[BreachExchange] What Hamilton can teach us about insider threats

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 30 14:09:30 EDT 2018


https://www.csoonline.com/article/3267508/data-protection/what-hamilton-can-teach-us-about-insider-threats.html

In cybersecurity, it’s often said that “hindsight is 20/20” when a breach
or leak occurs.

It’s not for lack of trying. The effort is usually there, with many
cybersecurity teams deploying an extensive array of strategies and tools
designed to mitigate risk to property, systems, and data. It’s unfortunate
when an incident occurs, but the key to thwarting future incidents often
lies with a little history lesson.

What can be learned by looking back at past incidents? I found myself (much
like I often do) thinking about this question while taking in the hit
Broadway musical, Hamilton.

I know what you’re thinking: “What does Hamilton have to do with
cybersecurity?” But bear with me – U.S. history can teach us a surprising
amount about cybersecurity threats. While the songs of Hamilton are catchy,
and the musical numbers are impressive, there’s much more to the story.
When I watched the show, I couldn’t stop thinking that Vice President Aaron
Burr exuded all the characteristics of a modern-day insider threat.

A brief history refresher (and definite spoiler): Burr and the musical’s
namesake, Secretary of the Treasury Alexander Hamilton, had a longstanding
feud full of corruption and deceit. Hamilton eventually paid the ultimate
price when Burr shot and killed him in a duel.

This insider threat all started with a form of betrayal that ultimately
changed American history forever…

Hamilton, and the insider threat

Alexander Hamilton and Aaron Burr did not start out as foes. The two were
initially close comrades and colleagues, practicing law together. According
to many, Hamilton looked up to Burr, and saw him as a trustworthy source.
Hamilton had no reason to believe Burr would threaten their relationship,
and later become a malicious actor.

The relationship turned sour in 1791, when Burr stole a Senate seat from
Hamilton’s father-in-law, switching to the Democratic Party to do so (Burr
and Hamilton were originally part of the Federalist Party). Instead of
staying loyal to the Federalists, Burr shifted allegiances for political
gain. This turn of events spiraled into a longstanding political dispute,
exposing Burr’s true nature as an insider threat willing to do whatever it
took for personal advancement, and threatening both political and personal
ties with Hamilton, as they were no longer on the same side.

Over the years, Hamilton and Burr’s feud led to many political snafus. The
tipping point came during the Election of 1800, where Hamilton encouraged
Federalists to endorse Thomas Jefferson over Burr for the presidency.
Federalists typically loathed Jefferson, but Hamilton saw Burr was a threat
and encouraged his colleagues to reach across party lines for the
endorsement. As we know, Thomas Jefferson ultimately became president. Burr
was his second in command.

Burr was furious that Hamilton would double-cross him and sought out ways
to get revenge. As Burr’s ill will against Hamilton continued to build up,
he eventually challenged Hamilton to what became an infamous duel,
resulting in Hamilton’s death. Burr’s rash decisions showcased his true
nature – a malicious foe who wanted revenge and was not going to let anyone
stand in his way.

An intent towards revenge is a mindset often seen with potential insider
threats.

Why insiders are a serious threat

Insider threats in organizations are easily disguised. Just as Hamilton
should have kept his guard up with Burr, organizations need to be careful
to protect data and assets from insiders – even if they seem benign or
trustworthy.

Anyone can be a potential insider threat. I’d like to think that if insider
threat software existed in the Hamilton era, things would have worked out
very differently from a historical perspective. The behavior trends alone
would have indicated intent!

To prevent insiders such as vendors, contractors or employees with access
to key systems and data from becoming the next Aaron Burr, organizations
should start by evaluating their trusted users and current cybersecurity
processes. Individuals, like Burr, who have an agenda for personal gain can
be seen as potentially malicious or posing a risk to the organization. To
reduce risk, companies can benefit from having visibility into user actions
and monitoring trends in behavior.

One of the challenges with insider threats and data leakage in
cybersecurity is the inability of many organizations to detect, in real
time, when users are exhibiting risky behavior or taking out-of-policy
actions. Whether exfiltrated for malicious reasons or through negligence,
once valuable data has been leaked via inappropriate means, there are
people or groups with ulterior motives who will look for opportunities to
use the data to their advantage.

As hackers find creative ways to capitalize on stolen data, organizations
need to put systems in place to identify instances of insider breaches or
leaks in as close to real time as possible. Whether for malicious purposes
or based on user negligence, the results of insider threats can diminish a
company’s brand, reputation, and potentially shareholder value.

How you can identify the Aaron Burr of your organization

It can be challenging—but is of utmost importance—for organizations to
implement processes and technology to proactively detect insider threats,
streamline the investigation process and prevent data exfiltration.

Cybersecurity isn’t just about outsiders trying to get in! Insiders are
uniquely able to access and misuse systems and data in a variety of ways,
yet they are often overlooked when organizations “lock down” their data.

To stop insider threats, both malicious and accidental, organizations must
detect and prevent these threats – before they leak information outside the
organization. When trusted users with access to key systems or information
have malicious intent, like Vice President Aaron Burr, confidential data
and property can quickly become exposed.

So how can organizations avoid exposure of confidential information that
may result in disaster?

It starts with having eyes on the endpoint, striving to always be aware of
how vendors, partners and employees are interacting with and accessing
organizational information. But perhaps most importantly, individuals (and
organizations) need to place their trust not in their “friends,” as
Hamilton did, but in measurable, trend-tracking solutions and processes
that are powerful enough to address the scale of modern-day enterprises and
provide real-time visibility into what users are doing.

While many of today’s insider threats may not make the (global) history
books, the devastating impact of insider threats to an organization’s
finances and reputation will be felt for the foreseeable future. It has
never been more crucial to build processes and invest in solutions that
provide clear visibility into who is doing what, when, where, and why.

By gaining visibility into user activity, organizations will be able to
stem the tide of insider threat risks—and stop the next Aaron Burr in their
tracks.

The Hamilton show was great, by the way.