The Insider Threat Taking Control of the Most Unsavory of Threats Presented by: John H Rogers, CISSP Manager of Professional Services [email protected] Copyright 2016-2017 © Sage Data Security | All rights reserved

The Insider Threat - Maine Bankers Association · PDF fileFFIEC Appendix J Business Continuity Planning Booklet. ... •Perception of lax control •Time pressure ... mitigating the


Page 1:

The Insider Threat: Taking Control of the Most Unsavory of Threats

Presented by: John H Rogers, CISSP, Manager of Professional Services, [email protected]

Copyright 2016-2017 © Sage Data Security | All rights reserved

Page 2:

Agenda

What is the Insider Threat?

Why is this Important?

Who is the Insider?

Characteristics, Factors & Indicators

Deterrence

Prevention & Detection

Response

Page 3:

Insider Threat

What is Insider Threat?

• Intentional abuse of access

• Misuse of privilege

• Inadvertent compromise

• Breach of trust relationship

“92 percent of IT Leaders felt their organizations were either somewhat vulnerable to insider threats, while 49 percent said they felt very or extremely vulnerable to insider threats.” –Vormetric Insider Threat Report 2015

Page 4:

Insider Threat - Why Is This Important?

The path of least resistance: why brute-force technical controls when people (or their stolen credentials) can simply circumvent them?

• Unwitting Insider Threat: a compromise of the good
  • Phishing
  • Vendor spoofing
  • Pretexting
  • Keylogging

• Active Insider Threat: disgruntled, in trouble, or just greedy
  • Advertising for specific company employees to join the dark side
  • Desperate people do desperate things: good folks doing bad things
  • Mercenary employees: no loyalty can translate into criminal behavior

Page 5:

Insider Threat - Why Is This Important?

“Cyber threats can be launched from within a financial institution or TSP by a disgruntled employee or a person placed in the financial institution deliberately to carry out a cyber attack. The financial institution should consider the possibility that a knowledgeable insider may cause a disruptive event and the potential impact of the event on business resilience...”

FFIEC Appendix J Business Continuity Planning Booklet

Page 6:

Insider Threat - Why Is This Important?

2016 (chart slide; the graphic was not reproduced in the text extraction)

Page 7:

Insider Threat – Who is the Insider?

• Each issue of the FS-ISAC report typically carries one or more items on arrests and convictions for malicious actions taken by insiders.

Page 8:

Insider Threat – Characteristics*

• Extreme introversion
• Financial need
• Vulnerability to blackmail
• Compulsive / destructive behavior
• Rebellious, passive-aggressive
• Ethical "flexibility"
• Reduced loyalty
• Entitlement / narcissism
• Minimizing mistakes / faults
• Inability to assume responsibility for actions
• Intolerance
• Self-perceived value exceeds performance
• Lack of empathy
• Pattern of frustration and disappointment
• History of managing crises ineffectively

*National Cybersecurity and Communications Integration Center : Combating the Insider Threat

Page 9:

Insider Threat – Personal Factors

• Greed / need

• Anger / Revenge

• Problems at work, e.g., lack of recognition, disagreements, pending layoff

• Ideology

• Divided loyalty

• Adventure / Thrill

• Ego / Self-image

• Ingratiation

• Compulsive behavior

• Family problems

U.S. Department of Justice Federal Bureau of Investigation: The Insider Threat

Page 10:

Insider Threat – Organizational Factors

• Availability and ease of acquiring information

• Mislabeled information

• Lack of physical access controls: taking hard-copy information

• Weak logical access controls

• Undefined policies related to “work from home” for sensitive projects

• Perception of lax control

• Time pressure

• Lack of training

• Policies that are not enforced

• Leadership that doesn’t follow policies

U.S. Department of Justice Federal Bureau of Investigation: The Insider Threat

Page 11:

Indicators - Behavioral

• Without need or authorization, takes proprietary or other material home.

• Inappropriately seeks or obtains information not related to their work duties.

• Interest in matters outside the scope of their duties.

• Unnecessarily copies material, especially if it is proprietary or classified.

• Remotely accesses the computer network while on vacation, sick leave, or at other odd times.

• Disregards company computer policies:
  • Installing personal software or hardware
  • Accessing restricted websites
  • Conducting unauthorized searches
  • Downloading confidential information

U.S. Department of Justice Federal Bureau of Investigation: The Insider Threat

Page 12:

Indicators - Behavioral

• Works odd hours without authorization; notable enthusiasm for overtime work, weekend work.

• Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel.

• Unexplained affluence; buys things that they cannot afford.

• Engages in suspicious personal contacts.

• Overwhelmed by life crises or career disappointments.

• Concern that they are being investigated.

• Many people experience or exhibit some or all of the above to varying degrees; however, most people will not cross the line and commit a crime.

U.S. Department of Justice Federal Bureau of Investigation: The Insider Threat

Page 13:

Indicators - Activity

• Data being accessed, copied, or deleted when there is no business justification

• Data being transferred out of the organization through file uploads, email, and/or physically on removable media

• Changes to access for file locations or inside of business applications that have no business justification

• Disabled or terminated employee accounts that become active again

• Access to unauthorized areas
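The activity indicators above are the kind a log review can catch mechanically. The following is an added example, not code from the presentation, that scans a constructed audit log for two of them: disabled or terminated accounts that become active again, and logins during recorded leave (the "remote access while on vacation" behavioral indicator). The log format, event names, user names, addresses and HR feeds are all constructed assumptions; the point is the cross-check between the account-lifecycle events in the log and the HR data.

```python
"""
Added example, not code from the presentation: scan a constructed audit log for
disabled or terminated accounts that become active again, and for access during
recorded leave. Log format, event names, HR lists and addresses are assumptions.
"""
import re
from datetime import date, datetime

# Constructed sample audit log: "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2017-03-01T09:12:44 login_success user=jdoe src=10.1.4.20
2017-03-02T17:30:00 account_disabled user=jdoe by=hr_offboard
2017-03-04T02:15:09 account_enabled user=jdoe by=helpdesk7
2017-03-04T02:17:51 login_success user=jdoe src=203.0.113.8
2017-03-05T10:00:00 login_success user=asmith src=10.1.4.31
2017-03-06T23:40:13 login_success user=bwong src=198.51.100.5
"""

# Constructed HR feeds: termination dates and approved leave windows (inclusive).
TERMINATED = {"jdoe": date(2017, 3, 2)}
ON_LEAVE = {"bwong": (date(2017, 3, 6), date(2017, 3, 10))}

LINE_RE = re.compile(r"^(\S+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    event = {"ts": ts, "event": m.group(2)}
    for kv in (m.group(3) or "").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def find_indicators(log_text, terminated=TERMINATED, on_leave=ON_LEAVE):
    """Return (timestamp, user, reason) alerts in log order.

    The set of disabled accounts is tracked from the log itself, so a re-enable
    is flagged even when HR has not yet recorded a termination for that account.
    """
    alerts = []
    disabled = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or "user" not in ev:
            continue
        user, day = ev["user"], ev["ts"].date()
        terminated_on = terminated.get(user)
        if ev["event"] == "account_disabled":
            disabled.add(user)
        elif ev["event"] == "account_enabled":
            if user in disabled or (terminated_on and day >= terminated_on):
                alerts.append((ev["ts"], user,
                               f"re-enabled by {ev.get('by', 'unknown')} after disable/termination"))
            disabled.discard(user)
        elif ev["event"] == "login_success":
            if terminated_on and day >= terminated_on:
                alerts.append((ev["ts"], user, "login after HR termination date"))
            if user in on_leave:
                start, end = on_leave[user]
                if start <= day <= end:
                    alerts.append((ev["ts"], user, "login during recorded leave"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in find_indicators(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run against the sample it reports three alerts: the helpdesk re-enable of jdoe, jdoe's login two days after the termination date, and bwong's late-night login on the first day of leave. The re-enable is worth attention on its own, and the `by=` actor is the first thing an investigator will want.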

Page 14:

Deterrence

• Deploy data-centric, not system-centric, security

• Crowd-source security: train and educate the workforce, and provide avenues for reporting

• Use positive social engineering

• Think like a marketer and less like an IDS analyst

• Build a baseline of normal volume, velocity, frequency and amount across hourly, weekly and monthly patterns

• Use centralized logging to detect data exfiltration

• Require identification for all assets (e.g. access cards, passwords, inventory check out)

*National Cybersecurity and Communications Integration Center : Combating the Insider Threat
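The baseline bullet above is the core of volume-based exfiltration detection: compare what a user is moving now against what that same user normally moves at that weekday and hour. The following is an added example, not code from the presentation, that builds such a baseline from constructed history and scores new observations against it. The traffic figures, user names and thresholds are constructed assumptions; in practice the history would come from proxy, firewall or DLP logs fed through the centralized logging the next bullet calls for.

```python
"""
Added example, not code from the presentation: a per-user (weekday, hour)
baseline of outbound data volume, with scoring of new hourly observations.
All traffic figures, names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_history():
    """Constructed history: four weeks of business-hours bytes-out for two users.

    Values follow a fixed pattern plus a small week-over-week drift so the
    example is deterministic; a real deployment reads these from logs.
    """
    records = []
    start = datetime(2017, 1, 2)  # a Monday
    for day in range(28):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:  # no weekend traffic in this baseline
            continue
        week = day // 7
        for hour in range(8, 18):
            ts = d.replace(hour=hour)
            records.append(("asmith", ts, 2_000_000 + 50_000 * (hour % 3) + 10_000 * week))
            records.append(("jdoe", ts, 500_000 + 20_000 * (hour % 2) + 5_000 * week))
    return records


def bucket(ts):
    """Baseline key: Monday 09:00 is compared only with past Mondays at 09:00."""
    return (ts.weekday(), ts.hour)


def build_baseline(records):
    """Per (user, bucket): mean and population std dev of hourly bytes out."""
    series = defaultdict(list)
    for user, ts, nbytes in records:
        series[(user, bucket(ts))].append(nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in series.items()}


def score(baseline, user, ts, nbytes, sigma=3.0, min_ratio=3.0):
    """Return (is_anomalous, reason) for one hourly observation.

    Both tests must trip: beyond `sigma` standard deviations AND more than
    `min_ratio` times the mean. The ratio guard stops a near-constant baseline
    (tiny std dev) from alerting on trivial increases.
    """
    key = (user, bucket(ts))
    if key not in baseline:
        return True, "no baseline for this user at this weekday/hour"
    mu, sd = baseline[key]
    if nbytes > mu + sigma * sd and nbytes > min_ratio * mu:
        return True, f"{nbytes} bytes vs baseline mean {mu:.0f} (sd {sd:.0f})"
    return False, "within baseline"


def detect(baseline, observations, **kw):
    """Filter (user, ts, bytes) observations down to the anomalous ones."""
    flagged = []
    for user, ts, nbytes in observations:
        anomalous, reason = score(baseline, user, ts, nbytes, **kw)
        if anomalous:
            flagged.append((user, ts, nbytes, reason))
    return flagged


def example_observations():
    """Constructed observations for the week after the baseline period."""
    return [
        ("jdoe", datetime(2017, 1, 30, 10), 520_000),     # ordinary Monday morning
        ("jdoe", datetime(2017, 1, 30, 10), 550_000),     # above 3 sd, but under 3x mean
        ("jdoe", datetime(2017, 1, 30, 10), 40_000_000),  # ~80x normal: possible bulk copy-out
        ("jdoe", datetime(2017, 1, 29, 3), 300_000),      # Sunday 03:00: never seen before
    ]


if __name__ == "__main__":
    base = build_baseline(build_history())
    for user, ts, nbytes, reason in detect(base, example_observations()):
        print(f"{user} {ts:%a %H:%M} {nbytes}: {reason}")
```

Only the last two observations are flagged: the 40 MB hour and the Sunday 03:00 activity for which no baseline exists. The 550 kB hour is more than three standard deviations above the Monday 10:00 mean but is not three times it, which is exactly the kind of noise the ratio guard is there to suppress; tune `sigma` and `min_ratio` to the organisation's own data rather than taking these values as given.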

Page 15:

Deterrence

• Announce the use of policies that monitor events like unusual network traffic spikes, volume of USB/mobile storage use, volume of off-hour printing activities and inappropriate use of encryption

• Provide avenues for employees to vent concerns and frustrations to aid in mitigating the insider threat motivated by disgruntlement

• Implement employee recognition programs that offer public praise to aid in mitigating the insider threat motivated by ego

• Authorize users based on least access privilege and conduct periodic audits to detect inappropriately granted access or access that still exists from previous job roles/functions and should be removed

*National Cybersecurity and Communications Integration Center : Combating the Insider Threat
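The periodic audit bullet above is a reconciliation problem: what is actually granted versus what the person's current role permits. The following is an added example, not code from the presentation, of such a review over constructed data. Role names, entitlement names, the HR roster and the entitlement export are all constructed assumptions; a real review would pull the roster from HR and the grants from the directory or each application.

```python
"""
Added example, not code from the presentation: a periodic access review that
compares granted entitlements against the current role, flagging leftovers from
previous roles, grants outside any role, and accounts with no HR record.
Role names, entitlements and rosters are constructed assumptions.
"""

# Constructed role model: what each job function is allowed to hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking_read", "teller_app"},
    "loan_officer": {"core_banking_read", "loan_origination", "credit_reports"},
    "it_admin": {"domain_admin", "backup_console"},
}

# Constructed list of entitlements that warrant immediate follow-up when found outside a role.
PRIVILEGED = {"domain_admin", "wire_approval", "backup_console"}

# Constructed HR roster: each person's current role.
HR_ROSTER = {"asmith": "loan_officer", "jdoe": "teller", "bwong": "it_admin"}

# Constructed entitlement export: what is actually granted today.
GRANTED = {
    "asmith": {"core_banking_read", "loan_origination", "credit_reports", "teller_app"},  # teller_app left over from a previous role
    "jdoe": {"core_banking_read", "teller_app", "wire_approval"},  # wire_approval is not part of the teller role
    "bwong": {"domain_admin", "backup_console"},
    "ghost": {"core_banking_read"},  # no HR record at all
}


def review_access(roster, granted, roles, privileged=PRIVILEGED):
    """Return findings as (user, severity, issue, entitlements), sorted by user.

    An account absent from the HR roster is reported whole; for everyone else
    only the entitlements beyond the current role are reported, rated high when
    any of them is in the privileged set.
    """
    findings = []
    for user in sorted(granted):
        ents = granted[user]
        role = roster.get(user)
        if role is None:
            findings.append((user, "high", "no HR record (orphan account)", sorted(ents)))
            continue
        excess = ents - roles.get(role, set())
        if excess:
            severity = "high" if excess & privileged else "medium"
            findings.append((user, severity, f"beyond current role '{role}'", sorted(excess)))
    return findings


if __name__ == "__main__":
    for user, severity, issue, ents in review_access(HR_ROSTER, GRANTED, ROLE_ENTITLEMENTS):
        print(f"[{severity:6}] {user}: {issue}: {', '.join(ents)}")
```

On the constructed data the review produces three findings: asmith still holds `teller_app` from an earlier role (medium), `ghost` has access but no HR record (high), and jdoe holds `wire_approval`, which no teller role grants (high). Running this on a schedule, and having a second person confirm each removal, is the practical form of "restrict access and review access frequently".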

Page 16:

Prevent

How do you prevent?

• Effective prevention relies on administrative and technical controls:
  • Block file downloads to media.
  • Encrypt critical information at rest.
  • Restrict access and review access frequently.
  • Monitor for access success as well as failure.
  • Network segmentation.
  • Role-based access with application of "least privilege" to perform job duties.

Page 17:

Detect

How do you detect?

• Know where your critical data is and log access and changes

• Review those logs

• Know your critical applications and log access and access changes

• Review those logs

• Periodically rotate responsibilities for sensitive functions

• Separate responsibility for detection setup and detection monitoring

• Monitor Internet traffic by type and location

• Mandatory vacation time

Pages 18 to 26: Detect (nine slides whose content was not captured in the text extraction; headings only)

Page 27:

Detect

Some security technologies to detect/prevent insider attacks include:

• Data/file encryption
• Enterprise identity and access management (IAM)
• Data access monitoring
• Data access control
• SIEM or other log analysis
• Intrusion detection/prevention systems (IDS/IPS)
• Data loss prevention (DLP)
• Enterprise digital rights management solution
• Data redaction

Page 28:

Response

What are the elements for a response?

• Have a process to investigate and document
  • Ensure your IRP has provisions for insider threat

• Be committed to respond based on evidence
  • Detective controls
  • Forensics

• Be prepared to act quickly

• Be prepared to restore

Page 29:

Recap

• Insiders are responsible for most data breaches
  • Intentional bad actors
  • Inadvertent: compromise of good people
  • Vendors and partners

• Know your people!
  • Pay attention to the characteristics and indicators

• Take steps to deter
  • Educate and notify
  • Provide avenues to report
  • More carrots

• Detective controls are critical

• Policies that are socialized and enforced, top to bottom

• Planning is the key to swift and effective response

Page 30:

Questions & Answers

Presented by: John H Rogers, CISSP

Manager of Professional Services, [email protected]