The rise of insider cybersecurity threats

Chris Sienko: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry. Irena Mroz is the co-founder of Nucleus Cyber, an AI driven security company. She brings more than 20 years of cybersecurity experience and expertise with a special emphasis on the increasing prevalence of internal breaches within the cyber security sphere. We're going to talk today about all of this and more in hopes of making your workplace safer from threats both outside and within. Irena Mroz is co-founder and VP at Nucleus Cyber. She's responsible for defining the company's messaging, branding, demand generation and public relations strategies. An innovative executive with impeccable attention to detail, Mroz leverages more than 20 years of B2B marketing experience to directly company's marketing strategy and communication programs. Mroz has built her successful career by empowering startups and public software companies to exceed growth objectives through successful demand generation programs, product positioning, high profile events and product evangelism. Most recently, Mroz was the Vice President of Marketing at Infocyte, a malware and threat hunting solution. She served as the SVP of Marketing for Cryptzone's network and application security solutions, and the VP of Hardware for HiSoftware, a provider of compliance and security solutions, acquired by Cryptzone. She led the integration of the two global market organizations, while managing development of all strategic marketing programs and communications for the joint entity. Her previous roles include senior marketing positions at Bottomline Technologies and Create! form International. Mroz holds a Bachelor of Science in Mass Communications from Boston University's College of Communications. Irena, thank you so much for being here today.

Irena Mroz: Thank you Chris, I'm happy to be here.

Chris: So to start from the beginning, how and when did you first get started and interested in computers and security?

Irena: Well, it's kind of funny, I did not have a start in the computer field. I was armed with a degree in mass communication during a really bad economy. And I started out in the marketing department of a large wine and spirits wholesaler, and I sort of stumbled into computers a few years later.

Chris: What was what was the impetus?

Irena: It was just time for a change and I ended up taking a job with, actually a software startup. And to my surprise found that I was very technically minded and really enjoyed it, and here I am, 20 years later.

Chris: Can you give me some some of the highlights and the big transitions of specifically your security career, like what are some of the steps you took in terms of, say, a job experience like that, or leaps of learning or whether you know, schooling or self study or whatever, like, how did you sort of get from there to here as this security evangelist?

Irena: Absolutely, you know, obviously, it's a huge challenge to be able to transition over from a completely different industry. I had to learn about both the software and the security landscape. And then all the technical terms and jargon that go with it with absolutely zero background. An important thing is you really need to get over the fear of admitting that you don't know something or understand it and learn it's okay to say, what's that? People are usually surprisingly happy to explain a technical term or a concept you're not familiar with. And then you do need to do a lot of research on your own, after meetings, looking things up and a lot of self education. I've also worked in lots of areas of software and cyber security, every company has a different piece of the puzzle that it solves and it's impossible to know everything. So, these skills have been really helpful and being able to adapt quickly to new situations and new technologies.

Chris: What would you say in general is sort of your learning style? It sounds like you're kind of a go off and study it yourself. Have you gone through schooling or gotten degrees or things like that? Or are you mostly sort of like, I need to get this thing done by Monday?

Irena: I think in the software and security world, definitely self educated. I've been in this industry for a really long time. So you learn a lot as you go.

Chris: So could you tell our listeners a little bit about what your day to day work schedule looks like? What time do you start work? What types of things are on your to do list? And you know, I always ask, how long before you know the emergencies to be handled? Basically set your to do list on fire.

Irena: Absolutely. So I've spent my software career in startups. So every day looks a lot different. I couldn't start at 8:00 a.m. and I wouldn't say I have an official end time. Lots of times you'll find me at my computer, late into the night for calls with the West Coast or Australia. And you know, when you're in a start up, you really wear a lot of hats in a small company. So, despite what your job description may be, you'll talk a lot of different things. So one day may be about product, another day might be about an event, another day may be focused on business development, but to be honest, more often than not, it's a combination of all of those things each day. And to answer the other half of your question, on like, how do you keep track and keep organized? Don't laugh, but I'm very much a pen and paper list maker, despite all the digital tools available and being in the industry.

Chris: Everything I do with your sort of personal learning preference, I think. I don't think that you know, every time you get someone say, well, you got to use this or you got to use this. What's the thing that actually like gets results?

Irena: Like I said, I'm a list maker. You make your list, you work through it and then you reprioritize as the fire start burning. There's like a huge satisfaction on being able to look at that and cross it off and certainly for day to day, big on, you know, social collaboration tools internally to be able to communicate and escalate things and prioritize. So, on that concept very modern but I'm still that pen and paper kind of list person.

Chris: There's no better feeling in the world than to cross the piece with a pencil, putting a line through the to do list. So, you say you've been involved with the cyber security industry for the past 20 years, how have you seen the cybersecurity industry change in these past 20 years, whether procedurally or technically, or you know, just in general, how it how it feels or the atmosphere?

Irena: The industry keeps evolving, just as the threats have, right? We're always kind of trying to keep pace. It used to be all about the perimeter. Build your castle walls, build them taller, build them higher, add a moat around your network and keep intruders out. Unfortunately, we found that that's no longer effective. Hackers have found way to get through security, or they go after your authorized users and steal their credentials, so they can navigate within your network. It's not that you don't need to protect the perimeter anymore. It's just no longer enough. You really need a multi-layered approach. So, now there's the identity solutions and behavior solutions, to see what what your users are doing. But a lot of those solutions kind of take care of things after the fact and they're not protecting the data itself. And that at the end of the day is the real target of both hackers and any malicious insiders.

Chris: So what are your suggestions for sort of protecting data that's not currently being addressed in these ways?

Irena: First of all, you need to know where that data is. That's very important. But you also need to start looking to some of the data loss and prevention solutions and more modern data centric approaches that actually focus on the data and put the permissions and controls around the data. I think that is something that's really important in this day and age in general.

Chris: So one of the things that you specifically brought up as an interest and area of expertise and so forth that we wanna talk about today is the difference of internal versus external threats in cyber security. So, tell me more about the insider threat landscape at the moment. You had a report from July 25 of this year that indicates that insider threats have risen to new all time highs in the past 12 months. Can you say why that is? Why that's changing?

Irena: Absolutely. So you know, there's a lot of data out there about external hacks and security, less so about insider threats. So we partnered with Cyber Security Insiders to see what the state of insider threats is in 2019. I'm gonna rattle off a couple of facts here. So what the report found is 70% of organizations have confirmed that they actually have seen insider attacks become more frequent. 68% feel extremely moderately more vulnerable. 39% have identified cloud storage and file apps as the most vulnerable to attacks. And this last point I wanted to share, 85% of organizations find it moderately too difficult to determine the damage of an insider attack. Think that last point is really important. It's really hard to identify if your users are doing something they're not supposed to do. After all, they're supposed to use your data in their day to day job so trying to go back and take a look at what they've access and try and determine what they've done is difficult and time consuming. And it's certainly one area where that old saying of an ounce of prevention, really applies.

Chris: Okay, so before we get too far into the weeds here, let's talk about the actual definition of what we mean by insider threats as used by this report. When we are speaking about, what do we mean when we say that? Is that employees with bad intent? Is this third parties who have privileged access to networks and data? Is that some combination of this? Is it other things?

Irena: Well, that's a great question. It's really a combination of all those things. Your malicious insiders are your employees, your internal users who are looking to steal your information and use it for personal gain. So things like credit card numbers or social security numbers, where they're gonna steal that data and commit fraud and to put money in their pocket. Negligent insiders though, are the ones you really don't think about. Those are the folks who are inadvertently putting your data at risk. Just think about those whoops moments, how many times have you accidentally shared an email with the wrong attachment or sent the wrong email to someone, we've all done it. But that in itself, you know, could be a data breach, depending on what information you've shared. So it's these types of scenarios, both malicious and negligent that makeup insider threats.

Chris: So, why do you think that these, specifically these insider threats have been on the rise? What is what's changed in cyber crime to make this suddenly more appealing? Although it sounds like it's, part of it is maybe that it's just being recognized more, is that the case? Or is it really, is there like a specific, intentional sort of rise?

Irena: No, so it's a few things. So, for one, everyone's been focused on the outsiders, right? Let's stop everyone from getting in. And, up until now, and things are actually changing, there's been less focus on your trusted users, because these are the people that are within your organization that are meant to be doing the right thing. So, like I said, if you think about the Lewandowski case now, which is going on with Google and theft of Uber plans and things like that, those are the people that are going after it for malicious reasons. But then think about the growth of your social collaboration tools, you've got SharePoint, you've got Teams, you've got Box, you have Slack. They've just made it so much easier to access and share company information both inside and outside of your organization. And then add to that, that you've got a mobile workforce, we're not all working in the same building, right? We're working at home and airports and cafes, and our phones, on laptops. So it just makes the opportunities for making mistakes that much greater. And most companies are addressing their data security today by locking down their security in a secure container folder. They're not actually controlling what a user can do with the data. So if you have access to it, you can pretty much do anything you want with it. You can share it, you can download it, you can copy it. So, it just makes it that much easier to steal, or in most cases, it's just accidentally sharing sensitive information. So it's not intentionally doing the wrong thing, it's making a mistake. So interesting point the data survey also found out is most companies rely on user training to prevent and address insider threats. But they're not actually using technology to control it. So there is creating a big security gap. Training is important, but it's not going to stop something from happening, right? That's a, hey, you've done something wrong, here's some more training. This is how you should avoid it. But it's not preventing anything correct.

Chris: Right, right. So a lot of the things that you're sort of discussing here, seem intangible, almost to the point of like, I'm not really sure how to sort of. Like you say, you're inadvertently sending the wrong attachment or you're inadvertently sharing the wrong data with the wrong person. So what are some of the primary weak points that you're seeing in terms of insiders being able to breach a security system and, how do you sort of deal with these sort of scary intangibles?

Irena: And the real problem is in broad access to data and the ease in which others can give you access, right? So you can easily get added, think about with like social collaboration tools, how easy it is to add someone to a group or chat thread. So really, we need to start putting some controls around this, right? So maybe you don't need to see everything, you know that this folder based security where, hey, if you have access to a folder, you can see everything in it. But, data changes and evolves during time, data is not static. So maybe it started out not having sensitive information that could be for general consumption, but at some point, it changes. So really, the data centric tools today, they provide a way to reduce someone's ability to steal, misuse or accidentally shared data, because they secure the data itself and then they're able to actually use attributes from the data. So what's in the data? So it can look at the data, and also look at the user context to determine how that data can be used or shared. So say for example, right, you're sitting in your office and you're looking at financials and that's perfectly fine. You're supposed to have access to them, you're within a secure setting. Then maybe you're traveling at the airport. And in that scenario, even though under normal circumstances, you should have access, we don't want you having access there.

Chris: I see.

Irena: And this type of security can also help if someone's stolen your credentials. So like a good example is, if someone that looks like you is trying to access data in the middle of the night, but their IP address is from China and it's two o'clock in the morning, then maybe they should just block access, right? So, this doesn't look like you or something that you would be doing so we're just not going to let you look at this document right now. When you come in the office at nine in the morning, not a problem. So I think starting to add solutions like that, that are looking at both the content and the context of the user to make some decisions about what can do the data are really necessary to prevent this.

Chris: I noticed, sometimes you'll get those weird notifications from your email where you'll type the word see attached in the email and then you hit send, you given some of the attachment there, did you mean to send an attachment. Is there a possibility for like an opposite version of that, where you accidentally copy sensitive data into something and it's like, are you sure you meant to paste that to that person or whatever?

Irena: And that's true. True, and certainly data, some of the solutions out there, they can actually address that. So if it's sensitive content, it can make something read-only and actually disable the copy and paste settings. It can add a digital watermark. So you're always going to have these, someone who's, grabs their phone and wants to snap a picture. But if you have a digital watermark that says, you opened to this file at this date and time and it's plastered all over the document, you're gonna think twice about where that goes, because now you've just left your digital footprint on the document.

Chris: So let's walk through some preparedness strategies to prevent these types of insider hacks. Are there low or no cost strategies that companies can implement today to make themselves safer against these eventualities?

Irena: Absolutely, so I talked about it a little earlier. First and foremost, know where your sensitive data is. There's some staggering stats out there on the amount of dark data, and that's a data that companies don't know exist. And it's staggering, I think it's something like 60% of people say 1/2 their organization's data is dark. So if you don't know that your data, where your data is stored, or that it exists in the first place, you can't protect it. So you need to make sure that you find all that data and have a solution for not just finding it, but classifying it, right? So if it's sensitive, you wanna make sure it's marked that way. And if you're using a platform like Office 365, there's built in labeling and tagging and classification functionality, so it's there, use it. And then you also, if you can track your access to sensitive data using these tools, make sure you're doing that so that you do have a digital footprint. And then, of course there's also third party solutions that are designed to work with those investments to help you add more granular security if it's needed.

Chris: Do you have any recommendations for organizations or companies that have to work with a lot of third party vendors and suppliers, in the inevitable security issues that can come with providing them privileged, security information. I mean, we obviously thing about the target breach all the time, but this happens all the time, people have, you have to give your sensitive information out to people so they can do their job, but they're not, you don't have any vetting process otherwise. So what are what are some of the recommendations for that sort of thing?

Irena: So, I would say treat them as you would your internal users. Don't assume that they have security and good practices on their end. Put those same controls in for access that you would on your internal users, and make sure they only have access to what they need to. If you think about the target breach, your HVAC vendor doesn't need broad access to all your systems, right? So lock it down what they have access to, so if their credentials are stolen, the hacker can't get in and navigate your system. And you know, again, protecting the data itself. So even if somebody does get in, if the data has security on it, says this vendor can't look at it, then whoever is, whether it's them or someone impersonating them won't be able to access it

Chris: So we talked a lot, especially this year in the Cyber Work podcast about stories of women in cybersecurity field, can you tell us about your own career journey as a woman in a predominantly male oriented industry? Have you had problems or things that you had to overcome? Or issues that needed solving?

Irena: So, that's funny, the two industries that I've spent my career in have actually been male dominated. I've worked with some fantastic guys and some not so great. I definitely feel like I've had to work harder to prove myself and be taken seriously. Especially when and especially in a startup environment, you may literally be the only woman sitting around a meeting table. I think it's also hard to find work life balance being a mom. You wanna be taken seriously at work, but you still have home obligations. And I've certainly found that a lot of men that I work with, who maybe have wives that are staying at home are not so understanding of the juggling act. That said, I'm lucky, I've actually worked with the same CEO at multiple companies, who's been very supportive and encouraging.

Chris: Okay, what are... I guess you've pointed out a few of them, but what are some, ingrained behaviors of the industry that you think are most likely to push away women who might otherwise be inclined to get involved?

Irena: I've been told them to opinionated, not opinionated enough, to serious. I've been called a booth babe. My favorite's being told I didn't smile enough after delivering a board presentation. It was literally the only criticism. So I think there's a lot of unfair criticism and negative attention that can come your way that I don't think a man would face. So, I think the only way to solve this though is we just need to take gender out of the equation, right? Treat people with respect, and we have to hold everyone to the same standards, regardless of their gender. That's clearly the only way to solve the issue.

Chris: And also what we're doing now, you know, just shine light on it. I think a lot of people hear this for the first time, they are like, that can't be the case. And then they started thinking, well, maybe it is the case.

Irena: So just be more aware of your actions is probably a good piece of advice.

Chris: Absolutely. So what what can we do in the cyber security field to make security careers more accessible or desirable to women? And conversely, how can we make the cybersecurity industry understand that more women in tech industry ultimately makes the entire industry stronger?

Irena: Well, I think it needs to start when we're kids, right? We need to let our daughters know that careers in tech are an option, not just the traditional roles that have been available. And I think there's some nice progress being made, there STEM programs and there's young quota programs for girls available today. And it's a great way to expose them to the field from early on and foster a passion that hopefully leads them down the career path to tech. From an industry perspective, I think we just need to embrace that diversity brings different viewpoints to the problems and solutions, and we need to embrace that. We need to look at to recruit women in more technical roles, not just the traditional sales and marketing roles that have been available, right? To make the industry as a whole stronger. And then it just gives us all a broader viewpoint.

Chris: Do you have any thoughts or suggestions or strategies for sort of building the bench in the sense of, you bring a lot of women in the industry and sort of entry level roles, but there's that further level of resistance of sort of moving them up the sort of managerial ladder, up into the C suite and into CSO roles or CEO roles and things like that, that's a lot of strategizing and a lot of time and effort, do you have any ideas about that?

Irena: I mean, you know, I think there's, awareness has been raised on the issues. So I think that that's really important, so we're changing the mindset of the industry. And I think as people are more aware and more women get involved, that you'll naturally see a climb to these other types of roles. It's not a fast change, but you're already seeing it. There's women at the helm of major companies so there's there's no reason why the tech space shouldn't follow suit.

Chris: And so to wrap up with that, what what tips would you give to women entering the world of security right now? What are some pitfalls you've learned to sidestep? And what are some opportunities that are available now that maybe weren't when you started that you would recommend people seek out?

Irena: I mean, I think you said it earlier. The workplace definitely has changed dramatically, I would say over the past one to two years. And there's some open dialogue happening that's positive. And the changes today are certainly not the same that I faced 20 years ago because of that. So I think the advice I'd give really applies to the tech industry and any industry. Just remember, you have a valuable contribution to make, you deserve a seat at the table. And don't be afraid to stand your ground. Don't let the guys bully you.

Chris: Absolutely, so as we're wrapping up today, thank you again for for all of your insights here. But, walk me through a little bit of Nucleus Cyber, what are some of the projects you're working on? What services do you provide for your clients? And just tell us more about you.

Irena: So Nucleus Cyber is a data security company, and the kind of solution is focused around Microsoft and collaboration tools. And the idea is to put that security around the data and how do you collaborate securely, right? How do you embrace collaboration, but make sure that your data stays secure and is only shared with the right folks? It can be done.

Chris: And if people wanna know more about Irena Mroz, or Nucleus Cyber, where can they go online?

Irena: You can find me by my name, Irena Mroz on LinkedIn, and the last name is spelled M-R-O-Z, it's an unusual one. Or you can visit nucleuscyber.com to learn more about the solutions, and hear more about my viewpoint on our blog.

Chris: All right, Irena, thank you so much for joining us today.

Irena: Thank you. It's been a pleasure.

Chris: It's been great talking to you. And thank you all today for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your work day, all of our videos are also available as audio podcasts, just search Cyber Work with Infosec in your favorite podcast catcher of choice. To see the current promotional offers available to listeners of this podcast, go to infosecinstitute.com/podcast. We've been talking about this for last couple weeks but we have a free election security training resource, which you can download use to educate your local co-workers and volunteers on the cyber security threats that they could face this election season. For more information about how to download your training packet, visit infosecinstitute.com/iq/election-security-training or click the link in the description. Thank you once again to Irena Mroz and thank you all for watching and listening. We'll speak to you next week.