Final Project - Outline
Team Don’t Click That
Brendan Jones - Cyber Threat Analyst
Britney DeSouza - Compliance Analyst
Sam Nicastro - Behavioral Analyst
Emma Halvorson-Phelan - Behavioral Analyst
Peter Macias - IT Risk Analyst
Alfredo Ortiz - IT Risk Analyst
Keith Heesemann - Information Security Officer
Alyssa Carter - Information Security Officer
What Happened?
IT Sabotage
Goliath National Bank (GNB) employed a contractor as a nighttime security guard who was heavily involved in the dark web and led a hacker-for-hire group. He used his security key to obtain physical access to the server closet that housed the e-trading system. From there he rendered the GNB network infrastructure unstable, eventually leading to a four-hour outage across GNB.
How was the attack discovered?
The four-hour outage caused by the injected malware was a clear indicator that something was not right.
IT staff discovered the malware after the outage and determined that the attack had been carried out by someone with access to the server closet.
What made the attack possible?
Goliath Banking lacked appropriate security measures. It followed no recognized guideline in building its security infrastructure and was thus an easy target.
● Failed to implement any security framework (e.g. the NIST Cybersecurity Framework)
● Unaware of the security risk posed by insiders and contractors
● No background checks on employees or contractors
Identify
Risk Identification
● Possessed legitimate privileged access to Goliath Banking's networks and server closet
● Abused those privileges
● Illegally distributed trading algorithms on the dark web
Risk Assessment
What are the appropriate assessment points?
● Type of data obtained
● Data's role in Goliath Banking
● Severity of the situation
○ Impact of the data circulating on the dark web
○ Vulnerabilities
○ Critical assets, i.e. the server closet
■ Threats
Protect
How can this attack be prevented?
● Trust programs
● Interactive training programs
● Exercising the "Active Bystander" technique
● Training employees to recognize common insider-threat indicators
● Monitoring internal and external access
● Data loss prevention
○ Redundancy
● Modifying the hiring process
● A good model for employee departure
Safeguards
Technical
Monitor Employee Behavior
Limit Access
Data & System Integrity
Detection Software
Administrative
Separation of Duties
Policies and Enforcement
Communication
Established Hierarchy
Hiring Process
Background Checks
○ Previous experience
○ Affiliated groups
○ Social media analysis
Periodic Psych Evaluations
○ Baseline and continuous
○ Understanding employee goals
Interview Process
○ Candidate behavior
○ Communicating
○ Encourage an NDA if sensitive IP is at risk
Employee Departure
Severing access
○ Both physical (badges, keys) and virtual (accounts) on the last day
Monitoring system access
○ 2-4 weeks post departure; any successful access by a severed account is itself an alert
Permissions changed
○ Passwords, keys, etc.; rotate any shared credentials the departing employee knew
Employees should be screened
Employees should be treated respectfully
Discourage disgruntlement
Detect
Detection
● Baseline assessments of employee activity: establish what normal activity looks like so that unusual activity stands out.
● Monitoring internal and external access in real time.
○ Using Risk Fabric and similar software
● Keeping audit logs of employees' badge access and network usage.
● Tracking employee web usage for risky activity.
● Keeping anti-malware scanners up to date.
○ HitmanPro, Kaspersky, Malwarebytes, etc.
● Using monitoring software that raises red flags automatically.
Technical Infrastructure
Insider Threat Personnel
● A dedicated branch/team/employee for monitoring and investigating.
● Allocating resources to relevant areas.
● Monitoring systems: specific employees have access to monitoring software 24/7, in order to address attacks or unusual behavior after work hours.
● False positives: dealing with erroneous reports and non-malicious behavior. This is closely tied to developing a "normal" behavior baseline.
● Systems in place to allow any employee to report suspicious activity.
Detecting Threatening Behavior
● Suspicious results from psychological testing
○ Implicit attitudes
○ Physiological anxiety measurements
● Aggressive personalities
○ Usually associated with past drug abuse
○ Typically unapproachable
● Abnormal workplace behaviors
○ Unnecessary work tasks being attempted/completed
○ Displays a secretive personality
● Accessing confidential information at unreasonable hours
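As an added example (it is not part of the team's outline and not GNB's actual tooling), the following Python script implements the detection logic described under Detect and under Employee Departure over constructed badge and authentication log lines: a per-user hour-of-day baseline learned from historical lines, a role-to-resource authorization check (Limit Access), and a check for any successful access by an account past its departure date. The usernames, roles, resource names, departure dates and the CSV log format are all assumptions made for the example.

```python
"""Constructed insider-threat detection over badge and login logs.

Three checks from the outline: (1) access by accounts that should have been
severed at departure, (2) access to a resource the user's role is not
authorized for, (3) access to a critical asset outside the user's baseline hours.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source: str      # "badge" reader or "auth" system (assumed field)
    resource: str
    outcome: str


# Constructed sample data; users, roles and resource names are invented.
ROLES = {"b.jones": "it-dev", "n.guard": "security-guard", "p.former": "trader"}
# Roles permitted on each controlled resource; unlisted resources are open.
ALLOWED = {
    "server-closet": {"it-ops"},
    "etrading-app": {"trader", "it-dev"},
    "etrading-db": {"it-dev"},
    "vpn": {"trader", "it-dev", "it-ops"},
}
CRITICAL = {"server-closet", "etrading-app", "etrading-db"}
DEPARTED = {"p.former": date(2019, 3, 1)}  # last day of employment (assumed)

# Historical lines used to learn each user's normal hours (constructed).
BASELINE_LOG = """\
2019-02-04T09:00:00,b.jones,badge,front-door,granted
2019-02-04T11:00:00,b.jones,auth,etrading-db,success
2019-02-04T13:00:00,b.jones,auth,etrading-db,success
2019-02-04T15:00:00,b.jones,auth,etrading-app,success
2019-02-04T17:00:00,b.jones,badge,front-door,granted
2019-02-04T22:00:00,n.guard,badge,front-door,granted
2019-02-05T00:00:00,n.guard,badge,front-door,granted
2019-02-05T02:00:00,n.guard,badge,front-door,granted
2019-02-05T04:00:00,n.guard,badge,front-door,granted
2019-02-05T06:00:00,n.guard,badge,front-door,granted
"""

# New lines to score (constructed). Format: timestamp,user,source,resource,outcome
NEW_LOG = """\
2019-03-04T09:00:00,b.jones,badge,front-door,granted
2019-03-04T14:00:00,b.jones,auth,etrading-db,success
2019-03-04T22:00:00,n.guard,badge,front-door,granted
2019-03-04T22:15:00,n.guard,badge,server-closet,granted
2019-03-04T22:20:00,n.guard,auth,etrading-app,success
2019-03-05T03:15:00,b.jones,auth,etrading-db,success
2019-03-05T03:20:00,b.jones,auth,etrading-db,failure
2019-03-12T10:15:00,p.former,auth,vpn,success
"""


def parse_log(text):
    """Parse the assumed CSV format into Event records, skipping blank/comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, source, resource, outcome = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, source, resource, outcome))
    return events


def build_baseline(events, tolerance=1):
    """Hours of day each user was active, widened by +/- tolerance hours (wraps midnight)."""
    hours = defaultdict(set)
    for e in events:
        for d in range(-tolerance, tolerance + 1):
            hours[e.user].add((e.ts.hour + d) % 24)
    return dict(hours)


def detect(events, baseline):
    """Return (timestamp, user, severity, reason) tuples for successful accesses that break a rule."""
    alerts = []
    for e in events:
        if e.outcome not in ("granted", "success"):
            continue  # only successful access is scored here
        role = ROLES.get(e.user, "unknown")
        if e.user in DEPARTED and e.ts.date() > DEPARTED[e.user]:
            alerts.append((e.ts.isoformat(), e.user, "HIGH", "access by departed account; severing failed"))
        elif e.resource in ALLOWED and role not in ALLOWED[e.resource]:
            alerts.append((e.ts.isoformat(), e.user, "HIGH", f"role {role} not authorized for {e.resource}"))
        elif e.resource in CRITICAL and e.ts.hour not in baseline.get(e.user, set()):
            alerts.append((e.ts.isoformat(), e.user, "MEDIUM", f"critical asset {e.resource} outside baseline hours"))
    return alerts


def run_example():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baseline)


if __name__ == "__main__":
    for ts, user, severity, reason in run_example():
        print(f"{severity:6} {ts} {user}: {reason}")
```

Note that the night guard's 22:15 badge into the server closet is not caught by the hour baseline, because night-time presence is normal for that user; it is caught only by the role check. An hours-based baseline alone would have missed exactly the access in the GNB scenario, which is why the Limit Access safeguard must be encoded as an explicit rule.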
Human Factor Statistics
Verizon's "2015 Data Breach Investigations Report"
70% of cyber attacks involve a secondary victim, adding complexity to the incident.
59% of employees steal proprietary corporate data when they quit or are fired.
50% of the worst breaches in the last year were caused by inadvertent human error, rising from 31%.
Only 64% of organizations perform information/cyber security risk assessment, the most common cyber risk assurance method.
Response
Response Planning
● The form of attack
○ Inside job
○ Social engineering
○ Exploitation / malware
○ Blackmail / extortion
More often than not a cyber attack will fall into one or more of these common scenarios. As the cyber security response team, it is effective to prepare for these scenarios in advance.
Investigation Procedures
Goliath Banking's recent attack falls under inside job combined with exploitation/malware, since an insider exposed IT systems to malware that led to the network being disabled.
○ Who is the subject, and what is their position?
○ What is their technical background?
○ Which digital devices do they typically use?
○ What are the company policies regarding remote access?
○ Which data systems were accessed?
○ Were the commonly accessed systems audited?
Mitigation
● Severing access to the system if necessary, depending on the size of the incident.
○ Limited access during investigation stages
● Removing certifications of the individuals involved.
● Contacting the appropriate authorities.
● Issuing the proper punishment.
○ Taking legal action
○ Terminating employees
● Following up on non-malicious actors and ensuring they do not act incorrectly again.
Communications
● Internal
○ Inform the workers that are affected by the threat.
○ Minimize exaggerations to prevent unreasonably high anxiety levels for workers.
○ Train workers to view this stressor as a challenge, not a threat.
● External
○ Only use when necessary; outsiders do not need to know the organization's procedures and IP.
○ "Keep it in-house"; for example, involve law enforcement only when needed. Mandatory regulatory reporting (see Recovery) still applies regardless.
Recovery
Recovery
"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event" (NIST Cybersecurity Framework, Recover function)
The most vital step in the overall process of combating an insider threat.
Recovery Plan
Isolate and Restore
Public Relations
Internal Communications
Regulatory Reporting
Recovery Plan
Isolate and Restore (can take between 1 and 7 days)
Detect and quarantine affected systems within the GNB server closet
Replace affected hardware and software, physically and virtually, once forensic evidence has been preserved
Incident Evaluation
Create an incident response team
○ Senior management
Preserve evidence
Discuss severity and causes
Conduct interviews
Releases to the press
Evaluate improvements and future prevention tactics
Recovery Plan
Internal Communications (less than 1 day)
Communicate recovery activities internally
Provide adequate information of new prevention procedures
Regulatory Reporting (New York State law)
Immediately after isolation (1 day)
Must notify all NY residents affected
Government agencies notified through attorney general website
Recovery Plan
Public Relations (done alongside the recovery process)
Internal and external public relations (PR) teams for immediate public response
Offer only necessary and relevant information
Credit monitoring for all impacted parties
Social media updates
What we learned?
- We learned that threats are ever-present, but with the proper procedures in place we can mitigate the costs and damages.
- Access to and handling of sensitive data should be treated with the highest security and be scrutinized.
- Anyone can be an insider threat.
- Cybersecurity attacks are always going to be a problem.
- Insider threat programs should be robust enough to provide clear instructions for companies to follow.
Team Don’t Click That
Contact us: 1-518-555-5555 / Don’t@ClickThat.com