SS-NEWS-03: CNA and Insider Threat

Episode 3 March 29, 2021 00:43:28
SS-NEWS-03: CNA and Insider Threat
Security Serengeti
SS-NEWS-03: CNA and Insider Threat

Mar 29 2021 | 00:43:28

/

Show Notes

This week we discuss two articles around CNA (an insurer that provides cybersecurity insurance) taking down some of their systems, and an insider threat case.

CNA Links:
https://www.cyberscoop.com/cna-cyber-insurance-breach/
https://www.cna.com/
https://assets.kpmg/content/dam/kpmg/ae/pdf/closing-the-gap.pdf
https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance-2021/

Insider Threat Links:
https://www.bleepingcomputer.com/news/security/resentful-employee-deletes-1-200-microsoft-office-365-accounts-gets-prison/
https://businessinsights.bitdefender.com/businesses-vengeful-it-contractor

Follow us @SerengetiSec on Twitter!

View Full Transcript

Episode Transcript

[00:00:14] Speaker A: Welcome to the security Serengeti. We're your hosts, David Schwindinger and Matthew Keener. [00:00:19] Speaker B: We're here to talk about some recent headlines and provide some insight and analysis and practice application that you can take into the office to help protect your organization. [00:00:29] Speaker A: The views and opinions expressed in this podcast are ours and ours alone and do not reflect the views or opinions of our employers. [00:00:36] Speaker B: Yeah, if you believe we are actually employed, 50 50. All right, so our first headline that we're going to talk about is topper insurer CNA disconnects systems after cyberattack. And we got this from cyberscube. And there's actually some bits of information we pulled off some other sites, including CNA's website itself, assets, KPMG, because apparently KPMG has enough money that they can just throw at the domain folks and have their own domain. It's kind of fancy. And woodrufflawyer.com, which I guess is a cyber lawyer liability company or another insurance. [00:01:22] Speaker A: Another insurance company. They had some interesting things to say about cyber insurance in general. [00:01:26] Speaker B: Right. So the gist of this article is that CNA, who provides cyber insurance as well as other types of insurance, was hit with a cyber attack that prompted them disconnect their systems from its network. So the attack caused a network disruption that impacted certain CNA systems, including corporate email. These are quotes from their actual page that they have posted on their site. And out of an abundance of caution, we have disconnected our systems from our network, which continue to function. [00:01:59] Speaker A: That's interesting. What type of attack would you disconnect your systems from the network? I mean, ransomware is the obvious one, but that would mean they don't function anymore. [00:02:09] Speaker B: Yeah, I mean, it's really about the context because what are they saying is continuing to function, the compromised systems, the network overall? I don't know. It's one of those lawyers, it's part of that lawyer speak that they throw up on there that sometimes is more confusing than clarifying. But on their page they say, oh, we will update customers if we found that they've been impacted. So they haven't even finished their analysis yet. So a lot of this is really vague in general, or what they have on their site is really vague in general, just to indicate, yeah, there's a problem and we're working on it. But the CNA company is one of the top 15 property and casualty insurers and among the top twelve for cyber insurance overall. So this event apparently happened on March 21, and they are currently working with third party experts and have informed law enforcement about the incident. So they are still trying to figure out exactly what happened. But one of the interesting things on there that they mentioned that it impacted corporate email, but if you go to their page, they ask people to email them, which is kind of weird. So I'm not sure exactly what the impact email was. If they're saying, oh, well, we can't contact you or you can't contact us via the normal channel. You need to use these specific email addresses and yet say that email has been impacted. So it's a very confusing statement. [00:03:53] Speaker A: I just checked their MX records. They're using proofpoint for their. But that's not an actual mail server, that's just mail, just a relay. Yeah. [00:04:02] Speaker B: Really. [00:04:02] Speaker A: I was hoping to see if they're using office 365 or something locally hosted, but they don't have it publicly listed. [00:04:07] Speaker B: Well, if you look at the who is for their domain, they appear to be using Google Cloud. [00:04:14] Speaker A: Is that for their current domain though? Because I imagine one of the things they probably, and we talk about this a little bit later maybe, but like having a backup website that you can flip your DNS over to that's completely separate from your infrastructure in case something happens to it might be an interesting thing to do. [00:04:33] Speaker B: Yeah, you just change the DNS record, but in the who is it said that that record had not been updated since last November. So I don't think they changed where that was pointing to. So if they're using, maybe it could be that they're just using Google Cloud for their website. But if the website was not affected, I'm not sure why they took down the website and just have this posting which indicates that they're undergoing some challenges right now. [00:05:04] Speaker A: Yeah. [00:05:06] Speaker B: So the communications there, and I think we talked about this a couple of weeks ago when we were talking about news last time, is that communications in an event are really important to be clear, concise and uniform to ensure that the stakeholders, whether it be customers, vendors, regulators, et cetera, have some level of confidence that you know what you're doing in handling the problem. Now, according to the article, one of the chief concerns, according to coalition CEO Joshua Mata and his company provides cyber risk management tools and cyber insurance, is that the threat actors may be aware of companies that have applied for insurance and those that have purchased it, as well as what coverage they have for extortion or ransomware, as well as the limits and deductibles on those policies. And I can see how some of that. So I guess we kind of get into this, know, why does this even matter now. So I think what he's talking about is not quite as far down the rabbit hole as I went with. Well, assuming that CNA doesn't just give a policy or issue a policy to customers without evaluating their organization, then they have done some kind of determination in order to determine the risk level, which is going to give them an idea about how much they're going to charge this company, how high those deductibles are going to be, whether they're going to give them insurance at all. And I think that in order to have that, they're going to have that information on their site or in their systems. So not only do you understand the policy details about the CNA customers, you may have an idea about their weaknesses and the challenges they're having or where they're falling down at as far as their overall cybersecurity stance or posture. [00:07:21] Speaker A: Sorry, I'm not paying attention over here. I've been diving into passive total. It does look like they switched their infrastructure on the 22 march. So that's interesting. It's not really a surprise. [00:07:32] Speaker B: What, they switched it to Google? [00:07:34] Speaker A: Yes. They were hosting it on continental casualty company was the organization that owned the ASN. They actually owned their own netblock. [00:07:45] Speaker B: Okay, so now that makes sense why they have that up on Google. That was something that they could quickly transition. [00:07:52] Speaker A: Mean they didn't, they kept their domain registration. They just switched where it was going to. Probably bought some cheap space on Google and threw up that page. [00:08:00] Speaker B: And actually, depending on, I assume that you could probably just do that with a credit card. So you wouldn't necessarily have to have something pre staged in order to be prepared for that kind of switch then, because they were able to get it done in a day or less than a day, it shouldn't be too bad. [00:08:16] Speaker A: To do that, but it'd be nice to have that kind of pre planned to kind of know ahead of time because that definitely takes away from effort. Time and effort. You should be putting in instant response to kind of focus on how are we going to get back in touch with our customers. [00:08:30] Speaker B: Right. It takes the thinking out of the response. It's kind of like any kind of Dr. Situation or even physical altercation if you'd done martial arts training or whatever and just respond or react. I interviewed one time with a company and I was asking them about their Dr. Plan, and they were like, oh, well, we think we would do this. We would think we would do that. And I was like, well, you obviously have some kind of Dr. Plan that you've already contemplated. You just need to write that down. So when it comes to it, you guys aren't going to be basically fielding opinions from these different people. Well, I think we should do it this way. We should do it that way. You actually have it written down on paper. So as I was mentioning a minute ago, that if CNA is doing assessments of the organizations that they're insuring, this is something you should consider when you're dealing with your own cyber insurance company. What have you told them about your preparedness? Did they do an assessment or pen test, or did you provide them a copy of one as part of the negotiations? Determine what kind of policy you're going to have. Is there a requirement for you to send them regular reports about how well your organization is doing? Regular vulnerability assessment reports, regular pen test reports? [00:09:54] Speaker A: Actually, that's a question for me. From me. I don't know how cyber insurance operates. If they just do a single point in time assessment, your protections can drift over time both in negative and positive ways. You don't maintain your inventory, you're not updating your security software, you're not getting your patches out there. But on the other hand, you could be improving your security significantly, which should drive down your rates. I wonder what kind of update process they have. [00:10:27] Speaker B: Well, it could be that they're doing it based on your contract. So if you have an annual contract, maybe every year at renewal, they're like, okay, well, we got to do it. A reassessment in order to resign the contract or issue a new contract. [00:10:42] Speaker A: Yeah, they definitely should because they don't do that for my own insurance, although I guess for homes, not much changes. [00:10:51] Speaker B: Well, the thing with that type of insurance, though, if you were to have home insurance. Right. They're going to issue the policy and everything that. But if you go back and you install a security system, you can go back to your insurance company and say, hey, I've installed this, provide evidence, and they can lower your deductible or lower your rate based on the fact that you have that. [00:11:15] Speaker A: But the impetus has to come from you to go to them and say, so it's a push system, not a pull system. [00:11:24] Speaker B: Right. I think different insurance companies are probably going to do this differently because I imagine that at some point, vehicle insurance companies will give you a discount if you put a black box in your car. [00:11:36] Speaker A: Yeah, Allstate does that. I just had a discussion with someone from Allstate the other day, and they pointed out that they were the first company that did that. [00:11:44] Speaker B: Yay. [00:11:47] Speaker A: They're not required yet, though. Yet I'm sure they will be in the future. [00:11:52] Speaker B: Well, maybe they've been touting that for quite some time. But what I'm thinking is that maybe they're going to want to start putting black boxes on people's networks, much like they would in the car, and say, hey, if you do this, then we'll give you a discount. [00:12:06] Speaker A: Yeah. Especially with some of that breach and attack simulation tools out there. Right, exactly where they just tell you they might or might not put their own black box. But yeah, they could tell you, you have to put this simulation tool in, you have to set it up this way, and then you've got to feed us your results. [00:12:24] Speaker B: Right. [00:12:24] Speaker A: Like maybe the dashboards or something. Maybe not. Maybe not all the results because there'd probably be some private issues and privacy issues and revealing too much information, et cetera, et cetera. [00:12:37] Speaker B: Yeah, because I imagine right now, I mean, cyber insurance is still pretty new, so I imagine that some of the smaller insurers are probably just saying, well, give us your sock two, and we will make an assessment based on that or something along those lines, standard cyber reports, to determine what that level is going to be at. But the more mature it gets, the better they become at risk modeling for this business, the more data elements or whatever they're going to start collecting in order to make those determinations. [00:13:14] Speaker A: Yeah, that's where this is going to get really valuable is in five or ten or 15 years when they have enough of a history of data to start predicting who's going to be popped. And you'll see that in the rates or, yeah, we'll give you insurance, but we're going to charge you a million dollars a year. And you're like, wait a second, the average cost of an incident is like 2 million. I'm going to be popped within the next two years. [00:13:37] Speaker B: Yeah, I think a lot of these cyber insurance companies that have been providing cyber insurance to local municipalities that have been hit really hard with ransomware over the last year are probably really rethinking how they're doing this. [00:13:52] Speaker A: Yeah. Be a little unpleasant. [00:13:58] Speaker B: I would imagine. [00:13:59] Speaker A: So. [00:14:01] Speaker B: I'd just be curious to see what kind of conversations those guys are really having about this whole ransomware and cyber insurance stuff that's really taken off relatively recently. We're talking about cyber insurance being new, but cyber insurance paying out for this ransomware stuff is even newer than that. There are probably some really interesting conversations that they're having internally about how they're going to do this going forward. But some of the other things that you should consider about this situation is that they may have gotten what we just talked about. So if the attackers get these reports, then they're going to have a list of who's insured, possibly the weaknesses of that company, and then they may be able to take that information to pivot to the customers from the insurer to know who makes the most sense to attack, because they've got something that you can exploit. You know they're insured, you know what their deductible is. So you have basically a high fidelity indicator that, hey, if we hit these guys, we ransomware, they're going to pay. [00:15:18] Speaker A: I mean, if you extend that into a future incident where they have some sort of black box with one of those breach and attack simulations, you're practically giving them a roadmap on how to get in. That would be interesting. I wonder if there would be lawsuits at that point. [00:15:37] Speaker B: Well, depending on what that black box is, if they throw an attack IQ or some other vendor on there, then that's an appliance. But if they're doing some kind of, hey, we're going to throw this Nessa scanner on your network. We're going to run periodic scans and we're going to take that data. [00:15:52] Speaker A: Yeah, that's a little different. [00:15:54] Speaker B: Yeah, because if they pivot from that insurance company into that Nessa scanner, then you're in real trouble. Right. [00:16:01] Speaker A: I think they would almost certainly do it as a third party at that point, though. I don't think they would directly put their own operated boxes. I think they would do it as a third party. Or you have to have a piece of this type of technology and you have to forward us reports rather than saying, we're going to put our own systems in your network, because I think that'd be a huge liability. [00:16:27] Speaker B: Yeah, probably. But it also could depend on what their IT department is or what their own cybersecurity folks want. Because you know how cybersecurity engineers are. Like, we can build it ourselves and it'll be awesome. You're not wrong. You end up with that kind of thing. You're like, I don't know, is it really going to be that awesome? Have you thought about maintaining it and all that? [00:16:48] Speaker A: That's what's the part that nobody ever thinks about, right? People just want. Nobody wants to maintain it. Maintenance and operations, terrible. Nobody wants to do that. [00:16:55] Speaker B: Well, no. I mean, whenever you go into budget, it's always like, okay, how much does the software cost? They don't go into saying, okay, well, yeah, sure, it costs half a million dollars, but really the expense is much larger than that because you have to have 40% of an employee's time to maintain it. You have to buy this hardware, you have to buy this dedicated storage, et cetera, et cetera. So no one, at least no place I've really been, talks about realty total cost of ownership when they're buying an application. But I guess we kind of gotten off track here a bit, I guess. But something else I was thinking about going through this article is, so you got a cyber insurance company, they're assessing risk of other companies. Are they assessing themselves against that same criteria, saying, oh, if we were to insure ourselves, what would we say about our posture? Are they eating their own dog food? I think that would be an interesting thing to know. I'm not saying we ever will, but it just made me curious about if they're taking their own, and this could actually even help themselves improve those models if they're taking those things and modeling them against themselves and saying, oh, well, if we make these changes, then that reduces our risk so we can change our offerings to our customers. [00:18:18] Speaker A: It's funny you mentioned that because that's also something related that I think insurance companies are going to have some super valuable information on, and that is which security technologies and which detection methods are the best because they're going to be able to take. And again, we discussed this a little bit beforehand because they're not going to share this information. But if we could somehow get all of the information from all the insurance companies on what systems everybody had and what their postures were and what their policies were, and then how, which of them got compromised. I think you could be able to actually pull out best practices from that. Like, if you had this policy or if you were using this vendor, you were 30% less likely. And I get that it's never that simple. There's also the configuration, there's also the coverage. Did you get it installed on every system versus you forgot that one RDP facing system with the four letter password? But I think it'd be really interesting. I think they'd have a lot of information on what is actually best in security. [00:19:24] Speaker B: Yeah, I mean, everything that you're talking about are these data elements that they should be throwing into their risk models if they're running on those huge antiquated mainframes in their basement. [00:19:34] Speaker A: Yeah. The problem is that we're never going to see them. They're going to have this to themselves, and the only way we'll ever find out is if we could ever directly compare quotes, we'd be like, hey, CNA quoted us 50,000, and then the next person, oh, they only quoted us 40,000 this year. Well, yeah, and then again, trying to compare apples to oranges is tough. [00:19:54] Speaker B: Yeah, well, I mean, it could be another profit generating aspect for them, though, to take that data and then spin it off to a security consulting company or something like that and say, oh, well, you guys go out and start consulting with these organizations about how to get them better. And, oh, and by the way, why don't you pitch that they should be insured by us. [00:20:18] Speaker A: Yeah. And then we'll give them better rates if they follow your instructions, too. [00:20:22] Speaker B: Right? [00:20:23] Speaker A: It's interesting. [00:20:24] Speaker B: It's a free market at work. [00:20:25] Speaker A: That would be interesting. [00:20:27] Speaker B: And as we were mentioning before, also that the change of the website and everything, consider preparing for an incident before it happens. Are your backups ready? Do you know how to communicate to your customers if your website is down or your main communication channel is down? Are you doing tabletop exercises in this type of event? [00:20:53] Speaker A: Yeah, that's what we were discussing before. While you're in the middle of your CISO and your CIO are knees deep and trying to respond to this major event, and the systems are shut down, they're trying to get things back up and running, and then the lawyers and the comms team are at their back going, we need to talk to our customers. We need to talk to our customers. None of our mail is working. That is not a distraction you want. [00:21:16] Speaker B: At that time, right. Actually talking about having an enterprise incident response and then having your cybersecurity be a subset of that. Keep them separate. But a security incident is just a type of enterprise incident that impacts the organization differently. [00:21:37] Speaker A: Yeah, I'm sorry, what I meant was, you don't put them on the same bridge. [00:21:41] Speaker B: Oh, right. [00:21:43] Speaker A: You've got the technical people working on the technical problem, and then you've got a separate group of people working on the response from the corporation. How do we announce this? What's our press release look like? What's our legal liability will look like? All that stuff. [00:21:59] Speaker B: Right. Communication path, especially. So the bottom line for this, what should you do about it, is make sure you treat your insurance provider just like you would any other third party, because they're going to know stuff about you that others aren't. So take that in consideration when you're working with them about how they're securing that data, not just trust that, oh, they're doing a great job. No, if they do do an assessment of your organization prior to issuing the policy, you should probably really take that to heart and do the work. If they point out shortcomings, because there's two main reasons to do that. One, they may give you a better rate if you can prove that you've actioned what they said you were falling down on. And two, you'll be ready should someone get that data and try to leverage that against you. We mentioned a moment ago about tabletops. So there are templates and stuff you can get through isaacs, and there are actually third party consulting companies that will run tabletops for you as well, so that you don't necessarily bias your tabletops by building them yourself. [00:23:22] Speaker A: Yeah, and it seems like it's pretty easy there to bring somebody in for a couple of. Run a tabletop for you, and especially if you've never done it before and you have no idea what to do or how to do it, have them come in and demonstrate it for you. Tell them you want them to teach you how to do it. They come in, they run it for you, take good notes, and you can turn around. Run it again in three to six months yourself. Use a template you found online. The hardware stuff doesn't have to exactly match your own. Don't have to spend a ton of time trying to make sure that it's exactly what you guys have. Although your it people will probably complain. It's always something we heard. Well, our systems don't function exactly that way. Shut up. What if they did? You're missing the point. [00:24:04] Speaker B: Yeah, it's close enough for government work, right? [00:24:07] Speaker A: Yeah, I mean, the whole point is to discuss it and put it in mind and figure out what you're going to do ahead of time instead of at the time. [00:24:14] Speaker B: And not only that, it helps you identify what procedures or stuff you're lacking or things you need to address. [00:24:23] Speaker A: Yes. You'll get to that point in your tabletop where you're like, and, all right, and what if this happened? What would we do? Or this just happened, what are you going to do about it? And everybody's going to stare at each other and they're going to be like, I don't know. [00:24:37] Speaker B: Right. I've never thought of that. [00:24:39] Speaker A: You're finding that out ahead of time. Some of these things are easy enough to just, you come into the office on Monday and you say, hey, backups. When was last time we tested the backup? And if the answer was we confirmed it was working last week, like, oh, that's good. That's cool. And now you know. [00:24:56] Speaker B: Yeah. And maybe consider, would those backups be affected by a ransomware? Are those going to be encrypted also? But I think that about does it for that topic. Anything else you can think of, Matt, we should discuss for that one? [00:25:15] Speaker A: No, I think that's enough insurance for one day. [00:25:17] Speaker B: You never have too much insurance. Just ask them, they'll tell you. Next topic we're going to talk about is actually taken from two different articles, both on the exact same incident. So the first one is resentful employee deletes 1200 Microsoft Office 365 accounts, gets prison. That's from bleeping computer. And then there's business. Beware of the vengeful IT contractor. And that's from Bitdefender. So what happened was in 2018, a contractor who'd been dismissed from the company and subsequently fired from the consulting company he was working for used his credentials to log into that customer company and delete over 1200 of 1500 Office 365 accounts. And then he made the mistake of coming back to the US two years later and they nabbed him at the airport. So a little bit of background on exactly what happened here. So this fellow was working for a consulting firm, and they hired him out to one of their customers to help them migrate to what was then Office 365. Now they call it Microsoft 365. And in January of 2018, he was pulled from that contract because the customer said he was doing subpar work. And then in May, I guess, the consulting company finally caught on to the fact that he was basically subpar overall and let him go, after which he then returned to India. And then in August of 2018, which is what, seven months after he was originally let go from the contract, he, quote, unquote, hacked into the customer organization and deleted those accounts. And apparently deleting all those accounts made it so the company could not communicate with its customers or vendors and ended up costing them two days of downtime and over half a million dollars. [00:27:24] Speaker A: Weren't we just talking about something like this? [00:27:28] Speaker B: It does sound familiar. And in addition to those two days of downtime, they ended up dealing with problems from this deleting of those accounts for three months and overall, long lasting problems where employees couldn't get to their contacts. So if you're talking about a sales guy and he loses his contacts, that's a big deal. And some employees could not get to holders that they could access previously. [00:27:57] Speaker A: I don't know. I can think of some sales guys. I wish I would lose my contacts. [00:28:03] Speaker B: Yeah, well, usually you don't end up being on the lucky side of that problem? No, but if you use Lotus notes, those could go away at any time. I'm sure that's better. Why does this matter that this company did this? What can we take away from this? So account management is hard and it's even harder for dealing with contractors versus full time employees. Even if you have an automated system to do identity access management, those are usually tied into HR systems. And a lot of HR systems don't necessarily have contractor information in there so that the identity system can action hires and removals. And sometimes HR is not involved at all in the acquisition of contractors. And because contractors are not treated like employees, it causes gaps in your process. Maybe they don't get a laptop, or maybe their account access is limited, or maybe they only get certain types of accounts. So because there's a difference there in how you handle employees, you may have the employee path down really well, but the contractors, because they deviate from that. You can't simply overlay that same process on a contractor onboarding or offboarding. And you should also consider limiting the access to SaaS solutions. [00:29:44] Speaker A: One of the benefits of SaaS solutions, they usually have better logging than default logging enabled on Prem. [00:29:49] Speaker B: Yeah, but do you get those logs into your sim? [00:29:51] Speaker A: I guess that really depends. Yeah, I was just thinking, one of the things I was thinking about here is the fact that it was office 365. So those logs were probably what the default logging in office three and pretty good. That made it really easy for them to go figure out exactly who deleted all the accounts. If it had been on Prem, especially if he deleted the logs after himself, it may have been a lot more difficult to figure out who specifically did it. [00:30:18] Speaker B: Well, if you're not doing log management, but that's going to a centralized logging facility also. [00:30:25] Speaker A: Yeah, I guess it's hard to tell, but just from the sound of this, they're subpar HR work. I can make a guess they're probably not. Probably not doing much in terms of insider threat then. They only had 1500 people. Companies only have 1500 people. Usually don't have a robust security group. [00:30:45] Speaker B: Yeah, well, security team is probably one guy in the IT department or a couple of guys in the IT department or. It depends on what they do though, because they may only have a small company, but their revenue may be such that they can hire an MSSP to do some of that work and your mileage may vary there. But what you can do in order to hopefully prevent this kind of thing from happening to your organization is sit down with all the stakeholders and actually workflow out your employee and your contractor onboarding and offboarding process. Make sure you have hr there it contracting and or procurement people who are involved in bringing on that employee, getting them access, getting them the devices they need, et cetera. So go sit down with all those stakeholders, and it's probably going to take you a couple of hours to sit down and get everybody in the room and workflow this out. But it'll be well worth it to have that documented, because once you have that documented, then you can ensure that, if nothing else, you ensure that your hiring managers are trained on the process and understand the process and how they fit into it. When you bring on an employee, you should do these things. When you offboard an employee, you should do these things. Same thing for contractors. And if you're lucky enough that your organization can afford to purchase an identity access management solution, then you can take that workflow and you could build it into that. Or if nothing else, you could build it into your ticketing system so that that workflow is in the ticketing system so tasks are generated. And if hiring manager would go and say, hey, I want to hire a contractor, they go into the ticketing system to say, click on that ticket, submit it, and it already has the process to workflow built out in that ticketing workflow. [00:32:58] Speaker A: It seems like that's certainly easy enough to do, at least your manual checklists, even if you don't have the automation built in, especially for a smaller company. Pretty much every ticketing system has the ability to insert like a manual checklist, right? [00:33:12] Speaker B: Yeah. And also you can indicate who's responsible for each one of those checklist items. So if you build out your workflow with swim lanes on it, then that makes it even easier to ensure that gets translated into a process, whether it's manual or automated. [00:33:31] Speaker A: Yes, and that's what I'm looking for, accountability to it. So go back and figure out where it broke down if it fails as. [00:33:39] Speaker B: Well, not necessarily to indicate blame, but how you can improve that step. [00:33:44] Speaker A: Yeah, but that'll help you at least figure out kind of what step did it break down. Why did it break down? Such and such is working on it. They were super busy. They had 50 tickets that day, et cetera, et cetera. [00:33:56] Speaker B: Right. And something else this indicates is that this may not be exactly what happened in this instance, but when you know someone is going to depart the organization, you'd probably put some steps in there to say, all right, when someone submits a two week notice, we're going to do something to increase our monitoring level over those individuals, because you'll have people stockpiling, talking about sales guys. Sales guys will take key information from the organization in order to help them make sales to those people that they built the relationship with at this organization, at their next organization. [00:34:35] Speaker A: That's the main reason to hire a sales guy way. Right. [00:34:38] Speaker B: A lot of these. Well, some people will consider that those types of pieces of information that they have theirs and not necessarily the organizations. Right. So it doesn't necessarily mean that they're malicious, but they may misunderstand the ownership of some data elements that they work with all the time. [00:34:57] Speaker A: I mean, I can understand, like, even from my position, I work on a policy or procedure for weeks or months, and then if I leave, I don't get to take that with me. I can take the experience of doing it, and it'll definitely make it easier to do a second time. [00:35:10] Speaker B: Yeah, well, you could always do. Unfortunately, I don't have the reference for me, but I was working for one organization. They were seriously working on some insider threat stuff, and the insider threat guy was looking at case studies, and there was a chinese fellow who was working for, I want to say it was IBM as a programmer, where he would go to work and he would be programming at work, and then he would go home and he would basically recreate the programming he had done at work. At home. So you could always do that. [00:35:48] Speaker A: I guess that's technically still. [00:35:51] Speaker B: Yeah, because that's really hard to get to catch. [00:35:57] Speaker A: Yeah. [00:35:57] Speaker B: I'm not saying it's ethical or anything, and I don't even know how the guy could do that because I could not recreate a sentence that I wrote at home that I'd written the day before. [00:36:09] Speaker A: It was an espionage thing or was he working two jobs? [00:36:14] Speaker B: I'm not sure. They caught him before they got out of the country because he printed it out on paper and he got caught trying to smuggle it out of the country. [00:36:24] Speaker A: Interesting. Sounds like a security related, though. [00:36:29] Speaker B: I mean, everybody would assume that anything to do with the chinese deals with the government over there, but I can't say for sure this was related to me by the entire threat guy. I didn't read it, so that's why I don't have the reference for you. I can see if I can find it, though. [00:36:48] Speaker A: No worries. [00:36:52] Speaker B: But what else you can do about it? We talked about having an identity access management system, so if you have one of those, that would obviously be ideal over a ticking system or any manual process. So something like a core security that used to be curry on or sailpoint that can automate the processing of onboarding and offboarding so that it happens in an automatic fashion. When you get rid of somebody or when they no longer work for the organization, you don't have to remember to go and do this step, that step, that step, et cetera. [00:37:26] Speaker A: It's interesting. [00:37:27] Speaker B: And some of those, I think I mentioned it before, that some of those systems, if they tie into the HR system and your contractors are not in the HR system, then they're going to get missed by that automated process. So whichever solution you implement, make sure that contractors are taking into consideration when you're deploying that or when you're implementing it or when you're integrating that. And of course, one of the things that also fell down here outside of removing the individual's access is he accessed that organization who was in California, their Microsoft SAS from India. Now, Vero, you should really limit access to SaaS solutions or any as a service solutions if you can, by either region. If all your employees are in the United States, there's no reason that your SaaS solution should be able to be accessed by someplace outside the country or even if you're not having, and this is probably different because of COVID and everybody's working remote force access to that solution only from the corporate IP space. And make sure you have MFA on all of those. And the MFA is part of the offboarding process where you disable their token or you take their physical token from them when they leave the organization. And depending on the SaaS solution, we were talking about logging a minute ago. So Microsoft in M 365 has really good logging and you can get that data into your sim. But a lot of SaaS solutions are not really good with getting that log data. So you can monitor that and look for this kind of activity. So make sure you engage with those providers when you are well, it may be too late, but if you are considering a SaaS provider, make sure you talk to them about what logs they can provide you. Do they tell you who logged in, when they logged in, where they logged in from, and what access they took while they're in there? Because in a SaaS solution you are still responsible for user access and the data that's in that SaaS solution, that's not on the vendor. So you have to protect yourself in those situations. [00:39:51] Speaker A: And you're definitely going to want to do that for the SaaS ones, especially because you will find out very quickly that a lot of them will not keep those logs potentially, or the logs will have to be requested specially. You may not have access to them. Like you said already, a lot of them will not be able to deliver it to your stem, but sometimes it'll be enough just knowing that they have them. And also you'll want to know their retention period. Do they keep it for a couple of days? They keep it for 30 days, especially for some of these insider threat ones. Depending on how destructive they are and how sneaky they are, you may not find out about it for days, weeks, or months. [00:40:28] Speaker B: Yeah. And make sure when you talk to them about that, ask them about your level of access to those laws, because they may say, oh, yeah, we got it. But if they're the only ones looking at it, they're not looking at it because they're not responsible for it. So you have to make sure that you understand, if they have it, are you going to be able to get access to it, whether that's preferably through log shipping to your sim or something like that, or if you have to log in on a regular basis and check something or something along those lines. Any other suggestions, Matt? [00:41:04] Speaker A: No, just that we mostly tend to focus on external. Even with all the talk lately about internal threat and how important it is that you watch your internal users, in my experience, we still are excessively focused on external users. Well, external attackers, external, unauthorized users, and just constantly focused on what they might do to us. And we don't spend nearly enough time looking at the people that already have access to our network. [00:41:35] Speaker B: It's kind of funny when you think about it, though, because when an attacker gets on your network, usually they are using one of your accounts so they look just like they're an insider. [00:41:47] Speaker A: Yes. They're using Powershell, they're using RDP, they're using the same tools your own people are using to go back and forth. So by not looking for insiders, you're basically not looking for attackers once they've compromised his account. [00:42:00] Speaker B: Feel like it ought to have one of those more, you know, stickers on that. [00:42:05] Speaker A: Go find a sound effect. If someone's got the time, add it in. [00:42:10] Speaker B: All right, well, I think that does it for this article then. And this episode, actually. [00:42:18] Speaker A: What? [00:42:19] Speaker B: All right, all good things must come to an end. [00:42:23] Speaker A: All right, well, guess that's all the articles we have for today. Thank you for joining us. Follow us at Sarangetti Sec on Twitter and subscribe on your favorite podcast app.

Other Episodes

Episode 81

October 10, 2022 00:29:18
Episode Cover

SS-NEWS-081: Malicious OAuth Apps and Poor Crypto Returns

Malicious OAuth apps are coming for your Exchange admins!  Oh noes!  Also, Powerpoint gets in the malware delivery game and it turns out that...

Listen

Episode 126

December 06, 2023 00:51:19
Episode Cover

SS-DISC-131: Custom GPT's for Security

This week we did something a little different.  There's been a list of Security GPT's that's been making the rounds, so we tested a...

Listen

Episode 51

March 07, 2022 01:04:42
Episode Cover

SS-BOOK-51: Book Review - Daemon by Daniel Suarez

In this episode we review and discuss a book that was nominated to the Cybersecurity Canon, but not accepted - Daemon by Daniel Suarez....

Listen