This week I sat in on several educational sessions and expert panels at the Advisen Cyber Insights Conference in Chicago, where Swiss Re's Nancy Bewlay presented. One panel – on internal cyber threats – peaked my interest because so much of the discussion around recent headline data breaches, such as Target, TJ Maxx, and Michaels, is on network security and the need to have tight information security controls in place to protect against the risks of outside hackers.
However, as boards of directors, c-suites, and governments focus on the threats of outsiders, has the focus on insider threats been diminished? Is the risk of an Edward Snowden working at your company now… just old news?
Panelists discussed methodologies in place at certain government-supported organizations to provide forewarning and protect against a rogue employee executing a cyber breach. Referring back to the Edward Snowden example, the best defense is other employees. The investigation into the Snowden breach highlighted that other employees knew of Edward's feelings and suspicious activities. Had these suspicions been reported, this breach could have potentially been avoided. But is this creating a culture of employees scrutinizing and tattling on each other the only way for a company to protect itself?
A panelist from CERT, the Computer Emergency Response Team, at Carnegie Mellon University ( http://www.cert.org ) provided examples of how behavioral and technical indicators can be used to identify risks of an internal threat. Interestingly, the way we all type our passwords has a unique "fingerprint." The way each of us types is rather consistent, especially when typing a password that we may type multiple times a day. However, when we as humans feel stressed, nervous and uncomfortable, these emotions impact how we type our passwords, and this change can be detected by computer systems. Therefore, systems of critical infrastructure that could impact many lives can disallow access when this password fingerprint is off from normal, possibly requiring a supervisor password entry in such a situation. This could potentially thwart an internal attacker.
Another example highlighted how employees of government agencies with access to classified information must report life changes that would impact behaviors to their employers, such as divorce or taking new medications. Computer systems at these agencies can track at what time of day employees access certain restricted files, if they are printed, and to what printer (i.e., printing restricted information at 8pm to a printer in a different wing of the building). Analytics can link this abnormal activity with classified info to the life change which would be impacting the employee emotionally. Furthermore, using Big Data, systems can mine all government databases and uncover that this employee purchased a one-way airline ticket to a random foreign country. This would raise red flags and potentially stop an internal breach.
This discussion was eye opening and got me thinking about how internal cyber risk is not usually a hot topic but perhaps should be.
How do you and your organization assess and deal with internal cyber risk? Should it be a larger topic of discussion?