
Page 1: © Use by permission. © 2 © 3 © 4 Source: McAfee

©Use by permission

Protection From Within

Addressing the insider threat…

DAN LOHRMANN, CHIEF STRATEGIST & CSO

SECURITY MENTOR, INC.

SEPTEMBER 4, 2014

Page 2:

Key questions

• Where does your biggest threat of a data breach reside?
  • Internal staff, contractors and/or known business partners
  • External hackers, organized crime, overseas (somebody)
  • About equal (almost 50/50)

• Where are you spending organizational resources?
  • Internal staff, contractors and/or known business partners
  • External hackers, organized crime, overseas (somebody)
  • About equal (almost 50/50)

Page 3:

Page 4:

What is an insider threat?

• Security softie: limited security knowledge; uses the work computer at home and shares it with family.

• Gadget geek: brings in a variety of devices and plugs them into their work computer.

• Squatter: uses the work computer for storing personal content or playing games.

• Saboteur: accesses information they shouldn't, or deliberately infects the network from within.

Note: the Securelist insider threat categories include the careless insider, the naïve insider, the saboteur, the disloyal insider, the moonlighter and the mole.

Add conscientious objector?

Source: McAfee

Page 5:

Incidental security leaks

From the FBI Insider Threat Program:

- Insider threats are not hackers.

- Insider threat is not a technical or "cybersecurity" issue alone.

- It's a people-centric problem.

- Organizations should focus first on deterrence, then on detection.

Page 6:

Insider threat statistics

• 21% of workers let family or friends use work laptops to access the Internet

• 51% connect their own devices to their work computer

• 60% admit to storing personal content on their work computer

• 62% admitted to limited knowledge of security

Source: Schneier on Security

Page 7:

What can happen?

• Threats to the business
  • Loss of productivity
  • Network compromise (virus, malware)
  • Breach of sensitive information
  • Copyright violations
  • Litigation
  • Bad publicity

• Threats to the individual
  • Loss of professional reputation
  • Loss of personal integrity
  • Loss of employment
  • Criminal penalties, fines, jail time

Page 8:

Small group work (break into groups of 3-5)

1) What insider threat(s) keeps you up at night? Why?

2) Have you had a major insider threat incident? Can you share?

3) What actions are you taking to address the insider threat?

Pick a spokesperson and be ready to report back to the group.

Page 9:

Are you for us or against us?

• Story of a personal journey on this topic: security as enabler

• LinkedIn series of three articles

Goal one: understanding the problem scope

• Cloud, mobile, BYOD, telework, social media

• HR, productivity, talent acquisition affected

• Employees, contractors, partners

• Ask: what's really happening with policies?

• Check: do our practices match procedures?

• Perform: a good risk assessment

Photo credit: Stockphotoforfree.com.

Page 10:

Changing your security culture with a new approach

Goal two: trust and verify

• Reexamine acceptable use and social media policies

• Examine access controls for incoming and outgoing staff

• Ensure contract agreements are in place

• Ask: is the majority of staff with you?

• Check: security logs, monitors, big data

• Perform: background checks, as appropriate

Photo credit: Harland Quarrington/MOD, via Wikimedia Commons

Page 11:

Building trust and fixing the security culture

Goal three: enabling the doers

• Ask: do staff know what to do if an incident occurs?

• Conduct exercises

• Train in memorable ways (more coming on this)

• Check: engagement with surveys and feedback

• Measure progress

• Reward the right things: all eyes helping

• Empower the security team with new tools and attitude

• Focus on: risk management methodology

Page 12:

Tips for three groups

For company leadership: ask what's really happening.

• Begin (or improve) the conversation between management and staff regarding expectations for online behavior at work. Look at new awareness training techniques that engage staff and make a positive difference.

• Offer fun, engaging, updated material to help improve the security culture and get the masses on board.

For security professionals: start by rethinking how to enable secure access for the business, not just disabling access or blocking.

• Build trust with enterprise staff and verify controls at the same time by focusing on the most serious situations using a risk management approach.

• Determine what your web monitoring and log data is really telling you about where your greatest insider threats are.

• Don't just "check the box" on employee engagement; offer channels for tips and input.
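Two of the checks in these slides are concrete enough to script: page 10's "examine access controls for incoming and outgoing staff" and "check security logs", and page 12's "determine what your log data is really telling you about where your greatest insider threats are". The block below is an added example written for this page; it is not code from the slides, from Security Mentor or from McAfee. The HR roster, the enabled-account export, the log line format, the user and host names and the 07:00 to 18:59 business-hours window are all constructed assumptions for illustration. It reconciles HR's leaver list against the directory, flags enabled accounts nobody in HR owns, and then walks a handful of log lines for the three signals the deck names: the leaver who still logs in, the unowned account, and the gadget plugged into a work machine.

```python
"""Added example: leaver/joiner account review plus a first pass over logs.

Not from the slides. The roster, account export, log format and the 07:00-18:59
business-hours window are constructed assumptions for illustration.
"""
import re
from datetime import date, datetime

# Constructed HR export: who HR says is still here, and when leavers left.
HR_ROSTER = {
    "alice": {"status": "active", "last_day": None},
    "bob": {"status": "terminated", "last_day": "2014-08-15"},
    "carol": {"status": "active", "last_day": None},
}

# Constructed directory export: accounts that are enabled right now.
ENABLED_ACCOUNTS = {"alice", "bob", "carol", "dave", "svc_backup"}

# Constructed log lines in an assumed '<timestamp> <event> k=v ...' shape.
LOG_LINES = [
    "2014-09-01T08:02:11 auth user=alice result=success src=10.1.4.22",
    "2014-09-01T23:48:05 auth user=bob result=success src=10.1.4.90",
    "2014-09-02T02:15:40 usb user=carol device=USB_Mass_Storage action=connect",
    "2014-09-02T09:10:00 auth user=dave result=success src=10.1.4.31",
    "2014-09-02T12:00:00 auth user=alice result=failure src=10.1.4.22",
]

BUSINESS_HOURS = range(7, 19)  # assumed: 07:00 through 18:59


def leaver_gaps(enabled, roster):
    """Outgoing-staff check: accounts still enabled for people HR marks terminated."""
    return {u for u in enabled if roster.get(u, {}).get("status") == "terminated"}


def unowned_accounts(enabled, roster):
    """Incoming-staff check: enabled accounts with no HR record at all
    (contractors never onboarded, forgotten service accounts, ad hoc creations)."""
    return {u for u in enabled if u not in roster}


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of k=v fields plus parsed timestamp and event."""
    ts, event, rest = line.split(" ", 2)
    rec = dict(_KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    rec["event"] = event
    return rec


def review_logs(lines, roster, hours=BUSINESS_HOURS):
    """Return (user, reason) findings worth a human's attention, in log order.

    Three signals the deck calls out: the leaver who still logs in, the account
    nobody owns, and the gadget plugged into a work machine; plus timing, which
    by itself proves nothing but raises the priority of the other three.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        user = rec.get("user")
        person = roster.get(user)
        success = rec["event"] == "auth" and rec.get("result") == "success"
        if success:
            if person is None:
                findings.append((user, "successful login by account with no HR record"))
            elif (person["status"] == "terminated"
                  and rec["ts"].date() > date.fromisoformat(person["last_day"])):
                findings.append((user, "successful login after HR last day"))
        usb = rec["event"] == "usb" and rec.get("action") == "connect"
        if usb:
            findings.append((user, f"removable device connected: {rec.get('device')}"))
        if (success or usb) and rec["ts"].hour not in hours:
            findings.append((user, "activity outside business hours"))
    return findings


if __name__ == "__main__":
    print("still enabled but terminated:", sorted(leaver_gaps(ENABLED_ACCOUNTS, HR_ROSTER)))
    print("enabled with no HR record:", sorted(unowned_accounts(ENABLED_ACCOUNTS, HR_ROSTER)))
    for user, reason in review_logs(LOG_LINES, HR_ROSTER):
        print(f"{user}: {reason}")
```

On the constructed data this reports bob (terminated, still enabled, logged in at 23:48 after his last day), carol's USB mass-storage device at 02:15, and dave logging in with no HR record; svc_backup shows up only in the unowned-account list, which is the right place for a service account with no named owner. The after-hours test is deliberately a priority bump rather than a finding on its own, because shift workers and on-call staff make it noisy. In practice the roster comes from HR, the enabled set from the directory, and the lines from whatever log store is already in place; the point is that the "incoming and outgoing staff" check is a join between two exports, not a new product.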

Page 13:

Tips for three groups (continued)

For end users: become engaged.

• Encourage office conversations with all levels of staff about what's really happening online. Be part of the solution.

• Understand acceptable use policies and security procedures, and balance personal freedom with corporate responsibility online.

• If you are bored at work, dig deeper into the root causes. Are you in the right job? Look in the mirror and ask: are my actions and surfing online appropriate?

Everyone: we need to do some soul-searching and ask: how can I become more engaged in Internet safety in positive ways at work?

Page 14:

Users: our greatest vulnerability

". . . Rogers says about 80 percent of the cyber security problems can be solved with regular computer hygiene – strong password, firewall and virus protections that citizens need to exercise diligently."

Page 15:

Looking back . . . the results

In a word . . . FLOP

Approximately 3,000 of 50,000 employees completed the voluntary training.

Some employee feedback:
• Boring
• Irrelevant
• Outdated
• "Death by PowerPoint"
• Doesn't apply to ME

Page 16:

The problem?

• 11 audit findings relative to user training.

• Minimal actual participation.

• No user buy-in.

But, wait . . .

• New sense of urgency.

• New executive management.

• New Michigan Cyber Initiative.

Page 17:

Next generation cyber awareness training

• Rollout began September 2012 with 50,000 employees/partners; since grown to 60K

• Twelve modules (approximately 10 minutes each):
  • Intro to security awareness
  • Information protection
  • Computer security
  • E-mail security
  • Reporting incidents
  • Passwords
  • Phishing
  • Office security
  • Social networking
  • Web security
  • Public WiFi
  • Mobile security

• New module delivered to the desktop every other month

• Interactive, engaging, and "sticky"

• Provides measurable metrics

• Currently at 87% participation, with positive feedback

Page 18:

Lesson #7: Phishing

Page 19:

Small group work (break into groups of 3-5)

1) What activities have you seen bring the best cultural change results in your organization? Did the change last? Why or why not?

2) Have you implemented any of the suggested items for the three groups? If yes, what happened?

3) Any success stories to share regarding insider threats?

Pick a spokesperson and be ready to report back to the group.

Page 20:

Thank you!

Dan Lohrmann, Chief Strategist & CSO
Security Mentor, Inc.

[email protected]
On LinkedIn or Twitter: @govcso