Your best defense against insider threats | TECH(talk)


Hi, and welcome back to Tech Talk. I'm Ken Mingis, executive editor, Computerworld. I'm here with Juliet Beauchamp and CSO's Lucian Constantin to talk about Cybersecurity Month and insider threats. If you're watching us, be aware that we're streaming live on YouTube and on the Computerworld LinkedIn Live page, so please subscribe to either one of those pages: either subscribe to YouTube, follow the Computerworld LinkedIn page. And if you've got questions or comments that we might be able to answer during the show, please stick them in the comments. We'll try to get to them. If we don't, we'll circle back. As always, play nice. We don't want a food fight here. So Lucian, thanks for being here from an undisclosed Eastern European bureau location. It's great to see you again.

Thanks, thanks.

So what we want to talk about this month, obviously it's Cybersecurity Month, a lot of, you know, there's a lot of focus on the kinds of threats that companies face, and insider threats. You know, there are a variety of kinds of insider threats. We thought you'd be a good one to sort of, you know, maybe give us a few examples of what companies should be looking for or worried about, and maybe some thoughts on how they can maybe avoid problems. So
take it.

Right, so insider threat, it's kind of like a big category of threats that only has kept expanding over the past few years, and I think it's good to go through them because people need to understand what insider threats are and how they vary. So you have insider threat as employees who can be disgruntled because they don't like the company for some reason and they decide to sabotage it just because they want to. You have employees who might change jobs, they might have been recruited by a competitor, and when they leave their job they might intend to take documents, business documents, with them, and not necessarily because the competitor asked them to but because they consider that it would help them in their new job, right? Like if you're working sales, you might take client lists because you have to keep selling stuff. So then you have employees that might be bribed by an external actor. There was a case in, I remember, in Eastern Europe, a few cases in Eastern Europe and in Russia in particular, where ATM technicians working for banks were actually working on the side with criminals and leaving the ATMs, giving them the tools to access ATMs or leaving ATMs open to access, and then getting a cut of the stolen money. There's also employees who might do it for political reasons, and they might be recruited by a nation-state and they might do it for the home country. And a recent case, there was a recent report about an espionage campaign that combined cyber espionage by an APT group and traditional espionage with insiders recruited by the Chinese intelligence agencies into aerospace companies in order to acquire technology so they could produce components for an airplane locally in China by state-owned companies. So you can have that, you can have insiders recruited by nation-states. And then you have unwitting employees who click on phishing links, who act based on emails they receive, whether that's... you have this whole, over the past few years you have this whole business email compromise trap where attackers either impersonate a company official, the CEO or CFO, or they actually hack the CEO's email and then send emails to other people in the organization asking them to wire money for a partner or for a supplier or for... and people act on those, so not because they want to harm the company but just because they weren't properly trained or informed or aware of such threats. And...

Yeah, I was just gonna say, it does strike
me that, you know, given the number of categories you're looking at here, that a lot of times it's often the unwitting employee who may be the biggest danger, because, you know, security training really varies from company to company, trying to get people up to speed on some of these very sophisticated phishing attacks. You know, as you mentioned, you know, somebody can break in and can somehow get hold of the CEO's, the CIO's email address or their targeted email lists and all kinds of logos and things and craft an email that, you know, can allow the hackers to get into the company and start fishing around, and it only takes one employee to sort of, as you say, click on the link, and then, you know, your network is compromised.

Right, and that's probably the most common one
and I would say the hardest one to fix, because yes, obviously everyone should do security awareness training, phishing, teach employees how to detect phishing emails, emails with suspicious links and things like that, but it's very hard to change human behavior, and someone who is naturally very helpful will always want to help people, and mistakes happen. And if you have a very large organization with thousands of employees or hundreds of employees, it's very easy to find one. And it's also the type of attack that it's the easiest to pull off by attackers, so it comes in large quantities, let's say the large... One day you have a lot of phishing emails, a lot of malicious emails with links to exploits, the wave where malicious attachments, we have all sort of threats because it's easy to do for them. So yes, I mean, in order to mitigate this, you mentioned, or to prevent this, you mentioned security awareness training. What other things companies should do is limit... do not use shared credentials that you give to all employees to access resources. Be aware of the inventory of the information and data you have, and make sure people have access only to the data they need to do their job. So make sure you have access controls, make sure every employee has their own credentials, and that could... and don't use administrative accounts on computers, use limited accounts for employees, and in that way you can limit the damage. No one said... no one will say that it will never happen, but if it happens then you want to limit the impact of that happening, right? I mean, what can the attacker do if they have access to a single employee's credentials and some limited amount of data and some limited account? They can do very much if they have access to an admin account and have access to basically open data shares on the network. Then they can export a lot of data, they can do a lot of damage that way.

I should just break in and remind
people, if you're just tuning in, we're talking about Cybersecurity Month and of course insider threats and the different types of threats that companies face, and also what they can do about it. I think, Juliet, you would say...

Yeah, so I have a question for you, Lucian. It seems like a lot of what you're talking about is the ways that companies can mitigate risk with their own employees, but what if you have like a contractor, or you contract out a part of your business to another company? How do you ensure that you're not a victim of insider threats to either that individual or whatever company you're contracting out to?

Right, that's a difficult problem to solve, and we've had
cases like that. In the case of the Target data breach, it happened through two credentials stolen, remote credentials stolen from a contractor or subcontractor or a partner, right? So what you have to do in those cases is obviously choose your partners carefully. You could ask... security-aware organizations could actually ask for security audits from their partners: hey, I want to... I know how my network looks, I know how my network is secure, I want to make sure your network is secure before you allow your people to connect into my network, for you or all your systems to access my system. So I did, it's fair to do. It does make business contracts harder, but it's something companies do, some companies go. And also make sure, if that partner is a remote support, they offer remote support for something and they have remote access credentials into your network, make sure those credentials are unique, they're strong, they are not some shared credentials they use for all their clients or they can be easily brute-forced. Make sure those credentials at least are unique to you, and restrict what those credentials can do to only that particular device or that particular type of devices, if it's a TMC car, if it's point-of-sale systems if you are a retailer, if you take the mCP of financial institutions or things like that. Make sure those credentials only have access to those things, that they don't have access to other things on your network.

Yeah, you know, it's interesting, we were talking about this a
little bit beforehand, and of course a prime example of a contractor who, you know, did cause some serious problems was Edward Snowden, you know, as some... right... was able to, you know, obviously had access to a treasure trove of data that he was able to get to and then basically steal it and take it out, you know.

Right, and that's a bit more complicated because he was an IT... he was part of the IT staff, right? So being part... if you're an IT administrator, if you are part of the IT team or the security team, you obviously, by the nature of your work, you have access to a lot of things, you have administrative credentials, you have... but the question arises: why did no one detect this behavior? Why did no one detect that was downloading a lot of data, exfiltrating a lot of data over a long period of time, and no one... this means they didn't have automated systems to detect behavior that was out of place, right? I mean, why is this IT guy accessing data that is only relevant for analysts or for other types of people, right? So yeah, I mean, Edward is a good example, and he was also politically motivated, so falls into one type of insider threat, politically motivated employees.

So I wonder, this all sounds a
bit sinister, and I'm wondering what companies should be looking at, what kind of behavior should they be looking at, and what are ways that they can prevent, or what sort of... yeah, what patterns or behavior should companies be looking at to detect and prevent insider threats within their own organizations?

Okay, so you could... there are products out there that analyze employee behavior, and by behavior I mean the way they use their computer, right? If you see access after work hours, if that employee stays late at the office and tries to access different types of data, if that employee comes with requests for access to data they shouldn't actually have access to, if you obviously see them suddenly downloading a lot of data on their computer when normally they don't, that's a red flag, and that can be flagged automatically. It doesn't have to be... so some things can be done from an IT perspective and can be detected through the way they use their... they suddenly make changes in the way they use their systems and do their job. Other things must be monitored and detected by the human resources department, like that employee acting strangely, being upset, working after hours and things like that. Those are things that can be red flags for the human resources department. So it has to be a process that's both common to the IT team and Human Resources team. Mitigating insider threat, it's not just IT.

You know, it's
interesting that as we talk about this, the thing that comes up so often is that a lot of this stuff is just simple common sense, you know, looking for people who, as you say, are accessing or trying to access data they don't need, you know, reminding people that that email that you got from the CEO promising you a bonus if you just click on this link might not be a real email. And of course, you know, obviously as we talk about the cybersecurity issues, and again, just if you're joining us, we're talking about Cybersecurity Month and insider threats, as we talk about these things it always seems like with security it's almost like we're always closing the barn door after the last horse, you know, because you only know what the threat is after it's happened and it has gone, and then you mitigate against that, and then hackers or someone who's going to, you know, who wants to do some damage find some other way around it. But do you get any sense, you know, sort of a 30,000-foot view, broader sense, that companies are taking these kinds of threats more seriously now, that there are efforts to do like employee training and to monitor networks and, you know, much more so than, say, even three, four or five years ago?

Yes, it's become... I mean, the Verizon data
breach report that came out this year, I think it was something like over 30% of all attacks involved phishing, and around also over 20% of them were the result of some type of insider threat. If we consider also, obviously, employees clicking on phishing links as an insider threat fiend we issue, then yes, obviously it's over 30 percent. So it's become... and this ratio has increased over the years. So it's a serious problem and companies are taking it seriously, but there are also many companies where... I would say what companies should start with, if they are not prepared yet for this, if they don't do security awareness training, if they don't do these other things, they should start at least with an inventory of their data. Know what data you have and where it is located, on premise, in the cloud, in what shares, and obviously who has access to it, is it like shared credentials, and you should enforce access controls based on the things employees need to do their job, right? People who are not in the finance department don't need access to the financial data. People who are not in the sales department don't need access to client lists and sales data and things like that. Those are very important, limiting the access that employees have. And when employees leave the company for whatever reason, revoke those credentials immediately. Don't leave those credentials laying around, because if the employee left the company because he was an upset and disgruntled employee, they might be looking for revenge, and there have been cases where that has happened, where employees who got fired connected back to the company's servers and deleted data or did other things.

Got it. We should probably check and see if we've got any questions or comments from
people who are watching us now while we're live on the air.

It's actually kind of quiet today, so...

Well, obviously we're giving them all the information and advice you need. OK, good. I mean, I think we've really sort of gone through the list here of, you know, the types of insider threats that companies face and the ways to mitigate against that. Any final thoughts, Juliet or Lucian, before we let you go?

No, I think this is very interesting. Anytime I feel like we talk, Lucian, I'm learning things that just scare me more.

Well, it is scary. I mean, the thing is there's a lot of data, companies have a lot of data, financial data, personal data, and, you know, when you've got that amount of data being created constantly, and of course the threat attack that the vectors changing, you know, the chances that something's gonna get out, you know, continue to rise. Lucian, any final thoughts before we let you go?

No, I mean, I would finish off with saying that security is not a business of eliminating threats but reducing risk. So you will never be able to eliminate threats, whether they're insider threat or external threat or other types of threat, and I'd like to go back what they're saying earlier: the most important thing is limit the damage that can be done if you are affected by something like this. Limit the damage that can be done by attackers if they get access through an employee, or by an employee if they want to go rogue or steal the data when they leave work, delete data or cause damage.

Great, that's great advice. Okay,
well, before we wrap up I should make a point that we have a Twitter chat coming up this coming Thursday at noon Eastern Time. The hashtag is IDG Tech Talk. That's on cybersecurity, correct?

It's insider threat, yeah.

Exactly, so we can continue the conversation online there. Also coming up next week on Wednesday, we're gonna take a look at technology that scares you, of course fitting for Halloween, whether it's AI, robots, security, insider threats, you know, autonomous driving cars, they're gonna run you down. So if we can have a nice conversation about that. And also, as a reminder, if you're watching us on YouTube you can subscribe to the channel. If you're looking at us on the Computerworld LinkedIn Live page, you can follow that page for more information on future episodes. In the meantime, Lucian, I want to say thank you for being here. I know it's later in the day there, so thanks for the information, a lot of good advice here.

Sure, thank you for having me, and anytime, we'll do this again.

Juliet, thanks for being here.

Thank you. Thanks, Lucian.

Thanks, everybody. Thanks a lot. That'll do it.
