Hacking Humans 7.6.23
Ep 250 | 7.6.23

Indicators to insider threats.


Thom Langford: The prevalence of cyber and the fact that people have access to so much more data now means that insider threat is more often than not related to what people have access to in their day-to-day jobs.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast. Where each week, we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault joins us. She speaks with Thom Langford, CISO at London Insurance Markets. They're talking about insider threats. All right, Joe. Before we kick things off with our stories, we've got a little bit of follow up. But first, I want to recognize we are at Episode 250, I think that's right.

Joe Carrigan: That's right, quarter of a thousand episodes.

Dave Bittner: That's a mark worth noting, I believe.

Joe Carrigan: It is.

Dave Bittner: Yeah.

Joe Carrigan: I would say. Congratulations, Dave. Congratulations.

Dave Bittner: Likewise, right back at ya there, my friend.

Joe Carrigan: Two hundred and fifty episodes.

Dave Bittner: Yeah. All right, so we've got some follow up here. What do we got, Joe?

Joe Carrigan: So Waldo writes in. He says, "I love the show. Been listening for longer than I can remember." Well, at least 250 episodes, right?

Dave Bittner: Yeah.

Joe Carrigan: "I came across this video from IBM today and thought you might want to share it with your listeners. I'll be sharing with my friends and family." And it's a pretty good video. It's just on YouTube and it's a video about social engineering attacks. It tells you about all the stuff that motivates people for victims in social engineering attacks and how the attackers use it. It talks about credential harvesting and things like that. It's a good video.

Dave Bittner: Yeah.

Joe Carrigan: It's about 15 minutes long. You know, definitely worth a look and we'll put a link in the show notes.

Dave Bittner: Yeah, it's one of those things you can share around with your friends and family. And if they're interested, it might help bring them up to speed.

Joe Carrigan: Indeed.

Dave Bittner: Well-produced.

Joe Carrigan: Yes.

Dave Bittner: All right, well, let's do some stories here, Joe. Why don't you start things off for us.

Joe Carrigan: Dave, I'm gonna start off with talking about the Verizon data breach investigation report from 2023. That's this year, Dave.

Dave Bittner: Yep, yep.

Joe Carrigan: They released this I think last month or early this month. I can't remember when, but it's been out for a while. And we haven't talked about it yet here on this show.

Dave Bittner: Right.

Joe Carrigan: And if you are- if you just Google "Verizon DBIR," this is one of my favorite reports that comes out every year. Mainly because of the really nice pictures and all the really good summaries and some of the, I don't know, somewhat snarky language that they write these with. It's pretty amusing to read. I mean, it's not a dry report.

Dave Bittner: No.

Joe Carrigan: I actually appreciate that writing style. It might come off as a little bit unprofessional to somebody, but you know what? I'd rather read something that interests me and keeps me interested than something that bores me to tears.

Dave Bittner: Yeah, and I'll note that it is one of the most respected and anticipated reports every year and I've had the pleasure of interviewing some of the authors over on the CyberWire. And, yeah, it's one of the reports that you can recommend without hesitation.

Joe Carrigan: Yep, absolutely. I would agree with that. But on Page 31 of the report is where they begin their social engineering talk and one of the things they've said is that it says. "Social engineering incidents have increased from the previous year largely due to the use of pretexting," which is the lie that they tell you before they ask you for something.

Dave Bittner: Right.

Joe Carrigan: Because if I called you and said, "Hey, Dave. I'm a bad guy and I want you to wire me a bunch of money 'cause I just want it." You wouldn't do it, right?

Dave Bittner: Probably not, no.

Joe Carrigan: So I need to have some kind of lie to tell you that, "Hey, Dave. It's me, Peter, and I need you to wire some money to one of our sponsors because we overcharged them," or something, right?

Dave Bittner: Right, right.

Joe Carrigan: So that's what pretexting is. It's most commonly used in business e-mail compromise attacks. It's doubled since last year and the average loss in the social engineering attacks is now over $50,000. They break down the frequency in their report, their incident report. These are- I think these are- this is composed from incidences that Verizon's security organization that they contract out to other companies responded to.

Dave Bittner: Yeah.

Joe Carrigan: They responded to 1,700 incidences and over half of them had data disclosure and these were social engineering instances. The threat actors were almost all from the outside. There were some internal and some partner threats but they're listed here as like 1%. I'm gonna guess there's some- that's a rounding error and that they're somewhere less than 1%, but it's mostly gonna come from the outside, these social engineering attacks. And no surprise here. The motivation of these people is almost 90% financial. The other 11% is espionage where they want to get some information. But 90% is they're looking for money and I'll bet, and I'm not gonna bet, I'm gonna tell you that the other 11% is they're just monetizing it differently. They're just not costing the company money directly. If they're going in and getting a bunch of employee records, they're selling those records and monetizing it that way. If they're getting data, they're selling that data and monetizing it that way.

Dave Bittner: Right.

Joe Carrigan: That's what's happening. The data that's compromised is 76% of these attacks included credential compromises. Now credential compromises are really easy to prevent against and we're gonna talk about that in a few minutes. Some of them are internal, about a quarter of them come from internal people, so that's an insider threat. And that kind of ties in nicely with what we're talking about with our interview today. These people may not be malicious, but they are definitely working on the inside. I want to complain a little bit about some language in the report.

Dave Bittner: Hm, okay.

Joe Carrigan: And this is something that I am kind of a stickler for. It says --

Dave Bittner: You? Yes.

Joe Carrigan: Me.

Dave Bittner: Go on.

Joe Carrigan: That's right.

Dave Bittner: Go on, Joe. Go on.

Joe Carrigan: It says, "One of the more complex social engineering attacks is the BEC, this business e-mail compromising. In these pretexting attacks, actors leverage existing e-mail threads and context to request that recipient- the recipient conduct a relatively routine task such as updating a vendor's bank account." And then it goes on to say, "For example, they might have spun up a lookalike domain that closely resembles the requesting party. And possibly even updated the signature blocks to include their phone number instead of the phone number of the vendor." This is one of the things that kind of bugs me. Verizon's not the only group that does this and maybe I've already lost this battle, but a business e-mail compromise attack is when an- a business e-mail address has been compromised. It's much more devastating because the attack is coming from a legitimate business e-mail address as opposed to being from an outside one. Which could be mitigated against with something like DMARC or some other protections that let you know, "Hey, this is an outside." You know, that big thing that comes up that says, "This is an outside e-mail." You see that on a lot of e-mail systems. Even if somebody is impersonating your e-mail address closely, you'll still get that message because the machine knows, you know, the machines know this is a different domain. This is not coming from the inside.

Dave Bittner: Right

Joe Carrigan: Later on in the report, down on Page 34, it says. "Business e-mail compromise can be targeted internally, meaning that the attacker will leverage a compromised employee's e-mail account." So they get it right later on in the compromise, but I really think it's important to differentiate between business e-mail compromise attacks. Where someone has actually compromised a legitimate business e-mail address of somebody where, you know, the call's coming from inside the house. And an external attack where someone's just impersonating your address. I think that's an important distinction to make. Because you defend against both of those differently and I think that if you just call impersonation business e-mail compromise, if you think of it that way. There are different defenses that are available to you that you're gonna miss that are not gonna be there for you. In this report, the Verizon folks say they like a tool called the Center for Internet Safety's controls, you know, controls, security controls, Critical Security Controls is what it's called. And it's just they refer to it as CIS Controls, CIS, for Center for Internet Safety. And they talk about the protections you could put on accounts. And the- one of the big ones they list here in granting access is require multifactor authentication for externally exposed applications and network access. I would also say require it even in-house for e-mail access.

Dave Bittner: Mm-hmm.

Joe Carrigan: For accessing any of your suite-type products. Like if you have Microsoft 365 or Google Suite, whatever it is.

Dave Bittner: Right.

Joe Carrigan: Use multifactor authentication to authenticate people that. You know, the report is much more than these few short pages on social engineering. It's actually 89 pages long and it's a good read every year, so I would recommend picking it up.

Dave Bittner: You know, it's interesting, too, how, you know, we think about what sort of things we should apply multifactor authentication to. And people think of obvious things like your banking credentials and, you know, those sorts of things. But really, the key to all of this is your e-mail account.

Joe Carrigan: Absolutely, it is --

Dave Bittner: Because that's where you do password resets.

Joe Carrigan: Even on a personal e-mail account, whatever your personal e-mail account is, you should be using some kind of multifactor authentication on that because that is your- the keys to your kingdom. If I can compromise your e-mail account, I can compromise your bank account next.

Dave Bittner: Right. Right, yeah. I think it's a good reminder. All right, well, we will have a link to the DBIR. As you said, it is- it's an interesting read and one of those reports that's certainly worth your time. My story this week comes from the Stamford Advocate, which is from Stamford, Connecticut. This is- it's from Pat Tomlinson, who's a staff writer at the Stamford Advocate. And it's titled A Stamford Man Allegedly Stole $1 million from 700 DoorDash Drivers. Police say his victims are hard to ID.

Joe Carrigan: So a million dollars from 700 DoorDash drivers?

Dave Bittner: Yeah. So --

Joe Carrigan: That's more than $1,000 a person.

Dave Bittner: Yes, it is. So, you know, DoorDash drivers, this is one of the popular sort of jobs you can get in the gig economy here where you can sign up to be a DoorDash delivery person. And you'll have an app that you use and it'll ping you and say, you know, so-and-so wants- really needs, you know, a bag of Oreos. And it's your job to go to the store, pick up the Oreos, and deliver them to the person, and you get paid for that. So this story tracks- starts off by tracking a DoorDasher named Alexis Cleveland who said that she got a call during a DoorDash delivery. She was working for DoorDash. She's 29 years old. And she got a call, or a text rather, that said that she should not complete the order. And then after getting the text, there was a phone call which came from a person claiming to be a DoorDash support team member. And this woman says. "The guy said he was from DoorDash and he told me not to complete the order. He told me to go back to my car and then he had me verify my identity. He said there was a scam going on that Dashers were involved in and they needed to make sure I wasn't involved."

Joe Carrigan: Ah-ha.

Dave Bittner: Yeah, so this was part of a phishing scam. So what happens is the person who calls sent her a link via text and then asked her to sign in to her DoorDash account in order to verify her identity.

Joe Carrigan: Right, and that is a credential harvesting, so the --

Dave Bittner: Right, right. And, of course, the link doesn't go to DoorDash. But then he told her that she wouldn't be able to access her account or her earnings for about four days.

Joe Carrigan: Really?

Dave Bittner: So, yeah, so what do you think's going on there, Joe?

Joe Carrigan: So she's not expecting any deposits, is what's happening.

Dave Bittner: Well, I think what he's doing is he's trying to put a delay on her raising a red flag by saying, you know. "So here's what I'm gonna do. I'm gonna give you a fake link that's gonna look like a DoorDash login. You're gonna go to that link. You're gonna log in."

Joe Carrigan: "I'm gonna give your- my credentials to log in."

Dave Bittner: Right.

Joe Carrigan: "And then you're gonna go to my DoorDash account and change the destination for any money that I'm supposed to get to your bank account."

Dave Bittner: Or even just change the credentials altogether so that he has access and she doesn't.

Joe Carrigan: Right.

Dave Bittner: But by telling her that she won't be able to access the account for a few days, he's trying to put her off from worrying about that.

Joe Carrigan: Right.

Dave Bittner: And then he also said that if she did a certain amount of dashes over those four days, she would get a $900 bonus.

Joe Carrigan: I see. Yeah, this guy's essentially getting people to work for him for free, right? Right.

Dave Bittner: Yeah, right. So he's incentivizing her to put in some extra work to extra, you know, DoorDashes, and then he will take all of the money and reroute it to himself.

Joe Carrigan: Yes. That makes- I get it. That's actually a pretty smart scam.

Dave Bittner: Yeah.

Joe Carrigan: You have to find DoorDashers first and then, you know, so I don't know if that's how you go about doing that. Maybe you- I don't know. I guess you send each phone number a distinct- a unique link?

Dave Bittner: Yeah, I don't know. I'm not sure how. This article doesn't say how he went about finding DoorDashers, but I'm guessing that probably wouldn't be hard- probably wouldn't hard- be hard to buy that information, you know.

Joe Carrigan: Correct. I'll bet that information is pretty easy to come by.

Dave Bittner: Yeah. Yeah. So the police in Stamford, once they were on the case here, they found that he had over 1,750 transactions linked to over 700 different DoorDash accounts. And he had stolen over $950,000.

Joe Carrigan: Wow.

Dave Bittner: Yeah, over several years. So this started in 2020, so right in the midst of the pandemic.

Joe Carrigan: Right, when DoorDash was taking off, right?

Dave Bittner: Right, yeah, 'cause nobody wanted to leave their house.

Joe Carrigan: Right.

Dave Bittner: Yeah. So he's facing charges of first-degree larceny, third-degree identity theft, two counts of second-degree forgery, trafficking in personal identifying information. And first-degree computer crime for the alleged scam. So they're throwing the book at him. It says they seized $733,000 from his apartment.

Joe Carrigan: In cash?

Dave Bittner: I think so, yeah.

Joe Carrigan: Wow. I mean, the guy just has $700,000 laying around in cash.

Dave Bittner: Yeah. Yeah.

Joe Carrigan: That's like that scene in Breaking Bad when Walter White and his wife are standing there looking at all this money.

Dave Bittner: Right.

Joe Carrigan: What do you do with this?

Dave Bittner: Right. So obviously this hurts the DoorDashers. You know, several people lost several thousand dollars.

Joe Carrigan: Yeah.

Dave Bittner: A couple of people here, you know, ranging from a few hundred dollars to some folks who claimed they had over $5,000 stolen from this person, but --

Joe Carrigan: Well, maybe they get some of that back in that- from that large seizure of cash that they got from his apartment.

Dave Bittner: Yeah, that's what they're hoping for. And it's sort of a side note on this story. They said that they're having trouble identifying all of the DoorDashers who got scammed by this person.

Joe Carrigan: Yeah.

Dave Bittner: I guess because of the kind of transitory nature of these gig economies where people come and go. And, you know, as someone who found themselves scammed by DoorDash might say, "Well, I'm done with DoorDash," and then --

Joe Carrigan: Right, they might just stop doing the work. They say, "Well, that guy got four days of free work out of me. That's it. I'm done."

Dave Bittner: Right, right.

Joe Carrigan: I'm going to Uber Eats.

Dave Bittner: Right, exactly, exactly. So, yeah, interesting story, a clever scam, and I guess the lesson here is just to be wary if someone calls you from, in this case, you know, tech support or --

Joe Carrigan: Yeah. This is, again, don't trust the inbound phone call, you know. Make- say, okay, hang up and say I'm gonna call back customer or delivery support here and see if this is something going on.

Dave Bittner: Yeah.

Joe Carrigan: Don't, you know, when your phone rings or you get a text message, don't respond to it.

Dave Bittner: Yeah, and this story actually talks about how one of the folks who this person tried to scam did just that, that, you know, they called DoorDash and spoke to an actual DoorDash tech support person. And that person had no idea what they were talking about. And so then they knew it was a scam.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Right.

Dave Bittner: So, all right, we will have a link to that story in the show notes. Joe, it is time to move on to our Catch of the Day.

Joe Carrigan: Dave, our Catch of the Day comes from Ami and it's a first because it's an audio Catch of the Day.

Dave Bittner: Hm, all right.

Joe Carrigan: So Ami writes. "Hi, guys. I'm writing to share a victory. I've listened to your podcast for a while now and I appreciate the skepticism I've gained while on the lookout for social engineering. I've attached a voicemail that seems relatively benign on first listen, but it just didn't sit right with me. Please listen and then I will walk you through the warning signs." So, Dave, go ahead and play this- the file.

Dave Bittner: All right.

Unidentified Person: Yeah, so this is Sergeant Mark Gagnon with the Falls Church Police Department. This is regarding to an ongoing legal matter. You can reach me directly at (703) 239-4840. Again, my number's gonna be (703) 239-4840. This is Sergeant Mark Gagnon.

Joe Carrigan: Do that is an interesting voicemail that Ami received. Sounds real official. I mean, it- I think it might be AI-generated.

Dave Bittner: Hm.

Joe Carrigan: But if I were to pick what a police officer calling my phone would sound like, this is exactly what he would sound like.

Dave Bittner: Right.

Joe Carrigan: So it's a pretty good- I don't know if it's fake or whatever, but it's pretty good- it's a pretty good voicemail. So Ami goes on to say, "First, hearing a named police officer saying he's from a town near me is really concerning, so I was nervous. He also ends up saying that he'll speak to me soon, which I thought was also kind of intimidating and I think that whoever developed this piece of audio did that on purpose."

Dave Bittner: Yeah, it's kind of a call to action.

Joe Carrigan: Right. "As I paused between reacting and responding, I thought, wait. I'm not- I'm supposed to be panicked that a police officer is calling me and the officer saying he'll talk to me soon implies urgency. So that's also supposed to stop me from thinking."

Dave Bittner: Hm.

Joe Carrigan: "So I took a deep breath and kept thinking," which is excellent. Good work, Ami. There's a part where it sounds like he may be saying something that sounds like my name but that's kind of garbled." And I know exactly where she's talking about if you go back and listen to it. It- there is like this garbled portion of it. You can't really understand what's being said there and I think that's also by design. "The word that he used that really got me curious was legal, since police don't deal with legal issues. They generally deal with criminal issues."

Dave Bittner: Hm. Mm-hmm.

Joe Carrigan: "I did reverse lookup on the phone number and that was provided in the voicemail and it's not the phone number of a police department. Okay, so maybe it's his cell number, but the reverse search shows it's voice over IP number and it's associated with the name Norma P. [assumed spelling]. The caller says he's Sergeant Mark Gagnon. I Googled Sergeant Mark Gagnon and strangely, the first hit is Sargent Clark Gagnon from the Falls Church Police Department." So it's kind of like lining up a little bit but not all the way.

Dave Bittner: Right.

Joe Carrigan: Which is interesting. So Ami says she still felt nervous about the possibility of it being real so she had a former police officer friend of hers listen to the message and then he called the number and it sent him to voicemail. It was a woman's voice and he hung up. Then he called the Falls Church Police Department. They confirmed that there's no one by the name there. And then the scammer calls back to Ami's friend's phone and identifies himself as Sergeant Mark Gagnon with the Falls Church Police Department. And the person says, "Well, that's funny, 'cause I just talked to the Falls Church Police Department and they've never heard of you." And the scammer just hung up.

Dave Bittner: Yeah, right.

Joe Carrigan: Which is really good. "So my friend told me this and I felt validated, and elated, and I was happy that my gut was right. Thank you for all the valuable lessons over all these years and warning all the folks out there getting similar calls."

Dave Bittner: Hm.

Joe Carrigan: So, yes, Ami. I am very happy to hear that this worked out for you and that we have provided you the level of skepticism necessary to not be scammed by this. This is --

Dave Bittner: Yeah.

Joe Carrigan: Receiving that phone call not knowing what it is or what it could be can absolutely just shut you down. You'd be like, "I better call this police officer right now." Also, by the way, if you actually do get a call from a police officer talking about something, your first call probably shouldn't be to a police officer. It probably should be to an attorney.

Dave Bittner: Right, right. Right. Yeah, first, well, I'm- Ami did everything right here.

Joe Carrigan: Yes, she did.

Dave Bittner: You know, she just from beginning to end, so tip of the hat to Ami for that. This scam reminds me of one of my ongoing pet peeves which is a related scammee kind of thing where someone calls and they say. "This is Officer So-and-So from the Such-and-Such Police Department. Please give me a call back." And you call them back and they're just out soliciting money for donations.

Joe Carrigan: Yeah, for the FOP or something?

Dave Bittner: Yeah.

Joe Carrigan: Yeah.

Dave Bittner: Yeah, and they're not- I mean, it's, you know, I don't know what percentage of the money goes to the police or whatever. It might just be completely a scam. But similar to this, they're just using your reaction, your emotional reaction to be called by the police. They're taking advantage of that.

Joe Carrigan: Right.

Dave Bittner: And you just need to be mindful of it.

Joe Carrigan: Absolutely.

Dave Bittner: Yeah. If the police really want you, they will show up at your door.

Joe Carrigan: That's right. That's one of the things I forgot to mention. If the police have a warrant for your arrest, they will not call you in advance.

Dave Bittner: That's right. That's right.

Joe Carrigan: They will come and get you.

Dave Bittner: Yes, that is true. All right, well, our thanks to Ami for writing in. We do appreciate her taking the time. We would love to hear from you and you can e-mail us. It's hackinghumans@n2k.com.

Joe, it's always great when Carole Theriault joins us. And this week, she has a conversation with Thom Langford, who's the CISO at the London Insurance Markets. And they're talking about insider threats. Here's Carole Theriault and Thom Langford.

Carole Theriault: Well, listeners, today, we are talking with Thom Langford. He is a CISO in the London Insurance Markets and a trusted friend of mine. Hello, Thom.

Thom Langford: Hello, Carole.

Carole Theriault: Today, we're going to talk insider threats. So as a quick overview, insider threat is kind of defined as a cybersecurity risk that starts within the organization. So it typically occurs when a former employee, or maybe a contractor, or a vendor, or even a partner, with a legitimate user credential. And they misuse that to access data to the detriment of the organization's network system. Is that a fair definition, Thom?

Thom Langford: Yes, it is, but it's also, you know, the insider threat is not something that's new or has just come about as, you know, through cybersecurity. We've- there's been insider threats, everything from, you know, espionage, for instance, intellectual theft, you know, let's see, your workplace violence, for instance, or even just theft. Your financial theft, for instance. So, you know, financial control of who's channeling money out. That's still considered an insider threat. So it's part of a sort of broader category. But the prevalence of cyber and the fact that people have access to so much more data now. Means that insider threat is more often than not related to, you know, the what people have access to in their day-to-day jobs.

Carole Theriault: Yeah, so, I mean, it is a big kind of area. Do- is there any categorization inside that? Like is there a way of like measuring it or dividing it up so that we can kind of better understand the profiles of different people?

Thom Langford: Yeah, I mean very simply put, you've got effectively malicious and non-malicious threats. And they're exactly what they say on the tin. So, you know, malicious means that your insider is deliberately leaking information or is deliberately stopping your network from working or switching off computers. And that's normally the case with disgruntled IT- ex-IT employees who still have access to systems that they shouldn't have and things like that. And the other one is unintentional or, you know, non-malicious negligence. So people who are just trying to get their job done and might copy data onto a USB key, or accidentally send it to their spouse instead of to a client, or something like that. And I think it's worth saying that the unintentional, the non-malicious, is by a significant amount a far greater than malicious. People are just trying to do their jobs as best they can.

Carole Theriault: Right, so when we talk about insider threats, we are excluding third-party ne'er-do-wells or malicious actors from the cycle, from the supply chain. I don't know if you can call it that, but you know what I mean.

Thom Langford: Yeah, that's right.

Carole Theriault: Right.

Thom Langford: It's quite literally insider, so it's, you know, if there's a third party involved and they are asking you to divulge secrets or they're tricking you, than that sort of falls into a different category. They're social engineering you. You know, that's phishing, spear phishing, all those other sort of various names that we security professionals like to give it. Whereas the insider threat, like I said, the vast majority is wholly unintentional and it's purely because of ignorance, fear. You know, they're fearful for their jobs if they don't do something right. Or quite literally they are just trying to get their job done and they don't realize that copying data onto an unencrypted USB stick or something like that is actually not allowed and is letting data out. And then, of course, you've got the good, old-fashioned, mark one human mistake, which we all do. And, you know, we accidentally e-mail data to the wrong party, or ducking lawyer circles or legal circles, you e-mail it to the opposing counsel rather than to your colleague, for instance. And so --

Carole Theriault: Yeah, or you reply all. I've done that one.

Thom Langford: Yeah, reply all. That's a brilliant example. A reply all is such a good one because before you know it, everybody's got your innermost thoughts about everyone else who you didn't really mean to include.

Carole Theriault: Yep. It happens to a lot of people, the reply all problem, I'm sure. I don't know if there's fail safes today in big organizations, but God, I think it would happen- I worked in a big organization. It happened weekly.

Thom Langford: Yeah, absolutely, and then, of course, you get- and this is, you know, almost the lighter side of it. You then get the chains of, "Stop replying all. Stop saying reply all to reply all." You know, all that sort of thing.

Carole Theriault: Exactly.

Thom Langford: But really, there are- in some mail systems now, there are sort of capabilities that will say, "Are you sure you want to do that? It looks like you've got a document attached that people shouldn't have access to, etc." You know, and so all of there's lots of different things that can be done to minimize this. But really, you know, and some of it is technical, but really what it comes down to is behavioral change, you know, and education, and awareness.

Carole Theriault: Yeah, 'cause I was gonna ask you before we wrap up, what can a typical employee, right, so someone who's in the office or someone who's working from home. What kind of things would you look out for and what would you do with that information?

Thom Langford: Yeah, so it's anything- well, actually, I'll go back. The problem with a lot of this is that the, you know, our security departments, they're often underfunded. They don't have enough people. Security training and education, etc., is often seen as an afterthought. Or, you know, you get put in a room once a year for an hour, and have a PowerPoint shouted at you on what not to do, and all that sort of thing. And so to a certain extent, you know, organizations have themselves to blame for this because they're not giving people the tools that they need to address this. So one thing that people can do is actually start asking the questions. "Do we have training? Is there educational material out there that we can access, that allows me to make better decisions?" That's one side. The other side, of course, is there's very often in companies you get these cultures of blame. Where if somebody says, "Uh-oh, I accidentally e-mailed this to the wrong people," then they're immediately put on, you know, disciplinary or they get a warning, whatever.

Carole Theriault: Yeah, yeah.

Thom Langford: Whereas, actually, what we should be doing is embracing that because we want people to tell us about mistakes. We want people to tell us that there's something that may well happen because of an action that they accidentally took on the horizon. Rather than when that problem is jumping up and down on our feet right in front of us. And, of course, if you do discipline people for admitting their mistakes, people won't admit their mistakes. And then those problems are just gonna get bigger and bigger until they're massive and jumping up and down on your feet.

Carole Theriault: Couldn't say it better myself. Thom Langford, London Insurance Markets. Thanks so much.

Thom Langford: Thank you.

Carole Theriault: Mm-hmm. This was Carole Theriault for "Hacking Humans."

Dave Bittner: Joe, what do you think?

Joe Carrigan: You know, I really like the definition that Thom provides here, that an insider threat is when someone misuses access to gain information or to gain something. The only differentiating factor is that this person is not an external actor. They're an internal person and they're solely working on their own without the control of an external actor. So he's differentiating between a social engineering attack where someone's being manipulated and an insider threat where somebody is doing something that may or may not be malicious. Which is another important distinction. I like that Thom makes the distinction between malicious and non-malicious. Some of these non-malicious examples are just unintentional actions or just getting around the controls that are in place to help you do your job more quickly.

Dave Bittner: Right, right.

Joe Carrigan: I would say that if you have people trying to get around your security controls to do their job, you need to reevaluate your security controls.

Dave Bittner: Yes.

Joe Carrigan: But, you know, it's unique for each individual organization.

Dave Bittner: Yeah.

Joe Carrigan: Another distinction that Thom makes here is this is not new. None of this is new. It's just happening in new ways. And this is a point that Tim Leschke makes when he's talking about- he's our forensics instructor. One of the things he says is that we're not talking about new crimes. We're just talking about new ways to commit old crimes and new ways that evidence is gathered and processed. Aside from that, it's the same old crimes and the same old behaviors that people are doing and that's the same with insider threat. But since we've been moving towards this technology and having all these technological pieces out there, servers, and networks, and all this stuff. One of the big issues is that people have access to so much. I mean, I remember when I was first working in a corporate environment, a friend of mine said, "Hey, look at all this stuff that's just sitting out there on the network." And you could browse people's what they thought were private folders on the network. They were network folders. I could see everything that was on the network and that was just the way it was set up.

Dave Bittner: Yeah.

Joe Carrigan: It's very important to use the principle of least privilege as a concept and then to implement it and that's really the more important part is implementing it, right?

Dave Bittner: Yeah.

Joe Carrigan: And making sure that those controls are in place so that not just anybody can walk in to a document repository and look at all the documents. You know, if you have a contracts department that's working on bidding a new contract or something. There's absolutely no reason why somebody in maintenance who is- who works on existing contracts needs to know anything about it, right?

Dave Bittner: Right.

Joe Carrigan: Make sure that people- only the people that need to have access to the documents have access to it. I also like that Thom talks about how some of these non-malicious activities can be due to ignorance or fear. And then, of course, there is the what like he calls the very basic unintentional mistake, you know, the human error. And our favorite example of this is the reply all. Oh, how I hate the reply all.

Dave Bittner: Yeah.

Joe Carrigan: So there's an excellent control against this and that is whenever you send a message to a large group of people as a business communications person, copy everybody blind. Blind carbon copy everybody. And then put yourself in the to address if you're going to do that.

Dave Bittner: Yeah.

Joe Carrigan: Because that way when they click reply all, the only person that gets the reply is you, or don't put anybody in the to address and that way when they click reply all, they don't get anybody. There are simple controls you can put in place to prevent these kind of attack- or these kind of leaks. And there's also simple controls you can put in place to stop a lot of the other unintentional or even malicious action. And, of course, like I said before, principle of least privilege is king among those. Also, you're trying to change behavior with training and awareness, security training, and security awareness, and security awareness training. And one of the big things that Thom talks about here, when somebody makes a mistake, people are going to make mistakes. When they make those mistakes, penalizing reporting the mistake is itself a huge mistake because you're going to disincentivize the reporting of mistakes. Which means that you're not going to be able to get out in front of a mistake in the future. You're not going to be able to take control of the situation until it's too late. So when somebody comes to you and says, "I just screwed up. Here's what I did." You go- the first words out of your mouth should be, "Thank you. Thank you for telling me that you screwed up. I really appreciate the honesty. Let's work to get this cleaned up." At some point in time, you should say, "People make mistakes because people are prone to do so. You know, it's just human nature. We're going to make mistakes." Now I say this like a blanket statement sitting here in my ivory tower of academia. But I- so I understand that there are other places out there where that may not be an option. And you have to do your own risk assessment and evaluate the risks for your environment to make sure that that's something you can do. And I've had people write us and say, "You know, I can't do that in this environment." And I understand the reason, and the use case, and you're right. Sometimes people are expected, their job conduct, part of their job description, rather, is maintaining the security of information. And if you're just e-mailing that out willy-nilly, yeah, that's a problem.

Dave Bittner: Yeah, yeah. For sure. All right, well, again, our thanks to Carole Theriault for bringing us that conversation with Thom Langford. Good stuff and we appreciate both of them taking the time for us.

That is our show. We want to thank all of you for listening. Our thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. We'd love to know what you think of this podcast. You can e-mail us at hackinghumans@n2k.com. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our senior producer is Jennifer Eiben. The show is edited by Elliott Peltzman. Our executive editor is Peter Kilpe. I'm Dave Bittner.

Joe Carrigan: And I'm Joe Carrigan.

Dave Bittner: Thanks for listening.