2. About Mike
18 Years in IT
9 Years in Security
CISSP, GPEN, GWAPT, GCIH
Speaker: DerbyCon, BSidesMSP, ND IT Symposium,
NDSU CyberSecurity Conference
3. Defining the threat
Mistakes
Sensitive data exposed
Unintentional data destruction or contamination
Outages caused by misconfigurations
Malware outbreaks
4. Defining the threat
Bad actors
Theft of IP, sensitive data, $$$
Insider trading
Intentional data corruption, deletion
Denial of Service
Terry Childs - 2008
5. The Insider Threat
Verizion 2016 DBIR
≈ 18% of all breaches due to insider actions
riskbasedsecurity.com
32% of all exposed records in 2015 due to insider
mistake. 191M in one event.
≈ 49% of all exposed records due to all insider actions
11. Prevention - web
Block outbound web access by default
Require all users to go through web proxy
Block access to external email providers
Ensure local/regional ISP mail systems are also
blocked
12. Prevention - web
Block access to known file sharing sites
Use proxy vendor classifications
Block access to all uncategorized websites
Prevent egress from servers
13. Prevention - network
Deny by default
Ensure all egress avenues are blocked, including
SSH, telnet, SMB, CIFS, HTTP/HTTPS
Grant unrestricted egress by exception only
Tie to user ID, not IP
Disable split tunneling on VPN connections
14. Prevention - applications
Consider whitelisting technologies to prevent unknown
executables from running
Significant management overhead initially
Worth it in the long run
15. Removable Media
Deny access to use removable media
USB AND CD/DVD-R
Permit by authorized exception only
Regularly review removable media authorizations
Encrypt all removable media
17. Data Classification
Implement data classification scheme
Identify what data is sensitive
Separate storage of sensitive and non-sensitive data
18. A word about DLP
DLP is not a panacea
Useless without a data classification program
You MUST perform HTTPS inspection
What about encrypted zip in email?
20. Privilege Management
Restrict access to local AND directory administrator groups
Separate accounts for admin and daily use
Regularly review access to admin groups
Group users by job function
Regularly x-ref group membership to job functions
Privilege review whenever employees change roles
21. Restrict Access
Deny access to sensitive data by default
Provision access to data by group / role
Individual access by exception only
23. Monitoring
Email
Develop reporting for outbound email usage by user
Network / Web
Develop reporting for outbound data usage by user
Compare outbound reports against baseline
Look for spikes in usage; review
24.
25. More on monitoring
What about packets bouncing off the firewall?
1 IP to an external IP on many ports or to many IPs
may be sign of probing
Some attacks exfiltrate over DNS
https://www.sans.org/reading-room/whitepapers/
dns/detecting-dns-tunneling-34152
26. Tuning for monitoring
IDS/IPS - DO NOT enable all the things!
Details will be lost in the noise
Test in small batches, only enable useful / actionable
alerts
Enable reputational and behavioral blocking on local
client firewalls / AV - i.e. Symantec Sonar
27. Logging
Send all logs to SIEM
Log all authentication attempts
Both successful and failed
NSA “Spotting the Adversary with Windows Event
Log Monitoring”
28. Logging
Log access to sensitive data directories
Log firewall activity
Process logging
Consider file integrity management and change request
system
29.
30. Antivirus
May be ineffective against emerging threats but useful
after the fact
AV alerts from system boot or scheduled scans
should be investigated - something bad is already on
the system
Investigations can x-ref proxy logs to identify
infection vector, subsequent calls to botnet / threat
actor
31. Hardening systems
Same methods used to prevent against external
threats
Remove “low hanging fruit” for insiders
Disable unnecessary services
Remove unneeded software
Patch quickly, patch often
32. Share auditing
Routinely scan for file shares
Unprivileged user without special group permissions
Identify shares allowing anonymous or “Authenticated
Users”
Sample each accessible share for unprotected
sensitive data
33. Education / Resources
SANS: Securing the Human
site:sans.org intext:”insider threat”
https://www.cert.org/insider-threat/research/controls-
and-indicators.cfm
34. Wrap up
Prevention is key
Restrict privileges
Restrict network egress
Block removable media
Monitor for abnormal behavior
Logging is essential
Review shares for unprotected sensitive data
Educate, educate, educate