The Insider Threat: Prevention, Detection, And Response When All Else Fails
Littler Mendelson, PC 2016 SCCE Dallas Regional Compliance & Ethics Conference
Philip L. Gordon, Littler Mendelson, P.C., 1900 16th Street, Suite 800, Denver, CO 80202. Phone: 303.362.2858. Email: [email protected]
Allison E. Moore, Littler Mendelson, P.C., 100 Congress Avenue, Suite 1400, Austin, TX 78701. Phone: 512.982.7255. Email: [email protected]

Agenda
I. Why Should You Worry About The Insider Threat?
II. Creating A Culture Of Data Stewardship
III. Understanding, Detecting And Preventing The Malicious Insider
IV. Security Breach Response
Why Should You Worry About The Insider Threat?

Insiders Are #1 Cause of Security Breaches
[Chart: breakdown of breaches by category: 18%, 16%, 15%, 15%, 14%, 12%, 8%, <1%, <1%, <1%; the category labels did not survive extraction]
Source: 2016 Verizon Data Breach Investigations Report

Cost of a Security Breach
• Average total cost = $7 million
  – up 8% from $6.5 million in 2015
• Average cost breakdown:
  – $730K in detection and escalation
  – $590K in notification costs
  – $1.7M in post-breach costs, i.e., help desk and remediation
  – $4M in loss of customers/goodwill
• Average cost per lost or stolen record = $221
  – up 2% from $217 in 2015
Source: 2016 Cost of Data Breach Study: United States, Ponemon Institute, May 2016

The CEO & Board Cares
• 39% of CEOs/Boards were involved in data breach preparedness in 2015 vs. 29% in 2014 (Ponemon/Experian 2015)
• Several CEOs have recently lost their jobs at least partly because of a security breach:
  – HBGary
  – Ashley Madison
  – Director of OPM

Class Action Litigation
• Dozens of class action lawsuits have been filed in the wake of security breaches
• Many are dismissed early in the litigation process
• However, the plaintiffs' class action bar is starting to see some success

Federal Enforcement
• FCC: $25M fine imposed on a telecom provider whose employees stole information on 280,000 customers
• HHS: 34 publicly announced settlements since January 2011
  – 15 settlements exceeded $1M
  – Average settlement > $1.3M
• SEC: Investment advisor fined $75K for poor cyber security

AG Enforcement Is Ramping Up
1. $95K to NY (3/16): Employer's online application was insecure, making about 500 employment applications available on Google
2. $20K to NY (1/16): Failure to notify workers of a data breach of names and driver's license numbers, and collection of unencrypted geolocation information on workers
3. $15K to NY (12/15): Nurse took patient list with diagnoses when leaving hospital's employ
4. $40K to MA (12/14): Theft of employee's company-issued laptop with more than 2,000 patient records
5. $100K to MA (12/14): Employee's personal laptop with 3,800 patient records stolen from unlocked office

Insider Threat Model
• Unintentional
  – Even good employees can cause significant harm with the tools they have today.
• Intentional
  – A motivated employee who wants to do you harm can do so.
  – Traditional tools to detect and prove harm may not be as effective.
Establishing A Culture Of Data Stewardship

Background Screening
• Key steps for reducing risk:
  1. Implement comprehensive pre-employment screening of employees, temps and contractors
  2. Tailor checks for positions involving access to sensitive data
  3. Consider conducting continuous monitoring of current employees
     – Only 36% conduct any form of on-going surveillance for changes in an employee's risk profile (Sterling 2016)
• Confirm that the background check program complies with FCRA, ban-the-box laws, and EEOC guidance

Confidentiality Agreements
• Execute during the on-boarding process
• Key terms:
  1. "Confidential Information" should cover sensitive consumer and employee information
     – Beware of potential NLRB, EEOC, SEC restrictions
  2. Summarize key information security obligations
  3. Require return of all confidential information upon request or at termination of the employment relationship

Policies And Procedures
• Policies and procedures need to address all forms of data, not just digital data "owned" by IT
• Policies and procedures not directly related to safeguarding data also are critical:
  – Code of ethics
  – Confidentiality
  – Pre-employment screening
  – Acceptable use

Information Security Training
• Every employee should receive data privacy training at orientation
  – Only 44% provided training at orientation (Ponemon/Experian 2015)
• Employees with access to trade secrets, confidential information, or personal data should have more in-depth training
  – Training can vary based on job functions and the sensitivity of the data that is accessed
• Periodically send reminders, updates, and notices
  – 71% of companies that provide training do so only once or sporadically (Ponemon/Experian 2015)

Big Picture Points
1. Employer's legal and/or contractual obligations to safeguard sensitive data
2. Types of information falling within the scope of the legal duty
3. Potential consequences for the employer of noncompliance
4. Steps employees can take to safeguard sensitive data

Training On Safeguards
1. Importance of protecting log-in credentials
   – In 2015, 63% of confirmed data breaches involved weak, default or stolen passwords (2016 Verizon Data Breach Report)
2. How to create a strong password
3. Screen security
4. How to recognize a "phishing" e-mail
   – Sanctioned phishing tests conducted in 2015 revealed that 30% of phishing messages are opened and 12% of recipients click on the malicious attachment (2016 Verizon Data Breach Report)
Phishing E-mail: Exhibit #1
Your Account has been limited ! Login Now and solve it
Dear Client
It looks like your account has limitation due to login from unkowndevice . We are keep your informations secret so you need to login to your account and provide us with some informations as security check .
To reset your account access please enter the link below
Login Now
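
The cues the training asks people to notice in Exhibit #1 (a generic greeting, pressure to act now, a login link that does not lead where it claims) can also be checked mechanically before a message reaches an inbox. The Python below is an added example and not part of the original presentation; it wraps the exhibit's text in HTML and assumes a sender address, a link target and a set of trusted brand domains, none of which appear in the deck.

```python
"""Mechanical phishing-indicator check over an HTML e-mail.

Added example, not part of the slide deck. SAMPLE_EMAIL reproduces the text of
"Exhibit #1"; its sender address, link target and the TRUSTED_DOMAINS set are
constructed assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the exhibit's text wrapped in HTML, with an assumed sender and link target.
SAMPLE_EMAIL = {
    "from": "PayBank Support <support@paybank-secure-login.example>",
    "subject": "Your Account has been limited ! Login Now and solve it",
    "html": """
      <p>Dear Client</p>
      <p>It looks like your account has limitation due to login from unkowndevice .
      We are keep your informations secret so you need to login to your account and
      provide us with some informations as security check .</p>
      <p>To reset your account access please enter the link below</p>
      <p><a href="http://198.51.100.23/paybank/login.php">Login Now</a></p>
    """,
}

# Constructed: a legitimate notice from the brand being impersonated, for comparison.
BENIGN_EMAIL = {
    "from": "PayBank Statements <statements@paybank.example>",
    "subject": "Your March statement is available",
    "html": """
      <p>Dear Ms. Rivera,</p>
      <p>Your March statement is ready in online banking.</p>
      <p><a href="https://paybank.example/statements">View statements</a></p>
    """,
}

# Assumption: the domains the brand actually sends from and links to.
TRUSTED_DOMAINS = {"paybank.example"}

URGENCY = re.compile(
    r"\b(limited|suspend\w*|verify|immediately|within 24 hours|login now|security check)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\s+(client|customer|user|member|account holder)\b", re.I | re.M)
DOTTED_QUAD = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkExtractor(HTMLParser):
    """Collect visible text and every (href, anchor text) pair from the HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def analyze(email, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    parser = LinkExtractor()
    parser.feed(email["html"])
    body = "".join(parser.text)
    flags = []

    sender_domain = email["from"].rsplit("@", 1)[-1].rstrip(">").lower()
    if sender_domain not in trusted_domains:
        flags.append(f"sender domain not trusted: {sender_domain}")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting (no name)")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(email["subject"] + " " + body)})
    if hits:
        flags.append("pressure language: " + ", ".join(hits))
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if DOTTED_QUAD.fullmatch(host):
            flags.append(f"link {text!r} points at a bare IP address: {href}")
        elif host not in trusted_domains:
            flags.append(f"link {text!r} leaves the trusted domains: {host}")
        if url.scheme == "http":
            flags.append(f"credential link served over plain http: {href}")
    return flags


if __name__ == "__main__":
    for label, mail in (("exhibit", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(mail) or ["no indicators"])
```

Run against the exhibit, the check raises five indicators; the benign statement notice from the real domain raises none. The link checks are the ones worth keeping even when the wording heuristics are tuned away, since the display text "Login Now" says nothing about where the href actually goes.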

Training On Safeguards
5. Physical safeguards for mobile devices
6. No storage in personal online accounts
7. What is a security incident?
8. How to report a security incident

Mobile Device Security
1. Devices must be registered and centrally managed
2. Password protection
3. Remote wipe capability
4. Encryption
5. Inactivity time-out
• Require participation in a BYOD program for employees using a personal mobile device for work

Technical Access Controls
1. Only employees who need access to sensitive information to perform job responsibilities have authorized access
2. Authorized access is restricted by the "minimum necessary" principle
3. Access rights are modified when job duties change
4. Terminate access promptly upon termination of employment
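
The four access rules above are only as good as the review that enforces them. The following Python is an added example, not code from the presentation: it reconciles a constructed HR roster and entitlement export against a per-role "minimum necessary" baseline and reports each account that breaks one of the rules (an account with no HR record, a terminated employee whose access is still enabled, and entitlements outside the role's baseline, whether left over from an old job or escalated).

```python
"""Access review against the four rules on the Technical Access Controls slide.

Added example, not part of the slide deck. The HR roster, entitlement export and
per-role baselines are constructed sample data; a real review would pull them from
the HR system, the directory and the application owners.
"""
from datetime import date, timedelta

# Constructed HR roster: status and job role per user; end_date set when terminated.
HR_ROSTER = {
    "asmith": {"status": "active",     "role": "billing_clerk", "end_date": None},
    "bjones": {"status": "active",     "role": "nurse",         "end_date": None},
    "cdoe":   {"status": "terminated", "role": "nurse",         "end_date": date(2016, 5, 2)},
    "dlee":   {"status": "active",     "role": "help_desk",     "end_date": None},
}

# Constructed entitlement export: one (account, entitlement) pair per row.
ENTITLEMENTS = [
    ("asmith", "billing_app_read"),
    ("asmith", "billing_app_write"),
    ("asmith", "ehr_patient_read"),   # left over from a previous role (rule 3)
    ("bjones", "ehr_patient_read"),
    ("cdoe",   "ehr_patient_read"),   # account still enabled after termination (rule 4)
    ("cdoe",   "vpn"),
    ("dlee",   "vpn"),
    ("dlee",   "domain_admin"),       # escalated privilege outside the role baseline (rule 2)
    ("ghost",  "vpn"),                # account with no HR record at all (rule 1)
]

# Constructed "minimum necessary" baseline: the entitlements each role needs, and no more.
ROLE_BASELINE = {
    "billing_clerk": {"billing_app_read", "billing_app_write"},
    "nurse":         {"ehr_patient_read"},
    "help_desk":     {"vpn", "ticketing_tool"},
}


def review_access(roster, entitlements, baseline, today, grace_days=1):
    """Return (account, finding, entitlements) tuples, one per account that violates a rule.

    grace_days is how long after the HR end date an account may still exist before
    it is reported as overdue rather than merely pending removal.
    """
    by_account = {}
    for account, ent in entitlements:
        by_account.setdefault(account, set()).add(ent)

    findings = []
    for account, ents in sorted(by_account.items()):
        person = roster.get(account)
        if person is None:
            findings.append((account, "orphan_account", sorted(ents)))
            continue
        if person["status"] == "terminated":
            end = person["end_date"]
            overdue = end is not None and today - end > timedelta(days=grace_days)
            kind = "terminated_still_enabled" if overdue else "terminated_pending_removal"
            findings.append((account, kind, sorted(ents)))
            continue
        excess = ents - baseline.get(person["role"], set())
        if excess:
            findings.append((account, "excess_entitlements", sorted(excess)))
    return findings


def run_sample_review():
    """Run the review over the constructed data as of a fixed date."""
    return review_access(HR_ROSTER, ENTITLEMENTS, ROLE_BASELINE, today=date(2016, 6, 1))


if __name__ == "__main__":
    for account, kind, ents in run_sample_review():
        print(f"{account:8} {kind:28} {', '.join(ents)}")
```

The review is deliberately driven by HR status rather than by whether anyone remembered to file a ticket: the exit interview on the next slides can only hand back what it knows about, while the roster comparison catches the account nobody mentioned.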

Exit Interviews
1. Provide departing employee with copy of executed confidentiality agreement
2. Remind employee of ongoing obligation to keep information confidential
3. Ensure return of all employer-owned computers, mobile devices and portable storage media
4. Ensure return of all paper documents containing confidential information

Exit Interviews
5. Coordinate removal of confidential business information from any "BYOD device"
   – Only 38% of organizations do this (Blancco Technology Group 2016)
   – Only 34% securely wipe departing employees' BYOD devices 100% of the time (Blancco Technology Group 2016)
6. Coordinate removal of confidential information from all personal accounts and media
The Malicious Insider

The Malicious Insider WILL…
• Attend ALL information security training sessions
• Sign a confidentiality agreement
• Sign a non-competition agreement
• Volunteer as a security "steward":
  – Volunteer to update or create policies
  – Volunteer to test security measures/policies

Unauthorized Data Storage Devices: Data Exfiltration
[Image slide]
Data Exfiltration: Think Outside the Box
[Series of image slides showing data storage devices, "Less in size…" with each slide]
Data Exfiltration: Think Outside the Box: Steganography
[Image slide]

Data Exfiltration: Think Outside the Box
Unauthorized Recording Devices:
• Camera phones (yes, even the innocent iPhone)
• Phones can easily record audio
  – Meetings
  – Sensitive conversations
• Smart glasses
• Pen and other spy cameras
Images from: http://ecx.images-amazon.com/images/I/51rEusQbg5L.jpg, http://ecx.images-amazon.com/images/I/31biUVj0mkL.jpg, http://ecx.images-amazon.com/images/I/41AJALwHpdL.jpg

Inspiration? The Result…
[Image slide]
Images from: http://commons.wikimedia.org/wiki/File:Martin_Motors_CEO_Rear.JPG, http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101155.jpg
Inspiration? The Result…
"Naturally, our cars are inspired by European carmakers," said Karl Schlössl, a German who is the chief executive of China Automobile. "But we reject the charge that they are copies." (http://www.bmwblog.com/2007/09/13/frankfurt-2007-bmw-vs-shuanghuan/)
Image: http://www4.pictures.gi.zimbio.com/62nd+International+Motor+Show+Cars+IAA+cc0QC1ZxBxyl.jpg
Knock it off! The Result?
Image from: sunboar.files.wordpress.com/2006/10/bmw-vs-byd-logo.jpg
[Image slide: BMW X5, Toyota Land Cruiser, Shuanghuan CEO]
Images from: http://images.forbes.com/images/2002/07/08/test_int_415x308.jpg, http://images.caradisiac.com/images/3/7/6/9/23769/S0-Shuanghuan-CEO-et-Jonway-UFO-en-France-au-mois-de-mai-101102.jpg, http://www.sobrecoches.com/var/plain_site/storage/images/coches/toyota/land_cruiser/novedad_r_edition/interior/toyota_land_cruiser_r_edition/313114-1-esl-ES/toyota_land_cruiser_r_edition1.jpg
Detecting And Preventing Insider Threat Activity

Detection: Insider Indicators
• Odd hour activity
• Undue curiosity
• Positions screen to hinder view
• Rogue systems
• Bogus accounts
• Remote access sites/software:
  – PCAnywhere
  – Citrix
  – WebEx
  – GotoMyPC
• Unauthorized websites
• Anonymity websites (Tor)

Detection: Insider Indicators
• Joking and bragging
• Installs unauthorized software
  – Duty-associated software: Photoshop, Nero, programming software
  – Unassociated harmless software: Spotify, Telegram, games
  – Suspicious software: network sniffers, password crackers, rootkits
• Escalated privileges
• Monitor help desk tickets for trends
  – Insiders do call for help when their attempts to circumvent security measures break things

Detection: Collecting Useful Data
• Account records
• GPS
• Print servers
• Logs: firewall, IDS, A/V, sniffers, proxy, system
• Create a timeline.
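
Putting the two indicator slides together with the "create a timeline" step: the Python below is an added example, not from the deck. It merges constructed badge, account, proxy and print-server records into one chronological timeline and flags the indicators named above (odd-hour activity, escalated privileges, remote-access services, anonymity sites, bulk printing). The field layouts, the host watchlists and the business-hours window are assumptions; a real deployment would map each log source's own schema into the same (timestamp, user, source, fields) shape.

```python
"""Merge several log sources into one per-user timeline and flag the insider
indicators listed on the preceding slides.

Added example, not part of the slide deck. Every record below is constructed;
the field layouts, the watchlists of hosts and the business-hours window are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, time
from urllib.parse import urlparse

# Constructed records. Each tuple starts with an ISO-8601 local timestamp and a user id.
BADGE_RECORDS = [                                        # (ts, user, action, door)
    ("2016-06-03T08:55:00", "asmith", "badge-in", "lobby"),
    ("2016-06-03T22:41:00", "jdoe",   "badge-in", "server-room"),
]
ACCOUNT_RECORDS = [                                      # (ts, user, action, target)
    ("2016-06-03T09:02:11", "asmith", "logon",     "WS-0412"),
    ("2016-06-03T22:43:12", "jdoe",   "logon",     "FILESRV01"),
    ("2016-06-03T22:50:07", "jdoe",   "group-add", "Domain Admins"),
]
PROXY_LOGS = [                                           # (ts, user, method, url)
    ("2016-06-03T10:15:30", "asmith", "GET",     "https://intranet.example/hr/benefits"),
    ("2016-06-03T23:05:44", "jdoe",   "GET",     "https://www.torproject.org/download/"),
    ("2016-06-03T23:07:02", "jdoe",   "CONNECT", "https://secure.logmein.com/"),
]
PRINT_LOGS = [                                           # (ts, user, action, document, pages)
    ("2016-06-03T11:00:00", "asmith", "print", "expense_form.pdf", 2),
    ("2016-06-03T23:20:00", "jdoe",   "print", "customer_list_all.xlsx", 412),
]

# Watchlists (assumptions): anonymity tools and remote-access services of the kind named on the indicators slide.
ANONYMITY_HOSTS = {"www.torproject.org", "torproject.org"}
REMOTE_ACCESS_HOSTS = {"secure.logmein.com", "www.gotomypc.com", "www.webex.com"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
BULK_PRINT_PAGES = 100


def build_timeline(*sources):
    """Normalise (source_name, records) pairs into (ts, user, source, fields) sorted by time."""
    events = []
    for source, records in sources:
        for ts, user, *fields in records:
            events.append((datetime.fromisoformat(ts), user, source, fields))
    return sorted(events, key=lambda e: e[0])


def flag_indicators(timeline):
    """Return {user: [indicator, ...]} for every event that matches an indicator."""
    flags = defaultdict(list)
    start, end = BUSINESS_HOURS
    for ts, user, source, fields in timeline:
        stamp = ts.strftime("%Y-%m-%d %H:%M")
        if not start <= ts.time() <= end:
            flags[user].append(f"{stamp} odd-hour {source}: {' '.join(map(str, fields))}")
        if source == "account" and fields[0] == "group-add":
            flags[user].append(f"{stamp} privilege escalation: added to {fields[1]}")
        if source == "proxy":
            host = (urlparse(fields[1]).hostname or "").lower()
            if host in ANONYMITY_HOSTS:
                flags[user].append(f"{stamp} anonymity site: {host}")
            if host in REMOTE_ACCESS_HOSTS:
                flags[user].append(f"{stamp} remote-access service: {host}")
        if source == "print" and fields[2] >= BULK_PRINT_PAGES:
            flags[user].append(f"{stamp} bulk print: {fields[1]} ({fields[2]} pages)")
    return dict(flags)


def run_sample():
    """Timeline and indicator flags over the constructed records."""
    timeline = build_timeline(("badge", BADGE_RECORDS), ("account", ACCOUNT_RECORDS),
                              ("proxy", PROXY_LOGS), ("print", PRINT_LOGS))
    return timeline, flag_indicators(timeline)


if __name__ == "__main__":
    timeline, flags = run_sample()
    for ts, user, source, fields in timeline:
        print(ts, user, source, *fields)
    for user, items in flags.items():
        print(f"\n{user}:")
        print("\n".join("  " + item for item in items))
```

The value is in the merge, not in any single rule: a late badge-in, a group change, a Tor download and a 400-page print job are each explainable alone, but lined up on one clock for one user they read as a sequence, which is what the "create a timeline" step is for.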

Identifying Steganography
• Look for strange activity / behavior
  – Emailing lots of pictures
• Look for tools
  – Good list: www.jjtc.com/Steganography/tools.html
  – Sometimes you won't find tools…
      copy /B source.gif+source.zip target.gif
    (creates a file that is a GIF and a ZIP at the same time)
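
The copy /B trick works because a GIF decoder stops at the trailer byte while a ZIP reader starts from the end-of-central-directory record, so neither notices the other. The Python below is an added example, not part of the presentation: it builds such a polyglot in memory from a hand-made 1x1 GIF and a constructed archive, then detects it by walking the GIF block structure to find where the image really ends and treating any trailing bytes as suspect. It generalizes beyond ZIP: any appended payload shows up as trailing bytes, and listing the archive is only attempted when the trailer is followed by a ZIP local file header.

```python
"""Detect a ZIP archive appended to a GIF, the `copy /B source.gif+source.zip target.gif`
trick from the slide.

Added example, not part of the slide deck. The GIF is a hand-built 1x1 image and the
archive contents are constructed; the function names are this example's own.
"""
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_LOCAL_HEADER = b"PK\x03\x04"

# Constructed payload: what a thief might tuck behind an innocent-looking picture.
SAMPLE_PAYLOAD = {"customer_list.csv": b"name,account_no\nJ. Doe,4111111111111111\n" * 50}


def minimal_gif():
    """A well-formed 1x1 GIF89a, built by hand so the example needs no image library."""
    return (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"  # logical screen; global color table of 2 entries
            + b"\x00\x00\x00\xff\xff\xff"                          # color table: black, white
            + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # image descriptor, no local color table
            + b"\x02" + b"\x02\x44\x01" + b"\x00"                   # LZW min code size 2; codes clear,0,EOI; block end
            + b"\x3b")                                              # trailer


def make_polyglot(gif_bytes, files):
    """Reproduce the copy /B trick in memory: a ZIP archive concatenated after the GIF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return gif_bytes + buf.getvalue()


def gif_end_offset(data):
    """Walk the GIF block structure and return the offset just past the trailer byte (0x3B).

    Anything after that offset is not part of the image, whatever it is.
    """
    if data[:6] not in GIF_MAGICS:
        raise ValueError("not a GIF")
    pos = 6
    packed = data[pos + 4]                       # logical screen descriptor flags
    pos += 7
    if packed & 0x80:                            # global color table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))

    def skip_subblocks(p):
        while True:
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer
            return pos
        if block == 0x21:                        # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 1)
        elif block == 0x2C:                      # image descriptor
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:              # local color table present
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos = skip_subblocks(pos + 1)        # LZW minimum code size byte, then image data sub-blocks
        else:
            raise ValueError(f"unexpected block type 0x{block:02x} at offset {pos - 1}")
    raise ValueError("GIF trailer not found")


def inspect_gif(data):
    """Report bytes hidden after the GIF trailer and, if they form a ZIP, the archive's members."""
    end = gif_end_offset(data)
    hidden = data[end:]
    result = {"image_bytes": end, "trailing_bytes": len(hidden), "zip_members": []}
    # zipfile locates the end-of-central-directory record from the end of the file and
    # corrects for prepended data, so the image in front does not stop it reading the archive.
    if hidden.startswith(ZIP_LOCAL_HEADER) and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["zip_members"] = [(i.filename, i.file_size) for i in zf.infolist()]
    return result


if __name__ == "__main__":
    clean = minimal_gif()
    print("clean:   ", inspect_gif(clean))
    print("polyglot:", inspect_gif(make_polyglot(clean, SAMPLE_PAYLOAD)))
```

Searching for "PK" signatures alone is a weaker check: a legitimate image can contain those two bytes by chance, and an attacker can choose a container that has no fixed signature. Measuring the gap between where the image format says the file ends and where the file actually ends catches both cases, and a large ratio of trailing bytes to image bytes is a good first filter over a mail spool or file share.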

Prevention
• Analyze current IT security posture
• Implement strategic initiatives
• Regular assessment of risk

Analyze IT Security Posture: Table Top Exercise
• What tools do you have to detect and log activity?
• What can these tools detect and not detect?
• How can the data these tools provide be used?
• Does the IT/Security staff understand how to configure and use the tools available?
• How far back is data available from these tools?
• Who is monitoring the reports from these tools? How often?
• Are your privacy policies consistent with your practices?
• Who can grant exceptions to your policies?

Implement Strategic Initiatives
• Policies for the people
• Policies for IT/management
• Information classification
• Monitoring use:
  – User-based analytics
  – Data Loss Prevention (DLP)
  – Specialty tools for more sensitive data

Regular Assessment of Risk
• Assess risks of current operations and decide whether to update the rules.
• Consider new technology or new data categories:
  – Use of cloud tools
  – VPN (with or without personal devices)
  – BYOD policies
  – Forbid devices in sensitive areas?
When Is An Incident A Breach?

Is The Incident A Breach?: Sources of Law
• State law
• HIPAA
• GLBA
• Payment Card Industry Data Security Standard
• International data protection law

State Breach Notification Laws
47 states, D.C., Puerto Rico, USVI, and Guam now mandate notice of a security breach.
Only the following states do not have notice statutes: AL, NM, and SD.

Trigger Event
1. Unauthorized acquisition
2. Unencrypted
3. Computerized
4. Personal information
5. A material risk of harm

Computerized vs. Paper
Ten states require notice even when the breach does not involve computerized data:
AK, CA (medical providers only), HI, IA, IN, MA, NC, SC, WA, WI

Personal Information Defined
First name or initial plus last name, plus:
• SSN
• Driver's license number and/or state-issued ID number
• Credit or debit card number or financial account number, in combination with any required password
Other information is included in: AK, AR, CA, CO, FL, GA, IA, KY, ME, MD, MO, MT, NC, ND, NE, NJ, NV, OR, PR, RI, SC, TX, VA, WI, WY
The Notification Process: How Does It Really Work?

Understand The Incident
1. What happened?
2. Was the data in paper form or encrypted?
3. When did the incident occur?
4. When was the incident discovered?
5. Has law enforcement been contacted?

Understand The Affected Population
1. Who was affected by the incident?
2. Where do affected individuals reside?
3. How many affected individuals per state?
4. What categories of information were affected, and for which individuals?
5. What steps have been/should be taken to mitigate the incident?

Need For An Interdisciplinary Team
• Legal counsel
  – Preserve attorney-client privilege
  – Navigate the patchwork of breach notification laws
  – Prepare required notices to affected individuals and to government agencies
• IT department / outside forensic firms
  – Conduct the investigation
• Business unit leader
  – Business judgment calls
  – Customer relations issues
• Communications
  – Media relations
  – Notices to customers

Know Your Deadlines
1. Most jurisdictions: "without unreasonable delay"
2. Beware of short reporting deadlines
   – PR: 10 days to the Dept. of Consumer Affairs
   – VT: 14 business days to the state's Attorney General
   – CA: 15 business days to the Dept. of Health Services
   – FL: 30 days to individuals
   – OH, RI, WI, WA, VT: 45 days to individuals
3. Strive to complete notification within 30 days of discovery
4. Do you need a law enforcement delay?

Get Your Vendors Working
1. Breach counsel: involve at the earliest possible stage
   – Establishes attorney-client privilege of communications with the SIRT and with breach response vendors
2. Identity protection services: select vendor, negotiate pricing, complete contracting
3. Printing/mailing vendor: get timelines and mailing list requirements
   – Preparing the mailing list can be the most time-consuming aspect of security incident response
   – Beware of special populations: minors, deceased, non-English speakers
4. Call center vendor: select vendor, complete contracting, develop FAQs
5. Public relations firm: develop a press release in case the breach goes viral

Notice To Affected Individuals
1. What happened
2. Types of personal information involved
3. What the organization has done to investigate, mitigate and remediate
4. Steps individuals should take to protect themselves
5. Contact person
• Laws of various states impose 21 additional content requirements

Offer Identity Protection Services?
• Required only in CA and CT, and only for breaches involving social security numbers and, in California, driver's license numbers
• Credit monitoring is the best practice if there is a risk of financial harm
• Important considerations:
  – Are minors impacted?
  – Fraud resolution services
  – Cost
  – 1 year vs. 2 years
  – Types of personal information impacted

Notice To Government Agencies
25 states & PR require notice to a government agency; thresholds by number of affected individuals:
• More than 1,000 individuals: HI, MO, SC, VA
• More than 500 individuals: CA, FL, IA, RI, WA
• More than 250 individuals: IL, ND, OR
• No minimum: CT, IN, LA, MA, MD, ME, MT, NC, NE, NH, NJ, NY, PR, VT