Podcast: Play in new window | Download

Subscribe: RSS

The Rising Tide of Insider Threats: Are Companies Prepared?

Welcome to the human element, the podcast that delves into the often overlooked human side of cybersecurity. Each episode, we’ll explore real world stories, uncover the tactics used by cybercriminals to exploit human behavior and share insights on how you can protect yourself and your organization from these subtle but devastating attacks. Join us as we peel back the layers of deception and reveal the true power of the human element in cybersecurity. Let’s get started. You.

A long, long, long time ago, in my high school days, I had a job at a fast food restaurant. Not going to name the fast food restaurant or where it was located, but they used to get robbed a lot. So there was a it was a franchise, and I don’t remember how many restaurants there were. There were 15 or 20 restaurants in the franchise, and they used to get robbed a lot. And it turned out they finally caught the guy. And the guy that was behind all the robberies was actually an employee who knew the routines when the employees would come, when the employees would go, where the where the walk in coolers were, because at one point the employees were locked in a cooler, when the bank drops were made things like that. Knew the routines. They knew how the all of the restaurants in the franchise operated, and when, when the most money would be available to anybody who wanted access to it, eventually got caught, got prosecuted, and I’m not going to go into the gory details, but it didn’t end well for that person.

But insider threats have been around. You know, this was going back a few decades, insider threats have been around for a long time. Welcome to the human element Podcast, episode 23 it’s been a while. I am your host, Scott gombar, owner and CISO at najec, and we’re going to talk about insider threats today. But first I want to say it’s been a little over a year since the last episode of the human element, and life just got crazy, and so put it on hold, but we’re returning. I don’t know if I can do this weekly. We will try to do this weekly, but we you will have new episodes for sure. So I apologize if you were looking forward to the podcast, I don’t know. Didn’t have a lot of listeners. We didn’t get that far with it, but we’re back. We’re back with a vengeance, and I’m here to talk today about insider threats, and this is a growing concern. We’re going to call this episode the rising tide of insider threats. And our company is prepared, and in most cases they are not. So
there was some recent research that was done. It was, let me tell you who it was that did the research. So I found it on an on a website called businesswire.com this is from back of January this year, so it’s about seven months old, and it was an insider threat report commissioned by securing Secura Nix, I guess, S, E, C, u, r, o, n, i, x, and they found some some concerns, I guess we can call them about insider threats. The report found that while 76% of organizations have detected increased insider threat activity over the past five years, less than 30% believe they are equipped with the right tools to handle them. Just as concerning is that only 21% of respondents said they had fully implemented an operational Insider Threat program, which highlights the inability of most organizations to effectively identify and mitigate internal security risks. Now that being said that the audience for this podcast is the small business owner. So these are organizations, large enterprise, businesses that are being surveyed, small businesses are even less prepared for these things. So global security professionals indicated the main drivers and enablers of insider attacks are insufficient employee training at an awareness at 37% globalization and adoption of new technologies at 34% inadequate security measures at 29 complex IT environments at 27 and disgruntled insiders at 25% more than 75% of the orgs report an increasing prevalence of ransomware and triple extortion techniques in. Environments. So what is triple extortion? You add ask, well, so first you have the ransomware attack, where they encrypt all your data, then they threaten to leak that data. And the third method of extortion, I believe now, is they will call people that are, you know, people whose data, maybe not call, but contact people whose data you have but 750 6% information disclosure at 56% and unauthorized data operations at 48% are also leading concerns. The challenges of securing distributed, less controlled environments led to 70% of respondents expressing concern about insider risks in hybrid work environments, a majority of respondents, at 75% are concerned about the impact of emerging technologies such as AI, which will play a huge role the metaverse and quantum computing, which will also play a huge role. Companies are chiefly concerned with the loss of financial data at 44% and customer data at 41% pointing to concerns over direct monetization for threat actors and loss of personally identifiable information, respectively. And we have seen this time and time again. Data gets stolen, and we’re actually going to talk about some of that data gets stolen and monetized on the dark web. So here’s an example that was in the news, at least the cybersecurity news most recently. And it just it points to the Insider. How real the insider threat is. This is a cybersecurity company called know before they inadvertently hired a North Korean hacker, didn’t they were not aware that it was a North Korean hacker, of course. And so what no before does they provide phishing simulation, among other things, they provide phishing simulation, software security awareness training, and I think a few other things that they do there, but they are well known in the cybersecurity world, and they hired a North Korean hacker. Now you’re wondering, how did this happen? Well, no, before was hiring, I don’t know if they were using LinkedIn, but if this happens a lot on LinkedIn, for many companies, and they hired a contractor to help with developing the software further. That employee, that contractor, then used access to the systems to plant malware that was designed to steal sensitive information, so it’s called an info stealer. Now familiar, if you’re familiar with the cybersecurity landscape, you’ll know that North Korea has well documented history of cyber attacks. The country’s state sponsored hackers are notorious for their sophisticated techniques and bold attacks on targets worldwide, ranging from financial institutions to healthcare organizations. The incident with no before underscores just how sophisticated and far reaching these operations can be. What’s particularly alarming about this case is that it happened to a cybersecurity company. Okay, we’re vulnerable just like everybody else, and I would say cybersecurity companies have a bigger target because of what they do and who they do it for, you know, the no before probably has access to some pretty attractive targets, I guess, is the right word.

And so therefore somebody would want to get in there, or want to get into watch tech, or wanted to get into, uh, any number of, you know, we had solar winds a few years ago. We’ve had number of Kaseya. It could happen to anybody. So the guy gets in, he plants this info stealer. They caught it. Fortunately, no damage done. They caught it in time before anything could happen. But no one is immune to these kinds of threats. That is the point of this. Me bringing up no before this just the most recent example. But what? What can businesses do? Most businesses are not cyber aware. You know they’re not so most businesses are not cybersecurity businesses. They do other things. What can they do? So first of all, rigorous vetting processes. It’s hard, especially if you’re going to hire contractors. It’s really hard to meet in person these days, but you can when hiring contractors, especially from international markets, crucial to have a big a rigorous vetting process in place. This includes background checks, verifying identities and understanding the geopolitical risks associated with certain regions. Now they did not know this person was in North Korea. Obviously, they wouldn’t have hired them if they did know that, but nonetheless, know who you’re hiring. Do some research, continuous monitoring, and that’s where they were. We were able to. Catch the unusual activity. But after hiring, continuous monitoring of network activity and behavior is essential. In this case, if no board before had been monitoring unusual data access or downloads, they might have detected the info stealer attack earlier they you know, eventually they did. And I don’t know, I don’t think it says how long he was there, but eventually they did and then Incident Response preparedness. Everybody should have an incident response plan. Every business needs an incident response plan. If you’re a one person team, have an incident response plan, because you need to know what to do in case the glass breaks. Okay? If you have to break the glass, what do you do? All right, so now this was a malicious insider, essentially, right? They hired him. He becomes an insider. He does his thing. They fire him, or get rid of him, I guess, cut off access. Can’t really fire someone who technically wasn’t really an employee, but nonetheless, that’s a malicious insider. That was somebody looking to get in and cause damage. And so you have different variations, I guess, of insiders variation. Guess is a good word for this. So you have the malicious insiders, what we just described, somebody that wanted to get in and cause damage. And this happens a lot. You know, you have people in healthcare that are stealing phi that’s protected health information and selling it. These are malicious insiders. They were employees. They got caught eventually, some cases, it happens for years before they get caught, but they get caught selling phi or other information to, you know, ransomware, people or or somebody else who’s interested in collecting that information. Phi on the dark web is like gold. It is the most valuable ticket item on the dark web. You have inadvertent insiders. These are employees who they’re not acting malicious, but you know, they click on a link, or they download something by accident, or they enter their password in the wrong place, or somebody calls up, and they get tricked into allowing access to the computers, you know, the the old little Tech Support Scam, which we’ve talked about in previous Podcast. Whatever the reason may be, they are tricked into becoming an insider threat. Wasn’t intentional. They didn’t mean to do it, but nonetheless, it’s an insider threat, and we’re going to talk about how you could protect against that. And then negligent insiders, these are similar to inadvertent insiders, but with a pattern of behavior that suggests a lack of care or disregard for security protocols. This is your disgruntled employee. A lot of times you know that they’re tired of working where they’re working. They don’t like their boss, they’re not happy with their pay, whatever the case may be, so they just don’t care. They’re just negligent. Okay, now you’re the business owner. You have a pretty good idea of how to protect yourself against malicious insiders. Going to be careful about your hiring process. You’re going to make sure people that shouldn’t have access don’t have access, and so forth. However, let’s just assume a malicious insider, and this happened, offers to pay someone a million dollars in your organization to gain access to the network. This happened to Tesla. The employee decided to forego the million dollars and reported it to the FBI. The person that offered the million dollars flew to California, and when he stepped off the plane, got arrested. Good news for Tesla. However, how many times has a malicious insider offered money to someone and that person took the money and did what they the malicious insider wanted them to do that that employee now becomes the malicious insider. So it’s not a malicious insider that’s offering a million dollars. It’s it’s a, could be a ransomware as a service group. It could be an ex employee, it could be anybody. But what can you do? What can the business do to protect themselves so you have behavior analytics, and that’s implementing advanced monitoring tools that analyze user behavior. This can help detect unusual activities before they turn into full blown security incident, these tools are crucial for identifying both malicious and negligent insider threats. Now that might be difficult for a small business, but you can do things like track where OneDrive is accessed, where OneDrive folders are accessed, or if their files are being shared outside the organization, or if they’re installing shadow IT programs, maybe maliciously, these things can be done where behavior analytics might be a little more difficult monitoring activity in OneDrive email computer used to. Installation of of programs and file sharing and things like that can be monitored by a small business at a more cost effective level and not quite as difficult, continuous training and awareness programs. If you know me, you know this is, this would be number one for me, all day, providing training, and I don’t mean your once a year, annual compliance training that’s required, no continuous training. We train all of our clients and their employees. They get micro trainings three times a month. They get an annual training, they get phishing simulation, they get all of this stuff so that they are aware. And then on top of that, we also do in person training. So we’ll go in or over zoom sometimes, train the employees on what to look for based on current situations in the cybersecurity world. In addition to that, I will provide whenever there’s something that I feel clients need to know, they’re going to know that as well strong access controls. We cannot give the keys to the kingdom to every employee. As a matter of fact, I don’t even give the kids keys to the kingdom to any employee, even CEOs and directors and managers. None of them have the keys to the kingdom. I don’t have the keys to the Kingdoms, whatever, depending on what the information is, what the what it is that they’re trying to access, there may be two people required to get to it, or or some other form of of authentication required to get to it. So strong, strong access controls should be implementing a zero trust policy, essentially so that says, Never trust, always verify. Don’t believe the person logging is logging in or calling or sending an email or whatever is who they say they are verify it, and then only give access to what the employee needs access to to do their job. And that’s it. Nothing else, nothing more, nothing less. Just that. Balancing security and privacy. Now this is tricky. This is the seesaw. While monitoring is essential, respecting employee privacy is equally important. So I see posts all the time where companies are looking to monitor employee activity, especially if they’re work from home. Wfh, they want to monitor their activity. This is, this is not good. This is, I could tell you firsthand, as somebody who spent the last year at a company working from home exclusively. I did more when I worked from home than I did when I went through Office. I, you know, traveled to the office. It was almost an hour drive every day. If there was traffic, sometimes it was an hour and a half. And I got there, I was tired. I left. I was even more tired. I did not do eight hours worth of work. It didn’t happen. And I don’t believe in the eight hour work day. I believe break it up, get work done. People are more productive this way. This is my opinion. You might disagree with me, but if you are so concerned with the employee that you need to have monitoring software on their computer to see exactly what they’re doing, all their keystrokes and mouse moves and everything else that’s that’s overboard, in my opinion,

so you have to give the employee a little bit of privacy, but there also needs to be security. So we application block by default on all applications, and you cannot install anything on on a computer without prior approval. But also make sure that the employee understands that some things are being monitored. For example, the location of the computer, the computer isn’t going to, you know, fly away to the Caribbean when they’re supposed to be working. Will know you’re not going to be able to log in, in most cases, to your Microsoft account or your Google account if you’re overseas. These are some of the things that we do monitor for. We monitor for software installs, as I mentioned earlier, because we do deny by default. So you got to balance that a little bit, you know, if you’re going to worry about every mouse click and every keyboard tap, that’s a little much, but there has to be some measures in place so that we know what the employee is doing if they’re doing anything malicious. Primarily, that’s that’s the most important piece. Are they doing anything malicious? We have gone so far as to set up honey pots so I may install a document on a critical system, sometimes even just a workstation that might say something like bank account numbers or passwords or something like that. And so this, it’s a honeypot. If it gets open, then I know somebody’s behaving in a malicious manner, and that alerts us that. We need to take some, some extra measures to secure that that device in that company, something is something is going on. Now, of course, the CISO side of me will tell you, you need to have all of this documented. There needs to be policies and procedures in place, including the incident response plan. And you need to educate all of your employees, everybody from C level executives all the way down to the cleaning team at night. They all need to understand what is being monitored,
what they should be on the lookout for,

and how to recognize social engineering attacks, phishing attacks, all related to social engineering. It’s going to get harder thanks to artificial intelligence, thanks to deep fakes, which is a form of artificial intelligence, all of these things are going to make it harder to identify malicious insiders quick enough to do something about it. That’s why these things need to be in place. So to recap, again, you need to have behavior analytics or some type of monitoring of access controls and who’s sharing what with who, and where are emails going and where are files going and things like that. Continuous training and awareness. Again, that will always be my number one, as long as your employees are aware, they’re less likely to do anything malicious, whether it’s inadvertent or not, because if they know they’re being monitored, and they know that this measures are in place to protect a business, they’re less likely to take steps to do damage to the business. Strong access controls, again, only give the employee access to what they need to do to do their job. So they shouldn’t have access to bank accounts if they have no reason to do anything with the bank accounts. Previous company I worked for, I was in the IT department, and I was able to access HR records. Shouldn’t have been able to I should not be able to have access to HR records as an employee in the IT department. That should never happen. Balancing security and privacy again, there’s a fine line you have to find it in your organization, a fine line between being overzealous about monitoring every keystroke and every mouse click and making sure that your devices in your network and your most importantly, your data is secure. So I’m going to give you another example real quick before we go. This one was from earlier this year as well. Back in February, was reported that a an insider threat caused a data breach of 63,000 plus employees at Verizon. What they said was that it was information that an employee had access to, an employee discovered that or an employee inappropriately handled a file containing certain personal information about some Verizon employees. So, you know, I’ve seen this as well. How many times I can’t even tell you how many times I’ve seen Excel spreadsheets in email folders with sensitive information. So it could have been something as simple as that. And it even says that they have no reason to believe the information was in improperly used, or that it was shared outside of Verizon. But I’ve seen this. I’ve seen it time and time again, where an employee accidentally sends an Excel spreadsheet with sensitive information to someone else, whether inside or outside of the organization. So it’s really that simple. You know, you your outlook has emails cached. This is why some emails block or some companies block external email. But your outlook has email addresses cash, and maybe you’re think you’re sending it to one person and you accidentally send it to someone else. Happens more than you would like to believe. Believe me, I have seen it numerous times. So another example inside a threat, this one being in an inadvertent insider threat where 63,000 employees information was exposed, including full name, physical address, social security numbers, National ID, gender, union affiliation, date of birth and compensation information. So it’s a lot of information that’s PII out there somewhere for someone to see potentially, and that’s going to do it for the return of The human element. So until next time, stay secure.