Shawn Oden | codefumonkey@gmail.com | @CodeFuMonkey | codefumonkey.com
Pilot (1992) >> Programmer (1999) >> DBA (2016)
I'm basically a geek who is sometimes too curious for my own good.
One day, you're sitting alone in your office...
One day, you're sitting alone in your office,
A Programmer
when in walks...
A Network Admin
One day, you're sitting alone in your office,
A Programmer
when in walks...
A Network Admin
And a Boss.
One day, you're sitting alone in your office,
A Programmer
when in walks...
How many potential Insider Threats are in the room?
A Network Admin
And a Boss.
One day, you're sitting alone in your office,
A Programmer
when in walks...
An Insider Threat is someone (or something) with authorized access to a system, who can, wittingly or unwittingly, use that access to harm or degrade that system.
This can be an employee, a contractor, a vendor, a trusted visitor, a former employee ...
An Insider Threat is someone (or something) with authorized access to a system, who can, wittingly or unwittingly, use that access to harm or degrade that system.
... and even other systems or devices that can authenticate into a network.
This can be an employee, a contractor, a vendor, a trusted visitor, a former employee ...
A Threat Actor is essentially the "bad guy" behind the Insider Threat.
If they lose control of their data, bad things can happen:
As employees, it's our duty to protect the interests of our company and our customers.
Timeframe | Tech | Capacity |
---|---|---|
Pre-1900 | Punch cards - Not convenient. | About 80 bytes |
1950s | First Hard Drive - A bit unwieldy | 5 MB |
1960s | Floppy Disk - more portable, but little data. | 80KB |
1980s | Smaller HDDs - 5.25 in form factor. | About 5MB @$1500 |
1990s | Zip Drives - Portable, but special drive needed. And who can forget the "Click of Death". | 100MB, then 250MB |
Late 1990s | CD-R, CD-RW and SD Card - Practical for stealing data, but still required specialized drive. | 650MB + (64 MB for SD Cards) |
2000s | Cloud storage, faster drives (smaller size + more data) | +++++++ |
Today | 15TB HDDs and 2TB USB thumb drives | Still growing. |
Don't just worry about this guy.
Also watch out for this guy?
Each of these types of threats may have different motivations and/or goals (or none at all).
There is also the Compromised Insider, which is a bit of a hybrid of the two.
These types of threats can be hard to detect
because they are legitimate users.
They very rarely act randomly or impulsively. This type of Insider usually spends quite a bit of time deciding to become an Insider and then planning out their activities. Usually some event (like being fired) is what triggers them to act.
They are often motivated by greed, disgruntlement or their own sense of ethics.
Most Insider Threats share some common identicators.
When a Malicious Insider is approaching or has reached their tipping point, they often escalate their concerning behavior:
In short, yes, you probably should be concerned.
Don't rush to judgement.
But also don't be afraid to report your concerns.
Ames, a former CIA counter-intelligence officer, began spying for the KGB in 1985. He informed the Soviet Union of nearly all CIA sources from their country, which likely resulted in their deaths. He was arrested and charged with espionage in 1994.
In total, he received $2-5 million. At the time, he was considered the most prolific spy in CIA history, until the next guy on our list.
Indicators of Risk:
Most of Ames' espionage included theft of paper documents, often what he could carry at the time
Technology Notes:
Hanssen, a former FBI agent, spied for the Soviet Union and then Russia between 1979 and 2001. He handed over thousands of documents and likely caused the deaths of dozens of foreign U.S. spies. His exploits have been described as "possibly the worst intelligence disaster in U.S. history."
Because of his position and access, he was able to evade investigators for over 15 years.
He was finally arrested in 2001.
Indicators of Risk:
Technology Notes:
In 2008, Childs was the Lead Network Engineer for the City of San Francisco, working on a critical network that controlled most of the city's network capabilities. He changed login credentials on the networking equipment, effectively locking out everyone but himself.
He was arrested, but it was 10 days before he surrendered the credentials.
Indicators of Risk:
Technology Notes:
In 2010, Manning, was a U.S. Army soldier assigned as an intelligence analyst in Iraq. She leaked nearly 750,000 classified documents and videos to WikiLeaks, who published them online.
Indicators of Risk:
Technology Notes:
There are few people in IT as polarizing as Edward Snowden. He is a former intelligence consultant, who, in 2013, leaked highly classified NSA information about several government surveillance programs, before fleeing the country.
Indicators of Risk:
Technology Notes:
Bolton was a senior programmer for Initech Software. His colleague, Peter Gibbons, recruited him and another colleague, Samir Nagheenajar, to steal money from the company, using a computer virus Bolton wrote that would take a tiny fraction of each of Initech's accounting transactions.
The virus would have been undetectable, but a flaw in the code allowed the theft to be discovered. A fire destroyed all evidence before it was investigated.
Indicators of Risk:
Technology Notes:
Monitoring and Training are essential to detecting and preventing these types of incidents.
Unintentional actions are more common than they should be.
They happen by:
A common example could be as simple as an employee who clicked on an email link that introduced a virus into the company's network.
A more complex example could be an employee who was tricked into installing malware created by an outside Threat Actor.
It's a brilliant, and terrifying, demonstration of a Threat Actor accomplishing their goals without the victim even knowing that a serious Threat was currently in the works.
People want to be helpful.
People want to appear smart and well-informed.
Especially when they think the other person is wrong.
People want to be liked.
People don't want to seem rude.
People sometimes show off or gossip.
People underestimate the value of their info.
People prefer to see the best in others and often misinterpret the elicitor's intentions.
External agents may try to use an Insider to gain information. Their goals are often opposed to yours, and they often take advantage of human nature to reach those goals.
It's important to remember that the Elicitor is trying to get information from you. Their goals may not align with your goals.
Be careful what you share.
By the very nature of what we do, programmers and systems administrators are in the best position to be the most damaging Insider Threats. We often have the "keys to the kingdom", and, though some of us don't want to admit it, we're just as prone to mistakes, maliciousness or influence as anyone else.
We're also in the best position to recognize and stop potential Insider actions before they become a problem.
And we can influence the Awareness of other employees.
That access means that they should be watched for malicious activity, but another group likely has more access...
Monitoring won't stop the Threat, but it can mitigate it.
How many potential Insider Threats are in the room?
How many potential Insider Threats are in the room?
The Programmer ...
Well, there's...
How many potential Insider Threats are in the room?
The Programmer ...
Well, there's...
The Network Admin ...
How many potential Insider Threats are in the room?
The Programmer ...
Well, there's...
The Network Admin ...
The Boss ...
ANYONE can be an Insider Threat.
How many potential Insider Threats are in the room?
The Programmer ...
Well, there's...
The Network Admin ...
The Boss ...
And you.
ANYONE can be an Insider Threat.
And probably all the IoT devices scattered around your office.
Shawn Oden | codefumonkey@gmail.com | @CodeFuMonkey | codefumonkey.com