Insider Threats and the Power of Least Privilege Access

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we explore insider threats using the penultimate

episode of Mr. Robot season one.

Where you talk about Angela getting compromised through extortion.

We talk about Tyrell getting fired and potentially going rogue, and also

Elliot, who basically infiltrated say from day one, the insider threat

is real and it's one of the biggest reasons that you need immutable backups.

We break down the the three types of insider threats that

you need to be worried about.

And we talked about how to protect yourself from each type.

I hope you enjoy the episode.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr. Backup,

and I've been passionate about backup and recovery for over 30 years, ever since.

I had to tell my boss that there were no backups of the production

database that we had just lost.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated admins into Cyber Recovery Heroes.

This is the backup wrap up.

Okay.

welcome to the show.

Hi, I am w Curtis Preston, AKA, Mr. Backup, and I have with me a guy

who I am 100% sure is not going to join me on my latest hobby persona.

Molly, how's it going?

Ana?

I am doing well, Curtis, I, so let's explain to the listeners

and viewers what your latest hobby is, if they are not aware of it.

well, before I explain it, I'll just say that my daughter's reaction when

she heard what I was up to was, that's totally an old man thing to do, and that

is so, so the, it, it's a tack on hobby.

So I've been, I've been.

Diligently walking for two miles every morning.

I've been doing that, you know, basically it's the first thing I do when I get up.

And then what I, what happened was I started seeing that, um, there was

just too much, uh, litter in my area.

Uh, and, and, and you know what I have to say, after having driven

around and seeing other parts of San Diego, this area is not bad.

So if I was in other parts of San Diego, this, this whole thing would be pointless,

but.

I decided to, . At first I decided I'm gonna pick up a

little litter here and there.

And then of course, like, I'm like, oh, well I'm gonna need to bring along

a little shopping bag and then I'm gonna bring, bring, bring along a bag,

and then I'm gonna, next thing you know, I bought one of those bags that

hangs over my shoulder and I got a picker and I'm like some kind of weirdo

picking up litter on side the street.

But, but you need to clarify.

You actually have two bags,

I, I do,

and one for litter.

I have one big bag, which is for litter, and then I have a smaller

bag, which uh, is technically what they call a foraging bag.

It's like for like doing mushrooms and I don't think I'm doing

mushrooms, but, um, and yeah.

And so that's the smaller bag is for the, like the cans and bottles and whatnot.

But, um, because if I'm doing this, I might as well, you know, do that as well.

Right.

yeah.

And it's good though that you're, it's sort of like motivation for continuing

to go on these walks because you're like, Hey, look at these streets.

They're clean.

So I have one question.

Why is San Diego so filthy?

I dunno.

I got why is it not, does it, is this not the problem where you live?

So, yeah, my wife and I, we were just walking like, so we've started also

going on walks or at least trying to go on walks, like whenever we can.

And we walk in our neighborhoods and take a bunch of streets and we do

the same thing, like walk a couple miles and we rarely ever see trash.

Yeah.

I don't see it in the neighborhood per se.

It's when I go out onto the main

Okay.

Right.

Um, college

probably the difference.

Yeah.

'cause I, we don't walk in the main areas.

We just go on the neighborhood residential streets and,

And, and there's, and there's, there's little elements of, of areas where

people clearly litter more, right?

Areas where like, there's nobody looking, basically, like there's

no houses that are looking, right.

So that's where people tend to things like curbs and uh, bus stops, you know,

even though there's a trash can by the bus stop, people seem to litter at the bus

It, and that's because for people, right?

This main thoroughfare you're referring to doesn't have any houses on it

doesn't have any businesses on it.

For the most part.

It's just literally just a main thoroughfare that, yeah.

Yeah.

And so, and what and what and the, and the thing that I see that, that, that

is a constant is it's all fast food.

Like 90% of the litter is, it's stuff that people bought on the way home that they

probably shouldn't have bought, that their wife doesn't know that they're buying.

And, uh, I'm just assuming this is all men.

This is all men with their candy bars and their burgers and their.

French fries and their stuff based on the stuff.

And a lot of cigarettes, a lot of cigarette butts.

I'm not, I, I started at, when I started this, I started with the cigarette butts.

Now I'm like, I'm getting the big stuff.

I'm not, I'm not getting the little tiny stuff.

'cause it's just, it's just too much.

Well, and even cigarette butts.

Here's what I wanna know.

If you're smoking, it's not like you go home and you don't smell the smoke

on you, or you don't enter the car and you don't smell the smoke on you.

well I just think just in general, it, it, it's.

It's easy to flick a cigarette butt out the window and not be seen.

Right?

N nevermind the fact that we live in Southern California and everything's

fricking dry and, you know, you can start a, a fire, but, uh, but yeah, but there's

only one thing, and I I, I know I've told you the one, the, the one piece of

litter that makes me really, really angry.

I do know which one you're referring to, and it has to do with something

that I just did right now, but I did put it away, throw it.

Yeah.

Yeah.

So, you know, for those of you that, you know, when, when you walk your

dog, you're required to pick up the poo and put it in a little baggie.

And so people do it because people are what they see the dog, they see the

thing, and then you, you, you pick it up and then some of these people will then

just toss that bag when nobody's looking.

And that just makes me so angry.

'cause it's like, you made it worse,

yeah.

Well, here's the question.

Is that worse tossing a proper poop bag, or is it worse for the people who

had sandwich bags that they were using

Oh, the worst was the sandwich bag, the open sandwich, like the

old school, like the kind that you just fold over, not the Ziploc.

And they didn't even, they didn't even fold it over or tie it up or anything.

They just tossed it over.

And when I first saw that, because it was a sandwich bag, I literally was

like, oh, somebody threw brownies away.

On that note, how about we

It was not brownies.

It was not brownies.

Anyway, yeah.

So speaking of poop,

oh, wait, wait, wait.

Before we move on, one last thing about this.

So I know that you have shared with me some videos of you

walking and picking up trash.

Is this something that you will be posting for our listeners who may wanna

see kind of what you've been up to?

So I am going to start a YouTube channel.

I, I, I, because you know me, like if I, if there, if it's worth

doing, it's worth overdoing, right?

So I have a, I have a chest mounted camera looking down and so I have a POV of me

picking up litter and I'm just hoping that I can create a YouTube channel,

like those like pressure washer channels where people watch the pressure and

Or the mowing ones.

Yeah.

Like people will get some sort of vicarious joy out of

seeing someone pick up litter.

Um, I, I have a name for this channel.

I'm not gonna say it to 'cause I need to, I need to get it

registered first, but, um,

So stay tuned listeners.

tuned.

Yeah.

Anyway, the things I get up to, I tell you, uh, speaking of stuff

I get up to, let's talk about.

Uh, let's see, what's, what is the, this is, we're up to episode nine, 1.8.

Yeah, I think it's 1.8, episode nine.

Yeah.

It's, um, mirroring and I don't really know where that name came from.

The mirroring.

It's because of like, we will get to it in a bit, but it's like Mr. Robot and.

Oh, okay.

Okay.

All right.

All right.

You wanna do the summary?

Yeah, so this one was interesting, so just kind of a recap from the

last ending of the last episode was Elliot realizes Darlene's his sister.

He goes home, he's like freaking out.

He realizes that, uh, goes back, he realizes that he had erased himself.

He goes and discovers all this stuff on the thing, and then

he realizes that, Hey, Mr.

Robot is my father.

And then you get this pound, pound, pound at the door, and it's Mr. Robot.

Yeah.

he's like, Hey, I need to take you somewhere and show you stuff.

And Elliot follows him, goes back to his childhood home, he pushes Mr. Robot off.

And then, uh, Darlene and Angela are looking for Elliot.

And they search everywhere they can't find him, and they end up going

back to his hometown, to his house.

And then they find him randomly wandering around

Right,

and.

They basically see him at a grave site and Mr. Robot's

there with him this entire time,

right.

and he's like, Elliot, don't let them take me away.

Don't let them take me away.

He's like, what?

And he hides.

And then Darlene and Angela come up and they're like, Elliot, what do you

think's been going on this entire time?

He is like, I don't know.

And then they zoomed down or they looked down.

And then they panned down and that's where you see the gravestone

that he, uh, that Mr. Robot was lying on was actually his dad.

Yeah.

And so his dad is not real.

His dad's all in his, uh, his dad is a mirror of him.

That's what, that's where, I guess that's where the episode came from.

Yeah.

that's kind of the Elliot story.

yeah, that's the Elliot story.

You've also got the, uh, the Tyrell story.

Tyrell ultimately gets fired because he's been just like, everything's just

too weird with all the stuff going on.

So he gets fired, so he is not gonna be very happy.

Um, meanwhile.

hates him.

And if wife, his wife says, I don't, yeah, go fix this or go away.

Don't, you know, just basically like, yeah.

Uh, she, she has the baby.

She has her baby, and then she's like, yeah.

Um, and then, um, uh, she's a very driven, she's a very driven person.

Like she, I mean, driven to the point like when she like stabbed

herself to break her water to.

Yeah.

Save Tyrell.

Yeah.

the last episode.

Yeah.

Um, she, she's like, what?

You know what?

Both of them, he, he clearly, as we've talked about, he

will do whatever he has to do.

Uh, and she will do that as well.

They are two very driven little people.

Um,

So he gets fired.

And then,

fired.

Yeah.

and then do you wanna talk about Gideon at the same time?

Yeah.

So, so Gideon has the thing where he's, he, he finds out that the, that the

honeypot had been deactivated, which we find out, you know, that, that had

happened in the previous episode, uh, where they had done the, they had.

Put in a message pretending to be him.

And, uh, and then we find out he, he's, he's trying to figure this out.

He is trying to sort this out and he goes over to, to, um, to see

Tyrell, and that's when he find out that Tyrell is, uh, has been fired.

Um, and there's also the side story of Angela and Terry Colby and Terry

Kobe's, like trying to offer a job at evil court, which makes no

sense, but I'm sure that will come.

Uh, also there's the, there, the other Angela side story is that the lawsuit is.

Kicking into full force.

Um, and there's that weird story there.

You wanna talk about that?

The, the money.

Yeah, so when Terry Kolbe's at Angela's house and he offers a job, he, she's

like, but we're suing you for millions.

It's gonna cost you an arm and a leg.

And Terry Colby's like, no, we kind of figured that this

would happen at some days.

So we set aside money in a rainy day fund, and that's five times the

amount of whatever the worst case penalty could be from this lawsuit.

So he's like, we're basically gonna be making money either

way, so it doesn't matter.

And they're like, we liked what you did and how you like, brought me down.

And so you've been noticed by people at Evil Corp. So they're like, yeah,

we want Angela, we wanna hire you.

Yeah.

Be, because the entire reason she, they wanted to hire her.

And I don't know if this happened in this episode or the last, but

basically remember she quit allsafe,

Right.

Well, she got, didn't she get fired after the whole losing the Yeah, yeah,

Yeah.

Yeah.

The DAT file thing.

So she was let go from allsafe.

She tried to get hired by the lawyers.

Right.

And they're like, you're too close to this.

We can't let

you in.

Yep.

And she's like, I don't know what I'm gonna do for money.

Yeah.

Uh, and so now she's being offered a job at Evil Corp. And uh, by the way,

there was, uh, a post credit scene.

Oh.

I did not watch a post credit scene.

Yeah, I'm just looking at the thing here.

There's a post credit scene that shows white Rose meeting with the

Evil Corp, CEO, uh, and they discuss a conspiracy, uh, about Evil Corp and also

potentially the murder of Sharon Knowles.

So that should be interesting.

Oh, wait.

And there's one important, important thing that we forgot to mention.

what did we forget to mention?

So Darlene and Elliot are on the way back to New York

from their hometown from

Mm-hmm.

and, uh, Darlene looks at Elliot and is like, do you remember creating f Society?

Do you remember the scene?

They're on the train and,

A little bit, yeah.

yeah.

And he's like, I don't remember Anthony.

He's like, Elliot, we, you created F Society.

You're the one who wanted to do all this.

Uh,

And he's like, I don't remember any of this.

Because I guess probably, uh, foreshadowing into sort of like how

things are like dissonant for him between like what happens with Mr.

Robot versus what happens when he is

right, right, right.

Yeah.

He's got issues, man.

Um, so.

When I looked at this episode, I, I, I, I, I, I came up with this idea.

So when we look at Angela working at allsafe, when we look at Elliot working

at allsafe, when we look at Tyrell working at, uh, E Corp, um, and what, what, what

you have across all of these and now.

Potentially white rose.

I don't even know the, I don't even know what what's going on there.

But what you, what you have at all of these places is you have insider threats.

You have a person who is on the inside who can then easily

become, um, a rogue admin, right.

Or a rogue something.

Right.

We, we talk about this concept of a rogue admin and, and there are those who, who

poo poo the idea that, that say that it, that it's not, you know, that it's not.

Um, that it's like the boogeyman, right?

That, that people like me, because we talk about like, 'cause the insider threat.

Is like one of the things that you can stop with a really good backup

when we talk about, like Microsoft 365, an insider threat with 365.

If you've got all power, you can like not only delete the stuff, but

delete the stuff and the stuff, right?

So, so that's why you need to have like a copy that's immutable, that even the, even

the admin and, uh, can't delete, right?

So.

Uh, I, I make that big point.

And so I talk about the possibility of an insider threat quite a bit,

and I just, I just thought that this would give us a chance to talk about

that and, and the different types of insider threats that you might have.

And you, 'cause you kind of have a, a collection of them

here in this, in this episode.

The thing is, it, it absolutely happens, right?

Um,

talked about episodes where there have been insider threats.

yeah.

Publicly acknowledged ones are relatively rare, but the idea of.

An insider threat.

It, you know, it, not only is it something that you, you need to protect against,

uh, I, I think it's something that it's potentially very, um, what's the word,

uh, damaging to the company as a whole.

can, can you define what insider threat is for people

Yeah.

It's a threat from the inside.

Um, yeah.

Thank you.

So the, um, you know, and in the, the insider threat, the insider threat

is basically some sort of cyber risk, some sort of cybersecurity issue

from a person on the inside, right?

From an employee, from a contractor that has insider access, um, and,

and vicariously, I don't know if that's the right word, but.

You know, related to that, because an outsider can sometimes assume

the identity of an insider.

The insider threat becomes an outsider threat.

Yeah.

Or influence, coerce, blackmail, however you wanna look at it.

yeah.

So when we look at the, the different, um, these three, so Angela Elliot.

Tyrell.

Um, we have three very different insider threats here, right?

So, uh, you know, so just real quick, we've got Angela that was compromised.

We've got Elliot that has a vendetta, you know, against

the company from the outside.

And then we've got Tyrell who has a vendetta of the company from the inside.

These are, these are three very different, and I think that gives

us an opportunity to talk about these different types of ones.

And, and let's talk about Angela first because I think that's a,

I think it's a very common one.

Um, it's the one, because the other two sort of are, if you, if you want to

attack a company, you need to somehow.

Compromise.

Someone that's on the inside.

Right?

Or one of the ways that you can attack a company is to

compromise somebody on the inside.

You wanna talk about how Angela was compromised?

Well, there are multiple ways Angela was compromised.

So I guess the first right is she was compromised through Ollie when

she was given the CD by Cisco, which then hijacked the webcam

and.

not Cisco, the company.

Yes, Cisco, the person who works for the Dark Army, right?

And he basically was threatening or blackmailing her by saying, Hey, I'm gonna

wipe out your dad's financial records.

I'm gonna post pictures of you online and videos, and therefore, unless

you do what I want you to do, then everything's gonna go out there

Yeah, it was a, it was a d multi-pronged extortion attack, right?

So, you know, we have, we have compromising photos and videos of you, you

know, basically naked Plus we've got all this financial information that if it gets

out, you're, you're financially ruined.

Didn't, didn't they bring their father into it as

Well, it, it was because she had transferred money

using her father's account,

Right.

they also had her father's information as well.

So that was

basically steal all their money, all her money, and all her father's money.

Um, and, you know, let's just talk about that.

W when you, when we talk about the second, the second type, the, there's

a, there's a, well actually let's talk about the second type person that I'm

gonna go back and talk about this thing.

When we talk about this first type.

Um.

You know, this can happen from a variety of things.

It can be a person who's compromised in the way that Angela was compromised.

It can also be a person who's compromised because their identity was stolen, right?

Uh, they're compromised in just a different way.

And, um, if, if, as if an outsider has the access to an insider,

right, uh, and can thwart.

The, uh, MFA stuff that we've put up or, or other, uh, security

mechanisms to, to prevent that they are then given the, um, the powers

both good and bad of that insider,

And so this is basically what is currently happening with, I

don't know if you're familiar with, let's see if I get it right.

Shiny hunters and scattered spider.

right?

Right.

Th this is the current attacks that are going on against Salesforce instances

of corporations where they pretend to call into the help desk and ask for a

password reset and use social engineering to then gain access to an insider to

then gain access to another insider and then take over an exfiltrate data.

Yeah.

So that's the, that's one type of insider threat.

Go ahead.

now I know you're gonna talk about the other insider threat, what.

Like Angela had multiple insider threats, right?

She was multiple threats as an insider, right?

So the first is where she was unknowing, unwillingly compromised,

Right.

The second though is where she purposefully did something right that.

She basically was like, screw it, I'm done.

And yes.

Even though she was sort of forced to do it.

Right.

And this is where she took the CD that Cisco gave to Ollie and told

him to upload into Allsafe, right.

That the Dark Army gave him.

And she went in early in the morning, put the CD in the drive and said,

yep, uh, I'm gonna load this.

And that's where the Dark Army then gets a foot foothold into all safe.

Yeah.

So she basically becomes a true insider threat at that point.

Right.

Um, so the, the second one, and, and I think that, um, actually the

second one I wanna talk about is Tyrell, and it's, it's another.

Rather traditional insider threat.

And we've had, we've had examples of this on here where we've, we've had,

uh, incidents that, you know, famous or infamous incidents that we've, uh,

covered where there is someone who basically gets pissed off at the company.

Um, and they are like, they work for the company and they get, they get in

their opinion, they get shorted their bonus, they get shorted their raise,

they get shorted, their promotion.

they, get fired.

they get, they get fired.

Right.

And before they, and unfortunately, whoever, um, you know, does the firing,

doesn't like pull their access first.

Yeah.

Or yes.

And so I'll let you finish and then I'll talk about a case.

Um, but that's pretty much it.

It's basically you, you, you essentially have a disgruntled

employee that, that's the sort of, the second one is you have an employee.

For whatever reason, or, or a contractor, right.

Uh, you have a dis, a disgruntled worker who has the access that they were

granted and they still have that access and now they were upset with you and

they could potentially then use this.

They don't even necessarily want to make money.

Some of them will.

We, we talked about some of those stories.

Some of them.

We'll use this to try to make money.

Others just want to hurt you on the way out.

Yep.

Exactly.

Take down everything, burn it all down, I think is what they

Yeah.

Yeah, exactly

And this is kind of what happened with Tyrell, right?

He base, he was like, Hey, I'm being fired.

I did.

Or well, before he even gets fired, right?

He didn't get the CTO gig.

right.

He was super pissed about that he was being investigated for

the murder of Sharon Knowles.

Go figure.

Right.

Um.

He was investigating sort of this rogue server on the network he

canceled Gideon's instructions to have the honeypot active again.

Right.

Right?

And then he basically gets fired by the CEO

Yeah.

he's like, I did, I put my life into this company.

How dare you fire me?

And then what does he do?

well, and, and his reaction, his reaction basically to CEO.

It, it's funny, you know, I've seen situations where.

I, I, I've been around, I've been around a minute.

I've let some people go and, um, sometimes when you let 'em go, they burn

things down on their way out, right?

Um, if they have, if they're cyber type people, if they're IT type people and

they have access and they're unstable, they could do some really damaging things.

If they're not IT people, they tend to like go try to file lawsuits and stuff

So.

I, speaking of this, I just read in the paper, I think it was last week,

the sentencing actually finished, but there was an IT worker who basically

got fired from his company, but he had a, uh, logic bomb built in

Yeah.

that basically would look up his LDAP to, or his active directory name to

make sure he was still in the system.

And if it wasn't in the system, it would basically go and delete a bunch of things.

Right.

And they basically, it deleted a bunch of things.

Caused a bunch of issues, but he was charged with cyber crimes, right?

And destroying company property.

And I think he was just sentenced last week, I think it was four years.

And one of the reasons he was caught is on his work laptop.

He was searching for like how to hide prompts or how to hide

Damons from being detected and how to issue windows, PowerShell

commands to do blah, blah, blah.

So

Yeah.

Yeah.

smartest cookie.

Not the smartest cookie.

Yeah.

Just for the Tyrell thing though, right?

You said he was super pissed at being fired.

And so in the episode, right, he goes to Elliot's apartment and he's like, Hey, we,

I told you we were gonna work together.

We are.

Show me what you're doing.

And Elliot

he's gonna become the third type of, of insider threat.

Yeah.

Yeah.

Yeah.

And do you wanna cover the third type?

Yeah, so the technically Elliot, well, yeah, so Elliot.

I think like we're still figuring Elliot out, right?

But I think technically Elliot was the third type, and then he became the

second type, be like he got a job because of the being, being the third type.

That's, so the third type is a person actually outside of the organization

who develops a vendetta against the organization, whether it's.

Just purely financially motivated, or it's literally like in the case of,

uh, Mr. Robot, they want to take down evil court because, well, they're evil.

Right?

And, uh, we don't yet have any backstory as to Well, no, we do have some backstory.

Sorry.

We do have some backstory about that he specifically could have some

issues against, uh, evil court because of, um, you know, the, the stuff

that we found out the, the death.

Yeah.

Yeah.

Um, and so you need to have some kind of vetting process to look

for a person who's actually an outsider trying to become an insider.

Right?

But it's hard though,

right?

Because how can

show everything.

and even especially during the pandemic, and now with a lot of remote

offerings like workplaces, right?

It's hard to actually go through because how do you know who you're

hiring is actually who you're hiring?

Yeah, especially with AI now, and yeah, I, I watched, I, I saw a thing and it

was something about this guy used an AI video clone of himself to do an interview.

I'm not surprised.

Yeah.

Yeah.

That'll be more and more, it's sort of like back when, um, back during

the pandemic and these smart students had figured out that they should

put reconnecting on their phone.

Ugh.

Um, so, so let's talk about, you know, the ways that you, how, how

can you respond to an insider threat?

Right.

So the, the most, the, the best way, I think is a proactive way, which

is to, uh, the, the concept that we talk about a lot is that that

is the concept of least privilege.

You wanna talk about that?

Yeah, so this is basically saying if you don't need access to

something, don't give people access or to state it a different way.

Only give access to what a person needs in order to do their job and nothing more.

Yeah, exactly.

It's a difficult cyber principle to enact.

It's so much easier to do the opposite of that.

Right.

To go back, back in the day, basically there were, there

were two people there were.

People who didn't have root, and there were people who had root and

people who had root were all powerful.

There were, there was no rback, there was no role-based administration controls.

Right.

Uh, the, you, you just, you either had root or you didn't have root, and the

root password was the same on everything.

I mean, it was, it was just crazy back in the day.

Right.

But, um, that has definitely changed.

Uh, you give people different parts of the job and, and, and, and I know

I've, I've given this access or this.

This example before, but the best example of how not to do this is

that hospital, and I believe it was Portugal, and this was an eu, um, um,

GDPR violation where they give every pers every employee in the hospital.

The highest level of access in the hospital was doctor, right?

They gave everyone doctor access because it was easier

Yep.

Include the maintenance people.

Including the maintenance people.

And so that was when the G-P-R-G-D-P-R fine them.

'cause basically the GDPR had the, the, the council or whatever, I forgot

the name of the, the governing body.

They, they have the ability to be, you know, lenient or whatever the opposite of

lenient, you know, throw the book at you and they decided to throw the book at you.

'cause they're like, look.

If you had showed us that you would at least tried, but then you failed.

They're like, you gave everybody Doctor Ag, you didn't care at all.

Right?

That is the opposite of of, of lease privilege.

That is all the privileges.

Yeah.

And

why don't you just give 'em surgical privilege while you're at it, you know?

Mm-hmm.

I was reading an article this morning and I actually ran across it on LinkedIn

as opposed to, not sure the truth or the validity behind it, but it basically said

that someone was working at Xai, right?

So Elon Musk, AI company, and they basically downloaded all the source

code, uploaded it to chat GPT.

Or to open AI and then quit The company, sold a bunch of stock and now

worked for Open ai and they basically were like, it's a small company.

The guy had access to everything in the company.

He was just a normal coder.

He downloaded all the things they weren't tracking, like what he was doing, if

he downloaded it via USB, like they had no logs, nothing to be able to

figure out like what he actually did.

So that is sort of, and now I don't know the truth behind this story,

but that is one thing I read.

And I'm like, I don't think it's the only time that this sort of thing has happened.

It always happens.

Like there was another case with Apple where they were trying to charge

two people with posh of downloading, uh, apple Proprietary Secrets and

transferring it to another company.

And it was surprising because they basically said Apple did not

have the logs to be able to figure out what the person actually did.

Interesting.

Yeah, so the, the, the, you know, the, we talked about.

Limiting the access to for each person to the thing that they need to do, just the

access they need to do their job right.

Um, the other thing is, you know, you do need some sort of detection.

What

Yeah.

Yeah.

I was just gonna say, yeah, the monitoring piece, right?

That's the piece that you need

You do need some sort of detection system, right?

So this is where you're, you're, you're looking, this is where AI

can help a lot, where you can look for user behavior, uh, typical user

behavior, and then you look for things that are outside of that norm, right?

Can Before monitoring though, I think there's two aspects.

One, like you said, it's the being able to detect patterns, right?

And look for anomalies like you said.

But I think even more importantly, it's just having the logs itself,

Yeah.

the fact of like what people are doing.

Because if something happens, you at least can go back and figure out like

what happened versus if you don't even have those, you're screwed.

Yeah, I was looking at, so cisa.gov.

cisa.gov has a really nice, uh, uh, and I, I should link to this,

a really nice, uh, white paper called Insider Threat Mitigation.

And they had some interesting stats here and they were saying

that, um, 58 percentage, sorry.

58% of those who, uh, there were 42 computer system sabotage incidents,

um, during the, the report period here that they're talking about.

And they're saying that 58% of them communicated some sort of negative

feelings, grievances or whatever.

Um, you know, prior to that, 92% of those were verbal, by the way.

Uh, which is interesting, right?

Um, and 31% of them.

Um, they had basically, this is the weirdest part, is 31% of the time someone

had knowledge about potential plans that

I did nothing.

and did nothing.

Yeah.

Um, yeah, 64% was of coworkers, 21% of friends, family members,

and then 14% someone that was involved with the incident.

So, um, the, um.

So, so one of the things that, that, uh, CISA, the point that

CISA is making here is, is the see something, say something, right?

I, I If, if you see someone who looks a little on edge, right?

Tell somebody, right.

I, I'm a little worried about Steve.

Steve.

That's my random, random name that I throw out.

Um, and, um, the, um.

And, uh, you know, pass that information on.

You do need monitoring.

You do need automated monitoring that looks for patterns and

looks for things like that.

But also the human is a significant part of the threat detection.

Or if Steve's like, Hey, what are you doing on this, this, and this.

Or if you're like, Hey, Steve, why are you in some system that you shouldn't be in?

Right.

Right.

And by the way, thanks for bringing that up because one of the things that

I, what, that I wanted to bring up is that it all starts with policy, right?

Every, every, everything from a cybersecurity perspective

starts with policy.

We start with a policy of lease privilege.

We enact that lease privilege, and then you have rules on, you're not allowed

to, you know, thwart that, right?

It, it may sound silly, but the point is.

When you establish practices and you establish procedures and then you, and

then you monitor for adherence to those procedures, when you see people going

outside of those, that's when increased scrutiny, uh, can, can figure things out.

Yeah.

And also if you have the policy, then it can't be like, oh, Steve didn't know

what the policy was and he didn't know.

He just stumbled upon something.

Right.

Versus, yeah, Steve, you really shouldn't have been doing that.

Yeah.

You know, there, there's sometimes you, you think that, um, you think

that, um, what do you call it?

Um, you'd think that people would know certain things, right?

But I'll give you an example of, of a, of a person that I worked with once

who really should have known better and they were doing something for what

they felt was a, uh, a good thing.

Right, but, uh, not so much.

So here's what was going on.

So they, um, we were at, I was at a consulting company.

We were at a household name financial organization, like, you know, wall Street

Big.

thing, big.

And, um, the, they received a notification from a former employee of our company.

And they said, Hey, I noticed some problems with the firewall at Empty Squad

Bank, and so I logged in and fixed it.

What?

What?

What?

Yeah, so they had created a back door for themselves to be able to do

maintenance and stuff, and they hadn't shut down the back door when they left.

So this was like months later.

They no longer worked for either organization and they logged, they were

still receiving alerts and their, their response was to log in and fix it.

Yeah.

That's

think that they should know that that should not be what they're

doing, but you know, but they, but they, you know, sometimes

Well, it's a good thing the person wasn't malicious.

A good thing they, they weren't malicious, they were fired, but it's

a good thing they were malicious.

Yeah.

Um, so.

The, I mean that, and that's really all you could do.

You, you, you have the least privilege.

And I'll just wanna do three things.

The, we talked about the least privilege, we talked about monitoring

and things like that, and logs.

And then also, again, I'm just gonna come back to backups because that's

really what we talk about here.

You wanna make sure that no matter how bad the person is,

they can't delete the backups.

Immutable, immutable, immutable, I don't know how many times I gotta say that.

Yeah, so based on the CISA article that you're quoting out with the stats

and everything we've talked about.

It seems like detecting insider risk is really, really, really, really hard.

Yeah.

And I know we talked about like three things that you could possibly do to just

sort of get you there, but I think it's one of those things that you shouldn't

just ignore it and put your head in the sand and be like, yeah, this is too hard.

I'm never going to worry about it.

I think you sort of like.

Cover the low hanging fruits, and as you mature as an organization,

you sort of ratchet things up and start looking for additional things,

but don't just ignore it, right?

Don't just be like, oh, it's gonna always be there.

I shouldn't even bother worrying about it.

I, I would say it's definitely on that cybersecurity ma mature

cybersecurity maturity model.

Um, but I, I, I do wanna say, I think the first rung is

100% immutable backups, right?

You can't detect everything.

And so that's why we've got to have.

A backup of everything, everything that matters.

We need to have a backup that is 100% immutable that even I, the, the

owner of the company, the biggest admin of the company, whatever, the

person with the most level of access cannot delete it even if I want to.

And then if you have that, at least, even if we don't detect an insider

threat and it deletes the per, the person goes to just the logic bomb,

whatever, and they just blow up the whole company, we'll have a, we'll

at least have a backup of the data.

Yes, you'll have a backup, but it's also important to note

that sometimes the insider isn't looking to just delete your data.

They may also be looking to exfiltrate your data and use it for blackmail,

extortion, or other things, which is a different set of problems.

Right?

That backup

and if that's the case, then if that's the case, you're screwed.

Right.

If that's, if that's their

Well, there are other, well, there are other tools, right?

Like EDR and other

there are other, yeah, there are other tools that would be able to help detect

that, but if again, we go back to the earlier thing, it's really, really hard.

So if they managed to get through.

Um, again, we stop this as much as we can with process and procedure.

We stop as much as we can with monitoring.

Why in the world is there's this gigantic level of traffic going

out to this open internet port.

Right?

Um, there was some really interesting, uh, conversations when we had Dwayne on here.

When we, when you talked about, listen, why would I go through the,

why would I go through Port 80 when there's this giant door over here?

You know, like, why, why would I. Why, you know, you can lock down port 80.

Great.

The, the rest.

He's like, he, I remember him, he had this analogy.

He's like, so you put a locked door in the middle of a field

and said, don't go through that.

Yeah, it's like dummy.

I'm just gonna walk around.

yeah.

I'm just gonna walk around.

Um, it's like, I don't know.

Did you see the unbearable weight of massive

Yes, yes,

Remember the, the, the wall that they climbed over?

Yeah.

It's like that.

All right.

Enough ta enough of talking.

Talking about insider threats.

It's depressing, but do your best.

And again, please have an immutable backup.

I know.

To a hammer.

Everything's a nail.

Thanks for chatting, prana.

No, I am excited.

You know what next week is,

What's next week?

it's the season finale.

Oh, Jesus.

Or as my father always called it, the finally.

And, and, and what he always liked to, to, if we were watching a final,

a finally, he would want to eat.

He wa he would want to eat spinach quickies.

Oh

my father.

This is, this is the, the, you know, I am his child for sure.

Yes, you are definitely his

All right.

Thank.

for listening folks.

You're why we do this?

That is a wrap.

The backup wrap up is written, recorded and produced by me w Curtis Preston.

If you need backup or Dr. Consulting content generation or expert witness

work, check out backup central.com.

You can also find links from my O'Reilly Books on the same website.

Remember, this is an independent podcast and any opinions that you

hear are those of the speaker.

And not necessarily an employer.

Thanks for listening.

I.