characterize the threats we are dealing with:
>> Rogue employees: trusted individuals who exceed their authority for personal gain or to deliberately damage the organization.
>> Accidental disclosures: trusted individuals who accidentally damage the organization through inadvertent misuse of data.
>> Risky business process: a potential leak due to a business process that is either poorly secured or against policy (but for legitimate business reasons).
>> External attacker on the inside: an external attacker who has penetrated the organization and is operating internally. This threat actor might have compromised a trusted account and appear like an internal user.
10. Privacy: Big brother is watching
There is little doubt that advances in technology have radically changed many aspects of our lives. From healthcare to manufacturing, from supply chains to battlefields, we are experiencing an unprecedented technical revolution.
Unfortunately, technology enables the average person to leak personal information at a velocity that few understand. Take a moment and think about how much of your life intersects with technology that can be used to track your movements, record your buying patterns, log your internet usage, identify your friends, associates, place of employment, what you had for dinner, where you ate and who you were with. It may not even be you who is disclosing this information.
We live in a world without secrets and we must act accordingly. Realize that much of what you may think is confidential isn’t. To borrow an old saying: if more than one person knows something, it isn’t a secret, and if you’re alive today, you have very little privacy.
9. Advanced Persistent Threats: Alarming people thoroughly
Advanced persistent threats are real. As hackers moved from hobby-based malware and cyber-vandalism to financially motivated or state-sponsored hacking, we experienced more thoughtful and controlled approaches. APT isn’t a new class of threat that requires a whole new, disparate set of technologies to address. In fact, many of the technologies you have been using to identify and monitor deviations from the normal operating state are suited to provide a base level of visibility into the environment.
Remember, 90 percent of all external attacks take advantage of poorly administered, misconfigured, or inadequately managed systems that any moderately competent hacker can exploit. Sure, there are some real artists out there, but when you can take candy from a baby 90 percent of the time, you rarely need expert safecrackers.
I’ve seen the attitude promulgated that if you’re smart and have skillz, it’s okay to be an asshole. That it’s somehow okay to hurl insults under the guise of “educating” someone and that they should be grateful for it. That caring about something gives you permission to display your bad temper for all to see, because you’ll make up for it by doing something really cool.
As far as I’m concerned, nothing could be further from the truth. There are plenty of egotists in the industry who think they’re entitled to a free pass on manners, and when I’m hiring, I steer clear of them, because there are just as many genius-level hackers who can also manage to behave themselves and work cooperatively with others without starting brawls.
The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users… eventually shortened to “users.”
Today the situation is different.
Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users
The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.
Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claiming “It’s time to reboot the security industry”) that reinforces our knowledge, experience and power while shielding us from the knowledge, power and experience of the individuals we work with.
There are a few principles I like to keep in mind when discussing the insider threat. Some are a little redundant to make a point from a slightly different perspective:
Thus, the best strategy includes a mix of technology and business controls, a focus on preventing and detecting external attacks, and reliance on a mix of preventative controls and detective controls with efficient response for the insider threat. I really don’t care if an attacker is internal or external once they get onto a single trusted system or portion of my network.
The “insider threat” isn’t a threat. It’s become a blanket term for FUD. Understand the differences between malicious employees, careless employees, external attackers with access inside the perimeter, and trusted partners without effective controls on their systems and activities.