Don't Go Breakin'

My Heart

Trust, But Verify

Shawn Oden | codefumonkey@gmail.com | @CodeFuMonkey | codefumonkey.com

Who am I?

Pilot (1992) >> Programmer (1999) >> DBA (2016)

  • Certifications
    • CompTIA Security+
    • MCSE: Data Management & Analytics
    • MCSA: SQL 2016 Database Administration
    • MCSA: SQL 2016 Database Development
    • Adobe ColdFusion Specialist
      • (Plus CFMX certs from Macromedia & Adobe)
  • Currently hold a U.S. DoD Security Clearance

I'm basically a geek who is sometimes too curious for my own good.

And I have spent nearly my entire career working in sensitive environments.

I don't consider myself a Cyber Security Expert. I'm more like someone with a strong curiosity about CyberSec.

Disclaimer:

Let's start with a riddle:

Let's start with a riddle:

One day, you're sitting alone in your office...

Let's start with a riddle:

One day, you're sitting alone in your office,

A Programmer

Programmer

when in walks...

Let's start with a riddle:

A Network Admin

One day, you're sitting alone in your office,

A Programmer

NetworkAdmin
Programmer

when in walks...

Let's start with a riddle:

A Network Admin

And a Boss.

One day, you're sitting alone in your office,

A Programmer

NetworkAdmin
Programmer

when in walks...

Let's start with a riddle:

How many potential Insider Threats are in the room?

A Network Admin

And a Boss.

One day, you're sitting alone in your office,

A Programmer

Programmer
NetworkAdmin

when in walks...

What is an Insider Threat?

An Insider Threat is someone (or something) with authorized access to a system, who can, wittingly or unwittingly, use that access to harm or degrade that system. 

This can be an employee, a contractor, a vendor, a trusted visitor, a former employee ...

What is an Insider Threat?

An Insider Threat is someone (or something) with authorized access to a system, who can, wittingly or unwittingly, use that access to harm or degrade that system. 

... and even other systems or devices that can authenticate into a network.

This can be an employee, a contractor, a vendor, a trusted visitor, a former employee ...

What is a Threat Actor?

A Threat Actor is essentially the "bad guy" behind the Insider Threat.

BadGuy

If they lose control of their data, bad things can happen:

  • Damage to their intellectual property
  • Damage to their reputation
  • Damage to their customers or other relationships
  • Serious legal ramifications (HIPAA, PCI-DSS, GLBA, GDPR, etc)

Businesses generate a lot of data.

As employees, it's our duty to protect the interests of our company and our customers.

According to Verizon's 2021 Data Breach Investigation Report, a large portion of data breaches were caused by Insiders, most of which were unintentional.

Privilege abuse was a major factor in these breaches.

Phishing is still extremely effective.

Insider Threats are a big concern for all sizes of businesses.

Technological improvements have significantly increased the potential damage of a threat.

Timeframe Tech Capacity
Pre-1900 Punch cards - Not convenient. About 80 bytes
1950s First Hard Drive - A bit unwieldy 5 MB
1960s Floppy Disk - more portable, but little data. 80KB
1980s Smaller HDDs - 5.25 in form factor. About 5MB @$1500
1990s Zip Drives - Portable, but special drive needed. And who can forget the "Click of Death". 100MB, then 250MB
Late 1990s CD-R,  CD-RW and SD Card - Practical for stealing data, but still required specialized drive. 650MB +
(64 MB for SD Cards)
2000s Cloud storage, faster drives (smaller size + more data) +++++++
Today 15TB HDDs and 2TB USB thumb drives Still growing.

The image of the Threat needs to change.

Don't just worry about this guy.

Also watch out for this guy?

2 Basic Categories of Insider Threats:

  • Malicious Insiders - Those who know they're Insiders
  • Unintentional Insiders - Those who don't

Each of these types of threats may have different motivations and/or goals (or none at all).

There is also the Compromised Insider, which is a bit of a hybrid of the two.

Malicious Insiders

These types of threats can be hard to detect
because they are legitimate users. 

A Malicious Insider is an Insider Threat who intentionally uses their authorized access to cause harm to their organization.

They very rarely act randomly or impulsively. This type of Insider usually spends quite a bit of time deciding to become an Insider and then planning out their activities. Usually some event (like being fired) is what triggers them to act.

Malicious Insiders

  • Leaking
  • Sabotage
  • Theft (Financial)
  • Data Exfiltration
  • Fraud
  • Espionage
  • Violence

Types of Actions:

They are often motivated by greed, disgruntlement or their own sense of ethics.

What Makes an Insider Tick?

  • Financial Problems
  • Family / Relationship Problems
  • Unhappy with Job or Disgruntled
  • Drug / Alcohol Problems
  • Anti-social Behavior / Loner
  • Temper / Provocative Statements

Most Insider Threats share some common identicators.

Should I Be Concerned?

  • Repeated Attempts or Desire to Access Unauthorized Material
  • Failed Access Attempts or Probing of Systems
  • Repeated Security Violations
  • Unauthorized Copying or Removal of Data or Assets
  • Bringing Unauthorized Electronics Into Sensitive Areas
  • Sudden Changes in Work Habits
  • Secret Travel / Meetings with Competitors
  • Disgruntlement Becomes Threats or Open Hostility
  • Sudden Unexplained Wealth / Living Beyond Apparent Means

When a Malicious Insider is approaching or has reached their tipping point, they often escalate their concerning behavior:

In short, yes, you probably should be concerned.

It's important to remember that these indicators don't automatically make someone a threat. They're just common traits or behaviors that prior Insiders have exhibited.

Don't rush to judgement.

But also don't be afraid to report your concerns.

Let's take a look at some actual Malicious Insiders.

Aldrich Ames

Ames, a former CIA counter-intelligence officer, began spying for the KGB in 1985. He informed the Soviet Union of nearly all CIA sources from their country, which likely resulted in their deaths. He was arrested and charged with espionage in 1994. 

In total, he received $2-5 million. At the time, he was considered the most prolific spy in CIA history, until the next guy on our list.

ESPIONAGE

  • He was intelligent, but a loner
  • Cycle of positive then negative performance reviews throughout his career (not always shared among bosses)
  • Excessive alcohol use (noted by multiple superiors)
  • Multiple serious lapses in security protocols
  • Extra-marital affairs and eventual divorce
  • Financial difficulties (his excuse for spying)
  • Foreign girlfriend with expensive tastes (he married)
  • Very high levels of access to information
  • Ultimately living well beyond his apparent means (reported by a coworker)

Indicators of Risk:

  • Most of Ames' espionage included theft of paper documents, often what he could carry at the time

Technology Notes:

Robert Hanssen

Hanssen, a former FBI agent, spied for the Soviet Union and then Russia between 1979 and 2001. He handed over thousands of documents and likely caused the deaths of dozens of foreign U.S. spies. His exploits have been described as "possibly the worst intelligence disaster in U.S. history."

Because of his position and access, he was able to evade investigators for over 15 years.

He was finally arrested in 2001.

ESPIONAGE

  • Financial stress (large family, also gifts for a female friend)
  • Egotistical and narcissistic (wanted to be "James Bond")
  • Assigned to administrative positions (killing the "James Bond" fantasies)
  • Disgruntled and angry
  • His wife discovered his spying, but he played it off
  • Flagged multiple times, but they were ignored
  • Prior to arrest, he became extremely paranoid

Indicators of Risk:

  • Hanssen was very good with computers and databases
  • His primary means of exfiltrating data was by copying it to a personal Palm Pilot

Technology Notes:

Terry Childs

In 2008, Childs was the Lead Network Engineer for the City of San Francisco, working on a critical network that controlled most of the city's network capabilities. He changed login credentials on the networking equipment, effectively locking out everyone but himself.

He was arrested, but it was 10 days before he surrendered the credentials.

SABOTAGE

  • He was the person who built the network, so he had extensive knowledge of it
  • The network was extremely complex, even though it didn't need to be (job security for Terry)
  • Childs was the sole administrator of this network (never addressed by managers)
  • He was a work-a-holic, rarely taking time off
  • He held "the keys to the kingdom" and a single point of failure (also recognized but never addressed by managers)
  • There was no Separation of Duties

Indicators of Risk:

  • Childs was able to install multiple unauthorized devices that allowed him, and him alone, to have remote access to the network

Technology Notes:

Chelsea Manning

In 2010, Manning, was a U.S. Army soldier assigned as an intelligence analyst in Iraq. She leaked nearly 750,000 classified documents and videos to WikiLeaks, who published them online.

LEAKING

  • Extremely unstable early family life (both parents were alcoholics, including mother's heavy drinking while pregnant, divorce, and a suicide attempt by her mother)
  • Family was considered troubled by their neighbors
  • Very small and bullied during childhood and early military service
  • Spent much of childhood in a foreign country
  • As a soldier, there were multiple signs of mental distress that concerned her superiors, but the need for intelligence analysts outweighed those concerns
  • In early military work, Manning was reprimanded for sharing video messages describing a Secret facility
  • She told a counselor that she opposed the Iraq War

Indicators of Risk:

  • Since childhood, Manning was very good with computers
  • She had access to a wide range of military data that was stored on improperly secured computers
  • She brought re-writable CDs into work that were labeled as music, erased the music, then copied the secret data

Technology Notes:

Edward Snowden

There are few people in IT as polarizing as Edward Snowden. He is a former intelligence consultant, who, in 2013, leaked highly classified NSA information about several government surveillance programs, before fleeing the country. 

LEAKING

  • He is extremely intelligent and young, with very little background to fully assess security concerns about him
  • He had ethical concerns about the work he was doing and tried to raise those concerns with his supervisors, but he was ignored
  • He left a high-paying job to become an NSA contractor (with the specific intent of gathering data to leak)
  • There was simply little to nothing that identified him as a potential security risk

Indicators of Risk:

  • He is a self-taught "computer whiz", beginning at the age of 15
  • He was able to steal massive amounts of data on laptop hard drives and thumb drives

Technology Notes:

Michael Bolton

Bolton was a senior programmer for Initech Software. His colleague, Peter Gibbons, recruited him and another colleague, Samir Nagheenajar, to steal money from the company, using a computer virus Bolton wrote that would take a  tiny fraction of each of Initech's accounting transactions.

The virus would have been undetectable, but a flaw in the code  allowed the theft to be discovered. A fire destroyed all evidence before it was investigated.

THEFT

  • Hostile work environment
  • Extreme frustration with corporate processes and technologies
  • Verbal disgruntlement and anger with company
  • Frustration with management
  • Office bullying (due to name similarities)
  • Identified as non-essential and facing layoff

Indicators of Risk:

  • Though Initech practiced Separation of Duties, there was neither monitoring nor antivirus protections that could have prevented this software from infecting the network

Technology Notes:

But an Insider Threat can also be an accident.

In those previous examples, there were numerous warning signs of potential malicious behavior, and it's important to not ignore those signs.

Unintentional Insiders

Monitoring and Training are essential to detecting and preventing these types of incidents.

An Unintentional Insider is similar to a Malicious Insider, in that they can also be any trusted entity, but the damage they cause is accidental or negligent, with no malicious intent.

Oops. My bad.

Unintentional actions are more common than they should be.

They happen by:

  • Falling victim to phishing
  • Unknowingly introducing malware (USB sticks)
  • Leaving devices (computers or phones) unlocked
  • Using weak or shared passwords
  • Spillage
  • Over-sharing on Social Media / TMI
  • Deploying developer-centric code to Production
  • Unintentionally giving excess privileges to employees
  • Improperly securing cloud resources
  • Allowing family to use the company laptop

Most people don't want to hurt their company, but Unintentional Insider Threats make up the majority of incidents. Some studies have shown over 80% of data breaches are caused by human error.

Better training and awareness can help to mitigate this risk.

Compromised Insiders

A common example could be as simple as an employee who clicked on an email link that introduced a virus into the company's network.

A Compromised Insider is a trusted entity who is acting as an Insider Threat without a direct desire to be a threat and being directed or exploited by another entity.  

A more complex example could be an employee who was tricked into installing malware created by an outside Threat Actor.

Stuxnet

It's a brilliant, and terrifying, demonstration of a Threat Actor accomplishing their goals without the victim even knowing that a serious Threat was currently in the works.

Stuxnet is a good example of a Threat Actor taking advantage of a Trusted Insider, by playing on the unsuspecting Insider's curiosity to entice the Actor to introduce a virus into a highly secured network.

Elicitation: The Compromised Insider 

  • People want to be helpful.

  • People want to appear smart and well-informed.

    • Especially when they think the other person is wrong.

  • People want to be liked.

  • People don't want to seem rude.

  • People sometimes show off or gossip.

  • People underestimate the value of their info.

  • People prefer to see the best in others and often misinterpret the elicitor's intentions.

External agents may try to use an Insider to gain information. Their goals are often opposed to yours, and they often take advantage of human nature to reach those goals.

Elicitation: The Compromised Insider 

It's important to remember that the Elicitor is trying to get information from you. Their goals may not align with your goals.

Be careful what you share.

The Perfect Insider

By the very nature of what we do, programmers and systems administrators are in the best position to be the most damaging Insider Threats. We often have the "keys to the kingdom", and, though some of us don't want to admit it, we're just as prone to mistakes, maliciousness or influence as anyone else.

Programmers and Sys Admins make the best Insiders.

We're also in the best position to recognize and stop potential Insider actions before they become a problem.

And we can influence the Awareness of other employees.

Company Executives usually have high levels of access.

That access means that they should be watched for malicious activity, but another group likely has more access...

Don't Become The Insider

  • Avoid talking about work outside of work.
  • Be aware of what you can and can't discuss.
  • Be mindful of curious strangers.
    • Deflect or ignore questions about sensitive material.
    • Remove yourself from the conversation, if necessary.
  • Maintain situational awareness, especially at conferences, trade shows, and after-hours social events.
  • Don't wear badges or other work ID outside of the office.
  • Don't take pictures of yourself wearing your ID.
  • Practice good password policy, both at work and at home.
  • Be extremely mindful of Social Media. Don't overshare.
  • Don't allow family to use work equipment.

Don't Become The Insider

  • Don't plug stuff in.
  • Lock your computers and phones.
  • Lock up or secure sensitive materials.
  • Use separate User and Admin logins for appropriate tasks.
  • Have a consistent deployment process, including code review.
  • Make sure to perform regular security reviews on any dependencies you use in your code.
  • Don't talk to the media. Refer them to your PR group.
  • Be aware of the risks to your business.
  • Be familiar with your processes for handling security incidents. 

Early identification and intervention are critical to stopping an Insider Threat.

Early identification and intervention are critical to stopping an Insider Threat.

Address the problem before it's too late.

Help The Insider Not Be A Threat

  • Implement a Cybersecurity Awareness program, and continue with recurrent training.
  • Offer assistance to employees who need it (EAP).
  • Foster a healthy work environment to minimize disgruntlement.
  • Monitor for malicious (or unintentional) actions.
  • Enforce good corporate password and other CyberSec policies.
  • Limit the access of unnecessary devices.
  • Limit exposure by not allowing connections that aren't needed.
  • Limit privileged users to only the permissions they need.
  • When an employee leaves, remove their access and monitor the systems they had access to.

Monitoring won't stop the Threat, but it can mitigate it.

Now back to our riddle:

How many potential Insider Threats are in the room?

Now back to our riddle:

How many potential Insider Threats are in the room?

The Programmer ...

Well, there's...

Programmer

Now back to our riddle:

How many potential Insider Threats are in the room?

The Programmer ...

Well, there's...

Programmer

The Network Admin ...

NetworkAdmin

Now back to our riddle:

How many potential Insider Threats are in the room?

The Programmer ...

Well, there's...

The Network Admin ...

The Boss ...

NetworkAdmin
Programmer

ANYONE can be an Insider Threat.

Now back to our riddle:

How many potential Insider Threats are in the room?

The Programmer ...

Well, there's...

The Network Admin ...

The Boss ...

And you.

ANYONE can be an Insider Threat.

And probably all the IoT devices scattered around your office.

Programmer
NetworkAdmin

Trust your people,

but also protect your systems.

Verify that the job is being done properly.

Are You Curious?

Thank you for coming out today.

Shawn Oden | codefumonkey@gmail.com | @CodeFuMonkey | codefumonkey.com

And Thank You to Ortus for having me out again.

Don't Go Breakin' My Heart (v1) (Into The Box 2021)

By Shawn Oden

Don't Go Breakin' My Heart (v1) (Into The Box 2021)

All companies must place some trust in their employees, but bad things can happen when one of those employees breaks that trust. How can you stop an Insider before they do harm. (Presented at Into The Box 2021)

  • 735