Andy Malone
Microsoft MVP (Enterprise Security)
Founder: Cybercrime Security Forum
Microsoft International Event Speaker
MCT (18 years)
Winner: Microsoft Speaker Idol 2006
Follow me on Twitter: @AndyMalone
Agenda
- The Inside Man Threat?
- Understanding the Psychological & Sociological Impact of Espionage
- Understanding Espionage Tactics, Threats & Techniques
- Counter Espionage Techniques & Technologies
- The Art of Social Engineering & Corporate Deception
- Q&A Session
- Review
"Economic espionage losses to the American economy now total more than $13 billion per year."
Assistant Director, Counterintelligence, FBI
Firstly, what exactly is the threat?
A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
Common espionage / computer crimes include:
- Intellectual property theft
- Damage to the company computer network
- Embezzlement
- Copyright piracy
- Planting viruses and worms on company computers
- Use of stealth listening devices / recording equipment
- Information trafficking
- Illegal email
- Information theft
The Inside Man: The Invisible Threat!
- All employees are trustworthy, right?
- Often difficult to identify
- Specific employee actions are unpredictable
- Difficult to trace / track
- By the time discovery is made, the damage has already been done!
- Plausible deniability
- Poor security measures, procedures & policies
Understanding the Psychological & Sociological Impact of Espionage
Why do they do it?
- Evidence shows that the principal espionage threats do not come from clever and devious foreigners. They come from "insiders".
- Of the 98 US citizens arrested for espionage over the past 20 years, most were trustworthy and loyal at the time they were investigated and first approved for clearance.
- Most surprising is that a majority of those who became spies volunteered their services to a foreign government.
- They were not enticed, persuaded, manipulated, or coerced into betraying their
Source: United States Central Intelligence Agency
Psychological & Sociological Impact
- Selling secrets is seldom a sudden, uncontrolled impulse.
- It is usually the last act of a long-simmering emotional crisis, treatable before the damage was done.
- Spies are not "crazy", but they usually are emotionally disturbed or suffer from one or more personality disorders.
- Of the personality disorders found in spies, the two most common are antisocial personality disorder and narcissism.
Types of Malicious Incidents
- IT sabotage: typically committed by system administrators, programmers, technically sophisticated users and privileged users who become very disgruntled.
- Theft of intellectual property or industrial espionage involving trade secrets, such as scientific information and source code: typically committed by scientists, engineers and programmers.
- When insiders steal intellectual property, they usually act within a 30-day window, because of audit processes.
How do they do it?
- Use stealth recording devices (audio, video, software-based bugs) to record private conversations and meetings
- Plant keyloggers and malicious software on company computers
- Illicitly obtain private files / information with the intention to illegally share or sell them
Amazing Spy Gear! Buy Yours Today
The UZI Tactical Defender Pen:
- Allows users to break glass
- Can obtain DNA samples from attackers
- Get out of handcuffs...
- And of course, to write
- Only $24.99
Amazing Spy Gear! Buy Yours Today
1080p HD infrared spy camera that fits on your keychain:
- Rechargeable battery
- USB interface for transferring videos and recharging the battery
- Takes regular and IR videos and pictures, as desired
- Motion-detecting record activation; video recorded as AVI
- Records audio
Spot the Warning Signs!
- Takes unauthorised material home via documents, thumb drives, computer disks, or e-mail
- Obtains proprietary or classified information on subjects not related to their work duties
- Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors
- Unnecessarily copies material, especially if it is proprietary or classified
- Remotely accesses the computer network while on vacation, sick leave, or at other odd times
- Engages in suspicious contacts
- Shows unusual interest in the personal lives of co-workers
- Concern that they are being investigated; searches for listening devices or cameras
Many people experience or exhibit some or all of the above to varying degrees.
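Several of the warning signs above can be turned into detection rules over ordinary access logs: remote access during leave or outside working hours, access to material outside the employee's own area, and bulk copying. The script below is an added example, not part of the presentation; the roster, leave dates, business hours, copy threshold and log lines are all constructed sample data, and the rule that a file's owning department is the first path component is an assumption.

```python
"""Flag insider-threat warning signs in a constructed access log.

Added example (not from the presentation). Scores three indicators from
the warning-signs slide: remote access while on leave or at odd hours,
access outside the user's own department, and bulk copying. All data
below is constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed HR data: department and leave dates per employee.
ROSTER = {
    "alice": {"dept": "finance", "leave": {"2024-03-11", "2024-03-12"}},
    "bob": {"dept": "engineering", "leave": set()},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed working window, local time
BULK_COPY_THRESHOLD = 50                     # assumed policy limit, files per day

# Constructed log lines: timestamp|user|action|path|channel
SAMPLE_LOG = """\
2024-03-11T23:10:00|alice|read|/finance/q1_forecast.xlsx|vpn
2024-03-12T02:45:00|alice|copy|/engineering/src/auth.c|vpn
2024-03-13T09:30:00|bob|copy|/engineering/src/auth.c|lan
2024-03-13T10:00:00|bob|copy|/engineering/src/crypto.c|lan
"""


def parse_log(text):
    """Parse pipe-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path, channel = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "action": action,
            "path": path, "channel": channel,
        })
    return events


def path_dept(path):
    """Owning department is the first path component (assumed layout)."""
    return path.strip("/").split("/")[0]


def find_warning_signs(events, roster, bulk_threshold=BULK_COPY_THRESHOLD):
    """Return a list of (user, reason) alerts."""
    alerts = []
    copies = defaultdict(int)  # (user, day) -> number of copy events
    for ev in events:
        user = ev["user"]
        info = roster.get(user)
        if info is None:
            alerts.append((user, "unknown user"))
            continue
        day = ev["ts"].date().isoformat()
        on_leave = day in info["leave"]
        odd_hours = not (BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1])
        # Remote access while on leave or at odd times
        if ev["channel"] == "vpn" and (on_leave or odd_hours):
            reason = "remote access while on leave" if on_leave else "remote access at odd hours"
            alerts.append((user, reason))
        # Material not related to the user's own duties
        if path_dept(ev["path"]) != info["dept"]:
            alerts.append((user, f"access outside own department: {ev['path']}"))
        if ev["action"] == "copy":
            copies[(user, day)] += 1
    # Unnecessary copying: volume per day above the policy threshold
    for (user, day), n in copies.items():
        if n >= bulk_threshold:
            alerts.append((user, f"bulk copy: {n} files on {day}"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_warning_signs(parse_log(SAMPLE_LOG), ROSTER):
        print(f"{user}: {reason}")
```

With the constructed data, alice is flagged three times (two leave-time VPN sessions and one file outside finance) and bob not at all; lowering the copy threshold to 2 also flags bob's two copies on the same day, which is how a real deployment would tune the rule to its own baseline.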
Results of a Breach!
- Company defamation
- Damaged reputation
- Loss of customer confidence
- Potential financial losses
- Legal liabilities
- Loss of assets
- Breach of trust
- Potential closure of business!
Mitigate the Risk
- Must place trust aside!
- Always monitor employee actions
- Implement a rigorous termination process
- Maintain backup and recovery
- Invest in forensic procedures
Mitigation: Managing Risk!
- Deliver a proactive security policy from management
- Communicate insider threats through security awareness programs
- Conduct pre-employment screening (Facebook, LinkedIn, Twitter etc.)
- Pay attention to performance-issue handling
- Enforce separation of duties and need-to-know access
Mitigation: Tech Ways to Mitigate the Risk!
- Monitoring of insider email
- Monitoring of insider keystrokes
- Examination of insider computer files
- Limit the use of 3rd-party apps on phones / computers
- Monitoring of insider internet traffic
- Pay increased attention to privileged accounts
- Implement strict password and account policies
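Separation of duties, need-to-know access, a working termination process and extra scrutiny of privileged accounts (the controls from the two mitigation slides above) can all be expressed in one authorization decision. The code below is an added example, not from the presentation; the roles, role-to-action mapping, conflict pairs, users and requests are constructed, and modelling need-to-know as project membership is an assumption.

```python
"""Need-to-know, separation-of-duties and privileged-account checks.

Added example (not from the presentation). Every role, user, project and
request here is constructed; need-to-know is modelled as membership of
the project that owns the object, which is an assumed design choice.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    roles: frozenset
    projects: frozenset        # projects the user has a need-to-know for
    privileged: bool = False   # admin-level account, gets extra logging
    active: bool = True        # set False by the termination process


# Assumed policy: which role may perform which action.
ROLE_ACTIONS = {
    "payables_clerk": {"submit_payment"},
    "payables_approver": {"approve_payment"},
    "sysadmin": {"read_logs", "reset_password"},
    "engineer": {"read_source"},
}

# Action pairs one person must never perform on the same object.
SOD_CONFLICTS = {frozenset({"submit_payment", "approve_payment"})}


@dataclass
class Decision:
    allowed: bool
    reason: str
    flags: list = field(default_factory=list)


def permitted_actions(user):
    return {a for r in user.roles for a in ROLE_ACTIONS.get(r, ())}


def authorize(user, action, obj, history):
    """obj is {"id": ..., "project": ...}; history is a list of
    (user_name, action, obj) tuples already performed."""
    if not user.active:                       # termination process
        return Decision(False, "account disabled")
    if action not in permitted_actions(user):  # role check
        return Decision(False, f"role does not permit {action}")
    if obj["project"] not in user.projects:    # need-to-know
        return Decision(False, f"no need-to-know for project {obj['project']}")
    for who, prior_action, prior_obj in history:  # separation of duties
        if (who == user.name and prior_obj["id"] == obj["id"]
                and frozenset({prior_action, action}) in SOD_CONFLICTS):
            return Decision(False,
                            f"separation of duties: already performed {prior_action} on {obj['id']}")
    flags = []
    if user.privileged:                        # privileged accounts get extra attention
        flags.append("privileged account: record session for review")
    return Decision(True, "ok", flags)


def run_scenarios():
    """Constructed requests exercising each control; returns {name: Decision}."""
    alice = User("alice", frozenset({"payables_clerk", "payables_approver"}), frozenset({"apollo"}))
    bob = User("bob", frozenset({"sysadmin"}), frozenset({"infra"}), privileged=True)
    carol = User("carol", frozenset({"engineer"}), frozenset({"apollo"}), active=False)
    dave = User("dave", frozenset({"engineer"}), frozenset({"zeus"}))
    invoice = {"id": "inv-100", "project": "apollo"}
    repo = {"id": "repo", "project": "apollo"}
    history = []
    out = {}
    out["submit"] = authorize(alice, "submit_payment", invoice, history)
    history.append(("alice", "submit_payment", invoice))
    out["self_approve"] = authorize(alice, "approve_payment", invoice, history)
    out["admin_logs"] = authorize(bob, "read_logs", {"id": "syslog", "project": "infra"}, history)
    out["terminated"] = authorize(carol, "read_source", repo, history)
    out["wrong_project"] = authorize(dave, "read_source", repo, history)
    return out


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name}: allowed={d.allowed} reason={d.reason} flags={d.flags}")
```

alice holds both payables roles, which the policy should not normally grant; the separation-of-duties check is the backstop that still stops her approving the invoice she submitted. bob's request is allowed but flagged, which is the hook for the "increased attention to privileged accounts" monitoring.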
Mitigation: Counter Espionage!
- Enforce a Safeguarding Proprietary Information (SPI) programme
- Hire an external CIO or information protection consultant
- Initiate internal & external compliance auditing
- Cover conference room walls with lead sheets to stop bugging by radio transmitters
- Consider disabling camera phones
Mitigation: Defence Against Social Engineering Attacks!
- Pretexting (the impersonation game)
- Phishing attack (click me please)
- Diversion theft (look at that!)
- Phone phishing (Hi, I'm calling from…)
- Baiting (the USB stick attack)
- Quid pro quo (bogus phone calls)
- Tailgating
Defensive Implications
The networks of critical organizations will need to be run as a military defence at all times:
- Constant alertness
- Well staffed
- Regular defensive drills
- Standing arrangements for reinforcement under attack
- Extensive technological fortification
- Excellent personnel and information security
Hygiene
- Patches, AV, external firewalls etc.
- Failsafe design of critical machinery: not just idiot-proof but enemy-proof
All critical, but…
- There will still be a way in
- There will still be vulnerabilities
- The current paradigm will be inadequate
Picking up the Pieces!
Software damage:
- Integrity checkers
- Backup/rollback systems
Hardware damage:
- Supply of spares and spare parts, distributed appropriately
- Military logistics approach
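An integrity checker and a rollback system work as a pair: the checker keeps a signed manifest of known-good file hashes, and a later comparison produces exactly the list of paths the backup step must restore or quarantine. The code below is an added example, not from the presentation; the file trees are constructed in-memory dicts so it runs without touching disk, and the HMAC key, paths and contents are made up.

```python
"""File-integrity baseline, verification and rollback plan.

Added example (not from the presentation). Builds a SHA-256 manifest of
known-good files, protects the manifest with an HMAC so the baseline
itself cannot be silently edited, and diffs a later snapshot into the
restore/quarantine list a backup step would act on. Files are
constructed in-memory dicts; the key and contents are made up.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: {path: bytes}. Returns {path: sha256 hex}."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Keyed MAC over the canonical manifest text."""
    body = "\n".join(f"{p}:{h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest_signature(manifest: dict, key: bytes, tag: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the tag
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def compare(baseline: dict, current_files: dict) -> dict:
    """Diff a stored baseline manifest against a fresh snapshot of files."""
    current = build_manifest(current_files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def rollback_plan(diff: dict) -> dict:
    """Modified and removed paths come back from backup; unknown files are set aside."""
    return {"restore": diff["modified"] + diff["removed"], "quarantine": diff["added"]}


# Constructed known-good snapshot (baseline).
GOOD = {
    "/opt/plant/control.bin": b"\x7fELF...control v1",
    "/opt/plant/config.ini": b"setpoint=42\n",
    "/opt/plant/README": b"do not edit\n",
}
# Constructed later snapshot: binary changed, README gone, unexpected file present.
LATER = {
    "/opt/plant/control.bin": b"\x7fELF...control v1 + patch",
    "/opt/plant/config.ini": b"setpoint=42\n",
    "/opt/plant/unexpected.sh": b"#!/bin/sh\necho hi\n",
}
MANIFEST_KEY = b"constructed-demo-key"  # in practice: kept off the monitored host


def run_check(baseline_files=GOOD, current_files=LATER, key=MANIFEST_KEY):
    """Build, sign and verify the baseline, then return the diff and rollback plan."""
    baseline = build_manifest(baseline_files)
    tag = sign_manifest(baseline, key)
    if not verify_manifest_signature(baseline, key, tag):
        raise RuntimeError("baseline manifest failed signature check")
    diff = compare(baseline, current_files)
    return diff, rollback_plan(diff)


if __name__ == "__main__":
    diff, plan = run_check()
    print("diff:", diff)
    print("plan:", plan)
```

The signature matters because an insider with write access to the host can usually also reach the manifest; storing the key (or the whole manifest) off-host is what makes the checker trustworthy rather than just another file to edit.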
Prevent Further Data Leakage
- Foster a security-aware culture in which protecting data is a normal and natural part of every employee's job.
- Provide the tools and education that employees need to keep data secure, starting with new-hire training and continuing with verbal updates instead of email that might be ignored or lost.
- Evaluate employee behaviour and the associated risks based on factors such as the locale and the threat landscape.
- Continuously analyse the risks of interaction between users and networks, endpoints, applications, data and, of course, other users, to maintain an awareness of the threat environment.
- Provide clear leadership through executive commitment and visibility, so employees understand that executives are engaged and accountable.
- Proactively set security expectations.
Review
- The Inside Man Threat?
- Understanding the Psychological & Sociological Impact of Espionage
- Understanding Espionage Tactics, Threats & Techniques
- The Art of Social Engineering & Corporate Deception
- Counter Espionage Techniques & Technologies
- Q&A Session