Protection From Within: Addressing the insider threat. Dan Lohrmann, Chief Strategist & CSO, Security Mentor, Inc. September 4, 2014.
Slide 1
Protection From Within
Addressing the insider threat…
Dan Lohrmann, Chief Strategist & CSO
Security Mentor, Inc.
September 4, 2014
Slide 2
Key Questions
Where does your biggest threat of a data breach reside?
- Internal staff, contractors and/or known business partners
- External hackers, organized crime, overseas (somebody)
- About equal (almost 50/50)
Where are you spending organizational resources?
- Internal staff, contractors and/or known business partners
- External hackers, organized crime, overseas (somebody)
- About equal (almost 50/50)
Slide 4
What is an Insider Threat?
- Security Softie: Limited security knowledge; uses the work computer at home and shares it with family.
- Gadget Geek: Brings in a variety of devices and plugs them into their work computer.
- Squatter: Uses the work computer for storing content or playing games.
- Saboteur: Accesses information they shouldn't, or purposely infects the network from within.
Note: The Securelist insider threat categories include: the careless insider, the naïve insider, the saboteur, the disloyal insider, the moonlighter and the mole.
(Add conscientious objector?)
Source: McAfee
Slide 5
Incidental Security Leaks
From the FBI Insider Threat Program:
- Insider threats are not hackers.
- Insider threat is not a technical or "cybersecurity" issue alone.
- It's a people-centric problem.
- Organizations should focus first on deterrence, then on detection.
Slide 6
Insider Threat Statistics
- 21% of workers let family or friends use work laptops to access the Internet
- 51% connect their own devices to their work computer
- 60% admit to storing personal content on their work computer
- 62% admitted to limited knowledge of security
Source: Schneier on Security
Slide 7
What Can Happen?
Threats to Business:
- Loss of productivity
- Network compromise (virus, malware)
- Breach of sensitive information
- Copyright violations
- Litigation
- Bad publicity
Threats to Individual:
- Loss of professional reputation
- Loss of personal integrity
- Loss of employment
- Criminal penalties, fines, jail time
Slide 8
Small group work (break into groups of 3-5)
- What Insider Threat(s) keeps you up at night? Why?
- Have you had a major insider threat incident? Can you share?
- What actions are you taking to address the insider threat?
Pick a spokesperson and be ready to report back to the group.
Slide 9
Are you for us or against us?
Story of personal journey on this topic of security as enabler; LinkedIn series of three articles.
Goal one: Understanding the problem scope
- Cloud, mobile, BYOD, telework, social media
- HR, productivity, talent acquisition affected
- Employees, contractors, partners
- Ask: what's really happening with policies?
- Check: do our practices match procedures?
- Perform: a good risk assessment
Photo credit: Stockphotoforfree.com
Slide 10
Changing your security culture with a new approach
Goal two: trust & verify
- Reexamine acceptable use and social media policies
- Examine access controls for incoming and outgoing staff
- Ensure contract agreements are in place
- Ask: Is the majority of staff with you?
- Check: security logs, monitors, big data
- Perform: background checks, as appropriate
Photo credit: Harland Quarrington/MOD, via Wikimedia Commons
Slide 11
Building Trust & Fixing the Security Culture
Goal three: enabling the doers
- Ask: Do staff know what to do if an incident occurs?
- Conduct exercises
- Train in memorable ways (more coming on this)
- Check: engagement with surveys and feedback
- Measure progress; reward the right things (all eyes helping)
- Empower the security team with new tools & attitude
- Focus on: risk management methodology
Slide 12
Tips for three groups
For Company Leadership:
- Ask what's really happening.
- Begin (or improve) the conversation between management and staff regarding expectations for online behaviors at work.
- Look at new awareness training techniques that engage staff and provide a positive difference.
- Offer fun, engaging, updated material to help improve the security culture and get the masses onboard.
For Security Professionals:
- Start by rethinking how to enable secure access for the business, not just disabling access or blocking.
- Build trust with enterprise staff and verify controls at the same time by focusing on the most serious situations using a risk management approach.
- Determine what your web monitoring and log data is really telling you about where your greatest insider threats are.
- Don't just "check the box" on employee engagement; offer solutions for tips/input.
Slide 13
Tips for three groups (continued)
For End Users:
- Become engaged. Encourage office conversations with all levels of staff about what's really happening online. Be part of the solution.
- Understand acceptable use policies and security procedures, and balance personal freedom with corporate responsibility online.
- If you are bored at work, dig deeper at the root causes. Are you in the right job?
- Look in the mirror and ask: Are my actions and surfing online appropriate?
EVERYONE: We need to do soul-searching and ask: How can I become more engaged in Internet safety in positive ways at work?
Slide 14
Users: Our Greatest Vulnerability
". . . Rogers says about 80 percent of the cyber security problems can be solved with regular computer hygiene – strong password, firewall and virus protections that citizens need to exercise diligently."
Slide 15
Looking Back . . . The Results
In a word . . . FLOP
Approximately 3,000 of 50,000 employees completed the voluntary training.
Some employee feedback:
- Boring
- Irrelevant
- Outdated
- "Death by PowerPoint"
- Doesn't apply to ME
Slide 16
The Problem?
- 11 audit findings relative to user training.
- Minimal actual participation.
- No user buy-in.
But, wait . . .
- New sense of urgency.
- New executive management.
- New Michigan Cyber Initiative.
Slide 17
Next Generation Cyber Awareness Training
Rollout began September 2012 – 50,000 employees/partners – grown to 60K
Twelve modules (approximately 10 minutes each):
- Intro to Security Awareness
- Information Protection
- Computer Security
- e-Mail Security
- Reporting Incidents
- Passwords
- Phishing
- Office Security
- Social Networking
- Web Security
- Public WiFi
- Mobile Security
New module delivered to the desktop every other month
Interactive, engaging, and "sticky"
Provides measurable metrics
Currently at 87% participation – positive feedback
Slide 18
Lesson #7: Phishing
Slide 19
Small group work (break into groups of 3-5)
- What activities have you seen bring the best cultural change results in your organization? Did the change last? Why or why not?
- Have you implemented any of the suggested items for the three groups? If yes, what happened?
- Any success stories to share regarding insider threats?
Pick a spokesperson and be ready to report back to the group.
Slide 20
Thank You!
Dan Lohrmann, Chief Strategist & CSO
Security Mentor, Inc.
dlohrmann@securitymentor.com
Connect on LinkedIn or Twitter: @govcso