Two of the biggest threats facing organizations today are Insiders and Hackers – these two groups are causing true harm to the U.S. economy and economies of other countries around the world.
Detecting and finding insiders whose malicious goal is stealing data, whether PII* or IP, is very difficult to accomplish successfully, but it has to be done. (* definitions at end)
After Manning (Bradley/Chelsea…), Snowden and now Alexis (Navy Yard shooter), it appears the spotlight is on individuals with access to sensitive content and holding security clearances. That is a very big spotlight, because there are a lot of people with access to various levels of sensitive content and a good number of them with very high security clearances.
Herein lies the problem: there are a lot of rotten apples in this country who hold no ethical standard of any caliber or have just flat out lost their moral compass somewhere along the way. They don’t really care if they are stealing data, information, and content – no matter how sensitive or proprietary, or even how expensive it was to produce that material. Nor does it seem to matter to these individuals if the ensuing damage, as a result of the theft, causes massive ripple effects, some of which may mean people lose their jobs (the firm goes bankrupt) or the situation casts wrong aspersions on people who may have had even a loose association with the wrong-doer.
In the case of Insiders, during the course of their exploits, USB devices are a prime method of getting info out of a building.
This write-up not only pertains to firms, agencies, think tanks and educational institutions; it also applies to home users, because they too need some of the topics I discuss below to keep their home computing devices (smart TVs, tablets, smart phones (if you can update them), PCs, laptops, printers and home monitoring systems) up to date.
So, what do we do to combat against these rotten apples…? Well, it looks like organizations are going to have to implement a raft of different technologies, maybe more than what a firm already has in place.
If no serious effort is undertaken to detect and prevent these bad apples, we are going to see ever more of our Intellectual Property (IP) taken by people in whom we supposedly put our trust. People who, for whatever reason, are driven by:
1 – Anger (at the firm, i.e. for being passed on a promotion or a raise or at the world for just putting them in a sad state of affairs),
2 – Financial problems (name one or several),
3 – Greed (to sell content to the highest bidder or any bidder),
4 – Sabotage (back to anger – being wronged for some reason) of an organization’s data,
5 – Drugs (gotta feed that habit),
6 – New job elsewhere (taking proprietary data from their current firm).
This list goes on and on and on.
For whatever reason, these people will attempt to take out their frustrations or anger on the organization’s data or equipment or worse, the people who work there.
And you must know, some of these insiders at many firms are smart – some too smart for their own good – while others are just too dumb to realize how stupid their theft is in the long run, primarily for them, secondarily for the people and companies who are impacted by the theft.
There was the insider whale situation at JPMorgan (for which JPM is now paying ~$1.2 billion dollars in fines and refunds). The JPM insider who caused the damage knew how to cover his tracks, for a while anyway.
Then there is E. Snowden. How the heck did he amass so much information, classified no less…??? Either he had another individual(s) who had access to that data and was feeding it to him, or he somehow gained access to things he should not have. And then how did he get that data out? I’m pretty sure he did not print it and carry it out the front door… or rather, I hope that was not the case.
I will propose some mitigations below. None of these mitigations are new but are some that many of my security colleagues have previously discussed and recommended.
Hackers! Whatever their ilk, they are continuing to get smarter. They are getting deeper pockets. They are joining forces, collaborating in order to share experience and knowledge.
These hackers come in many flavors, most of which you, the reader, are already aware of. They include:
a – Script kiddies – yep, they are still out there but are on the low end of the spectrum – and they are getting pre-built hacker kits so they no longer really have to create anything (by the way, these kits are getting ever more sophisticated)
b – Hactivists – think of Anonymous and Lulzsec and others who are still causing harm, any group that believes they are fighting to right wrongs or to shine the light on any perceived lacking transparencies
c – Criminal groups – here is where we start seeing very deep pockets funding these criminal entities, some of these gangs, errr, I mean groups are committing crimes to fund their enterprises in order to get better at their hacking and theft of PII. That is a vicious Mobius type cycle, eh…?
d – State sponsored entities – I no longer know where to begin with this because you have undoubtedly heard of U.S. agencies engaging in what many now consider scurrilous activities. There was a period where it was just foreign entities to consider, but now…
Some of the tech that will be necessary, by no means all-inclusive, follows:
– Behavioral Anomaly Detection software
– Next Generation (buzz word alert)
— Firewalls
— IPS & IDS software/hardware
— NIDS & HIDS software
— Routers & Switches
— AV suites
— Heuristics & AI software
— Predictive Analytics software
— SEIM devices
— DLP software
— Whitelisting / Blacklisting
— FDE (Drive, Folder or File)
— VPN
— Log files (see Note 1 below)
New tech –> USB-ARM thumb drives – A DHS-funded program that is just now beginning to move into the private sector involves a technology being developed at Oak Ridge National Laboratory in Tennessee. It is called USB-ARM, and it is an architecture that essentially authenticates USB-based removable media. When fully developed as a commercial product, USB-ARM will permit policies to be set so that anti-virus and antimalware scans can be run against a thumb drive before the operating system allows the device to become visible to the user.
Use of that technology indicated above means it will have to be implemented and monitored – it simply has to. Many firms may not be able to afford all of the items listed and any others not indicated, nor the resources to staff the various security positions – and for sure, you do not want to put in place entry level individuals to keep cost down – they will not have the experience.
Another way to go is to engage one of the reputable Managed Security Service Providers (MSSP) out there. Do your research when picking an MSSP, however, to avoid problems down the road. You will also want a very good Service Level Agreement (SLA) in place that covers most all situations (please look up SLA for more info on them) in the event of dire situations or legal actions.
Having security in the “Cloud” is starting to look more and more viable as a way to detect, primarily, hackers and, secondarily, insiders. Make sure you have more than one line of communication to the cloud in case your primary line goes down.
Most of all, you will want the fastest communication line and hardware speeds you can get – using 256Kbps or even 1 Mbps no longer cuts the mustard, as some say…
– Behavioral Anomaly Detection (BAD) software to ferret out activity that is not normal on the firm’s network – someone remoting in who should not be or from a location that is clearly not authorized; printing out sensitive info in its entirety, i.e. by a receptionist or salesperson; someone coming to work two hours prior to their normal time when there is no discernible reason to…
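As an added example (not from the original post), here is a small Python rule set that applies the three BAD heuristics just described to constructed login and print log lines: arriving well before one's usual time, remoting in from a location that is not authorized, and a receptionist printing a large document. The log format, the authorized-location allow-list and the roles permitted to print in bulk are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post); assumed format:
#   timestamp | user | role | event | detail
SAMPLE_LOG = """\
2013-09-16 08:55 | alice | engineer  | login | office
2013-09-17 09:02 | alice | engineer  | login | office
2013-09-18 06:45 | alice | engineer  | login | office
2013-09-18 07:05 | alice | engineer  | print | pages=420 doc=customer_pii.xlsx
2013-09-16 09:10 | bob   | reception | login | office
2013-09-17 09:05 | bob   | reception | login | office
2013-09-17 09:20 | bob   | reception | print | pages=312 doc=board_minutes.pdf
2013-09-17 23:40 | carol | sysadmin  | login | remote:unknown-country
"""

AUTHORIZED_LOCATIONS = {"office", "remote:vpn-hq"}  # assumed allow-list of login sources
BULK_PRINT_ROLES = {"engineer", "analyst"}            # assumed roles allowed to print in bulk
EARLY_HOURS = 2                                       # arriving this much earlier than usual is odd
BULK_PAGES = 100                                      # assumed threshold for a "bulk" print job

def parse(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, role, event, detail = [p.strip() for p in line.split("|")]
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, role, event, detail))
    return sorted(events)  # chronological, so each baseline uses only earlier history

def detect(log_text):
    """Return (user, reason) findings for the three behaviours the post calls out."""
    findings = []
    login_hours = defaultdict(list)  # user -> hour-of-day of earlier logins (the baseline)
    for ts, user, role, event, detail in parse(log_text):
        if event == "login":
            hour = ts.hour + ts.minute / 60
            history = login_hours[user]
            if history and hour < sum(history) / len(history) - EARLY_HOURS:
                findings.append((user, f"login at {ts:%H:%M}, {EARLY_HOURS}h+ earlier than usual"))
            if detail not in AUTHORIZED_LOCATIONS:
                findings.append((user, f"login from unauthorized location '{detail}'"))
            history.append(hour)
        elif event == "print":
            m = re.search(r"pages=(\d+)", detail)
            pages = int(m.group(1)) if m else 0
            if pages >= BULK_PAGES and role not in BULK_PRINT_ROLES:
                findings.append((user, f"bulk print of {pages} pages by role '{role}'"))
    return findings
```

Alice's 420-page print is not flagged because engineers are on the bulk-print list; the same job from Bob's reception account is, which is exactly the distinction the paragraph above draws.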
– Next Generation (buzz word alert) – software and hardware (and/or firmware)
— Firewalls to perform stateful inspections and deep packet inspection on most or all traffic into and out of the network
— IPS & IDS to detect unwanted intrusions into the network
— NIDS & HIDS software on individual computing devices to handle some of the anti-malicious work or in addition to the IPS/IDS
— Routers & Switches that route legitimate voice and data traffic but can also detect and prevent some of the malicious traffic
— AV suites to detect, prevent/stop and mitigate malware (caveat: AV suites have got to become even smarter than they are today, because this software can no longer detect newer strains of malware as they are created so very fast – faster than AV companies can create new detection algorithms – and when you have polymorphic/metamorphic malware to combat, you need more and faster detection)
— Heuristics & AI software to handle some of the analytical work on all the massive amounts of traffic as it transits the network (you know, connecting those dots)
— Predictive Analytics software – you will want dashboard type software with drill down capability for the best granularity you can achieve to see trends and activities on your network, which should be used in conjunction with that BAD listed above
— SEIM to collate data traffic and put it into an easily readable format for humans to go through and dig deeper into
— DLP software – you will want to watermark your sensitive content (PII, IP, financials, etc.) to be able to detect and prevent the material from leaving your network without authorization – if you do not watermark your material, you will want to use key words to track specific content
— Log files – Yes, log files – firms have got to maintain log files (this is where a SEIM comes in handy: the SEIM can collate and piece together the entire path of the traffic you specify and offloads it from humans, who would be overwhelmed trying to go through the monstrously large log files – humans still need to be part of the picture however…)
— Policies – you will want multiple policies in place, acknowledged by all employees of the firm (from the CEO/top SES/senior General to the lowest clerk) and, most of all, you will have to stringently enforce the policies you have created – they cannot collect dust on a shelf…
—– Group policies for servers and PCs in the workplace – you will want to lock down all USB ports except for those authorized to use USB ports
—– Use only a certain specific brand of USB devices with serial numbers to assist in locking down what kind of USB devices can be used on PCs in conjunction with the Group policies
—– Consider allowing specific PCs to have access via USB ports and those USB devices
—– Consider getting managerial pre-authorization for specific PCs and specific users (like SysAdmins) for specific times to combat the insider threat
—– SPECIAL NOTE:
When locking down USB ports, watch out for those smart monsters, ummm, individuals that configure USB storage devices to look like a keyboard or a mouse and connect them in-line with the actual keyboard or mouse to stockpile the data they are stealing.
You will also want to look at the newest technology out there for users, like Google Glasses – how are you going to combat that when users start buying those and bringing them into the workplace, even though they are not supposed to? How are you going to know what kind of glasses they have in their shirt pocket or purse? They will be able to surreptitiously record any kind of data on the computer screen at will with something like that tech.
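An added example (not the post's own code, nor any vendor's) of the device allow-list the group-policy items above describe: it enforces one approved brand, enrolled serial numbers tied to named users and PCs, and a manager-approved time window for one-off SysAdmin use, and it refuses sticks whose serial Windows had to generate because the device reports none. The device instance ID format, the brand and the enrolment table are assumptions, and Python stands in for whatever the endpoint agent actually runs.

```python
import re
from datetime import datetime

# Assumed shape of a Windows removable-disk device instance ID (an assumption, not from the post):
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
DEVICE_ID = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]+)&Prod_[^&\\]+&Rev_[^\\]*\\(?P<serial>[^\\]+?)&\d+$",
    re.IGNORECASE,
)

APPROVED_VENDOR = "kingston"  # constructed: the one brand the firm issues

# Constructed enrolment table: serial -> who may use it, on which PC, and the optional
# manager-approved time window (for one-off SysAdmin use) as "YYYY-MM-DD HH:MM" strings.
ENROLLED = {
    "0019e06b2a1f": {"users": {"alice"}, "hosts": {"ENG-PC-07"}, "window": None},
    "0019e06b3c44": {"users": {"dave"}, "hosts": {"ADMIN-WS-01"},
                     "window": ("2013-09-20 09:00", "2013-09-20 12:00")},
}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def check_usb(device_id, user, host, now):
    """Return 'allow' or 'deny: <reason>' for a removable disk plugged into a PC at time `now`."""
    m = DEVICE_ID.match(device_id)
    if not m:
        return "deny: not a recognised removable-disk instance ID"
    vendor, serial = m["vendor"].lower(), m["serial"].lower()
    if vendor != APPROVED_VENDOR:
        return f"deny: vendor '{vendor}' is not the approved brand"
    if len(serial) > 1 and serial[1] == "&":
        # Windows puts '&' in the second position when it had to invent an ID because the
        # device reports no unique serial, so such a stick cannot be tied to a person.
        return "deny: device has no unique serial number"
    entry = ENROLLED.get(serial)
    if entry is None:
        return f"deny: serial {serial} is not enrolled"
    if user not in entry["users"] or host not in entry["hosts"]:
        return f"deny: {user}@{host} is not authorised for serial {serial}"
    if entry["window"]:
        start, end = (_ts(t) for t in entry["window"])
        if not start <= _ts(now) <= end:
            return "deny: outside the manager-approved time window"
    return "allow"
```

A device that enumerates as something other than a disk (the keyboard-impersonating case in the SPECIAL NOTE) never matches the pattern and is simply denied here; telling a real keyboard from a fake one needs a separate HID allow-list.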
— Video cameras – this is not least, not by any measures, you will want digital video cameras that work, in the dark, with fast motion tracking, with excellent resolution (no more grainy images that are pixelated as you blow it up) – in multiple locations, from front doors, to side doors to back doors, to stair wells, rooftops, hallways in sensitive areas, in rooms of sensitive areas and other places you can legally place them
—– For these digital cameras, you can now get them with software to track devious behavior or look for patterns of odd behavior (this would be worthwhile to look into)
— Whitelisting – You add applications and web sites you want to approve on your network
— Blacklisting – You deny applications and web sites you ‘do not’ want on your network
— FDE / File or Folder encryption – basically you want to encrypt your data in case hackers try to invade your network or someone loses a laptop/hard drive or someone steals that laptop/hard drive
— Audits – conduct network audits on a random basis, looking for odd, illicit activities – and yes, no one seems to have time to go through logs, let alone audits – use filters to help cut down the work load.
— Patching – you will want to look into performing automated patching for all software, hardware & firmware as often as possible to plug holes against vulnerabilities in your network – automated patching has come a long way in the past 10 years, a very long way – patching manually, well, let’s just say it is no longer the best way to go
There is, simply put, a great deal of information I could have written here on Insiders and Hackers and USB devices, and it would have ended up as a book rather than a short(ish) paper.
The bottom line is, you will have to make a concerted effort to watch for behavioral changes in individuals’ work activity and personalities – are the changes for the job, for the individual trying to grow career-wise, or for the individual attempting to remove any and all data that person can, either by printing, or copying to USB devices or sending out via email?
Consider the individual’s position: is the individual in a sensitive or high-ranking position, or one with access to highly sensitive IP? Use those parameters to help with possible insider threats; some of the unscrupulous may want to take IP with them to a competitor. And note, not all competitors have the ethical backbone to contact the leadership of the company where that IP originated to report the possible theft.
Also, some individuals may not vocalize to any co-worker or give any visible indications that they may have turned to drugs and need to pay for the habit. Or the person may develop marriage problems, which ends up manifesting at work, in a bad way.
As for guarding against hackers, of various ilks, you will want to do Penetration Testing on your own network to look for holes and vulnerabilities. Ideally you would want to hire an outside source that has no biases in looking for holes.
For the time being, there is always going to be the threat of Zero-Day exploits (0-Days or O-Days). 0-Day malware explicitly targets vulnerabilities that software, hardware and firmware makers are not aware of in their product but that some enterprising criminal will continue to try to get away with for profit. It just ‘ain’t’ possible to detect all 0-Day vulnerabilities in software, hard/firmware during development and before release to the public – not yet anyway. You will have to be diligent in keeping up to date on everything you can to protect your network, but there is one possible way to be safer, if not feel safer – perform Penetration Tests on your network.
You will want to do basic Pen Tests all the way up to serious Pen Tests. You do not want to do a hard core Pen Test and bring down your entire network for a day or two do you….?
AI – Artificial Intelligence
AV – Anti-Virus suites
DLP – these three letters are defined in several ways: Data Leakage Prevention, Data Leakage Protection or Data Loss Protection/Prevention
FDE – Full Disk Encryption (also folder and file encryption)
HIDS – Host IDS (for the PC or Server)
IP – Intellectual Property
IDS – Intrusion Detection System
IPS – Intrusion Protection System (IPS are picking up where the older IDS leaves off)
Malware – malicious software
NIDS – Network IDS (for placement around the computer network – at the perimeter and even within the perimeter)
PII – Personally Identifiable Information (financial, medical, personal)
SEIM – Security Event and Information Monitor (some title it as SIEM but it is the same thing)
USB devices – Universal Serial Bus devices, anything used to store data – thumb drive, flash drive, pen drive (literally an ink pen drive), a watch (yes, a watch with a built in USB port connection), mugs with a USB port, even eye glasses… and do not forget those external portable hard drives (now available with wifi connectivity)
VPN – Virtual Private Network used for more secure remote connectivity