Phish, Spoof & Scam: Insider Threats, the GDPR and other regulations
Neira Jones FBCS, MSc, Independent Advisor, Payments, Risk, Cybercrime, & Digital Innovation
Slide 1 of 34 (Observeit Webinar – 26th May 2016)
Slide 2 of 34: The digital & regulatory landscape challenges

ENVIRONMENTAL
• Digital, hyper-connected, always on
• No traditional perimeter
• Extended supply chain: staff, contractors and suppliers putting organisations at risk
• People are now the weakest link

CRIMINAL
• Evolve rapidly and change tactics
• Design malware relying on tools that users trust
• Have moved from targeting systems to targeting individuals first (phishing, ransomware, etc.)

BUSINESSES
• Complex regulatory landscape: GDPR, PSD2, Privacy Shield, PCI DSS...
• Digital transformation
• Pressure to innovate
• Complex infrastructures
• Pressure to contain costs
• Too slow to discover a breach
Slide 3 of 34: Good things come to those that bait…
Hacking the human...
Slide 4 of 34: 75% of incidents have a common denominator: PEOPLE*
Slide 5 of 34: Are People & Regulations a dichotomy?

People:
• Want convenience & flexibility
• Are not aware of risks
• Will find the path of least resistance
• Have redefined the concept of privacy
• Believe security is not their responsibility

Regulations:
• Aim to foster competition & promote innovation
• Aim to protect people
• Aim to reduce risk
• Aim to foster better behaviours
• Aim to make organisations more responsible

• Current & forthcoming regulations (e.g. GDPR, PSD2, etc.) apply to all, not only EU organisations.
• People are confused about digital risks and privacy.
• Regulations aim to reduce risks and improve privacy.
• Protecting PEOPLE is the common denominator.
• Managing staff to protect DATA will protect PEOPLE.
Slide 6 of 34: An evolving threat landscape

75% OF INCIDENTS HAVE A COMMON DENOMINATOR: PEOPLE
• 17.7% miscellaneous errors
• 16.3% insider & privilege misuse
• 15.1% physical theft & loss
Source: Verizon DBIR 2016
Slide 7 of 34

TODAY, THREAT INTELLIGENCE, ADAPTIVE SECURITY, LAYERED DEFENCE AND INCIDENT RESPONSE HAVE BECOME ESSENTIAL.
“Hours instead of days! Now, we have minutes instead of hours.” (Star Trek II: The Wrath of Khan, 1982)
Slide 8 of 34

CRIMINALS ARE GETTING BETTER AT KNOWING THEIR TARGETS (US)
WE NEED TO GET BETTER AT KNOWING OURSELVES AND THINKING LIKE CRIMINALS...
Slide 9 of 34: Insider Threat Actors: Knowledge is key

IDENTIFY THE POSSIBLE INSIDER THREAT SCENARIOS
• Miscellaneous errors
• Insider & privilege misuse
• Theft & loss
• Phishing/ Social Engineering
Slide 10 of 34: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance -> Initial compromise -> Set up Command & Control -> Identify, acquire & aggregate data -> Exfiltrate or manipulate data
Two strategies: PROACTIVE and REACTIVE.
LET’S HAVE A LOOK AT HOW WE CAN BE PROACTIVE FIRST...
Slide 11 of 34: Cyber Kill Chain – Insider Threat: Negligent behaviour

Attack path:
• Reconnaissance: Phishing (email attachment, email link) -> Person: alter behaviour
• Initial compromise: User device -> Install malware; Steal & use credentials
• Install malware, set up command & control
• Identify, acquire, aggregate data
• Exfiltrate or manipulate data
70% of successful breaches start on endpoint devices (source: IDC)

Proactive controls along the chain: Email security; Policies/ Procedures; Education/ Monitoring; Governance; Endpoint security; Encryption/ Tokenisation; Access control; Multi-factor auth; Incident Response. AUTOMATE!
Slide 12 of 34: Cyber Kill Chain – Insider Threat: Malicious behaviour

Attack path:
• Reconnaissance: Person: alter behaviour. Tipping point event: personal circumstances, grudge, dare, greed, collusion, etc.
• Initial compromise: User devices, user accounts, network access -> Credentials abuse; Unusual activity
• Search for data
• Capture & hide data
• Exfiltrate or manipulate data
7.6% of successful breaches are caused by privilege abuse (Verizon DBIR 2016)

Proactive controls along the chain: Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Endpoint security; Access mgt/ Privilege Acct Mgt; Data Classification; User Behaviour Monitoring; Incident Response; Continuous Improvement. AUTOMATE!
Slide 13 of 34: Cyber Kill Chain – Insider Threat: Miscellaneous errors

Attack path:
• Reconnaissance: Person: alter behaviour. Trigger event: deadlines, long hours, personal circumstances, lack of security controls, unaware of policy, non-segregation of duties, insufficient governance, lack of coffee, etc.
• Initial compromise: User devices, user accounts, network access -> Use credentials; Normal activity
• Initiate legitimate action
• Perform legitimate action
• Cause damage by mistake
8.7% of successful breaches are caused by miscellaneous errors (Verizon DBIR 2016)

Proactive controls along the chain: Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Access mgt; Privilege Acct Mgt; Multi-factor auth; Data Classification; Incident Response; Continuous Improvement. AUTOMATE!
Slide 14 of 34: Cyber Kill Chain – Insider Threat: Theft & Loss

Attack path:
• Reconnaissance: Person: alter behaviour. Trigger event: personal circumstances, unaware of policy, lack of understanding, insufficient governance, not enough coffee, etc.
• Initial compromise: User devices, user accounts, network access, other (?) -> Use privileges; Normal activity
• Initiate careless action
• Perform careless action
• Lose stuff or have stuff stolen: physical documents, knowledge, access devices, passwords left on Post-it notes, printers, etc.
15.1% of incidents are caused by physical theft & loss (VZ DBIR 2016)

Proactive controls along the chain: Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Endpoint security; Encryption/ Tokenisation; Access mgt/ Privilege Acct Mgt; Multi-factor auth; Data Classification; Incident Response; Continuous Improvement. AUTOMATE!
Slide 15 of 34: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance -> Initial compromise -> Set up Command & Control -> Identify, acquire & aggregate data -> Exfiltrate or manipulate data

PROACTIVE: Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Email security; Data Classification; Incident Response; Continuous Improvement; Endpoint security; Encryption/ Tokenisation; Access mgt (incl. Priv.); Multi-factor auth. AUTOMATE!
REACTIVE: ?
Slide 16 of 34: Cyber Kill Chain – Insider Threat: Negligent behaviour

Compromise situation: Phishing -> Person: alter behaviour -> User device -> Install malware; Steal & use credentials -> Install malware, set up command & control -> Identify, acquire, aggregate data -> Exfiltrate or manipulate data
70% of successful breaches start on endpoint devices (source: IDC)

Reactive controls: Policies/ Procedures/ Governance/ Enablement; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Multi-factor Authentication/ Privilege Account Mgt; Patch All The Things!!!; Server/ Network/ Application Security & Monitoring; Threat Intelligence/ Data Leakage Prevention. AUTOMATE!
Slide 17 of 34: Cyber Kill Chain – Insider Threat: Malicious behaviour

Compromise situation: Person: alter behaviour -> Tipping point event -> User devices, user accounts, network access -> Credentials abuse; Unusual activity -> Search for data -> Capture & hide data -> Exfiltrate or manipulate data
7.6% of successful breaches are caused by privilege abuse (Verizon DBIR 2016)

Reactive controls: Policies/ Procedures/ Governance/ Enablement; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Privilege Account Mgt; Server/ Network/ Application Security & Monitoring; Data Leakage Prevention. AUTOMATE!
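The "User Behaviour Monitoring" and "AUTOMATE!" controls on this slide, as an added example (not code from the webinar or from ObserveIT): a small rule set that maps a user's audit events onto the malicious-insider chain above (unusual activity, search for data, aggregate, capture & hide, exfiltrate) and raises an alert only when several stages are reached, so a single off-hours login on its own does not page anyone. The log format, the business-hours window and the read-volume baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not from the webinar): "timestamp,user,action,target,bytes".
# alice behaves normally; bob walks the malicious-insider chain from the slide:
# unusual activity -> search for data -> capture & hide data -> exfiltrate.
SAMPLE_LOG = """\
2016-05-20T09:12:00,alice,read,hr/payroll_q1.xlsx,120000
2016-05-20T10:40:00,alice,read,hr/payroll_q2.xlsx,118000
2016-05-20T23:05:00,bob,search,finance/*,0
2016-05-20T23:07:00,bob,read,finance/forecast_2017.xlsx,2400000
2016-05-20T23:08:00,bob,read,finance/customers_full.csv,8900000
2016-05-20T23:15:00,bob,archive,tmp/backup.zip,11300000
2016-05-20T23:20:00,bob,upload,personal-cloud.example,11300000
"""
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00 to 19:59 is normal working time
READ_BASELINE_BYTES = 1_000_000    # assumption: typical daily read volume for one user
STAGE_BY_ACTION = {                # kill-chain stage that a single action reaches
    "search": "search for data",
    "archive": "capture & hide data",
    "upload": "exfiltrate or manipulate data",
}

def parse_log(text):
    """Turn the CSV-style lines into event dicts, skipping blank lines."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, user, action, target, nbytes = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "target": target, "bytes": int(nbytes)})
    return events

def assess_user(events):
    """Map one user's events to the kill-chain stages they reach, with a reason each."""
    findings = {}
    for e in events:
        if e["time"].hour not in BUSINESS_HOURS:   # off-hours work: unusual activity
            findings["unusual activity"] = f"{e['action']} at {e['time']:%H:%M}"
        if e["action"] in STAGE_BY_ACTION:
            findings[STAGE_BY_ACTION[e["action"]]] = f"{e['action']} {e['target']}"
    read_total = sum(e["bytes"] for e in events if e["action"] == "read")
    if read_total > 5 * READ_BASELINE_BYTES:       # aggregation well above baseline
        findings["identify, acquire & aggregate data"] = f"read {read_total} bytes"
    return findings

def detect(log_text, min_stages=3):
    """Group events per user; alert on users whose behaviour spans >= min_stages stages."""
    per_user = defaultdict(list)
    for e in parse_log(log_text):
        per_user[e["user"]].append(e)
    assessed = {user: assess_user(events) for user, events in per_user.items()}
    return {user: f for user, f in assessed.items() if len(f) >= min_stages}
```

Each alert carries the stage names from the slide plus the event that triggered them, which is what an incident responder needs to start with; tuning `min_stages` trades earlier warning against noise.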
Slide 18 of 34: Cyber Kill Chain – Insider Threat: Miscellaneous errors

Compromise situation: Person: alter behaviour -> Trigger event -> User devices, user accounts, network access -> Use credentials; Normal activity -> Initiate legitimate action -> Perform legitimate action -> Cause damage by mistake: omission, data entry error, programming error, gaffe, disposal error, wrong payments, misconfiguration, publishing error, misdelivery, etc.
8.7% of successful breaches are caused by miscellaneous errors (Verizon DBIR 2016)

Reactive controls: Policies/ Procedures/ Governance/ Enablement; Disposal/ Decommissioning Policies; Process Control/ DevOps/ Workflow Management; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Server/ Network/ Application Security & Monitoring; Privilege Acct Mgt/ Threat Intelligence/ DLP. AUTOMATE!
Slide 19 of 34: Cyber Kill Chain – Insider Threat: Theft & Loss

Theft & loss shouldn’t be confined to the physical only...
Compromise situation: Person: alter behaviour -> Trigger event -> User devices, user accounts, network access, other (?) -> Use privileges; Normal activity -> Initiate careless action -> Perform careless action -> Lose stuff or have stuff stolen (also includes IP theft): leave screen unlocked, leave devices unprotected, leave confidential documents unprotected, unsecure printing, disclose information to strangers, post too many details on social media, leave car unlocked, let strangers go through doors, etc.

Reactive controls: Policies/ Procedures/ Governance/ Enablement; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Endpoint security/ Encryption/ Tokenisation; Server/ Network/ Application Security & Monitoring; Privilege Acct Mgt/ DLP. AUTOMATE!
Slide 20 of 34: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance -> Initial compromise -> Set up Command & Control -> Identify, acquire & aggregate data -> Exfiltrate or manipulate data

PROACTIVE: Policies/ Procedures; Education; Monitoring; Governance/ Enablement; Email security; Data Classification; Incident Response; Continuous Improvement; Endpoint security; Encryption/ Tokenisation; Access mgt (incl. Priv.); Multi-factor auth. AUTOMATE!
REACTIVE: Policies/ Procedures/ Governance/ Enablement; Process Control/ DevOps/ Workflow Management; Disposal/ Decommissioning; User Behaviour Monitoring/ Education; Incident Response/ Continuous Improvement; Endpoint security/ Encryption/ Tokenisation; Multi-factor Authentication/ Privilege Account Mgt; Server/ Network/ Application Security & Monitoring; Patch All The Things!!!; Threat Intelligence/ Data Leakage Prevention. AUTOMATE!
Slide 21 of 34: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance -> Initial compromise -> Set up Command & Control -> Identify, acquire & aggregate data -> Exfiltrate or manipulate data
PROACTIVE and REACTIVE: THESE TWO STRATEGIES ARE COMPLEMENTARY...
Slide 22 of 34: Insider Threats: An alternative view...

PEOPLE & PROCESS: Policies/ Procedures/ Governance/ Enablement; Process Control/ DevOps/ Workflow Management; Disposal/ Decommissioning; Data Classification; Education; User Behaviour Monitoring; Incident Response; Continuous Improvement
TECHNOLOGY: Endpoint security; Server/ Network/ Application Security & Monitoring; Email security; Encryption/ Tokenisation; Access management; Multi-factor Authentication/ Privilege Account management; Patch All The Things!!!; Threat Intelligence/ Data Leakage Prevention
AUTOMATE
Slide 23 of 34: Insider Threats: complementary strategies

Kill chain: Reconnaissance -> Initial compromise -> Set up Command & Control -> Identify, acquire & aggregate data -> Exfiltrate or manipulate data
PROACTIVE and REACTIVE: THESE TWO STRATEGIES ARE COMPLEMENTARY... AND CAREFUL IMPLEMENTATION WILL PROVE WHAT MANY SECURITY PROS HAVE KNOWN FOR AGES... THAT COMPLIANCE DOESN’T EQUAL SECURITY... BUT GOOD SECURITY WILL LEAD TO COMPLIANCE!
Slide 24 of 34: GDPR: Process, Monitoring, Education & Governance

The GDPR specifies organisational and individual responsibilities for organisations responsible for the processing of personal data:
• Transparent & easily accessible policies: Article 10.1. Process & governance.
• Personal data is processed securely: Article 18.1. Process & governance.
• Verify that measures are effective: Article 18.3. Process, monitoring & governance.
• Risk-based technical & organisational measures: Article 27.1. Process & governance.
• Data Protection Officer: Article 32.b. DPO responsible for application of policies, assignment of responsibilities, staff training & audit.
(Article numbers are as cited on the slides; they do not match the article numbering of the adopted GDPR text, Regulation (EU) 2016/679, where security of processing is Article 32 and the Data Protection Officer is covered by Articles 37 to 39.)
Slide 25 of 34: GDPR: Access control

The GDPR specifies organisational responsibilities for giving access to personal data:
• Equipment access control (Article 27.2.a): deny unauthorised persons access to equipment used for processing personal data.
• Data media control (Article 27.2.b): prevent unauthorised reading, copying, modification or removal of data media.
• Storage control (Article 27.2.c): prevent unauthorised input of data and inspection, modification, or deletion of personal data.
• Data access control (Article 27.2.e): ensure that authorised persons only have access to personal data according to job need.
Slide 26 of 34: GDPR:

The GDPR specifies operational control responsibilities for processing personal data:
• Communication control (Article 27.2.f): be able to monitor & verify to which bodies personal data has been or may be transmitted or made available.
• Input control (Article 27.2.g): be able to monitor & verify which personal data have been input into systems, when, and by whom.
• Transport control (Article 27.2.h): be able to prevent unauthorised reading, copying, modification or deletion of personal data during transfer or transportation.
• Incident response & disclosure (Article 28.4): document all facts surrounding breaches of personal data and remedial actions taken for subsequent disclosure.
Slide 27 of 34: Insider Threats and the GDPR

People & process controls, mapped to GDPR articles (as cited on the slides):
• Policies/ Procedures/ Governance/ Enablement: Article 10.1, 10.2, 18.1, 18.3, 27.1, 28.4, 32.b
• Process Control/ DevOps/ Workflow Management: Article 18.1, 27.1, 32.b
• Disposal/ Decommissioning: Article 18.1, 27.1, 27.2.b, h, 32.b
• Data Classification: Article 18.1, 27.1, 27.2.a, b, 32.b
• User Behaviour Monitoring: Article 18.3, 27.1, 27.2.a, b, c, d, e, f, g, h
• Education: Article 18.1, 27.1, 32.b
• Incident Response: Article 18.1, 27.1, 28.4, 32.b
• Continuous Improvement: Article 18.1, 27.1, 28.4, 32.b

Technology controls, mapped to GDPR articles:
• Endpoint security: Article 27.1, 27.2.e, f, g, h
• Server/ Network/ Application Security & Monitoring: Article 27.1, 27.2.d, e, f, g
• Email security: Article 27.1, 27.2.b, d, f, h
• Encryption/ Tokenisation: Article 27.1, 27.2.d
• Access management: Article 27.1, 27.2.a, b, d, e, g
• Multi-factor Authentication/ Privilege Account management: Article 27.1, 27.2.a, b, d, e
• Patch All The Things!!!: Article 27.1
• Threat Intelligence: Article 27.1
• Data Leakage Prevention: Article 27.1, 27.2.a, b, f, h
AUTOMATE
Slide 28 of 34: Insider Threats: Two possible strategies...

Kill chain: Reconnaissance -> Initial compromise -> Set up Command & Control -> Identify, acquire & aggregate data -> Exfiltrate or manipulate data
PROACTIVE and REACTIVE
...AND THAT’S NOT ALL...
...AND IT SHOULD BE NO SURPRISE!...
...THAT THE SAME PRINCIPLES CAN BE FOLLOWED FOR PCI DSS...
Slide 29 of 34: Insider Threats and PCI DSS v3.2

People & process controls, mapped to PCI DSS v3.2 requirements:
• Policies/ Procedures/ Governance/ Enablement: Req 3.7, 4.3, 5.2, 5.4, 6.1, 6.3, 6.4, 6.6, 6.7, 7.3, 8.4, 8.8, 9.2, 9.4, 9.5, 9.7, 9.8, 10.8, 10.9, 11.6, 12
• Process Control/ DevOps/ Workflow Mgt: Req 3.7, 6.3, 6.4, 6.5, 6.7, 9.6, 9.8, 12
• Disposal/ Decommissioning: Req 3.1, 9.6, 12
• Data Classification: Req 3.1, 12.6
• User Behaviour Monitoring: Req 4.2, 11.5
• Education: Req 3.7, 4.3, 12
• Incident Response: Req 12.5.3, 12.10
• Continuous Improvement: Req 12

Technology controls, mapped to PCI DSS v3.2 requirements:
• Endpoint security: Req 4.2, 5.1, 5.3, 9.9
• Server/ Network/ Appl. Security & Monitoring: Req 4.2, 5.1, 5.2, 5.3, 6.1, 6.6, 10, 11.1, 11.2, 11.3, 11.4, 11.5
• Email security: Req 4.2, 8.2.2, 12.3
• Encryption/ Tokenisation: Req 3.4, 4.1, 4.3
• Access management: Req 7.1, 7.2, 7.3, 8.1, 8.7, 9.1, 9.3
• Multi-factor Auth./ Privilege Account Mgt: Req 2.1, 7.1, 7.2, 8.1, 8.2, 8.3, 8.5, 8.6
• Patch All The Things!!!: Req 6.1, 6.2
• Threat Intelligence: Req 6.1, 6.6
• Data Leakage Prevention: Req 4.2
AUTOMATE
Slide 30 of 34: Insider Threats and other regulations

EU Payments Services Directive 2 (PSD2):
• Article 79 mandates GDPR compliance for all payment institutions;
• Other stringent requirements on security, disclosure and authentication.

EU/ US Privacy Shield agreement:
• Will put pressure on understanding where data is located, giving focus to cloud services;
• Increased focus on supply chain due diligence;
• Will increase focus on sharing tools and other applications used by employees.
Slide 31 of 34: Here’s the Shocker...

MANAGING STAFF TO PROTECT DATA WILL PROTECT PEOPLE...
EFFECTIVE INSIDER THREAT MANAGEMENT...
...WILL GO A VERY LONG WAY TOWARDS REGULATORY COMPLIANCE!
Observeit Webinar – 26th May 2016
O brave new world, That has such people in't *• Regulations will force better behaviours• Security must be trilateral: PEOPLE, PROCESS, TECHNOLOGY• Effective Insider Threat Management is now crucial:
TRUST BUT VERIFY (your employees are your first line of defense, but also a big risk)
Monitor & study insider behaviours as attackers study you Adopt both Proactive and Reactive security strategies AUTOMATE!
• Don’t be afraid to look at new security technologies• Partnerships will be key
32 of 34
*Star Trek: The Next Generation, Emergence, 1994*Shakespeare: The Tempest, Act 5, Scene 1
Observeit Webinar – 26th May 201633 of 32
... WHERE INSIDER THREATS CAN BE MANAGED
Slide 34 of 34: Thank you!
Neira Jones FBCS, MSc | Independent Advisor, Payments, Risk, Cybercrime, & Digital Innovation