Lessons Learned from Snowden’s former NSA boss: Strategies to protect your data
Abstract:
Internal vulnerabilities cannot be ignored. Employees have access, inside knowledge, and from time to time, if disgruntled, may be motivated to do significant damage to the organizations they support. As a trusted and cleared contractor at NSA, Snowden extracted millions of top secret documents and released them to the world.
In this presentation you will hear the inside story of the Snowden affair from his former boss, Steven Bay, and the lessons we learn from it from a cybersecurity perspective. You will develop a better understanding of who insiders are, why they do what they do, and strategies you can deploy to better protect your organization.
Want more tech news? Subscribe to ComputingEdge Newsletter Today!
Transcript:
Amir Draquez Good day and welcome to the IEEE Computer Society’s presentation on lessons learned from Snowden’s former NSA boss strategies to protect your data by Steven Bay. My name is Amir Draquez and I’ll be moderating today’s presentation. But before we get started, I’d like to mention a few housekeeping items. You will be able to personalize and enlarge the screen. You can enlarge any tab to its full size by dragging from the bottom right corner, or by clicking the green button on the top, right? You can access more information or hide the current tabs using the icons at the bottom of the screen, you can control the volume and playback on the screen of your computer. With the media player on the side, left left side of the presentation window. You may also need to adjust the massive volume of your computer. At the end of our presentation, we will have time for questions and as questions occur to you, please type them into the box provided on the left hand, press the submit, but you do not need to wait until the end of our presentation.
If you experienced any audio or visual difficulties, please click on the help icon located on the bottom of your screen. If you’re not able to resolve the issue, please submit the comment by using the Q and a box. A representative will respond. Now, I would like to introduce our speaker for today’s webinar. Steven Bay is the director of security, operations and threat intelligence at security on demand. With over 15 years in cyber security, his career has spanned government enterprise and consulting services for a majority of his career. He served as an analyst supporting the NSA via the us air force and Booz Allen Hamilton. While at Booz Allen, he served as Edward Snowden’s boss, just prior to Snowden’s flight from the United States. Following his time, supporting the agency, he designed and implemented information security programs for fortune 500 companies and served as CIS. He holds an MBA from Thunderbird school of global management and an ma in international relations from Webster university, ladies and gentlemen, Steven Bay.
Steven Bay Thank you, Amir. And I am thrilled to be here today and to be able to share some of my thoughts and my experiences and hopefully some some good things you can take away with you back to your organization to help detect insider threats. As mentioned, I was Snowden’s boss when everything kind of went down. So I’ve been intimately involved in insider threat incidents and events, and arguably perhaps the biggest insider threat in U S history to some extent. And so there’s a lot of things we can learn a lot of great application that we can take back to our organizations. So we’re going to start out today by talking about insider and really defining what they are and who they are. So the way we’ve mapped out insider threats, there’s, we’ve got five profiles of insiders. You’ve got your disgruntled employees, your spies, your espionage folks there who are those who are fraudsters.
You have your ignorant kind of careless employees and departing employees the first through your disgruntled spice and fraudsters. Those are your malicious insiders. And I think when most people think of insider threats, it kind of fits in that realm and that domain, your disgruntled employees, or those who have some reason to be angry or upset with your organization, whether it’s you know, maybe they got passed over for a promotion. They have a manager or a boss or somebody that they’re not very keen on that has treated them poorly, or they feel wronged in some way. Now it’s important to note, if we talk about disgruntled insider threats and really the insider it’s a whole is insider threats are not necessarily in and of themselves, a cyber security domain, at least it’s certainly at a corporate level and organizational level minimizing risk of insider threats under the CSO or within cyber security.
There are a significant element to it and an important part of it, but really insider threats should sit at the HR level where, because it’s an issue of people and it’s an issue of motivation and insider threats. Also, aren’t just a data loss issue. You also have a very real physical threat for example, a little over a year ago. So YouTube had an active shooter issue on campus where it was an employee who caused a physical threat and harm to them, to other employees on their campus. And this suggests that insider threats are, again, are at, are not just, you know, data loss or cyber security or hacking because very real physical security elements. So it’s important to know that as you, as an organization build your insider threat programs, that it’s kept at a higher level than just it and information security, and that will help really drive an effective for you.
So your disgruntled employees are those again, are those that serve as a physical cybersecurity and they really have some sort of motivation for why they’re angry, why they’re disappointed, why they’re going to do what they do, your spies or espionage. This is something that we continue to see a lot of. In fact, just in the last year, there’ve been numerous reports out there of individuals in the United States getting arrested due to stealing intellectual property on behalf of China in particular, but other countries as well. In fact, in one case the individual that was arrested, it was only about two or three months away from moving to China, themselves and setting up based the same company in China that he would then run and own and build, right? And so this is a very big intellectual property. Theft is one of the primary ways in which China in particular big and other countries have built their economy and, and really close the gap with the United States costing us companies, billions dollars annually.
So is there, they’re really seeking intellectual property, your R and D they’re also there to for intelligence, right? So a lot of there are espionage issues too, where you’re not just intellectual property, but there’s infiltration of where employees may be recruited by foreign intelligence service, or maybe planted from a foreign intelligence service to develop intelligence, whether it’s on a company or within the government or some other organization as well. The next categorization is your fraudster. People who are driven by greed, antral difficulties, basically they’re doing it for the money, right? So these are insiders that are there to steal money from you. and in some cases is your blue falling on hard times, maybe they are having financial difficulties at home. Having a hard time making ends meet their home is on the verge of getting foreclosed. Maybe they’ve got huge gambling debts, you name it right?
Other times people may have lots of money, but they’re just really greedy. And they think that they deserve more or want more. So these folks look for ways to be able to steal any from your organization. the next one is a group that I think most of us, I don’t want to say overlook, especially in cybersecurity, but I see here, the data breaches occur because of your trusted employees. This is all of us. These are people who have no malicious intent. We’re not in your organization, did you harm, but maybe we’re not, we’re not bank paying attention or we’re not trained well enough or whatever reason. But when that email comes in, that is a fake email that looks legitimate. And we click that email and we infect our networks or systems, or cause since we’re a data for each that’s, we’re technically an insider threat in that regard, we’re the ones enabling that data breaching and in the 2017 Verizon DB report up to 66% of data breach has occurred as a result of phishing or other traffic types of social engineering.
And so it’s important for organizations to really look at how they do training and awareness events for their organization to ensure that their employees are trained on how do we, how do I detect and understand and differentiate phishing emails. And we’ll talk about this a little bit later in the, in the presentation, you’ve also have your departing employees, your departing employees, you’re often overlooked, right? These are people and most organizations are concerned about departing employees, of course, but these folks are insider threats because they’re, they’re really potentially stealing data. And there is a small physical security threat from departing employees as well, depending on how, if they were fired, if they fill in kind of like the disgruntled that they felt like they’ve been wrong, you do have that threat as well. But for the most part, your department, employee, people who are taking data from the organization to give them a leg up in their, in their new role, you take a sales person, he’s going to a competing company and maybe they take their sales list and the contact list and a little bit of intellectual property to take to their job, to give them a leg up your developer, who does, who develops code or, or programs or products.
It feels like a lot of other unique developed and the code they developed really belongs to somebody and they start to take that with them. Well, that’s all data loss and that all costs the company money and potentially causes them to lose market, share to competitors when those things are used against them. And so we want to have policies in place and procedures in place to minimize the likelihood of those things occurring. Now, where does Snowden fit in all of this will Edwards snow, Tim really straddles that line between disgruntled and spy. Now the spy piece is a little less definitive, right? There’s an element of, could we classify him in the espionage piece based upon what he later did by releasing all that data out to the public, through the media and foreign countries, grabbing that information, secret data, and then using that for their operations or to better understand a threat.
So that could kind of fit him in the espionage area as well, but certainly he was in the disgruntled space, but those of you who weren’t as familiar with this to know the story, you know, it’s not his stated motivation for what he did centered around. the things that he saw during his time at each, that he believed were obscene is perpetrated by the U S government against the American people. In that claiming that the United States government was fighting. I was watching leaning on America. He said he felt his duty duty, his disability to reveal and make it known to the American people. whether you know, that these abuses were occurring. And so he became very disenfranchised with NSA, with U S government intelligence, operations, and procedures, et cetera. So he definitely fits in that disgruntled space. And let me tell you a little bit about my story and it’s Snowden as an insider threat.
So we’re going to dive into now is just my experience with Snowden and give you some background on what happened with me and and how all of that went down. So I met Snowden in February or late January, early February of 2013. And these dates are really interesting to me because they show how quickly something can unravel, right? So Noden fed to Han on millions and he revealed to the world that, that same year, and I didn’t even meet him until end of January early February. And I had a few open positions. And then we did the job interview. Edward was employee referral of mine. One of my, one of my employees had given him, had met him, had worked with him as Edward at leading into this, with this distance administrator. This is another other important to conception is that Snowden was not intelligent salads.
He had never been intelligence analyst during his time at CIA or NSA until he joined the team at NSA. And he was a contractor doing systems administrative work. And so there was separation of duties. He never actually was trained or really had a hands on experience with intelligence, which I think caused some of the MIS miscommunication. Some of what I view as as he gave context to the things that he’s still in his releases he really kinda misinformed or misinterpreted what these things meant and what NSA was doing with the programs he revealed. So I think that’s an interesting point is that he never, he was never an intelligence analyst prior to coming to my team, despite the fact he’d begun planning to do what he’d quite a long time. In fact, he has admitted that he targeted my position and was coached for the resume.
So he definitely knew what position he wanted to get. He wanted. He knew that the position that I had open would give him access to the type of data he was looking for and so on and so forth. So in the interview, we had a really interesting conversation. Both me and my technical director came away quite impressed with his technical capacity. You know, we were really looking for three primary skillsets. We were looking for somebody who had the talk secret security clearance at the full scope polygraph which, so we could just get them in quickly and process everything. We were looking for. Somebody with really strong technical skills understood the internet and network technologies understands, hacking, understood the foreign cyber threat, right? How did the Chinese hack versus the Russians versus Iranians versus other groups, right? It could at least speak somewhat intelligently on that.
Speaker 0 00:12:51 And that wasn’t a critical element, but certainly understanding the technology behind all of the cybersecurity risks that are out there was really important. And the third requirement we had was that we needed them to be an intelligence analyst and have experience in that regard. So when we come to conclude the interview, it was pretty evident that he was, he didn’t have that Intel analysis experience, but I’d ask some questions to try to gauge his analytic capability. Could he, how does he do it putting different pieces of the puzzle together? Does he, what kind of questions does he ask? And he seemed to be really well that pressed us with the technical capacity. And there’ve been a lot of people who tried to denigrate Ed’s technical expertise in the past, which I think is, is an a kind of a mystery to us. I think to really understand Snowden, we need understand that he really was technical.
He was an expert in internet anonymization. He was very good on and ran a couple of tour nodes out of his house. If you’re familiar with tore the anonymization tool, even claim to know a couple zero day vulnerabilities within chore. So we really felt strongly that despite him not having intelligence analysts experience that he would be a good fit on the team to come in and work with our cybersecurity partners to help develop intelligence. And so we went through that process of hiring him. He later joined our team on April 1st of 2013. so the first two weeks of employment with us, he actually flipped to Maryland and he spent two weeks in Maryland at NSA headquarters doing training after two weeks there, he came back and he joined us in Hawaii. And so it was really only about a month and maybe a week that he, that I was actually, I actually worked with him closely before he fled the country about a week and a half, maybe two weeks after starting with us.
He came, he said, Hey, Steve I need to let you know that I’ve got epilepsy. And the epilepsy is not the kind of epilepsy where I dropped down as having seizures or anything like that. It’s, it’s more, I just kind of blackout and I’ve had it under control for quite a long time, but for whatever reason, the last couple of weeks it’s really been flaring up and starting to worry me. So just so you know, I’m going to have to occasionally miss work a few times or come in late for medical appointments, you know, being the manager and want to take care of him. You know, I expressed my support, my sympathy. So you’ll take the time you need, let’s make sure you’re taken care of. And so this is one of the first lessons we learned about insider threats is I’ve looked back at my experience with Snowden is that insiders in order to often do what they do, especially if they work in a kind of an open environment like we have at the agency, need to figure out ways to change their behaviors and their patterns.
Speaker 0 00:15:18 Now, I don’t know, it’s not an actually has epilepsy. He may, and it mentions it in the movie that he has epilepsy. So maybe he really does, but it certainly wasn’t impacting him at that time, the way that he claimed it was. And so what he had done is he used these medical appointments as his way to be able to download data, right? So if he had a medical appointment starting at 9:00 AM, that would know, maybe take an hour or two. And it was probably down in Honolulu. It was about a 40 minute drive getting back up to our facility. He gets up there to say, starts work at noon that allows him to get a full working and he can work till eight or eight 30. And really after five 30 or six, it’s kind of a ghost town in there, right? There’s not very many people there just like any other workspace in the world.
And so it really gave him about an hour and a half, maybe two to two hours, even up to three hours, depending on the day to be there more or less by himself without having prying eyes and without people asking questions, which then afforded him the ability to download, to plug in some drives and download all that data. How did he plug the thumb drive in, in the middle of the Workday with people sitting all around, somebody would have noticed and called them out on it. And there would’ve been a pretty significant security impacts there, right? And so what he had done is he uses epilepsy as the excuse to be able to change his work habits, change his work times in order to do what he did as we get closer to him leaving about the weekend before he left. after a couple of weeks of this, he came to me again and he said, Hey, Steve, the epilepsy just keeps getting worse.
The doctors are really confused as why. And they want me to come in all day, Monday and Tuesday of next week to for medical tests and those medical tests go bad. I’m going to have to take some time off of work. and they’re not gonna let me drive and they’re not gonna let me come into work. And so I get, again, I gave him my support, you know, I hope it all works out. We’d hate to lose you. And he even expressed sympathy or, or I guess sorrow that so to speak as being kind of a new employee. So he kinda said, you know, I, I, I know that I’m a new employee and it always stinks the new employees cause these kind of problems. I really apologize about that. And, you know, he was, he was aware of what he was doing and the impact it was going to have on us.
And so that Sunday after we, we later learned was the day that he flew to Hong Kong. And then Tuesday night after his two days of quote medical tests, he emailed me and he said, Steve medical tests went really bad. I’m going to, you know, I’m going to have to take time off before. Can I should mention before that, that, you know on that front Friday when we were, and one thing I did say is, Hey, if you do need to take time off work, let’s make sure we get in touch with you, get in touch with HR and get the paperwork going for short term disability. Let’s make sure you get taken care of and get the money you need deserve. And the only, this is the only weird thing he ever said, they kind of made me raise an eyebrow, but it wasn’t the kind of eyebrow raising or anything that would cause me to make a logical leap from what he says to he’s going to steal millions of documents and flew to Hong Kong and released them out to the world, right?
What are you done? What he said was, you know, Oh, well, you know, I’ve had this problem for a long time. I’ve missed work on it. I’ve got a big, big nest egg saved up already in savings. I’m just going to go on, leave without pay. I really don’t want to deal with short term disability. You know, all of that bureaucracy. I said, well, you know, it’s not really that much work. It’s pretty easy, pretty quick process, a little bit of paperwork. And you know, you’re, you’re leaving free money on the table, right. You said, we’ll even sell, you know, it’s just kind of how I feel. It’s like, all right, well, whatever you want, that’s fine. So when he emailed me on Tuesday night and said that the test went bad, they didn’t have to take time off work. I replied and said, you know, I’m sorry to hear that I had to get better soon.
You know, we’re here to support you, let me know what I can do. And please get in. Let’s get in touch with HR and get you that short term disability on Wednesday night, he emailed me back and he said, thanks, Steve. I really appreciate that. I’ll get in touch with HR. I’ll talk to you later. And that was the last time I ever heard from him. So over the next couple of weeks ed or ed obviously didn’t respond to any of my phone calls and my emails. I checked it out a few times. He hadn’t given me any information on, in terms of paperwork or doctor’s notes or anything I could use to get the short term disability going for him since he wasn’t taking care of it. And time sheets were coming due at the end of the month. Right. And May 31st. So as that, the end of the month came, I contacted my boss out in Georgia and said, Hey, Snowden, isn’t responding to anything.
I’m really worried about him. but you know, also from an administrative standpoint, I’m not really sure how to handle this, right. He’s I, you know, do I go on and fill his time sheet out for him, et cetera, et cetera. So my boss gave me the advice I needed, and then he being you know, kind of saving my bacon a little bit. He actually reached out to NSA on that Friday, the last day of may or one of us States and me and S and let them know that we had a person missing NSA, like most sensitive organizations have a policy about people missing, right? If somebody doesn’t show up for work, you have to start looking for them and inform the security team that day. That moment, right there is no waiting a day or two to see if they show back up at a place like NSA, when you’re dealing with that level of security.
Now, because ed was on medical leave, it was a little bit different, right. There wasn’t really wasn’t any sort of requirement for us to inform him that he wasn’t responding to things. You know, in fact, my concern, I, it never even crossed my mind that he did what he, that he was going to do what he ended up doing. Right. My concern was, it was something bad had happened to him. Maybe he had ignored the doctor’s advice and was driving along some cliff side road in Hawaii and drove off the cliff and was lost in the ocean somewhere or something, or a little less dire than that. You know, I fit that. I thought most likely it was it. Maybe he flew home to Maryland had gone off the grid for a little bit and was just recovering with his family out in Maryland. so that, that’s all I ever thought up until the day that he revealed himself to the world.
On Monday of that next week, I got a call from NSA security and they said, Hey, this is the folks in Hawaii. And they said, Hey, Steve. And I knew these folks pretty well from all, from managing my team and facilitating their clearances and getting their access to the agency and such. And so it was, it was a pretty good relationship. Is it, Hey, Steve you know, we hear you got a guy missing. We know we don’t normally get involved in medical issues like this when people are gone, but you know, we’re pretty close knit family here in Hawaii. We want to help you look for looking back and kind of thinking about that experience. It’s a lot to me it’s likely NSA security may have known more than he was just out on medical leave, right. That I didn’t know, regardless. We spent that, that next week scouring the Island for Snowden, whether it was calling, trying to call him, email him.
I drove by his house a couple of times we tried finding his girlfriend’s phone number and getting in touch with her. And she never, she didn’t return any of the calls. We couldn’t find her. I believe NSA security maybe even reached out to his parents. we, I actually visited places that he was known to hang out, just trying to do our due diligence to try to find it. And again, it, it never crossed my mind that he had, he was going to about to do what he did now. It was about Wednesday or Thursday of that week. When the article that you see on the screen on the right from the guardian was, was published. And, you know, this particular article SPE specifies that U S is secretly collecting private data from AOL, Apple, Facebook, Google, Microsoft, pal, tox, Skype, Yahoo, and YouTube right now in the article, it’s really guiding us and leading us to believe in this Snowden’s interpretation of this is that NSA is using that capability against the American people. And that’s really where the big controversy came out now, in my experience there and others, that that is a really what NSA was doing it all with us, with us capabilities at all. But that’s what we were all led to Buddha. So, as you can imagine, this sent shockwaves amidst all of us working at the agency, no matter where we were at.
Over the next car full of days, we had two more articles come out. One from the Washington post and one from a third publication. I’m not, I don’t remember where it was from, but continual, continually just raising this craziness that we were dealing with and, and the shockwave through our organization.
And so, Oh, conversations about it. In fact, on Saturday of that week, I was out all week on, on leave. I was actually, my, my wife is out of town. So I was watching my boys. And so I was actually on leave while I was looking for Snowden and I, for the first time that week I’ve been able to talk to one of my coworkers. We both thought we were good. Friends, went to church together, and our desk touch. He was in, he was a guy that worked for the army army Sergeant major and our army Sergeant anyway. And we were chitchatting and he said, you know, Steve, wouldn’t it be crazy if ed were the guy leaking all this stuff? And I literally laughed. And I said, dude, there’s no way. There’s no way ed would do something like that. But math, if you did, it would be my absolute worst night. Well, sure.
The next morning I was sitting in the church meeting kind of a leadership meeting and we were just gotten done telling all the folks in the meeting all about my crazy week and looking for ed and how he’d gone missing. And then how crazy it is that all this stuff was being leaked out to the media about NSA. And then Ashley mentioned about my friend’s comment, which I still didn’t believe up to that time. But after I had my factoring, all that in about 10:00 AM, the meeting ends, I walk out and I turned my phone on and my phone had blown up with miss phone calls and text messages. And it’s it just so happened that the first text message I saw was from that friend of mine from the day before. And all the text message said was, sorry, man, it looks like your worst nightmare came true.
And I knew exactly what he meant. And I found an empty room in the church where I could be alone and I just melted down. I lost it. I freaked out and every sort of irrational thought one could have fell on my shoulders. It was ranging from things like, you know, I’m going to be blamed for this. I’m gonna get fired. I’m gonna lose my job. I’m going to go to jail and lose my family to can impact my employees. Right? My, all my employees are going to get fired. Booz Allen is going to lose their government contracts all the way up to the big macro stuff. You know, geopolitical stuff to you know, NSA collection sites. You’re going to get compromised. CIA black ops folks gonna get offed. terrorists are gonna run while trying, it’s gonna take over the world. You name it, all this stuff, just dumping on my shoulders at this time.
And I was panicking. I, I kinda got myself together enough to drive home. And my wife had just gotten back from, from Japan the day before. And I told her all about this, my crazy weekend. I pulled her into our bedroom and all I could do was cry on her shoulder and just say, it’s him over and over and over. But I got my I got my, my wits about me after a few minutes and, and, you know, got back up on the horse. It was time to lead, right. And you know, we’re all going to face those periods in our life. And we’ve when we face crisis. But something major happens. What really matters is, is how do we respond to it and what are our values? And it’s really in those circumstances where our values and our ethics really, really shine and come out.
And one of the big lessons I learned about E-Pro from crisis management for example, is how important taking care of your employees are? You know, I, during that day in the aftermath of all of that, I talked to all levels of Booz Allen, leadership, NSA, security, and leadership and everything. And, but I, for whatever reason, I’m glad that I did this. I took the time to individually call all of my employees. I had 15 people that worked for me at the time I called all of them and gave them the time they need to talk. Now, most of them, because snow not only been our employee from what they had had no idea, I didn’t really know the guy. Right. They knew he was on our team and they were shocked when all of this came out, but they barely knew him. So it was kind of a, you know, they weren’t all that distraught about it.
But we had, I had a couple of employees in particularly the lady who, to whom he from whom he was a, an, a, an employee referral, really struggled and really took it hard. And we spent five at a time talking and working through things and she was panicking and freaking out just as much as me. And I found that taking care of my people, the people that rely on me for their livelihood, it was probably the best thing that I did over that day. So later that night, the call came that I was expecting, which came from NSA security. And they said, Hey, Steve, we want to meet with you and FBA and FBI want to meet with you tonight. Can you meet us down at the FBI offices at 6:00 PM? And so I say, sure. And I hop in my car and I drive down this, and this is points kind of where panic starts to set in.
Right? I’ve seen all the movies. I know what to expect, where I’m expecting to sit in this dark room. I got this big, hot lamp shine. I mean, I’m getting grilled and interrogated. And luckily it wasn’t anything like that. It was three hours of asking multiple questions about what I knew about him and my relationship was, and a lot of the same questions over and over. But to see if my story was changing, it was a pretty stressful event. And luckily, you know, those folks, the NSA folks were pretty cool. It wasn’t too brutal, but but it was a stressful situation. And then to wrap the story up the next day I went into, I had to go into work and it was really time to respond with the actual client that he worked for. We were contractors, right? We had clients that we were supporting and I put my bag down, I’d be landed straight to his director.
And the client would worked for different teams. And you know, one of the, another big lesson I learned about crisis management is don’t cast off of lane. I had nothing to do with lists, no date. I didn’t have a planet. I wasn’t involved in it. I had no idea I was as shocked as anybody else. But the last thing I was gonna do was throw up my hands and say, Hey, it’s not my fault. Don’t look at me. Right. I went into that into the office of of that the team leadership there for the government. And I said, Hey, this is failures on me. What can I do to make it better? And that really went a long way to smooth things over and to fix that relationship. And then later that day, I ended up meeting with the director of NSA Hawaii, and he really put it best.
He said, you know, Steve, you really got caught hole in the hot potato and time ran out. He he’d been planning this for a long time. He was going to do this regardless of who he worked for. He just happened to work for you. And that’s really the way it worked out. And so from there things evolved things changed, right. but long story short Snowden kind of became in this, through those actions that he took kind of the stereotypical, or I guess the poacher trial, if you will, of insider threats. And that’s what we’re going to talk about now is kind of what do we learn from my experience with Snowden and about insider threats and how do we protect ourselves from it? So let’s talk for, to talk about an insider threat profile, and this is how I’ve profiled ad from an insider threat.
And a lot of these and variants of these are really going to be pretty similar with all insiders, all malicious insiders, just folks who have planning something they’re doing something intentionally. So first of all, almost all insiders have some sort of excuse me, how some sort of driving motivation for doing what they did. They do. ed obviously was he saw a significant need, significant injustice being perpetrated on the American people from American government and this ties into his narcissism. And he also viewed it as I see this injustice. And I’m the only one that can, that can write this in just a second, bring enough attention to it. No one else can do it. I have to do it. And, you know, in the interview that I had with Snowden, you know, people have asked me before here, did you see any sort of negative character traits or, or what was he like, you know, was there any, any red flags?
So there really weren’t any red flags. And I’d say the only, you know, I liked, I liked him a lot. He and I got along well, we had some really good conversations. I even think our personalities meshed fairly well. But one thing I did notice about snow from a negative standpoint was that he was very arrogant and very narcissistic. He was just very, very confident in his skills. And I’m almost to the point of looking down on people, but that wasn’t enough to make me not hire the guy. Right. I wanted somebody who was confident and experienced and have some expertise, but I think that level of narcissism really drove him to do what he did. You’ll also see, as I touched on earlier that insider threats often develop excuses for abnormal behavior because they have to change the behaviors in one form or another, especially if they didn’t come in with an intention or they need to, they need to operate some different way, right?
So they, they make up excuses. There’s also often external influences, not for Snowden. His external influence is where the media support and there’s even arguments. And a little bit of research. That’s gone out there to suggest that there may have been third party group providing a little bit of solidarity and aid. There’s some evidence out there that he may have been associated with the group anonymous very early, as early as 2004. And a lot of that’s more of needs to be vetted out more, but it’s possible. There were other groups out there providing aid and support to some extent. And I’m not saying he was an asset of the Russians, the Chinese or anything like that, but more that there was a you know, a lot of times for snow or there’s snow, and it looks like he had that media support. You had the aid and then for other insiders, there’s almost always some sort of family pressure, even if their spouse or somebody in the family isn’t driving them or encouraging them to do what they did.
They feel a pressure, whether it’s financially or some other element to, to need to to do what they do in terms of doing damage from an insider standpoint, right. Then you also, what’s interesting about insiders also is that they learn how to afford technologies. It’s amazing how many insiders are really not all that technical, but yet when they have a motivating person, motivating purpose and a drive, they almost very quickly become technology experts and are able to exploit various security weaknesses or build, or figure out how to build a, a piece of software. Something that can help them exploit something or whatnot. And so they, they will take, they’ll take advantage of those things, but also spine is that insiders will be very diligent and understanding what security protocols are in place. And what’s being from the policy standpoint, what’s being enforced and what’s not.
And we’ll take advantage of those, for example, with Snowden, right? he grabbed it, he was very technical. So made it a lot easier for him. You know, NSA, like every other form of government organization has this rule that says, thou shalt not use thumb drives yet. Snowden was able to download all this data by using a thumb drive, right? Obviously they, the NSA had a security policy in place, but that security policy wasn’t very well enforced. And because no one who had the expertise and figured it out, he was able to exploit that without that weakness within NSA security and enabled them to do what he did. Right. So it’s important that as we, as organizations and we build better threat programs that we’re taking these things into consideration, and we’re working with the security team to ensure that yes, if we have these policies, that those policies are being enforced right now, as we talk about bullying inside of our security program, one thing I want to caveat and mention is that we have to walk a fine line because we don’t want to build a culture of mistrust.
We don’t want the people to feel like they’re constantly being spied on all the time and it’s all strict and it’s no off all work, no play kind of a thing, right? We want all of us want a culture that will well, that people will enjoy. We want them to work there and all that. So it’s important to balance respecting your employees, privacy with the security. And that’s a very fine line. And and there are ways to do it simply by maybe tracking the IP addresses and computers. I’m looking for network and behaviors on the network that if you see behaviors that are abnormal or things you’re concerned about, then you can go find out who’s behind it rather than spying on each individual person all the time. Right? So there are some things you can look at. We’re going to talk now about some of the solutions we can employ to help protect ourselves.
All right. So first we talked about security policies, right? And enforcing them now security policies are a lot of organizations do a good job of security policies. And the reason for that is when it comes to compliance, it comes to things like in this framework or PCI or a SOC two type two, and the different things we need to be compliant for. A lot of them require you to have certain policies, right? And in order to pass those compliance audits, you have to demonstrate those policies and then demonstrate how their forest, even if they’re not really enforced all that well, right? So obviously what you want to develop smart security policies. And I encourage all organizations to develop an insider threat policy. What are are what is it kind of ties into acceptable behavior and acceptable use of, of it devices and incorporates the security parameters by which we’re going to detect and monitor our employees.
And then we want to train our workforce. Now we talked about the ignorant careless. Now 66% of data breaches occur because of phishing and social engineering. That is as much an issue of training, as much as anything else right now we can go in and we can go out and buy security solutions for email that will help block a huge portion of phishing emails and prevent URLs from being embedded or we’ll review attachments, et cetera, but things hackers are innovative and they’re always changing. They’ll find ways to get around a lot of that. And from my experience, my time consulting and working in cybersecurity, I found that simple training is the number one best way to make it, to decrease the amount of folks clicking on bad emails and decrease that risk for an organization from a fishing standpoint. And so if you let’s say, if you can decrease that 66% of data breaches in your organization occurring because of fishing down to 30%, you have made a significant impact.
And those are metrics. You can go back to your leadership, your organization and say, this is the impact we’re having. We we’ve, we’ve gone out, we’ve run a couple of phishing tests. We’ve shown, you know, the first time we did a fake phishing email that went out to the organization, we had a 20% click rate. This is the third time we’ve done it now. And this third time, we only had a 5% quickly. We’re seeing a huge improvements. This is great for our security and we’re in a lot better place. And those, those would not only improve your security and, and make you more robust, but it also makes you look good and give you, you know, you’re doing your job and it, and it’s, those are metrics you can use to report up, right? So train your workforce. We talk about training. It needs to be, my recommendation to organizations is to conduct a training monthly or some sort of awareness.
It doesn’t have to be a training, just have to be boring, where somebody gets up in the ass for 50 minutes and force everybody to death. It could be a fake phishing email. It can be a an online interactive training, kind of like what the government does a lot. You can do. you can have a new cybersecurity newsletter that goes out. That includes a little fishing reminder in it. There’s a variety of different options. You can take, you can take it, you can go out and hire a speaker to come in and give a presentation about insider threats and security and phishing or whatever it may be. And then also take advantage of October national cyber security awareness month, the government, and like us, certain other organizations give out some great resources for that. You can, you can, I would argue, I would see Jesse plan, a weekly event or something to kind of make it a big deal, put up little plackers around the environment, et cetera, et cetera, but do things to make October in particular, among as well as throughout the year, a a focus on cyber security to raise awareness.
And then finally, as I mentioned earlier and forced the policy, trying to, if you’re going to have policies in place, if you’re going to say they’ll shout, not use thumb drives, then make it possible to enforce that policy, right. Disable the disabled the thumb-drive, or the USB drives or even, and probably would have been more effective for the agency would be to physically to staple them, right? Whether it’s if jamming a screwdriver in there and making them unusable, just connecting them, removing them or whatever it may be, right. Do those sorts of things. So forcing your policies are very, very important. It’s great to have them, but policies aren’t worth the paper they’re written on. If you’re not enforcing them, the next is separation of duties. Now, this is an interesting one that I think one of the ways in which Snowden bit, the agency now Snowden, as I mentioned at the beginning, it was an it admin.
He worked, he worked at assistance administrator, and then he left their organization on a Friday and joined my organization on the intelligence side of the house on a Monday. Now, I don’t know this for sure, but it seems probable that Snowden didn’t have his it admin rights withdrawn that day that he left, that it may have taken a few days after he joined my team. And that may have been what allowed him to go on his computer. And if the, if the agency did have, if they had it logically the thumb Beck’s logically turned off that he may have been able to turn those on and do and take other administrative actions, right? He basically, for a couple of days may have had keys to the kingdom, both having administrative rights to the network, as well as the intelligence analyst type rights and accesses that he got when he joined my team.
And so separation of duties is critical. And then the example I like to give is your it admin in your account, right? Your it admin is going to be managing all of the systems on your network, and they’re going to have access to the databases and the servers that are hosting all of your financial data. But those it admins don’t have the right of the privileges to be able to view and edit that data without without permission, right? And on the end, because they risk ruining the financials and making them an accurate and doing significant harm to the organization because they don’t know what they’re doing. And in the same vein, your accountant just didn’t have the admin privileges on the databases, on the computer and other systems to be able to make changes to the system or the networking like the app, because heaven forbid they do something wrong because they’re not trained for it.
And cause that database to crash or cause a network to collapse or whatever it may be. Right? So organizations purposely and smartly perform separation of duties by keeping roles, responsibilities, siloed, so that to protect against insider threats and also to ensure that things don’t break. And so if you’re not doing this daily, I highly recommend you apply separation of duties. And this is one of the areas that may have had an impact in preventing Snowden had again, if it is the case, the NSA didn’t revoke his admin privileges, the day that he left at T site may have, may have at least a limited the damage from what he was going to do, but what he ended up doing the next area is security, operations and monitoring. Right? So when I go on and I do my consultant organizations, one of the first questions I asked is how do you know if you’re hacked?
Right? How do you, how do you identify these things? Security operations is how we know if we’re hacking generally, because unfortunately too many times when I asked that question, organizations answers and their responses to me, it’s essentially they essentially are asking or say, well, you know, usually something breaks or, and so somebody calls the help desk and that’s how we know or, well, we bought a SIM tool and we have a few logs going in. So that will give us the occasional alert. But usually those aren’t managed very well, right? They have a little bit of security monitoring, but not near enough, but what security operations does is it allows you to have visibility to what’s occurring on your network, right? You can do, you can begin to detect things like data exfiltration or unauthorized system accesses, elevation of privileges, which is what Snowden probably used to get someone to do some of the things he did or the use of removable media, right?
How come is this NSA being so concerned about security? Why, when, when Snowden plugged into thumb-drive didn’t alarm bells go off in the SOC at NSA saying, Hey, somebody’s using a thumb drive or when he’s downloading huge amounts of data off of the internal network onto his computer or thumb drive, was it that picked up? Why weren’t those rules in place? Right? So there are certain alerts you can build to help detect those things. Even more effective is behavioral analytics, right? It’s can we apply a level of analytics against our users at baseline their, their activities and their behaviors, right. If we know that a particular user accesses, particular databases, or even their own system at certain times of day, most often, or from certain computers, certain IP addresses, and then that changes. And we judge off of that and say, Hey, well, here’s an anomaly.
Here’s something we don’t see before. For example, one of the things that’s been reported in the Snowden investigation is that he had socially engineered a colleague of ours to give him their password. And apparently he used that username and password to access a couple of systems. He shouldn’t have had access to perhaps if with behavioral analytics, it’s possible that having baseline that original users activity coming from a certain IP and certain systems and all of a sudden seeing it coming from a different IP abnormally could’ve potentially generated an alert, right? And so having some level of security detection, monitoring, and detection that layers on top of that behavioral analytics and even an element of machine learning and anomaly detection can go a long way. That’s the organization that I work for, that that’s kind of our bread and butter of what we do. So we encourage all organizations at the least employ some sort of SIM technology, which can get pretty cumbersome to manage on your own.
So either kind of employ your own SIM technology, have your own internal SOC or go with an MSSP who can help has the expertise already built in to help with that monitoring and make sure that their use cases are in place to help detect insider threats as well. And also as you’re sending information to your Sam and use cases to many organizations are, are mostly concerned with the East West traffic, which means which means you’re going from the outside the internet in or inside your network out to the internet. But we also want to send internal to internal data because that’s where we can apply analytics. On top of that, to be able to look for insider threat techniques, including endpoint protection software, those laws can be sent to your SIM as well and generate alerts. By the way, if at any point you have any questions on this or other things I’m about to present, don’t hesitate to ask them.
There is a, a team. There is a Q and a button on your screen there that you can click and ask questions. And we’ll address questions in a few minutes here. All right. And the last one is data classification in DLP right now, obviously NSA is going to have this in place pretty well, but from an insider threat standpoint, this can go a long to providing you a lot of a lot of security, right? You’re going to have infer. You have information and data in your network that you care about that are really, it’s really important, kind of your crown jewels. If you’re a, you know, an R and D company, it’s going to be your CAD files, your research, all of your findings. It really make you unique at the place, but whatever it is that are your crown jewels, you want to start, you want to have that stuff classified, whether it’s whatever you call it, tough secret or confidential or whatever, right?
But maybe your marketing stuff and the stuff you put on the website, that’s all still your internal data. But that’s my classified. That is public. If you don’t really care, if people are taking screenshots or downloading stuff or white papers or whatever off your network, then you have other data kind of in between that you want to control. So employing a data classification solution and classifying all of your data can be really effective. And then layering on top of that, a data loss prevention software that can monitor where those, those files are moving across the network and when they’re edited. And they’re in fact, there’s even some DLP solutions out there that will prevent you from copying a segment or a document out of a confidential file and pasting it into an email. There are software that will prevent you from uploading things to Dropbox or Google drive or whatever unauthorized file sharing software.
There are right now, obviously the cloud and O three 65 or one drive or Google drive or whatever, whatever you’re going to have, file sharing solutions that are authorized. And you’re going to want to white list those from your DLP. And those are great, but you want to have, you want to have data, access controls and data loss prevention controls for things that are unauthorized, right. So think about solutions for data classification, data access controls will come preventing unauthorized file online file sharing, et cetera, et cetera. So those are some of the primary solutions. So just a few things. There’s so many things we can do from an insider threat program to help develop and secure your environment and try to protect yourself as much as possible from insider threats. And granted, you’re not going to be able to protect yourself from every insider threat, just like you can protect yourself from every hacker, right?
Somebody with the motivation will find a way to do some damage. What we’re trying to do is you’re trying to decrease the likelihood of it happening as well as the impact it has on your organization. If it happens in going back security monitoring piece right over here just briefly touching on this. One of the big things we see in cybersecurity is this concept of dwell time or time to detection. So many organizations when they’re hacked have hackers sitting on their network anywhere from four to six months, if not longer, I mean, the Marriott breach that was announced back in December reported that the hackers may have had access to Marriott’s network for up to four years, think about how much data is being stolen, how much money that’s costing. In fact, one study that I read suggested that up to every month, hacker sit on your network is up to a million dollars in revenue.
That’s costing your organization. So the sooner you can detect an insider threat or a data breach or whatever it is, the better off you’re going to be both because you’re going to lose less data and it hopefully should cost you less money to do the IIR and to recover from it overall. Right? So that’s where a lot of these solutions are really designed to decrease hacker dwell time, as well as to decrease the amount of time. And an insider is able to do damage to your organization. Cause some insiders will sit there for a long time, especially the financial folks, and we’ll try to siphon off money as much as possible. Right. So so that’s all I’ve got. If you have any questions, please if you have any questions, please post them and ask them in the Q and a box. If you interested, you’re welcome to reach out to me or contact me or add me on LinkedIn. My contact information is there on the screen. so feel free to reach out and give me feedback. I do love to get feedback on and ways we can improve. but welcome anything you have. So I’m going to pause here and that’s and Amir, do you want me to address the questions or do you want to kind of go with it?
Amir Draquez Oh, no problem. Steven. Questions for you – let’s see. Our first question here is is your organization allowed to actually confirm medical appointments with the doctor? And what about holding passports or flagging unexpected international departures of your stack?
Steven Bay So that’s it. Yeah. Good question. So no, I don’t, I don’t believe that we do have that right. To confirm medical appointments because of the patient doctor privilege. Right. But so what I’ve learned is, so what I’ve learned is when they’re going on short term disability, you can require a doctor’s note of some sort. Right. And so I really, I can’t confirm medical appointments and even now I wouldn’t, even if I could, that’s probably not something I would like to do. Cause I don’t want my employees feeling like I have this culture of distrust and I’m questioning everything they do. Yes. I’m a little more jaded. I’m a little bit more cynical than I used to be because of my experience, but I still don’t want to mean that. But, and so if they have to take a sick day, they want to take a day off to get better or whatever.
I usually don’t require a medical note or any sort of confirmation, but if they’re going to be substantial time taken, then yeah, absolutely. They need to provide some sort of a doctor’s note or something to get short term disability or leave without pay or whatever it is that’s in place about the other part of it, holding passports or fighting unexpected International’s practice of staff. you know, that’s really only something I have seen the government do and maybe I’m, haven’t heard of it, but it’s possible some of the big companies you deal in really sensitive things, maybe even work with the government may do that for select employees. But again, I’m not even sure if that’s legal or if it is, I’m not sure that’s something you really even want to do again, from a culture standpoint, it doesn’t seem very kosher, but I know that, I know that NSA, for instance, they don’t necessarily hold passports, but you know, that will be, I do believe again, I haven’t had this confirm. I do believe they have an element of monitoring flights that regard, but I’m not a hundred percent on that. Okay.
Amir Draquez All right. Great. Here’s the next question. Do you think that when people change jobs or start new positions, that is when opportunities are exploited and because of human desire not to seem insensitive?
Steven Bay Yeah, I think there’s, yeah. I think that that’s one of the most dangerous times is when people change jobs to start new positions, right. We talked about product depart employees, you know, all of us when we moved to a new position, we want to make a good first impression we want good job. I think we’re all a little bit nervous. You know, this job might be a little stretch for me. I, how, how could I be successful? And so I think we do begin to look for opportunity to split it, but I think we also do see insider threats later on as well, especially from the disgruntled side, if something happens or if after a period of time working there, they see cracks and they see polls, they see some way to exploit within the environment, some sort of hole they can exploit to make it, make it successful some way for they think, Hey, there’s a surefire way for maybe me to steal a little bit of money or take this data without ever getting busted. I think that does occur as well.
Amir Draquez Yeah, sure. We go what would be the single most valuable cybersecurity solution for detecting or preventing an insider threat?
Steven Bay Oh man. Well, I would suggest it’s hard to say the single most valuable, you know, obviously if it’s from an insider threat from a from a, a trusted employee standpoint where they’re not doing it maliciously, I already touched on, I think training is the most important, but obviously training and policy enforcement from you know, is it going to do a whole lot with your malicious insiders? Probably from a data loss standpoint, I would say either security monitoring detection, like having a sock in place, maybe an MSSP or something that has use cases that can help detect it. W either that one web you’re trying to be one a and then one B would be a robust DLP program that can at least with data classification that can kind of help keep data from being copied out and all that.
But again, those can even be exploited pretty heavily as well. but that that’s probably, and then the other area that I might say kind of tied to that and kind of get past the single, the single point of that for part of that. Right. But I’d probably kind of say having controls on your firewalls routers, whatever that, that earlier your network, that prevents access to unauthorized file sharing, right? So don’t prevent access to Google drive one drive Trop box, whatever it may be for people to be able to upload things to, or don’t, you know, don’t allow Gmail use internally, if you can avoid it. Or if you do have your DLP or your email security prevent things from being pasted into it or whatnot, you know, those sorts of things. So, yep. And you’re anything else.
Amir Draquez We have run out of time, ladies and gentlemen, I’d like to thank Steven Bay, our speaker for this informative presentation, I and a special thank you to our audience for taking the time to attend as well as participate in all those who have registered and possibly will listen a little bit later. thank you to our host Atripla computer society. Have a great day.
This transcript was automatically generated. To suggest improvements in the text, please contact content@computer.org.
