I had the privilege of attending the 2016 CISO Executive Summit in San Francisco on Monday the 5th. I went with a great group of people!
There were a lot of good discussions regarding leadership, insider threats, third-party management, challenging the status quo, and effective security awareness. One of the biggest realizations that I had was that we all have common overlapping problems despite our level of maturity within those domains.
- We purchase products that are top right in the Gartner Magic Quadrant, normally because they come with process and maturity… We are attracted to those products because we normally lack internal (products) process and maturity to face up to those risks.
- We lack a clear definition of insider threats and less than 1% of attendees are proactive in sorting them out.
- We put our money, at least $20 billion annually as an industry, into perimeter devices and fancy technologies though the threats have changed attack strategy and have targeted users directly through social engineering.
- Less than 5% of attendees have a person or more dedicated to awareness of social engineering.
Riddle me this… When will we shift focus and migrate from product to process and people, despite more than a decade of publicly announced compromise via social engineering? This to me is a leadership/psychological/behavioral problem.
Here is a great write-up on insider threats.
There are a number of precursors of insider attacks that can help to identify and prevent them:
- Deliberate markers – These are signs which attackers leave intentionally. They can be very obvious or very subtle, but they all aim to make a statement. Being able to identify the smaller, less obvious markers can help prevent the “big attack.”
- Meaningful errors – Skilled attackers tend to try and cover their tracks by deleting log files but error logs are often overlooked.
- Preparatory behavior – Collecting information, such as testing countermeasures or permissions, is the starting point of any social engineering attack.
- Correlated usage patterns – It is worthwhile to invest in investigating the patterns of computer usage across different systems. This can reveal a systematic attempt to collect information or test boundaries.
- Verbal behavior – Collecting information or voicing dissatisfaction about the current working conditions may be considered one of the precursors of an insider attack.
- Personality traits – A history of rule violation, drug or alcohol addiction, or inappropriate social skills may contribute to the propensity of committing an insider attack.
Security professionals should understand that attackers are people too, who differ in resources, motivation, ability and risk propensity.