Treacherous 12 Part 6: Malicious Insider

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription

Treacherous 12, number 6. Malicious insider.

In this lesson, we want to talk about the risk of a malicious insider, the impacts that a malicious insider can have within a cloud environment, and techniques to address the risk of a malicious insider.

A malicious insider. Why would they do this? Well, it's just natural that some human beings, some employees, may become disgruntled or may, because of financial circumstances, feel the need to potentially expose cloud environments to vulnerabilities or make changes in the cloud environment that cause a negative impact. Malicious insiders could potentially sell information or work in coordination with criminals who want to gain access to the information within cloud environments and/or perpetuate future compromises. A malicious insider may also do different things that substantially incur costs for the cloud organization or just waste resources through intentional incompetence and frustration.

Now, one of the other things about the cloud environment, because you may be relying on a cloud services provider and all these other third parties who are doing your apps or your access, is that the risk of a malicious insider gets multiplied across all these different organizations that are helping to orchestrate and manage your cloud environment. That's why controls to detect and mitigate the impacts of a malicious insider are very important.

First and foremost, having employees who are consistently trained and cross-trained across your cloud environment is essential to detect malicious insiders. For people to know what they should be doing and what constitutes unusual behavior, so that they can raise the alarm when suspicious activity is detected, is crucial.

Other key principles to diminish the impact of a malicious insider. First and foremost is segregation of duties. This is particularly difficult within small organizations with a limited budget. They may not have enough employees to have one employee do one task in the cloud and another do another, so one employee may have access to a number of different services, and it goes against the best practice of segregation. However, where possible, employees really should have different jobs and duties so that one person who is making configurations can't apply them straight to production. They either have to be approved by someone else, or they don't do the implementing. Regardless, this prevents one individual who is a malicious insider from having a large amount of latitude to have a big impact within a cloud environment.

One of the other ones is least privilege. This is just confining a user's abilities and privileges within the cloud environment to the minimum necessary to do their job. Now, this can be very difficult for organizations because, in the desire to be nimble or adaptable, they don't necessarily want to define the roles and responsibilities so tightly that a person can't do anything. It really depends on the business case how well-defined and locked down roles are within your organization. For organizations or people handling very sensitive information, it's very important that the roles, tools, and correct procedures be very well-defined to enforce least privilege.

Then lastly, to discover any malicious activity, you really need effective logging and monitoring on your cloud environment. If someone on the inside begins to do something malicious or unusual, you want the people in your SOC to be able to identify that behavior. The difficulty with a malicious insider is that those people who are monitoring the environment may have a personal relationship with this person. It's harder to detect the malicious activity before it really has shrunk consequences within the cloud environment.

All right, quiz question. Limiting certain users' access to a cloud database to read only because they need to review transactions is an example of what principle? One, least privilege; two, segregation of duties; three, mandatory vacations.

If you said least privilege, you'd be correct. We aren't allowing this user to make changes to the database or delete data because their role really only requires them to review transactions. It's appropriate to limit their access to read only. Segregation of duties would be another level off of saying, well, this person is a database administrator, therefore they can add and change as well as administer the levels of access. This person's role only requires review of transactions; therefore, these are two different jobs. Lastly, mandatory vacations. This is an often discussed technique to prevent fraud within organizations. If you have a malicious insider who's somehow abusing the cloud resources to do a personal scheme or use those resources for a personal project that's not one of the things the company wants done, that malicious insider may need to constantly be monitoring the environment. Forcing people to take vacation is often a strategy to disrupt the maintenance of a fraudulent program or scheme that's going on.

In summary, we talked about the threat of a malicious insider, talked about the impact that malicious insiders can have within a cloud environment, and we talked about various methods to address the risk of a malicious insider, namely training, least privilege, segregation of duties, and effective logging and monitoring.

All right, I'll see you in the next lesson.