Why disaffected employees are your greatest cybersecurity risk

Insider cybersecurity threats are just as potent as Russian and Chinese hackers. Some employees make mistakes, clicking on that bad phishing link. Unhappy or di...

Insider cybersecurity threats are just as potent as Russian and Chinese hackers. Some employees make mistakes, clicking on that bad phishing link. Unhappy or disgruntled employees, that’s another matter. Federal Drive with Tom Temin talk with someone who says such people are far more susceptible than average to social-engineering attacks. Tom’s guest was Max Shier, Chief Information Security Officer at Optiv.

Interview Transcript:  

Tom Temin And this idea of this disgruntled employee or someone who’s unhappy with their work, I guess in some ways since time immemorial, they are people you would have to worry about. But now with the cyber threats getting so potent, it’s something even worse. What have you found?

Max Shier Well, I think it’s a great topic to talk about because ultimately for cybersecurity professionals and practitioners, the insider threat, whether intentional or unintentional, has always been the biggest threat for government agencies and others that work in the defense industry or government industry. And to your point, the malicious insider, the intentional insider, is the one that really can cause the most serious damage, you know, the unintentional insider threat, the people that are just trying to circumvent security controls to make their jobs easier, or those that click on malicious phishing links, etc., those that really are more risky in that regard, the ones that are more open to clicking on the phishing threats or those that are open to attempts to solicit data over social media on LinkedIn, for example, which is a huge target for malicious hackers, etc. I think those different insiders are the ones that we as cybersecurity professionals over time have most worried about. And I think there are two different instances that we really need to target in different ways. The malicious insider, the ones that are intentional. I think those are really looked at with technical controls. We look at it with risk based alerting or user based analytics to try and detect those that maybe are doing something nefarious on the network that are outside of their normal day to day activities. And with the cybersecurity tools that are coming out today, I think that’s making our job a little bit easier in that regard, especially with machine learning and AI built into a lot of the cybersecurity tools that are coming out today. That is really helping us be more efficient in catching those malicious actors. Those are really helping us as cybersecurity practitioners become more effective in what we do. But you still have to go out and pay for those tools and implement them and they are expensive. And so there is some slow uptake by some agencies or other companies that are dealing with the government on implementing those tools. And so we need to make a concerted effort to continue to push for additional security requirements to enable companies to be able to go do those things. And also, I think as we implement those tools and prices come down a little bit, it can help enable those companies to implement those tools over time.

Tom Temin Well, let me ask you this. If someone is susceptible to phishing because they’re maybe worried about their job or they might have been recently laid off or they’re on administrative leave and still have access, whatever the case might be, are they susceptible to the same phishing attacks that everybody else is getting in the organization that might be targeted? Or is there some mechanism by which a fisher could discover someone is disgruntled and target them with a tailored type of phishing attack?

Max Shier Yeah, absolutely. I mean, with the advent of social media, it is absolutely a lot easier to understand who is more disgruntled within the workplace, who’s putting the information out there that they dislike a decision that was made at work or they’re unhappy in their job and with LinkedIn, with Facebook, etc… If you have your profile set to public, anybody can go out there and scrape your data and the posts that you’ve made, etc… I have several posts out there that have been made public because of the position I’m in. Right. So there’s a lot more opportunities, I think, for malicious actors out there to tailor very specific phishing attacks to people that are in specific positions. And you see that more and more, especially with generative AI out there, you can create a phishing attack in seconds that is very effective and can be very widespread, tailored to people that you’ve scraped off of LinkedIn. And so I think it’s even more important for us to be hyper aware almost about phishing attacks and making sure that we keep up on the security awareness for our employees and others that are in positions that may be susceptible to those types of attacks. And to your point, I think now, especially with the continuing resolution that occurred and the potential now for furloughs still in the future and the government shutdown in the future, I think there’s probably a heightened I don’t want to say disgruntled ness of employees out there, but obviously there are some concerns out there that may make them more susceptible to attacks, whether it be, you know, for financial gain or finding other positions, etc.. So, yes, to your point, I think we need to be more aware now more than ever, because our information is out there that we will be receiving more. Targeted phishing attacks. And I think specifically, as you have events like this within the government or otherwise, that you’re going to have malicious actors that are going to target those specific employees that are affected by those events to try and take advantage of them and make them more susceptible to attacks like that.

Tom Temin We are speaking with Max Shier. He is the chief information security officer at Optiv. And what is the general motivation of the people launching these attacks? Do they want the credentials and the assets of the individual, or are they still trying to get at the agency or the organization’s assets through this phishing?

Max Shier I would say it’s more tailored towards the organization, right? It’s value for their effort. You know, to them, the individual themselves, you know, getting access to their home network isn’t necessarily what they’re looking after. They’re looking for the big fish and getting credentials to their work assets so that way they can compromise the agency, whether it be for ransomware or if it’s a state sponsored actor for technology or information to further their attacks within the agency and move laterally within the government. And I think that ransomware may not be thought necessarily as a huge target for the government, but it is and it’s increasingly becoming so. And I think we’ve seen those types of attacks recently where emails have been stolen and other data has been stolen. And I think that furthers their ability to be able to attack the agency further or even move laterally within the government. And to your point, I think government employees and those that deal with the government will continue to get these attacks. And I would expect it to increase actually as time goes on.

Tom Temin And let me ask you this. When people that are alert are getting phishing attacks, very often there are clues in the content of the email that pretty much give it away. Even now, they still spell things wrong or there’s a weird return address. You know, the address, the threat origin is obviously not who the sender wants you to purport to be. Can artificial intelligence maybe be applied to that process of identifying what are the anomalies in a message that identify it as something you want to filter out, your filter should catch?

Max Shier Yeah, and today’s modern tools do that. And I think that’s where we’re really seeing a fire fought with fire and generative AI and other AI tools out there that are creating these phishing attacks that really remove the traditional red flags that you would see, such as misspelling, as you had mentioned, have been removed with generative AI. It’s just they’ve become extremely effective in creating templates for malicious actors to send out very effective phishing emails. And so you have to fight fire with fire now. And so AI and machine learning is being implemented in all of the email security tools that are detecting phishing attempts, etc. and they’re pretty effective. But the most effective tool is still the end user. And if they do get a phishing attempt or an email that they suspect to be a phishing attempt, they have to report that. And most modern tools now, or most modern implementations do have a button where users can click and say it’s an attempted phishing email, and then that would actually be reviewed by a security professional. And I think we still need to educate users and make that the highest priority to be on the lookout for those types of things. And if they do receive something that they’re not expecting, even if it looks legitimate, if there’s an attachment, don’t click on it. Contact the person that sent it to you to say, “Hey, did you send me this attachment? You know, I wasn’t expecting this email” and then report it and or talk to that person. And if they didn’t send it, then report it. But if you’re unsure or definitely don’t click on anything within that email, whether it be a link or an attachment.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories