the accidental insider threat
Post on 12-Jul-2015
Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
The Accidental Insider Threat: Is Your Organization Prepared?
National Security Institute – IMPACT 2013 Conference
Insider Threat – EO-13587
The October 2011 Presidential Executive Order 13587, titled “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information”, mandates that every agency and federal government systems integrator implement an insider threat detection and prevention program by the end of 2013.
This was further reinforced by a presidential memorandum in November 2012 directing federal agencies to deploy monitoring systems that meet prescribed standards. “One way to increase the chance of catching a malicious employee is to examine relevant information regarding suspicious or anomalous behavior of those whose jobs cause them to access classified information,” a White House spokeswoman commented. Given this new government-wide mandate, it is paramount that government agencies take insider threats seriously.
Source: http://www.cataphora.com/markets/government/
Insider Threat
Who is the Malicious Insider Threat?
Disgruntled employees: passed over for raise or promotion; poor work or home environment
Former disgruntled employees: fired from the company, hold animosity to company or personnel
Behavior addictions: drugs, gambling
Collusion – two or more employees acting together
Social engineers – use tactics to gain access to resources they don’t have access to or need. Can steal other users’ creds…
Insider Threat
Objectives of the Malicious Insider Threat:
Target individuals that did them wrong
Introduction of viruses, worms, trojans or other malware
Theft of information or corporate secrets
Theft of money
The corruption or deletion of data
The altering of data to produce inconvenience or false criminal evidence
Theft of the identities of specific individuals in the enterprise
Insider Threat
For the Malicious Insider Threat, we need to be able to:
Detect malicious insider activity
Attribute activity to users
Provide NETOPS tools to track down anomalies
Allow Security Operations to foresee events through continuous monitoring
Execute an effective incident response capability
Improve Mission Assurance
Determine new ways to combat cyber threats
Insider Threat
Who is an Accidental Insider Threat?
All employees – exhibit bad habits
Passwords left on screens, under keyboards
Tailgating into restricted areas, loss of accountability
Using their computers to surf the web or send personal e-mail
Bring personal computing devices to work (laptops, PDAs, Smart Phones & Tablets)
Failing to follow OPSEC
Social Engineering – Phone calls from imposters, phishing emails, etc.
IT Personnel – create vulnerabilities by:
Having group accounts
Separation of duties
Create scripts or back doors for conveniences
Don’t change default passwords
Security Personnel – exhibit bad habits
Deviate from security practices they are required to enforce
Executive Management
Insider Threat
To Reduce the Risk for the Accidental Insider Threat, we need to be able to:
Provide sound policies that articulate specific behavior expectations in Acceptable Use Policies
Educate and Train all personnel on exhibiting good habits
Set the example: Management and Security personnel alike
Provide constant awareness
Institute a mechanism to report suspicious behavior
Audit or assess your program!
Insider Threat - Policies
Reduce the Risk for the Accidental Insider Threat: Provide sound policies that articulate specific behavior expectations
Good policies have the following elements:
Introduction – State the purpose of the policy (Acceptable Use)
Scope – Who does the policy apply to? (Everyone, IT personnel, GSU)
Details – here is where you state the specific elements of the policy.
Accountability Statement – This is where you articulate who will be responsible for implementing the policy (Managers/Supervisors) and the ramifications for not adhering to the policy: “Deviations from this policy will be handled promptly and may include disciplinary action up to and including termination.”
Policy Owner – The final section articulates the policy owner, date and version of the policy.
Policies should be coordinated with all stakeholders
Human Resources
Legal Department
Security Personnel
Management
Policies should be specific and enforceable
Policies should be updated periodically
Employees should acknowledge policies with a signature and date
Insider Threat - Training
Reduce the Risk for the Accidental Insider Threat: Educate and Train all personnel on exhibiting good habits & behavior
Computer based – Internal/External (DSS/DISA, Others)
Develop in house programs
External training & Conferences
Provide periodically (monthly, biannually, annually)
Gear training to the audience:
All personnel
IT Personnel
Security Personnel
Assess the training material for currency and effectiveness
Update
Provide Examples (real world events or case studies)
Insider Threat - Awareness
Reduce the Risk for the Accidental Insider Threat: Provide constant awareness
Reward incentives
Periodic e-mails
Posters – common areas
Break rooms
Rest rooms
Specific work areas
Hallways
Insider Threat - Audit
Reduce the Risk for the Accidental Insider Threat: Audit or assess your program!
Periodic
Have an external audit (DSS/another facility’s FSO)
Correct deficiencies & if necessary realign resources
If you don’t have one, establish a budget and justify requirements
Insider Threat
For the Accidental Insider Threat, we need to be able to:
Detect malicious insider activity
Attribute activity to users
Provide NETOPS tools to track down anomalies
Allow Security Operations to foresee events through continuous monitoring
Execute an effective incident response capability
Improve Mission Assurance
Determine new ways to combat cyber threats
For IT Managers & IT Security Professionals
Least Privilege
Segregation of Duties
Defense in Depth
Technical Controls
Preventive Controls
Detective Controls
Corrective Controls
Deterrent Controls
Risk-Control Adequacy
Use Choke Points
Additional Resources
The Accidental Insider Threat: Is Your Organization Ready?
This panel of industry experts explored the threats posed by “accidental insiders”: individuals who are not maliciously trying to cause harm, but can unknowingly present a major risk to an organization and its infrastructure.
Aired on Federal News Radio October 2, 2012 at 12:00 PM ET
Raynor Dahlquist, Booz Allen Hamilton, Panel Moderator
Tom Kellermann, Trend Micro
Angela McKay, Microsoft
Michael C. Theis, CERT Insider Threat Center
http://www.federalnewsradio.com/262/3054242/The-Accidental-Insider-Threat-Is-Your-Organization-Ready
Additional Resources
Advanced Persistent Threat (APT) and Insider Threat
http://cyber-defense.sans.org/blog/2012/10/23/advanced-persistent-threat-apt-and-insider-threat
Insiders and Insider Threats - An Overview of Definitions and Mitigation Techniques
http://isyou.info/jowua/papers/jowua-v2n1-1.pdf
The Accidental Insider Threat – A White Paper
Dr. Shawn P. Murray, Jones International University – (Available on the NSI Website)