Insider Threat: Assessing & Managing ‘People’ Related Risks to Technology
John Rostern, CRISC, QSA, Northeast Managing Director
September 14, 2011
Why I love this topic…
  ‘We have met the enemy and he is us…’ - Pogo
  Social Engineering; because there is no patch for human stupidity!
  The potential size of the fraud is directly proportional to the level of access and the degree of trust placed in the individual.
If I were targeting a company…
  Evil Plan #626 rev
  1. Identify capable IT staff (system admin, network admin, DBA, etc.)
  2. Determine how to compel/coerce/suborn them to your cause
  3. Select your target company
  4. Get these persons hired by the target company
  5. Pay them over and above their salary to keep them ‘engaged’
  6. Wait a period of time while the ‘employees’ become ‘trusted members’ of the company
  7. Extract insider knowledge to target information or tangible assets
  8. Determine your target(s)
  9. Time your move
  10. Leave the ‘trusted employees’ to face law enforcement
Insert really boring statistics HERE to scare and impress the audience…
Technology Risk Interdependencies
  End users download malware that allows their computer to become part of a botnet
  Executives at targeted companies advertise personal information on their Facebook pages
  The executives are ‘spear-phished’ when they open a bogus e-mail crafted based on their personal information
  Internal, secure systems are infected
  Data is exfiltrated
  IF the leak is discovered, we hold a meeting and wonder how it happened… Must have been China!
The Fraud Triangle
  Uncontrolled access to information creates opportunity
  Are you creating opportunity?
‘Risky People’
  Persons with extraordinary access to information assets
  C-Level Executives: CEO, President, CFO, Board Members
  ‘Privileged’ IT Staff: Systems Administrators, Database Administrators, Programmers
  Third Parties: Commercial Software Vendors, Outsourced IT Staff, Offshore Programming Resources
  ‘I know what I’m doing…’
  ‘I need to do my job…’
  ‘Trust us!’
Mitigating Risky People
  Do they have more access to information than needed?
  Who are they?
  When were they last background checked?
  Do you have background check requirements specific to job responsibilities?
  What other compensating controls can be or are in place?
    ‘2 Man System’ requirements
    Segregation of duties
    Continuous monitoring
    Ad hoc audits
Who is watching the store?
  Consider:
    Security operations vs. oversight roles
    Potential conflicts of interest
    Who owns RISK for the organization?
Align the CISO with Risk Owners
  Align Security Operations with the IT organization
  Separate oversight functions under the CISO
  Dotted line relationship aligns policies, standards and procedures with risk
  The ability to say NO
Traditional IT Configuration
Provide Better Segregation
Controlled Environment Design
Key Takeaways
  Who are the Riskiest People in my organization?
  How well do I know the people in my organization with access to information assets?
  Is my organization engaging in ‘Blind Trust’ instead of ‘Control’?
  Consider:
    Stricter background check requirements for privileged staff
    Recurring and/or ad hoc background checks for certain roles
    What is the role of your CISO? Where does he/she report?
    How your network, systems and application architecture does or does not support effective segregation of duties
    Data Analytics as part of regular audit procedures
    The use of Continuous Controls Monitoring
  Доверяй, но проверяй
  Trust, but verify… - Ronald Reagan