea I had recently was to start at the very basics for securing their home networks. Even if employees don't care about the information security program for the company, they should be concerned about protecting their personal lives.
      • Maybe start with teaching them how to secure their social media accounts, and home wifi or computers and go from there
      • The basics are the same and it greases the wheels in a way that will let you segue to organizational security later
  • Engagement
    • Get them involved
      • This applies to any type of training. If you just stand at the front of the room and lecture them, they will fall asleep
    • Get them to ask and answer questions
      • Who knows, they might think of something that you didn't when you were putting your speaking points together
    • Break them up into groups for further discussion and exercises
      • You could give them some symptoms of a potential security issue and have them come up with the proper reporting procedures, based on how your organization does it
  • Timeliness
    • Frequency
      • Most are annual
      • Might be different for your organization, depending on any compliance requirements
      • One organization I heard of had a security question….
        • Even if they cheat, it still gets them talking
        • Their participation could even be used for annual performance evaluations or keep them from having to do the formal annual awareness exam
    • The key is to get them thinking about security all the time, not just the 20 minutes a year they are taking a test or sitting in a classroom
  • Support
    • Most important
    • Management support for the information security program
      • If the CEO or general manager walks into the class and just says something like "Pay attention to this. It's very important."

  • Bottom line: the most effective awareness program is one that works best for YOUR organization.

  • Thought of the Week Segment
    • Our thought of the week comes from Bruce Schneier, who said "if you think you can solve the security problems with technology, you don't know technology"

  • Outro
    • Thank you for listening to episode 4 of The Insider Threat podcast. Please remember to subscribe and review in your favorite podcast app, and also share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions.
    • You can contact me on twitter @stevehigdon or email me at theinsiderthreatpodcast@gmail.com.
    • Thanks again and I'll see you folks next time!