TRANSCRIPT
10/18/2020
102100 How You Protect Your Valuable Data from the “Insider Threat”
Greg Kelly, PeopleTools Product Management Strategy Director, Security
October 2020
Safe Harbor
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.
Statements in this presentation relating to Oracle’s future plans, expectations, beliefs, intentions and prospects are “forward-looking statements” and are subject to material risks and uncertainties. A detailed discussion of these factors and other risks that affect our business is contained in Oracle’s Securities and Exchange Commission (SEC) filings, including our most recent reports on Form 10-K and Form 10-Q under the heading “Risk Factors.” These filings are available on the SEC’s website or on Oracle’s website at http://www.oracle.com/investor. All information in this presentation is current as of September 2019 and Oracle undertakes no duty to update any statement in light of new information or future events.
Agenda
Contributing Factors
Risk Awareness
Remediations/Access Controls
Useful Links
Who are the “BAD” guys?
"Never attribute to malice that which can be adequately explained by neglect." - Hanlon's Razor
Contributing Factors
The Fluidity of People’s Morals
Moral Luck
Moral Hazard
Normalization of Deviance “Familiarity Breeds Contempt” and “Broken Window Syndrome”
Willful Blindness
Hubris
Disengagement/Disenchantment
Kohlberg and the “Heinz Dilemma”
Dunning–Kruger effect
Preference Cascade
Moral Luck
http://www.iep.utm.edu/moralluc/
"... A case of moral luck occurs whenever luck makes a moral difference. The problem of moral luck arises from a clash between the apparently widely held intuition that cases of moral luck should not occur with the fact that it is arguably impossible to prevent such cases from arising."
Moral Hazard
What is moral hazard? By Andrew Beattie
http://www.investopedia.com/ask/answers/09/moral-hazard.asp
"... The idea of a corporation being too big or too important to fail also represents a moral hazard. If the public and the management of a corporation believe that the company will receive a financial bailout to keep it going, then the management may take more risks in pursuit of profits.
Government safety nets create moral hazards that lead to more risk taking, and the fallout from markets with unreasonable risks - meltdowns, crashes, and panics - reinforces the need for more government controls. Consequently, the government feels the need to strengthen these nets through regulations and controls that increase the moral hazard in the future."
See the movie “The Big Short”.
Normalization of Deviance
Bedford and the Normalization of Deviance, by Ron Rapp on December 20, 2015
http://www.rapp.org/archives/2015/12/normalization-of-deviance/
"... Social normalization of deviance means that people within the organization become so much accustomed to a deviant behavior that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety. People grow more accustomed to the deviant behavior the more it occurs.
To people outside of the organization, the activities seem deviant; however, people within the organization do not recognize the deviance because it is seen as a normal occurrence. In hindsight, people within the organization realize that their seemingly normal behavior was deviant."
Check out “The Challenger Launch Decision”
Normalization of Deviance: “Familiarity Breeds Contempt” and “Broken Windows Theory”
Does familiarity breed contempt?
http://www.dba-oracle.com/t_familiarity_breeds_contempt.htm
In a nutshell, the "Familiarity Breeds Contempt" concept is the idea that, the more we get to know a supervisor on a personal level, the more likely we are to find fault with them. The term "familiarity breeds contempt" dates back at least 100 years, and this belief is widely noted as an absolute truth, even by famous authors.
Broken Windows Theory
https://study.com/academy/lesson/broken-windows-theory-definition-lesson.html
The broken window theory stems from an article written in 1982 by criminologists James Q. Wilson and George Kelling. Their theory states that signs of disorder will lead to more disorder. A building with a broken window that has been left unrepaired will give the appearance that no one cares and no one is in charge. This will lead to vandals breaking the rest of the windows and adding graffiti, because in their minds nobody cares.
Willful Blindness: “Absence of Evidence is not Evidence of Absence”
https://www.nacdl.org/criminaldefense.aspx?id=21211
"... Willful blindness, also known as conscious avoidance, is a judicially-made doctrine that expands the definition of knowledge to include closing one's eyes to the high probability a fact exists. While the doctrine originated in the context of drug trafficking cases, it has since been expanded to a wide array of prosecutions and is increasingly used in the white collar cases.
Consistently benefiting the prosecution, a request to instruct the jury on willful blindness usually comes on the heels of weak evidence of knowledge, without any advance warning to the defense, and invites the jury to convict based on evidence of mere negligence or recklessness."
Hubris
http://literarydevices.net/hubris/
"... Hubris is a typical flaw in the personality of a character who enjoys a powerful position; as a result of which, he overestimates his capabilities to such an extent that he loses contact with reality. A character suffering from Hubris tries to cross normal human limits and violates moral codes. Examples of Hubris are found in major characters of tragic plays."
Disengagement/Disenchantment
Employee Disengagement Underlies Saga of Sabotage
http://inbusinessmag.com/in-business/employee-disengagement-underlies-saga-sabotage
"... Most insider threats are made, not born. Employees do not often join the world of work with overt intentions to steal from, damage or sabotage their organization. Instead, they are jaded after a sequence of disenchanting events, leaving them cynical, angry, and driven to balance the scales.
Disenchantment is not a solitary existence, but instead clusters around ineffective and damaging management practice. Managers account for nearly 70 percent of the reasons an employee is disenchanted. Organizations are often unaware of how their culture increases their vulnerability to the insider threat."
Kohlberg and the “Heinz Dilemma”
Kohlberg’s Stages of Moral Development
This states that we progress through three levels of moral thinking that build on our cognitive development.
https://courses.lumenlearning.com/teachereducationx92x1/chapter/kohlbergs-stages-of-moral-development/
Lawrence Kohlberg expanded on the earlier work of cognitive theorist Jean Piaget to explain the moral development of children. Kohlberg believed that moral development, like cognitive development, follows a series of stages. He used the idea of moral dilemmas—stories that present conflicting ideas about two moral values—to teach 10 to 16 year-old boys about morality and values. The best known moral dilemma created by Kohlberg is the “Heinz” dilemma, which discusses the idea of obeying the law versus saving a life. Kohlberg emphasized that it is the way an individual reasons about a dilemma that determines positive moral development.
Dunning–Kruger effect
The Dunning-Kruger Effect Shows Why Some People Think They're Great Even When Their Work Is Terrible
https://www.forbes.com/sites/markmurphy/2017/01/24/the-dunning-kruger-effect-shows-why-some-people-think-theyre-great-even-when-their-work-is-terrible/#462bdede5d7c
Coined in 1999 by then-Cornell psychologists David Dunning and Justin Kruger, the eponymous Dunning-Kruger Effect is a cognitive bias whereby people who are incompetent at something are unable to recognize their own incompetence. And not only do they fail to recognize their incompetence, they’re also likely to feel confident that they actually are competent.
Preference Cascade
What is a preference cascade?
https://www.quora.com/What-is-a-preference-cascade
In short, average people behave the way they think they ought to, even though that behavior might not reflect their own personal feelings.
Given a sufficient "A-HA!" moment when they discover that their personal feelings are shared by a large portion of the population their behavior may change dramatically.
Risk Awareness
Latency of Security Patches (CPU: Oracle’s quarterly Critical Patch Updates)
Scope of Privileged Users
Data Classification
Attestation
Compliance with Internal Processes
Segregation of Duties
Mandatory Vacation
Job Rotation
Phishing, Ransomware
“Sextortion”
Case #1
$4.5M office supply scheme inside Las Vegas water district draws FBI inquiry
http://www.reviewjournal.com/news/las-vegas/45m-office-supply-scheme-inside-las-vegas-water-district-draws-fbi-inquiry
... The scheme, which unfolded over three years, involved an employee in the district’s purchasing division who fraudulently ordered office supplies through the water utility’s vendor, then sold the items to a company in New Jersey and kept the money.
Case #2
Target settles for $39 million over data breach
http://money.cnn.com/2015/12/02/news/companies/target-data-breach-settlement/
Target agreed to a $39 million settlement with several U.S. banks on Wednesday over a data breach that affected roughly 40 million customers.
The banks lost millions when they were forced to reimburse customers who lost money in the massive 2013 hack of Target's database.
Case #3
The Trusted Grown-Ups Who Steal Millions From Youth Sports
http://www.nytimes.com/2016/07/10/sports/youth-sports-embezzlement-by-adults.html
Prosecutors in several states say embezzlement investigations involving youth sports have become common.
... Across the country, people who volunteered as treasurers and other officers for Little Leagues and sports clubs have been prosecuted for pilfering gobs of money from the coffers: $220,000 in Washington, $431,000 in Minnesota, $560,000 in New Jersey, and so on, according to law enforcement authorities, league officials, experts on nonprofit organizations and news reports.
Case #4
Retail Shrinkage
Study: Shrink costs U.S. retailers $42 billion; employee theft tops shoplifting
http://www.chainstoreage.com/article/study-shrink-costs-us-retailers-42-billion-employee-theft-tops-shoplifting
"... While shoplifting is the biggest cause of all retail shrink in 16 of the 24 countries surveyed, in the United States, employee theft ranked first at 42.9%, with shoplifting next at 37.4%"
Self-Service Checkouts Can Turn Customers Into Shoplifters, Study Says
http://www.nytimes.com/2016/08/11/business/self-service-checkouts-can-turn-customers-into-shoplifters-study-says.html?_r=0
"... The scanning technology, which grew in popularity about 10 years ago, relies largely on the honor system. Instead of having a cashier ring up and bag a purchase, the shopper is solely responsible for completing the transaction. That absence of human intervention, however, reduces the perception of risk and could make shoplifting more common, the report said."
Avocado and Pear …
Case #5
Stolen Proprietary Software
Car thefts – Two men used pirated software running on a laptop to steal more than 100 cars
http://securityaffairs.co/wordpress/50070/cyber-crime/car-theft-laptop.html
"... Fiat Chrysler and the authorities are investigating the case, in particular, it is important to understand if the crooks got access to a computerized database of codes used by dealers, and how. Data in the database are used by auto repair shops to replace lost key fobs."
Case #6
Famous cybercrime groups and hacktivist “brands” may be a smokescreen to cover sophisticated insider attacks.
http://www.csoonline.com/article/3107987/hacktivism/fake-attack-by-insider-tries-to-fool-company.html
"... One of the company’s web portals was lightly defaced (using its admin panel functionality) with insulting slogans, criticizing the company for globalization. A few moments later, attackers also erased all website content they had access to, including HTTP logs on the breached web server. A first internal notification about the incident came from a web administrator working at the company for 15 years. It also contained a link to zone-h defacement mirror saying that hacktivists compromised and probably backdoored the server, urging server re-installation from scratch. As the attackers were known, he recommended skipping the formal investigation process in order to reduce the downtime of the server. His management gave a green light to move forward without proper system mirroring for further forensics investigation."
The check this case argues for: image the compromised system before it is rebuilt, every time, and never let the person who reported the incident be the one who decides whether the formal investigation is skipped.
Before AI/ML
Remediations/Access Controls
Overview: Access Controls
Types of Access Control (function or purpose)
- Preventive access control
- Deterrent access control
- Detective access control
- Corrective access control
- Recovery access control
- Compensation access control
- Directive access control
Types of Access Control (implementation)
- Administrative access controls
- Logical/technical access controls
- Physical access controls
Function or Purpose Access Controls: Preventive access control
A preventive access control is deployed to stop unwanted or unauthorized activity from occurring.
Examples of preventive access controls include fences, locks, biometrics, separation of duties, job rotation, data classification, penetration testing, access control methods, encryption, auditing, security cameras, smart cards, callback, security policies, security awareness training, and antivirus software.
Function or Purpose Access Controls: Preventive access control - Support
• PeopleTools
• Password Controls
• Revalidate Password (supports LDAP)
• Time of Day Permissions
• Oracle and Other Products
• Oracle Access Manager (with Multi Factor Authentication)
• Oracle Adaptive Access Manager
• Oracle Audit Vault and DB Firewall
Function or Purpose Access Controls: Deterrent access control
A deterrent access control is deployed to discourage the violation of security policies. Deterrent controls pick up where prevention leaves off. A deterrent doesn’t stop with trying to prevent an action; instead, it goes further to exact consequences in the event of an attempted or successful violation.
Examples of deterrent access controls include locks, fences, security badges, security guards, security cameras, intrusion alarms, separation of duties, work task procedures, awareness training, encryption, auditing, and firewalls.
Function or Purpose Access Controls: Deterrent access control - Support
• PeopleTools
• Change Password Frequency
• Login Page Notice
• PeopleSoft Encryption Technology
• Oracle and Other Products
• Oracle GRC
• Log Analysis
• Critical Staff Background/Credit Checks
Splash Screen for Login Page
This site is intended solely for use by Company's authorized users. Use of this site is subject to the Legal Notices, Terms of Use, and Privacy Statement located on this site. Use of the site by customers and partners, if authorized, is also subject to the terms of your contract(s) with Company. Use of this site by Company employees is also subject to company policies, including the Code of Conduct. By continuing to use this site, you understand all activity may be monitored and audited. Unauthorized access or breach of these terms may result in termination of your authorization to use this site and/or civil and criminal penalties.
[Accept] [Decline]
This Splash Screen can also be used to comply with EU Cookie Requirements
Strictly Necessary Cookies are ones that are only used to enable a site to work and can generally be assumed to have negligible privacy concerns attached to them. They are therefore exempt from cookie regulations around the need for consent. Often they are generated automatically by the technology platforms running most websites. However it is important to realize that these can be customized to perform additional tasks which can change their purpose.
Function or Purpose Access Controls: Detective access control
A detective access control is deployed to discover unwanted or unauthorized activity. Often detective controls operate after the fact rather than in real time.
Examples of detective access controls include security guards, guard dogs, motion detectors, post incident review of security camera recordings, job rotation, mandatory vacations, audit trails, honey pots, seeded email distribution lists, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations.
Function or Purpose Access Controls: Detective access control - Support
• PeopleTools
• Enterprise Manager PeopleSoft plug-in
• Seeded Mailing Lists
• Workforce Practices - Vacation
• Oracle and Other Products
• Oracle Audit Vault
• Oracle GRC (Governance, Risk and Compliance)
• IPS/IDS (Intrusion Prevention and Detection System)
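As an added example (not part of the presentation and not PeopleTools code), the two detective checks below run over an application audit trail: an after-the-fact segregation-of-duties test, aimed at the kind of purchasing-division abuse in Case #1, and a check for activity during a mandatory vacation, the control listed under Risk Awareness and as "Workforce Practices - Vacation" above. The event layout, the conflict matrix, the user names and the vacation window are all constructed for the example.

```python
# Added example (not from the presentation, not PeopleTools code): two detective checks
# run over an application audit trail. The event layout, the conflict matrix and the
# HR vacation records are assumptions constructed for the example.
from collections import defaultdict
from datetime import date, datetime

# Segregation-of-duties matrix: pairs of actions one person must not perform on the
# same business object (assumed; a real deployment takes this from its SoD policy).
SOD_CONFLICTS = {
    ("VENDOR_CREATE", "PAYMENT_APPROVE"),
    ("PO_CREATE", "PO_APPROVE"),
    ("PO_CREATE", "GOODS_RECEIPT"),
}

# Constructed sample audit events: (timestamp, user, action, business object).
AUDIT_EVENTS = [
    ("2020-09-01T09:12:00", "jsmith", "VENDOR_CREATE", "VND-4471"),
    ("2020-09-01T09:40:00", "jsmith", "PAYMENT_APPROVE", "VND-4471"),
    ("2020-09-02T10:05:00", "adoe", "PO_CREATE", "PO-90012"),
    ("2020-09-03T14:20:00", "bwong", "PO_APPROVE", "PO-90012"),
    ("2020-09-15T22:31:00", "jsmith", "PO_CREATE", "PO-90044"),
    ("2020-09-16T08:02:00", "jsmith", "GOODS_RECEIPT", "PO-90044"),
]

# Constructed HR record: approved mandatory-vacation windows, inclusive dates.
VACATIONS = {
    "jsmith": (date(2020, 9, 14), date(2020, 9, 18)),
}


def sod_violations(events):
    """Return (user, object, action_a, action_b) for every conflicting pair that one
    user completed end-to-end on the same object. Role-based SoD is preventive; this
    check is detective: it catches conflicts that slipped past role design or were
    granted through emergency access."""
    done = defaultdict(set)
    for _ts, user, action, obj in events:
        done[(user, obj)].add(action)
    found = []
    for (user, obj), actions in sorted(done.items(), key=lambda kv: kv[0]):
        for a, b in sorted(SOD_CONFLICTS):
            if a in actions and b in actions:
                found.append((user, obj, a, b))
    return found


def activity_during_vacation(events, vacations):
    """Return events by a user inside that user's mandatory-vacation window. Mandatory
    vacation only works as a control if the absence is enforced and someone else runs
    the process; any activity in the window means the control is not in effect."""
    flagged = []
    for ts, user, action, obj in events:
        window = vacations.get(user)
        if window is None:
            continue
        start, end = window
        if start <= datetime.fromisoformat(ts).date() <= end:
            flagged.append((user, ts, action, obj))
    return flagged


if __name__ == "__main__":
    for v in sod_violations(AUDIT_EVENTS):
        print("SOD     ", v)
    for f in activity_during_vacation(AUDIT_EVENTS, VACATIONS):
        print("VACATION", f)
```

Role-based SoD, what PeopleSoft roles and permission lists enforce, is the preventive control; this is the detective backstop for conflicts that arrive through emergency access, role creep, or a small team where one person legitimately holds both roles. Wiring it to a PeopleSoft deployment (sign-on history in PSACCESSLOG, transaction changes in whichever record audits you have enabled) is outside this example.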
Function or Purpose Access Controls: Corrective access control
A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. Usually corrective controls are simple, such as terminating access or rebooting a system. Corrective controls have only a minimal capability to respond to access violations.
Examples of corrective access controls include intrusion detection systems, antivirus solutions, business continuity planning, and security policies.
Function or Purpose Access Controls: Corrective access control - Support
• PeopleTools
• Password Controls – Account Lockout
• Active Data Guard
• Server Based Anti-virus
• Oracle and Other Products
• IPS/IDS
• High Availability Architecture
• Attestation – Account Revalidation
Function or Purpose Access Controls: Recovery access control
A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies. Recovery controls have more advanced or complex abilities to respond to access violations than corrective access controls. For example, a recovery access control can repair damage as well as halt further damage.
Examples of recovery access controls include backups and restores, fault-tolerant drive systems, server clustering, antivirus software, and database shadowing.
Function or Purpose Access Controls: Recovery access control - Support
• PeopleTools
• Lock out Password Controls
• Clustering
• Active Data Guard
• Oracle and Other Products
• Cloning and various restore documented and tested processes
• Firewalls
• Disaster Recovery
Function or Purpose Access Controls: Compensation access control
A compensation access control is deployed to provide various options to other existing controls to aid in enforcement and support of security policy.
Examples of compensation access controls include security policy requirements or criteria, personnel supervision, monitoring, and work task procedures.
Function or Purpose Access Controls: Compensation access control - Support
• PeopleTools
• Architecture Separation
• Data in Flight Encryption
• Password Controls – Account Lockout
• Oracle and Other Products
• Oracle Database Vault
• Oracle Database Firewall
• Oracle RUEI (Real User Experience Insight) or Application Performance Monitoring (APM)
Function or Purpose Access Controls: Directive access control
A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
Examples of directive access controls include tail gating controls, security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, work task procedures, and awareness training.
Function or Purpose Access Controls: Directive access control - Support
• PeopleTools
• Login Page Policy Acceptance
• Mandatory Policy ReCertification
• Log Analysis
• Oracle and Other Products
• Oracle GRC
• Oracle RUEI or APM
• Oracle Audit Vault
Implementation Access Controls: Administrative access controls
Administrative access controls are the policies and procedures defined by an organization’s security policy to implement and enforce overall access control. Administrative access controls focus on two areas: personnel and business practices (for example, people and policies).
Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.
Implementation Access Controls: Administrative access controls - Support
• PeopleTools
• UPK (User Productivity Kit)
• Mandatory Vacation
• Job Rotation
• Oracle and Other Products
• Credit Checks
• Identity ReValidation
• Oracle Identity Manager
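"Identity ReValidation" here, and "Attestation – Account Revalidation" under the corrective controls, describe a periodic review that can be run as a report rather than left to memory. The following is an added example of such a report (not from the presentation and not Oracle Identity Manager code); the HR feed, account table, role assignments and review thresholds are constructed assumptions.

```python
# Added example (not from the presentation, not PeopleTools code): a periodic account
# revalidation (attestation) report. The HR feed, account table, role assignments and
# the review thresholds are assumptions constructed for the example.
from datetime import date

ATTEST_DAYS = 90    # a privileged role must be re-certified by its owner within this many days
DORMANT_DAYS = 60   # an enabled account with no sign-on for this long is flagged for review
AS_OF = date(2020, 10, 18)

PRIVILEGED_ROLES = {"PAYROLL_ADMIN", "SECURITY_ADMIN", "AP_APPROVER"}

# Constructed HR feed: user -> employment status. Service accounts have no HR record.
HR_STATUS = {"jsmith": "ACTIVE", "adoe": "TERMINATED", "bwong": "ACTIVE"}

# Constructed account table: user -> (enabled, last sign-on date or None if never).
ACCOUNTS = {
    "jsmith": (True, date(2020, 10, 16)),
    "adoe": (True, date(2020, 9, 30)),
    "bwong": (True, date(2020, 7, 1)),
    "svc_batch": (True, date(2020, 10, 17)),
    "old_temp": (False, date(2019, 3, 2)),
}

# Constructed role assignments: (user, role, date the owner last attested it, or None).
ROLE_ASSIGNMENTS = [
    ("jsmith", "PAYROLL_ADMIN", date(2020, 9, 1)),
    ("jsmith", "AP_APPROVER", date(2020, 5, 1)),
    ("adoe", "SECURITY_ADMIN", date(2020, 8, 15)),
    ("bwong", "EMPLOYEE_SELF_SERVICE", date(2019, 1, 1)),
    ("svc_batch", "SECURITY_ADMIN", None),
]


def revalidation_findings(as_of=AS_OF):
    """Return (user, finding) pairs a reviewer must act on or explicitly sign off.
    Findings are ordered by user so two runs can be diffed."""
    roles_by_user = {}
    for user, role, attested in ROLE_ASSIGNMENTS:
        roles_by_user.setdefault(user, []).append((role, attested))

    findings = []
    for user, (enabled, last_login) in sorted(ACCOUNTS.items()):
        if not enabled:
            continue  # already disabled; deleting stale accounts is a separate clean-up
        status = HR_STATUS.get(user)
        if status is None:
            findings.append((user, "NO_HR_RECORD"))          # needs a named human owner
        elif status == "TERMINATED":
            findings.append((user, "LEAVER_STILL_ENABLED"))  # disable now, then review
        if last_login is None or (as_of - last_login).days > DORMANT_DAYS:
            findings.append((user, "DORMANT"))
        for role, attested in sorted(roles_by_user.get(user, []), key=lambda r: r[0]):
            if role not in PRIVILEGED_ROLES:
                continue
            # "never attested" counts as overdue, so a role granted outside the normal
            # process cannot hide behind a missing date
            if attested is None or (as_of - attested).days > ATTEST_DAYS:
                findings.append((user, f"ATTESTATION_OVERDUE:{role}"))
    return findings


if __name__ == "__main__":
    for user, finding in revalidation_findings():
        print(f"{user:<10} {finding}")
```

The leaver check is the one that matters most for the insider problem: a termination in HR must disable the account the same day, and this report exists to catch the cases where it did not. Dormant accounts and never-attested privileged roles are the next most common way an unreviewed foothold survives a quarter.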
Implementation Access Controls: Logical/technical access controls
Logical access controls and technical access controls are the hardware or software mechanisms used to manage access to resources and systems and also provide protection for those resources and systems.
Examples of logical or technical access controls include encryption, smart cards, passwords, biometrics, constrained interfaces, access control lists (ACLs), protocols, firewalls, routers, and intrusion detection systems.
Implementation Access Controls: Logical/technical access controls - Support
• PeopleTools
• User Agent Validation
• Location Based Access
• PET (PeopleSoft Encryption Technology)
• Oracle and Other Products
• Oracle Adaptive Access Manager
• ERP Firewall
• URL Request Filtering
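The "Time of Day Permissions" item under the preventive controls and the "Location Based Access" item here amount to one policy check on every sign-on. The following is an added example of that check (it is not PeopleTools code and not from the presentation); the roles, networks, time windows and the fixed UTC offset are assumptions.

```python
# Added example (not from the presentation, not PeopleTools code): a fail-closed policy
# check for a sign-on request, combining a time-of-day window with a source-network
# allowlist. Roles, networks, windows and the fixed UTC offset are assumptions.
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address, ip_network

# Fixed offset so the example runs without a zone database; a deployment should use
# the site's IANA zone (zoneinfo) so daylight-saving changes do not shift the window.
SITE_TZ = timezone(timedelta(hours=-7), name="PDT")


@dataclass(frozen=True)
class AccessPolicy:
    start: time       # inclusive start of the allowed window, site local time
    end: time         # exclusive end; end <= start means the window crosses midnight
    networks: tuple   # allowed source networks; empty means no network restriction


POLICIES = {
    "payroll_clerk": AccessPolicy(time(7, 0), time(19, 0), ("10.20.0.0/16",)),
    "night_ops": AccessPolicy(time(22, 0), time(6, 0), ("10.20.5.0/24",)),
}


def in_window(local: time, start: time, end: time) -> bool:
    """True if local falls inside [start, end), handling a window that wraps midnight."""
    if start < end:
        return start <= local < end
    return local >= start or local < end


def evaluate(role: str, src_ip: str, when: datetime):
    """Return (allowed, reason). Every failure path denies: unknown role, unparsable
    address, source outside the allowlist, or sign-on outside the time window.
    'when' must be a timezone-aware timestamp taken from the server clock."""
    policy = POLICIES.get(role)
    if policy is None:
        return False, "no policy for role"
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False, "unparsable source address"
    if policy.networks and not any(addr in ip_network(n) for n in policy.networks):
        return False, f"source {addr} outside allowed networks"
    local = when.astimezone(SITE_TZ).time()
    if not in_window(local, policy.start, policy.end):
        return False, f"sign-on at {local:%H:%M} local outside {policy.start:%H:%M}-{policy.end:%H:%M}"
    return True, "ok"


# Constructed sample sign-on attempts: (role, source address, UTC timestamp).
SAMPLE_REQUESTS = [
    ("payroll_clerk", "10.20.14.3", datetime(2020, 10, 18, 16, 30, tzinfo=timezone.utc)),   # 09:30 local
    ("payroll_clerk", "10.20.14.3", datetime(2020, 10, 18, 3, 0, tzinfo=timezone.utc)),     # 20:00 local
    ("payroll_clerk", "192.168.1.9", datetime(2020, 10, 18, 16, 30, tzinfo=timezone.utc)),  # wrong network
    ("night_ops", "10.20.5.7", datetime(2020, 10, 18, 8, 30, tzinfo=timezone.utc)),         # 01:30 local
    ("night_ops", "10.20.5.7", datetime(2020, 10, 18, 20, 0, tzinfo=timezone.utc)),         # 13:00 local
    ("night_ops", "10.20.6.1", datetime(2020, 10, 18, 8, 30, tzinfo=timezone.utc)),         # wrong network
    ("contractor", "10.20.14.3", datetime(2020, 10, 18, 16, 30, tzinfo=timezone.utc)),      # no policy
]


def run_samples():
    """Evaluate the constructed requests; returns the list of allow/deny decisions."""
    return [evaluate(role, ip, when)[0] for role, ip, when in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, ok in zip(SAMPLE_REQUESTS, run_samples()):
        print("ALLOW" if ok else "DENY ", req[0], req[1], evaluate(*req)[1])
```

Two caveats a reviewer would raise on this control: the sign-on time must come from the server clock, never from anything the client sends; and "User Agent Validation", also listed above, is worth logging but not worth trusting as a preventive control, because the client chooses its own User-Agent string.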
Implementation Access Controls: Physical access controls
Physical access controls are physical barriers deployed to prevent direct contact with systems or portions of a facility.
Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, swipe cards, guard dogs, video cameras, laptop or tablet screen filters, anti-tailgating, “shoulder surfing” mirror, and alarms.
Implementation Access Controls: Physical access controls - Support
• PeopleTools
• Controlled Server Access
• Web Profile
• Time of Day Permissions
• Oracle and Other Products
• Server Room Controls
• Oracle RUEI or APM
• Oracle Database Firewall
• “Shoulder Surfing” awareness mirror
Useful Links #1
Information classification according to ISO 27001
http://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
The Long-Term Effects of Tracking Employee Behavior
https://hbr.org/2016/07/the-long-term-effects-of-tracking-employee-behavior
Risk Perception and Its Impacts on Risk Governance
http://environmentalscience.oxfordre.com/view/10.1093/acrefore/9780199389414.001.0001/acrefore-9780199389414-e-2
Insider Threat Mitigation Guidance
https://www.sans.org/reading-room/whitepapers/monitoring/insider-threat-mitigation-guidance-36307
Background Checks - What Employers Need to Know
https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm
Your Employees' Right to Privacy
http://www.nolo.com/legal-encyclopedia/employee-privacy
Useful Links #2
Running Background Checks on Current Employees
http://blog.verifirst.com/running-background-checks-on-current-employees
Insider Threat Best Practices
https://www.sei.cmu.edu/search.cfm#stq=insider%20threat&stp=1
The Threat of the Malicious Insider: What Is the CFO's Responsibility?
https://www.securityexecutivecouncil.com/spotlight/?sid=31306
Data Loss Prevention as a Critical Component of Cyber Insurance Strategy
https://www.infosecurity-magazine.com/white-papers/data-loss-prevention-cyber
Rapid7 InsightIDR, Dramatically Reduces Time from Compromise to Containment
https://www.rapid7.com/company/news/press-releases/2016/rapid7-launches-new-security-incident-detection-and-response-solution.jsp
CIO Update - Top 10 Cloud Computing Caveats
https://cioupdate.com/top-10-cloud-computing-caveats/
1. Define your terms
2. Watch out for cloud washing - “everything old is new again”
3. Examine basic needs
4. Should I choose cumulus or nimbus?
i.e. public, private or hybrid cloud.
5. Nail down projected costs
6. Policy is as important as technology
7. Cloud piracy abounds
8. Know before you go
9. Start small
10. Find the right tools
A little “hacking” exercise … Guess the Pin Code!