    insider threat

    Explore "insider threat" with insightful episodes like "Episode 385 - Is open source an insider threat?", "Establish an Insider Threat Program Under NISPOM Interview", "lynsey wolf, conducting insider threat investigations, CASB and UEBA utilization to good use.", "Establish an Insider Threat Program" and "EP91 “Hacking Google”, Op Aurora and Insider Threat at Google" from podcasts like "Open Source Security Podcast", "DoD Secure-Working with National Industrial Security Program", "Brakeing Down Security Podcast", "DoD Secure-Working with National Industrial Security Program" and "Cloud Security Podcast by Google" and more!

    Episodes (12)

    Episode 385 - Is open source an insider threat?

    Josh and Kurt talk about insider threats, but not quite in the way one would expect. The potential for insider threats is possibly higher than usual right now, but what about open source? Are open source developers insider threats for your organization? Have you ever thought about this before?

    Establish an Insider Threat Program Under NISPOM Interview

    This is a collaborative effort with Clearancejobs.com and an interview from my newest book, Establish an Insider Threat Program Under NISPOM.

    FSOs have a huge responsibility to protect contractor information. One important job is to start with an insider threat program.

    Most people make the mistake of relying on tracking employees and looking for suspicious behavior. That's not a good way to start.

    I've got a better solution. It's here in the video as well as my new book:

    Establish an Insider threat program under NISPOM. Tools, templates and procedures you can download.
    https://www.redbikepublishing.com/insiderthreatprogram/

    Jeff is available for speaking and consulting
    https://jeffreywbennett.com


    Red Bike Publishing
    Providing security clearance books, training, and resources for cleared defense contractors.

    Bennett Institute
    Online security clearance webinars and coaching. Providing security training and resources.

    SIMS Software
    SIMS suite provides features/functionality you need to run automated industrial security programs.

    Clearance, NISPOM, and FSO Consulting
    Thrive Analysis Group Inc is your resource for security clearance, NISPOM, and FSO consulting.

    Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

    Support the show

    FSO Consulting:
    https://thriveanalysis.com/nisp/

    We provide facility security clearance, personnel security clearance, FSO consulting and NISPOM consulting.

    Personnel Security Clearances

    • How to get a clearance
    • What to expect once you get a clearance
    • What you can do to prepare for a clearance

    Facility Security Clearance

    ✓Become a CDC Contractor

    ✓Determine security requirements for SECRET, TOP SECRET and SCI Clearances

    ✓Establish a security team to protect classified information

    ✓Develop and provide required security training

    ✓Prepare for government inspections

    ✓Interpret Contract specifications

    ✓Fight Insider threat

    ✓Learn Security clearance levels

    ✓Process Classified information

    ✓Prepare Derivative Classification

    ✓Provide required Security Training

    ✓Appointing a Facility Security Officer

    ✓Prepare for Government Audits

    Security Clearance and NISPOM consulting

    lynsey wolf, conducting insider threat investigations, CASB and UEBA utilization to good use.

    Show Topic Summary (less than 300 words)

    Insider threat still exists, Lynsey Wolf talks with us about HR’s role in insider threat, how prevalent investigations are in the post-pandemic work from home environment.

     

    Questions and potential sub-topics (5 minimum):

    1. What is the difference between insider threat and insider risk?

    2. Motivators of insider threat (not much different than espionage, IMO -bryan) (MICE: Money, Ideology, Compromise, and Ego.) https://thestack.technology/pentagon-leaks-insider-threat-sysadmin/

    3. 75% of all insider threats are being kicked off by HR departments. In short, it's proactive.

    4. “How did HR figure that out?” How are investigations normally initiated? What tools are they implementing to check users or predict a disgruntled employee? UEBA? CASB? Employee surveys that are ‘anonymous’? Someone who reported others and it was dismissed? What if HR ‘gets it wrong’, or it’s a hunt to find people not into ‘groupthink’ or ‘not a culture fit’? https://www.cbsnews.com/news/french-worker-fired-for-not-being-fun-at-work-wins-lawsuit-cubik-responds/

    5. How can organizations be mindful of how and what data is collected to mitigate risk without affecting employee trust? And who watches the watchers to ensure data is handled responsibly? Are there any privacy guidelines companies need to understand before they implement such a system? (GDPR? CCPA? Privacy notices? Consent to monitoring on login? https://securiti.ai/blog/hr-employee-data-protection/ )

    6. Are companies causing the thing they are protecting against? (making an insider threat because they’ve become repressive?) (hoping there’s an ‘everything in moderation’ idea here… finding the happy medium between responsible ‘observability’ and ‘surveillance’)

    7. Lots of ‘insider threat’ tools, including from EDR companies. Do companies do a good job of explaining to employees why you need EDR?

    8. Quiet Quitting - latest term for companies to use to describe “employee has a side gig”. How does this figure into insider threat? Is it assumed that people only have one ‘thing’ they do, or did the lack of a commute give people more time during the pandemic to diversify?

    9. Solutions for employees? Separate their work and private/side gig? Learn what their contract states to keep conflicts of interest or your current/past employer from taking your cool side project/start-up idea away from you? Solutions for companies?

     

    Additional information / pertinent Links (would you like to know more?):

    (contact info for people to reach out later):

    https://www.cisa.gov/detecting-and-identifying-insider-threats 

    https://venturebeat.com/data-infrastructure/how-observability-has-changed-in-recent-years-and-whats-coming-next/ 

    https://ccdcoe.org/library/publications/insider-threat-detection-study/ 

    https://resources.sei.cmu.edu/asset_files/TechnicalReport/2016_005_001_454627.pdf (insider threat ontology)

    https://www.intelligentcio.com/apac/2022/08/01/survey-reveals-organizations-see-malicious-insiders-as-a-route-for-ransomware/ 

    https://www.helpnetsecurity.com/2022/04/08/organizations-insider-threats-issue/ 

    https://www.fortinet.com/resources/cyberglossary/what-is-ueba 

    https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs 

    https://thecyberwire.com/glossary/mice

    https://qohash.com/the-high-price-of-trust-the-true-cost-of-insider-threats/ 

    https://abc7chicago.com/classified-documents-jack-teixeira-air-national-guard-arrest/13126206/ (Air National Guardsman accused in military records leak makes 1st court appearance - story still developing as of 16 April 2023)

    https://www.theverge.com/2020/8/4/21354906/anthony-levandowski-waymo-uber-lawsuit-sentence-18-months-prison-lawsuit 

     

    Show Points of Contact:

    Amanda Berlin: @infosystir @hackershealth 

    Brian Boettcher: @boettcherpwned

    Bryan Brake: @bryanbrake @bryanbrake@mastodon.social

    Website: https://www.brakeingsecurity.com Twitch: https://twitch.tv/brakesec 

    Youtube: https://youtube.com/c/BDSPodcast 

    Establish an Insider Threat Program

    Jeff is available for speaking and consulting

    https://jeffreywbennett.com
    https://jeffreywbennett.thinkific.com

    FSOs have a huge responsibility to protect contractor information. One important job is to start with an insider threat program.

    Most people make the mistake of relying on tracking employees and looking for suspicious behavior. That's not a good way to start.

    I've got a better solution. It's here in the video as well as my new book:

    Establish an Insider threat program under NISPOM. https://www.redbikepublishing.com/books/
    https://www.redbikepublishing.com/insiderthreatprogram/

    It also answers the question that so many people have asked,

    • If we have the NISPOM, why do we need an insider threat program?
    • If the NISPOM is so thorough, what would an additional insider threat program look like?

    Most organizations attack the problem with either an employee tracking or online activity reporting goal.

    After asking the above questions, we recommend a different solution. Of course the employee reporting and activity tracking solutions are important and part of the solution, but they should not be the end goal.

    This book recommends a different application that can easily be implemented to both resolve insider threat issues and demonstrate compliance.

    Establishing an Insider Threat Program Under NISPOM is written primarily for cleared defense contractors to meet Insider Threat Program requirements under the cognizance of the U.S. Go

    EP91 “Hacking Google”, Op Aurora and Insider Threat at Google

    Guest:

    • Mike Sinno, Security Engineering Director, Detection and Response @ Google

    Topics:

    • You recently were featured in “Hacking Google” videos, can you share a bit about this effort and what role you played?
    • How long have you been at Google? What were you doing before, if you can remember after all your time here? What brought you to Google?
    • We hear you now focus on insider threats. Insider threat is back in the news, do you find this surprising?
    • A classic insider question is about “malicious vs well-meaning insiders" and which type is a bigger risk. What is your take here?
    • Trust is the most important thing when people think about Google, we protect their correspondence, their photos, their private thoughts they search for. What role does detection and response play in protecting user trust?
    • One fun thing about working at Google is our tech stack. Your team uses one of our favorite tools in the D&R org! Can you tell us about BrainAuth and how it finds useful things?
    • We talked about Google D&R (ep 17 and ep 75) and the role of automation came up many times. And automation is a key topic for a lot of our cloud customers. What do you automate in your domain of D&R?

    Mieng-Lim-Ransomware-Best-Practices-p1

    Mieng Lim, VP of Product at Digital Defense by HelpSystems

    Topic she will discuss:

    • Outsmarting RaaS: Strategies to Implement Before, During, and After a Ransomware Attack

    Webinar: https://www.digitaldefense.com/resources/videos/webinar-outsmarting-raas-strategies-against-ransomware-attacks/

    https://www.digitaldefense.com/blog/infographic-the-latest-ransomware-facts/

    https://www.digitaldefense.com/wp-content/uploads/2020/07/Digital-Defense-Inc.-Ransomware-Infographic-070621.jpg

    https://www.digitaldefense.com/blog/the-terrifying-truth-about-ransomware/

    Prepared questions from Mieng:

    • Belief that “malicious actors today are using cutting edge techniques for the majority of attacks”
    • Belief that “majority of compromises are via zero-day vulnerabilities”
    • Organizations continue to leave systems unpatched with years old vulnerabilities
    • Belief that “my organization doesn’t have anything a malicious actor would be interested in…I’m not a target”
    • My organization has cyber insurance and that’s enough.
    • “I don’t have budget to buy all the products/hire the staff needed to protect my network.”

    https://www.techrepublic.com/article/initial-access-brokers-how-are-iabs-related-to-the-rise-in-ransomware-attacks/

     

    https://www.pandasecurity.com/en/mediacenter/security/ransomware-statistics/

    As new approaches to ransomware like double extortion continue to pay off, attackers are demanding higher ransom payouts than ever before. The average ransom demand in the first half of 2021 amounted to $5.3 million — a 518% increase compared to 2020. The average ransom payment has also increased by 82% since 2020, reaching a whopping $570,000 in the first half of 2021 alone.

    The FBI’s Internet Crime Complaint Center (IC3) received 2,084 ransomware complaints in the first half of 2021. (FBI and CISA)

    At least one employee downloaded a malicious mobile application in 46% of organizations in 2021. (Check Point)

    https://www.marsh.com/us/services/cyber-risk/insights/ransomware-paying-cyber-extortion-demands-in-cryptocurrency.html

    @infosystir

    @boettcherpwned

    @bryanbrake (on Mastodon & Twitter)

    @brakeSec

     

    Discord Invite! "please click OK to accept the Code of Conduct in the 'Rules-and-info' channel" https://discord.gg/brakesec

    #AmazonMusic: https://brakesec.com/amazonmusic 

    #Spotify: https://brakesec.com/spotifyBDS

    #Pandora: https://brakesec.com/pandora

    #RSS: https://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    Apple Podcasts: https://podcasts.apple.com/us/podcast/brakeing-down-security-podcast/id799131292

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloud: https://brakesec.com/SoundcloudBrakesec

    #Patreon:  https://brakesec.com/BDSPatreon

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec

    13: An IT Consultant Hacked His Former Employer's Client from Another Country

    In this episode, host Bidemi Ologunde presents the case of an IT consultant who hacked and deleted over 1,200 Microsoft Office 365 enterprise user accounts for his former employer's clients (accounts that he helped set up) due to negative performance reviews that the client sent to his former employers.

    The revenge hack was done in August 2018 from India, but he was arrested by the FBI in January 2021 as he arrived in New York to visit his brother. He was recently sentenced to two years in prison and ordered to pay a restitution of $567,084 to his former employer's client.

    Please send questions, comments, and suggestions to bidemi@thebidpicture.com. You can also get in touch on LinkedIn, Twitter, the Clubhouse app (@bid), and the Wisdom app (@bidemi).

    Don't waste valuable training time

    Some security training and briefings are very discouraging for the work force. Many times, the training is the exact same video or presentation used year after year. 

    So, if you go to my website www.redbikepublishing.com, you might find training and tests that do ask those types of questions. 

    This topic is specifically about how to make your security training more effective for your work force. There are two types of training: for security professionals and for the workforce. 

    So here are three problems I see with the current security training trend:

    1. Lack of training resources

    What is concrete is that there are various training topics required for cleared defense contractor employees; they include:

    • SF 312 Non-Disclosure Agreement briefing
    • Initial Security Awareness training
    • Annual Security Awareness Training
    • Derivative Classifier training
    • Insider Threat Training
    • other required training events and briefings

    2. One Size Fits all

    There are many resources that busy security managers can draw upon to solve the problem of training the workforce. There are downloadabl

    Mission Driven Research, Inc
    Mission Driven Research, Inc is a growing company providing technical services to the US government.

    Security Defense Lawyer
    If you have had an event that could put your security clearance in jeopardy, contact Ron immediately.

    What to expect with a brand new security clearance

    This blog continues the series describing what happens after the government grants you a security clearance. After receiving a job with a company or agency performing classified work, you’ll receive your onboarding training, which may have included the SF 312 Non-Disclosure Agreement, Initial Security Awareness, Derivative Classifier and other required training events and briefings. Even though the Facility Security Officer (FSO) brought you into the system, awarded your security clearance, and performed the required high-level training, there is still much more work to do to ensure you understand how to perform on classified contracts.

    The high-level training and onboarding is enough to get you “authorized” and prepared for the work. The rest of the preparation will come from other sources to include peers, supervisors and program managers. This training is usually provided on the job as you actually begin performing on the classified contract.

    This is how it might play out. The Government Contracting Agency (GCA) or program office flows down the classified work in the contract to the Cleared Defense Contractor (CDC). Part of the classified contract is the Contract Security Classification Specification or DD Form 254. According to the information on the DAMI website, the purpose of the DD Form 254 is to “…convey security requirements, classification guidance and provide handling procedures for classified material received and/or generated on a classified contract…” This DD Form 254 provides direct information to complete your training so that you can perform well. Keep in mind that if you will be working on multiple contracts,

    Organized Cybercrime: It's all about the Money

    Find out more about Dr Leukfeldt:

    https://www.nscr.nl/en/author/rutger/

    https://www.cybercrimeworkingroup.com/rutger-leukfeldt

     

    Publication mentioned in the Podcast:

    A typology of cybercriminal networks: from low-tech all-rounders to high-tech specialists

    Leukfeldt, E.R., Kleemans, E.R. & Stol, W.P. Crime Law Soc Change (2017) 67: 21. https://doi.org/10.1007/s10611-016-9662-2

     

    News article:

    Cryptocurrency Entrepreneur and Investor Michael Terpin Sues “Too Big to Care” AT&T for Permitting $23.8 Million Theft in “SIM Swap” Scam by Authorized Agent

    https://www.globenewswire.com/news-release/2018/08/15/1552594/0/en/Cryptocurrency-Entrepreneur-and-Investor-Michael-Terpin-Sues-Too-Big-to-Care-AT-T-for-Permitting-23-8-Million-Theft-in-SIM-Swap-Scam-by-Authorized-Agent.html

     

    More Background for this discussion:

    Criminal networks in a digitised world: on the nexus of borderless opportunities and local embeddedness

    Leukfeldt, E.R., Kleemans, E.R., Kruisbergen, E.W. et al. Trends Organ Crim (2019) 22: 324. https://doi.org/10.1007/s12117-019-09366-7

     

    Book

    The Human Factor of Cybercrime

    by Rutger Leukfeldt, Thomas J. Holt

    https://www.crcpress.com/The-Human-Factor-of-Cybercrime/Leukfeldt-Holt/p/book/9781138624696

     

     

    Establishing an Insider Threat Program

    Cleared defense contractors are required to integrate an insider threat program. The first step is to designate a “Senior Official” to establish and execute the insider threat program.

    In this episode we'll address: 

    • Fundamentals of the Insider Threat Program (ITP)
    • Establishing an ITP
    • ITP Definitions
    • Insider Threat Impact on Industry
    • ITP Training Requirement

    Is Security a Benefit or a Feature?

    I recently came across a tweet that was shared during the Infosecurity Magazine Conference in Boston, “Security is a benefit, but not always a feature.” Why? You can spend a lot of money and still be hacked or not spend a dime and not be hacked.

    How did the Inside Out Security Show panel react? Here's what Mike Buckbee, Kilian Englert and Alan Cizenski had to say:

    Buckbee: It’s all tradeoffs. It’s all a bet. If you go into a casino and putting money down…While it’s true you can spend a lot of money and still get hacked, it’s less likely than if you spend nothing. Or not even so much spend, in terms of money, but in terms of effort. You spend the effort and time to make secure systems….so you’re trying to play the odds.

    Englert: We can write it up as a truism…We’ve never been hacked before, so we must be secure. That’s the default security mindset, which is at odds with the truth…The best security in the world only takes you so far.

    Cizenski: When you’re spending money on security tools, at that point, at the very least, you’re gonna have an audit trail or something to look back at so you can say, “How did that happen?” Instead of just thinking, “We’ve never been hacked. We’re good.”…When it does happen, you can’t really do much about it [if you don’t have an audit trail].

    Additional comments include:
    • A rogue admin who took down a former employer’s network
    • Admins who experience burn out
    • NIST announced guidance on SMS on two factor.
    • Whether or not security problems are the user’s fault
    • As well as the latest research report on security shortcomings on a heart device.
