Weekly Video: December 19, 2022
12–19–2022 (Monday)
Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams.
I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io
Today is Monday December 19th and this week’s One Big Thing is insider threats.
Let’s jump in.
Insider Threats Have Evolved, Defenses…Haven’t
A recent conviction for unauthorized access, in this case in service of an adversarial nation state, by a Twitter insider.
Last week, a former Twitter employee was sentenced to 42 months in federal prison for his role in “accessing, monitoring, and conveying confidential and sensitive information” to the Saudi Royal Family and the Kingdom of Saudi Arabia.
Notably, he did this from his role as a Media Partnerships Manager for the Middle East and North Africa region - meaning it should’ve been pretty straightforward to define the data he would and wouldn’t need to perform his role.
We learned from the testimony of their CISO, Mudge, in his whistleblower report to Congress that not only were internal controls severely lacking, but access to sensitive systems and data was overly broad, not based on a business need, and certainly not following the principle of least privilege - giving users only the access they need to complete tasks specific to their role.
Specific details included allowing employees to install software on their laptops (including spyware), not taking action on the thousands of daily failed login attempts against Twitter’s engineering systems, and allowing more than 5,000 employees privileged access to production systems.
The report - delivered to Congress - includes the quote “Every new employee has access to data they do not need to have access to.”
All of this increases risk to the business.
There’s an additional wrinkle to the story here, as well. As was the case with Twitter, insiders can be coopted by threat actors with financial incentives. Particularly this year, and particularly this time of year, we’re facing an acutely elevated threat that’s likely not getting enough attention in the board room.
There’s no question that costs - particularly consumer costs - have risen dramatically. While gas prices may be temporarily back to something that resembles “normal,” many employees, even white-collar tech workers, are feeling the pinch.
For some, valuation drops mean their stock options are now underwater, and their equity-heavy compensation packages aren’t going to pan out.
For others, it’s tough to make ends meet and the holidays only add stress.
Add the threat of layoffs, or the fact that many companies are dialing back or outright eliminating end-of-year bonuses (despite strong performance as a firm), and you’ve got a recipe where insider threats are essentially on sale.
Employees who would have never considered doing something like this in the past may now be vulnerable. An envelope with ten or twenty thousand dollars in it can buy a lot of access.
So, in response to this, it’s imperative that companies deploy both technology and policy/procedures to prevent and detect this type of activity.
What would this look like?
From a prevention perspective:
Least Privilege. It’s best practice for a reason to limit access by default, and only expand access (to systems or data) when there’s a justified business need.
Dual Control, Separation of Duties, or Rotational Responsibility. These are more common in the financial world, where at least once a year a person in a critical position takes a mandatory vacation long enough that someone else must process a payroll cycle or some other recurring activity that is critical to the organization.
From a detection perspective:
Anomalous Activity:
A user looking at something they shouldn’t look at, or have never looked at before.
A significant amount of access compared to the user’s normal “pattern of life” activity (particularly data being gathered or saved to a single location).
Exfiltration (to a USB stick, by email, to a cloud sharing service like OneDrive, etc.).
Even just having telemetry on these types of activities is a tall order for many organizations, but it’s critical if you’re hoping to be able to identify this type of activity - during or after it occurs.
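To make the three detection signals above concrete, here is an added example (not from the video or from Twitter’s own tooling) that runs them over a constructed access log: a per-user baseline of resources normally touched and average daily access count, then flags on a review day any never-before-seen resource, any use of an exfiltration channel, and any volume spike. The user names, resource names, action names and the 3x threshold are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Exfiltration channels named in the post; any use on the review day is flagged.
EXFIL_ACTIONS = {"usb_copy", "email_external", "cloud_upload"}
VOLUME_MULTIPLIER = 3  # assumed: flag when review-day volume > 3x the daily baseline

# Constructed sample log as (day, user, action, resource). Days 1-7 are the
# baseline; day 8 is under review. "mpm" is a hypothetical partnerships manager
# who suddenly pulls user PII and copies it to USB; "eng" behaves normally.
SAMPLE_EVENTS = (
    [(d, "mpm", "read", "partner_contacts") for d in range(1, 8)]
    + [(d, "mpm", "read", "campaign_stats") for d in range(1, 8)]
    + [(8, "mpm", "read", "partner_contacts"), (8, "mpm", "read", "campaign_stats")]
    + [(8, "mpm", "read", "user_pii_lookup")] * 5
    + [(8, "mpm", "usb_copy", "user_pii_lookup")]
    + [(d, "eng", "read", "deploy_logs") for d in range(1, 9)]
)

def build_baseline(events, review_day):
    """Pattern of life per user from days before review_day: the set of
    resources normally accessed and the average number of accesses per day."""
    seen = defaultdict(set)
    daily = defaultdict(Counter)
    for day, user, _action, resource in events:
        if day < review_day:
            seen[user].add(resource)
            daily[user][day] += 1
    avg = {u: sum(c.values()) / len(c) for u, c in daily.items()}
    return seen, avg

def detect_anomalies(events, review_day):
    """Return sorted (user, signal, detail) alerts for the review day."""
    seen, avg = build_baseline(events, review_day)
    alerts, todays = set(), Counter()
    for day, user, action, resource in events:
        if day != review_day:
            continue
        todays[user] += 1
        if resource not in seen.get(user, set()):   # never looked at before
            alerts.add((user, "new_resource", resource))
        if action in EXFIL_ACTIONS:                  # exfiltration channel
            alerts.add((user, "exfil_channel", action))
    for user, n in todays.items():                   # volume vs pattern of life
        if user in avg and n > VOLUME_MULTIPLIER * avg[user]:
            alerts.add((user, "volume_spike", f"{n} vs avg {avg[user]:.1f}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_EVENTS, review_day=8):
        print(*alert)
```

The point is less the thresholds than the prerequisite: none of this works without per-user access telemetry retained long enough to build a baseline.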
While it’s not always a comfortable lens to look at your employees as a risk or threat vector, companies that fail to do this will continue to pay the price.
Update: Rackspace’s Ransomware Incident
Still down. Rackspace is hoping to eventually make some .PST files available for customers to download, which still isn’t exactly “restoration of the service.”
Fundraising
From a fundraising perspective, last week was surprisingly light, totaling just about $4B in new fund announcements.
We may see a couple end-of-year items trickle in, but my hunch is that the next two weeks are going to end pretty quietly.
You can find details on the stories above in the links below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.
Links