Hi All
From your experiences in the field, is this true?
Regards
Caute_cautim
I'd buy that. I once had a Sr. Manager (C-suite) open an email with the subject ILOVEYOU...
d
@dcontesti I can only imagine. I hope it did not have a payload attached to it?
Regards
Caute_cautim
My disagreement is with the use of the word threat. I view insider threat as usually having malicious intent. Maybe that is just my work in the intelligence field creating my bias. I would expect the C-suite to be targeted more, yes, and I see their point in that SOME C-suite executives have a "My way or the highway" type of rule. Cyber security has also been accused of being the other side of the coin: "No way, no how, not going to happen." It is our job to bridge the gap between the need to get business done and to do it in a secure manner. Along this path we often have to educate the C-suite into better ways of doing their jobs (like not clicking on every email!). We also have to learn how to categorize risk appropriately, present the risks adequately and inform the business leaders of the potential ramifications of not taking security seriously or ignoring security to get the job done quicker. Usually if the C-suite wants to continue I just ask them to sign off on a risk acceptance form, showing that they have been made aware of the risks and are OK assuming the acceptance of the risk if it goes bad. This usually either satisfies my requirements or causes them to do some more research into what they were wanting to do.
@Caute_cautim wrote: @dcontesti I can only imagine. I hope it did not have a payload attached to it?
Regards
Caute_cautim
Yes, it had the full payload attached... When asked why he opened it, his answer was "He was curious why someone would send him a note with that subject."
I can say that after this event, he led the charge for Security Awareness for Executives...
Best
d
I didn't see any published criteria referenced in the article to support the conclusion, just an argument stated as fact because the author says so.
My perspective would be to use a common criterion based on damage. A weighted average of initial monies lost, reputation loss, and monies and reputation over time, comparing the C-suite to 'all others', would be a better metric. I know I have seen far more minor losses over time by clerks and analysts that don't make headlines but can lead to a death by a thousand cuts. Whereas an executive may, well intentionally, wire transfer $250,000 to the Bahamas. Naturally, the exec gets a great deal of attention while the small incidents are soon forgotten. Well, until review time, of course.
A good, well-meaning article, but one lacking criteria to back it up. If there are such criteria, just tell me and I will go back and reread.
Thanks,
b/eads
Considering that we are talking about Insider Threat, it would mean people with malicious intent to cause harm. Describing the C-suite as a threat is, in my opinion, stretching the truth a bit far.
Are they a vulnerability? Absolutely. They seem to be targeted more. Attackers tend to spend more time and resources when targeting them. Yes, they do end up clicking the wrong link or opening the wrong attachment, but they also get a large number of emails.
They are a big vulnerability since the impact of their account compromise is big.
Guess which is the other group, almost universally, who tend to be clicker heroes? IT guys. Oh, the irony.
What can we do? More awareness and enforcing least privilege / need to know. Perhaps that can mitigate this problem a little bit.
@CISOScott wrote: My disagreement is with the use of the word threat. I view insider threat as usually having malicious intent. Maybe that is just my work in the intelligence field creating my bias. I would expect the C-suite to be targeted more, yes, and I see their point in that SOME C-suite executives have a "My way or the highway" type of rule. Cyber security has also been accused of being the other side of the coin: "No way, no how, not going to happen." It is our job to bridge the gap between the need to get business done and to do it in a secure manner. Along this path we often have to educate the C-suite into better ways of doing their jobs (like not clicking on every email!). We also have to learn how to categorize risk appropriately, present the risks adequately and inform the business leaders of the potential ramifications of not taking security seriously or ignoring security to get the job done quicker. Usually if the C-suite wants to continue I just ask them to sign off on a risk acceptance form, showing that they have been made aware of the risks and are OK assuming the acceptance of the risk if it goes bad. This usually either satisfies my requirements or causes them to do some more research into what they were wanting to do.
So on initial reading I agree that "threat" may not be the correct word, and I am not sure what the right one is.
However, I have always broken "Insider Threat" down into malicious users, compromised users and, last but not least, careless users. I consider the C-suite users referred to here as careless users.
Just my thoughts
d
@CISOScott wrote: My disagreement is with the use of the word threat. I view insider threat as usually having malicious intent. Maybe that is just my work in the intelligence field creating my bias. [...] This usually either satisfies my requirements or causes them to do some more research into what they were wanting to do.
Kenneth's interpretation of the word threat, along with subsequent comments in this thread, illustrates an issue we see repeatedly in INFOSEC: tight definitions of key words must always be provided in the context of usage.
For those of us who have worked in the area of risk management, threat is used without any pejorative implication of motivation or intent. The best example can be found in continuity of operations planning (COOP) and business continuity planning (BCP). Major weather events such as thunderstorms, tornadoes, hurricanes, and floods are all threats, but none of those events are malicious. They just are.
The potential for misunderstanding the use of the term threat, as illustrated here, is why my risk taxonomy separates the concepts into two terms: threat and threat actor. Phishing e-mails are threats. People who intentionally send phishing mails are threat actors. My best real-world story on contextual definitions is when two mid-level managers got into a screaming match when they actually agreed with each other on firewall traffic policies. One was thinking of the TCP/IP stack definition of protocol, and the other was considering protocol in the looser usage in the naming of such things as ftp and http.
To further extend this definition of threat, we need to address a specific insider threat concept, that of malicious and non-malicious intentional acts by insiders, the subject of my dissertation research. We know that users will intentionally violate selected security rules with no malicious intent when doing so assists them in getting their primary jobs done. You can see me pontificate on this aspect in my 25-minute presentation, "Why don't they follow the rules? Maybe it's the boss's fault!"
Craig