Wanna Bring Down the Globe

Title – Wanna Bring Down the Globe?
·         In this episode we’re gonna give a recap of the Wanna Cry ransomware, talk about insider threat in health IT security, Observe IT User Behavior Analytics, and more! Don’t touch that dial!
·         Intro
o    Welcome back! This is episode 2 of The Insider Threat podcast, for the week of May 22nd, 2017.
·         Quick Announcements Segment
o    We have gotten some really great feedback from the first episode, and I urge you to keep it up. In the future, I plan on having some guest interviews, to include folks from the industry and vendors who have a solution for tackling insider threat. Please continue to provide as much feedback as possible, as this is your show and you should be helping to drive its direction for the future.
·         Infosec Question of the Week
o    It’s time for your Infosec Question of the Week, where Google is king and the prize is nonexistent!
o    Here’s your question: How did notorious hacker Kevin Mitnick know that federal agents were near his apartment?
o    Send your response to InfosecAnswer@gmail.com. Be sure to include your first name, location, and the hashtag “colddonuts”.
·         Articles
o    As a recap of the WannaCry ransomware attack that plagued the world and our news feeds over the past week, there are claims that the initial infection of the worm was carried out by a malicious email attachment
o    An estimated 200,000 computer in 150 countries were infected
o    At one point, there was a DDoS against the server that was being used by the attackers for the decryption process, so victims who had already paid the ransom were out the money and still couldn’t access their files
o    The spread of the attack was stopped when a security researcher that goes by the name MalwareTech registered the domain address that was being used as a kill switch. Basically when the malware infected the system, one of the first things it did was try to communicate with the unregistered domain name. As long as it wasn’t active, it continued through the infection, propagation, and encryption. By the way – if you are in the media and you encounter someone in the security industry who wishes to remain nameless, please respect that.
o    The reason this worm was so impactful to begin with was the high number of legacy operating systems being used throughout the world. In many cases it was people who were using unlicensed copies of windows and were too afraid to update their computers because they didn’t feel like going through the steps to re-crack their windows version.
o    Researchers who have reverse engineered the malware claim that it was probably a product purchased and modified by amateurs, as it was poorly designed and appeared to be comprised of bits of code from other malicious tools literally copied and pasted together.
o    I’ve also included a link in the show notes to another piece of malware called Adylkuzz that is using the same vulnerability as WannaCry, but instead of encrypting your files it mines a cryptocurrency called “Monero”. For those who don’t follow cryptocurrency, Monero is a lesser known digital currency than bitcoin or ethereum. I wasn’t able to find any indication that this malware used phishing for infection, but I wouldn’t be surprised.
o    This entire episode with both worms just goes to show that we need to be teaching our employees to verify senders, links, and attachments before opening things that they shouldn’t. https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
o    Information Age Website – Cyber security professionals “admit to paying ransom”
o    Bromium, a security tool vendor that specializes in virtualization-based enterprise security that stops advanced malware attacks, announced the findings of their research conducted at the recent RSA Conference.
o    During the research, they surveyed security professionals on their own behavior. According to that survey, about 10% of security professionals admit to paying ransoms and not disclosing the incident to their bosses or anyone else in their organizations.
o    We have spoken about insider threat and ransomware already, but that typically involves users clicking on links or attachments. We haven’t yet however covered the human factor of security professionals and their own motivations behind their actions.
o    It is important here to remember that absolutely everyone involved in security – from the end users to executive management – is human. Just like everyone else, those of us in security are equally concerned about our own jobs. If you were to accidentally infect your corporate workstation with some sort of malware, would you go through the standard incident response procedures or would you find a way to take care of it yourself? This is an important question to ask, because the same fear of reprisal is what often drives the decisions of our users.
o    The study also claims that about 35% of security professionals admit to bypassing their own corporate security settings, but that one isn’t as much of a surprise to me. We often have to make configuration changes in the course of our day-to-day work and it isn’t malicious in nature. On the other hand, if this is being done in order to circumvent security controls for reasons outside of their normal job scope, this can be a very bad thing and we should know better.
o    Health IT Security website – 67% of Security Teams Say Insiders Top Data Security Threat
o    The author quoted findings from a survey conducted during the 2017 Secure Access Threat Report
o    Over 2/3 of security professionals surveyed believed that either malicious or unintentional acts from insiders were the greatest security threat to organizations
o    There were some other really good statistics in that article, so I will leave a link to it in the show notes. I won’t swear to the accuracy of the survey, though. Between us, some of the math just doesn’t seem to add up. But in all fairness, that could certainly be attributed to my own arithmetic deficiencies.
o    So I heard from another information security professional this past week that during an internal phishing campaign, 80% of the users clicked on the link in the email. That said, I’m not sure if the source of the email was internal or external, but that’s a pretty high percentage, especially when you take into account that there were about 2000 users in the organization. What can we do differently to get the point across? If you were in the situation I just described, what would be your next step? Do you start including things like this in employee annual performance reviews? Do you repeat the process until you can identify habitual offenders and use that information to focus your oversight strategy? Just some thoughts.
o    SC Magazine – Insider threat faces $300K fine for hacking former employer
o    So Yovan Garcia was caught hacking his employer’s website to adjust his overtime hours and they took him to court, claiming $318,661.70 worth of damages. The judge ruled in favor of the company, named Security Specialists, and he is going to have to work many extra overtime hours to pay up, that is if he is able to get a job after this.
o    On top of all that, after Garcia was fired from his company, he started his own consulting firm and sold a knock-off version of the software that his old employer developed.
o    When we trust our system, network, and even security administrators with privileged access to our environments, we can’t just assume that they are the “good guys”. Even people who should know better have the ability to make mistakes or cross the ethical line. It doesn’t preclude them from the same stringent oversight and separation of duties strategies that every other employee must adhere to. Actually, we might want to pay even closer attention to those who have admin rights to the systems or network. In this case, he probably thought that he could get away with it because of an assumption that nobody was watching.
o    Our last article today was written by Dr. Jessica Barker, who runs a security consultancy and, with a background in sociology, specializes in the human side of security.
o    She says that we often fail to acknowledge that there is an excessive security burden placed on the people using technology and that we don’t take the time to bridge the gap and see the overlaps between the human and technical vulnerabilities in our organizations.
o    We spend quite a bit of time with the hardening of our software, hardware, and networks, but we don’t spend nearly enough time hardening our people and culture and “the responsibility is on all of us to work towards the creation of a positive and empowering environment”.
o    I really like the approach that Dr. Barker uses when trying to address the human side of security, and one day I would really like to try to get her on the show to talk about it more. Sometimes we place too much emphasis on the security processes and technologies in our organizations as a band aide for the real problem, which is that users either don’t understand the security impacts of their actions or they simply don’t care.
o    As always, the links to these articles will be placed in the show notes.
·         Vendors
·         Observe it http://observeit.com
o    Not a sponsor of the show
o    From their website – ObserveIT empowers organizations to precisely identify and proactively protect against malicious and negligent behavior of everyday users, privileged users and remote vendors. They significantly reduce security incidents by changing user behavior through real-time education and deterrence coupled with full-screen video capture of security policy violations. This cuts investigation time from days sifting through logs to minutes of playing back video.
o    Some of the key features are session recording, alerting, risk dashboards, behavior management, shared account identification, and privacy protection.
o    This solution can be used to observe and record user actions to ensure that they are not violating the organization’s acceptable use policy during the course of their work day.
o    We spoke earlier about trusting privileged users with elevated access without periodically verifying that they aren’t doing the wrong thing. This tool can also be used for that purpose.
o    When it comes to service contracts with vendors, Observe it can be used to remotely watch third-party personnel and ensure that they are doing what they are contracted to do and billing labor hours accurately.
o    Finally, Observe it can be used for regular compliance requirements when it comes to auditing. It isn’t just generating logs of user actions on systems and the network – it is recording everything they do. This capability will certainly help with providing evidence of wrongdoing after a malicious act has occurred.
o    The first thing I was thinking about when researching this product was privacy. Well, they have thought of that, too. You can configure the system to require multiple unique passwords in order to play back the recorded sessions. In this case, you would have someone from Observe it enter their password, then a union representative or someone from legal enter theirs.
o    What do you think? Could you use this tool in your environment in order to help combat the risks associated with insider threat? Would you use this as your go-to solution or pair it with your security awareness training program?
·         Thought of the Week Segment
o    Our thought of the week comes from Dr. Jessica Barker when she was speaking to Microsoft earlier this year – “If you engage in changing your culture, if you engage in empowering your staff… then people go from being the weakest link to the biggest part of defense”
·         Outro
o    Thank you for listening to episode 2 of The Insider Threat podcast. Please remember to subscribe, rate, and share with everyone you know! Those reviews are key to building this out and improving for later episodes, so please feel free to leave suggestions and constructive criticism.
o    You can contact us on twitter @stevehigdon or email us at theinsiderthreatpodcast@gmail.com.
o    Thanks again and I’ll see you folks next time!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s