ITMG Insider Threat News – September 21, 2020


No Internal Investigation Is Complete Without ESI

When employee misconduct is alleged, companies must respond swiftly. Indeed, “insider threats” can cause significant damage to a company. These threats come in many different forms, including accounting fraud; theft of assets; unauthorized access to or manipulation of data; and threats, sexual harassment or other inappropriate forms of behavior or communication. And so, when a threat is perceived or reported, an internal investigation – which aims to assess the validity of the alleged misconduct within the organization – may be necessary. Although such investigations necessarily involve different steps and goals as the facts require, typical elements of an investigation include collection and examination of written or recorded evidence, interviews with suspects and witnesses, and computer and network forensics. McDonald’s Corp. v Stephen J. Easterbrook (Index No. 2020-0658 [Del. Ch. Aug. 12, 2020] [Complaint]) reminds us that collecting and reviewing electronically stored information (“ESI”) is a critical step in a thorough investigation.

FBI Director Wray: Chinese theft has ‘perverse effect’ of US taxpayers funding Beijing’s advancement

FBI Director Christopher Wray said intellectual property theft campaigns against the United States by the Chinese government, including economic espionage aimed at U.S. government-funded research, have the “perverse effect” of U.S. taxpayers funding China’s rise. Wray, who has served as FBI director since former FBI chief James Comey’s firing in 2017, made the comments during an appearance before the Democratic-led House Homeland Security Committee’s hearing on worldwide threats on Thursday. “The Chinese view themselves as in an international talent war, and they recognize that American innovation and research is the envy of the world and, frankly, the envy of China,” Wray told lawmakers. “And when they can’t innovate and research themselves, they send people over here — in some cases, legitimately, but, in many cases, not — who engage in intellectual property theft, taking information, American research, and bringing it back to China to advance China’s national security goals, which has the perverse effect, since a lot of this research is taxpayer funded, has essentially the perverse effect of having American taxpayers funding China’s advancement at our expense.”

Using Access Controls to Thwart Insider Threats

Almost half of the items on our Top 10 list for Insider Threats have some reference to access control, whether it is implementing multi-factor authentication (MFA) or making sure old accounts are purged. Access control is a big part of mitigating the Insider Threat. With outside attackers frequently leveraging compromised credentials, or malicious insiders abusing their own access, losing control of who can log in and where they can go lies at the heart of the problem. The access control problem falls into two main categories. The first is keeping external attackers from compromising credentials, or from using them when, not if, they do. The second is keeping internal users from abusing their existing access to malicious ends. There can be overlap, of course, when an insider steals a colleague’s credentials, for example. But the “first line of defense” lies in a different place depending on where the attack originates. The first layer of defense against external threats trying to steal credentials is user education. That shouldn’t be a surprise, considering how many users fall for phishing attacks or social engineering lures, or lose their credentials to malware. That’s not even counting people who reuse ID and password combinations or choose weak passwords that can be easily brute forced. Educating your user base on good password hygiene is critical. Users should create strong passwords, never reuse them, and rotate them periodically, but not so often that they get forgotten. Giving them the tools and support they need can reduce the risk from credential compromise.
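The two access-control hygiene items the excerpt names, purging old accounts and enforcing MFA, can be checked from an account inventory. The following audit is an added example, not code from the original article or from ITMG; the account records, the 90-day staleness threshold and the `audit_accounts` function are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    """One row of a constructed account inventory (assumed export format)."""
    name: str
    last_login: Optional[date]   # None means the account has never logged in
    mfa_enrolled: bool
    enabled: bool


STALE_AFTER = timedelta(days=90)  # assumed purge threshold; set to local policy


def audit_accounts(accounts: List[Account], today: date,
                   stale_after: timedelta = STALE_AFTER) -> Dict[str, List[str]]:
    """Return finding -> sorted account names for enabled accounts only.

    'stale'  : no successful login within stale_after (purge candidates)
    'never'  : provisioned but never used (often forgotten onboarding)
    'no_mfa' : can still log in with a password alone
    """
    findings: Dict[str, List[str]] = {"stale": [], "never": [], "no_mfa": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # already unable to log in; not a live access path
        if acct.last_login is None:
            findings["never"].append(acct.name)
        elif today - acct.last_login > stale_after:
            findings["stale"].append(acct.name)
        if not acct.mfa_enrolled:
            findings["no_mfa"].append(acct.name)
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data, not taken from the article.
TODAY = date(2020, 9, 21)
SAMPLE = [
    Account("alice", date(2020, 9, 18), True, True),        # healthy
    Account("bob", date(2020, 5, 1), True, True),           # 143 days idle
    Account("contractor1", date(2020, 7, 1), False, True),  # active, no MFA
    Account("svc-backup", None, False, True),               # never used, no MFA
    Account("former-emp", date(2019, 12, 1), False, False), # disabled, skipped
]

if __name__ == "__main__":
    for finding, names in audit_accounts(SAMPLE, TODAY).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```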

SMEs are going digital, but what about cybersecurity?

The unprecedented changes that have taken place in the wake of COVID-19 are throwing up compelling reasons for large as well as Small and Medium Enterprises (SMEs) to rethink their business models. The current pandemic has had a negative impact on human life and the economy. However, looking at the brighter side, it has forced SMEs to embark on their much-needed digital transformation journey. And this time, going digital is much more than just having a mobile app or a presence on social media; it’s about a comprehensive strategy aligned to the business goals with clearly defined metrics. However, going digital also adds a new challenge for large as well as small enterprises…

US Espionage Act prosecutions jump under Trump, Assange extradition trial hears

Donald Trump’s administration has prosecuted national security leaks more aggressively than any presidency in US history, Wikileaks founder Julian Assange’s extradition hearing has been told. Lawyer and historian Carey Shenkman said the US president is on track to exceed the number of Espionage Act cases brought under Barack Obama’s two terms in less than four years. Assange, 49, is fighting extradition to the US to face 17 charges under the 1917 law, as well as an 18th charge alleging he plotted to hack computers. Giving evidence by videolink and holding a telephone to his ear – following technical glitches that have beset the hearing – Shenkman described on Thursday the Espionage Act as “extraordinarily broad” and “one of the most contentious” in the US.

Researchers discover six-year espionage campaign targeting Iranian dissidents

Researchers announced Friday that they had discovered a “large-scale” six-year campaign by Iranian-linked hackers to surveil Iranian dissidents and expats, including through targeting accounts on the instant messaging app Telegram. A report released by Check Point Software Technologies said that, beginning as early as 2014, Iranian entities targeted government dissidents including resistance group Mujahedin-e Khalq and the Azerbaijan National Resistance Organization through attacking their mobile devices and personal computers. “The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime,” Check Point researchers wrote in the report. The Iranian-linked hackers used multiple methods to surveil and attack the victims, including an Android back door that posed as a service for Persian speakers in Sweden to apply for a driver’s license, extracting two-factor authentication codes from SMS messages, recording the audio surroundings of a phone, and hijacking Telegram accounts.

Making Your Organization Operationally Resilient to Insider Threats

Daniel Costa of the Software Engineering Institute (SEI) at Carnegie Mellon University writes about operational resilience in the face of insider threats: This September is the federal government’s second annual insider threat awareness month, and this year’s theme is resilience. The SEI has a significant body of research in resilience, and in the CERT National Insider Threat Center, we apply many of the principles and best practices for resilience to the insider threat problem. In this blog post, we will discuss the relationship between resilience and insider threat, discuss how to make organizations operationally resilient to insider threats, present strategies for making your insider threat program resilient, and highlight some of the key activities the CERT National Insider Threat Center will be conducting in support of National Insider Threat Awareness Month. Making Your Organization Operationally Resilient to Insider Threats: Operational resilience is an emergent property of an organization that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit. Operational resilience isn’t something an organization does. An organization is operationally resilient, or aspires to be.

Chinese hacking groups are bullying telecoms as 2020 goes on, CrowdStrike says

For suspected Chinese hackers, U.S. telecoms represent a tempting target for espionage. Six suspected Chinese hacking groups have zeroed in on entities in the telecommunications sector in the first half of this year, according to CrowdStrike research published Tuesday. While CrowdStrike did not identify the groups by name, the attackers have likely been running their hacking operations in an effort to steal sensitive data about targets, or to conduct intellectual property theft, researchers at the threat intelligence firm determined. CrowdStrike also did not identify the targets. The telecommunications sector was among the most-targeted sectors in the first half of 2020, the company said, alluding to behavior that aligns with previous espionage patterns from hackers with suspected ties to Beijing. Publication of the report coincides with a fresh warning from the U.S. Department of Homeland Security that a Chinese intelligence agency is exploiting known software flaws to gather information from U.S. federal agencies, and amid an ongoing U.S. government effort to safeguard research into a COVID-19 vaccine, which Chinese hackers are alleged to have targeted.

Outsmarting the Insider Threat During National Insider Threat Awareness Month

As entire workforces remain in remote working conditions, the danger of insider threats is as unmistakable as ever. It is critical for businesses to recognize that this form of threat from legitimate users has always been more elusive and harder to detect or prevent than traditional external threats. Additionally, while the most common insider threats are not usually motivated by malicious intent, and the damage they cause is unintentional, it is no less ominous to business viability. This September marks the second annual National Insider Threat Awareness Month. Last year, the U.S. National Counterintelligence and Security (NCSC) and National Insider Threat Task Force (NITTF) partnered with federal agencies to launch the initiative to bring awareness to this crippling threat type. In honor of the month, below are some tips from leading cybersecurity and IT resilience experts that cover how an insider threat could manifest itself and what organizations can do to prevent these issues in their companies’ networks and applications.

Why Antitrust Practitioners Should be Interested in Espionage…

The Five Eyes Alliance has its origins in cooperation between US and UK intelligence agencies during the Second World War. It solidified into the secret relationship between the intelligence agencies of Australia, Canada, New Zealand, UK and US during the Cold War. Its soubriquet “Five Eyes” came from the protective marking on intelligence material shared between the five allies – AUS/CAN/NZ/UK/US EYES ONLY. The alliance remained in the shadows for decades – details of some of its programmes coming to public prominence in the revelations by Edward Snowden in 2013. Increasingly, the Five Eyes has become a more public arrangement. In June this year, Five Country Ministerial (FCM) meetings were held between Finance, Foreign and Home Security Ministers. In the past couple of years, the Five Eyes have adopted joint positions on a range of issues, from encryption in internet platforms, rare mineral supply, resilience in critical national infrastructure, the implications of COVID-19 for domestic security, economic recovery, and the situation in the Indo-Pacific region. Most recently, Five Eyes Anti-Trust Regulators have agreed protocols on information sharing, described by my colleague Francesco Liberatore below. This is particularly intriguing, as it is the furthest departure of Five Eyes activity from its core intelligence sharing and national security rationale.
