One of the most critical aspects of safeguarding the IT assets of any corporation is dealing with the insider threat. With so many diverse IT components, designing an effective IT security strategy is a real challenge. It is critical to recognize this particular threat and take countermeasures to protect your assets. This webinar covers insider threats, how to mitigate them, how to design an effective IT security strategy, and how to protect your assets.
Main points covered:
• Insider threats
• How to design an effective IT security strategy
• How to protect your assets
Presenter:
The webinar was hosted by Demetris Kachulis. Mr. Kachulis is an expert in the field of Information Security. With over 20 years of Wall Street consulting experience, he has worked with many Fortune 500 companies. He is currently the director of Eldion Consulting, a company offering Security, Trainings and Business solutions.
Link of the recorded session published on YouTube: https://youtu.be/hXe5HHjnBeU
2. Kachulis Demetris, Senior Technical Consultant
Demetris Kachulis is an expert in the field of Information Security. With over 20 years of Wall Street consulting experience he has worked with many Fortune 500 companies. He is currently the director of Eldion Consulting, a company offering Security, Trainings and Business solutions.
+357 97730865
dkachulis@eldionconsulting.com
www.eldionconsulting.com
https://cy.linkedin.com/in/demetri-kachulis-cissp-cisa-mpm-2456551
3. What it is
• An insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
4. The Insider Threat: Negligent Employees
• Data security is compromised through the unintentional and unwise behavior of employees and IT professionals
5. The Insider Threat: Disgruntled Employees
• An employee who is disgruntled or seeks to gain financially through illicit actions that involve corporate resources can become an insider threat that adds a dangerous new dimension to the data loss prevention challenge.
10. Cisco Findings
• 33 percent of IT professionals were most concerned about data being lost or stolen through USB devices.
• 39 percent of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers.
• 27 percent of IT professionals admitted that they did not know the trends of data loss incidents over the past few years.
11. Threat Types
• IT Sabotage – California Case
• Theft of Information (e.g. Industrial Espionage)
• Fraud
• Threats in the Software Development Life Cycle – Slicing
14. Case Study analysis
• 77 cases in the U.S. from 1996-2007
• Who: 5% former employees, 95% current employees; male/female 50/50
– Low level: data entry, customer information, clerks
• Why: financial gain; 1/3 ongoing for more than a year
– A recurring pattern in the theft of information for financial gain cases includes an outsider recruiting an insider in a low-paying, non-technical position who has access to PII or CI
– Insiders were paid to modify data, for example credit histories
– Some insiders were able to design and carry out their own modification scheme due to their familiarity with the organization's systems and business processes.
15. How was the attack staged?
• 95% of the insiders stole or modified the information during normal working hours, and over 75% of the insiders used authorized access
• Five had system administrator or database administrator access and less than 15% had privileged access
• Only 16% of the crimes involved sophisticated technical techniques
• 85% of the insiders used their own usernames and passwords to commit their crimes
• Slightly over 10% compromised someone else's account
16. How was it detected?
• Only one of the insiders was detected due to network monitoring activities
• Half were detected due to data irregularities
• The majority of the cases were detected by non-technical means, such as notification of a problem by a customer
• Over 50% of the cases were detected internally by non-IT security personnel, 26% by clients or customers of the organization, and 5% by competitors.
18. Learn from past incidents
• Some organizations experience the same types of insider crimes more than once
• When you have an attack, implement controls to catch it next time
• Some organizations: create formal teams to examine past incidents and implement new controls
19. Focus on Protecting your Crown Jewels
• One third of CERT's insider theft of IP cases involve a foreign government or organization
• What would happen if your IP was stolen and taken out of the country?
• Most insiders use authorized access to steal IP, but they don't always require that access!
• Some organizations: implement extra controls for THE most critical IP
• Protect against "erosion of access controls"
20. Technology Use
Use of tools like:
• DLP (data loss prevention)
• SIEM (security information and event management)
• Data correlation
• IDS (intrusion detection systems)
• Network monitoring
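As an added example (not from the webinar or the presenter), a small SIEM-style correlation in Python over a constructed audit log. Since the case studies show most insiders used their own authorized access during normal working hours and half the cases were caught through data irregularities, the two rules look for those irregularities rather than for failed logins: a user's daily record volume far above their own baseline, and writes to sensitive records by a role that is not permitted to modify them. The log entries, user roles and policy table are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit log (not real data): (day, user, action, table, records)
AUDIT_LOG = [
    (1, "alice", "READ", "customer_pii", 40),
    (2, "alice", "READ", "customer_pii", 45),
    (3, "alice", "READ", "customer_pii", 38),
    (4, "alice", "READ", "customer_pii", 410),   # bulk pull, far above her own baseline
    (1, "bob", "READ", "credit_history", 20),
    (2, "bob", "UPDATE", "credit_history", 3),    # a clerk modifying credit histories
    (3, "bob", "READ", "credit_history", 22),
    (1, "carol", "READ", "orders", 100),
    (2, "carol", "READ", "orders", 98),
]
# Constructed policy: which roles may write to each sensitive table.
MODIFY_ALLOWED = {"credit_history": {"credit_analyst"}, "customer_pii": {"dba"}}
USER_ROLES = {"alice": "clerk", "bob": "clerk", "carol": "sales"}

def volume_spikes(log, factor=5.0):
    """Flag (user, day, records) where a user's daily record volume exceeds
    `factor` times the median of that user's other days. The baseline is the
    user's own history, so authorized access is still caught when it spikes."""
    per_user = defaultdict(lambda: defaultdict(int))
    for day, user, _action, _table, records in log:
        per_user[user][day] += records
    hits = []
    for user, days in per_user.items():
        for day, n in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if others and n > factor * median(others):
                hits.append((user, day, n))
    return hits

def unauthorized_modifications(log):
    """Flag (user, day, table) for writes to a sensitive table by a user
    whose role is not permitted to modify it."""
    hits = []
    for day, user, action, table, _records in log:
        if action in ("UPDATE", "DELETE") and table in MODIFY_ALLOWED:
            if USER_ROLES.get(user) not in MODIFY_ALLOWED[table]:
                hits.append((user, day, table))
    return hits

if __name__ == "__main__":
    print("volume spikes:", volume_spikes(AUDIT_LOG))
    print("unauthorized modifications:", unauthorized_modifications(AUDIT_LOG))
```

Both rules fire on activity that would pass an authentication-centric monitor, which is the gap the detection statistics above point to.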
21. Mitigate Threats from Business Partners
• Trusted Business Partners (TBPs) include:
– contractors
– outsourced companies
• Some organizations:
– Specify information security controls in contracts
– Require the same controls for their TBPs as they require internally
– Audit TBP policies and procedures
– Require same policies and procedures for contractors as for employees
22. Recognize Behavior as a Potential Indicator
• Most prevalent in insider IT sabotage and theft of IP
• Some organizations: educate management staff on insider threat indicators
• Communicate to security staff which employees are "on the HR radar"
23. Educate Employees Regarding Potential Recruitment
• Carefully consider: do you have any systems or data that an insider could be paid to steal or modify?
– Financial data, Personally Identifiable Information (PII), identity documents, utility bills, credit histories
• Some organizations:
– Perform periodic background checks for existing employees
24. Pay Close Attention to Resignation/Termination
• Change in employment status is the TOP issue of concern on the insider threat list
• BUT... typically not in fraud cases!
• Some organizations: perform targeted employee monitoring of
– Low-performing employees
– Employees who will be laid off or terminated
• Implement special controls for their most critical IP
25. Address Employee Privacy Issues with the Legal Department
• Employee privacy issues present a tricky legal issue
• Laws and regulations differ in the private sector, government, and the various critical infrastructure sectors
• Some organizations: have created and implemented insider threat policies and processes by working with Human Resources, General Counsel, Information Security / Information Technology, Security, and top management
26. Work Together Across the Organization
• IT cannot solve this alone!
• Need communication across Management, Information Security / Information Technology, Security, Data Owners, Software Engineering, General Counsel, and Human Resources
• Some organizations: achieve this communication, but only after significant suspicious activity warrants an investigation
• Some have achieved proactive communication between some of these organizational units
27. Create an Insider Threat Program NOW!
• In the first three months following this presentation you should:
– Obtain buy-in from top management
– Form an insider threat team
– Create policies
– Develop processes and implement controls
• Within six months you should:
– Roll out and consistently enforce the policies
– Regularly communicate across your organization
28. Best Practices
• Assess risks by identifying and classifying confidential information
• Educate employees on information protection policies and procedures (such as streamlined social media profiles), then hold them accountable
• Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints
• Deploy data loss prevention technologies which enable policy compliance and enforcement
• Proactively encrypt laptops to minimize the consequences of a lost device
• Implement two-factor authentication (e.g. VPN plus strong user name and password)
• Integrate information protection practices into business processes