Insider Threat: Assessing & Managing 'People' Related Risks to Technology
John Rostern, CRISC, QSA, Northeast Managing Director
September 14, 2011
Why I love this topic…
• The potential size of the fraud is directly proportional to the level of access and the degree of trust placed in the individual.
• "We have met the enemy and he is us." - Pogo
• Social engineering: because there is no patch for human stupidity!
If I were targeting a company… Evil Plan #626 rev 0.9
1. Identify capable IT staff (system admin, network admin, DBA, etc.)
2. Determine how to compel/coerce/suborn them to your cause
3. Select your target company
4. Get these persons hired by the target company
5. Pay them over and above their salary to keep them 'engaged'
6. Wait a period of time while the 'employees' become 'trusted members' of the company
7. Extract insider knowledge to target information or tangible assets
8. Determine your target(s)
9. Time your move
10. Leave the 'trusted employees' to face law enforcement
Insert really boring statistics HERE to scare and impress the audience…
Technology Risk Interdependencies
• End users download malware that allows their computer to become part of a botnet
• Executives at targeted companies advertise personal information on their Facebook pages
• The executives are 'spear-phished' when they open a bogus email crafted from that personal information
• Internal, 'secure' systems are infected
• Data is exfiltrated
• IF the leak is discovered, we hold a meeting and wonder how it happened… Must have been China!
The Fraud Triangle
• The fraud triangle (Cressey) has three elements: pressure, opportunity and rationalization. Access controls are the element the organization directly controls.
• Uncontrolled access to information creates opportunity.
• Are you creating opportunity?
'Risky People'
• Persons with extraordinary access to information assets
• C-level executives
  • CEO
  • President
  • CFO
  • Board members
• 'Privileged' IT staff
  • Systems administrators
  • Database administrators
  • Programmers
• Third parties
  • Commercial software vendors
  • Outsourced IT staff
  • Offshore programming resources
What they say: 'I know what I'm doing…' / 'I need to do my job…' / 'Trust us!'
Mitigating Risky People
• Do they have more access to information than needed?
• Who are they?
• When were they last background checked?
• Do you have background check requirements specific to job responsibilities?
• What other compensating controls can be or are in place?
  • 'Two-man system' requirements
  • Segregation of duties
  • Continuous monitoring
  • Ad hoc audits
Who is watching the store?
• Consider
  • Security operations vs. oversight roles
  • Potential conflicts of interest
  • Who owns RISK for the organization?
Align the CISO with Risk Owners
• Align security operations with the IT organization
• Separate oversight functions under the CISO
• A dotted-line relationship aligns policies, standards and procedures with risk
• The ability to say NO
Key Takeaways
• Who are the riskiest people in my organization?
• How well do I know the people in my organization with access to information assets?
• Is my organization engaging in 'blind trust' instead of 'control'?
• Consider
  • Stricter background check requirements for privileged staff
  • Recurring and/or ad hoc background checks for certain roles
  • What is the role of your CISO? Where does he/she report?
  • How your network, systems and application architecture does or does not support effective segregation of duties
  • Data analytics as part of regular audit procedures
  • The use of Continuous Controls Monitoring
Доверяй, но проверяй (Trust, but verify…) - Ronald Reagan
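The 'Mitigating Risky People' and 'Key Takeaways' slides ask for segregation of duties, recurring background checks for privileged roles, and data analytics or continuous controls monitoring over audit data. The script below is an added example of what such a check looks like in code; it is not from the presentation or its author. The conflicting-action pairs, the audit records, the staff roster and the re-check age thresholds are all constructed assumptions chosen to illustrate the two checks.

```python
"""Continuous-controls-monitoring example (added; not part of the original deck).

Two checks over constructed data:
  1. segregation-of-duties (SoD): one person performed both halves of a
     conflicting action pair on the same object (e.g. created a vendor and
     approved a payment to it) - the 'two-man system' was bypassed;
  2. background-check currency: privileged accounts re-checked less often than
     a (hypothetical) policy requires, or never checked at all.
"""
from collections import defaultdict
from datetime import date

# Hypothetical policy: action pairs that one person must never both perform
# on the same object. Assumption for this example, not a standard list.
SOD_CONFLICTS = {
    ("create_vendor", "approve_payment"),
    ("create_user", "grant_admin"),
    ("change_firewall_rule", "approve_change"),
}

# Constructed audit records: (user, action, object_id, date).
AUDIT_LOG = [
    ("alice", "create_vendor", "V-100", "2011-09-01"),
    ("bob", "approve_payment", "V-100", "2011-09-02"),      # different approver: OK
    ("carol", "create_vendor", "V-101", "2011-09-03"),
    ("carol", "approve_payment", "V-101", "2011-09-04"),    # same person: SoD violation
    ("dave", "create_user", "svc-backup", "2011-09-05"),
    ("dave", "grant_admin", "svc-backup", "2011-09-05"),    # same person: SoD violation
    ("erin", "change_firewall_rule", "CR-42", "2011-09-06"),
    ("frank", "approve_change", "CR-42", "2011-09-06"),     # different approver: OK
]

# Constructed HR/access roster: privileged flag and date of last background check.
ROSTER = {
    "alice": {"role": "AP clerk", "privileged": False, "last_check": date(2010, 6, 1)},
    "bob":   {"role": "AP manager", "privileged": False, "last_check": date(2009, 1, 15)},
    "carol": {"role": "AP clerk", "privileged": False, "last_check": date(2011, 3, 1)},
    "dave":  {"role": "Systems administrator", "privileged": True, "last_check": date(2008, 2, 1)},
    "erin":  {"role": "Network administrator", "privileged": True, "last_check": date(2011, 1, 10)},
    "frank": {"role": "Change manager", "privileged": False, "last_check": date(2010, 11, 5)},
    "grace": {"role": "DBA", "privileged": True, "last_check": None},
}


def find_sod_violations(log):
    """Return sorted (user, object_id, action_a, action_b) tuples for every
    user who performed both actions of a conflicting pair on the same object."""
    actions = defaultdict(set)
    for user, action, obj, _when in log:
        actions[(user, obj)].add(action)
    hits = []
    for (user, obj), acts in actions.items():
        for first, second in SOD_CONFLICTS:
            if first in acts and second in acts:
                hits.append((user, obj, first, second))
    return sorted(hits)


def find_stale_background_checks(roster, today, max_age_privileged=365, max_age_other=3 * 365):
    """Return sorted (user, role, days_since_check) for staff whose last check is
    older than the role's limit; days_since_check is None if never checked.
    The 365-day / 3-year limits are assumed policy values for the example."""
    stale = []
    for user, rec in roster.items():
        limit = max_age_privileged if rec["privileged"] else max_age_other
        last = rec["last_check"]
        if last is None:
            stale.append((user, rec["role"], None))
        elif (today - last).days > limit:
            stale.append((user, rec["role"], (today - last).days))
    return sorted(stale, key=lambda row: row[0])


if __name__ == "__main__":
    for user, obj, a, b in find_sod_violations(AUDIT_LOG):
        print(f"SoD violation: {user} did both {a} and {b} on {obj}")
    for user, role, days in find_stale_background_checks(ROSTER, date(2011, 9, 14)):
        age = "never checked" if days is None else f"{days} days since last check"
        print(f"Background check overdue: {user} ({role}), {age}")
```

In a real deployment the audit records would come from the application or directory logs and the roster from HR, and the findings would feed the ad hoc audit or the CISO's oversight function rather than being printed; the point of the example is that both questions on the slides are answerable from data the organization already holds.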