+
Insider Threat Fraud Case Study
The Threat Within - CWA University at Albany
December 10, 2015
“Regardless of the technology in place to protect data, people still represent the biggest threat”
- Alex Ryskin
+
Team 2SECURE
■ Chathura Wickramage - Information Security Officer
■ Valecia Stocchetti - Cyber Threat Intelligence Analyst
■ Daniel Roberti - Cyber Threat Analyst
■ Nicholas Manzella - Security Operating Center Analyst
■ Nicholas Godfrey - IT Risk Analyst
■ Christina Frunzi - Behavioral Analyst
+
Understanding Insider Threat
“It’s not a matter of if,
it’s a matter of when.”
+
What Is Insider Threat?
■ The ability of someone from within a company or organization, who usually has LEGAL ACCESS to files/systems, to initiate an attack with little chance of being detected unless proper security measures are in place.
■ Activity that is in fact an attack can look completely normal on screen.
■ Can be both malicious and non-malicious.
■ Perception vs. Reality
+
Who Can Be An Insider?
■ Ordinary Employees
■ Executive Management
■ Vendors
■ Contractors
■ Maintenance
■ Visitors
■ Former Employees
■ ...It can be anyone!
Insiders who pose the largest risk to an organization.
+
What are they after?
■ Tangible Assets
■ Money
■ Intangible Assets
■ Customer Bases
■ Vendor Relationships
■ Data
■ Intellectual Property
■ Patents/Trademarks/Copyrights
■ Trade Secrets/Crown Jewels
+
Why Do They Want It?
■ Motive
■ Reason to commit the crime - Greed, Disgruntlement, Revenge (The Big Three)
■ Opportunity
■ Poor Security, Lack of policy, etc.
■ Rationalization
■ “I did it because…”
+
Case Study
+
Company Profile:
Main Street Banking
Headquartered in New York, NY
50,000 Employees
Global, operating in 90+ countries across Americas, Asia,
Europe & Latin America directly or indirectly via
subsidiaries, affiliates or joint ventures.
+
What Happened?
A lead software developer, Mark Smith, at Main Street Banking devised a scheme by which he could earn fraudulent rewards points by linking his personal accounts to corporate business credit card accounts of third-party companies. He cashed in the rewards points for gift cards and sold them at online auctions for cash. Ultimately, he was able to accumulate approximately 46 million rewards points, converting the points into $300,000 cash.
+
Who is 2Secure?
We are part of Main Street Banking’s Security Operations Center. As a team, we have been entrusted with analyzing and solving the problem described above. We have used the NIST framework along with many other supporting documents to put together what we believe is the ideal insider threat protection plan. Insider threat is not an easy problem to solve. It requires not only technical controls but also relies heavily on behavioral controls. Insider threat is not 100% preventable; the key is to detect it quickly and mitigate the risks.
+
What made the attack possible?
■ Employees not properly trained on how to detect an insider attack.
■ Poor governance.
■ Proper system controls not in place to detect an attack.
■ Poor access controls in place.
+
How was the attack discovered?
■ An anonymous tip from an internal employee who knows the suspected insider was sent to the Security Operations Center (2Secure).
+
Governance
+
Governance
■ Objectives
■ Support the business.
■ Defend the business.
■ Promote responsible Information Security Behavior.
■ Identify Stakeholders
■ Create RACI Matrix
■ Responsible
■ Accountable
■ Consulted
■ Informed
+
Governance
+
Risk Assessment
+
Risk Identification & Assessment
■ Risks Identified
■ Attacks using legitimate credentials to bypass access controls.
■ Unauthorized access to confidential information.
■ Theft of customer data.
■ Unusual activity and protocols observed on the network.
■ Unauthorized disclosure, modification or destruction of information.
■ Assessment
■ What is the asset?
■ What is its function?
■ What type of data is stored?
■ What is the criticality level?
■ How will it impact the company if compromised?
■ Risk = Threat Likelihood * Magnitude of Impact
+
Prevention & Protection
+
How could the attack be prevented?
■ Modifications to the Hiring Process
■ Background Checks
■ Psychological Testing
■ Social Media Disclosure
■ Prior Employment Terminations/Call References
■ Credit Score Disclosure (With Consent)
■ Periodic Checks on all of the above
■ Communication
■ Conduct Weekly Team Meetings
■ Schedule Bi-Weekly Check-Ins With Each Team Member
■ Semi-Annual Evaluations/Annual Reviews
+
How could the attack be prevented?
■ Awareness & Training
■ Train employees to recognize an insider attack and how to report it anonymously.
■ Create best practices & develop safeguards to mitigate ignorance/negligence/carelessness.
■ Policies
■ Create a Whistleblower protection policy to protect the anonymous reporter.
■ Have current employees & new hires sign off on the policy to cover the company legally.
■ Enforcement
■ Enforce the policies and develop a plan on how to monitor when a policy is violated.
■ Stakeholders need to demonstrate an interest in helping with the overall problem at stake, not just with implementation.
+
How could the attack be prevented?
■ Access Controls
■ Create a hierarchy for current or desired access levels.
■ Install software that will track permission levels - Normal behavior VS Abnormal behavior.
■ Monitor all employees, including ones who have higher access levels.
■ Implementation of timeframes
■ Install monitoring equipment that will record the session.
■ Have a team/employee that reviews the session to ensure that there is no suspicious activity.
+
How could the attack be prevented?
■ Separation of Duties (SOD)
■ Identify processes and procedures along with the employee(s) responsible.
■ Create a tier structure so one person does not complete a process from start to finish.
■ Rotate roles to ensure that another set of eyes is on a particular process.
■ Data Security
■ Implement mechanisms to verify the integrity of software, firmware and information.
■ Implement software/processes to detect use of third-party sites.
+
Detection
+
What detection techniques should have been utilized?
Behavioral Detection Indicators:
■ Accessing the network while off the clock.
■ Working odd hours and/or excessively willing to take overtime.
■ Takes excessive notes.
■ High interest in topics not pertaining to their job duties.
■ Demonstrating high risk behaviors such as:
■ Past/current drug or alcohol abuse
■ Struggles financially
■ Excessively gambles
■ Exhibits hostile/aggressive behavior
+
What detection techniques should have been utilized?
Anomalies and events
■ Ensure that there is coordination between all stakeholders to detect anomalies and events.
■ Analyze traffic & event patterns for the information system.
■ Develop profiles representing common traffic patterns and/or events.
Security Continuous Monitoring
■ Implement software that will track permission levels to detect ‘abnormal behavior’ (as compared to normal behavior).
■ Limit, restrict and monitor all internal and external applications (e.g. third-party banking sites).
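As an added example (not from the original deck), the rules below encode two of the indicators above against constructed sample records: the linkage pattern from the "What Happened?" slide (an employee's own rewards account fed by card accounts that belong to third-party customers, and one rewards account fanning out across many card owners) and "accessing the network while off the clock". The record layout, the `EMPLOYEE_ACCOUNTS` mapping, the business hours and all sample values are assumptions, not Main Street Banking's real schema.

```python
"""Added example: detection rules for the case-study fraud pattern and off-hours access.
All data structures, field names and sample records are constructed/assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class RewardsLink:
    """One 'link rewards account to card account' event from the rewards platform (assumed schema)."""
    event_time: datetime
    actor: str            # user who performed the link (employee id or service account)
    rewards_account: str  # rewards account that will earn the points
    card_account: str     # card account whose spend feeds the points
    card_owner: str       # customer (or employee) that owns the card account


@dataclass(frozen=True)
class AccessEvent:
    """One authenticated session on a system, as a SIEM would record it (assumed schema)."""
    event_time: datetime
    user: str
    system: str


# Assumed: rewards accounts that HR/KYC records tie to an employee (account -> employee id).
EMPLOYEE_ACCOUNTS = {"RW-1001": "msmith", "RW-2002": "jdoe"}

# Constructed sample data. Nov 2, 2015 is a Monday; Nov 7, 2015 is a Saturday.
REWARDS_LINKS = [
    RewardsLink(datetime(2015, 11, 2, 2, 13), "msmith", "RW-1001", "CC-88001", "Acme Logistics Inc"),
    RewardsLink(datetime(2015, 11, 3, 23, 40), "msmith", "RW-1001", "CC-88002", "Bolt Freight LLC"),
    RewardsLink(datetime(2015, 11, 5, 1, 5), "msmith", "RW-1001", "CC-88003", "Cedar Dental PC"),
    RewardsLink(datetime(2015, 11, 5, 10, 15), "jdoe", "RW-2002", "CC-77001", "jdoe"),  # own card: normal
    RewardsLink(datetime(2015, 11, 6, 11, 0), "svc_batch", "RW-5555", "CC-66001", "Delta Tools Co"),  # customer
]
ACCESS_EVENTS = [
    AccessEvent(datetime(2015, 11, 2, 2, 10), "msmith", "rewards-admin"),
    AccessEvent(datetime(2015, 11, 2, 9, 30), "jdoe", "rewards-admin"),
    AccessEvent(datetime(2015, 11, 7, 14, 0), "msmith", "rewards-admin"),
]

BUSINESS_HOURS = (8, 18)  # assumed local office hours; weekdays only


def off_hours_access(events, hours=BUSINESS_HOURS):
    """'Accessing the network while off the clock': sessions on weekends or outside business hours."""
    start, end = hours
    return [e for e in events
            if e.event_time.weekday() >= 5 or not (start <= e.event_time.hour < end)]


def employee_third_party_links(links, employee_accounts=EMPLOYEE_ACCOUNTS):
    """An employee's own rewards account linked to a card account the employee does not own.
    This is the core of the case-study scheme; a customer linking their own card never trips it."""
    flagged = []
    for link in links:
        employee = employee_accounts.get(link.rewards_account)
        if employee is not None and link.card_owner != employee:
            flagged.append(link)
    return flagged


def rewards_fan_out(links, employee_accounts=EMPLOYEE_ACCOUNTS, threshold=3):
    """Employee rewards accounts fed by at least `threshold` distinct card owners."""
    owners = defaultdict(set)
    for link in links:
        if link.rewards_account in employee_accounts:
            owners[link.rewards_account].add(link.card_owner)
    return {acct: len(o) for acct, o in owners.items() if len(o) >= threshold}


def run_detection(links, accesses, employee_accounts=EMPLOYEE_ACCOUNTS):
    """Combine the rules into one alert list for the SOC queue."""
    alerts = []
    for e in off_hours_access(accesses):
        alerts.append({"rule": "off_hours_access", "subject": e.user,
                       "detail": f"{e.system} at {e.event_time:%Y-%m-%d %H:%M}"})
    for l in employee_third_party_links(links, employee_accounts):
        beneficiary = employee_accounts[l.rewards_account]
        detail = f"{l.rewards_account} linked to {l.card_account} owned by {l.card_owner}"
        if l.actor == beneficiary:  # the person who benefits performed the link: SoD failure
            detail += " (linked by the beneficiary: separation-of-duties failure)"
        alerts.append({"rule": "employee_rewards_third_party_link",
                       "subject": beneficiary, "detail": detail})
    for acct, n in rewards_fan_out(links, employee_accounts).items():
        alerts.append({"rule": "employee_rewards_fan_out", "subject": employee_accounts[acct],
                       "detail": f"{acct} fed by {n} distinct card owners"})
    return alerts


if __name__ == "__main__":
    for a in run_detection(REWARDS_LINKS, ACCESS_EVENTS):
        print(a["rule"], a["subject"], a["detail"])
```

On the sample data the employee/third-party rule fires three times for the same rewards account, the fan-out rule once, and the off-hours rule twice; in practice the fan-out and self-service signals are what separate the fraud from an occasional data-entry mistake.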
+
What detection techniques should have been utilized?
Security Control Monitoring
■ Routine scans should be conducted at a frequency matched to the system's impact level:
■ Low-Impact Systems: Every day
■ Moderate-Impact Systems: Every hour
■ High-Impact Systems: Every 5, 10 or 15 minutes
■ Automated Processes
■ Vulnerability Scanners, Web Application Scanners, Patch Management Software, Security Information and Event Management
■ Audits should be performed on a regular basis.*
■ Rotate Log Files
■ Transfer Log Data
■ Retain Log Data
■ Analyze Log Data
*Frequency depends on the criticality of the system.
+
Respond
+
Establishing a Response Plan
Establish a Team of People
■ Outsourced vs. In-House
■ Recommendation: In-House
■ To eliminate the risk of exposing issues to the media and law enforcement when that is not intended.
Determine how the team will be organized
■ Centralized vs. Distributed
■ Recommendation: Distributed
■ Consists of several teams, each responsible for their own unit, along with a central team to coordinate and communicate the plan.
Cost Assessment
■ Determine the resources, money and time required.
+
Establishing a Response Plan
Identification of Stakeholders
■ Management for policies, budgeting and staffing support.
■ Information Security Staff for support with systems and organization.
■ Legal for rules, rights, and regulations guidance.
■ Public Relations for communications with the media.
■ Human Resources for employee relations support.
■ Physical Security for building security management and regulation.
Stakeholder Buy-In - Imperative that they:
■ Maintain an expressed interest.
■ Continually upkeep, improve and enforce the plan.
■ Adapt to changes in new emerging technologies, security patches, laws and regulations.
+
Establishing a Response Plan
Determine Scenario(s) and How to Respond
■ Is it malicious/non-malicious?
■ Where is the source of the attack?
■ What permission levels are in place for that employee (if attacker known)?
■ Locate the intrusion, seize the evidence.
Assessment of the Scenario
■ Volatility of Evidence
■ Network traffic, memory, hard drive, data analysis
■ Network (more dynamic) vs. Hard Drive (less dynamic)
■ Availability
■ How will this affect day to day operations?
■ Assess the damage and limit the loss of resources.
+
Establishing a Response Plan
Training Plan
■ Employee Training (New & Existing)
■ How to identify insider attacks, eliminate negligence and properly report an insider attack.
■ Creation of a website to provide up-to-date insider threat resources to employees.
■ Set up an anonymous tip line to protect the reporting employee from being targeted by the attacker.
Communication Plan
■ Who: Know who you are going to inform in the case of an insider threat.
■ When: Know the order in which you are going to inform them.
■ What: Know what you are going to tell them; not every party needs to know all of the details.
Overall Plan Evaluation
■ Evaluate the effectiveness of the plan.
■ How long will the solution prevent the problem?
■ Improve and continually update to adapt to changes.
+
Establishing a Response Plan
Seizure of Evidence
■ To seize or not to seize?
■ Servers - crucial to the operation of the company, so it is better to make a forensic image instead.
■ Hard Drives - may be able to seize and investigate in the lab.
■ Utilize Chain of Custody Forms
■ Provides admissibility if used in court.
■ Documents evidence at every step of the investigation.
+
Establishing a Response Plan
Behavioral Considerations:
■ Frequent field observations
■ Follow through with legal action to ensure the problem employee is not introduced to another company
■ Prevent file-sharing
■ Tighten monitoring measures
■ Improve previous precautions
■ Enhance employee awareness
■ Record the incident and the actions following it
■ This keeps a reference for when another incident takes place and helps to ensure the same mistakes are not repeated.
+
Response Plan in Action
■ Initiation of the Plan
■ Contain the attack to mitigate its effects.
■ Isolate the system so that it cannot affect other systems.
■ Eradicate the damage caused & disable account privileges.
■ Availability - Ensure that systems can operate & monitor the activity.
■ Evidence - Ensure admissibility for legal purposes.
■ Refer to legal guidelines and regulations on how to properly handle evidence.
■ Documentation
■ Logs should include events, times, dates and be signed.
■ A team of two should have access to logs to ensure integrity.
+
Recovery
+
Recovery Plan in Action
■ Recovery is important to...
■ Restore systems to normal operations.
■ Confirm that systems are functioning normally.
■ Prevent similar incidents from happening in the future.
■ Prioritize Incidents
■ Determine a time frame in which the company will fully recover.
■ Large Scale Incidents: Months & up to a year.
■ Small Scale Incidents (such as this one): 6-8 weeks with proper management of the recovery plan.
+
Recovery Plan in Action
■ Once the system is clean:
■ Test, monitor and validate systems once they are back in production to verify that they are not re-infected or compromised again.
■ Address Vulnerabilities or Loopholes:
■ Tighten Access Controls
■ Establish access permissions on a least-privilege basis: grant only the access that is required.
■ Grant software developers elevated but temporary access when required.
■ Install Monitoring Software
■ Monitor software developers or any employee who requires increased access.
■ Monitor the system in general for at least 30-60 days to make sure the vulnerability has been identified and corrected.
■ Recover the stolen money
■ Determine how the company will recover the stolen goods (e.g. civil court).
+
Recovery Plan in Action
■ Communication
■ Notify all involved/affected parties.
■ Notify employees that there is zero tolerance for this type of behavior.
■ Have a Zero-Tolerance Policy for all employees to sign off on to cover the company legally.
■ The Insubordinate Employee…
■ Should be terminated immediately.
■ Access permissions should be removed so they can do no further harm to the system.
■ Vulnerability Scans
■ Detect and remove any vulnerabilities within the system or network.
+
Thank You!
Questions?
Contact us at:
Chathura Wickramage <cwickramage@albany.edu>
Valecia Stocchetti <vstocchetti@albany.edu>
Daniel P Roberti <droberti@albany.edu>
Nicholas Manzella <nmanzella2@albany.edu>
Nicholas Godfrey <ngodfrey@albany.edu>
Christina Frunzi <cfrunzi@albany.edu>

IQ4 Final Presentation (1)

  • 1. + Insider Threat Fraud Case Study The Threat Within - CWA University at Albany December 10, 2015 “Regardless of the technology in place to protect data, people still represent the biggest threat” - Alex Ryskin
  • 2. + Team 2SECURE ■ Chathura Wickramage - Information Security Officer ■ Valecia Stocchetti - Cyber Threat Intelligence Analyst ■ Daniel Roberti - Cyber Threat Analyst ■ Nicholas Manzella - Security Operating Center Analyst ■ Nicholas Godfrey - IT Risk Analyst ■ Christina Frunzi - Behavioral Analyst
  • 3. + Understanding Insider Threat “It’s not a matter of if, it’s a matter of when.”
  • 4. + What Is Insider Threat? ■ The ability of someone from within a company or organization, who usually has LEGAL ACCESS to files/systems, to initiate an attack with little chance of being detected without proper security measures. ■ Something that appears to be an attack, can appear normal on screen. ■ Can be both malicious and non- malicious. ■ Perception vs. Reality
  • 5. + Who Can Be An Insider? ■ Ordinary Employees ■ Executive Management ■ Vendors ■ Contractors ■ Maintenance ■ Visitors ■ Former Employees ■ ...It can be anyone! Insiders who pose the largest risk to an organization.
  • 6. + ■ Tangible Assets ■ Money What are they after? ■ Intangible Assets ■ Customer Bases ■ Vendor Relationships ■ Data ■ Intellectual Property ■ Patents/Trademarks Copyrights ■ Trade Secrets/Crown Jewels
  • 7. + Why Do They Want It? ■ Motive ■ Reason to commit the crime - Greed, Disgruntlement, Revenge (The Big Three) ■ Opportunity ■ Poor Security, Lack of policy, etc. ■ Rationalization ■ “I did it because…”
  • 9. + Company Profile: Main Street Banking Headquartered in New York, NY 50,000 Employees Global, operating in 90+ countries across Americas, Asia, Europe & Latin America directly or indirectly via subsidiaries, affiliates or joint ventures.
  • 10. + What Happened? A lead software developer, Mark Smith, at Main Street Banking devised a scheme by which he could earn fraudulent rewards points by linking his personal accounts to corporate business credit card accounts of third-party companies. He cashed in the rewards points for gift cards and sold them at online auctions for cash. Ultimately, he was able to accumulate approximately 46 million rewards points, converting the points into $300,000 cash.
  • 11. + Who is 2Secure? We are a part of Main Street Banking’s Security Operations Center. As a team, we have been entrusted with analyzing and solving the problem described above. We have utilized the NIST framework along with many other additional documents to comprise what we feel is the ideal insider threat protection plan. Insider threat is not an easy problem to solve. It requires not only technical controls but also heavily relies on behavioral controls. Insider threat is not 100% preventable, however, the key is to detect it quickly and mitigate the risks.
+
What made the attack possible?
■ Employees not properly trained on how to detect an insider attack.
■ Poor governance.
■ Proper system controls not in place to detect an attack.
■ Poor access controls in place.
+
How was the attack discovered?
■ An anonymous tip by an internal employee who knows the suspected insider was sent to the Security Operations Center (2Secure).
+
Governance
■ Objectives
■ Support the business.
■ Defend the business.
■ Promote responsible Information Security behavior.
■ Identify Stakeholders
■ Create RACI Matrix
■ Responsible
■ Accountable
■ Consulted
■ Informed
+
Risk Identification & Assessment
■ Risks Identified
■ Attacks using legitimate credentials to bypass access controls.
■ Unauthorized access to confidential information.
■ Theft of customer data.
■ Unusual activity and protocols observed on the network.
■ Unauthorized disclosure, modification or destruction of information.
■ Assessment
■ What is the asset?
■ What is its function?
■ What type of data is stored?
■ What is the criticality level?
■ How will it impact the company if compromised?
■ Risk = Threat Likelihood * Magnitude of Impact
+
How could the attack be prevented?
■ Modifications to the Hiring Process
■ Background Checks
■ Psychological Testing
■ Social Media Disclosure
■ Prior Employment Terminations/Call References
■ Credit Score Disclosure (With Consent)
■ Periodic Checks on all of the above
■ Communication
■ Conduct Weekly Team Meetings
■ Schedule Bi-Weekly Check-Ins With Each Team Member
■ Semi-Annual Evaluations/Annual Reviews
+
How could the attack be prevented?
■ Awareness & Training
■ Train employees to recognize an insider attack and how to report it anonymously.
■ Create best practices & develop safeguards to mitigate ignorance/negligence/carelessness.
■ Policies
■ Create a Whistleblower protection policy to protect the anonymous person.
■ Have current employees & new hires sign off on the policy to cover the company legally.
■ Enforcement
■ Enforce the policies and develop a plan on how to monitor when a policy is violated.
■ Stakeholders need to demonstrate an interest in helping with the overall problem at stake, not just with implementation.
+
How could the attack be prevented?
■ Access Controls
■ Create a hierarchy for current or desired access levels.
■ Install software that will track permission levels - Normal behavior vs. Abnormal behavior.
■ Monitor all employees, including ones who have higher access levels.
■ Implementation of timeframes
■ Install monitoring equipment that will record the session.
■ Have a team/employee that reviews the session to ensure that there is no suspicious activity.
+
How could the attack be prevented?
■ Separation of Duties (SOD)
■ Identify processes and procedures along with the employee(s) responsible.
■ Create a tier structure so one person does not complete a process from start to finish.
■ Rotate roles to ensure that another set of eyes is on a particular process.
■ Data Security
■ Implement mechanisms to verify the integrity of software, firmware and information.
■ Implement detection software/processes for third-party sites.
+
What detection techniques should have been utilized?
Behavioral Detection Indicators:
■ Accessing the network while off the clock.
■ Working odd hours and/or excessively willing to take overtime.
■ Takes excessive notes.
■ High interest in topics not pertaining to their job duties.
■ Demonstrating high-risk behaviors such as:
■ Past/current drug or alcohol abuse
■ Struggles financially
■ Excessively gambles
■ Exhibits hostile/aggressive behavior
+
What detection techniques should have been utilized?
Anomalies and Events
■ Ensure that there is coordination between all stakeholders to detect anomalies and events.
■ Analyze traffic & event patterns for the information system.
■ Develop profiles representing common traffic patterns and/or events.
Security Continuous Monitoring
■ Implement software that will track permission levels to detect ‘abnormal behavior’ (as compared to normal behavior).
■ Limit, restrict and monitor all internal and external applications (e.g. third-party banking sites).
+
What detection techniques should have been utilized?
Security Control Monitoring
■ Routine scans should be conducted regularly, such as:
■ Low-Impact Systems: Every day
■ Moderate-Impact Systems: Every hour
■ High-Impact Systems: Every 5, 10 or 15 minutes
■ Automated Processes
■ Vulnerability Scanners, Web Application Scanners, Patch Management Software, Security Information and Event Management
■ Audits should be performed on a regular basis.*
■ Rotate Log Files
■ Transfer Log Data
■ Retain Log Data
■ Analyze Log Data
*Frequency depends on the criticality of the system.
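Two of the detections the slides above call for (off-the-clock access against a normal-hours profile, and a rewards account linked to card accounts the employee does not own, which is the pattern from the case study), written as an added example that is not part of the 2Secure deck. All account IDs, user names, company names and log lines are constructed sample data; the business-hours window and the record layouts are assumptions.

```python
# Added example (not from the 2Secure deck): two detections from the case study,
# run over constructed sample records. Every ID, name and timestamp is made up.
from collections import defaultdict
from datetime import datetime

# Constructed card-linkage records: (rewards_account, employee, card_account, card_owner)
LINKS = [
    ("RW-1001", "jdoe",   "CC-5001", "jdoe"),        # employee's own card: normal
    ("RW-2002", "msmith", "CC-7001", "Acme Corp"),   # third-party corporate cards
    ("RW-2002", "msmith", "CC-7002", "Globex Inc"),
    ("RW-2002", "msmith", "CC-7003", "Initech"),
    ("RW-3003", "alee",   "CC-8001", "alee"),
]

# Constructed authentication log: "<ISO timestamp> <user> <event>" per line.
# 2015-11-02 is a Monday and 2015-11-07 a Saturday.
AUTH_LOG = """2015-11-02T09:12:00 jdoe LOGIN
2015-11-02T10:45:00 msmith LOGIN
2015-11-02T23:30:00 msmith LOGIN
2015-11-03T02:14:00 msmith LOGIN
2015-11-07T11:00:00 msmith LOGIN
2015-11-03T17:55:00 alee LOGIN"""


def foreign_card_links(links):
    """Rewards accounts linked to card accounts the employee does not own.
    Returns {rewards_account: (employee, sorted foreign card owners)}.
    Several distinct companies on one rewards account is the case-study pattern."""
    foreign, owner = defaultdict(set), {}
    for rewards, employee, _card, card_owner in links:
        owner[rewards] = employee
        if card_owner != employee:
            foreign[rewards].add(card_owner)
    return {r: (owner[r], sorted(o)) for r, o in foreign.items()}


def off_hours_logins(log_text, start_hour=8, end_hour=18):
    """Count LOGIN events per user outside weekday start_hour <= hour < end_hour.
    Any weekend login counts as off-hours. Users with zero hits are omitted."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        stamp, user, event = line.split()
        if event != "LOGIN":
            continue
        ts = datetime.fromisoformat(stamp)
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for rewards, (emp, owners) in foreign_card_links(LINKS).items():
        print(f"ALERT linkage: {rewards} ({emp}) -> cards owned by {owners}")
    for user, n in off_hours_logins(AUTH_LOG).items():
        print(f"ALERT off-hours: {user} logged in {n} time(s) outside business hours")
```

In production the per-user window would come from a learned profile rather than a fixed 08:00-18:00 assumption, and the linkage check would run on the rewards platform's own account-link events.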
+
Establishing a Response Plan
Establish a Team of People
■ Outsourced vs. In-House
■ Recommendation: In-House
■ To eliminate the risk of exposing issues to media and law enforcement when not intended to.
Determine how the team will be organized
■ Centralized vs. Distributed
■ Recommendation: Distributed
■ Consists of several teams, each responsible for their own unit, along with a central team to coordinate and communicate the plan.
Cost Assessment
■ Determine resources required, money needed and time.
+
Establishing a Response Plan
Identification of Stakeholders
■ Management for policies, budgeting and staffing support.
■ Information Security Staff for support with systems and organization.
■ Legal for rules, rights, and regulations guidance.
■ Public Relations for communications with the media.
■ Human Resources for employee relations support.
■ Physical Security for building security management and regulation.
Stakeholder Buy-In - Imperative that they:
■ Maintain an expressed interest.
■ Continually upkeep, improve and enforce the plan.
■ Adapt to changes in new emerging technologies, security patches, laws and regulations.
+
Establishing a Response Plan
Determine Scenario(s) and How to Respond
■ Is it malicious/non-malicious?
■ Where is the source of the attack?
■ What permission levels are in place for that employee (if the attacker is known)?
■ Locate the intrusion, seize the evidence.
Assessment of the Scenario
■ Volatility of Evidence
■ Network traffic, memory, hard drive, data analysis
■ Network (more dynamic) vs. Hard Drive (less dynamic)
■ Availability
■ How will this affect day-to-day operations?
■ Assess the damage and limit the loss of resources.
+
Establishing a Response Plan
Training Plan
■ Employee Training (New & Existing)
■ How to identify insider attacks, eliminate negligence and properly report an insider attack.
■ Creation of a website to provide up-to-date insider threat resources to employees.
■ Set up an anonymous tip line to protect the employee from the attacker targeting them.
Communication Plan
■ Who: Know who you are going to inform in the case of an insider threat.
■ When: Know the order in which you are going to inform them.
■ What: Know what you are going to tell them; not every party needs to know all of the details.
Overall Plan Evaluation
■ Evaluate effectiveness of the plan.
■ How long will the solution prevent the problem?
■ Improve and continually update to adapt to changes.
+
Establishing a Response Plan
Seizure of Evidence
■ To seize or not to seize?
■ Servers - crucial to operation of the company; ideal to make a forensic image instead.
■ Hard Drives - may be able to seize and investigate in the lab.
■ Utilize Chain of Custody Forms
■ Provides admissibility if used in court.
■ Documents evidence in every step of the investigation.
+
Establishing a Response Plan
Behavioral Considerations:
■ Frequent field observations
■ Follow legal action to ensure the problem employee is not introduced to another company
■ Prevent file-sharing
■ Tighten monitoring measures
■ Improve previous precautions
■ Enhance employee awareness
■ Record the incident and the actions following
■ This keeps a reference for when another incident takes place and helps to ensure the same mistakes are not repeated.
+
Response Plan in Action
■ Initiation of the Plan
■ Contain the attack to mitigate the effects.
■ Isolate the system to protect other systems from being affected.
■ Eradicate the damage caused & disable account privileges.
■ Availability - Ensure that systems can operate & monitor the activity.
■ Evidence - Ensure admissibility for legal purposes.
■ Refer to legal guidelines and regulations on how to properly handle evidence.
■ Documentation
■ Logs should include events, times, dates and be signed.
■ A team of two should have access to logs to ensure integrity.
+
Recovery Plan in Action
■ Recovery is important to...
■ Restore systems to normal operations.
■ Confirm that systems are functioning normally.
■ Prevent similar incidents from happening in the future.
■ Prioritize Incidents
■ Determine a time frame in which the company will fully recover.
■ Large-Scale Incidents: Months & up to a year.
■ Small-Scale Incidents (such as this one): 6-8 weeks with proper management of the recovery plan.
+
Recovery Plan in Action
■ Once the system is clean:
■ Test, monitor and validate systems that are back in production to verify that they are not re-infected or compromised again.
■ Address Vulnerabilities or Loopholes:
■ Tighten Access Controls
■ Establish access permissions with the least privileges that are required.
■ Grant software developers elevated but temporary access when required.
■ Install Monitoring Software
■ Monitor software developers or any employee who requires increased access.
■ Monitor the system in general for at least 30-60 days to make sure the vulnerability has been identified and corrected.
■ Recover the stolen money
■ Determine how the company will recover the stolen goods (i.e. Civil Court).
+
Recovery Plan in Action
■ Communication
■ Notify all involved/affected parties.
■ Notify employees that this type of behavior has zero tolerance.
■ Have a Zero-Tolerance Policy for all employees to sign off on to cover the company legally.
■ The Insubordinate Employee…
■ Should be terminated immediately.
■ Access permissions should be removed to ensure they can no longer affect the system.
■ Vulnerability Scans
■ Detect and remove any vulnerabilities within the system or network.
+
Thank You! Questions?
Contact us at:
Chathura Wickramage <cwickramage@albany.edu>
Valecia Stocchetti <vstocchetti@albany.edu>
Daniel P Roberti <droberti@albany.edu>
Nicholas Manzella <nmanzella2@albany.edu>
Nicholas Godfrey <ngodfrey@albany.edu>
Christina Frunzi <cfrunzi@albany.edu>