Insider Threat Prevention: Protecting Your Backups from Within

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we look at insider threats.

Everyone's so focused on ransomware and external attacks, but what about

the person sitting right next to you?

You know the one with admin privilege who just got passed over for a

promotion or that contractor in another country who just got offered

six months salary to copy some files.

We break down the three types of insider threats, the malicious actor, the careless

employee, and the compromised insider.

I share some war stories from consulting.

Persona, brings up some recent cases like the Coinbase and Apple breaches.

I hope you enjoy it.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that there were no backups of the production

database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

This is the backup wrap up.

Welcome to the show.

I am w Curtis Preston, AKA, Mr. Backup, and I have with me a guy who's

really good at asking questions, but not necessarily when I need them.

Asked.

Persona, how's it going?

I am good, Curtis.

Uh, I do ask a lot of questions.

It's not my fault because usually when we're having these conversations,

you're in the middle of something and I'm in the middle of something.

Right.

we're both in the middle of something.

You go, have you thought about the x, Y, Z parameter?

And I'm like, that's really good thing.

Like I'm driving, you're working.

I.

One of us should probably write that down.

Yeah.

No, no, no.

We do write it down.

We do.

We text it, but then the problem is it gets lost in all the texts and that,

would help if we didn't text each other like 157 times a day.

I think it's actually 158, but yes.

Yeah, yeah.

So now I'm like, dude, I need the questions.

And you, what did you give you?

Like structure, gimme structure.

Gimme a document

Yes.

to write it in.

Because I'm so good at structure.

knows, anybody that knows anything about me, knows structure.

Well, and literally all you had to do was create a blank document in Google

Docs and just add and share it with me.

That's all you had to do.

You didn't have to put any content, nothing.

It took, it took so long to do that.

Persona was so long, so much effort.

Oh, Curtis,

Anyway,

but, but here's what, here's what.

But, but wait.

But before we go on, so I think one of the problems you're gonna find though, is.

Like, you know, like in my conversations when I ask a question,

then a follow up, then another follow up, then another follow up.

It's like I don't always have everything up front, so I think

the document might turn into that.

So you might need to comment and respond or chat live about the co. The questions.

So then we can get to the next level of questions.

Google Meet.

Is that what you want me to

No, I'm just saying use it over the phone call and we'll have to

go over the questions because it might spawn additional questions.

Spawn.

Spawn.

That is that.

a movie.

Did you ever see that spawn?

I did not see the movie.

It was a graphic novel and then turned into a movie.

I literally don't remember anything about the movie other

than that there was a creature.

it's also what they do in video games when like you spawn somewhere, like you come

Yeah.

You

to.

Yeah.

Yeah.

So this week we're gonna talk about something that comes up a

lot, and there are some people.

You know, there's a term that comes up a lot called rogue admin,

which is a sort of a subset of this topic that we're gonna talk about.

And there's some people that think that that's a boogeyman

and that doesn't really exist.

What we're talking about is insider threats.

What, uh, and I think it's something that people should be concerned with.

Do, do you agree?

Oh yeah, a hundred percent.

And I think the big thing with the insider threat, like these

are people you are trusting to do something for your company, right?

You've hired them, right?

They have a job, they have a responsibility.

Maybe they're managing your IT infrastructure or your application,

but at a flip of a switch, they could do something that exposes

your company and could potentially cause it irreparable financial harm.

Yeah.

Either, either accidentally or.

I was about to say on purposely, intentionally, either

accidentally or intentionally.

Yeah, and, and it actually, since you did talk about the accidentally

or intentionally, I think it, one thing that we, before this call you

were talking about is sort of like the three types of insider threats

Yeah,

that exist.

Do you want to kind of go over those?

yeah.

So there are, there are three types of insider threats.

One is like the active, actual person that is, um, actually.

Looking to do harm to your organization.

Right?

then the second is the,

you know, the, the, the careless person or you know, the person that isn't

following policy or isn't concerned about security and they do things that

cre that could create the third type of insider threat, which is technically

not an insider, but it's an insider.

has been compromised

Yeah.

they downloaded the wrong piece of software.

They put their, uh, password on a sticky note, you know, they got on a Zoom call

and the sticky note is in the background.

Yeah.

Um, you know, all, all that sort of stuff.

are sort of the,

Yeah.

types that we'll talk about,

Yeah.

And, and, and just quickly on that too, I know a lot of times when, or

when I mentioned it too, right, it's insider, we normally think about, oh,

it's an employee of the company, but remember it might be a partner, it might

be a service provider you're using.

It might be a contractor.

Right.

It might not even be someone in tech.

I think when most people think about the insider threat, they think about the first

category, which is an actual insider.

And, and it could be an employee, a partner, uh, a contractor,

but someone that you have given access to your company.

Right?

And I do think that, uh, there, there was a, a lecture I, I saw one day.

was actually about the merger of Cray and SGI,

Mm-hmm.

um, and the, the person was the cybersecurity person and he was

describing the cybersecurity.

Um, what would you call it?

The, the mo of each organization.

And he described one and I honestly, to this day, I don't remember which one was,

which one he described as a hard crunchy interior with a soft, gooey exterior.

And the other was a hard crunchy exterior with a soft chewy interior.

And I think most companies are the latter.

They have,

Perimeter defenses.

Perimeter defenses, but once you're inside, that's it.

And all

No.

off.

Right?

So.

can think of one company that I worked with that was the former,

and it was because the type of data that they had was so sensitive.

They were, they were very concerned about insider threats and so.

It wasn't assumed that once you were in, you were okay.

You needed to, you needed specific access to access different

resources, not just from a

you know, and, and, and like that, but also like, like where

you were and what you were doing.

Uh, only then would you, would

Was this, was this the same company that basically did not

let you do backups because backups needed to touch everything in the

environment and they were like, Nope.

Okay.

Yeah.

Well, well, I, I think that's a slight mischaracterization of that company.

There, there was a group that didn't want to give me access to

everything, and, and somebody had to like, Hey, hey, hey, Curtis is

doing the thing Leave Curtis alone.

We'll figure it out when the project is done.

Once, once everything has access to everything, then we'll figure

out how to sort of lock it down.

Yeah,

Um, but Curtis has a big enough project enough to do.

I worked on that project 95 hours a week

yeah.

close to a year.

Yeah.

and so I, and it was so difficult that it was actually local here,

uh, but it was like 45 minutes away.

company got me a corporate apartment nearby.

Um, so that I could get four hours

I'm asleep.

Um,

So

yeah.

on this topic though, right, of the sort of the malicious insider.

Right.

Um, one, I don't know if you remember this case Curtis, but there was the

scenario, actually there are two that I'm thinking of and I don't know

if one of 'em kind of bleeds over.

There's, remember there was a company called Unify, which

I use their networking gear.

Yeah.

And they're a publicly listed networking company, and they had a whistleblower

who came up and said, Hey, by the way, this company got attacked and

all these credentials got leaked.

And it turns out he was actually an employee who had stolen the

credentials of the company and had faked the entire attack.

Yes, I do remember that story.

Yeah.

right.

And the only way they were able to prove it was him was because they went and they

looked back at all the data and they were like, yeah, this is actually his data.

And I think he had set up like VPNs to download the data and turns out that,

And

uh,

yeah, they, they correlated like his VPN login to the attack

yeah.

of that.

I do, I do remember

Yeah.

Yeah.

And that is a true, like, number one insider threat.

Yeah.

I think of another.

Probably the most, the most infamous one that I can think of, and I

believe the name was Roger Durio.

Uh, I I, I, I

FBI Agent.

wrong.

No, no.

He was, he was a guy that he didn't like his bonus or he got

let go or something like that.

And so he, to find the story, you Googled logic

Agent.

Oh.

that they used.

He, he basically set off a logic bomb is what they called it, which basically

deleted everything, And, which included like, you know, some of the backups and

Oh,

And, uh.

like, if like his access or his username didn't exist or something like that.

Right.

Yeah.

Yeah.

it just blew up the whole place.

Yeah.

was the first really big one that I remember.

He was caught, he was prosecuted.

Um, but I, I think a lot of these are not caught.

They're not prosecuted.

Yeah.

And when we think about this type of insider threat, like some people

might just throw their hands up and go, well, what am I supposed to do?

They're inside.

What, what can somebody do to, to stop this type of insider threat?

And this is like a lot of what we talk about, right?

It's like, okay, do you at least have the logging and monitoring in place

to be able to capture some of these?

And are you using, uh, proactive security tools to actually flag for anomalies?

Like, Hey, this person is accessing resources, they normally don't, or this

person is downloading 20 gig files.

Is that normal?

From a security perspective.

Right.

And then I think from a backup perspective, I'm sure you

have some ideas around this

Well, I was gonna add to the security perspective.

This is why we talk about the concept of leased privilege, because the idea

is just give the person, each person.

The power that they need to do their job, but only their job.

it, it's probably the hardest part about proactive cybersecurity, right?

Because it's so much easier to just give like you and me all power.

Right?

Uh, you, you've got root everywhere.

Um, and

I, another, another good story, and this is another local

company, happens to be a clothing.

Uh, company and I remember being sent there to install.

I'm pretty sure it was NetBackup.

I was there to install NetBackup and the guy walks in and he goes, he's like

the password for all of those servers.

It's Elvis.

And the password for all these servers is Apollo.

See you later.

And he just left.

Right.

It was the root password right.

That he was giving me.

And then I'm, and so, and, and he just handed me the keys to

the kingdom with no monitoring.

No.

And I'm lugging in directly as root because I'm at the

console, so I can do that.

and then at some point some other guy walked in and was.

Who are you?

Like he sees me sitting there at the server with a root prompt.

like, who are you?

I'm like, I'm the guy doing the thing.

He's like, is nobody watching you?

Is nobody, what are you?

he like, ran out and it was like a whole thing.

But, um, yeah.

So that, that's.

That's, that's what not to

Yeah.

the way, that's another thing that's important to do with the, with the

concept of least privilege, right?

Is you, you never log in as root as administrator.

You log in and you become that and that way, and you establish, you

can establish that both through policy and through technology.

You can say it's just sometimes it's difficult to, to completely

eliminate it, but you can say it's, you can only log in as root or

administrator on the console, for

Yeah.

Um.

You should never be logging in as root or administrator, uh, you

know, directly you should be, uh, you know, suing to it or pseudo.

And even then, you should be like, especially in Lennox and

Unix, you should be using pseudo whenever possible to do the thing.

Yeah.

run pseudo sh

Yep, exactly.

prompt and then you do the thing and then you get out.

You should, the best practice would be to, again, you can establish this through.

Policy, as you can say, when you're doing things that require root, do this.

Yeah.

Um, and, and, and you should try to limit the number of things that require root,

Yeah,

Um, yeah.

so one thing to also mention, I know with this topic we're discussing mainly around

like people accessing infrastructure, deleting infrastructure, but as part

of insider threat, you also have to think about people exfiltrating data.

Yes,

And that's one thing.

So I think just earlier this week, uh, I read an article where Apple was suing a

former employee who had worked on Division Pro classes and had left and joined Snap

mm.

and basically before he had left.

Sorry, I just, I just came to me.

Either Snap or Metas glasses.

I don't know, one of those similar sort of companies.

And before he left, he basically didn't say where he's going.

He gave two weeks notice and then he started downloading a bunch of documents

onto USB drives and walking out with it.

And so Apple sued to basically say, you stole our ip.

Which is critical, right?

When you're trying to be competitive,

yeah,

right?

And so that's another thing to also think about from, uh, insider threat,

is it's also the exfiltration.

Yeah.

Yeah.

And again, that's why you monitor things.

That's why you, you know, and, and when you have something like

that where you have an employee or contractor that leaves, uh, you

should have an offboarding process.

That includes looking at their accounts, looking at their hardware that they

have, uh, and then doing forensic.

Uh, especially anybody that you think that you in any way suspect, right?

Yeah.

pharyngeal, pharyngeal.

We could do digital forensics against that laptop or any other device.

And you, you, you would be amazed at the kinds of things that you

can uncover by having a, you know, a, a, a digital forensics, uh,

Yeah,

process.

and it, but it was interesting though because I was reading the article

and they were saying whatever the guy did, and whatever Apple's policies

are, they're like, we couldn't fully determine what he actually stole

Yeah.

because he had sort of covered his tracks.

Yeah.

from a backup perspective, really it's, the big thing is, is, is applying to,

you know, two things come to mind.

One is applying the concept of least privilege to the backups.

And, and, and I think we, I think we talked about this in the past.

We, we could have a whole other, we should have a whole other

episode about how to do that.

Um, and, and then the other thing that comes to mind is, again.

Immutable, immutable, immutable, immutable that no matter how much power someone has,

they shouldn't be able to prematurely.

You're struggling with words today, Curtis?

They shouldn't be able to prematurely.

That's weird.

I don't know why that's so, it's a struggle today.

Delete backups prior to their, uh, expiration date um, um.

And so that's what, that's where true immutability comes into play.

Um, so let's talk about the,

you, you forgot you, you forgot one, which I'm quite surprised.

what the 3, 2, 1 rule.

No.

Oh,

Four eyes.

Oh yeah.

The,

Yeah.

well, that falls under the, basically the whole lease privilege thing.

But, but yeah.

Another thing you could do with backups is the, the, this thing called four eyes

or, uh, MPA multi person authentication.

And that's where if you're doing these things, which are dangerous

things like reducing the retention on backups, deleting policy configurations.

maybe prematurely expiring backups.

Right?

Whatever it is.

If you're doing any of these things, it requires a second person authentication,

um, and often referred to as for eyes.

Yep.

Yeah.

Good point.

So let's talk about the, let's talk about the second person.

And this, this is the,

Second or,

the second type of insider

Thank you.

which is this, this, um.

Um, lackadaisical, lazy, a person who just doesn't care.

Or maybe let's just face it, maybe they're just dumb.

Maybe they just, they shouldn't be in it.

Um, or that they shouldn't have privileges that can do damage.

Right.

And we've talked about, this is where the thing that comes to

mind here is like, know before.

Mm-hmm.

The, this idea of, of a company that you use test the cyber

intelligence of your team.

Right.

And, and I'm a big fan of that.

I, I don't wanna necessarily endorse know before, I don't, I'm sure they

have competitors, but they're, they're, they're, they're the ones that I,

that, that I know of, the, the most, we used them, uh, at a previous employer.

And, um, I do want to make the point.

Though that if you identify someone who, um, is not doing the right things, it's

not about publicly shaming that person.

Right.

It's about, um, identifying the weakness doing education.

Now, if you identify the weakness, you do the education and then

nothing sticks.

Um, at some point you, I don't think you should be considering

punitive things, right?

Having said that, at some point, if a person repeatedly drinks acid.

Perhaps they shouldn't be in the department that produces acid.

Yeah,

it's like the risk profile, right?

Yeah.

The risk profile.

If, if they're, if they're, if they continue to show being a high risk person,

which is what things like no before do, um, then perhaps it's, it's time to

move them to a less secure, uh, role.

Yeah, I agree with that and I think.

That's something that's probably easy for many companies to

onboard, like most companies have.

Like, Hey, here's your standard cybersecurity policy training.

You should be doing this like once a year and refresh based basically once a year.

Right.

That way everyone sort of has like a bare minimum,

Yeah.

right?

Because

do believe in, I believe in very frequent.

Yeah.

Yeah.

Rather than one giant training once a year, I believe in like monthly or

quarterly, smaller amounts of training.

Because what you're really trying to do is you're really trying to keep it forefront,

Yeah.

to keep that in mind of like, listen, you have power, you

have abilities to do things.

We're not concerned so much about you, but about someone who might become you.

Yeah.

Um, and do bad things,

And also the testing, like I like with no before, right?

It sends out fake emails.

Yeah.

That gets you to try to click and try to phish users and then they're

like, Hey, you did something wrong.

Let's go do some additional training to help you understand

what you should be doing.

Yeah.

And I do believe in some type of reward to people who identify the

fake emails and then, uh, report them.

Yeah.

Right.

Um, I, I, I, I'm a much bigger fan of the carrot over the stick,

Yeah.

Um, and I think I do, I do remember this was somebody that

came on the pod where they, um.

They said that the company had sent out

Flowers

that it, the flowers, yeah.

On's

on Valentine's Day that the flowers were delivered or at the front desk

Click

the person?

Yeah.

And then I think they had said that.

I think it was a woman who received flowers and she like blew it off

because she's like, my husband won't send me flowers or something like that.

Right?

Yeah.

Oh, it, it was the person was a cyber person

yeah,

the, the hus, the wife was somewhat knowledgeable

yeah.

cyber stuff, and she's like, my husband would never send me flowers.

I remember this, I remember saying that a few minutes.

Everybody thought that they were loved.

Yep.

That, that was a little cruel, I think.

But, but I, but I like this idea of constantly testing it, you know, and

stuff and using the carrot and, and, and, and not to stick, but, um, and so

the, the, the third category is really.

The first category, it's just that, and basically how to respond to

it is, is kind of mostly the same.

And that the third category being you now have an insider

that is, that isn't an insider.

have someone who has used some of the techniques like phishing, uh, social

engineering, uh, by the way, social engineering, my favorite reference.

And so again, go watch sneakers please, if you

Yep.

sneakers.

I love that movie first off.

It's just a good time and it's got so many stars in there.

Yeah.

And although there's some tech that's like, okay, come on.

You know, like the magic box that can unencrypt everything.

Sure, we'll let that go.

But there's the, the scenes that they do there on social engineering.

And I'm thinking about.

Scene with, uh, Robert Redford, where he's got like a, it's supposed to be

like a box of cake and like balloons, and he's supposed to be let in.

Uh, he's like, oh,

Oh, yeah,

yeah, I can't do his thing.

I can't reach my badge.

Can you, can he buzz me in?

And the guy buzzes him

yeah,

right.

doesn't hurt that he looks like Robert Redford, but.

yeah.

But again, remember, I know a guy

Yep.

does physical penetration testing and he said he has never not gotten into a

place, his job is to get into a place that he's not supposed to get into.

Take a photo and then get the hell out before he gets shot, literally.

Okay?

And uh, and he said he is always, he's always gotten in.

Yep.

engineering is an incredibly powerful thing, right?

Uh, people want to be nice, they wanna be helpful, you

Yeah, so there's an article I recently read in the news about

this third type of insider threat.

So Coinbase, uh, I don't know if you know, they had a data breach recently

Mm-hmm.

and it turns, and I don't remember how many tens of thousands

of account data got leaked.

It turns out that what had happened is bad actors had bribed a contracting firm

in India who Coinbase outsources to.

And that Indian contracting firm basically handed over,

Wow.

account information from Coinbase to these bad actors?

So I'm not allowed to make any Indian jokes.

Right.

No,

it doesn't have to be Indian.

It could be any, it could be a contractor anywhere.

Right.

But everyone's always open to a certain value, right.

everyone.

Yeah, everyone

As a price.

everyone has a price.

Yeah.

Um, and, um, the.

I, I do, I do think that, again, not, not against India, but there

are a number of countries, India, Philippines, um, not sure where else

people do this kind of thing, but what's happening is there, there's an economic

disparity between us and this other country, and that's why we're there.

Right.

And I just think you should take that into consideration when you're thinking.

About, again, going back to lease privilege, give them the ability

to do what they need to do, but realize that there is an economic

disparity, which would, I think make them, when I say easier to

bribe, it's not, it's not that they.

they're personally easier

Yeah.

It's the amount of money, like if I offer them a million bucks, that's a lot more.

Yeah.

I, I, I don't even have to offer a million bucks.

I can offer 'em a hundred thousand and it means so much more to

Yeah,

than, um, you know, whatever.

try and do it.

Yeah.

it's something that you should take into account,

Yeah, and this is where I think it's important to vet your contractors,

your third parties, right, even on an ongoing basis to make sure,

do they have policies in place?

Are they also doing the same sort of monitoring and auditing that you do to

be able to catch these sort of things because you are giving them access to your

systems and your customer data, right?

So.

There's also, uh, there's the famous target story as well, um, where Target

was, um, breached because of a device.

That was connected to their air conditioning system.

That's what, that's what I remember.

And, and it basically, it was traced back to poor cybersecurity

practices on the part of

The um, air, the HVAC system.

Yeah.

Um, so you're, you're, you're always, you're only as strong as your weakest

link and your links everywhere.

You're, you're always, you're only as

strong as your weakest link.

One of your links includes

every one of your suppliers.

remember we talked to someone who was doing penetration testing.

They needed to break into a company.

They tried going through their networks, they couldn't get in, and then they

ended up realizing in their lobby they had a TV of a certain brand, so they

went and bought it from the local store, and then they found a vulnerability

on it, and then they basically got into the company through their tv.

yeah, that was Dwayne Lalo.

And that was a great, I, I loved his story.

I loved, uh, we should link to that whole episode here.

That like if you haven't seen or listened to that episode, you really should.

And one of my favorite parts that he go, that he goes into there is

how much he loves the backup system from a red teaming perspective.

Right?

Again, red teaming is the, the sort of proactive.

or proactively attacking a company for the purposes of looking

for vulnerabilities, right.

Yeah.

opposed to the blue team, which is the defense team,

Yep.

uh, which is our, our friend Mike Saylor.

Yep.

So, um, yeah, we need to have Dwayne back on.

I'm sure he is, got more stories,

Oh yeah.

yeah, so again.

The, the, the second group of the, the, the, you know, the lame people

creates the third group, which essentially becomes the first group,

Yep.

right?

And so this is why, again, going back, this is why that yes,

you need to do all the things.

You need to do the monitoring, but you also need to do.

concept of leach privilege and, uh, just limiting what an individual person can do.

Right.

And, um, you know, the HVAC controller be able to send controls reports of

how cold it is, and that's it, it shouldn't be able to log to a server.

Yeah.

that's a, you know, that's exact exactly the kind of

thing we're talking about here.

Limiting.

And, and you know, our former employer was really good at that with, with,

you know, the cloud design, where it's like the, their S3 buckets could

only be talked to by the systems that, you know, did the backups.

Right?

Yeah.

even though it's S3, and technically you can get to that from anywhere, but

they had configured it so that only their systems could write to it, right?

Yeah.

um, so even if.

The, the, the, uh, what would you call it?

The, the credentials to access that S3 account got compromised.

You wouldn't actually be able to get to them, right.

To get to it.

the kind of thing that we're talking about is locking down as much as you can.

Again, it's so hard,

Yep.

right?

The, the responding to the insider threat is probably the biggest.

Challenge that you have.

Right.

And uh, and I do just want to throw out a couple of stats here.

Uh, there was this, uh, great report from gul I, I don't know how to pronounce that.

G-U-R-U-C-U l.com.

They had their 2024 insider threat, which by the way, it gave us the whole.

Idea to do this episode, and they showed that in 2024, uh, so in 2023, only 40, I'm

sorry, 40% of people companies responding, said that they had no insider uh, attacks.

Right.

Um,

That they knew of.

number that they knew of.

Yeah.

That number in 2024 went down to 17%.

Yeah.

so basically 83%.

Felt that they had had some kind of insider attack.

Yeah.

Um, they also described, uh, that the insider attacks are more

difficult to respond to, right?

They're more costly, they're more, they take more time.

Um, and, um, according to this, uh, another interesting, so basically they

said 45% felt that it took a week or longer to recover from an insider attack.

Uh, I thought that was, um,

you,

know.

They said 55% within one day, and I'm like, really?

so I know on the podcast we talk a lot about natural disasters and ransomware.

And ransomware recovery, right.

Would you say that insider threats are.

Sort of like the next, not necessarily the next wave, but like the things that

are kind of like important, but people aren't necessarily thinking about or

don't have a full plan in place because it's much harder to, like you said, to

protect against, than say like ransomware attacks or other things where there

are like certain best practices that people have and just it hasn't matured

in the insider threat side of things.

Well, I think that there, there's like a Venn diagram between malware

attacks and insider threats.

Right?

And, and, and it's, it's not a circle, but it, there's a, there's a huge, like 80% I

Mm-hmm.

um, what's, what's

Overlap.

and, um.

And a lot of the things that we're doing to be able to detect and respond to

ransomware attacks will also be able to detect and respond to an insider threat.

But I do think that more people need to specifically be doing design,

looking at design considerations that would help mitigate.

Specifically a rant, uh, an insider attack.

Right?

So much of this, so much of everything in the cyber world, it's like,

it's, well, it's just like backups.

Backups are no good if you didn't make 'em before you need 'em, right?

Cyber defense is no good unless you do it before you need it.

Yeah.

if you do this beforehand, it makes the attack much less likely, and it

also makes the attack less damaging.

You,

Yeah.

you minimize the.

Um, uh, the,

Last radius.

Yeah,

I was also thinking some of the conversations we'd had with Mike, right?

It's like maybe you should be considering insider threat as part of

your tabletop exercises and walking through that as, and not just focused

on sort of like the ransomware side of things or other things like that.

absolutely.

Insider threat.

The,

I

no, no.

was gonna

the silent killer.

Silent but deadly.

Wait,

Yeah.

else.

Um, no, I, I definitely think more, given that a significant portion

of, of cyber attacks are from an insider threat, I believe that that

particular report gave 83% as a stat.

It, it's, it's, I, I don't think enough attention is paid

to the insider threat concern.

Yep.

And just going back to sort of that Apple example, right.

There is intellectual property claims which might be worth billions of

dollars at that are at stake, right?

If you don't handle the insider threat,

Yeah, by the way, another movie that really gets into the concept of an

insider threat in social engineering is a somewhat maligned movie called Takedown

From 2000, it started Skeet Ulrich.

And it's the, it's the somewhat fictionalized story of Kevin Mitnick who

is, uh, you know, he was a black hat.

You know what we used to call a, you know, a black hat hacker that, um, that

got was, he was num, FBI's most wanted

Hmm.

He got prosecuted and he turned, he turned good guy towards the end.

Um, he, he, he's, I should mention not everybody in the

cyber world was a fan of Kevin.

He, he's no longer with us, but I, I, he had some issues with like, allegedly like

taking credit for other people's work,

Yeah.

But.

The, it's another movie that you can watch and get some stuff.

And one of the things that I happen in there, by the way, the, the, um, the,

the real thing happened against Deck,

Hmm.

Um, digital Equipment

Yeah.

And in the movie, I believe they refer to them as Binary Equipment Corporation

is sort of like in, uh, what's the movie?

What's the show?

Best robot.

Evil core.

Robot, they talk about,

Evil core.

I.

They call it Steel Mountain instead

Oh yeah.

Yep.

Steel Mountain.

Mountain.

Yep.

Um, yeah, so, so one of the things is, one of the things that he did was

um.

He called in to a person and said, Hey, uh, you do you guys

have the, the patch of, has the guy been by to put on the patch?

And they're like, no.

And he goes, oh man, that it's really important.

We gotta put in this patch.

I'm gonna send my guy right away.

And he sends this guy, his guy is there not to put in a patch,

but to put in the malware, right?

So it was like a, it was like a two-tiered social engineering attack.

And, um, and then, you know, and then basically his right hand man gets in

there and puts in the back door that they then use to attack the company.

Uh, you know, this is the problem.

You know, we gotta get rid of all the people, dude.

It's ai.

People are the problems.

ai, uh, and,

To our listeners, we are not trying to replace you and say

you do not have a job anymore.

Please continue to listen and support this podcast.

If you like this, please go to your favorite podcast

catcher and like subscribe.

Leave us a comment.

We love it.

You can catch us, watch our videos, and see our lovely faces on YouTube

under the backup wrap up channel.

We got one comment that said we looked homeless.

I'm like, really?

And then he, and then he said like, you know, I was just joking, like, ah, okay.

It's, it's a couple of bearded guys, back when, back when you had your longer

Yeah,

One of us looked a little homeless, I'm just saying.

Anyway.

All right.

Well that's good.

That's that Thus end of the lesson on the insider threat episode,

that's another movie reference.

So that's a reference to the Untouchables,

Hmm

is the movie with Elliot, with Kevin Costner playing Elliot

Ness, taking down Al Capone,

hmm.

by Robert De Niro.

Anyway, thus send it the lesson.

Anyway, um, thanks as always.

Any time, I guess.

documents, get to my, get

I'll get you questions.

I'll add questions with more questions.

How about that?

Of course, of course, of

Yes,

course, of course, of course.

And thank you to you listeners, if you're still with us.

Thank you.

And uh, that is a wrap.

The backup wrap up is written, recorded, and produced by me w Curtis Preston.

If you need backup or Dr. Consulting content generation or expert witness

work, check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that

you hear are those of the speaker and not necessarily an employer.

Thanks for listening.