Managing access and insider threats.
Peter Draper: [00:00:00] Fifty-three percent of organizations believe detecting insider threats has become significantly harder since migrating to the cloud.
Dave Bittner: [00:00:08] Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe.
Joe Carrigan: [00:00:26] Hi, Dave.
Dave Bittner: [00:00:26] Got some good stories to share this week. And later in the show, Carole Theriault returns. She's speaking with Peter Draper from Gurucul about their "2020 Insider Threat Report."
Dave Bittner: [00:00:36] But first, a word from our sponsors, KnowBe4. So what's a con game? It's fraud that works by getting the victim to misplace their confidence in the con artist. In the world of security, we call confidence tricks social engineering. And as our sponsors at KnowBe4 can tell you, hacking the human is how organizations get compromised. What are some of the ways organizations are victimized by social engineering? We'll find out later in the show.
Dave Bittner: [00:01:09] And we are back. Joe, why don't you start things off for us this week?
Joe Carrigan: [00:01:12] Dave, my story is coming from my personal life.
Dave Bittner: [00:01:14] OK.
Joe Carrigan: [00:01:16] (Laughter) This is the season of giving, right?
Dave Bittner: [00:01:18] Yes.
Joe Carrigan: [00:01:18] And my wife is purchasing various gifts and things from places she doesn't normally purchase things from.
Dave Bittner: [00:01:24] Right.
Joe Carrigan: [00:01:25] And she has gotten two of these emails...
Dave Bittner: [00:01:27] All right.
Joe Carrigan: [00:01:27] ...That have come into her inbox, and she sent me both of them. And the email looks to be coming from the United States Postal Service. The email reads, greetings. Partial delivery attempt fail notice on - and then it has a date and a time. And it says the delivery attempt was unsuccessful because no one was present at the delivery address. So this notice has been automatically sent. You can arrange redelivery by contacting us with your postage reference number in the e-voucher here. And then here is a link, right? We'll get back to that in a minute. Here's the fear part. In the case the parcel is not scheduled for redelivery in 14 days, it's going to be returned to the sender, right?
Dave Bittner: [00:02:09] Right. Thereby ruining Christmas for everyone (laughter).
Joe Carrigan: [00:02:11] Exactly. Now, my wife had something that she was expecting.
Dave Bittner: [00:02:14] OK.
Joe Carrigan: [00:02:14] Right?
Dave Bittner: [00:02:15] Yeah.
Joe Carrigan: [00:02:15] This is how this works.
Dave Bittner: [00:02:16] Yeah.
Joe Carrigan: [00:02:16] She is expecting something. She fears immediately that what she has ordered is going to be sent back, and she's not going to be able to get it, and it's going to hang in limbo. And this - yes.
Dave Bittner: [00:02:26] Yes.
Joe Carrigan: [00:02:26] Exactly. Ruining Christmas for everybody.
Dave Bittner: [00:02:28] Right (laughter). OK.
Joe Carrigan: [00:02:29] So she sends this email to me and goes, is this real? And I said, probably not. But the first thing I do is I take the URL - I right-click on where it says here, and I say, copy URL. And I go to a website called virustotal.com.
Dave Bittner: [00:02:44] Ah, yes. Yep.
Joe Carrigan: [00:02:45] Right? And in there, you can paste a URL if you click on the URL tab, and it comes up as malicious, right? I tell her the URL is malicious. Two sites identify it as malicious. So this is probably fake.
Dave Bittner: [00:02:56] Yeah.
Joe Carrigan: [00:02:56] So the next thing I do is I fire up my Kali Linux VM. And I don't advise other listeners do this.
Dave Bittner: [00:03:02] (Laughter) As you do.
Joe Carrigan: [00:03:03] (Laughter) Right.
Dave Bittner: [00:03:03] Yeah. OK.
Joe Carrigan: [00:03:04] As I do, right?
Dave Bittner: [00:03:05] Yeah.
Joe Carrigan: [00:03:06] And 90% of the people out there - 99% of the people out there are not going to do this. But I do this.
Dave Bittner: [00:03:10] Right. OK.
Joe Carrigan: [00:03:10] I fire up my Kali Linux VM, and I open a web browser, and I enter the URL in the web browser, and it downloads a file.
Dave Bittner: [00:03:18] All right.
Joe Carrigan: [00:03:18] And it is a file that ends in dot-IMG.
Dave Bittner: [00:03:22] OK.
Joe Carrigan: [00:03:22] OK?
Dave Bittner: [00:03:23] An image file.
Joe Carrigan: [00:03:23] An image file. But that is a disc image. And when it shows up on my Kali machine, it looks like a little CD, which means it's mountable drive. It's essentially a virtual hard drive or virtual CD.
Dave Bittner: [00:03:36] Right.
Joe Carrigan: [00:03:36] So I go ahead and I mount it.
Dave Bittner: [00:03:38] OK.
Joe Carrigan: [00:03:38] Now, I don't know what happens in Windows because I didn't do this in Windows, right?
Dave Bittner: [00:03:42] Yeah.
Joe Carrigan: [00:03:42] But I think if you double-click on it, then Windows will automatically mount it as a drive. And then inside of that drive there is a file called voucher underscore PDF dot-EXE, right?
Dave Bittner: [00:03:54] All right.
Joe Carrigan: [00:03:55] And that is the malware, right? What I do is I take that and I copy that up to Virus Total as well, and lo and behold, of course, that file is malicious, very malicious. Many of the sites find it - and what it is, it's a malware dropper.
Dave Bittner: [00:04:08] OK.
Joe Carrigan: [00:04:08] It goes out and installs some malware. So you don't even know what kind of malware it's going to get unless you decompile it and look at it, which I didn't go through because I didn't have that kind of time.
Dave Bittner: [00:04:16] Yeah.
Joe Carrigan: [00:04:17] But I have saved it for a couple of our Ph.D.s who teach classes on this kind of stuff, and they will do that.
Dave Bittner: [00:04:22] Right.
Joe Carrigan: [00:04:23] They will take it apart and see where it's going or have their students do it as a research project. But this is exactly how this kind of scam works, how this kind of - installing some kind of malicious software on your machine. It could have been ransomware. It could have been just a keylogger or some kind of banking Trojan. It could have been anything. But this is how it works. They send out these emails to hundreds of people, thousands of people. It's cheap for them to do that. They give you a fright in the event you have ordered something because you think about - this time of year, there's a high percentage of people who probably have something arriving in the mail right now...
Dave Bittner: [00:04:50] Yeah.
Joe Carrigan: [00:04:50] That they're expecting. So they're capitalizing on that. Then to click on the images looking for this number so that they can respond to it, and once they click on that executable, the game's over.
Dave Bittner: [00:05:01] Now, there's something else about this file name as well, right? The way that it appears in Windows, there's something tricky about that?
Joe Carrigan: [00:05:09] That's right, Dave. There is a default setting in Windows, which I always change whenever I install Windows, and it's hide file extensions for known file types, right? And you can google how to unhide that, and you'll find a very simple way to do it. It involves going into the file explorer, clicking on the view menu and going into the options and finding some settings. But if you don't have that set, because executable, EXE, is a known extension, Windows won't show it to you. So it will look like it just says voucher underscore-PDF.
Dave Bittner: [00:05:42] So they're trying to trick you into thinking this is just a PDF file.
Joe Carrigan: [00:05:45] Yeah.
Dave Bittner: [00:05:45] The good, old, safe, harmless PDF file.
Joe Carrigan: [00:05:48] Right.
Dave Bittner: [00:05:50] Good, old, friendly, fuzzy, furry PDF file. Yeah.
Joe Carrigan: [00:05:54] And nobody ever does anything malicious with a PDF file, right, Dave? (Laughter).
Dave Bittner: [00:05:57] Well, yeah. Well, yeah, that's a good point, too.
Joe Carrigan: [00:05:59] You know, it's funny, but you can put an extra dot in here. I don't know why these guys didn't call it e-voucher dot-PDF dot-EXE because that would have been more effective. But they did call it e-voucher underscore-PDF. And if you're not technically savvy that might not set off a red flag to you.
Dave Bittner: [00:06:15] Sure. And think about how many folks are just like your wife who - but might not have someone like you that they can send it to.
Joe Carrigan: [00:06:21] Right.
Dave Bittner: [00:06:22] And they're curious, or they're scared that they're not going to get the stuff that they've ordered in time for Christmas...
Joe Carrigan: [00:06:27] Yep.
Dave Bittner: [00:06:27] ...Or whatever, and they get them.
Joe Carrigan: [00:06:29] They get them.
Dave Bittner: [00:06:30] Yeah. How do we protect against this?
Joe Carrigan: [00:06:32] Well, never click the link (laughter).
Dave Bittner: [00:06:33] Yeah.
Joe Carrigan: [00:06:34] That's the first thing. Be vigilant. Generally, the U.S. Postal Service will not send you an email. If you think about how this happened - right? - it's plausible. Chances are my wife gave the merchant that she bought these things from an email address. And then maybe that merchant told the USPS what the email address was, and maybe the USPS sent the alert. Not what happened, but it's plausible. It's a plausible explanation for how you got it. But, you know, vigilance is really the key. Having an up to date antivirus that watches out for malicious websites as well would protect you here. But, you know, just not clicking the link is the best option here.
Dave Bittner: [00:07:08] It's worth noting that the address that this came from - the email - was uspsstore.com...
Joe Carrigan: [00:07:14] Right.
Dave Bittner: [00:07:14] ...Which is plausible. There's nothing unusual about that.
Joe Carrigan: [00:07:17] That's a good point, Dave, because the United States Postal Service website is usps.com. And if you type in usps.gov, it redirects you to usps.com. So uspsstore.com is a good malicious link in terms of well-crafted, I mean...
Dave Bittner: [00:07:33] Right.
Joe Carrigan: [00:07:33] ...Not good. It's a bad link. Don't go there.
Dave Bittner: [00:07:35] Yeah, it doesn't call undue attention itself.
Joe Carrigan: [00:07:36] Right. It doesn't call undue attention to itself.
Dave Bittner: [00:07:39] All right. Well, keep an eye out. 'Tis the season, right?
Joe Carrigan: [00:07:42] It is.
Dave Bittner: [00:07:42] Yeah. All right, well, my story this week is from CTV News. This is out of Canada. It's written - a story by Nicole Bogart. And this is titled Police warn of new phone scam where criminals intercept your calls. This was out of Toronto. Now the root of the scam is something that is familiar to us. This is a thing where the bad guys call you, and they say that someone's trying to steal your identity, and you need to connect with the police to make this right. And...
Joe Carrigan: [00:08:11] Right.
Dave Bittner: [00:08:11] ...You need to give the police information, or the police are going to walk you through transferring your funds to protect your funds from these bad guys. So at the root of it, it's one of those things. But there's an interesting twist here that I think is worth sharing, and that is in the technical execution of the scam itself. So you get a call, and these people say there's a problem - we've detected a problem on your mobile device or your computer. And you need to call the police right away. Here's the number. You go to call the police, and the folks you're calling are not the police.
Joe Carrigan: [00:08:44] Right.
Dave Bittner: [00:08:45] It is the bad guys.
Joe Carrigan: [00:08:46] Yes.
Dave Bittner: [00:08:47] And they're using a technique called line-trapping, which I was unfamiliar with. And basically what they're doing is they're tricking you into thinking that the initial call was terminated, was ended, when, in fact, it wasn't. So what they do is they say, you need to call the police right now. Here's the number. And then one of the ways they do it is they play a dial tone sound so you think you've got a new line.
Joe Carrigan: [00:09:12] Right. Is this on a landline?
Dave Bittner: [00:09:13] Could be on a landline. Could be on a mobile phone. Now, remember who we're probably targeting here.
Joe Carrigan: [00:09:18] Yeah.
Dave Bittner: [00:09:18] We're probably targeting folks who don't even think about hearing the sound of a dial tone...
Joe Carrigan: [00:09:21] Right.
Dave Bittner: [00:09:22] ...Right? So you hear the sound of a dial tone. You dial in the number. Of course, it's not actually going anywhere because the original bad guys never hung up the phone.
Joe Carrigan: [00:09:30] Right.
Dave Bittner: [00:09:31] Then they play a ringing sound. Someone answers and says, you've reached the police. And off they go.
Joe Carrigan: [00:09:37] Right.
Dave Bittner: [00:09:37] So you think because you've made this phone call, that's instilling in you a sense of security that this is an independent call. You made this phone call. The police answered. And this must be real.
Joe Carrigan: [00:09:50] Right.
Dave Bittner: [00:09:50] I was not familiar with this line-trapping thing, so I actually reached out to a friend of the show, Ray Redacted.
Joe Carrigan: [00:09:57] OK.
Dave Bittner: [00:09:57] We've had him on before. Reached out to him and said, I've never heard of this line-trapping thing. What could it be? And he said, what they do is - he responded. He said, they spoof a dial tone to make the victim think they have a new call. The victim dials the police number, and the scammer plays a recording of ring noises. In reality, the first call was never disconnected. He said you can prevent this by calling yourself, by making sure that you've hung up and making the call. He also interestingly said that they - often, they'll use a Raspberry Pi and a Linux PBX package to make the whole thing more believable...
Joe Carrigan: [00:10:27] Yeah.
Dave Bittner: [00:10:27] ...Rather than using, you know, recordings and so on.
Joe Carrigan: [00:10:30] Right. There are open source PBX packages that run on Raspberry Pi that will let this happen remarkably easily.
Dave Bittner: [00:10:36] Yeah. So it's an interesting wrinkle on this scam we've talked about before. I suppose the way to protect yourself is to make sure that the phone call is actually terminated.
Joe Carrigan: [00:10:49] Right. When somebody calls you and says you need to call the police, look up that number. Don't call the number they give you. Never call the number somebody gives you, and never give information on inbound calls.
Dave Bittner: [00:11:00] Right.
Joe Carrigan: [00:11:00] Always say, I'm going to call you back, and then go look up the number for the person who has allegedly called you, and call that number.
Dave Bittner: [00:11:07] Right. Because they can just as easily give you a fake phone number...
Joe Carrigan: [00:11:10] Yeah.
Dave Bittner: [00:11:10] ...That when you call, they answer...
Joe Carrigan: [00:11:12] Right.
Dave Bittner: [00:11:12] ...Pretending to be who they want you to call.
Joe Carrigan: [00:11:14] Absolutely.
Dave Bittner: [00:11:14] And that's exactly what - that's sort of what's going on here.
Joe Carrigan: [00:11:17] Yes.
Dave Bittner: [00:11:17] All right. Well, it's an interesting one. One to watch out for.
Joe Carrigan: [00:11:20] I don't know. My advice when someone calls and says, you know, there's something going on, and you need to respond to this right away. Just hang up. It's like a fake virus scam. You know, you've got a virus on your computer. No, I don't. Goodbye.
Dave Bittner: [00:11:31] Yeah. All right, well, that is my story. It is time to move on to our Catch of the Day.
0:11:35:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:38] Our Catch of the Day comes from a listener via Facebook. This is someone who received a friend request on Facebook, accepted the friend request even though he really wasn't sure who the person was. And immediately, this person, who was claiming to be someone named Delores Lola O'Choa (ph) started right in with a scam. Joe, I've laid out the exchange here.
Joe Carrigan: [00:12:02] Yes.
Dave Bittner: [00:12:03] And I will play the part of Delores. And you can play the part of our friend, who is sort of stringing Dolores along.
Joe Carrigan: [00:12:10] Oh, very good.
Dave Bittner: [00:12:10] All right. Here we go. Hello. How are you doing?
Joe Carrigan: [00:12:13] Good.
Dave Bittner: [00:12:13] I'm happy to tell you about the international monetary funding company because they has changed my life to good. I got a cash of $150,000 from them after I get in touch with the claiming agent in charge. Have you heard about them?
Joe Carrigan: [00:12:27] I has no heard of them before. Is moneys good? How much moneys can they haves?
Dave Bittner: [00:12:33] They deliver a cash of $150,000 to me at my doorstep after I get in touch with their claiming agent who's in charge. This is legitimate and real. Even one of my friend just got the money yesterday. You can contact them right now to get this $150,000. Can I send you the claiming agent info now so that you will get in touch and claim this money, too?
Joe Carrigan: [00:12:52] I love that Dolores has included a picture of a huge stack of cash.
Dave Bittner: [00:12:57] Yes. Yes.
Joe Carrigan: [00:12:57] Awesome. Thanks you. Send the moneys to my house now.
Dave Bittner: [00:13:01] It will cost you $1,500 before you can get this $150,000 delivered to you.
Joe Carrigan: [00:13:07] OK. Send me the $150,000, and I'll send back $1,500.
Dave Bittner: [00:13:11] And then so the person who's leading this scammer along sends a payment request to the scammer for $1,500.
Joe Carrigan: [00:13:18] Right.
Dave Bittner: [00:13:18] Can't you read? You need to contact the company agent and make your $1,500 payment before they can bring the $150,000 to you.
Joe Carrigan: [00:13:26] Sure, go ahead and send over the $150,000, and I'll send back $1,500.
Dave Bittner: [00:13:31] Payment before delivy (ph).
Joe Carrigan: [00:13:32] What means delivy?
Dave Bittner: [00:13:34] The flight fees and charges. You will pay $1,500 first, and then they will bring you a cash of $150,000.
Joe Carrigan: [00:13:41] I no have it. Send the cash of $150,000 first, and I'll get you $1,500. Promise. So send it now.
Dave Bittner: [00:13:49] No, that's not possible.
Joe Carrigan: [00:13:51] And then he sends another request for Delores to send him $1,500 (laughter).
Dave Bittner: [00:13:54] Stop requesting money. How much do you have?
Joe Carrigan: [00:13:58] OK. Then just send me $1,500, and I'll send it back.
Dave Bittner: [00:14:01] No.
Joe Carrigan: [00:14:02] And he requests $1,500 again.
Dave Bittner: [00:14:04] Stop requesting money.
Joe Carrigan: [00:14:06] You were requesting money for me. You remember?
Dave Bittner: [00:14:08] I told you what you need to do.
Joe Carrigan: [00:14:09] But I hasn't gotten $1,500. Will you let me borrow it?
Dave Bittner: [00:14:14] How much do you have?
Joe Carrigan: [00:14:15] Nine dollars and 31 cents.
Dave Bittner: [00:14:18] I can only borrow you $1,000. If you have $500, you can let me know.
Joe Carrigan: [00:14:23] I'm trying to sell things to make more moneys.
Dave Bittner: [00:14:25] Go and sell them.
Joe Carrigan: [00:14:26] Then he requests $1,000 from Delores. Would you like to buy something?
Dave Bittner: [00:14:30] What?
Joe Carrigan: [00:14:30] (Laughter) And then he sends Delores a picture of a lava lamp. $25.
Dave Bittner: [00:14:34] Not interested.
Joe Carrigan: [00:14:35] Twenty-three dollars.
Dave Bittner: [00:14:36] Would you really want to get this $150,000?
Joe Carrigan: [00:14:38] Twenty-one dollars.
Dave Bittner: [00:14:40] Ugh.
Joe Carrigan: [00:14:40] Twenty dollars - that's as low as I can go for the lamp.
Dave Bittner: [00:14:42] I said no.
Joe Carrigan: [00:14:43] OK, OK - $19, my final offer. And then he sends a $19 send money request to Delores.
Dave Bittner: [00:14:50] GTFO. Are you dumb?
Joe Carrigan: [00:14:53] This is awesome (laughter).
Dave Bittner: [00:14:54] And it ends there, yeah. (Laughter).
Joe Carrigan: [00:14:57] This is one of the best ones we've ever seen. This is fantastic.
Dave Bittner: [00:15:01] Yeah. I think the lava lamp really...
Joe Carrigan: [00:15:05] (Laughter) The lava lamp is great.
Dave Bittner: [00:15:05] The picture - trying to sell the lava lamp to the scammer, really - it's a nice touch (laughter). All right. That is our Catch of the Day. Coming up next, Carole Theriault speaks with Peter Draper from Gurucul on their "2020 Insider Threat Report." But first, a word from our sponsors at KnowBe4. And now we return to our sponsor's question about forms of social engineering. KnowBe4 will tell you that where there's human contact, there can be con games. It's important to build the kind of security culture in which your employees are enabled to make smart security decisions. To do that they need to recognize phishing emails, of course, but they also need to understand that they can be hooked by voice calls - this is known as vishing - or by SMS texts, which people call SMiShing. See how your security culture stacks up against KnowBe4's free test. Get it at knowbe4.com/phishtest. That's knowbe4.com/phishtest. And we're back. Joe, it's always great to have Carole Theriault back on the show. This week, she speaks with Peter Draper. He's from a company called Gurucul. And they recently published an insider threat report. Here's Carole Theriault.
Carole Theriault: [00:16:27] Look, guys - I want you to meet Peter Draper, not the fictional character from "Mad Men" but a security expert at Gurucul. Now, Gurucul is a company that is a global cybersecurity company that's trying to change the way organizations protect their assets and data information from both insider threats and external threats. Let's see what we can learn from Peter Draper, the technical director for EMEA - Europe, Middle East and Africa. I can see why you need an EMEA acronym there.
Peter Draper: [00:17:00] Yes, definitely.
Carole Theriault: [00:17:03] Now, you guys have done this threat report. And I wanted to first start off with, what are the main findings for you? What were the things that struck you as really interesting in this report?
Peter Draper: [00:17:14] OK. So there's a number of key findings that came out of this. The ones that most people would be interested in are things like 68% of organizations feel vulnerable to insider attacks. That's a pretty big number from my perspective. If we look at some of the other key ones - let's just pull some of these, and then I'll talk about the ones that I'm interested in. So 53% of organizations believe detecting insider threats has become significantly harder since migrating to the cloud. Now, we all know cloud is a huge wave that's going to continue for quite some time, and the more we get there, the more risky things are and the more difficult it is to get visibility into there. So that's where some of the challenges come in terms of getting that visibility.
Carole Theriault: [00:17:59] Right. Because we hear a lot about cloud databases being hacked or not even having protection in place in the first place.
Peter Draper: [00:18:07] Without a doubt. And that's probably the biggest vulnerability that's out there, is incorrect configuration of cloud services, whether that be databases or even file stores. So S3 buckets in AWS - having them not configured correctly causes some huge problems. And we hear lots and lots of reports about the number of credentials, the amount of PII that's been stolen. Those are coming through daily. It is ridiculous the amount of data that's available out there now from those sorts of attacks.
Carole Theriault: [00:18:38] So actually, maybe let's just back up. So maybe you can just explain, first of all, what an insider threat actually is and how it's different from maybe an external threat.
Peter Draper: [00:18:48] OK. So we classify insider threat as anything with any of the count inside an organization. It doesn't necessarily mean that it's an inside individual that's doing any nefarious behavior. There are malicious insiders that, for some reason, may believe that the information that's available in the systems is theirs to take. They may be leaving the company or considering leaving the company. They may have a beef with somebody.
Carole Theriault: [00:19:14] Yeah. Yeah.
Peter Draper: [00:19:15] So that's sort of the malicious insiders. There's then the unintentional insider threat, and that is accounts that could be compromised by clicking on a bad link, by being attacked with malware - they've downloaded something, they've gone somewhere, they've watched a video - all of the usual attack surfaces that's available that could be compromising their account.
Carole Theriault: [00:19:36] I can understand that you've got this kind of one circle of insiders which are malicious - right? - so these are people that are up to no good or trying to take data as you explained. Then you've got these other insiders who, because of - maybe they're duped by an external attacker into giving their credentials or giving access to some systems internally. So they may be acting out of lack of knowledge or a lack of information or just, you know, they've been duped.
Peter Draper: [00:20:03] Yes.
Carole Theriault: [00:20:04] And they're used by these external parties.
Peter Draper: [00:20:06] Definitely.
Carole Theriault: [00:20:07] Their credentials are used in order to kind of access data. Is that fair?
Peter Draper: [00:20:11] That is definitely fair, yes. Yeah.
Carole Theriault: [00:20:13] Right. OK, so we've got these people that are running - cloud services are great because it allows people to work remotely and have access in real time to data everywhere. It's amazing. But people are not actually protecting it in the way it should be. So it's not so much that these cloud databases have vulnerabilities that third parties are taking advantage of. It's more that people are not configuring it correctly, and that is what's leaving it open to ne'er-do-wells.
Peter Draper: [00:20:39] Yes, definitely. The stats that we have at the moment are that 53% believe that detecting insider threats has become significantly harder with relation to the cloud.
Carole Theriault: [00:20:47] And I guess that's why it's so much more important that we authenticate the right people for the right data because that's basically the description of a hack - isn't it? - is an unauthorized person has access to good, solid data that is valuable.
Peter Draper: [00:21:01] The proliferation of password attacks, stolen credentials, password stuffing where attackers will try and effectively spray the passwords onto any system that they can get access to to see whether or not they can actually gain access because people share accounts, share passwords across multiple systems, it is challenging. Making sure people have the right entitlements and the right identity and access to the right resources is where a big portion of enterprise's time is spent. I mean, if you think - a user comes into an organization, what rights do you give them to your systems when they first start? How do you know? We like to look at peer groups and provide information to the security guys that says OK, in this particular department or in this particular peer group, these are the sorts of access that are required. So that's a starting point.
Carole Theriault: [00:21:48] Right.
Peter Draper: [00:21:49] But what normally happens is users will come into one department. They might move to another department. They might get promoted. They might stand in for somebody out during some vacation or something. And each time that happens, they get given more rights.
Carole Theriault: [00:22:04] Yep.
Peter Draper: [00:22:04] We call those access collectors because they keep gaining access and getting more and more.
Carole Theriault: [00:22:07] You know, that was the secret to my power when I used to work in the corporate world. I - after 15 years, I had the keys to most kingdoms, right?
Peter Draper: [00:22:14] Yeah, you could get anywhere.
Carole Theriault: [00:22:16] I could, yeah (laughter).
Peter Draper: [00:22:16] You could find anything that was happening, definitely.
Carole Theriault: [00:22:18] Exactly. I was a really good source of information (laughter).
Peter Draper: [00:22:21] (Laughter) That's a big issue because organizations, unless they are forced by governance - things like HIPAA and the various regulations that are pushing people to check and to validate and to recertify people's access - organizations just don't do it. And if they do do it, they don't do it regularly enough because it's difficult to get that information.
Carole Theriault: [00:22:43] Right. So that is a really, really good point you're making. On the IT side, you're basically saying make sure that rights are taken away as well as given as appropriate to what they need the rights for.
Peter Draper: [00:22:56] Yeah.
Carole Theriault: [00:22:56] But two, and a user would be really smart to be visiting IT maybe every six or 12 months - tell me what you think of this idea - and saying look; I don't need access anything more to this. Please remove my user access.
Peter Draper: [00:23:09] That would be the nirvana for the security guys, for the users to be coming to say I don't need access anymore.
Carole Theriault: [00:23:15] Yeah.
Peter Draper: [00:23:16] That really worked, yeah.
Carole Theriault: [00:23:17] OK. So this is the Christmas present that all you listeners out there can give to your local IT guy. Tell them all the apps you don't need access to anymore. And make sure they remove your username because then that clears you of any wrongdoing that happens in there as well because bad guys are going to want to try and get access to that. So if you don't have it anymore, no problem.
Peter Draper: [00:23:37] Excellent point, yeah.
Carole Theriault: [00:23:39] Cool. OK, that's good. Now tell me about - so 10 years ago, IT and users was the idea that it was like they were police.
Peter Draper: [00:23:46] Yes.
Carole Theriault: [00:23:46] And I think the industry has worked very hard to try and say look; security awareness is really important. We need to teach best practice, yada, yada, yada. But it's interesting how this might return us to an us versus them mentality.
Peter Draper: [00:23:59] Yeah, definitely. But we like to involve the users. We think it's really, really important to involve the users in this. Whenever you start to talk about insider threat, all the users - and let's be honest, the users are the people that keep your business going and do the things that you need them to do for your business to work. So all of those users are critical to what you're trying to achieve as a business. But they are starting to think it's starting to become a them and us because they're talking about us being a threat. Yeah, why am I a threat?
Carole Theriault: [00:24:25] Yeah.
Peter Draper: [00:24:26] But, I mean, this is - it's about engaging the users to be able to say, actually, look; this is what we're seeing on you. Do you believe this is true? If you don't believe this is true, then let us know because we can then start to look at that and investigate it.
Carole Theriault: [00:24:43] So the two big takeaways I have here - make sure that if you're using a cloud service at home or in the office, that it is properly configured. And that means that only authorized users can access appropriate data at the right time. And number two is to actually remove accounts that we don't need access to anymore. It's a good business practice, but it's also excellent for all you home users out there. Peter Draper, technical director at Gurucul, thank you so much for sharing all this information.
Peter Draper: [00:25:18] No problem. Thank you very much indeed for the time.
Carole Theriault: [00:25:20] This was Carole Theriault for "Hacking Humans."
Dave Bittner: [00:25:25] All right, interesting interview.
Joe Carrigan: [00:25:26] Yeah. Thanks to Peter for coming on the show. Sixty-eight percent of organizations feel vulnerable to insider threats.
Dave Bittner: [00:25:33] I kind of wish we had two different names for the categories of insider threats.
Joe Carrigan: [00:25:37] Right.
Dave Bittner: [00:25:38] Like, insider threats versus insider vulnerabilities.
Joe Carrigan: [00:25:41] Yeah.
Dave Bittner: [00:25:41] Because I think that term, insider threats, makes everybody think that it's people who are intentionally up to no good...
Joe Carrigan: [00:25:49] Right.
Dave Bittner: [00:25:50] ...Inside your organization. And so much of it is not that.
Joe Carrigan: [00:25:52] I agree with that. Insiders that are being attacked by an outside threat are not insider threats, right? They're victims of an attack.
Dave Bittner: [00:25:59] Right.
Joe Carrigan: [00:26:00] I agree. I think it's unfortunate that we call them insider threats. But this is how most of these things work. Ninety-five percent of malicious campaigns, the first kinetic action in those campaigns is an email that somebody clicks on. Now, a person that clicks on it is not acting with any malicious intent.
Dave Bittner: [00:26:15] Right.
Joe Carrigan: [00:26:16] But they're still being classified as an insider threat, and that may not be right. But...
Dave Bittner: [00:26:20] Yeah. Yeah, the vulnerability is inside the castle walls.
Joe Carrigan: [00:26:23] Exactly. One of the major points that Peter made was it's harder now that things go into the cloud - misconfigured S3 buckets - S3 stands for - is actually - I think it should be 3S, right?
Dave Bittner: [00:26:33] (Laughter).
Joe Carrigan: [00:26:34] Simple storage solution. Essentially just an Amazon cloud storage, and cloud just means somebody else's computer. And you're just putting things up on Amazon's drives. And then you can configure how access is granted to that. But essentially, because it's on Amazon's computers, it's accessible to the world, and people need to understand that.
Dave Bittner: [00:26:54] Right. And they must configure them. They forget to change the settings.
Joe Carrigan: [00:26:57] Or they just change the settings deliberately. I don't know how - I don't actually do much cloud work right now.
Dave Bittner: [00:27:02] Yeah.
Joe Carrigan: [00:27:02] I have done Amazon provisioning services for computers, and the way I configured it was, for logging in, we didn't allow user name and password; they had to use certificates.
Dave Bittner: [00:27:11] Yeah.
Joe Carrigan: [00:27:12] Which is a little more complicated but much more secure.
Dave Bittner: [00:27:14] I actually spoke to someone about this recently over on the CyberWire.
Joe Carrigan: [00:27:17] OK.
Dave Bittner: [00:27:17] And what I learned was that a lot of the configuration of these S3 buckets happens in an automated kind of way. So...
Joe Carrigan: [00:27:25] Right. Yeah, it's scripted.
Dave Bittner: [00:27:26] Yeah, it's scripted. And so they get spun up very quickly. Often many of them get spun up at the same time. And the development people are doing this, and the security people aren't always aware...
Joe Carrigan: [00:27:38] Right.
Dave Bittner: [00:27:39] ...That the development people are doing this. And that's part of the disconnect.
Joe Carrigan: [00:27:42] Yeah, that's very - I - you know, now that I work in security and - but I have worked in development. And one of the things that used to frustrate us in development was trying to get firewall rules set up or getting one service to be able to talk to another. And we'd have to go to the IT people - that really wasn't a security organization back at that time - and ask them to open a hole in the firewall for our services to talk to one another.
Dave Bittner: [00:28:03] Right.
Joe Carrigan: [00:28:03] And they'd have a bunch of questions, and we would answer their questions and all that. But it was a frustrating barrier to getting our work accomplished. Another interesting topic - and I've said this, and I picked this up from a previous boss of mine. He said, the higher up in the organization you go, the less privileges you should have because if you think about it, the guy with the most - that needs the most permissions is the individual contributor who has his hands on everything, right? If you're three layers of management up, if you're the CEO of a company, you don't need access to any of the code repositories. You don't need access to any of the S3 buckets you just don't need it, right? Your job is management and leadership; it's not technical anymore.
Dave Bittner: [00:28:39] Now, that's interesting. It makes me think about, you know, in any organization, who's the person who has the big ring full of keys?
Joe Carrigan: [00:28:46] Right.
Dave Bittner: [00:28:46] It's generally not - you don't see the CEO walking around...
Joe Carrigan: [00:28:49] Nope.
Dave Bittner: [00:28:49] ...With a big ring of keys jingling on their hip, right?
Joe Carrigan: [00:28:53] It's the custodian.
Dave Bittner: [00:28:53] It's the custodian. Right.
Joe Carrigan: [00:28:55] Right.
Dave Bittner: [00:28:55] Right. That person needs to have access to - and who do you go to when you need to get into a room?
Joe Carrigan: [00:29:00] Yeah.
Dave Bittner: [00:29:00] Go to the custodian or go to the security folks. Yeah.
Joe Carrigan: [00:29:03] Right. Actually, one of the things I do when I go into a new building is I immediately make friends with the facilities and custodians.
Dave Bittner: [00:29:10] Yes. Yes. That is such a good social engineering, Joe.
Joe Carrigan: [00:29:13] Thank you.
Dave Bittner: [00:29:14] It's so important. I do the same thing. It's so - because they have access to pretty much everything.
Joe Carrigan: [00:29:19] And they know when things are going to happen before other people do, right? And there was a guy I used to work with - his name was Sam - and I'd say, hey, Sam, what's going on? Any new office changes going on? And he'd know.
Dave Bittner: [00:29:33] Right. Right. Right. Right. Right. Yeah, that's funny. There's something else here they were talking about. When it comes to access - and that's how people build up the amount of permissions they have over time.
Joe Carrigan: [00:29:44] Yeah. They were saying it would be nice if people came to the security folks and said, I don't need these permissions anymore. That's never going to happen (laughter).
Dave Bittner: [00:29:50] No. No.
Joe Carrigan: [00:29:50] That is wishful thinking.
Dave Bittner: [00:29:52] Yeah. I think it's human nature to kind of hoard those privileges.
Joe Carrigan: [00:29:58] Right. Yeah. Either they want to hoard the privileges because they like having them or they - it's just not top of mind for them. You know, they leave the organization; they don't think about it. Either way, the organization is going to have to conduct its own security audits. This is called the principle of least privilege. You get the least amount of privilege you need to do your job.
Dave Bittner: [00:30:14] Yeah. A lot of organizations these days who are looking at something called Just-In-Time Privileged Access Management, which is basically - you only have access to the things you need access to right when you need that access, and as soon as you're done needing that access, that access goes away.
Joe Carrigan: [00:30:30] Right.
Dave Bittner: [00:30:30] And there are automated systems that manage this to try to attack this problem.
Joe Carrigan: [00:30:35] Right.
Dave Bittner: [00:30:35] So you don't have privileges building up. You only have what you need when you need it, and you can't just go looking for something that you looked at a month ago without making another request or something like that, so.
Joe Carrigan: [00:30:44] Right. Or maybe it's just during - you know, it's automated so that during business hours, you know, when you sit down and log in from a particular computer, you have access to it as long as you're logging in between, you know, 7:00 a.m. and 5:00 or 6:00 p.m., right?
Dave Bittner: [00:30:56] Right. Right.
Joe Carrigan: [00:30:56] After that time, you don't have access to the data.
Dave Bittner: [00:30:58] Right. Right. So, yeah, if you're logging in in the middle of the night from a computer that somewhere in China...
Joe Carrigan: [00:31:03] Right.
Dave Bittner: [00:31:03] ...It's going to say, this doesn't look right (laughter).
Joe Carrigan: [00:31:07] Right. No, you can't have the privileged access right now.
Dave Bittner: [00:31:09] Right.
Joe Carrigan: [00:31:10] That's a good idea.
Dave Bittner: [00:31:11] Yeah. All right. Well, thanks again to Carole Theriault for bringing that story to us, and thanks to Peter Draper from Gurucul for joining us on our show. We want to thank all of you for listening.
Dave Bittner: [00:31:21] And of course, we want to thank our sponsors at no KnowBe4. They are the social engineering experts and the pioneers of new-school security awareness training. Be sure to take advantage of their free phishing test, which you can find at knowbe4.com/phishtest. Think of KnowBe4 for your security training. We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:31:43] The "Hacking Humans" podcast is probably produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Joe Carrigan: [00:31:57] And I'm Joe Carrigan.
Dave Bittner: [00:31:57] Thanks for listening.