Episode 59: Insiders: Security Threat or Ally? Part 2
Amrit Williams, BigFix CTO continues the conversation with author and speaker Michael Santarcangelo on the nature of insider threats and how to manage them.
FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter, and I am back with Michael Santarcangelo, catalyst, author, and speaker. Michael and I were speaking about the insider threat and how that’s defined, and the impact that has on the organizations. Michael brought up some good points about the importance of us looking at people, information, and risk. I wanted to expand on that.
So Michael, let’s dig right back in. You sort of left off with some good thoughts on people, information, and risk, and the importance of those things together.
Michael Santarcangelo: Thanks Amrit. What I started to take a look at, and this started, not just with the book, it’s fascinating how when you finally put your ideas out in front of everybody and you digest the feedback, you can really grow. What I started to realize was that, we really do need to manage people, information, and risk.
Let’s just take as a quick aside looking at numbers. I love metrics. Is it possible of course to obsess on metrics to the point where they no longer provide value? Yeah, of course. You need metrics. We need to measure stuff in a way that gives us the context to make decisions. What I find fascinating, and this isn’t just security, this is society, we continue this divide with people where we are divorcing them from the consequences of their actions. In so doing, we start to notice this cascade of stuff. What happens, and as we try to measure it, and we just try to pave it forward by coming up with another technology. That is the old, the mouse got smarter, so we built a better mousetrap.
You think that we would start to break that cycle. Well, the way I started to look at it was, what if we don’t measure risk in terms of absolute, and what if we don’t measure risk just, well, I looked at the network, this is the problem. What if instead we backed off for a second and said, wait a minute, there are three fundamental parts of this equation, and maybe not so much from the equation perspective, but we have people that are involved. I think it would be disingenuous to suggest that people weren’t the lifeblood of an organization. With limited exception, businesses exist because of people, and not just to give them jobs, it’s people that make decisions, it’s people that interact, it’s all sorts of things.
The true lifeblood now is information. That’s what we trade on. That’s what we protect. It’s what’s important to us. Those two have to work into risk. If you look when PricewaterhouseCoopers came out in October, and they said — they did their state of the security. So this — I guess, we are due for the refresh. But the one that came out in 2008, I am still taken with the fact that 71% of companies admitted that they do not know where their information is. This is astounding to me. Not that the number was so high, but that 71% knew it and admitted it.
Amrit Williams: I was just going to say, I am surprised by the number too, I thought it would have been more like 100%, I have no clue.
Michael Santarcangelo: Well, I think it’s the real number, right? But think about this, if I come to you and I go, so Amrit, are you completely screwing up your infrastructure? What’s your answer, no, I am good.
So if I come and say, hey, do you know where your information is? What are you going to say, of course I do. 70% said no, we don’t have any idea. But this is the fascinating part to me, that misses the point entirely. Because if you don’t understand the context of the information and the consequence of the information, it doesn’t matter.
What I mean by that is, so what happens if the information is not just disclosed; we are so obsessed with disclosure, what if the integrity of it is modified? What if it’s not available when somebody needs it to make an informed decision? If you look at the way that businesses are operating, and the need to operate, it’s not just the information, it’s who is using it, it’s how they are using information.
I did an engagement last year, army base, and I had information to share with them. I hold up a USB drive and I say, hey, who wants the information off the drive? And they all got that panic look on their faces. Oh no, man, you can’t use that here. I went, oh, you have got one of those policies. They went, no, technically, if you stick it into one of our computers, it will be wiped out, encrypted, and really it will be dead to you, and the information off of it is gone. Seriously, we can’t use it. I went, oh, alright, what do you guys want to do?
Well, about five hands reached into a bag and they pulled out CDs and they go, you have got a CD burner, right, just burn it on CD. I went, okay, wait a minute, you are security people, are you possibly suggesting that we are going to violate the security policy here? Deadpan, yeah, that’s exactly what we are suggesting.
So now I go, alright, wait a minute, did you come up with this yourself? No, it was some private, other hall, nothing to do with information security, information assurance. None of it. He was a guy that had to get a job done.
If you think about the military, and you are a private, if your captain says, get this done, you don’t say, well, sir. They don’t want a well, sir, answer, they want it done. So the guy said let me pop in a CD, took care of it.
So now here’s my question, do you guys have shredders that can shred CDs? Deadpan looks, they go, nobody thought about that.
See, I don’t care how people get around it. If you want to tell me you encrypted a laptop and it’s great and it’s really secure, fantastic, prove it. Show me how people are using it. Did you just make it harder for somebody to do their job, so therefore you pat yourself on the back, so you can do a happy dance, oh, we protected everything, but at the end of the day you made it harder, congratulations, you just increased your risk, and you hit it. It’s like telling a bunch of kids not to drink, but then giving them a bottle of vodka. How is that going to work out? All they are going to do is hide it. And vodka I am told, I have no personal experience, but I am told vodka doesn’t show up on your breath.
So if you look at this, we have to understand how people are using the information, anthropologically, not judgmentally, how are they using it, and what’s the context and the consequence. Is it printed out? Is it written down? Are they ferrying it back and forth over the Internet? Are they using Gmail to do that? Are they putting it on USB drives? Are they burning it to CDs? Are they bringing it home? Is it showing up on their laptops and their home computers?
Now, you can go further down that rabbit hole, but if you just stop right there and think about that, it gives me a completely different picture of risk, than sitting on an ivory tower saying, well, we just completed a roll out where everybody has encrypted laptops. Well, we are secure. No, we are not. No, we are not.
By the way, why then are we still experiencing 10,000-12,000 laptops abandoned at airport security checkpoints every week, not stolen, abandoned? I can’t imagine leaving a laptop behind. I can’t imagine leaving a dime behind, but let alone a laptop. If you are so disconnected from it, you don’t take any responsibility whatsoever. So I think when we start to look at this stuff, we have to think about people.
Amrit Williams: Well, let’s say — I think people are really, really important, I don’t want to lose that concept, but I have got to ask you a question, because I think this — I have been having this conversation with people for a long time. You have basically laid out a scenario here where there are multiple vectors for information to ingress or egress out of a device; there is the USB, the CD-ROM, a whole bunch of stuff. This organization chose to lock down the USB for whatever reason. There is an easy way to bypass that, people just use CDs.
I have heard arguments used in the past that because we can’t do B, C, D, E, F, we shouldn’t do A, even though we can. If you look at a home that has six windows and two doors and you are able to secure four of the windows and one of the doors, well, there is no point in doing that if you can’t secure all the doors.
I think that to a certain extent, there is validity in eliminating vectors, even if you can’t eliminate them all. There is validity in making it harder for someone to unintentionally bypass corporate policy. I think there is also a realization that it’s very difficult to stop one who intentionally wants to bypass policy and has some skill, at least enough skill to burn a CD and plug it in.
So I wanted to stop there before we get back into people and get your thoughts on that, because I think it’s an important concept that we don’t talk about that much. When is just enough good enough, and is it good enough? If you can’t do everything, should you do nothing?
Michael Santarcangelo: I am going to answer your question by bringing it back to people. I couldn’t agree with what you said more. Here’s the caveat though. Let’s use the windows and doors. So if I can gain entrance or exit from a building through windows or doors, and I am used to walking through the front door every day, and all of a sudden I come in and now it has got a fortress and it’s a lock, and I can never use it again. I could break a window. I could go around to the back. But man, I am going to be pretty stuck. If there is a quicker path and I can just now leave my window open and I can come in through the fire escape, oh, and by the way, there is no alarm there and no one is checking for it, well, because everybody used to be able to walk into the front door and now they can’t, so I have taken away a vector point. Did I actually increase or decrease the risk?
Well, if now everybody is leaving their windows open, and they are leaving them unlocked, and they are using the fire escapes and they have set up all these other things, because they have made it easier, because no one ever explained why we were locking the front door in the first place. Well then, that’s poor implementation.
Amrit Williams: Yes, you are right.
Michael Santarcangelo: If we say to people, hey, we know x, y, and z, this information is important to you, and we know that there are a lot of risks out there. Look, I have had a laptop stolen, I know other people have had a laptop stolen. We are going to take some actions that are going to help you protect your laptop. No, we can’t protect against everything, we are going to try to help it. We are going to take these particular actions, because these are known problems. We engage them in a dialog, oh, then we can make a lot of changes. The distinction is, managing risk in one dimension versus managing risk and including humans into it, it doesn’t necessarily change the end result, it changes the approach, which then changes the success rate.
Amrit Williams: I agree with you. I do still think that it means an organization does need to understand the controls that they are implementing and policies they are implementing for the unintentional and negligent versus the intentional and malicious. There is no way really to effectively implement the controls and the processes to deal with the unintentional and the negligent without including the human factor.
But I wanted to switch gears as we go into the next segment, and I really appreciate this conversation, but when we come back what I want to talk to you about is a comment that you made, which is, many IT professionals, I believe, are divorced from the consequences of their actions. So this is a pretty important concept that a lot of people don’t understand. So when we come back I would love to talk to you about that. Michael, thanks for joining me today.
Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening.
