Page 1: Phish, Spoof & Scam: Insider Threats, the GDPR and other regulations

Neira Jones FBCS, MSc, Independent Advisor, Payments, Risk, Cybercrime, & Digital Innovation

ObserveIT Webinar – 26th May 2016 (34 slides)

Page 2: The digital & regulatory landscape challenges

ENVIRONMENTAL
• Digital, hyper-connected, always on
• No traditional perimeter
• Extended supply chain: staff, contractors and suppliers putting organisations at risk
• People are now the weakest link

CRIMINAL
• Evolve rapidly and change tactics
• Design malware relying on tools that users trust
• Have moved from targeting systems to targeting individuals first (phishing, ransomware, etc.)

BUSINESSES
• Complex regulatory landscape: GDPR, PSD2, Privacy Shield, PCI DSS...
• Digital transformation
• Pressure to innovate
• Complex infrastructures
• Pressure to contain costs
• Too slow to discover a breach

Page 3: Good things come to those that bait…

Hacking the human...

Page 4: Are People & Regulations a dichotomy?

75% of incidents have a common denominator: PEOPLE*

People:
• Want convenience & flexibility
• Are not aware of risks
• Will find the path of least resistance
• Have redefined the concept of privacy
• Believe security is not their responsibility

Regulations:
• Aim to foster competition & promote innovation
• Aim to protect people
• Aim to reduce risk
• Aim to foster better behaviours
• Aim to make organisations more responsible

• Current & forthcoming regulations (e.g. GDPR, PSD2, etc.) apply to all, not only EU organisations.
• People are confused about digital risks and privacy.
• Regulations aim to reduce risks and improve privacy.
• Protecting PEOPLE is the common denominator.
• Managing staff to protect DATA will protect PEOPLE.

Page 5: (image-only slide)

Page 6: An evolving threat landscape

75% OF INCIDENTS HAVE A COMMON DENOMINATOR: PEOPLE
• 17.7% miscellaneous errors
• 16.3% insider & privilege misuse
• 15.1% physical theft & loss

Source: Verizon DBIR 2016

Page 7: TODAY, THREAT INTELLIGENCE, ADAPTIVE SECURITY, LAYERED DEFENCE AND INCIDENT RESPONSE HAVE BECOME ESSENTIAL.

“Hours instead of days! Now, we have minutes instead of hours.”
(Star Trek II: The Wrath of Khan, 1982)

Page 8: CRIMINALS ARE GETTING BETTER AT KNOWING THEIR TARGETS (US)

WE NEED TO GET BETTER AT KNOWING OURSELVES AND THINKING LIKE CRIMINALS...

Page 9: Insider Threat Actors: Knowledge is key

IDENTIFY THE POSSIBLE INSIDER THREAT SCENARIOS
• Miscellaneous errors
• Insider & privilege misuse
• Theft & loss
• Phishing/ Social Engineering

Page 10: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance → Initial compromise → Set up Command & Control → Identify, acquire & aggregate data → Exfiltrate or manipulate data

Strategies: PROACTIVE | REACTIVE

LET’S HAVE A LOOK AT HOW WE CAN BE PROACTIVE FIRST...

Page 11: Cyber Kill Chain – Insider Threat: Negligent behaviour

Reconnaissance → Initial compromise → Install malware, set up command & control → Identify, acquire, aggregate data → Exfiltrate or manipulate data

Initial compromise path:
• Phishing: email attachment, email link
• Person: alter behaviour
• User device: install malware; steal & use credentials

70% of successful breaches start on endpoint devices (source: IDC)

Proactive controls along the chain: Email security; Policies/ Procedures; Education/ Monitoring; Governance; Endpoint security; Encryption/ Tokenisation; Access control; Multi-factor auth; Monitoring/ Education; Governance; Incident Response.

AUTOMATE! AUTOMATE! AUTOMATE!

Page 12: Cyber Kill Chain – Insider Threat: Malicious behaviour

Reconnaissance → Initial compromise → Search for data → Capture & hide data → Exfiltrate or manipulate data

Initial compromise path:
• Person: alter behaviour, after a tipping point event (personal circumstances, grudge, dare, greed, collusion, etc.)
• User devices: credentials abuse
• User accounts, network access: unusual activity

7.6% of successful breaches are caused by privilege abuse (Verizon DBIR 2016)

Proactive controls along the chain: Endpoint security; Access mgt/ Privilege Acct Mgt; Data Classification; Policies/ Procedures; Education; User Behaviour Monitoring; Governance/ Enablement; Incident Response; Continuous Improvement; Monitoring/ Governance; Policies/ Procedures/ Education/ Monitoring; Governance/ Enablement.

AUTOMATE! AUTOMATE! AUTOMATE!

Page 13: Cyber Kill Chain – Insider Threat: Miscellaneous errors

Reconnaissance → Initial compromise → Initiate legitimate action → Perform legitimate action → Cause damage by mistake

Initial compromise path:
• Person: alter behaviour, after a trigger event (deadlines, long hours, personal circumstances, lack of security controls, unaware of policy, non-segregation of duties, insufficient governance, lack of coffee, etc.)
• User devices: use credentials
• User accounts, network access: normal activity

8.7% of successful breaches are caused by miscellaneous errors (Verizon DBIR 2016)

Proactive controls along the chain: Policies/ Procedures/ Education/ Monitoring; Governance/ Enablement; Access mgt; Privilege Acct Mgt; Multi-factor auth; Data Classification; Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Incident Response; Continuous Improvement; Monitoring/ Governance.

AUTOMATE! AUTOMATE! AUTOMATE!

Page 14: Cyber Kill Chain – Insider Threat: Theft & Loss

Reconnaissance → Initial compromise → Initiate careless action → Perform careless action → Lose stuff or have stuff stolen

Initial compromise path:
• Person: alter behaviour, after a trigger event (personal circumstances, unaware of policy, lack of understanding, insufficient governance, not enough coffee, etc.)
• User devices: use privileges
• User accounts, network access: normal activity
• Other?: physical documents, knowledge, access devices, leaving passwords on Post-it notes, printers, etc.

15.1% of incidents are caused by physical theft & loss (Verizon DBIR 2016)

Proactive controls along the chain: Policies/ Procedures/ Education/ Monitoring; Governance/ Enablement; Endpoint security; Encryption/ Tokenisation; Access mgt/ Privilege Acct Mgt; Multi-factor auth; Data Classification; Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Incident Response; Continuous Improvement; Monitoring/ Governance.

AUTOMATE! AUTOMATE! AUTOMATE!

Page 15: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance → Initial compromise → Set up Command & Control → Identify, acquire & aggregate data → Exfiltrate or manipulate data

Strategies: PROACTIVE | REACTIVE

Proactive controls: Policies/ Procedures; Education; Monitoring; Governance; Enablement; Email security; Data Classification; Governance/ Enablement; Incident Response; Continuous Improvement; Endpoint security; Encryption/ Tokenisation; Access mgt (incl. Priv.); Multi-factor auth.

AUTOMATE!

Page 16: Cyber Kill Chain – Insider Threat: Negligent behaviour

Compromise Situation → Install malware, set up command & control → Identify, acquire, aggregate data → Exfiltrate or manipulate data

Compromise situation:
• Phishing
• Person: alter behaviour
• User device: install malware; steal & use credentials

70% of successful breaches start on endpoint devices (source: IDC)

Reactive controls along the chain: Policies/ Procedures/ Governance/ Enablement; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Multi-factor Authentication/ Privilege Account Mgt; Patch All The Things!!!; Server/ Network/ Application Security & Monitoring; Threat Intelligence/ Data Leakage Prevention.

AUTOMATE!

Page 17: Cyber Kill Chain – Insider Threat: Malicious behaviour

Compromise Situation → Search for data → Capture & hide data → Exfiltrate or manipulate data

Compromise situation:
• Person: alter behaviour, after a tipping point event
• User devices: credentials abuse
• User accounts, network access: unusual activity

7.6% of successful breaches are caused by privilege abuse (Verizon DBIR 2016)

Reactive controls along the chain: Policies/ Procedures/ Governance/ Enablement; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Privilege Account Mgt; Server/ Network/ Application Security & Monitoring; Data Leakage Prevention.

AUTOMATE!
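The "unusual activity", "search for data" and "capture & hide data" steps on the malicious-behaviour chain (pages 12 and 17) are what the User Behaviour Monitoring control has to surface. The following is an added example, not part of the webinar deck and not ObserveIT's product: a small Python detector run over a constructed audit log. The log lines, the role-to-data mapping, the working-hours window, the learning window and the 3-sigma threshold are all assumptions made for illustration. It learns each user's record-volume baseline from a fixed learning window and then flags out-of-hours activity, volumes far above that baseline, access to data categories outside the user's job need, and bulk exports.

```python
"""Constructed user-behaviour monitoring example (not from the webinar deck).

Surfaces the "unusual activity" step of the malicious-insider kill chain
shown on pages 12 and 17. Everything below (log lines, roles, working
hours, thresholds, learning window) is an assumption made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit-log lines: timestamp, user, action, data category, record count.
AUDIT_LOG = """\
2016-05-23T09:12:00 alice READ customer_pii 40
2016-05-23T10:05:00 alice READ customer_pii 55
2016-05-24T09:30:00 alice READ customer_pii 48
2016-05-24T14:10:00 alice READ customer_pii 52
2016-05-25T23:40:00 alice READ customer_pii 5000
2016-05-25T23:45:00 alice EXPORT customer_pii 5000
2016-05-23T11:00:00 bob READ hr_records 12
2016-05-24T11:15:00 bob READ hr_records 15
2016-05-25T11:20:00 bob READ payment_cards 3
"""

# Constructed job-need model: which data categories each role may touch.
ROLE_OF_USER = {"alice": "customer_service", "bob": "hr"}
CATEGORIES_FOR_ROLE = {"customer_service": {"customer_pii"}, "hr": {"hr_records"}}

WORKING_HOURS = range(7, 20)            # 07:00-19:59 counts as normal (assumption)
BASELINE_END = datetime(2016, 5, 25)    # events before this date train the baseline
BASELINE_SIGMA = 3.0                    # flag volumes more than 3 sigma above the mean


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, category, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "category": category, "count": int(count)})
    return events


def build_baselines(events):
    """Per-user (mean, population stdev) of record counts over the learning window."""
    counts = defaultdict(list)
    for ev in events:
        if ev["ts"] < BASELINE_END:
            counts[ev["user"]].append(ev["count"])
    return {user: (mean(c), pstdev(c)) for user, c in counts.items()}


def detect_unusual_activity(events):
    """Return (user, reason, event) findings for events after the learning window."""
    baseline = build_baselines(events)
    findings = []
    for ev in events:
        if ev["ts"] < BASELINE_END:
            continue                                   # learning window, not evaluated
        user = ev["user"]
        # Rule 1: credential or privilege use outside working hours.
        if ev["ts"].hour not in WORKING_HOURS:
            findings.append((user, "out_of_hours", ev))
        # Rule 2: access to a data category the user's role does not need.
        allowed = CATEGORIES_FOR_ROLE.get(ROLE_OF_USER.get(user, ""), set())
        if ev["category"] not in allowed:
            findings.append((user, "outside_job_need", ev))
        # Rule 3: record volume far above the user's own baseline. The floor of
        # one record on sigma keeps a perfectly flat baseline from flagging everything.
        if user in baseline:
            mu, sigma = baseline[user]
            if ev["count"] > mu + BASELINE_SIGMA * max(sigma, 1.0):
                findings.append((user, "volume_spike", ev))
        else:
            findings.append((user, "no_baseline", ev))   # new or dormant account
        # Rule 4: bulk export, the "capture & hide / exfiltrate" steps of the chain.
        if ev["action"] == "EXPORT":
            findings.append((user, "bulk_export", ev))
    return findings


def summarise(findings):
    """Collapse findings to {user: sorted list of reasons} for a report."""
    reasons = defaultdict(set)
    for user, reason, _ in findings:
        reasons[user].add(reason)
    return {user: sorted(r) for user, r in reasons.items()}


if __name__ == "__main__":
    for user, reasons in summarise(detect_unusual_activity(parse_log(AUDIT_LOG))).items():
        print(user, reasons)
```

The baseline is frozen at the end of the learning window on purpose: if the 5,000-record reads were allowed to feed the statistics, the mean and deviation inflate enough that the spike itself no longer stands out. A rolling window that excludes already-flagged events serves the same purpose in practice. Findings here are per rule; a deployment would score them together and hand the result to incident response, the reactive half of the same slide.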

Page 18: Cyber Kill Chain – Insider Threat: Miscellaneous errors

Compromise Situation → Initiate legitimate action → Perform legitimate action → Cause damage by mistake

Compromise situation:
• Person: alter behaviour, after a trigger event
• User devices: use credentials
• User accounts, network access: normal activity

8.7% of successful breaches are caused by miscellaneous errors (Verizon DBIR 2016)

Error types: Omission, Data entry error, Programming error, Gaffe, Disposal error, Wrong payments, Misconfiguration, Publishing error, Misdelivery, etc.

Reactive controls along the chain: Policies/ Procedures/ Governance/ Enablement; Disposal/ Decommissioning Policies; Process Control/ DevOps/ Workflow Management; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Server/ Network/ Application Security & Monitoring; Privilege Acct Mgt/ Threat Intelligence/ DLP.

AUTOMATE!

Page 19: Cyber Kill Chain – Insider Threat: Theft & Loss

Compromise Situation → Initiate careless action → Perform careless action → Lose stuff or have stuff stolen

Compromise situation:
• Person: alter behaviour, after a trigger event
• User devices: use privileges
• User accounts, network access: normal activity
• Other?

Theft & loss shouldn’t be confined to the physical only... it also includes IP theft.

Careless actions: leave screen unlocked, leave devices unprotected, leave confidential documents unprotected, unsecure printing, disclose information to strangers, post too many details on social media, leave car unlocked, let strangers go through doors, etc.

Reactive controls along the chain: Policies/ Procedures/ Governance/ Enablement; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Endpoint security/ Encryption/ Tokenisation; Server/ Network/ Application Security & Monitoring; Privilege Acct Mgt/ DLP.

AUTOMATE!

Page 20: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance → Initial compromise → Set up Command & Control → Identify, acquire & aggregate data → Exfiltrate or manipulate data

PROACTIVE controls: Policies/ Procedures; Education; Monitoring; Governance; Enablement; Email security; Data Classification; Governance/ Enablement; Incident Response; Continuous Improvement; Endpoint security; Encryption/ Tokenisation; Access mgt (incl. Priv.); Multi-factor auth.

REACTIVE controls: Policies/ Procedures/ Governance/ Enablement; Process Control/ DevOps/ Workflow Management; Disposal/ Decommissioning; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Endpoint security/ Encryption/ Tokenisation; Multi-factor Authentication/ Privilege Account Mgt; Server/ Network/ Application Security & Monitoring; Patch All The Things!!!; Threat Intelligence/ Data Leakage Prevention.

AUTOMATE! AUTOMATE!

Page 21: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance → Initial compromise → Set up Command & Control → Identify, acquire & aggregate data → Exfiltrate or manipulate data

Strategies: PROACTIVE | REACTIVE

THESE TWO STRATEGIES ARE COMPLEMENTARY...

Page 22: Insider Threats: An alternative view...

PEOPLE & PROCESS: Policies/ Procedures/ Governance/ Enablement; Process Control/ DevOps/ Workflow Management; Disposal/ Decommissioning; Data Classification; Education; User Behaviour Monitoring; Incident Response; Continuous Improvement

TECHNOLOGY: Endpoint security; Server/ Network/ Application Security & Monitoring; Email security; Encryption/ Tokenisation; Access management; Multi-factor Authentication/ Privilege Account management; Patch All The Things!!!; Threat Intelligence/ Data Leakage Prevention

AUTOMATE

Page 23: Insider Threats: complementary strategies

Kill chain: Reconnaissance → Initial compromise → Set up Command & Control → Identify, acquire & aggregate data → Exfiltrate or manipulate data

Strategies: PROACTIVE | REACTIVE

THESE TWO STRATEGIES ARE COMPLEMENTARY...
...AND CAREFUL IMPLEMENTATION WILL PROVE WHAT MANY SECURITY PROS HAVE KNOWN FOR AGES...
...THAT COMPLIANCE DOESN’T EQUAL SECURITY...
...BUT GOOD SECURITY WILL LEAD TO COMPLIANCE!

Page 24: GDPR: Process, Monitoring, Education & Governance

The GDPR specifies organisational and individual responsibilities for organisations responsible for the processing of personal data:

• Transparent & easily accessible policies (Article 10.1): process & governance
• Personal data is processed securely (Article 18.1): process & governance
• Verify that measures are effective (Article 18.3): process, monitoring & governance
• Risk-based technical & organisational measures (Article 27.1): process & governance
• Data Protection Officer (Article 32.b): DPO responsible for application of policies, assignment of responsibilities, staff training & audit

Page 25: GDPR: Access control

The GDPR specifies organisational responsibilities for giving access to personal data:

• Equipment access control (Article 27.2.a): deny unauthorised persons access to equipment used for processing personal data.
• Data media control (Article 27.2.b): prevent unauthorised reading, copying, modification or removal of data media.
• Storage control (Article 27.2.c): prevent unauthorised input of data and inspection, modification, or deletion of personal data.
• Data access control (Article 27.2.e): ensure that authorised persons only have access to personal data according to job need.

Page 26: GDPR:

The GDPR specifies operational control responsibilities for processing personal data:

• Communication control (Article 27.2.f): be able to monitor & verify to which bodies personal data has been or may be transmitted or made available.
• Input control (Article 27.2.g): be able to monitor & verify which personal data have been input into systems, when, and by whom.
• Transport control (Article 27.2.h): be able to prevent unauthorised reading, copying, modification or deletion of personal data during transfer or transportation.
• Incident response & disclosure (Article 28.4): document all facts surrounding breaches of personal data and remedial actions taken for subsequent disclosure.
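Pages 25 and 26 list the access, input and communication controls behind the GDPR articles cited on the slides. As an added example, not part of the deck, here is a minimal Python personal-data store that enforces access by job need (the slide's Article 27.2.e), refuses unauthorised input (27.2.c), and keeps the audit trail needed to answer the Article 27.2.f and 27.2.g questions: which bodies received a person's data, and who input which data and when. The roles, data categories, users, subject ids and the "payment-processor-A" recipient are all constructed; the article numbers are quoted as printed on the slides.

```python
"""Constructed example (not from the webinar deck): a minimal personal-data
store with the access-control and audit obligations listed on pages 25-26.

Article numbers are quoted as printed on the slides. Roles, categories,
users, subjects and the recipient name are made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed job-need matrix: role -> {data category -> operations it needs}.
JOB_NEED = {
    "customer_service": {"contact_details": {"read", "input"}},
    "finance": {"contact_details": {"read"}, "bank_details": {"read", "input"}},
}


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    operation: str                    # "input", "read" or "transmit"
    category: str
    subject_id: str
    outcome: str                      # "allowed" or "denied"
    recipient: Optional[str] = None   # transmissions only: the body the data went to


class PersonalDataStore:
    def __init__(self, role_of_user: Dict[str, str], clock=None):
        self._role_of = role_of_user
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._records: Dict[str, Dict[str, str]] = {}   # category -> subject -> value
        self.audit: List[AuditEvent] = []               # append-only trail

    def _permitted(self, user: str, op: str, category: str) -> bool:
        """Data access control (27.2.e): only what the user's job needs."""
        return op in JOB_NEED.get(self._role_of.get(user), {}).get(category, set())

    def _log(self, user, op, category, subject_id, outcome, recipient=None):
        self.audit.append(AuditEvent(self._clock(), user, op, category,
                                     subject_id, outcome, recipient))

    def input_data(self, user, category, subject_id, value) -> bool:
        """Storage and input control (27.2.c, 27.2.g): refuse unauthorised input,
        record who entered which data and when."""
        if not self._permitted(user, "input", category):
            self._log(user, "input", category, subject_id, "denied")
            return False
        self._records.setdefault(category, {})[subject_id] = value
        self._log(user, "input", category, subject_id, "allowed")
        return True

    def read(self, user, category, subject_id) -> Optional[str]:
        """Return the value, or None when the user's role does not need it."""
        if not self._permitted(user, "read", category):
            self._log(user, "read", category, subject_id, "denied")
            return None
        self._log(user, "read", category, subject_id, "allowed")
        return self._records.get(category, {}).get(subject_id)

    def transmit(self, user, category, subject_id, recipient) -> bool:
        """Communication control (27.2.f): every transmission names the receiving body.
        A missing record is logged as denied too, so nothing leaves unrecorded."""
        exists = subject_id in self._records.get(category, {})
        if not (exists and self._permitted(user, "read", category)):
            self._log(user, "transmit", category, subject_id, "denied", recipient)
            return False
        self._log(user, "transmit", category, subject_id, "allowed", recipient)
        return True

    def recipients_of(self, subject_id) -> Set[str]:
        """27.2.f question: to which bodies has this person's data been transmitted?"""
        return {e.recipient for e in self.audit if e.subject_id == subject_id
                and e.operation == "transmit" and e.outcome == "allowed"}

    def inputs_by(self, user) -> List[Tuple[datetime, str, str]]:
        """27.2.g question: which data did this user input, and when?"""
        return [(e.when, e.category, e.subject_id) for e in self.audit
                if e.actor == user and e.operation == "input" and e.outcome == "allowed"]

    def denials(self) -> List[AuditEvent]:
        """Denied attempts are the signal the deck's monitoring controls feed on."""
        return [e for e in self.audit if e.outcome == "denied"]


def demo() -> PersonalDataStore:
    """Constructed walk-through; returns the store so the audit trail can be inspected."""
    store = PersonalDataStore({"carol": "customer_service", "dave": "finance"})
    store.input_data("carol", "contact_details", "subj-1", "subject1@example.invalid")
    store.input_data("carol", "bank_details", "subj-1", "GB00 TEST")   # denied: not her job need
    store.read("dave", "contact_details", "subj-1")                     # allowed
    store.transmit("dave", "contact_details", "subj-1", "payment-processor-A")
    store.transmit("carol", "bank_details", "subj-1", "payment-processor-A")  # denied
    return store


if __name__ == "__main__":
    s = demo()
    print("recipients of subj-1:", s.recipients_of("subj-1"))
    print("denied attempts:", len(s.denials()))
```

The point of logging denials alongside allowed operations is that the same trail serves two of the deck's controls at once: it is the evidence the regulator asks for under 27.2.f and 27.2.g, and it is the raw material User Behaviour Monitoring needs to notice an account probing data outside its job need.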

Page 27: Insider Threats and the GDPR

PEOPLE & PROCESS controls and the GDPR articles they support:
• Policies/ Procedures/ Governance/ Enablement: Articles 10.1, 10.2, 18.1, 18.3, 27.1, 28.4, 32.b
• Process Control/ DevOps/ Workflow Management: Articles 18.1, 27.1, 32.b
• Disposal/ Decommissioning: Articles 18.1, 27.1, 27.2.b, 27.2.h, 32.b
• Data Classification: Articles 18.1, 27.1, 27.2.a, 27.2.b, 32.b
• User Behaviour Monitoring: Articles 18.3, 27.1, 27.2.a, b, c, d, e, f, g, h
• Education: Articles 18.1, 27.1, 32.b
• Incident Response: Articles 18.1, 27.1, 28.4, 32.b
• Continuous Improvement: Articles 18.1, 27.1, 28.4, 32.b

TECHNOLOGY controls and the GDPR articles they support:
• Endpoint security: Articles 27.1, 27.2.e, f, g, h
• Server/ Network/ Application Security & Monitoring: Articles 27.1, 27.2.d, e, f, g
• Email security: Articles 27.1, 27.2.b, d, f, h
• Encryption/ Tokenisation: Articles 27.1, 27.2.d
• Access management: Articles 27.1, 27.2.a, b, d, e, g
• Multi-factor Authentication/ Privilege Account management: Articles 27.1, 27.2.a, b, d, e
• Patch All The Things!!!: Article 27.1
• Threat Intelligence: Article 27.1
• Data Leakage Prevention: Articles 27.1, 27.2.a, b, f, h

AUTOMATE

Page 28: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance → Initial compromise → Set up Command & Control → Identify, acquire & aggregate data → Exfiltrate or manipulate data

Strategies: PROACTIVE | REACTIVE

...AND THAT’S NOT ALL...
...AND IT SHOULD BE NO SURPRISE!...
...THAT THE SAME PRINCIPLES CAN BE FOLLOWED FOR PCI DSS...

Page 29: Insider Threats and PCI DSS v3.2

PEOPLE & PROCESS controls and the PCI DSS requirements they support:
• Policies/ Procedures/ Governance/ Enablement: Req 3.7, 4.3, 5.2, 5.4, 6.1, 6.3, 6.4, 6.6, 6.7, 7.3, 8.4, 8.8, 9.2, 9.4, 9.5, 9.7, 9.8, 10.8, 10.9, 11.6, 12
• Process Control/ DevOps/ Workflow Mgt: Req 3.7, 6.3, 6.4, 6.5, 6.7, 9.6, 9.8, 12
• Disposal/ Decommissioning: Req 3.1, 9.6, 12
• Data Classification: Req 3.1, 12.6
• User Behaviour Monitoring: Req 4.2, 11.5
• Education: Req 3.7, 4.3, 12
• Incident Response: Req 12.5.3, 12.10
• Continuous Improvement: Req 12

TECHNOLOGY controls and the PCI DSS requirements they support:
• Endpoint security: Req 4.2, 5.1, 5.3, 9.9
• Server/ Network/ Appl. Security & Monitoring: Req 4.2, 5.1, 5.2, 5.3, 6.1, 6.6, 10, 11.1, 11.2, 11.3, 11.4, 11.5
• Email security: Req 4.2, 8.2.2, 12.3
• Encryption/ Tokenisation: Req 3.4, 4.1, 4.3
• Access management: Req 7.1, 7.2, 7.3, 8.1, 8.7, 9.1, 9.3
• Multi-factor Auth./ Privilege Account Mgt: Req 2.1, 7.1, 7.2, 8.1, 8.2, 8.3, 8.5, 8.6
• Patch All The Things!!!: Req 6.1, 6.2
• Threat Intelligence: Req 6.1, 6.6
• Data Leakage Prevention: Req 4.2

AUTOMATE

Page 30: Insider Threats and other regulations

EU Payments Services Directive 2 (PSD2):
• Article 79 mandates GDPR compliance for all payment institutions;
• Other stringent requirements on security, disclosure and authentication.

EU/ US Privacy Shield agreement:
• Will put pressure on understanding where data is located, giving focus to cloud services;
• Increased focus on supply chain due diligence;
• Will increase focus on sharing tools and other applications used by employees.

Page 31: Here’s the Shocker...

MANAGING STAFF TO PROTECT DATA WILL PROTECT PEOPLE...
EFFECTIVE INSIDER THREAT MANAGEMENT...
...WILL GO A VERY LONG WAY TOWARDS REGULATORY COMPLIANCE!

Page 32: O brave new world, That has such people in't*

• Regulations will force better behaviours
• Security must be trilateral: PEOPLE, PROCESS, TECHNOLOGY
• Effective Insider Threat Management is now crucial:
  TRUST BUT VERIFY (your employees are your first line of defense, but also a big risk)
  Monitor & study insider behaviours as attackers study you
  Adopt both Proactive and Reactive security strategies
  AUTOMATE!
• Don’t be afraid to look at new security technologies
• Partnerships will be key

* Star Trek: The Next Generation, "Emergence", 1994; Shakespeare, The Tempest, Act 5, Scene 1

Page 33: ... WHERE INSIDER THREATS CAN BE MANAGED

Page 34: Thank you!

Neira Jones FBCS, MSc | Independent Advisor, Payments, Risk, Cybercrime, & Digital Innovation