MALICIOUS INSIDER THREATS AND CONDUCT RISK

Transcription

1 MALICIOUS INSIDER THREATS AND CONDUCT RISK Annie Searle University of Washington The Information School Puget Sound ISACA September 19, 2017

2 Annie s Background 15 years as co-founder and CEO of Delphi Computers Lifetime member, American Institute of Entrepreneurs Northwest Entrepreneur of the Year Matrix Table Woman of Achievement 10 years executive management at Washington Mutual Senior Vice President, reporting to both CIO and CRO 9 years at ASA Advisory and research divisions, including publications Annual participant, New York University Global Risk Network Forum Monthly column in ASA News & Notes newsletter Author, public speaker, UW Information School faculty Jackson School Global Cybersecurity Initiative Task Force Academic advisor, UW ISACA Student = Twitter

3 Conduct Risk Definition Risks attached to the way in which a firm, and its staff, conduct themselves.matters such as how customers are treated, remuneration of staff, and how firms deal with conflicts of interest. -- Thomson Reuters, 2013 From my own work, I would say that conduct risk is the overarching framework for insider threats as defined by either the SANS Institute or Carnegie Mellon s CERT Insider Threat Center.

4 Today s Workplace* It s a 24 hour proposition, particularly in infosec & cyber. 120,000 deaths a year from stressful workplaces, also 8% of health costs in this country. Higher attrition, lower engagement = less productivity. Stressors include: Scary times (global face-offs, political discourse) Excessive workloads, long days (average = 47 hours a week) Technology always on *Goh, Pfeffer, Stefanos. The Relationship Between Workplace Stressors and Mortality and Health Costs in the United States

5 Employees and the Workplace Here are some warning signs: Agrievement over performance review * Belief that she/he owns the app she/he supports* Reclusive and/or aggressive behavior with peers Excessive complaints Overreactions to problems Erratic attendance Personal life challenges or changes Team members coerced to misinform, skip steps, or ignore process to hit bonus target -- *Carnegie Mellon CERT

6 Main Root Causes of Conduct Risk Tone Monkey-see monkey-do Practice what you preach Culture Conflicts of Interest Lack of robust supervision Undue influence factors

7 Tone a term used to describe an organization s control environment, as established by its board of directors, audit committee and senior management. The tone at the top is set by all levels of management and has a trickledown effect on all employees of the organization. If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are most likely to uphold those same values. As a result, such risks as insider negligence and third party risk are minimized Ponemon-Shared Assessments Survey What We Know: Employees pay close attention to the verbal and non-verbal responses of their bosses. Most learn how to behave from observation, not from reading procedures manuals. Ethical dilemmas = social cues. Monkey-see monkey-do. Few use careful deliberation to make decision.

8 Tone and Top Unethical Behaviors Misuse of company time Abusive behavior Employee theft Lying to employees Violating company internet policies -- Ethics Resource Center 2015 Study How These Are Handled Drives Employee Perception Personal interactions How crises are handled Policies and procedures adopted by leaders -- Ethics & Compliance Initiative (ERC research arm)

9 Culture While firms may have their own definition of firm culture, we use it here to refer to the set of explicit and implicit norms, practices, and expected behaviors that influence how firm executives, supervisors and employees make and implement decisions in the course of conducting a firm s business. -- US Financial Industry Regulatory Authority, 2016

10 Culture: Practice What You Preach Strong Effective implementation of values Do right/good See something, say something Hiring the right people Weak Success at any cost Too much loyalty Fear of retaliation/retribution

11 Conflicts of Interest A situation in which a person is in a position to derive personal benefit from actions or decisions made in their official capacity. -- Oxford English Dictionary Most egregious current example would be the person who holds a 50 year lease on the Old Post Office Building, operates a business on that property which is not far from his residence, and is also the president of the United States. In this example, not only a conflict of interest, but undue influence over those who want access.

12 SANS INSTITUTE STUDY Eric Cole, August 2017 Defending Against the Wrong Enemy

13 Insider Risk Accidental/Unintentional A user who is tricked or manipulated into causing harm or whose credentials have been stolen in phishing or other user-focused exploits designed to let attackers pose as legitimate users to access privileged information Malicious/Intentional Someone who knowingly causes harm and damage to an organization by stealing, damaging or disclosing information

14 SANS Executive Summary 45% of respondents did not know potential for financial loss connected with an insider event; 35% could not place a value on such losses; Only 18% have a formal incident response plan that includes insider attacks, though 49% developing such; 62% believe they ve never experienced an insider attack, though 38% admit their detection and prevention capabilities on IP, Fraud and IT Sabotage are ineffective; 40% rate malicious insiders as most damaging threat; 36% rate the accidental/negligent insider as most damaging.

15 SANS Study Translation Firms understand the importance of insider threats, but no sign that budgets and staff realigned accordingly. Losses connected to such threats are by and large unknown or at least unquantifiable, which would lead to larger budget. If there is an incident response program, it is not focused here, but rather on adverse events and/or external threats. It s not that firms don t have insider threats, but rather that they don t have the tools. Though malicious employees at 43% are greatest concern, negligent employees come close at 39%.

16 Ranked Insider Threat Concerns Compromise of sensitive personal information Compromise of privileged account info, incl. credentials Exposure of confidential business information Reputation damage around breach or leak Exposure of intellectual property (IP) such as trade secrets, research, confidential road maps Compromise of personnel information Possibility of fraud or abuse Compromise of competitive advantage in the marketplace

17 Mitigation Checklist Identify most critical data in your firm Determine who currently has access Restrict access and reduce attack surface Get visibility into user behavior Know your threats Know your vulnerabilities Identify countermeasures to minimize or reduce the threat To do this work, behave like the adversary.

18 CARNEGIE MELLON Common Sense Guide to Mitigating Insider Threats, 4 th Edition

19 CERT s Top 10 Best Practices (of 19) Consider threats from insiders and business partners when performing enterprise risk assessments. Clearly document and enforce policies and controls. Incorporate threat awareness into security training for all. Start with hiring to monitor & respond to suspicious behavior. Anticipate and manage negative workplace issues. Know your assets. Implement strict password/account mgmt. policies on privileged users. Define explicit security agreements for any cloud services. Enforce separation of duties and least privilege. Stringent access controls and monitoring on privileged users.

20 ANNIE SEARLE How Does Conduct Risk Manifest and What Are Its Root Causes? from Conduct Risk: A Practitioner s Guide London: Risk Books, 2017

21 How to Reduce Conduct Risk Review the corporate values/vision statements Create a statement of values that points to desirable behavior, not a marketing slogan. Create/review the code of conduct Put a real communications program in place, with storytelling around behavior. Incentivize employees to do the right thing Recognize when employees and teams do the right thing. Protect individuals from retaliation. Build a fraud and misconduct plan Train employees on how to report misconduct or fraud. Create your own whistleblower program Guarantee anonymity, employee protection and a monetary award. Self-report without retaliation. Ask your senior leaders to reinforce ethical conduct with their own performance, not just when trying to save their jobs. I was wrong. or Thanks for your insight. or even How goes it?

22 on Twitter