Title - Wanna Bring Down the Globe?
In this episode we're gonna
give a recap of the WannaCry ransomware, talk about insider threat in health
IT security, ObserveIT User Behavior Analytics, and more! Don't touch that
dial!
Intro
o Welcome back! This is episode 2 of The Insider Threat podcast, for
the week of May 22nd, 2017.
Quick Announcements Segment
o We have gotten some really great feedback from the first episode,
and I urge you to keep it up. In the future, I plan on having some guest
interviews, to include folks from the industry and vendors who have a solution
for tackling insider threat. Please continue to provide as much feedback as
possible, as this is your show and you should be helping to drive its direction
for the future.
Infosec Question of the Week
o It's time for your Infosec Question of the Week, where Google is
king and the prize is nonexistent!
o Here's your question: How did notorious hacker Kevin Mitnick know
that federal agents were near his apartment?
o Send your response to InfosecAnswer@gmail.com. Be sure to include
your first name, location, and the hashtag "colddonuts".
Articles
o As a recap of the WannaCry ransomware attack that plagued the
world and our news feeds over the past week: there are claims that the initial
infection of the worm was carried out by a malicious email attachment.
o An estimated 200,000 computers in 150 countries were infected.
o At one point, there was a DDoS against the server that was being
used by the attackers for the decryption process, so victims who had already
paid the ransom were out the money and still couldn't access their files.
o The spread of the attack was stopped when a security researcher
who goes by the name MalwareTech registered the domain that was being
used as a kill switch. Basically, when the malware infected a system, one of
the first things it did was try to contact that unregistered domain
name. As long as the domain wasn't active, the malware continued through infection,
propagation, and encryption. By the way - if you are in the media and you
encounter someone in the security industry who wishes to remain nameless,
please respect that.
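The kill-switch lookup described above is also a usable detection signal for defenders: an internal host that queries the kill-switch domain has already run the malware, whether or not the domain resolved, so registering the domain stopped the worm from spreading further but did not clean the hosts that queried it. The script below, added here as an example and not taken from the podcast or from any named researcher, scans constructed BIND-style DNS query log lines for lookups of a placeholder watch domain (the real WannaCry domain is not given in these notes) and lists the querying hosts for isolation and patching.

```python
"""Flag internal hosts that queried a known kill-switch / sinkhole domain.

Added example, not from the podcast. The watch domain and the DNS log lines
are constructed placeholders, not the real WannaCry kill-switch domain.
"""
import re
from collections import defaultdict

# Placeholder: in practice this set holds the sinkholed domain(s) published
# by researchers or taken from your threat-intel feed.
WATCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
22-May-2017 09:01:12.001 client 10.0.5.17#51234: query: www.example.com IN A + (10.0.0.53)
22-May-2017 09:01:13.447 client 10.0.5.17#51240: query: killswitch-placeholder.example IN A + (10.0.0.53)
22-May-2017 09:01:13.902 client 10.0.7.42#49152: query: killswitch-placeholder.example IN A + (10.0.0.53)
22-May-2017 09:02:01.130 client 10.0.5.17#51255: query: killswitch-placeholder.example IN A + (10.0.0.53)
22-May-2017 09:02:44.008 client 10.0.9.9#40001: query: updates.example.org IN A + (10.0.0.53)
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, queried_name) for each parsable line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name").rstrip(".").lower()


def find_killswitch_lookups(text, watch_domains=WATCH_DOMAINS):
    """Return {client_ip: [timestamps]} for every client that queried a watched domain.

    The lookup itself is the tell: the malware performs it before doing
    anything else, so the querying host ran the malware whether or not the
    domain resolved. A resolving (sinkholed) domain halts propagation on that
    host but does not remove the infection.
    """
    hits = defaultdict(list)
    for ts, ip, name in parse_query_log(text):
        if name in watch_domains:
            hits[ip].append(ts)
    return dict(hits)


def triage(hits):
    """Order affected hosts, most lookups first, for isolation and patching."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for ip, times in triage(find_killswitch_lookups(SAMPLE_LOG)):
        print(f"{ip}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Run against a resolver's query log export; any host that appears in the output should be treated as infected and patched against the underlying SMB vulnerability, not just left alone because the domain now resolves.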
o The reason this worm was so impactful to begin with was the high
number of legacy operating systems in use throughout the world. In many
cases it was people who were using unlicensed copies of Windows and were too
afraid to update their computers because they didn't feel like going through
the steps to re-crack their Windows version.
o Researchers who have reverse engineered the malware claim that it
was probably a product purchased and modified by amateurs, as it was poorly
designed and appeared to be composed of bits of code from other malicious
tools literally copied and pasted together.
o I've also included a link in the show notes to another piece of
malware called Adylkuzz that is using the same vulnerability as WannaCry, but
instead of encrypting your files it mines a cryptocurrency called
"Monero". For those who don't follow cryptocurrency, Monero is a
lesser known digital currency than bitcoin or ethereum. I wasn't able to find
any indication that this malware used phishing for infection, but I wouldn't be
surprised.
o This entire episode with both worms just goes to show that we need
to be teaching our employees to verify senders, links, and attachments before
opening things that they shouldn't.
https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
o Information Age Website - Cyber security professionals "admit
to paying ransom"
o Bromium, a security tool vendor that specializes in
virtualization-based enterprise security that stops advanced malware attacks,
announced the findings of their research conducted at the recent RSA
Conference.
o During the research, they surveyed security professionals on their
own behavior. According to that survey, about 10% of security professionals
admit to paying ransoms and not disclosing the incident to their bosses or
anyone else in their organizations.
o We have spoken about insider threat and ransomware already, but
that typically involves users clicking on links or attachments. We haven't yet,
however, covered the human factor of security professionals and their own
motivations behind their actions.
o It is important here to remember that absolutely everyone involved
in security - from the end users to executive management - is human. Just like
everyone else, those of us in security are equally concerned about our own
jobs. If you were to accidentally infect your corporate workstation with some
sort of malware, would you go through the standard incident response procedures
or would you find a way to take care of it yourself? This is an important
question to ask, because the same fear of reprisal is what often drives the
decisions of our users.
o The study also claims that about 35% of security professionals
admit to bypassing their own corporate security settings, but that one isn't as
much of a surprise to me. We often have to make configuration changes in the
course of our day-to-day work and it isn't malicious in nature. On the other
hand, if this is being done in order to circumvent security controls for
reasons outside of their normal job scope, this can be a very bad thing and we
should know better.
o Health IT Security website - 67% of Security Teams Say Insiders
Top Data Security Threat
o The author quoted findings from the survey behind the 2017
Secure Access Threat Report.
o Over 2/3 of the security professionals surveyed believed that either
malicious or unintentional acts by insiders were the greatest security threat
to organizations.
o There were some other really good statistics in that article, so I
will leave a link to it in the show notes. I won't swear to the accuracy of the
survey, though. Between us, some of the math just doesn't seem to add up. But
in all fairness, that could certainly be attributed to my own arithmetic
deficiencies.
o So I heard from another information security professional this
past week that during an internal phishing campaign, 80% of the users clicked
on the link in the email. That said, I'm not sure if the source of the email was
internal or external, but that’s a pretty high percentage, especially when you
take into account that there were about 2000 users in the organization. What
can we do differently to get the point across? If you were in the situation I
just described, what would be your next step? Do you start including things
like this in employee annual performance reviews? Do you repeat the process
until you can identify habitual offenders and use that information to focus
your oversight strategy? Just some thoughts.
o SC Magazine - Insider threat faces $300K fine for hacking former
employer
o So Yovan Garcia was caught hacking his employer's website to
adjust his overtime hours and they took him to court, claiming $318,661.70
worth of damages. The judge ruled in favor of the company, named Security
Specialists, and he is going to have to work many extra overtime hours to pay
up, that is if he is able to get a job after this.
o On top of all that, after Garcia was fired from his company, he
started his own consulting firm and sold a knock-off version of the software
that his old employer developed.
o When we trust our system, network, and even security
administrators with privileged access to our environments, we can't just assume
that they are the "good guys". Even people who should know better
have the ability to make mistakes or cross the ethical line. That doesn't
exempt them from the same stringent oversight and separation of duties
strategies that every other employee must adhere to. Actually, we might want to
pay even closer attention to those who have admin rights to the systems or
network. In this case, he probably thought that he could get away with it
because of an assumption that nobody was watching.
o Our last article today was written by Dr. Jessica Barker, who runs
a security consultancy and, with a background in sociology, specializes in the
human side of security.
o She says that we often fail to acknowledge that there is an
excessive security burden placed on the people using technology and that we
don't take the time to bridge the gap and see the overlaps between the human
and technical vulnerabilities in our organizations.
o We spend quite a bit of time with the hardening of our software,
hardware, and networks, but we don't spend nearly enough time hardening our
people and culture and "the responsibility is on all of us to work towards
the creation of a positive and empowering environment".
o I really like the approach that Dr. Barker uses when trying to
address the human side of security, and one day I would really like to try to
get her on the show to talk about it more. Sometimes we place too much emphasis
on the security processes and technologies in our organizations as a band-aid
for the real problem, which is that users either don't understand the security
impacts of their actions or they simply don't care.
o As always, the links to these articles will be placed in the show
notes.
Vendors
o Not a sponsor of the show
o From their website - ObserveIT empowers organizations to precisely
identify and proactively protect against malicious and negligent behavior of
everyday users, privileged users and remote vendors. They significantly reduce
security incidents by changing user behavior through real-time education and
deterrence coupled with full-screen video capture of security policy
violations. This cuts investigation time from days sifting through logs to
minutes of playing back video.
o Some of the key features are session recording, alerting, risk
dashboards, behavior management, shared account identification, and privacy
protection.
o This solution can be used to observe and record user actions to
ensure that they are not violating the organization's acceptable use policy
during the course of their work day.
o We spoke earlier about trusting privileged users with elevated
access without periodically verifying that they aren't doing the wrong thing.
This tool can also be used for that purpose.
o When it comes to service contracts with vendors, ObserveIT can be
used to remotely watch third-party personnel and ensure that they are doing
what they are contracted to do and billing labor hours accurately.
o Finally, ObserveIT can be used for regular compliance
requirements when it comes to auditing. It isn't just generating logs of user
actions on systems and the network - it is recording everything they do. This
capability will certainly help with providing evidence of wrongdoing after a
malicious act has occurred.
o The first thing I was thinking about when researching this product
was privacy. Well, they have thought of that, too. You can configure the system
to require multiple unique passwords in order to play back the recorded
sessions. In this case, you would have someone from ObserveIT enter their
password, then a union representative or someone from legal enter theirs.
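The playback control just described is a two-person (dual-control) rule: a recording is released only when one approver from each of two separate roles has independently authenticated. The class below is an added illustration of that pattern and is not ObserveIT's own code; the role names, approver names and passwords are constructed. It stores salted PBKDF2 hashes per approver, and rejects two approvals from the same role or the same person entering their password twice.

```python
"""Two-person authorization before a recorded session can be played back.

Added example modelled on the feature described above; it is not ObserveIT's
code. Role names, approver names and passwords are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; tune for your hardware


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PlaybackAuthorizer:
    """Releases a recording only when every required role is covered by a
    distinct, correctly authenticated approver."""

    # Constructed roles: the monitoring admin plus an oversight party
    # (legal, HR, or a union representative).
    REQUIRED_ROLES = ("security_admin", "oversight")

    def __init__(self):
        self._approvers = {}  # name -> (role, salt, password hash)

    def enroll(self, name, role, password):
        if role not in self.REQUIRED_ROLES:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._approvers[name] = (role, salt, _hash_password(password, salt))

    def _verify(self, name, password):
        """Return the approver's role on a correct password, else None."""
        entry = self._approvers.get(name)
        if entry is None:
            return None
        role, salt, digest = entry
        if hmac.compare_digest(digest, _hash_password(password, salt)):
            return role
        return None

    def authorize_playback(self, session_id, credentials):
        """credentials: list of (name, password) pairs entered in sequence.

        Returns an audit record; 'authorized' is True only if each required
        role was covered by a different approver who authenticated correctly.
        """
        roles_covered = {}
        for name, password in credentials:
            role = self._verify(name, password)
            # Skip failed logins and any role that is already covered, so a
            # second admin or the same person twice cannot stand in for the
            # oversight approver.
            if role is None or role in roles_covered:
                continue
            roles_covered[role] = name
        ok = all(r in roles_covered for r in self.REQUIRED_ROLES)
        return {"session": session_id, "authorized": ok,
                "approvers": dict(roles_covered)}


if __name__ == "__main__":
    auth = PlaybackAuthorizer()
    auth.enroll("alice", "security_admin", "correct horse")
    auth.enroll("bob", "oversight", "battery staple")
    print(auth.authorize_playback("sess-42", [("alice", "correct horse"),
                                              ("bob", "battery staple")]))
```

In a real deployment the audit record would be written to a tamper-evident log alongside the playback itself, so that who watched which session is as well documented as the session content.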
o What do you think? Could you use this tool in your environment in
order to help combat the risks associated with insider threat? Would you use
this as your go-to solution or pair it with your security awareness training
program?
Thought of the Week Segment
o Our thought of the week comes from Dr. Jessica Barker when she was
speaking to Microsoft earlier this year - "If you engage in changing your
culture, if you engage in empowering your staff… then people go from being the
weakest link to the biggest part of defense"
Outro
o Thank you for listening to episode 2 of The Insider Threat
podcast. Please remember to subscribe, rate, and share with everyone you know!
Those reviews are key to building this out and improving for later episodes, so
please feel free to leave suggestions and constructive criticism.
o You can contact us on twitter @stevehigdon or email us at
theinsiderthreatpodcast@gmail.com.
o Thanks again and I'll see you folks next time!