Not a day goes by that I don’t get a half-dozen articles in my inbox about “insider threats” and how to stop them. The problem with every article I get is that they all follow the same model we’ve followed ever since the term was coined:
Treat every employee as if they are evil and don’t trust them;
Monitor everything they do;
Lock down everything and make them beg for access; and
Wait for them to screw up and then nail them to the wall.
There are two things I strongly feel organizations fail to realize:
LOYALTY is the single most effective control for protecting an organization’s intellectual property, sensitive information, or other hard or soft assets; and
99.999% of the staff an organization hires come through the door with the strongest level of loyalty they will probably ever have for their organization.
So the question I always ask executives is this:
What are you doing to keep that level of loyalty near where it was when you first hired your staff?
My first thesis is that by the time we detect the classic signs listed in most articles and government policy documents, it’s too late. By then, your staff has already decided to make the turn from loyal, productive employee, to being disgruntled and potentially harmful to the organization.
My second thesis is that we need to reach staff who are at risk of becoming disgruntled BEFORE the classic trip wires light up; in fact, we need a NEW set of trip wires, ones that detect the things that can take a good person and make them disgruntled.
It’s not a complete list, but here are some questions agency executives and the C-suite should be asking about their organization:
Does HR do a good job screening new hires before you hire them?
Do new staff get placed into the job that was promised to them?
Do hiring managers fully explain what the expectations are for all jobs?
Do all new hires receive the training they need to perform in their job?
Do employees have access to all the tools and information they need to perform?
Are employees given the opportunity to advance, change jobs, be creative?
What does the organization do to stay aware of staff well being?
How does leadership ensure alignment with staff values, beliefs, aspirations?
How well does the organization train, select, and place its managers?
How well do managers know their staff? Family issues? Substance abuse issues?
What does the organization do to identify poor managers?
Does the organization take quick action to resolve staff concerns?
Does the organization take quick action to remove poor managers?
Think about these questions before you continue to treat all of your staff as “enemy combatants” – they were loyal when you hired them; so what are you doing to them to turn them against you?
P.S. I failed to mention that investing well in the 13 areas above also gets you:
Staff that cares about the mission (and you)
Increased productivity, better work environment
Managers who actually can enjoy being a manager
Lower staff turnover, lower recruiting costs
Reduced security vulnerabilities, staff more proactive regarding security
I just gave this presentation to nearly 200 attendees of the ICTTF Cyber Threat Summit 2015 in Dublin, Ireland.
For those of you that attended; thank you!
Through this presentation I hope I was able to communicate three points:
How company/agency executives put their agencies at risk by blindly trusting that they are doing all that can be done to secure their networks, applications and data;
That leadership’s approach to motivating employees to practice better cyber hygiene needs to mimic the principles of behavioral economics that advertisers use; and
By changing the way they ask questions of their senior staff (mainly their CIO/CISO), they can a) have better proof that necessary cyber protections are in place, and b) have a better understanding of the unaddressed cyber risk their company/agency faces.
Day Two at IACP and straight in early on Sunday morning to attend the Cyber Threats and Attacks Facing Law Enforcement Agencies session. Having attended the last two Cyber Threat Summits in Dublin, Ireland, I am well aware of the challenges we are all facing every day in trying to protect our technology.
Mark Gage opened with a very worrisome statement, saying that we spend so much money trying to protect everything else in our lives, but not enough care is given to protecting our information and identity networks. We are at risk every single day: just by viewing Facebook or opening an untrusted email attachment, our phones/laptops can become infected and spread malware.
We should all know better; in fact we do know better, we know the risks associated with all these things, yet we are all capable of making silly mistakes and suffering the consequences.
Mark says the most important thing is to educate your staff, consult with those you share systems with, do not use the same password for everything, and make your password changes a minimum of every 90 days. It’s also critical that we keep all software up to date, particularly anti-virus software, and implement backup procedures. For companies, he suggests paying money to employ IT staff or contractors.
George Arruda spoke next of his worst day, in Sept 2013: whilst driving on holiday in Florida, he received a phone call which gave him the news he dreaded – a vicious virus called Cryptolocker had locked down ALL of Swansea Police Department’s files!
The only way to get the files back was to pay a ransom in bitcoins to some criminals out there in cyberspace. He didn’t know who they were, or where they originated from, but he gave the order to pay and get the files back.
A cyber security expert was called in and advised against this, but they eventually began transferring bitcoins and they started to get data back. The main problem here was that they did not have a backup, so they were indeed in a vulnerable position.
Having amassed a very large amount of data, the Swansea PD was shaken by this incident. On the back of this, George gave advice to everyone – Back Up Everything, teach your staff NOT to open anything suspicious, and have only ONE administrator access, with a password.
Steve Sambar warned of the dangers of terrorist cyber attacks, and the worry of: if they attack, what do we do? Who will be responsible for handling it? How long will it take to recover? We face so many threats every day: human error, insider threats, external threats. Many big corporations have suffered already. For example, Target had 40 million accounts hacked in Dec. 2013, and eBay’s database with 233m users was hacked in Feb. 2014.
Jim Emerson had the last word, delivering a fast paced description of the emerging threats and challenges. Everything is happening faster, he said, and we have to understand the reality of what cyber security is.
He showed two short videos from IACP about cyber security, these are available on the IACP website. Jim wants us to:
Check carefully where the suspicious email is coming from.
Be aware of who you are connected to.
Jim also stressed the importance of this being a day-to-day footrace, one that never ends. He is right, and we do not want to be sorry when it is too late.
This was my second year attending LEIM and certainly the most enjoyable as the setting for this year was the beautiful Fairmont Scottsdale Princess Hotel. Coming from a country (Ireland) that has been deprived of good summers for the last few years, I was overwhelmed by the glorious sunshine.
As I walked around the beautiful grounds of the Fairmont Princess, enjoying the heat, I took in the perfectly manicured lawns, the towering cactus displays and the perfect little bunnies. This was just heaven and so far away from the cold, rainy Dublin I had left some days previous.
I’m glad to say as I write this from my kitchen in Dublin; the sun is streaming in the window, and is bringing back memories of Scottsdale!
I discarded my swimsuit and dressed more appropriately for the Opening Ceremony of LEIM 2013. Scott Edson, the past year’s Chair, opened LEIM with a warm welcome for everyone and a brief outline of the next few days events and sessions. He was joined by Alan G. Rodbell, Chief of Police, Scottsdale and Bart Johnson, Executive Director, IACP; they too gave a brief introduction and welcomed all.
After the opening I went along to my first plenary session of LEIM, The Evolving Role of Technology in Policing. This session also included results from the previous day’s Information Technology (IT) summit. Tom Casady spoke about technology changes over the years and how they changed law enforcement.
The telephone was a big innovation from the 1930s, and is still a critical tool today.
Cars and motorcycles changed everything for the average policeman patrolling the street on foot. Harley-Davidson credits Detroit, Michigan as being the first purchaser of police motorcycles, as early as 1908. The use of cars and motorcycles by police was widespread by the 1930s.
Two-way radio, with the invention of the Motorola Police Cruiser Radio Receiver in 1936, again changed policing for the better. This was a rugged one-way car radio designed to receive police broadcasts. These have of course evolved into the police scanners we know today.
In 1968 the first 911 call centre began where people could contact police on a simple but easy number to remember, in an emergency. This highly successful contact is still used to this day.
The typewriter was used from the early 20th century and has of course evolved, from the 1960s on, into the computers and laptops that are used today.
Finally, in 1974, the stun gun was invented. It became an invaluable tool to subdue fleeing or potentially dangerous persons, and gives officers a less lethal alternative to firearms in many situations. As many lives as it has saved, it is still a subject of controversy, as its use has been implicated in some instances of serious injury or death. But having seen its use over the years, and in particular the British police recently using this device to subdue the two terrorists responsible for the killing of Drummer Lee Rigby in Woolwich on May 22nd, I do agree with police being armed with them.
Of course technology has evolved from all this to the brilliance of what we have today: from cell phones, laptops, augmented reality and wearable technology (cameras, voice recognition, facial recognition), to predictive analytics, DNA biometrics, embedded GPS, and to social media, using Twitter and Facebook as a means of getting information from the public at the time and place of a crime or disaster.
There are a few articles and more information on this subject below:
Bradley Manning, US Army soldier who released 750,000 documents to wikileaks
Jacob Tyler Roberts, another young man who shot up an Oregon mall
Adam Lanza, young man who killed 26 at a Newtown, CT school
Marijana Bego, NYC art gallery owner who jumped to her death yesterday
The answer? One or more people knew something was wrong BEFOREHAND.
I am now convinced that in EVERY incident, whether it is a tragic shooting, a terrorist act, espionage, or a sole suicide, there were signs ahead of time that something was not quite right with the individual(s) involved.
So what can we do? We have to take better care of each other. When we see signs that someone isn’t quite the way they used to be, call them on it. Ask questions. Take action BEFORE something bad happens.
Scared that you’ll embarrass them? Scared you’ll embarrass yourself? If so, just think how you will feel if you don’t take action and something even worse happens… how will you feel then?
In Bradley’s case, the Army knew there were reasons NOT to put him in a position of trust, and they did anyway!
In Jacob’s case, his own roommate said he acted weird and talked about moving and selling his possessions!
In Adam’s case, the school district security officer knew he had disabilities!
And, in Marijana’s case, many people around her knew she was erratic and not happy.
I would hate to be in any of those people’s shoes…
So, for 2013, let’s try to take better care of each other, and vow to intervene early; maybe we can save a life.
“When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization’s information systems any harm; something happens to them, either in their personal or work life, that changes this – the CEO or Agency Head must be held responsible for making sure they know what’s going on with all of the Johnnys (and Janes) in their organization to prevent the good people they hired from becoming insider threats.”
While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.
On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland; here is a video recording of my presentation. I hope you find it informative and useful.
I just found this report published by the National Criminal Justice Reference Service (NCJRS). Developed by Nils Krahnstoever, General Electric (GE) Global Research, it describes the development of a wide range of intelligent video capabilities relevant to law enforcement and corrections, and describes features of video surveillance that can help to enable early detection and possibly prevention of criminal incidents.
The British Standards Institute (BSI) issued an ISO/IEC 27001:2005 Lead Auditor (TPECS) certificate to Chuck Georgo today.
ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
NOWHERETOHIDE will be publishing a series of blog posts over the next few weeks to help educate organizations about the standard, its criteria, and strategies for achieving compliance.
It is important to understand that ISO/IEC certification is not a one-off exercise. To maintain the certificate the organization will need to both review and monitor the information security management system on an ongoing basis.
So it’s no great revelation that public safety has benefited greatly from public private partnerships, and I’m cool with that, especially when we are dealing with technology that saves lives. However, a press release hit my email inbox today that made me think of the risks to security and privacy when we implement innovative technologies.
Before I get into the story, let me be v-e-r-y clear… I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast aspersions on any of the organizations involved in the press release… this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy – when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.
Here’s the press release from Gatso-USA:
GATSO USA Forms Unique, Strategic Partnership with Nlets
Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.
Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.
From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.
From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago… (more about Nlets was deleted).
The main points I took away from this press release were:
Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
Because it’s behind Nlets firewalls, security is not an issue.
Again, please don’t call me a party-pooper, as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enabled direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.
After I read the press release, I thought that it would be a good case study for the topic of this blog – it involved innovative use of technology for law enforcement, a pseudo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing – some might even say it had all the makings of a Will Smith movie. 🙂
To help set the stage, here are a few facts I found online:
Gatso-USA is a foreign company, registered in New York State and operating out of Delaware; its parent company is a Dutch company, GATSOmeter BV.
Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
Finally, there are no sworn officers involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free (Gatso/Redflex is given a piece of the fine for each violation).
There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdictions across the U.S., and outsourcing traffic violations is not new… BUT what is new here is that a sort-of-government agency (Nlets) has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada… should we be worried?
Maybe; maybe not. Here are nine questions I would ask:
Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
Data Access: Will Gatso/Redflex have access to the entire registration record? Or will access be limited to certain fields?
Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
Network Security: Will overseas developers/site support staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nlets systems/networks from abuse/attack?
Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And are they satisfied that their constituents’ personal information will be protected?
Audit/Logging: Will all queries to vehicle registration information be logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to a foreign-owned company? Will they care?
How these questions are answered will determine whether or not we should worry…
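The Data Access and Audit/Logging questions above are only useful if someone actually turns the answers into a check. The script below is an added example, not code from Nlets, Gatso or Redflex: it assumes a simple one-lookup-per-line log format, an approved minimum field set, an approved hours window and a per-user daily volume limit (all constructed for the illustration), and flags the four patterns a log reviewer would want surfaced: fields pulled beyond what is needed to mail a citation, lookups with no violation reference, off-hours activity, and high per-user volume.

```python
"""Audit-log review for third-party vehicle registration lookups.

Added example (not Nlets', Gatso's or Redflex's code). The log format, user
names, field names and thresholds below are assumptions constructed for the
illustration; a real deployment would take them from the hosting agreement.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: one registration lookup per line.
# Format assumed: <UTC timestamp> user=<id> plate=<plate> state=<st> fields=<a,b,...> ref=<violation id or ->
SAMPLE_LOG = """\
2011-05-16T14:02:11Z user=gatso_ops01 plate=ABC1234 state=NY fields=owner_name,owner_address ref=V-20110516-0001
2011-05-16T14:05:42Z user=gatso_ops01 plate=XYZ9876 state=MA fields=owner_name,owner_address ref=V-20110516-0002
2011-05-16T14:09:03Z user=gatso_ops01 plate=DEF5566 state=NY fields=owner_name,owner_address ref=V-20110516-0003
2011-05-16T14:12:57Z user=gatso_ops01 plate=GHI7788 state=NJ fields=owner_name,owner_address ref=V-20110516-0004
2011-05-16T02:17:09Z user=rf_dev07 plate=JKL4455 state=CA fields=owner_name,owner_address,date_of_birth,driver_license ref=-
2011-05-16T02:18:30Z user=rf_dev07 plate=MNO1122 state=CA fields=owner_name,owner_address ref=-
2011-05-16T15:10:00Z user=gatso_ops02 plate=QRS3344 state=TX fields=owner_name,owner_address ref=V-20110516-0005
"""

ALLOWED_FIELDS = {"owner_name", "owner_address"}  # assumed minimum needed to mail a citation
BUSINESS_HOURS = range(7, 20)                      # assumed approved window, 07:00-19:59 UTC
DAILY_VOLUME_LIMIT = 3                             # assumed per-user/day limit (kept low for the sample)


def parse_line(line: str) -> dict:
    """Parse one 'ts key=value ...' record; timestamp becomes tz-aware, fields a set, '-' ref becomes None."""
    ts_text, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["fields"] = set(rec["fields"].split(","))
    rec["ref"] = None if rec["ref"] == "-" else rec["ref"]
    return rec


def review(log_text: str) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings for every record or user that trips a rule."""
    records = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings: list[tuple[str, str, str]] = []
    per_user_day: Counter = Counter()
    for r in records:
        extra = r["fields"] - ALLOWED_FIELDS
        if extra:  # data-minimization check: fields beyond the approved set
            findings.append(("excess_fields", r["user"], f"{r['plate']}/{r['state']} pulled {sorted(extra)}"))
        if r["ref"] is None:  # every lookup should trace back to a violation
            findings.append(("no_reference", r["user"], f"{r['plate']}/{r['state']} has no violation reference"))
        if r["ts"].hour not in BUSINESS_HOURS:  # activity outside the approved window
            findings.append(("off_hours", r["user"], f"lookup at {r['ts'].isoformat()}"))
        per_user_day[(r["user"], r["ts"].date())] += 1
    for (user, day), n in per_user_day.items():
        if n > DAILY_VOLUME_LIMIT:  # bulk pulling is the classic sign of misuse of authorized access
            findings.append(("high_volume", user, f"{n} lookups on {day} (limit {DAILY_VOLUME_LIMIT})"))
    return findings


def summarize(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per rule, for a daily report line."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for rule, user, detail in results:
        print(f"{rule:14} {user:12} {detail}")
    print(summarize(results))
```

Running it against the constructed log flags the two overnight lookups by the development account (excess fields and no violation reference) and the operator who exceeded the daily limit; the point is that each of the nine questions maps to a concrete rule someone at Nlets could run every day, rather than to a firewall that is assumed to make security a non-issue.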
Did I miss any other important questions?
Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonight’s news, like St. Louis (“St. Louis Police Department computer hacked in cyber-attack”).
The bottom line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitive data and PII from leakage, direct attacks, or misuse and abuse.
As always, your thoughts and comments are welcome.