topic How true is this? Greatest Insider Threat is the C-Suite> in Industry News

How true is this? Greatest Insider Threat is the C-Suite>

Caute_cautim — Mon, 09 Oct 2023 09:33:08 GMT

Hi All

From your experiences in the field? Is this true?

https://www.forbes.com/sites/louiscolumbus/2020/05/29/cybersecuritys-greatest-insider-threat-is-in-the-c-suite/#4cd3e357626f

Regards

Caute_cautim

Re: How true is this? Greatest Insider Threat is the C-Suite>

dcontesti — Mon, 15 Jun 2020 05:30:00 GMT

I'd buy that. I once had a Sr. Manager (C-suite) open an email with the subject ILOVEYOU.......

Re: How true is this? Greatest Insider Threat is the C-Suite>

Caute_cautim — Mon, 15 Jun 2020 05:46:26 GMT

@dcontesti I can only imagine, I hope it did not have a payload attached to it??

Regards

Caute_cautim

Re: How true is this? Greatest Insider Threat is the C-Suite>

denbesten — Mon, 15 Jun 2020 12:07:08 GMT

I had the same thing happen. @Caute_cautim, the reference is to this.

Re: How true is this? Greatest Insider Threat is the C-Suite>

CISOScott — Mon, 15 Jun 2020 15:01:50 GMT

My disagreement is with the use of the word threat. I view insider threat as usually having malicious intent. Maybe that is just my work in the intelligence field creating my bias. I would expect the C-suite to be targeted more, yes, and I see their point in that SOME C-suite executives have a "My way or the highway" type of rule. Cyber security has also been accused of being the other side of the coin being "No way, no how, not going to happen." It is our job to bridge the gap between the need to get business done and to do it in a secure manner. Along this path we often have to educate the c-Suite into better ways of doing their jobs (like not clicking on every email!). We also have to learn how to categorize risk appropriately, present the risks adequately and inform the business leaders of the potential ramifications of not taking security seriously or ignoring security to get the job done quicker. Usually if the c-suite wants to continue I just ask them to sign off on a risk acceptance form, showing that they have been made aware of the risks and are OK assuming the acceptance of the risk if it goes bad. This usually either satisfies my requirements or causes them to do some more research into what they were wanting to do.

Re: How true is this? Greatest Insider Threat is the C-Suite>

dcontesti — Mon, 15 Jun 2020 18:15:51 GMT

@Caute_cautim wrote:
@dcontesti I can only imagine, I hope it did not have a payload attached to it??

Regards

Caute_cautim

Yes it had the full payload attached.....when asked why he opened it, his answer "He was curious why someone would send him a note with that subject."

I can say that after this event, he led the charge for Security Awareness for Executives.....

Best

Re: How true is this? Greatest Insider Threat is the C-Suite>

Beads — Mon, 15 Jun 2020 18:18:38 GMT

Didn't see a publish criteria referenced in the article to support the conclusion just an argument stated as fact because the author says so.

My perspective would be to use a common criteria based on damage. A weighted average of initial monies lost, reputation loss and monies and reputation over time comparing the C-suite compared to 'all others' would be a better metric. I know I have seen far more minor losses over time by clerks and analysts that don't make headlines but can lead to a death by a thousand cuts. Where an executive may, well intentionally wire transfer 250,000 dollars to the Bahamas. Naturally, the exec gets a great deal of attention while the small incidents are soon forgotten. Well, until review time, of course.

A good, well meaning article but one lacking criteria to back it up. If there is such, just tell me and I will go back and reread.

Thanks,

b/eads

Re: How true is this? Greatest Insider Threat is the C-Suite>

sanjeev41924 — Mon, 15 Jun 2020 18:24:19 GMT

Considering that we are talking about Insider Threat, it would mean people with malicious intent to case harm. Describing C-Suite as a threat is, n my opinion, stretching truth a bit far.

Are they a vulnerability? Absolutely. They seem to be targeted more. Attackers tend to spend more time and resources when targeting them. Yes, they do end up clicking the wrong link or opening the wrong attachment but they also get a large number of emails.

They are a big vulnerability since the impact of their account compromise is big.

Guess which is the other group, almost universally, who tend to be clicker heroes? IT guys. Oh! the irony.

What can we do? More awareness and enforcing least privilege/ need to know. Perhaps that can mitigate this problem a little bit.

Re: How true is this? Greatest Insider Threat is the C-Suite>

dcontesti — Mon, 15 Jun 2020 18:28:35 GMT

@CISOScott wrote:
My disagreement is with the use of the word threat. I view insider threat as usually having malicious intent. Maybe that is just my work in the intelligence field creating my bias. I would expect the C-suite to be targeted more, yes, and I see their point in that SOME C-suite executives have a "My way or the highway" type of rule. Cyber security has also been accused of being the other side of the coin being "No way, no how, not going to happen." It is our job to bridge the gap between the need to get business done and to do it in a secure manner. Along this path we often have to educate the c-Suite into better ways of doing their jobs (like not clicking on every email!). We also have to learn how to categorize risk appropriately, present the risks adequately and inform the business leaders of the potential ramifications of not taking security seriously or ignoring security to get the job done quicker. Usually if the c-suite wants to continue I just ask them to sign off on a risk acceptance form, showing that they have been made aware of the risks and are OK assuming the acceptance of the risk if it goes bad. This usually either satisfies my requirements or causes them to do some more research into what they were wanting to do.

So on initial reading I agree that Threat may not be the correct word and not sure what the right one is.

However, I have always broken "Insider Threat" down as malicious user, compromised users and last but not least Careless users. I consider the C-Suite users referred to as being careless users.

Just my thoughts

Re: How true is this? Greatest Insider Threat is the C-Suite>

CraginS — Mon, 15 Jun 2020 21:26:25 GMT

@CISOScott wrote:
My disagreement is with the use of the word threat. I view insider threat as usually having malicious intent. Maybe that is just my work in the intelligence field creating my bias. uses them to do some more research into what they were wanting to do.

Kenneth's interpretation of the word threat, along with subsequent comments in this thread, illustrate an issue we see repeatedly in INFOSEC: tight definitions of key words must always be provided in the context of usage.

For those of us who have worked in the area of risk management, threat is used without any pejorative implication of motivation or intent. The best example can be found in continuity of operations planning (COOP) and business continuity planning (BCP). Major weather events such as thunderstorms, tornadoes, hurricanes, and floods are all threats, but none of those events are malicious. They just are.

The potential for misunderstanding the use of the term threat as illustrated here is why my risk taxonomy separates concepts into two terms: threat and threat actor. Phishing e-mails are threats. People who intentionally send phishing mails are threat actors. My best real world story on contextual definitions is when two mid-level managers got into a screaming match when they actually agreed with each other on firewall traffic policies. One was thinking of the TCP/IP stack definition of protocol, and the other was considering protocol in the looser usage in naming of such as ftp and http.

To further extend this definition of threat we need to address a specific insider threat concept, that of malicious and non-malicious intentional acts by insiders, the subject of my dissertation research. We know that users will intentionally violate selected security rules with no malicious intent, when doing so assists them in getting their primary jobs done. You can see me pontificate on this aspect in my 25 minute presentation, "Why don't they follow the rules? Maybe its the boss's fault!"

Craig

Re: How true is this? Greatest Insider Threat is the C-Suite>

CISOScott — Tue, 16 Jun 2020 11:08:49 GMT

Craig,

Thanks for putting it so eloquently. To me when I hear the word threat, it indicates an immediate response is required where a risk or vulnerability we have time to remediate or lessen the impact. If I have an active insider threat, I need to be monitoring, auditing, intervening, and actively trying to shut it down. If it is just an uninformed executive who might click on a phishing email, then I have time to ensure my user education is improved, to install an anti-phishing product, to have a one-on-one security briefing, etc. Where I live, a hurricane is a threat, but not in November through April, and only when there is a named storm. Which then we usually have days to weeks to prepare. Any user is a threat to do something bad, whether malicious or not, to me an insider threat is something requiring an immediate response. Perhaps insider risk would be a better title.....

Re: How true is this? Greatest Insider Threat is the C-Suite>

Shannon — Tue, 16 Jun 2020 20:50:50 GMT

One of the reasons I got into this field is that I was appalled by how lightly security would often be taken in organizations I was with before.

2 examples from a single organization, where I was working as a system admin: -

1) A director had a dedicated WiFi channel with full intranet access & unrestricted internet access, of which he'd tend to share the WPA key with whoever visited him --- it would never be changed!

2) The GM once called me to check an issue on his Mac; while I was at it, he excused himself to grab his lunch --- leaving me with full access to his laptop, with the emails & all the info there. (Worse, he didn't bother to log off)

(Most ironic was that this organization got itself certified in ISMS)

Anyways, back to these examples, while I see anything that may compromise IT Security as a threat --- be it malicious or not --- we might consider these as vulnerabilities that have been created, & could potentially be exploited. In the case of 1, an outsider could get access to the internal network to launch an attack or carry out reconnaissance; with 2, the GM's system could be used to send out fake emails, or there may be data leakage / theft.

So the parties that have malicious intentions and take advantage of these vulnerabilities could be seen as the threat actors, rather than the executives themselves.

What's your view on all this?