Safeguarding against the insider threat

The insider is still one of the most vulnerable elements of cybersecurity and it was the discussion of the recent Modern Workplace webcast on cyber intelligence and the human element.  Insiders are those who are authorized to work on company systems or in company facilities and they include trusted employees and contractors.  Whether it is through human error, social engineering, or intentional action, insiders are the cause of a significant portion of malware infections, data breaches, information theft, and privacy violations.

There are some key strategies you can use to safeguard against the insider threat.  First, technical controls can reduce the burden placed on insiders or minimize the potential damage done by insiders.  However, the insider threat cannot be solved entirely by implementing more technical controls.  No, human behavior is far different from a computer system and cannot be changed with by flipping a switch or changing a bit.  Companies need effective security leadership, security awareness training, and assessments and metrics.

Technical controls

Technical controls need to be implemented in such a way that they make it easy for users to do their job, while still remaining secure.  Systems that become too difficult to use when security controls are applied are the systems that will see less use as employees find workarounds.  For example, a company may implement more stringent password policies and change intervals only to find that users are storing the passwords unencrypted in phones, memo pads, or on the calendar at their desk.

Not implementing technical controls can have the same effect.  A company without adequate spam filtering could see users utilizing personal cloud email accounts for company email to avoid having to sift through mass amounts of spam.

Security leadership

Leaders should set an example for other employees and their subordinates by following secure computing practices.  They can also set an example by choosing where to spend money.  Information security needs to have an adequate budget and spending should be consistent and proactive rather than spike immediately following a security incident.  In the Modern Workplace webcast on cyber intelligence and the human element, Phil Ferraro, Nielsen CISO, said that it is essential for business leaders to understand that cyber risk is business risk.  This is more than an IT problem.

Awareness training

Awareness training is essential for teaching employees how to do their jobs safely.  Almost everyone uses a computer on the job and this means that they are interacting with organizational apps and data.  End users need to understand how to recognize phishing messages, including targeted spear phishing messages, as well as other social engineering schemes such as fake social media accounts, unsafe instant messages and text messages, or deceptive phone calls and voice mails.

People need regular reminders in order for information to stay top of mind.  It is not enough to conduct training once a year.  Training should be augmented with emails that inform users of new techniques and attacks or remind them of what they learned in training.  Posters and signs can also help employees remember their training.

Assessment and metrics

Follow up security awareness training with assessments such as online quizzes or questionnaires.  You may also consider conducting social engineering penetration testing by phishing your own users.  These assessments can help identify those that still make mistakes or do not fully understand the material so that you can focus additional training on those users.

It is also helpful to establish meaningful metrics on security performance.  Report on these metrics in company meetings so that employees know that it is important to the organization.  Use security metrics in employee reviews and reward employees and groups when security goals are met.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

The missing leg – integrity in the CIA triad

Information security is often described using the CIA Triad. The CIA stands for Confidentiality, Integrity, and Availability and these are the three elements of data that information security tries to protect. If we look at the CIA triad from the attacker’s viewpoint, they would seek to compromise confidentiality by stealing data, integrity by manipulating data and availability by deleting data or taking down the systems that host the data.

By and far, most attacks have been focused on disrupting confidentiality or availability so defense mechanisms and training has also been focused there. The number of data breaches has skyrocketed and there is a flourishing market for stolen data including personal health information, credit card numbers, social security numbers, advertising lists, and proprietary technology. We also see many attacks on availability through Denial of Service.

Integrity attacks are much less commonplace, but they still represent a threat. Organizations must protect more than just confidentiality to be secure (see Overly and Howell’s Myth #3).

So what does an attack on integrity look like? Let’s look at three examples

  1. Enticing an opponent to make a bad decision

There is a software development saying that goes, “Garbage in, garbage out,” meaning if you let junk data into your program, it will produce junk for output. Similarly, junk data used in decision making will result in bad decisions. Integrity attacks of this sort aim to sabotage competitors or opponents by poisoning information stores that their competitors use to make critical decisions.

  1. Exploiting temporary data inconsistencies

Attackers modify the time on a Network Time Protocol server so that door access control systems think it is the middle of the day instead of the middle of the night. Consequently, the doors unlock or require only a pin instead of multi-factor authentication.

In another example, thieves momentarily inflate the balance of accounts before performing a wire transfer or stock ticker symbols are changed in a trading company database resulting in many incorrect stock transactions and inflated or deflated stock valuation by the market.

  1. Online Vandalism

Hacktivists or cyber activists often employ online vandalism to spread their message and others vandalize sites for fun or to hurt brand image. For example, the FBI issued a warning in April that ISIL was mass-defacing WordPress websites using known vulnerabilities.

The good news is that many of the technical controls organizations already have in place to protect the confidentiality and availability of data can also be used to protect its integrity since attackers must exploit similar vulnerabilities or access the same systems on which they perform other attacks. However, procedures and training may need to be updated so that employees are aware of such threats and how to recognize them. Furthermore, the data that goes into critical decisions should be validated through alternate sources. Consider the following:

  • Require application security assessments to address integrity as well as confidentiality and availability.
  • Conduct a risk analysis of the loss of data integrity for key information systems and use these risk calculations to ensure that controls adequately address risk levels.
  • Update security awareness training to include sections on data integrity, validation and incident reporting.
  • Ensure that security policies and procedures address integrity as well as confidentiality and availability.

Continue reading

Essential Computer Security at the Untangled Conference

I welcome you to join me on November 8 at Grace Baptist Church of Westlake for the Untangled Conference.  I will be presenting on security awareness to provide helpful tips and tricks to keep your computer and church network secure.

 

December 1 Update: Chris Brown took a photo of the Untangled Conference group which I have attached below:

 

 

 

 

 

UntangledConference

Data breach threats of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media, and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest threats were:

  1. Employee errors and omissions
  2. Denial of service (DoS) attacks
  3. Security breaches by third parties

Employee errors and omissions

Awareness is a critical factor here, and Deloitte lists it as one of the top three security initiatives of 2013.  70% of TMT companies responded in the survey that employee mistakes were an average of high vulnerability.  The risks, as stated by Deloitte, include, “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.”  To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of service (DoS) attacks

Denial of Service (DoS) attacks was also rated a high threat.  DoS attacks overload targeted information systems making them slow to respond to requests or taking them down entirely.  Due to the relative ease of conducting a DoS and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list.  These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group of their interests.  Organizations can protect themselves by monitoring the messages they are sending especially through social networking and by working out an incident response plan for handing a DoS attack that includes the public relations factors in addition to the technical ones.

Security breaches by third parties

Breaches by third parties are at the top of the listing party because the average company deals with so many third parties in the course of doing business.  In fact, 79% of respondents said the sheer number of third parties they deal with would be an average of high threat.  With so many third parties, it is difficult to determine if each has a sufficient level of security to protect adequately the data they work with and, as we all know, security is only as effective as the weakest link.  Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with through a process called vendor risk management.  The third party then needs to demonstrate security that is in line with the risk rating they have.  This process is required by regulations such as Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS) and Health Information Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow, and companies are tasked with more responsibility to protect the data they work with.  As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013.  To protect themselves, businesses can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

Who’s stealing your data?

Here is a fact that many of us would like to forget.  Most data theft occurs by insiders.  This is often termed the insider threat or the human threat.  Insiders are the people who would usually be considered very trustworthy.  However, all it takes is some incident or life change to occur that can motivate someone to commit a crime.

An evaluation of cases of insider theft has provided statistics useful in identifying the types of employees who are most likely to threaten information security.  Surprisingly, it’s not the underpaid computer guru working in the server room.  According to data from the Software Engineering Institute at Carnegie Mellon University, information theft is more likely to occur with those who serve in a managerial capacity in a non-technical role.  These individuals are usually between the ages of 26 and 40 and they are more likely to steal business data than Personally Identifiable Information (PII).

Equally important is that very few data thefts were discovered by the use of technology.  Rather, security awareness and incident response played a greater role in the detection of these crimes. Unfortunately, these competencies are neglected in many businesses.  The majority of cases were detected by employees who reported suspicious or unusual activity, customers who complained or by auditors.

Ensure that your incident response plans include response to the insider threat.  This includes computer forensic imaging and proper evidence handling procedures since these cases often result in litigation.  Train employees on how to recognize suspicious activity and whom to contact when they observe it.  Lastly, set up methods for anonymous reporting and whistleblowing.

Blind Security: A case of site intimidation

Every once in a while, a web site will try to convince you to change your security settings.  I was looking for blinds the other day, and I found a web site that had a great deal.  When I tried to customize the blinds, I was presented with this web page informing me that I needed to modify my cookie settings for first and third-party cookies for the site to work. I tried the site in a few browsers, and this page came up each time I tried to modify my selection. This should be a red flag to leave the site immediately.  It doesn’t matter what the reason is, possibly outdated code or incorrect security settings.  Either way, changing your security settings can make your machine vulnerable to attack.

I’ll leave the name of the company out but here is a screenshot of the page.   I sent the company an email about this I I sent them an email four days ago, but I have not received a response. Here is a copy of the email I sent them.

I have to tell you that I am extremely displeased with your web site.  I wanted to get a quote for blinds from you but I was presented with a page that requested I modify my browser security settings.  I tried it on Firefox and IE on my PC and neither worked so I tried it Firefox and Safari on my Mac, and it still did not work with my settings.  There is a reason why computers block the content you have on your site and that is because it is a security risk.  For you to force people to modify their security settings to use your site makes all your customers unsafe, and I think it is very reprehensible.  It opens them up to an attack or loss of privacy from future sites they may visit even if your own site has no malicious intent.  I would strongly encourage you to update your site so that it does not require this feature. You are doing a disservice to your customers.  Sincerely, Eric Vanderburg   Don’t let a site intimidate you into changing your browser security settings just to use the site.  It may look like a good deal but there could be some “hidden fees” such as personal information harvesting.  Just go to another site instead.  Companies, protect company data and your employees by enforcing browser security controls through group policies.  This way users will not be able to modify their browser security even if a web site tries to convince them to make a change.

Developing a Security Oriented Corporate Culture – white paper

JURINNOV is pleased to announce the release of an important and timely white paper, ” Developing a Security-Oriented Corporate Culture.” Organizations that do not develop a security-oriented corporate culture are risking fraud, loss or misuse of data, and even legal responsibility when information is compromised, according to the new white paper written by Eric Vanderburg of JURINNOV.

Eric, Director of Information Systems and Security at JURINNOV, wrote the white paper as a means of informing clients that corporate culture is a vital aspect of information security. Readers will benefit from his detailed analysis, which is available free online.

As the white paper makes clear, “the greatest security initiative may fail because of an incompatible corporate culture.”

Continue reading