WEBVTT

00:00:00.000 --> 00:00:06.332 align:middle line:90%


00:00:06.332 --> 00:00:08.290 align:middle line:84%
In this video, we're
going to be talking about,

00:00:08.290 --> 00:00:09.970 align:middle line:90%
what is an insider threat?

00:00:09.970 --> 00:00:12.650 align:middle line:90%


00:00:12.650 --> 00:00:15.650 align:middle line:84%
Now, an insider threat
is a malicious threat

00:00:15.650 --> 00:00:17.510 align:middle line:84%
to an organization
that comes from people

00:00:17.510 --> 00:00:22.320 align:middle line:84%
within the organization, such
as employees, former employees,

00:00:22.320 --> 00:00:24.410 align:middle line:84%
contractors, or
business associates

00:00:24.410 --> 00:00:27.830 align:middle line:84%
who have inside information
concerning the organization's

00:00:27.830 --> 00:00:31.400 align:middle line:84%
security practices, data,
and computer systems.

00:00:31.400 --> 00:00:33.530 align:middle line:84%
Now, I like this
description a lot,

00:00:33.530 --> 00:00:35.630 align:middle line:90%
and this is from Wikipedia.

00:00:35.630 --> 00:00:39.080 align:middle line:84%
What I would also add
is these users tend

00:00:39.080 --> 00:00:41.690 align:middle line:84%
to have some sort of
network-level access,

00:00:41.690 --> 00:00:44.600 align:middle line:84%
some sort of login,
email account, logging

00:00:44.600 --> 00:00:47.310 align:middle line:90%
into the network, whatnot.

00:00:47.310 --> 00:00:51.260 align:middle line:84%
Now, this is essentially
what an insider threat is.

00:00:51.260 --> 00:00:55.130 align:middle line:84%
Now, an insider threat can
be a deliberate malicious act

00:00:55.130 --> 00:00:57.770 align:middle line:84%
or it could be an
unwitting participant.

00:00:57.770 --> 00:01:01.430 align:middle line:84%
So not all insider
threats are people looking

00:01:01.430 --> 00:01:02.745 align:middle line:90%
to do harm to the network.

00:01:02.745 --> 00:01:05.120 align:middle line:84%
It could be someone that really
doesn't know that they're

00:01:05.120 --> 00:01:08.360 align:middle line:90%
doing some sort of harm.

00:01:08.360 --> 00:01:12.040 align:middle line:84%
So according to the
Verizon report in 2019,

00:01:12.040 --> 00:01:14.110 align:middle line:84%
let's take a look at
how serious this is.

00:01:14.110 --> 00:01:18.250 align:middle line:84%
So 57% of database breaches
involved an insider threat

00:01:18.250 --> 00:01:20.020 align:middle line:90%
within an organization.

00:01:20.020 --> 00:01:24.010 align:middle line:84%
20% of security incidents
and 15% of data breaches

00:01:24.010 --> 00:01:26.650 align:middle line:84%
were due to misuse
of privileges.

00:01:26.650 --> 00:01:30.790 align:middle line:84%
61% of internal actors
are not in a position

00:01:30.790 --> 00:01:34.030 align:middle line:84%
with a high level of
access or stature.

00:01:34.030 --> 00:01:37.300 align:middle line:84%
In 4% of insider and
privilege misuse,

00:01:37.300 --> 00:01:41.210 align:middle line:84%
breaches were uncovered
using fraud detection.

00:01:41.210 --> 00:01:43.630 align:middle line:84%
So these are pretty
big numbers, especially

00:01:43.630 --> 00:01:46.670 align:middle line:84%
considering these are attacks
within your own network.

00:01:46.670 --> 00:01:50.080 align:middle line:84%
It's not, per se, a
person from the outside,

00:01:50.080 --> 00:01:52.270 align:middle line:84%
they do some scanning
reconnaissance,

00:01:52.270 --> 00:01:55.580 align:middle line:84%
and they exploit a
vulnerability on your network.

00:01:55.580 --> 00:01:57.970 align:middle line:84%
These are people working
within your organization.

00:01:57.970 --> 00:02:00.620 align:middle line:90%


00:02:00.620 --> 00:02:04.960 align:middle line:84%
So a malicious insider is a
current employee or, again,

00:02:04.960 --> 00:02:08.050 align:middle line:90%
a contractor.

00:02:08.050 --> 00:02:11.770 align:middle line:84%
It's generally someone who's
upset and wants to harm

00:02:11.770 --> 00:02:13.690 align:middle line:90%
your network or company.

00:02:13.690 --> 00:02:16.030 align:middle line:84%
This also could
be someone that's

00:02:16.030 --> 00:02:21.230 align:middle line:84%
doing this for monetary
purposes or other reasons.

00:02:21.230 --> 00:02:28.120 align:middle line:84%
It could be hacktivism
or some other reason.

00:02:28.120 --> 00:02:30.637 align:middle line:84%
But the bottom line is they
know what they're doing,

00:02:30.637 --> 00:02:32.470 align:middle line:84%
and they're trying to
do something that they

00:02:32.470 --> 00:02:35.890 align:middle line:90%
shouldn't be, on your network.

00:02:35.890 --> 00:02:38.730 align:middle line:84%
It could be a
current employee who

00:02:38.730 --> 00:02:41.490 align:middle line:84%
allows access to an
outsider for money, revenge,

00:02:41.490 --> 00:02:42.900 align:middle line:90%
or other reasons.

00:02:42.900 --> 00:02:46.050 align:middle line:84%
And recently, we saw
this with Twitter.

00:02:46.050 --> 00:02:49.320 align:middle line:84%
Allegedly, an employee
was on a forum.

00:02:49.320 --> 00:02:54.830 align:middle line:84%
They were giving out access
to anyone that would pay.

00:02:54.830 --> 00:02:57.620 align:middle line:84%
Malicious hackers paid
them I think it was $2,000,

00:02:57.620 --> 00:03:02.730 align:middle line:84%
and they gained access to a lot
of high-level Twitter accounts.

00:03:02.730 --> 00:03:05.220 align:middle line:84%
Also, current employees
who choose to do mischief.

00:03:05.220 --> 00:03:09.138 align:middle line:84%
Again, it might be something
not necessarily harmful

00:03:09.138 --> 00:03:11.430 align:middle line:84%
to the network, but it could
be something mischievous -

00:03:11.430 --> 00:03:14.430 align:middle line:84%
maybe changing of
the website, putting

00:03:14.430 --> 00:03:20.790 align:middle line:84%
some sort of hacktivism,
hacking activism, banner,

00:03:20.790 --> 00:03:23.910 align:middle line:84%
or a mark on the web page,
or something like that,

00:03:23.910 --> 00:03:26.100 align:middle line:84%
or posting as someone
else, whatnot.

00:03:26.100 --> 00:03:28.870 align:middle line:90%


00:03:28.870 --> 00:03:32.990 align:middle line:84%
It could also be an employee
who can range from a custodian

00:03:32.990 --> 00:03:35.640 align:middle line:84%
to an intern, to management,
again, a contractor.

00:03:35.640 --> 00:03:38.090 align:middle line:84%
These all can be
malicious insiders.

00:03:38.090 --> 00:03:41.660 align:middle line:84%
It could also be an employee
who quit or was terminated

00:03:41.660 --> 00:03:43.670 align:middle line:84%
and does damage to the
company or network.

00:03:43.670 --> 00:03:46.722 align:middle line:84%
They use their account
to delete data before they leave

00:03:46.722 --> 00:03:49.670 align:middle line:84%
- we've actually
seen this before.

00:03:49.670 --> 00:03:53.703 align:middle line:84%
That's happened, where an
employee, they were let go.

00:03:53.703 --> 00:03:56.120 align:middle line:84%
That employee said, well, could
I have a couple of minutes

00:03:56.120 --> 00:03:57.050 align:middle line:90%
to clean out my desk?

00:03:57.050 --> 00:03:59.680 align:middle line:84%
And instead of actually
clearing out their desk,

00:03:59.680 --> 00:04:01.222 align:middle line:84%
they actually logged
in to their account

00:04:01.222 --> 00:04:04.100 align:middle line:84%
and started deleting out
years' worth of data.

00:04:04.100 --> 00:04:08.420 align:middle line:84%
Also, a person that
was terminated or quit,

00:04:08.420 --> 00:04:11.870 align:middle line:84%
may also use an old
account that's still active

00:04:11.870 --> 00:04:13.580 align:middle line:84%
and continue to log
into the network

00:04:13.580 --> 00:04:15.560 align:middle line:84%
after they're terminated,
after they leave.

00:04:15.560 --> 00:04:18.425 align:middle line:84%
These are all examples
of a malicious insider.

00:04:18.425 --> 00:04:21.060 align:middle line:90%


00:04:21.060 --> 00:04:23.190 align:middle line:84%
An unwitting
insider, I would say,

00:04:23.190 --> 00:04:24.690 align:middle line:84%
would be a current
employee who doesn't

00:04:24.690 --> 00:04:26.065 align:middle line:84%
know that they're
doing something

00:04:26.065 --> 00:04:28.440 align:middle line:84%
that is harmful to the
workplace or network.

00:04:28.440 --> 00:04:30.930 align:middle line:84%
This employee may
be tricked, again,

00:04:30.930 --> 00:04:34.650 align:middle line:84%
a victim of social engineering,
such as clicking a bad link

00:04:34.650 --> 00:04:37.010 align:middle line:84%
or enticed to take
action, again,

00:04:37.010 --> 00:04:38.670 align:middle line:84%
that's not necessarily
good for them

00:04:38.670 --> 00:04:41.300 align:middle line:90%
or good for their organization.

00:04:41.300 --> 00:04:43.800 align:middle line:84%
It could also be an employee
who simply let someone tailgate

00:04:43.800 --> 00:04:47.730 align:middle line:84%
past a security
checkpoint, an employee who

00:04:47.730 --> 00:04:50.640 align:middle line:84%
plugs in a USB drive
that they happen to find.

00:04:50.640 --> 00:04:52.890 align:middle line:84%
And they plug it
into the computer,

00:04:52.890 --> 00:04:55.127 align:middle line:84%
plug it into the network,
and it has a virus.

00:04:55.127 --> 00:04:57.210 align:middle line:84%
They don't know it has
something harmful in there.

00:04:57.210 --> 00:04:58.085 align:middle line:90%
They're just curious.

00:04:58.085 --> 00:05:03.260 align:middle line:84%
They plug it in, and a payload
gets dropped on the network.

00:05:03.260 --> 00:05:06.870 align:middle line:90%
That was an unwitting action.

00:05:06.870 --> 00:05:09.320 align:middle line:84%
It could also be an
individual on the network team

00:05:09.320 --> 00:05:12.290 align:middle line:84%
who forgets to
deactivate an account

00:05:12.290 --> 00:05:15.140 align:middle line:84%
or leaves unnecessary
accounts left on the network

00:05:15.140 --> 00:05:17.630 align:middle line:84%
that a malicious
hacker may use later.

00:05:17.630 --> 00:05:23.150 align:middle line:84%
It also can be misconfiguration
of a server, a misconfiguration

00:05:23.150 --> 00:05:25.730 align:middle line:84%
of user rights, giving
people too many rights

00:05:25.730 --> 00:05:28.760 align:middle line:84%
that they really don't need,
and thus, causing a problem.

00:05:28.760 --> 00:05:31.880 align:middle line:84%
This would be an
unwitting insider attack.

00:05:31.880 --> 00:05:35.360 align:middle line:84%
It's people that do things
that actually harm the network,

00:05:35.360 --> 00:05:41.610 align:middle line:84%
but they're not cognizant that
they're actually doing harm.

00:05:41.610 --> 00:05:43.820 align:middle line:84%
So how do we mitigate
these types of attacks?

00:05:43.820 --> 00:05:45.500 align:middle line:90%
Well, audit your accounts.

00:05:45.500 --> 00:05:49.670 align:middle line:84%
Monitoring active
accounts is important.

00:05:49.670 --> 00:05:51.170 align:middle line:84%
You've got to be
sure what account -

00:05:51.170 --> 00:05:54.730 align:middle line:84%
if the accounts are there,
should they still be active?

00:05:54.730 --> 00:05:56.480 align:middle line:84%
You should also take
a look at user rights

00:05:56.480 --> 00:05:58.910 align:middle line:84%
- making sure that
people have enough rights

00:05:58.910 --> 00:06:02.060 align:middle line:84%
to do what they need to do, but
not so much that they really

00:06:02.060 --> 00:06:03.620 align:middle line:90%
don't need that.

00:06:03.620 --> 00:06:08.650 align:middle line:84%
Disable accounts - accounts need
to be disabled quickly and as

00:06:08.650 --> 00:06:10.520 align:middle line:90%
soon as it needs to be done.

00:06:10.520 --> 00:06:13.240 align:middle line:84%
You also may consider
automation to handle this.

00:06:13.240 --> 00:06:15.595 align:middle line:84%
User training - training
users to identify

00:06:15.595 --> 00:06:18.190 align:middle line:84%
a social engineering
attack and how

00:06:18.190 --> 00:06:21.340 align:middle line:84%
they may be an unwitting
insider attacker,

00:06:21.340 --> 00:06:24.040 align:middle line:84%
could actually help the
organization quite a bit.

00:06:24.040 --> 00:06:26.842 align:middle line:84%
Restricting accounts, again,
restricting your accounts

00:06:26.842 --> 00:06:28.300 align:middle line:84%
to only have as
many rights as they

00:06:28.300 --> 00:06:31.450 align:middle line:84%
need to do their day-to-day
work will help quite a bit.

00:06:31.450 --> 00:06:33.850 align:middle line:84%
But also, you need
to be cognizant

00:06:33.850 --> 00:06:37.750 align:middle line:84%
of what they really need to do
and what they don't need to do.

00:06:37.750 --> 00:06:41.260 align:middle line:84%
And that's going to be a little
bit of a balance there, too.

00:06:41.260 --> 00:06:43.720 align:middle line:84%
Monitoring - network
monitoring tools

00:06:43.720 --> 00:06:46.060 align:middle line:84%
can help keep
awareness of what's

00:06:46.060 --> 00:06:49.500 align:middle line:90%
going on in your network.

00:06:49.500 --> 00:06:50.917 align:middle line:84%
So this was about
insider attacks.

00:06:50.917 --> 00:06:52.875 align:middle line:84%
The next video we're
going to be talking about,

00:06:52.875 --> 00:06:54.570 align:middle line:84%
why employee training
is important,

00:06:54.570 --> 00:06:56.562 align:middle line:90%
and also go over some tips.

00:06:56.562 --> 00:06:57.520 align:middle line:90%
Thank you for watching.

00:06:57.520 --> 00:06:59.510 align:middle line:90%
I'll see you in the next video.

00:06:59.510 --> 00:07:01.000 align:middle line:90%