00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:12
Welcome to CyberSound. So you can already see I’m playing with my tech. So we wrote a lot more today than we normally do. But, today we are going to attempt to draw a parallel between modern day cybersecurity and Benedict Arnold. It’s July fourth after all, the American Revolution.
Michael Grande 00:33
That’s right, we’ve got we’ve got a lot to celebrate, but a lot to learn. So,
Jason Pufahl 00:38
But my traditional I’d like to welcome Steve Maresca and Michael Grande. Thanks as always for being good sports as we work through one of these types of episodes because they’re not easy. But really, how can the most infamous traitor in American history teach us some valuable lessons about insider threats, and I think that’s going to be our parallel. I’m going to do something uncharacteristic, actually, and read a little bit more verbatim something that we’ve written because I put together a brief history of Benedict Arnold, in case you weren’t familiar with it, so I’ll try to manage this as best I can. He was born in 1741 in Connecticut, and he grew up to be a successful Mershon and militia leader. He joined the American Revolution in 1775. And he distinguished himself as a brave and skilled commander in several battles such as the capture of Fort Ticonderoga, the invasion of Quebec, the Battle of Saratoga and defensie of Rhode Island. He was wounded several times in combat, he earned the respect and admiration of his peers, including George Washington, who considered him a close friend and a trusted adviser, probably an important point. However, things started to go downhill for Arnold in 1777, when he was passed over for promotion by Congress. Despite his achievements on the battlefield, he felt he wasn’t given the recognition and reward that he deserved. He became resentful of his rivals and critics who accused him of corruption misconduct. He also faced financial difficulties in his business, probably important, suffered from the war and his lavish lifestyle. He married a young loyalist woman, Peggy Shippen, who had connection to the British spy network. She introduced him to John Andre, a British major who became Arnold’s handler and co-conspirator. In 1780, Arnold was given command of West Point, a fort on the Hudson River that was vital for the American defense, secretly agreed to hand over the fork to the British exchange for money and a commission in the British Army. He provided Andre with detailed plans of the forts defenses and arranged to meet him in person to finalize the deal. However, the Platt was deployed ultimately was exposed when Andre was captured by American soldiers who found the incriminating documents on him. Arnold managed to escape to the British lines while Andre was hanged as a spy. Arnold then fought against the formal countrymen leading raids in Virginia and Connecticut. He died in London in 1801, and viled by both Americans and British who didn’t trust or respect him.
Michael Grande 03:01
That’s a lot of information, a bit of history there. It’s good for those of us who needed a little refresh.
Jason Pufahl 03:07
Yeah, I don’t think, Benedict Arnold, like we know he’s a traitor, but that probably the depth for most of it, right?
Michael Grande 03:11
We knew he was a traitor, and we knew he had Connecticut ties, we’re sorry, yeah, we we are sorry. But at the same time, you know, much more sort of deep history of his involvement. He played very key roles in so many things and then ultimately, becoming a traitor and selling secrets. And interesting though, how we connect this to cybersecurity.
Jason Pufahl 03:35
It’s a direct parallel. I mean, you can see it directly works right to it.
Steven Maresca 03:38
It does. I mean, ultimately, he was trusted, right? He had prestige, he had authority, he had power and recognition. Those are traits that can be misused. Insider threats can be motivated by a bunch of different factors, right. So some of them can be greed, some can be revenge is very common, that folks will simply just want to pay for their bills, if they’re out there, especially a lavish lifestyle. Right, right. Absolutely. These things can involve different methods, you know, stealing, leaking, sabotaging, destroying data, you name it, actually, we’ve seen a great many of those in true practice. In the modern era, that might be installing backdoors that might mean ferreting data outside the bounds of the institution to the organization. Bottom line. There are lots of commonalities. Insider threads usually exhibit a variety of different signs. They tend to be acting suspiciously, they tend to be called out for poor behavior or performance. They’re dissatisfied, they’re complaining. They’re disgruntled as a general psychological element. So Benedict Arnold exhibited a lot of the commonalities here. I think it’s a reasonable thing to assert.
Michael Grande 05:01
Would you attribute some of that more to sort of negative culture?
Steven Maresca 05:08
Possibly. I mean, it’s it’s difficult to peer into the past, but certainly, I think that he was sidelined. And that’s the thing that affected from an ego perspective. And that’s, I think, central to a lot of insider threats.
Michael Grande 05:25
And even almost like, you know, some of the commanders and those above him, the generals that had sort of distracted interest, right, there was so much happening at this time. And yet, even after he’s passed over for the promotion, and demonstrated that he’s competent, demonstrated that he’s competent, he was still then given a very important assignment of control of a fort that had, you know, huge consequences.
Steven Maresca 05:48
There’s another dynamic, too, in terms of prejudicial concerns, like he was born in Connecticut, in that era, if you weren’t originally from elsewhere, you were considered somewhat of a lesser social status overall, too. So there were lots of other things going on.
Jason Pufahl 06:03
But that so in a way, that’s actually particularly interesting, because they turned a Native American born in Connecticut, to the British side, so it wasn’t like he came from Britain. Right?
Steven Maresca 06:14
Yeah, precisely what I say. Yeah, fascinating. It’s very interesting. Bottom line, though, he really did need to support some of the personal dynamics that caused him some grief, whether they were related to his finances, or his lack of elevation, in terms of skills and posture.
Michael Grande 06:32
Are there things that can be done maybe what more in the in the cybersecurity context of today, you know, to address some of these insider threats and, and, and try to root them out earlier or, you know, implement better programs?
Steven Maresca 06:48
So some of this is really preventative up front, when when someone’s being hired when they’re being evaluated for their position, doing the right type of analysis of their personality, their skill set, their background, background checks are, of course, a reasonable way of doing that today. There are lots of other mechanisms like that. But bottom line above all, after passing those filters, it’s a it’s a leadership and development type of a consideration. The root of all insider threats, generally speaking, is dissatisfaction.
Jason Pufahl 07:21
What was that? So is that the responsibility of the Sons of Liberty to have a better leadership and training program in place? Like, did they, they should they have recognized his dissatisfaction?
Steven Maresca 07:30
I think so. That doesn’t mean that they would necessarily identify that this was a possible outcome, but I’m sure they, they could have intervened in a more positive way.
Michael Grande 07:41
Probably not deploying the Myers Briggs Personality Test early on in the interview process.
Jason Pufahl 07:47
Yeah, the background checks are a little more difficult than for sure it’s true. So but but there, we’ve seen cases in, in this era of people stealing money, because they had financial issues at home. And, you know, the, whether it’s 1771, or 2024, those are real issues, if, and you have to monitor that. And if you put people in a position, your potential financial, like CFO, or those types of roles, they’re targets for attackers, and there might be other motivations that make them susceptible.
Steven Maresca 08:25
But getting back to your statement about culture, it’s really important to maintain a certain level of even even handed personnel supporting behavior. People do not become insider threats overnight. It’s a gradual easing in. Most people even good people become this type of character at some juncture, because of other pressures. Finding, you know, early signs of dissatisfaction or actions taken passively or actively against an organization. Those are the things that are worth looking out for, you know, inexplicable actions that seem to be against the, you know, business interests. That’s the sort of thing we’d look for now.
Michael Grande 09:09
You know, and we spend a lot of time talking about different roles and who has access to what I think we’ve over several podcasts talked about financial controls, and and you know, who essentially has the approving authority and the check writing authority and the wire of making authority, but even outside of financial controls, access controls, internal controls, within the organization have to be a key component and appropriate checks and balances.
Steven Maresca 09:36
Benedict Arnoled was a perfect storm because he had the authority, had the keys, yes, to see everything in there. So he was one of the rare cases of insider threat that is abusing their delegated and actual power to do something malicious in this regard, you know, being able to access the forts plan. And then secrets without oversight, that’s within the job description that is, in fact, central to most insider threats, because you may establish role based access controls. But if it’s with if it’s within the job functions of the person, detecting any sort of misdeed is very challenging challenge,
Jason Pufahl 10:17
So setting aside, you know, some of the maybe the background checks, right, setting aside the fact that he probably had more access to things than is appropriate for one person. If they could have recognized some of the traits, because it’s not like he was turned overnight. And you have to imagine he exhibited some suspicious behavior. But I think it speaks even to then of this sort of inherent trust that people have in each other, you know, his peers, his colleagues probably recognized something and felt that there wasn’t a significant risk or felt that they wanted to set aside their concerns because they knew him as an individual probably trusted him and liked him.
Steven Maresca 10:58
Blind trust is a problem, subordinates should not blindly trust superiors. If they see something that is untoward, they should indicate it through some
Jason Pufahl 11:08
You didn’t want to say see something, say something.
Steven Maresca 11:10
No, if there’s something observed, they should report it through some established mechanism, if their mechanism doesn’t exist, that’s a problem. In a military function like this, subordinates are accustomed and expected to follow unflinchingly without question exactly. Establishing some dialogue bi directionally across those lines of power and organization helps to sidestep this type of problem.
Michael Grande 11:37
You know, we talked about with him and sort of distraction, even though there may be there weren’t clear signs or warning signs, he was then given a new post, right with all of this power and authority, you know, the distraction thing sort of hits home to me, because in our daily life with our, you know, running businesses and being accountable to other stakeholders and our clients, we’re distracted, we’re just innately distracted. And we’re not always paying attention to the things that may be very clear, in retrospect, we look back and say, how did we miss that? Right, it was so clear. This was the case. And, you know, I, you know, it’s implementing implementing good controls, to avoid that seems like, you know, it’s, as long as the foundation is built, as we’ve already talked about. Another mitigating step.
Steven Maresca 12:28
Absolutely. Reviewing, auditing, access logs to rooms with sensitive documents, in this particular case, sure, you know, access logs to data, databases, applications, in our our era, those things tend to be mechanisms that support early detection, if they don’t exist, you can’t review, if you can’t review, you can’t find patterns of behavior. But bookending with that would be, you know, training for the overall organization at large, right, equipping people to identify suspicious activity. Meeting with a, you know, British aligned individual is probably something that, you know, cause alarm and a lot of cases.
Jason Pufahl 13:11
Meeting with and marrying one, sure, yeah, yeah. Well,
Steven Maresca 13:14
So in a corporate world, we’re not analyzing our employees relationships is true, but that’s true. But it’s still appropriate to analyze, you know, communications and interactions and in a work appropriate sort of sphere. And in this case, it might have been something you could sniff out.
Michael Grande 13:29
So early security awareness training, maybe would have helped?
Jason Pufahl 13:34
It’s still a hard position that training people is as important as any of the controls that you can put in here, right? Maybe you call it some of these technical controls, right to the wax seal that seals the envelope, right? You know, that day and age is a technical control,
Steven Maresca 13:49
Benedict Arnold literally held the keys. Yeah, if the person holds the keys, and you can bring in somebody else to authorize their action and things of that nature, then you’re in better shape. So otherwise, it’s training.
Michael Grande 14:01
So I’m, I’m lucky, and also unlucky in that I don’t even have I think domain admin control over my own workstation. So fortunate, so yeah, so so when I need to download a new program, I have to raise my hand and ask for help and say, who can help here?
Jason Pufahl 14:16
Right. And we trust you.
Michael Grande 14:18
And apparently I’m trusted, you know, I think that’s a good lesson. So no one essentially has access to everything. Right. And that’s a smart move. Yeah,
Steven Maresca 14:28
The higher up you get, the less frankly, you should be able to do. And the more an individual should guide.
Michael Grande 14:35
That’s helpful words, right.
Jason Pufahl 14:37
So I mean, the reason, one, we wanted a July fourth episode, that seemed it seemed like it was an appropriate way to have a segue into insider threat. And I think as we started to talk about it, the similarities were greater than we maybe even initially thought and frankly, a lot of the a lot of the things that we recommend to people today to our clients today. They do they hold true, they would have held true that and they would have potentially reduced the likelihood, if not maybe eliminated entirely the likelihood that he did that, you know, I find myself wondering if, you know, the Sons of Liberty had Vancord in their corner, and maybe we could have shortened the war by a year, saved a lot of lives. That’d be, but that’s the kind of good that we’re looking for. This is true, right? We’re, we are gonna, global defenders in a world where good wins. So how appropriate would that have been?
Michael Grande 15:22
Well thankfully, you know, the revolutionaries came out on top in 1776. And ultimately, our declaration was, you know, put in place and yeah, now we’re, I don’t want to do the math. But we’re coming up, you know, on on major anniversaries. Again, I remember the bicentennial. I don’t quite remember. But yeah, but it wasn’t big deal. It wasn’t, it was a big deal.
Jason Pufahl 15:53
So we’ll do we’ll do a bison tricentennial, what’s the?
Michael Grande 15:57
250 years.
Jason Pufahl 16:01
So yeah, honestly, it’s just kind of a fun way to talk about insider threats. We do talk about them with our clients, we do a lot of work with manufacturing in the CMMC space. And that is a specific element called out in CMMC. And it’s really difficult for people to set aside that human element and be objective when sort of evaluating, you know, employee or personal behavior. And you really need to and when we do the tabletops, that you run regularly, insider threats, always one of the more difficult because it tends to be less of a technology issue and very more for people.
Steven Maresca 16:37
I would have absolutely, it was an excruciatingly difficult scenarios to run through. And I would, I would have a closing statement to say that everything from a technical and security controls basis is a backstop to HR, in this discussion. So bidirectional collaboration across the organization. That’s how you avoid Benedict Arnold’s in today.
Jason Pufahl 17:02
So as always, thanks. Thanks for listening. You know, we try to be a little creative, especially around the holiday period. We hope that this one hits home a bit. I think it actually teaches a valuable lesson while also letting us jump into history a tiny bit. Thanks to both of you for helping put this together. Happy Fourth of July. Happy Fourth of July!
17:21
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn. And remember, stay vigilant, stay resilient. This has been CyberSound.
