Steven Bay Presents "Edward Snowden and Defending Against the Insider Threat"

Captions
The next talk is going to be really, really interesting. We've got one of our prior rock stars from last year's cyber event in San Jose, Steve Bay. He is here today. Well, first of all, most of you probably know the name Edward Snowden. Is there anybody in this audience that doesn't know that name? Steve was Snowden's manager, and for the first time today he's actually going to publicly talk about what happened while he was his manager and talk you through that, because what he wants you to walk away with is how you can identify and prevent a similar type of threat in your own organization, and be able to deal with it the way he had to deal with this particular situation. So, returning rockstar Steve Bay.

Well, it's good to meet all of you. Thank you for the introduction. I'm very grateful to be here today. I actually got called two weeks ago to fill in; I'm a bullpen pitcher here for this event, but I'm glad to be here. So, as was explained, I was Snowden's manager. I ran Booz Allen's NSA Hawaii work and hired Ed into our company. He worked for me for about a month and a half before he fled the country, and I was fully engaged in the hunt and all the aftermath that happened with Ed. As he mentioned, I was with Booz Allen up until June, and I really couldn't talk about this situation while being employed by them. As you can imagine, it's a very sensitive subject for Booz Allen. But I recently left Booz Allen and am now the chief information security officer at a company called NuVasive. They're a medical device company out of San Diego; they focus on spine surgery.

So, a little bit of my background, just to give you some introduction on who I am and what I do. My intelligence career started out as a Persian/Farsi linguist with the Air Force. They have a training school up in Monterey; I spent two years there learning Farsi, then got stationed at NSA in Maryland, where I translated
documents. For any of you who don't know, being a linguist is terrible work. You'd get a document, translate it, put it in another folder, and that was it; I was a translation monkey. It's rough, but I did get some training in networks and technology. I'm not formally trained as a cyber person or a network person; I've got an MBA and a master's in international relations, but I've done cyber for a long time. When I left the Air Force I joined Booz Allen working on an NSA contract, and they put me in NSA's cyber shop, and really from then until 2013 I was tracking hackers. I started out looking at intrusions and kind of swimming upstream, very similar to the kind of stuff Brian's been talking about in the previous presentation. Then I moved to Hawaii, ran our work in Hawaii there, and looked at the cyber threat from a nation-state standpoint, and so it was there that I hired Ed. After the fallout of the Snowden events I couldn't work on NSA anymore, due to very mysterious circumstances, and moved to Booz Allen's commercial consulting side and did that sort of work. So enough about me; that's my background. Let's talk about it.

One quick note again: this is kind of the first time I'm presenting this story, so I'd love some feedback to hear if this was interesting to you, things you liked or didn't like. I also want to recognize that a lot of you in the room, I'm sure, are big Snowden fans. The country's very split on Snowden: a lot of people think he's a hero and a lot of people think he's a villain. I am not a fan of Snowden; I have very negative opinions of him. We got along fine when he worked for me; I liked him when he worked for me. But I don't think what he did was heroic. I don't think what he did was anything good for our country. That being said, I fully respect any of you who do dig Snowden and what he's done. I love that you have that opinion
and you're welcome to it. I don't want this to be a trashing of your beliefs, your ideas, anything like that, but I do want to give you the perspective of somebody who was on the inside of it.

All right, so let me give you some background. I met Ed in February of 2013. I had two positions open. I was looking for highly technical people; well, I had one position where I needed somebody highly technical with kind of a cyber background. The office that I was trying to fill that spot for didn't really care if they had an intelligence analysis background; that's kind of the mold that Ed fit. The other office was one that wanted both intelligence analysis and a technical background. However, Hawaii is not a very good spot to find technical talent. It's just not a hot spot for that, especially technical talent that has a security clearance at the top-secret level and a polygraph, which is what we were looking for. So we were looking for a very unique solution, and Ed was about an 80% solution.

So when I met Ed, we interviewed him. He was an employee referral; one of my employees referred him to me. We interviewed him at a Wendy's in Wahiawa, of all places. The reason for that was we didn't want to interview him on site at NSA Hawaii, because it's just inappropriate to do job interviews there, but Booz Allen's offices were down in Honolulu, which was a half hour away, plus Honolulu traffic is among the worst in the country. So we figured let's find a neutral spot close to work where we could do it, and Wendy's worked great. So we interviewed Ed. He was a highly technical person. He was very passionate about internet anonymization, as he's come out and talked about; he claimed to have run two Tor nodes out of his home. For those of you who don't remember Tor, it's a way to be anonymous on the internet, called The Onion Router. He also claimed to have known a zero-day vulnerability within Tor.
I don't know if that's been verified or anything, but okay, that's pretty neat. So as we interviewed him, we have a set base of technical questions. We start out very basic, right: what are port numbers, what are IP addresses, here's a traceroute, how do you analyze it, those sorts of things. It was clear as we went through these questions that it was all very elementary to Ed, so my technical director, who was there doing the interview with me and is way more technical than I am, took over the interview and basically (he didn't ask this exact question, but it's kind of how I encapsulate it) said, all right, I've configured a server this way, how do you hack it? And they basically nerded out for an hour. It was a really fascinating conversation. I didn't try to interject too much, so I wouldn't look like an idiot, but those guys really had a good time and I was able to follow along. Needless to say, at the end of the conversation we were both pretty impressed, and we both felt inclined, because of the nature of his background plus the big need, to put him in the organization that needed an analyst, not just a technical person, which wasn't a perfect fit for him but ended up being good for us, as good as it could be in the long run.

A little more background on Ed: he was a Dell contractor before he came to Booz Allen. He was a sysadmin. In fact, the person who gave us the employee referral met him by having a computer issue and taking it to Ed; they got to chatting, and then she got his resume and sent it to me. So Ed wasn't, I don't know if this is popular belief or not, Ed was not anybody senior. He didn't have any special accesses; he didn't have access, and I'll get to the PRISM program a little bit later. He was a relatively junior person at the agency. Prior to coming to the NSA he did spend a short time in the military, and he worked for CIA for a time, I believe both in
Europe and Japan. I've heard from a couple of sources, nothing verified, that it may have been as early as 2007 or 2008, when he was in Japan, that this idea of doing this and taking this information sparked. Again, I don't have a whole lot of evidence of that; that's just things that I've heard through the grapevine of the intelligence community.

All right, so, working with Ed. Ed started with us. We extended an offer to him at the end of February and he started with us on April 1st. We sent him to Maryland for two weeks for training; he didn't have an intelligence analysis background, we needed to get him some, and that's where our top talent was. So we sent him for two weeks to Maryland, he got some training, and he joined us on April 15th. We ended up putting him in a cyber role where he was kind of tracking hackers, similar to what I did in Maryland before I came to Hawaii. Again, he didn't have the intelligence analysis background, but the training helped a lot, and honestly Ed's a very, very smart guy. If you haven't seen the interviews: he's a very smart guy. I know a lot of people who are anti-Ed like to try to downplay how smart he is, downplay some of those sorts of things. That's not the case. He was a smart guy, highly technical. I'd say the only really negative character trait that I noticed was he was arrogant, but a lot of people are; what's the big deal? So I didn't have a whole lot of negative concerns about Ed.

So he started with me around April 15th. We never did talk about privacy in any official capacity. He never complained to me about what NSA is doing and its programs; he never shared any concerns. An article came out a month or two ago from Vice about how Ed informed the agency. I swear that was the longest article that said absolutely nothing that I've ever read. I read it and I was like, this
article: not only did Ed never tell anybody anything about this, the article doesn't even say he did. It was kind of a strange, clickbait-type article, I thought, as I read through it. Anyhow, the one thing that Ed did do is he liked to talk, and so we had my technical director and a couple of other people who would do training sessions regularly to try to get him up to speed on intelligence analysis, and on one particular night they did get into a very heated debate, apparently, about the Fourth Amendment and about privacy and those sorts of things. But we didn't take that as anything more than people having the right to have their own opinion and the right to share that opinion. We didn't think anything negative of it; we didn't think there was any likelihood of him doing anything against the agency. In fact, he didn't mention anything, any suggestion, that he was about to steal all this data.

The other important point that I want to make is that Ed never actually had access to any of these programs that he revealed. So the PRISM program, which was the very first program that was released, around June 5th or 6th of 2013, that The Guardian released: he never had access to that. I'd say I had two red flags that, as I look back, could have been red flags, but really weren't red flags at the time; if I look back, maybe. One was regarding the PRISM program. We didn't call it that in the agency, but he came and asked me a couple of times how he could get access to that sort of data. I had access to that data, I could run queries on it, but the organization he was assigned to wasn't authorized to see that, and I explained that to him. There was actually one interaction of that sort that I had with him where I shared a little bit too much information, which caused me to lose my access to the agency two or three months later during the investigation; I didn't even remember it. But he never had access to it. He
never really understood how the program worked. He never understood the technologies behind it, and certainly never understood the oversight and compliance and the hoops you had to jump through for any of these sorts of things. NSA took oversight and compliance and protecting civil liberties extremely seriously. We were trained on it constantly, over and over and over and over again. I can't speak for other compartmented elements of the agency, but in the areas that I was in and the accesses I had, we were very, very strict on protecting US person data.

So late April comes along. He starts being late for work a couple of times, and his government boss comes to me and says, you know, he's doing a great job, he's really mentoring our people well, training them up, but he's starting to come in late for work; I don't know what's going on. So I talked to him about it, and he tells me that he has epilepsy. He's like, well, it's not the kind of epilepsy where you really have seizures in the middle of the floor or anything like that; it's more that you're kind of sitting there and just kind of black out. And he said the problem comes with driving: if I'm driving to and from work and I black out, I could crash, and those sorts of things. I don't know what's going on; I've had it for a while, we had it under control, and now it's starting to flare up again. So obviously, as his manager, I tried to offer support: all right, well, take all the time you need, make sure you get help for it, if you're going to miss work just give me a heads-up so I can let your government leads know, those sorts of things. Kind of a standard operating procedure.

So the middle of May came, and around May 16th or 17th, a Thursday or Friday, he contacted me, either came to my desk or emailed me, I can't remember exactly, and he tells me that the epilepsy is getting a lot worse. Monday and Tuesday I'm going to
be in all-day medical appointments and I'm going to be out of work, and if those tests go bad I'm going to have to take some time off work. This was the other red flag. This is the one thing that I did notice was really weird. I said, all right, well, you know, you have my support, hope everything goes well, that's too bad for you (I said it a lot more compassionately than that, of course), but let's get short-term disability in play, let's contact HR and get that rolling so that you can get paid during this. He says, well, you know, I've gone through this a lot; short-term disability is a pain in the butt, I don't want to deal with that again. I think I'm just going to go on leave without pay; I've got plenty of money saved up. Which made no sense to me: it's not hard to get that going, and why would you leave money on the table when you can get paid for it? But, you know, to each his own. If you want to take leave without pay, no big deal.

So Monday, May 20th comes along. It turns out that was the day he flew to Hong Kong. And Tuesday, May 21st, parenthetically, was my birthday. He emailed me and said the tests have gone bad, I'm going to have to take some time off work. I responded and said I'm sorry to hear that, let me know what you need, please get in touch with HR, let's get you paid, let's take care of short-term disability. And Wednesday night, the next night, he emailed me back and said okay, sounds good, I'll get in touch with HR. And that was the last I ever heard from him.

So for the next week and a half or ten days, up to the end of the month, I emailed him a couple of times to try to just logistically set things up, make sure we were administratively taking care of time off and all that. He wasn't responding; it was crickets. Then the end of the month came and timesheets were due, and I wasn't quite sure how I handle this: a guy who's not responding, he hasn't submitted his timesheet. How do you
handle this? So I called my boss, who lived in Georgia, and informed him that Ed wasn't responding to any calls, he's on medical leave even though he hasn't filed any paperwork, and we don't know what happened to him. And my boss, smartly, thank goodness he did this, said, all right, well, I know typically the NSA doesn't really care a whole lot about medical leave, but I'm going to contact NSA security anyway and let them know that somebody's missing. That really was a great move on his part. Booz Allen really followed the NSA protocol; the NSA protocol does address these situations to the teeth, and it really protected Booz Allen, and myself as well.

So that was on a Friday, and the next Monday morning I got a call from NSA Hawaii security. They said, hey, you know, we don't normally (and again, looking back, I think they probably knew a little more than they let on, knowing that something was awry), because they called me and said, well, we're going to help you look for your missing employee. We don't normally engage; NSA security doesn't normally help out on medical leave stuff; if they're missing, they're probably just at home not responding, those sorts of things. But, you know, we're a close-knit family here in Hawaii and we want to help you search for him. So, looking at that in hindsight, they had to know at least a little something, that he wasn't maybe sick.

So that whole week, the first week of June of 2013, we were hunting for him. I spent a little bit of every day driving around the island looking for him, calling him. I called his girlfriend once or twice; no answer from either of them. I drove by his house a couple of times. On Thursday of that week I actually went around the island with one of the NSA security agents looking for him, just trying to contact people that he might know. In my mind, I was worried he was
dead. I was worried he'd had an epileptic seizure of some sort, or blacked out while driving on the island, and driven off a cliff into the ocean. That's what I was concerned about. The thought that Ed could be doing any of this didn't even cross my mind. So it was about that Wednesday or Thursday that The Guardian story broke. It was all over the news; some of you may remember those days. I was blown away. It was the talk of the agency. I couldn't believe that this stuff was getting out there, and we really believed that it was all misconstrued and that the articles weren't accurate, and I still believe that to this day.

So as we continued the search, later that week, on Saturday, after kind of doing my rounds yet again looking for him, one of my best friends, who happened to work with me and went to church with me, and I were chit-chatting about this situation, about my employee who had gone missing, and he made the comment, now wouldn't it be crazy if Ed was the guy leaking all this stuff? And I thought, no way, there's not a chance he would do that. And then I made the comment: that would be my worst nightmare, that would be my absolute worst nightmare.

Turns out the next day everything changed. June 9th, that was a Sunday. I'm Mormon, LDS, and I was in the leadership of our congregation, what we call the bishopric. I was in our bishopric meeting that morning, and I turned off my phone, obviously, being engaged in the meeting. I actually told a little bit of the story, just as an introduction; we were kind of chit-chatting before the meeting started, to all the people in the meeting: I was looking for this guy all week, and then all this crazy NSA stuff, it's nuts, it's been a crazy week. And then the end of the meeting comes at 10:00 a.m.
I turned my phone on. My phone had exploded, and the first text I saw was a text message from this friend of mine. All the text said was: sorry man, looks like your worst nightmare came true. I actually shared this story with a BYU Management Society about a month ago, and I got really emotional at this point, so I apologize. So I went and found an empty room in the church and I broke down. Every negative thought one could have, I had. I was thinking, I'm going to lose my job, I'm going to be blamed, I'm going to get fired, I'm going to lose my family, I may go to jail, I'm going to be the scapegoat. Then I started thinking about what this does to NSA; what about all of our undercover agents, and what if that sort of information gets out; how many of our people are going to die over this? All these things. Then I started thinking about my employees. I had a team of about 10 or 15 people that worked for me. Are they all going to get fired? These are people relying on me for their jobs. So all this rush of emotion fell over me. I gathered enough composure, I drove home, and I pulled my wife into our bedroom and I broke down again. I just cried on her shoulder saying, it's him, over and over, just in panic. It also happened to be my day to conduct the meeting at church, and so my pride kicked in. I gathered my composure: I can do this, I can handle it, it's all right. I didn't want to admit what I was going through that week. So I got up at 11 o'clock, church started, and I started conducting the meeting, and I stumbled over everything, forgot words to say, half sentences; I was just a disaster. I ended up getting a text from my boss saying he needed to talk, and I spent the rest of the day on the phone with all the Booz Allen leadership, and then spent about three or four hours with the FBI in Kapolei, Hawaii that night. Surprisingly, the FBI guys were totally cool. I was expecting, you know,
to be in that dark room with a hot light shining on me, being drilled. It wasn't; they were really cool guys and they just wanted to talk, and it was nice to hear, despite all those negative emotions that I'd felt earlier in the day, that nobody blamed us.

The next day, Monday, was obviously very awkward at work. Damage control time, right? I couldn't back away from it, I couldn't hide, I had to own it. So the first people I went to see were my direct government clients. I was a really good friend of those folks, because that organization in Hawaii's parent organization was the one that I supported for a long time out in Maryland, so I knew those guys really well. I went and talked to them, and they were obviously, they were pissed, right? They were not happy. But they could only imagine what I was going through as well, so there was a lot of understanding. Surprisingly, the most outstanding comment: I was visiting with the director of NSA Hawaii, and he made the comment, well, you know, Booz Allen got caught holding the hot potato on time, right? And that's pretty accurate. He'd been planning this for a long time. It turns out, as he admitted later on, a few weeks later, he targeted our contract directly. Somehow he figured out that our contract, and what we did on that contract, was the type of data he needed to get access to and wanted to get access to, so he targeted us. I've heard that perhaps the employee that gave us the employee referral coached him on the interview and the questions we would ask. Again, all this is kind of conjecture from my conversations with people that I've worked with, so don't take it as gospel, but that's kind of things that I've learned since. So that's kind of where we're at.

So let's talk a little bit about Ed today. This is the part where those of you who are big fans might not like this slide too much, but that's okay. Again, I don't have
a problem with people who think Ed's a hero. It doesn't bother me at all; just different points of view on it. Okay, so, one: I do believe that Ed has given up the goods to Putin, 100%. There's no doubt; I just don't see any way in which he couldn't have. I flip the situation, right: if a Russian intelligence analyst came to America with terabytes of top-secret Russian data and asked for asylum, I don't think the CIA is going to put him up in an apartment in Boise and say have a good life. I think they're going to put him in an apartment in Arlington and park a CIA agent as a roommate with him and next door to him and say, your price of admission is all that data. There's no doubt in my mind that's exactly what's happened in Russia. So that's one thing that really, really bothers me, and that's this quote by the head of German foreign intelligence as well. I also have been doing some research and reading on it. Again, I don't have my clearance anymore, so I don't have any inside information, and if I did I wouldn't share it with you anyway, but the damage he's done is immense. It's really, in many respects, at least from what I've read and what I understand, close to crippled NSA's collection capabilities, and potentially enabled terrorists, though terrorists are operating differently, nation-states are operating differently, because they now understand how the agency does what they do. Right? So in the intelligence collection that we gather, the data itself isn't the most sensitive aspect of it; it's how you get that data, and that's what Ed revealed. The other thing I wanted to point out is I did do this analysis as I went through it. I looked at all the releases in that month of June; I think there were 13 different releases. Only three of those releases had anything to do with domestic collection. The other nine or ten were legitimate foreign
intelligence capability that was perfectly legal, and I would argue that the other ones were technically legal too; they'd gone through all branches of government approval and judicial approval. But we can debate that another day. Again, that sort of analysis, as I think about it, tells me his intentions weren't altruistic, but again, people are welcome to their opinions on it, and there's varying evidence on both sides.

All right, so that's kind of the story of Ed. I could get into a lot more detail; I want to try to keep it in time. But really the point of sharing this, because this is a cybersecurity conference, is I want to talk about the insider threat, right? Ed was a massive insider threat. He was, in my mind, the ultimate insider threat. He is a person who had an agenda. He'd been planning this for a long time, possibly as early as 2007, as I'd mentioned, and I mentioned that he targeted Booz Allen and our contract specifically. There's no way he could have joined us on April 1st and thought, whoa, look at all this that's going on, and then all of a sudden decided he's going to start pulling terabytes of data out of it and then flee the country within a month and a half. I don't see any feasible way in which that could have happened.

So what are some lessons we learned? The other thing that really gave Ed an advantage was that he came from an IT shop to an analyst shop. You can imagine at a place like an agency, where there's sensitive stuff going on, and this even happens at companies like the company I work for: separation of duties, right? Your IT people are going to have certain accesses to certain data or to certain systems, but may not have a whole lot of access to any sensitive data that they don't need to have access to; they're just making sure everything's running. Whereas, in an agency's case, your analysts are going to have no access to the systems but have access to the
data, and that sort of separation is important, right? That's one of the ways they internally protect. Well, he was a sysadmin on Friday and he was an intel analyst on Monday, and even when he came in, from what I understood of what I've read in the news articles, the agency didn't take away his admin privileges immediately. As a result he had super-user admin privileges as well as access to the intelligence analysis, and as a result he was able to flip a switch on removable drives and enable his removable drives. Most places, hopefully including your companies, hopefully removable drives are disabled, if not physically destroyed. They were logically disabled, but there were certain things he was able to do because of just missed protocol that enabled him to do what he did. So Ed was really that ultimate insider. He had a plan; he got in touch with the journalists, I believe, in January of that year, so he'd been talking with people about it and kind of planning it for a while. He knew what he was doing, and obviously the damage that's been done is immense.

So let's talk about what insider threats are and who the insider threats are. The reality is your single largest vulnerability at your organization is your employees. It's the people that work for you: it's your HR person, it's your science researcher, it's your executive, especially anybody outside of IT or security, because they're not thinking about security. They don't know anything about it. So your largest vulnerability is your employees. You can see this up here: a full 62% of end users say they have access to data they probably shouldn't see, and only 25% of the IT people in their companies monitor all employee and contractor email and file activity. So there's a big gap between the amount of data that people have access to and what they should have, and then what is monitored. That's a gap that needs
to close, and too few companies really recognize and understand the threat. I started at my company two or three months ago now, so I'm brand-new at it. I've been meeting with all levels of leadership, different business lines, people who have no idea about technology, and I had one of our products guys talk to me and say, you know, I'm not really sure I understand why this is important to me. He ran all of our R&D; he was our R&D guy. I kind of had to break it down for him and explain the China threat and the Russia threat, the kind of stuff that Brian talked about just previously, and as I explained that to him the light bulb turned on a bit. But there are people like that who don't think in those terms, right?

So I'd argue one of the biggest risks we have from an insider threat standpoint, and the reason why your employees are your big threat, is email use and web browsing. Phishing is a big issue. From my experience, a significantly high percentage of the breaches in a company occur via email or web usage: somebody clicking an email, an insider clicking an email, allowing a piece of malware to drop on a system, those sorts of things. So it's really important that we train our people on email use and web use. Another big area is unauthorized use of online file shares. This is the problem my company's dealing with right now. We, as a medical device company, have salespeople all throughout the country, and in the industry there are always companies that do this, so it's very incestuous; you go from one company to another company to another company. Well, if I'm going to go to another company, why not just siphon off all of my data and as much information as I can and go to the next company? That way I can get launched off to a great start at this company. So a lot of the ways in which they do that is they'll post up to
Dropbox or box.com or OneDrive or Google Drive or whatever, and pull information off the network. Another big area is laptops, and still the mobile devices, where, again, like for our salespeople, they have all their sales data on their laptop, and they leave the laptop in the car and go out for lunch, come back, window's broken, laptop's gone. So those provide a huge risk area as well.

Now, the more damaging, though less frequent, threat is your malicious actors. This is a Snowden type of situation, right? So these are disgruntled employees, perhaps departing employees that I kind of talked about, planted insiders. I just gave a few examples here of things in the news that I've been reading about. Just last month it was reported that an FBI techie admitted to being a Chinese spy, so they had a physical human intelligence person, probably wasn't even a trained person, probably just a Chinese national that they recruited, that worked in the FBI and was feeding information to the Chinese. Sage, a company in Britain, had a big data breach; an employee was arrested in connection with that, enabling that data breach willingly and knowingly. Snowden again; we can debate whether, some people think he is an FSB person, some people think he's altruistic, but those are just some of the things that we've read about him. Then the Sony breach. Honestly, I'm still not 100% sure it was North Korea. I'll take the government's word for it, but it seems a little fishy to me; there has been some talk and questions. And even if it was a North Korean event, was an insider involved, considering the breadth of damage that was done? So malicious actors can do a huge amount of damage within a company.

All right, so how do you defeat insiders? There are a whole bunch of different ways to do it. Let's start with what I would say is the easier problem, somewhat, which is your employees who are not malicious, your
standard everyday employee. One, education and training is absolutely critical. You need to have some sort of mechanism in place to do, you know, online training, send out fake spear-phishing emails and kind of rickroll them, if you will, hold town halls. Just education, education, education. Get them thinking about how do you spot a bad email, because they're getting really good. We've had some at our company that were going to executives asking for wire transfers, you know, from our CEO to our CFO, that were pretty impressive, and luckily we didn't fall prey to it, but they can be hard to recognize. So some things we can do is awareness and training, and then you need to have executive leadership investment in cybersecurity in general. If your organization is one where you kind of get the "yeah, yeah, yeah, it's kind of important, we'll get around to it," it's going to be tough to get anything done, tough to get the money for it, and tough to get the executive support to make changes, and they're certainly not going to be willing to change any significant business processes in order to support you securing the network further. But there are also a lot of technical things we can do. We can employ least privilege, ensuring that each individual only has the accesses they need to do their job. We need to be retaining logs and ensuring that we have some sort of audit trail that we can go back and look at what happened, and more importantly, which ties into the SIEM, security operations, a way to monitor and detect off of those logs, certainly not just intrusion events, which is what SIEMs often are known for and what security operations centers do, but build use cases and alerts that look for things such as a spike in data leaving the network or the amount of data going to unauthorized file-sharing sites. In fact, you should probably just simply block and prevent the use of things like
Google Drive or Box or Dropbox or those sorts of things unless your company specifically uses it. I know a lot of companies today, for instance, are using Microsoft OneDrive to share files and work and that sort of thing. That's great, as long as it's supported by your company and you have security built around that, fantastic, but you need to be preventing unauthorized use of those other sites. Another big area is off-boarding procedures. This is one thing my company is terrible at. I was appalled; like my second week I sat in an off-boarding meeting and about had a heart attack that our off-boarding procedures are terrible. We rarely get computers back from the people who don't work in San Diego, and so we have, from one, the cost issue, right? We're not repurposing our licenses and we're losing computers, so it's a cost issue; we could be saving a whole lot of money if we were to do that sort of thing. But from a security standpoint it's horrendous, because that information is just sitting out there. The former employees do lose access to those computers; our endpoint protections are pretty good, and our IT processes, so they're unable to log in, but it does cause a challenge. And then DLP. This is something my company's really, all my executives get on me all the time: I'm worried about this person leaving and stealing all this information, how are we going to do it? Data loss prevention solutions; there's a lot out there, Symantec's got a good one, there's a whole bunch of different companies that do it. They'll install an appliance or software on one of your servers that will monitor and do specific data loss prevention tasks that you can implement. So these are all different ideas, this isn't holistic, that you can do to secure your enterprise and your network from a malicious insider. You know, you're never going to be able to defeat a malicious insider 100%, right? Somebody's intent on doing something malicious, they're
going to figure out how to do it, but you can make it really hard and you can try to catch them in the act through a lot of these technical solutions, as well as, you know, the education and training. It may not affect the individual insider who wants to do the malicious activity, because they don't care, but if the people that work with them are more aware of the threats, they might... it's kind of that "see something, say something" phrase that DHS likes to share, which drives me crazy, by the way, to some extent, but it's sort of that idea where, you know, if they're more aware, they might identify strange activity that we can look into, et cetera. So those are just some ideas you can take away; look at your organization, how to protect yourself from insider threats. All right, so I like to give takeaways at these events, I like to make these things actionable. So, one, remember that your insiders are your biggest threat. Remember that malicious insiders do the most damage, so make sure you employ an array of technical controls and monitoring. And remember that your average employee, no matter how awesome they are, is most likely going to be your cause of insider incidents, so make sure that you have constant awareness and training, and make sure you have physical or technical solutions in place, those training solutions in place, against phishing and web exploits. So that's my presentation. I hope it was interesting. There's my contact information if you ever want to get in touch, or you're welcome to connect on LinkedIn or whatnot. So with that, are there any questions? Well, yes and no. So when I was at... I didn't hire anybody after that, when I was running NSA Hawaii after that, because of just the fallout of everything. So, yeah, I do prefer today to have more people interview, I have a broader array of people looking into the candidate. For my current company we probably have people go through two or three
rounds of interviews. We have like six or seven different people interview; I have a couple of tech people, I have one of my engineers whose job, like, is to grill on technical expertise, and I also have security who will interview them, and I've got other various people on the team who can interview them as well. So I will say, despite what he's done, knowing what I knew at the time, I would have hired him again, knowing what I knew at the time, right? Knowing what I know now, obviously I wouldn't, but with what I knew at the time, I don't look back and think, man, how could I have hired that guy, that was a big mistake, in terms of just knowing what I knew, right? Yeah, I couldn't... certain things are outside of my control. So any other questions? Well, yeah, so it's still a sensitive issue for Booz Allen. You know, we've had some issues with various contracts; interestingly, this contract that we were on was never a threat. I think it depends on the performance of the contractor. Our contract had a really great reputation at the agency, and we took pride in being better than our government counterparts in what we did; we wanted to be an integral part of what the agency was doing, at least what they asked us to do. I think government contracting and for-profit companies, I have no problem with it. I do think it needs to be constrained to some extent, but the reality is, especially when you're talking about these technical elements, and especially on the cyber side, but anytime you're dealing with advanced technologies, the government has a hard time being able to pay talent what they know and deserve to get. So private companies are in a better position to be able to provide that, and so if a private company can get that better talent and bring them in to the government and provide that service, why not? And there's just a huge competitive arm; there's a lot of people, myself included, I didn't want to work for the government. I saw the
bureaucracy of it from my time in the Air Force. I had no interest; I wanted to be a contractor, I wanted to work for a company that, you know, I felt was going to be able to cut through some of the bureaucracy that I was able to avoid, looking at my government counterparts. So there's arguments for both sides. I don't have a significant issue with for-profit contractors, as long as, again, there needs to be a lot of oversight, they need to be strict in enforcing the rules that are upon them, and they need to actually be doing a good job. You know, you've got to be able to fire them when they suck. I mean, if they're doing a terrible job, don't keep them around. Another hand come up? Oh, Mike McCarthy with DomainTools. I actually have two questions for you. The first is, you mentioned that the Booz contract may have been targeted; do you guys have any hard evidence? Well, he made that, he did, yeah, he made that; what could we do after that? Oh, and I should also note an article went up today: a website called thecipherbrief.com, the reporter posted an article. I talked to her a couple days ago and they posted an article about me presenting here and some of these stories, which you're welcome to check out. Sorry, okay, and the second question: you mentioned that you had access to the PRISM program, we can call it that, but essentially, okay, you also mentioned there was a very strict oversight and compliance process in place. Can you elaborate on what that looks like at all? Yeah, yeah. I won't talk about the program, just because of the classified nature of it, but the oversight compliance: I had two auditors. They audited every query and search that I made to do my job. They audited, and anything that looked remotely suspicious, meaning, not that I would ever, I never and would never search a US person or a Five Eyes partner for anything, but anything that looked somewhat out of the ordinary, I would get questioned on, and so
there was a big process for that, and within the trainings that they give you, they hammered it home: you do not use this to search any US person, US company, or partner as well. So if I understand correctly, Snowden had admin access from the role he was in before, and because that didn't get taken away from him, he was able to use that too? That's my understanding, yeah, that's my understanding. Thanks. All right, if not, how about a big round of applause for Steve Bay.
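The two monitoring use cases the talk suggests building on top of retained logs (a spike in data leaving the network, and data going to unauthorized file-sharing sites), written out as an added Python example. This is not code from the talk, from Booz Allen, or from any product mentioned in it. It assumes a hypothetical proxy log format (timestamp, user, method, destination host, bytes sent), constructed sample lines, and, following the talk's anecdote, that OneDrive is the company-supported service while Dropbox, Box and Google Drive are not.

```python
"""Two SIEM-style insider-threat use cases over constructed web-proxy log lines.

Assumed (hypothetical) log format, one event per line; this is not any vendor's
export format, it simply stands in for whatever the proxy produces:
    <ISO timestamp> <user> <HTTP method> <destination host> <bytes sent>
"""
from collections import defaultdict
from statistics import mean

# Constructed sample events covering three days; no real users, hosts or sizes.
# One deliberately malformed line checks that the parser skips rather than crashes.
SAMPLE_LOGS = """\
2016-09-12T09:01:00 alice GET  intranet.example.local 512
2016-09-12T09:05:00 alice POST onedrive.live.com 2048000
2016-09-12T09:20:00 bob   GET  intranet.example.local 800
2016-09-12T10:00:00 bob   POST dropbox.com 50000000
2016-09-12T10:30:00 carol POST drive.google.com 120000
2016-09-12T11:00:00 carol POST drive.google.com 140000
this line is malformed and must be skipped
2016-09-13T09:00:00 bob   POST dropbox.com 48000000
2016-09-13T09:30:00 alice POST onedrive.live.com 1900000
2016-09-14T09:00:00 alice POST onedrive.live.com 2100000
2016-09-14T09:15:00 carol POST box.com 900000000
"""

# Consumer file-sharing services the talk names. Which one counts as
# "supported by the company" is an assumption for this example (OneDrive here).
FILE_SHARING_DOMAINS = {"dropbox.com", "box.com", "drive.google.com", "onedrive.live.com"}
APPROVED_DOMAINS = {"onedrive.live.com"}


def parse_logs(text):
    """Parse the assumed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, method, host, nbytes = parts
        try:
            events.append({"ts": ts, "user": user, "method": method,
                           "host": host, "bytes": int(nbytes)})
        except ValueError:
            continue  # non-numeric byte count: treat as malformed
    return events


def unauthorized_uploads(events):
    """Use case 1: an upload (POST) to a file-sharing domain that is not approved."""
    return [(e["ts"], e["user"], e["host"], e["bytes"])
            for e in events
            if e["method"] == "POST"
            and e["host"] in FILE_SHARING_DOMAINS
            and e["host"] not in APPROVED_DOMAINS]


def daily_bytes_per_user(events):
    """Sum bytes sent per (user, day); the day is the date part of the timestamp."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"][:10])] += e["bytes"]
    return totals


def egress_spikes(events, factor=5.0, min_bytes=100_000_000):
    """Use case 2: a user's daily egress that is both large in absolute terms and
    more than `factor` times the mean of that user's other days.

    The baseline is deliberately simple (the user's own other days); `min_bytes`
    stops tiny absolute volumes from alerting just because a ratio is large.
    Returns (user, day, bytes_that_day, baseline_mean) tuples.
    """
    by_user = defaultdict(dict)
    for (user, day), b in daily_bytes_per_user(events).items():
        by_user[user][day] = b
    spikes = []
    for user, days in by_user.items():
        for day, b in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            if not others:
                continue  # no history to compare against
            baseline = mean(others)
            if b >= min_bytes and b > factor * baseline:
                spikes.append((user, day, b, baseline))
    return spikes


def run_detections(text=SAMPLE_LOGS):
    """Run both use cases over a log blob and return the alerts by name."""
    events = parse_logs(text)
    return {"unauthorized_uploads": unauthorized_uploads(events),
            "egress_spikes": egress_spikes(events)}


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        print(name)
        for alert in alerts:
            print("  ", alert)
```

On the constructed data the first use case flags bob's Dropbox uploads and carol's Google Drive and Box uploads but not alice's OneDrive traffic, and the second flags only carol's 900 MB day. In a real SIEM the baseline would come from weeks of history rather than a couple of days, thresholds would be tuned per role (salespeople legitimately move more data than most), and the file-sharing list would be the proxy's own URL categories rather than a hand-written set.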
Info
Channel: ieeeComputerSociety
Views: 5,467
Rating: 4.7647057 out of 5
Keywords: Edward Snowden, Steven Bay, IEEE, IEEE Computer Society, Rock Stars, Conference, Cybersecurity, Cyber Threats, Insider Threats
Id: kQVLoNmYtKA
Length: 40min 23sec (2423 seconds)
Published: Fri Sep 16 2016