In today’s podcast, we are going to address the Insider!
This can be as simple as someone clicking on a malicious link or as complicated as having a rogue employee! If you are a business owner, large or small, this podcast is right up your alley and it is imperative that you pay close attention. Your business could be at stake!
In this podcast, we are going to be covering the following:
- External vs. Internal Insider
- Triggers / environment that allow it to occur
- Organizational Factors
- Behavioral Indicators
- Key Questions to ask yourself
- 5 Steps to Reduce your Business’ Insider Threat Risk
- PTM – Amazon EC2
Other associated links and resources mentioned in today’s show or posted this week:
- Insider Threat – FBI
- Jawbone Sues Fitbit for stolen data
- Insider Threat Program – Cert.org
- Insider Threat Mitigation Guidance – SANS.org
- Insider Threat Program Best Practices – Computer.org
- Account takeovers are a serious problem, and an article in Ars talks about Universal Second Factor being the savior.
- blogVault article about backing up too frequently: a backup service, or building out bigger infrastructure, is the answer.
- CYBERCOMMAND becomes a full combatant command, which basically means the cyber realm can become a combat zone.
- 3 Chinese men charged with insider trading after hacking into merger and acquisition law firms. The insider!
- Critical vulnerability in PHPMailer, used by WordPress, Drupal, 1CRM, etc. to send email. No known exploit – yet!
I hope you enjoyed the podcast and that it provides you value in securing your business and WordPress site!
Click here to leave us an iTunes review and subscribe to the show!
I know you will enjoy this episode.
Thank you for listening!
“WordPress Security Daily”
BONUS – Don’t forget you can use the content in the podcast/training for Continuing Professional Education (CPE) credit!
Can’t listen right now? Read the transcript below.
Shon: Welcome, all. How have you all been doing this wonderful week? I hope you all had a great Christmas and Happy New Year. We’re now into 2017. It’s awesome. 2017 is going to be a great year. I just know it and I hope it’s going to be great for you all, as well. So, it’s going to be a good year to start kicking stuff off and we’ll just see where WordPress and security go this year. There’s just a lot of stuff in the news and I was talking to my folks over the weekend and we were just amazed at how much things have changed and how the world has changed, especially in dealing with online business and with pretty much everything. So, it’s going to be awesome as far as how this year goes. I’m really super excited about 2017. Before we get to the meat of today’s podcast we’re going to go over our sponsor for this week and that’s Sucuri at sucuri.net.
Hey, have you ever felt that your site’s been hacked, have you ever had that wonderful sinking feeling in your stomach where you go, oh, no, now what? All right. You know, I’ve talked to so many people online, especially developers that have had people get hacked, and they’re like, these guys, they don’t know what to do. People are just confused on what to do. They’ve been hacked. Now what? It’s like, I don’t know what to do. So, if you’re totally confused about security and how best to protect your site and to ensure your brand and livelihood are safe, Sucuri can help you out. They offer a wide range of products and services that can clean hacked and defaced websites, providing you the actual protection capabilities required for your site. I mean, here are just a few of the services that they can give you: website malware removal and cleanup, website application firewalls, which we’ve talked about on this broadcast numerous times, and distributed denial of service mitigation, which is DDoS attacks. They can help with that as well and there are so many more things that they can offer up to you from a service standpoint. Check them out at sucuri.net. That’s Sucuri, S-U-C-U-R-I. That’s sucuri.net. All right. Let’s get back to the podcast.
Okay. We’re going to really go over some things in the news area and I’ve only got a couple that I’ve got to get into because I really want to get into the meat of this podcast, but there are two main topics. Actually three that I really want to cover. First one is account takeovers, and Ars Technica put out a really good post that I think I need to do a podcast on, and that’s two-factor, and they’ve used a thing called the Plug-up. It’s a security key and I guess Google has been using it with all their employees now for over two years and they love it. They said it’s been working great and Google actually prefers it over your standard two-factor authentication.
So, if you’re asking what is two-factor, well, two-factor is, you know, something you know and something you have. First factor is something you know, second factor something you have. Well, the second factor is just a little key that slips into your USB drive and then it acts as that something you have. Now, there are all kinds of different ways of doing this, but basically, in a nutshell, this is a way that you can have that second factor in your computer. You just plug it into the USB drive. You enter in your PIN. You’re done, and they’ve recommended it. I’ve just kind of seen what it’s been able to do. It’s actually really nice. You don’t have that big old key fob. You don’t have it on your phone. I’m a fan of the phone but there are some tradeoffs with risk as far as security goes on your phone and having that capability in it. So, I’ll be interested to see where this goes. I think this is a really good step forward and if Google’s been using it for that long they actually recommend it. That doesn’t mean it’s by all means the panacea and it’s the thing that’s going to work for sure, but it definitely has some merit to it. So, we’ll have some more things that we’ll talk about more here in a future podcast, but considering everything that’s been happening in the news about e-mail and everything else that goes on within systems, that Universal Second Factor is a really important thing.
So, we’ll have it in the show notes, but Ars Technica is talking about a real small USB key. So, in this news article we’re going to be talking about there were three Chinese men that were charged with insider trading after hacking into mergers and acquisitions, called M&A, law firms. Now we talk about the insider, and today’s podcast is actually going to be about the insider. These guys were able to make more than four million dollars and I think there’s a British article at The Register and it’s at $3.2 billion. 3.2 million pounds is what they were able to get, and how they did this is they hacked into the server of the CFO and also of his main financial director and they ended up finding out what was going to happen with M&A, mergers and acquisitions. They then would place stock trades based on the knowledge of these M&A actions.
So, if you have ever dealt with this before, M&A activity is very hush-hush. It’s very tight-lipped and nobody wants to talk about it because it can affect stock price, so if companies get sold, bought, whatever, it can run the value of the price of the stock up or it can take the value of the stock down, which in turn can affect the total price of the company. Right? So, these guys hacked in there. They got remote access to their system and they targeted their e-mail accounts. So, it was a phishing attack that went in and they then got access to the system. They went after their e-mail accounts and they ended up just sucking out as much information as they could.
Now, they attempted to get many more firms, but it sounds like there were at least two of the five that they went after that they got full access to, and they also attempted to get in there more than a hundred thousand times. I mean, they were hitting these guys all the time trying to get access to their sites or to their information. Now, there is a quote in the article that I thought was interesting: this case of cyber-meets-securities fraud should serve as a wakeup call for law firms around the world. You are and will be targets of cyber hacking because you have information valuable to would-be criminals, and I’ve said this time and time again to friends of mine that are lawyers. You guys are targets whether you like it or not, you’re targets.
So, you better put stuff in place to make sure you protect your stuff, and this comes in the form of teaching your employees, and this is even the CFO or the financial directors: teach them what to look for in the event that they get hacked and put triggers in place to stop it. So, basically they stole public or nonpublic information through unauthorized access to these law firms and it caused all kinds of issues. You know, it’s just crazy. So, again there’s a plethora of these that are going out throughout the internet. You need to check them out. You need to be careful of them and you need to educate your people about them.
All right. Let’s roll right into the training part of our podcast. Okay. So, in this part of the podcast we’re talking about the insider threat program. What do you need for your company, your business, to have an insider threat program? Now, the important part about all of this is if you have a business, you have employees, at any point in time they can steal from you. Period. They can do it from their email, they can send emails out. They can download onto USB drives. They can do almost anything. So, something you have to be aware of when you build an insider threat program is, you know, the places where they are capable of doing this, and in today’s world it is more apt to happen than potentially in the past. Now, the reason I say that is because the loyalty to the company or the brand was much more significant in the past than it is today. Today, people feel that, you know what, the company owes me, or this is my knowledge, I’m going to do what I want with it. So, you need to keep that in mind when you’re building an organization and you need to understand what you should do to maintain or keep your intellectual property in your company and not have to deal with your employees walking off with it. So, let’s go real quick into the definition: an insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors, business associates, who have inside information, like the newscast before, concerning the organization’s security practices, data and computer systems. Okay, so that’s an insider.
Now, we all know what it is: an insider does that, steals stuff and ships it outside. Bad, bad idea. Okay. So, you have different kinds of insider. You have an external insider and you have an internal insider. Now the external insider is someone who’s gained access to your environment externally or potentially could be no longer with the company, which could be like an internal insider, but they basically have gotten access. Now, how this works is, if you look at the last news article we talked about, people clicked on a phishing link and then they got access into the systems, right. Well, the moment that you click on a phishing link and they get access into your systems you are now allowing an external insider into your environment. They become you. So, they become your credentials. They become what you are online. So, they become you. That’s the external insider. Now the internal insider is someone who’s currently within your company who’s acting out these things right there. They’re out stealing your stuff. They’re out sending stuff, work stuff, home, and how this happens, really insidiously with the internal insider, is the fact that they start e-mailing maybe work home and next thing you know they have a whole bunch of your data sitting on their server at home or on their system at home or in the cloud, right, if they’re using Gmail. So, that’s the internal insider.
You have two: external and internal insiders. So, you ask yourself, what is their motivation? I mean, everybody loves me. Why would they steal from me? Right. That’s kind of some owners’ thought process. Joe’s been with me for ten years. Why would he steal? Okay, well, again, if it’s an external they may not be the person stealing from you but it may look like they’re the person stealing from you. But if they’re internal then anything can happen. I’ve talked to numerous H.R. people about this. They go, well, we have our core principles in our company. No one is going to steal from us. I’m sorry to say that, you know what, those core principles are great and they need to be there. However, anything can happen within a person’s life and the moment that that happens, boom, it’s over. They’ll start stealing stuff. If they think they can get a competitive advantage and make more money or whatever, more prestige or whatever, there is their motivational factor. They’ll do it. If that trigger is triggered, trigger is triggered, I think that’s right. A trigger is tripped. That’s it. So, keep that in mind: you need to always uplift your people. Always be a good boss. Be a leader, but at the same time it comes back to old Ronnie Reagan: trust but verify. And the other aspect is that, you know, in the case of a third party, Target, target.com, basically your Target stores.
The HVAC, that’s heating, ventilation and air conditioning, they got hacked. They got hacked by a third party. So, how your third parties get into your environment will also be a factor. So, it’s not just the motivation of an employee who decides to do something bad. It could be a third party that has access into your network. So, keep that in mind too. So, again, it can be greed, disgruntlement, revenge, boredom, you don’t know, but bottom line is you’ve got to really check. There are some good big signs about people of what they might potentially be doing, especially if they have access to sensitive data. Keep an eagle eye on them. Watch out for them. So, what are the preconditions? Okay. So, they have to overcome some inhibitions that they have, and a person must do these things to move forward with the plan to basically steal the data. What are the inhibitions? Well, their morals, their fear, their loyalty, maybe their risky behavior: they know that they’re not really prone to that, or that maybe they are prone to that. It can be very hard from that standpoint or very easy depending upon the corporate culture and the workforce demographics. So, do you have a lot of younger people, do you have older people that have been around for a while and have more loyalty?
So, do people within your organization have perceived ideas? You know, the company takes care of me, so I’m going to back up the company. The company doesn’t take care of its people, so you know what? I don’t really care. They don’t pay enough. I want more time off, et cetera. Those kinds of ideas can make these things more exacerbated or get worse. So, you’ve got to have some preconditions in place. What are some triggers that would be within your environment that would allow this to occur? I like to use this quote: success happens when opportunity and preparedness meet, and what I mean by that is prepared is the divorce, the layoff, the ego, all those different things. These can happen to any employee. They’re prepared. They have a divorce. They have a layoff, whatever. The opportunity is you basically have unfiltered, unmonitored access to the Internet. Nobody is watching them. You have poor or ineffective security practices in place. That’s what happened, so no one’s watching what’s occurring.
So, now, you just think about it. If you know someone’s watching what you do and you have these divorces or these layoffs or whatever happen in your life you might think twice about doing something. You still might do it but you think a little bit harder about doing it. If you know that no one’s watching anything you’re doing and you can get away with it, and these things happen as well, forget them. I want to do what I want to do, right? So, that’s what you need to consider if your business has things in place to basically put them in check. Slow them down. Now, the stats on this are that, from the 2015 Verizon data breach report, they’re saying it costs about a hundred and forty-five thousand dollars for an insider breach and that can result in about fifty-four days. So, that’s huge. So, if you’re a small business you think about it, and an insider could cost you a hundred and forty-five thousand dollars.
How many of you guys out there would go out of business for that kind of breach? So, consider that that’s just for not having a program in place. It also opens you up to be legally liable. Right? If you don’t have a program and these things happen, potentially from your third parties or whoever you work with, it could open you up to legal issues. So, you just need to really consider that. Those are the organizational factors to put in place as far as their program goes. If you have a deployed workforce this can add some level of issues with it: less ability to build a corporate culture can cause some issues with it. Is your workforce global, you know, if it’s just all over the place, global attitudes, different personalities based on the culture of that environment may have something to do with it.
Certain people in the United States are more loyal. You get other countries like, say, China, for example, and China’s culture, and this isn’t bad about China at all, it’s just China’s culture is that they have to move on to new roles every couple of years. So, if that’s the case, you know, you just know that going into it, so those are different cultural norms you have to understand when dealing with, especially, a global workforce. So, what are some of the behavioral indicators that you can consider when this happens? Well, are they having work issues? You know, they’re not performing like they used to. What are their internet browsing habits? Are they all over the map, right? Are they always on the Internet? Are they constantly downloading stuff? Are they bored out of their skull, right? Are they hostile, are they vindictive, or are they getting caught with criminal behavior, maybe, that you’re aware of? These are big indicators of something that could be happening, and are they acting contrary to your company’s principles or core beliefs? So, again, it’s not going to stop everything, but the times that I’ve seen it from an insider standpoint in my background,
every time that something like this has happened it has been from the fact that there have been plenty of indicators, plenty of warning signs of something going on, and if someone would have paid attention to it it could have dramatically reduced the time until the effect happened or could have even stopped that or eliminated it completely. So, something to consider there.
Okay. So, before we go into the next piece of our podcast, we’re going to do a quick time out for a word from our sponsors, and our sponsor for this week is Sucuri, S-U-C-U-R-I.net, Sucuri Security. So, as you know, WordPress Security Daily is all about security. Yes, we are, and with over ten thousand WordPress sites being hacked each day it’s amazing. It’s imperative that you get the security you need. Sucuri is a company that will help you with your security needs whether you’re a small one-person startup or a medium to large multinational company. They can help you provide everything you need to stay secure. I mean, it’s awesome, and if you’re a developer or a person who’s responsible for the installation and management of a website they can help you, and that’s the part I love about it, that they’re available to help you whether you are a small company or a large one. If you have ever been concerned or even overwhelmed with managing the security for your site, I talk to lots of people and they say this, Sucuri can help you, and if you have been hacked or have no idea who to turn to to clean your site and trust that they’ll get it done right. I mean, that’s a huge thing there. Do you have multiple types of platforms that you are responsible for maintaining: WordPress, Joomla, Drupal? All of those. I mean, that’s huge. So, Sucuri is a multi-platform company that can help you 24/7/365 in many locations globally. Now here are just a few of the products and services that they offer up to people: malware removal and cleanup. Okay, we talked about the continuous scans for malware and hack attempts, and the part with that is that they have the plugin that will help you with that as well, and even external malware scans, website blacklist monitoring and removal, and then also website application firewalls.
I mean, that in and of itself is a huge factor that you really need to consider for your WordPress site especially, and then distributed denial of service mitigation, which is a big factor you see on the Web today as far as the DDoS attacks and everything else that has been going on with DDoS. So, DDoS is huge, and they actually have an area that I thought was really interesting with PCI compliance. They take care of that for you, and that can be a very sticky subject and it’s good to have people that can help walk you through that. So, another item that I feel is super important are the analysts at Sucuri. They provide in-depth analysis and, realistically, thought leadership to the community through their blog. I mean, that’s huge, and they provide you detailed information on current hacks, security protections, insights and how you can get better at your site and your business. I use a lot of their stuff out there. I bring it up. They also have a malware recovery and how-to-clean-your-site document that you can use, and they truly do give back a lot in this space, which is really cool. They offer up three options for their website security stack: basic, pro and business. Now, each option has different levels associated and you need to check out your site to get a good idea of what’s the best option for you and your business. Lastly, you know, talking with Tony and Dre, they are down-to-earth people who really want to help the entire WordPress community while providing great services to the community. So, check them out. Sucuri.net, that’s Sucuri at sucuri.net. All right. Let’s get back to our podcast.
So, mitigation strategy. Some key questions to ask yourself: do you have sensitive data within your organization that could cause you legal issues if released, lost or compromised? Do you have that stuff in your system? Yeah, you do. If you have it, that could cause you lots of issues. Do you have an insider threat program in place within your organization? If you already have one, that’s a good thing, right? Do you need to just make some changes to it? Do you have an onboarding or offboarding process in place for your organization, people that come on, people that leave? Do you have that? Is your H.R. department completely connected with I.T. and are there processes in place? You know, that’s a big factor there: are you talking to them, if you have any, or maybe you are the H.R. department, but if not, do you have something there that would help when somebody comes on and off, and are they connected to what’s going on in I.T.?
Do you allow third parties to connect into your environment? How do they do that? You know, what do they do when they connect in, and what stopping points have you put in there to protect from what they’re doing? Do you monitor, control their access? So, do you have access to that? Do you watch what they do? Do you audit their access within your environment? Are you watching what they’re doing, and do you have legal wording in your contracts with these third parties around cyber breaches? What are they going to do if they get a breach? How are they going to tell you? Is that all in your contract? And the question is, are there legal requirements that require you to have an insider threat program in place? Some legal things may require you to have that, depending upon which aspect you may deal with. Right? So, if there is a deal with the government they may require you to have something in place as an insider threat program, and it may not be as simple as just, is it documented? Do you have an incident response plan in place to help mitigate potential insider threats? Possibly, right? Do you have that in place? If you do, awesome, but if you don’t, what can you do to help put one in place quickly? How do you define what your crown jewels are, your data classification? Do you even know what you need to protect, right? You can’t protect it all. So, what do you need to really worry about, and then, are you watching the watchers? So, if you have a security company doing this, are you watching them? So, what I’ve told multiple leaders within various organizations: are you watching the security guy? You need to, because they can go rogue just like anybody else can, and it’s easier to go rogue if I’m the guy who’s got all the information, and, you know what, don’t worry about me, I’ve got it taken care of. Well, that’s scary, and when I’ve dealt with other companies, basically what I say is, when they say, well, security can have, you can have all these different rights: no way.
Take away their rights. I don’t want them, just because of situations like that. Not that I’m going to go rogue. That’s not going to happen. But again, that’s just something to consider.
There are many, many more, but this will get you started kind of thinking about that. So, there are five steps to reduce business insider risk. First off, educate yourself. This is what we discussed: you need to educate yourself, and this podcast is part of helping you with this, but understanding what an insider is. So, these are the precursors before we get into the steps, but you need to educate yourself, and then the questions that you need to ask yourself, which we’ve kind of talked about, are what are these questions and how concerned should you be about them and what should you do when dealing with the insider threat. So, step one is understand what is important; define your crown jewels. Define what it is that you need to protect, and you ask yourself, who decides what is important? Are you the person that is the owner? Is it maybe somebody who does your R&D, maybe somebody that is one of your engineers? Who knows, but who decides what is important in your data? Step one. Step two, know your current security posture; understand what security controls you have in place now. Is the baby wide open, yeah, bring it on? Or are there controls in place? Understand the security products that you need to help you out with this. Step three. Set up an insider threat program. Take the principle, as we talked about, and set something up.
There are good examples online. There are free resources, or you can pay someone to help you with that. I’d be more than happy to help you with that, but there are other options out there as well. That comes down to entry and exit processes, training and awareness for employees, defining and implementing security products based on risk. Those key things, right? Then, have an incident response process in place to help you with that. Step four. Ensure separation of duties, least privilege. Do not let anybody have the keys to the kingdom. You’ve got to keep them out. Right? Do not allow somebody to be able to go and escalate their capability higher than what they should. Limit their keys to the kingdom. Separation of duties, least privilege. Step four. Got it? Step five. Monitor user behavior. Okay. So, insider threat indicators and insider threat detection. Watch what they’re doing. If they’re doing funky things and they’re acting funny, set up some way to trigger on that, and again, we talked about some recent examples that have been in the news. You just google it. There are lots of different opportunities that happen in this space. Lots of them, and I’ve seen, just even this past week, two more that popped out. So, again, if you’re a small or medium-size business, even if it’s just one person, you need to, really, you don’t have to have it all documented so perfectly unless you’re that kind of person, but knowing these steps will help you a lot, especially as your business grows and expands, to make sure that you put it in place at the foundation, because the worst thing that you want to do is try to come back and try to dig all this out later. It makes it a lot harder. So, that is the insider threat program.
All right. So, let’s roll right into Amazon EC2. So, what the heck is EC2? Amazon. It’s called Amazon Elastic Cloud Compute, i.e. Amazon, E, then two C’s, right? EC2 allows for resizable computing capability or capacity. So, what does that mean? Well, basically what it is, in a nutshell, is it allows you to scale up and down on your capacity. So, if you’ve got lots of servers you need to build up, it will let you do it, or you can turn them off if you don’t need them. So, you pay for only the capacity that you use. That’s it. That’s all you need to worry about, which is really nice. You’re not paying for servers that are sitting in a building that are just running and there’s no use on them. It provides developers great tools to build on these things and you can use their API, which is basically, to explain, the communication piece from one point to the cloud. It allows you to use it to create against the API using their software development kit, and bottom line is Amazon EC2 is a cloud. You’ve got computers in the cloud. You can scale them up or scale them down based on what you need. Okay. So, it’s awesome. Right? In fact, if you’ve got a build that you want to scale up or scale down, you don’t have to go out and buy systems to do this, and that’s an issue, that it takes time to buy systems. You’ve got to buy them, you’ve got to spec them.
You gotta do all that. You can just go out there and click, click, click, click and you’ve got systems up and running. So, I love it. That’s right. Cost-wise, something to consider. The cost of these systems will be similar to what you would pay within your data center from an initial standpoint. So, if you run them all the time your costs can get expensive. If you run them the way you would normally run, like you turn them on, turn them off, your limited-usage kind of stuff, then the cost will be roughly about the same. I say roughly because it just depends on how you use it, but roughly about the same as if you had something in your data center. The good part about it, though, is that if you don’t want to use them you shut them down, or if you just blow them away you don’t even have to deal with it, right? So, once you pay your bill and say, you know what, I need it for this short instance, I don’t want to be stuck with a bunch of servers, it’s a great opportunity for that. So, they use virtual servers, which they call compute instances, and they are in Windows and Linux. They don’t have any Mac, but it’s basically Windows and Linux platforms of servers that they use, and it’s really good for some use cases around this where a small and economical business needs something. It’s very useful if you cluster servers to use a lot of computing power. That would be another solution for that, and also if you’re using their compute, memory, storage or GPU capabilities, they have lots of different buckets that you could put it in.
So, depending upon your use case it could be very useful for you, but there are cases where it may not be and you need to really kind of understand that. The good thing is it’s easy to resize. No long-term commitments. You pay ahead, and if you pay ahead you can get some level of discount. It’s cool. From a security point of view I love it. They’ve got built into it what they call a virtual private cloud. They’ve got that built into it and they have tools that will help you secure your network. It basically allows you to connect into it and you can use your security, and so it’s really awesome what it can do. I highly recommend, though, if you’re going to go down this path, get a little bit of education on it. Maybe talk to somebody that has been building in this area so that they can give you some guidance going into it, because it could get a little overwhelming at first, but once you get into it you’ll figure it out. Just talk to somebody before, if you’re pressured to put large stuff in the cloud, before you go out there and do it, just so that you have a good understanding. It doesn’t mean they have to do it for you, but they can at least give you some education on how to best secure your stuff. It also does auto scaling, which allows you to go up and down; it basically sets up automatically, cool, scale up, scale down based on what you need. The downside with that is it can get expensive.
If you don’t watch it, and companies have been bit by this before, they just go, oh, yeah, we want it all, and then at some point they get hit with a DDoS attack, it scales up and now you’ve got a huge bill at the end of the month, or end of the week. So, something for you to just consider with that. So, the downsides with it: again, costs get away from you if you don’t watch them. Security is available but you need to understand how to best configure it, and typically costs are about a wash when you’re dealing with internal servers, but it’s great for small or big businesses depending upon what you need. So, it’s a tool. It’s a tool that you can use for your business if you want that capability. All right. So, as we close out this week’s show, the WordPress Security Daily podcast, I wanted to express my appreciation once again to Sucuri at sucuri.net. They’re the real deal, they really are, and if you need security services they can help you out. I wouldn’t recommend it if I didn’t feel they could meet or exceed your expectations. Check them out at sucuri.net. All right. So, feel free to stop by WordPress Security Daily for any free content that I have on my site, review us on iTunes. Please share the love, we would love for you to do something on iTunes for us, and have a blessed day and the rest of the week. We’ll catch you on the flip side. See you next week. See you.
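As an added example (not code from the podcast, from Shon, or from Sucuri), here is a small Python scorer for the step-five behavioral indicators discussed above: mail sent to personal webmail, copies to USB, bulk downloads and after-hours activity, run over a constructed audit log. The log format, the event names, the weights and the thresholds are all assumptions for illustration; a real program would tune them to the business's own baseline.

```python
"""Added example: score constructed audit events for insider-threat indicators."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log (not real data): one event per line,
# "timestamp|user|event|detail". Event names are an assumption.
SAMPLE_LOG = """\
2017-01-03T09:12:00|joe|download|reports/q4-pipeline.xlsx
2017-01-03T22:40:00|joe|email_out|joe.home@gmail.com
2017-01-03T22:41:00|joe|email_out|joe.home@gmail.com
2017-01-03T22:45:00|joe|usb_write|customer-list.csv
2017-01-03T23:02:00|joe|download|contracts/acme-msa.pdf
2017-01-03T23:03:00|joe|download|contracts/beta-nda.pdf
2017-01-03T23:04:00|joe|download|contracts/gamma-sow.pdf
2017-01-04T10:05:00|ann|download|hr/handbook.pdf
2017-01-04T10:30:00|ann|email_out|partner@example.org
2017-01-04T14:00:00|ann|download|hr/benefits.pdf
"""

# Personal webmail domains (illustrative list) and assumed working hours.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 is treated as normal

# Assumed weights; USB copies and webmail sends weigh more than volume alone.
WEIGHTS = {"webmail": 3, "usb": 4, "bulk_dl": 2, "after_hours": 1}
BULK_DOWNLOAD_THRESHOLD = 3   # downloads per user in the log window
ALERT_THRESHOLD = 6           # score at or above this raises an alert


@dataclass
class UserActivity:
    downloads: int = 0
    webmail_sends: int = 0
    usb_writes: int = 0
    after_hours: int = 0


def parse_line(line):
    """Split one log line into (datetime, user, event, detail)."""
    ts, user, event, detail = line.strip().split("|", 3)
    return datetime.fromisoformat(ts), user, event, detail


def aggregate(log_text):
    """Count indicator events per user across the whole log."""
    users = defaultdict(UserActivity)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, detail = parse_line(raw)
        act = users[user]
        if ts.hour not in BUSINESS_HOURS:
            act.after_hours += 1
        if event == "download":
            act.downloads += 1
        elif event == "usb_write":
            act.usb_writes += 1
        elif event == "email_out":
            # Only the recipient domain matters for the webmail indicator.
            domain = detail.rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_WEBMAIL:
                act.webmail_sends += 1
    return users


def score_user(act):
    """Return (score, reasons) for one user's aggregated activity."""
    score, reasons = 0, []
    if act.webmail_sends:
        score += WEIGHTS["webmail"] * act.webmail_sends
        reasons.append(f"{act.webmail_sends} mail(s) to personal webmail")
    if act.usb_writes:
        score += WEIGHTS["usb"] * act.usb_writes
        reasons.append(f"{act.usb_writes} file(s) written to USB")
    if act.downloads >= BULK_DOWNLOAD_THRESHOLD:
        score += WEIGHTS["bulk_dl"]
        reasons.append(f"bulk download: {act.downloads} files")
    if act.after_hours:
        # Counted once: after-hours activity alone is weak evidence.
        score += WEIGHTS["after_hours"]
        reasons.append(f"{act.after_hours} event(s) outside business hours")
    return score, reasons


def find_alerts(log_text):
    """Map each user whose score reaches ALERT_THRESHOLD to (score, reasons)."""
    alerts = {}
    for user, act in aggregate(log_text).items():
        score, reasons = score_user(act)
        if score >= ALERT_THRESHOLD:
            alerts[user] = (score, reasons)
    return alerts


if __name__ == "__main__":
    for user, (score, reasons) in find_alerts(SAMPLE_LOG).items():
        print(f"ALERT {user} score={score}: " + "; ".join(reasons))
```

On the constructed log only "joe" is flagged; "ann" sends mail to a business domain during the day and stays below the bulk-download threshold, so she scores zero.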