The document discusses insider threats, both malicious and accidental, to organizations. It notes that a 2011 presidential executive order mandates that all government agencies implement insider threat detection programs by 2013. Both intentional and accidental insider threats can damage an organization. To mitigate the risk, the document recommends that organizations establish sound security policies, train all personnel, conduct constant security awareness activities, and regularly audit their insider threat programs. It also suggests technical controls and strategies that IT and security professionals can use to detect and prevent insider threats.
1. The Accidental Insider Threat:
Is Your Organization Prepared?
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
National Security Institute – IMPACT 2013 Conference
2. Insider Threat – EO-13587
The October 2011 Presidential Executive Order 13587, titled
“Structural Reforms to Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding of
Classified Information”, mandates that every agency and
federal government systems integrator implement an
insider threat detection and prevention program by the end of
2013.
This was further reinforced by a presidential memorandum in November 2012
directing federal agencies to deploy monitoring systems that meet prescribed
standards. “One way to increase the chance of catching a malicious
employee is to examine relevant information regarding suspicious or
anomalous behavior of those whose jobs cause them to access classified
information,” a White House spokeswoman commented. Given this new government-wide mandate, it is paramount that government agencies take insider threats seriously.
Source: http://www.cataphora.com/markets/government/
3. Insider Threat
Who is the Malicious Insider Threat?
Disgruntled employees
Passed over for raise or promotion
Poor work or home environment
Former disgruntled employees
Fired from the company, holds animosity to company or personnel
Behavior addictions
Drugs
Gambling
Collusion – two or more employees acting together
Social engineers – use tactics to gain access to resources they don’t
have access to or need. They can also steal other users’ credentials.
4. Insider Threat
Objectives of the Malicious Insider Threat:
Target individuals that did them wrong
Introduction of viruses, worms, trojans or other malware
Theft of information or corporate secrets
Theft of money
The corruption or deletion of data
The altering of data to produce inconvenience or false criminal
evidence
Theft of the identities of specific individuals in the enterprise
6. Insider Threat
For the Malicious Insider Threat, we need to be able to:
Detect malicious insider activity
Attribute activity to users
Provide NETOPS tools to track down anomalies
Allow Security Operations to foresee events through continuous
monitoring
Execute an effective incident response capability
Improve Mission Assurance
Determine new ways to combat cyber threats
7. Insider Threat
Who is an Accidental Insider Threat?
All employees – exhibit bad habits
Passwords left on screens, under keyboards
Tailgating into restricted areas, loss of accountability
Using their computers to surf the web or communicate personal e-mail
Bringing personal computing devices to work (laptops, PDAs, smart phones and tablets)
Failing to follow OPSEC
Social Engineering – phone calls from imposters, phishing e-mails, etc.
IT Personnel – create vulnerabilities by:
Having group accounts
Not enforcing separation of duties
Creating scripts or back doors for convenience
Not changing default passwords
Security Personnel – exhibit bad habits
Deviate from security practices they are required to enforce
Executive Management
8. Insider Threat
To Reduce the Risk for the Accidental
Insider Threat, we need to be able to:
Provide sound policies that articulate specific behavior
expectations in Acceptable Use Policies
Educate and Train all personnel on exhibiting good habits
Set the example: Management and Security personnel alike
Provide constant awareness
Institute a mechanism to report suspicious behavior
Audit or assess your program!
9. Insider Threat - Policies
Reduce the Risk for the Accidental Insider Threat:
Provide sound policies that articulate specific behavior expectations
Good policies have the following elements
Introduction – State the purpose of the policy (Acceptable Use)
Scope – Who does the policy apply to? (Everyone, IT personnel, GSU)
Details – here is where you state the specific elements of the policy.
Accountability Statement – This is where you articulate who will be responsible for implementing
the policy (Managers/Supervisors) and the ramifications for not adhering to the policy: “Deviations
from this policy will be handled promptly and may include disciplinary action up to and including termination.”
Policy Owner – The final section articulates the policy owner, date and version of the policy.
Policies should be coordinated with all stakeholders
Human Resources
Legal Department
Security Personnel
Management
Policies should be specific and enforceable
Policies should be updated periodically
Employees should acknowledge policies with a signature and date
10. Insider Threat - Training
Reduce the Risk for the Accidental Insider
Threat:
Educate and Train all personnel on exhibiting good habits & behavior
Computer based – Internal/External (DSS/DISA, Others)
Develop in house programs
External training & Conferences
Provide periodically (monthly, biannually, annually)
Gear training to the audience
All personnel
IT Personnel
Security Personnel
Assess the training material for currency and effectiveness
Update
Provide Examples (real world events or case studies)
11. Insider Threat - Awareness
Reduce the Risk for the Accidental
Insider Threat:
Provide constant awareness
Reward incentives
Periodic e-mails
Posters – common areas
Break rooms
Rest rooms
Specific work areas
Hallways
12. Insider Threat - Audit
Reduce the Risk for the Accidental
Insider Threat:
Audit or assess your program!
Periodic
Have an external audit (DSS/another facility’s FSO)
Correct deficiencies & if necessary realign resources
If you don’t have one, establish a budget and justify requirements
13. Insider Threat
For the Accidental Insider Threat, we need to be able
to:
Detect malicious insider activity
Attribute activity to users
Provide NETOPS tools to track down anomalies
Allow Security Operations to foresee events through continuous
monitoring
Execute an effective incident response capability
Improve Mission Assurance
Determine new ways to combat cyber threats
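The list above (and the identical list on slide 6) asks for the ability to detect insider activity, attribute it to individual users, and surface anomalies through continuous monitoring. The following is an added example, not part of the presentation, that shows the shape of that logic in Python: it parses a constructed file-access audit log (the `host=... user=... action=... bytes=...` line format, the baseline host list, the business-hours window and the bulk-read threshold are all assumptions), attributes each event to a named user, and flags events that fall outside the user's baseline.

```python
"""Attribute constructed audit-log events to users and flag deviations from baseline.

Added example: the log format, baseline and thresholds are assumptions, not the
presentation's own data or any product's real format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (one event per line).
SAMPLE_LOG = """\
2013-03-04T09:12:05 host=fs01 user=asmith action=read bytes=20480
2013-03-04T09:40:11 host=fs01 user=asmith action=read bytes=15360
2013-03-04T10:05:42 host=fs01 user=bjones action=read bytes=4096
2013-03-04T13:22:09 host=fs02 user=bjones action=read bytes=8192
this line is malformed and must be skipped, not crash the parser
2013-03-04T23:47:31 host=fs01 user=asmith action=read bytes=524288000
2013-03-05T02:03:17 host=hr01 user=asmith action=read bytes=1048576
2013-03-05T08:30:00 host=fs02 user=bjones action=read bytes=2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed baseline: the hosts each user normally touches. In practice this comes
# from an asset/role inventory or is learned from a clean historical window.
BASELINE_HOSTS = {"asmith": {"fs01"}, "bjones": {"fs01", "fs02"}}
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumed)
BULK_READ_BYTES = 100 * 1024 * 1024    # 100 MiB in one event (assumed threshold)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def attribute(events):
    """Group events by the user account they are attributed to."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    return by_user


def find_anomalies(events):
    """Return (user, reason, timestamp) tuples for events outside the user's baseline."""
    findings = []
    for user, evs in attribute(events).items():
        for ev in evs:
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append((user, "off-hours access", ev["ts"]))
            if ev["host"] not in BASELINE_HOSTS.get(user, set()):
                findings.append((user, "host outside baseline", ev["ts"]))
            if ev["bytes"] >= BULK_READ_BYTES:
                findings.append((user, "bulk read", ev["ts"]))
    return findings


if __name__ == "__main__":
    for user, reason, ts in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<8} {reason}")
```

Per-user attribution is what makes the findings actionable: a group account would collapse several people into one baseline and leave nobody accountable, which is the point of the group-account warning on slide 7. The thresholds are deliberately simple; a production deployment would tune them per role and feed the findings to the incident response process rather than printing them.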
14. For IT Managers & IT Security
Professionals
Least Privilege
Segregation of Duties
Defense in Depth
Technical Controls
Preventive Controls
Detective Controls
Corrective Controls
Deterrent Controls
Risk-Control Adequacy
Use Choke Points
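Least Privilege and Segregation of Duties on this slide, together with the IT-personnel habits on slide 7 (group accounts, unchanged default passwords), are conditions that can be checked mechanically against an account inventory. The following is an added example, not part of the presentation, written in Python: it audits a constructed inventory (the account records, role-to-permission map, conflicting-duty pairs and default-password list are all assumptions) and reports accounts that are shared, still carry a default password, hold permissions beyond their role, or hold two duties that should be separated.

```python
"""Audit a constructed account inventory for least-privilege, separation-of-duties,
shared-account and default-password findings.

Added example: every record, role and default password here is constructed; the
unsalted SHA-256 comparison is a simplification for the example (real password
stores are salted, so the check would go through the store's verify routine).
"""
import hashlib


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed default-password list; in practice use the product's documented
# defaults and a breached-password list.
DEFAULT_PASSWORD_HASHES = {sha256_hex(p) for p in ("admin", "password", "changeme")}

# Assumed role definitions: the permissions each role is supposed to have.
ROLE_PERMISSIONS = {
    "analyst": {"read_reports"},
    "operator": {"deploy", "read_logs"},
    "finance": {"create_vendor", "approve_payment", "read_reports"},
}

# Assumed pairs of duties that one person must not hold at the same time.
SOD_CONFLICTS = [
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_change", "approve_change"}),
]

# Constructed inventory, as a directory export might provide it.
ACCOUNTS = [
    {"name": "asmith", "users": ["asmith"], "role": "analyst",
     "permissions": {"read_reports"},
     "password_hash": sha256_hex("Tr0ub4dor&3-constructed")},
    {"name": "ops_shared", "users": ["bjones", "cdoe"], "role": "operator",
     "permissions": {"deploy", "read_logs"},
     "password_hash": sha256_hex("changeme")},
    {"name": "dlee", "users": ["dlee"], "role": "finance",
     "permissions": {"create_vendor", "approve_payment"},
     "password_hash": sha256_hex("Correct-Horse-constructed")},
    {"name": "eroy", "users": ["eroy"], "role": "analyst",
     "permissions": {"read_reports", "deploy"},
     "password_hash": sha256_hex("Battery-Staple-constructed")},
]


def audit_account(acct):
    """Return a list of finding strings for one account (empty if clean)."""
    findings = []
    if len(acct["users"]) > 1:
        findings.append("shared account: no individual accountability")
    if acct["password_hash"] in DEFAULT_PASSWORD_HASHES:
        findings.append("default password still set")
    allowed = ROLE_PERMISSIONS.get(acct["role"], set())
    extra = sorted(acct["permissions"] - allowed)
    if extra:
        findings.append("exceeds role (least privilege): " + ", ".join(extra))
    for pair in SOD_CONFLICTS:
        if pair <= acct["permissions"]:
            findings.append("separation-of-duties conflict: " + " + ".join(sorted(pair)))
    return findings


def audit(accounts):
    """Map account name -> findings, including only accounts with at least one."""
    results = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            results[acct["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        for f in findings:
            print(f"{name:<11} {f}")
```

Running the audit on a schedule, and diffing its output against the previous run, is one concrete form of the periodic program assessment slide 12 asks for: each finding maps back to a specific bullet on slide 7 or slide 14, so the output doubles as evidence for the audit.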
15. Additional Resources
The Accidental Insider Threat: Is Your Organization Ready?
This panel of industry experts explored the threats posed by
“accidental insiders” – individuals who are not maliciously trying
to cause harm, but can unknowingly present a major risk to an
organization and its infrastructure.
Aired on Federal News Radio, October 2, 2012 at 12:00 PM ET
Raynor Dahlquist, Booz Allen Hamilton, Panel Moderator
Tom Kellermann, Trend Micro
Angela McKay, Microsoft
Michael C. Theis, CERT Insider Threat Center
http://www.federalnewsradio.com/262/3054242/The-Accidental-Insider-Threat-Is-Your-Organization-Ready
16. Additional Resources
Advanced Persistent Threat (APT) and Insider Threat
http://cyber-defense.sans.org/blog/2012/10/23/advanced-persistent-threat-apt-and-insider-threat
Insiders and Insider Threats - An Overview of Definitions and
Mitigation Techniques
http://isyou.info/jowua/papers/jowua-v2n1-1.pdf
The Accidental Insider Threat – A White Paper
Dr. Shawn P. Murray, Jones International University – (Available on the NSI Website)