internal risk management
DESCRIPTION
The media has given a great deal of attention to the “insider threat”, the issue of someone within an organization harming or stealing data or assets. How does this happen and why? Shouldn’t we be more concerned with external threats like hackers and cyber-thieves? Learning Nuggets · Insider threat components and issues · Current research · Mitigation and good practicesTRANSCRIPT
Internal Risk Managementa.k.a.
the Insider Threat
MN Government IT Symposium
Wed. May 13, 2009
Session 32
Barry Caplin
Chief Information Security Officer
MN Department of Human Services
In The News
Agenda
• What is it?
• How big an issue?
• What do we do?
What is Internal Risk Management?
• IRM = Management of the “Insider Threat”
• “Insider Threat” = Risk of actions of an Insider
• Malicious Insider = Current or former employees or contractors who:– intentionally exceeded or misused an authorized
level of access to networks, systems or data, and;– affected the security of the organizations’ data,
systems, or daily business operations(CERT/US Secret Service Insider Threat Study)
What is Internal Risk Management?
• Insider’s intentions can be good or evil
• Actions can be intentional or accidental
• Must consider errors and omissions– Accidents
– Not following process
Background
• Not a new issue
• 2007 CSI/FBI Computer Crime Survey - insiders #1 reported problem.– Old issue, awareness is heightening.– Additional monitoring shows what has always
been there.– Some orgs not fully comfortable with the concept.
• 2008 CSI/FBI Computer Crime Survey– Insider threat decreased
Background• 2008 Verizon report (based on Verizon caseload)
– Most breaches external
– Most costly breaches internal(mostly end-users or admin/root)
– Greatest overall risk - Trusted Partners
• 2009 Verizon report– Most = external, most costly = internal
– Greatest overall risk - external sources!
– But…• 39% multiple parties
• Didn’t consider insiders’ “inaction”
Background
• 2009 Ponemon/Symantec study– 950 people who lost/left jobs
– 60% took confidential info (cd/usb/email)
– 82% did not have exit review
– 24% had network access after leaving
• US CERT actively studying this issue
From: Dark Reading http://darkreading.com/insiderthreat
Types of Internal Risks• Fraud: obtaining property or services from the
organization unjustly through deception or trickery. – Sale of data– Modification of data for pay (licenserecords, criminal records, welfare status)– Stealing money (financial institutions,
government, etc…)• Theft of Information: stealing confidential or
proprietary information from the organization.– Theft of: customer information, source code,
data
Types of Internal Risks• IT Sabotage: acting with intention to harm a
specific individual, the organization, or the organization’s data, systems, and/or daily business operations.– Deletion of data, logic bombs, defacement,
extortion (encryption)• Error/Omission: causing damage to assets or
disclosure of information because of an unintentional mistake.– Leaving a system vulnerable (not patching,
config error, etc.)– Improper disclosure (database accessible,
posting to website, etc.)
• If disgruntled => unmet expectations
• Stressors contributed
• Behavioral precursors often observable but ignored
• Majority attacked after termination
• Created/used access paths unknown to management
• Organizations failed to detect technical precursors.
• Lack of proper access controls
http://www.cert.org/insider_threat/
Observations from CERT Insider Threat Study
What do we do?
CERT Good Practices• Risk assessments - insider/partners threats• Document and enforce policies and
controls.• Security awareness training• Monitor and respond to suspicious or
disruptive behavior, beginning with the hiring process.
• Anticipate/manage negative workplace issues.
CERT Good Practices
• Secure the physical environment.
• Password and account management.
• Separation of duties and least privilege.
• SDLC - Consider insider threats
• Consider extra controls for privileged users.
CERT Good Practices
• Change control
• Log, monitor, and audit
• Defense in Depth
• Deactivate access after termination
• Secure backup and recovery
• Incident response plan
According to Schneier
Five basic techniques to deal with trusted people (Schneier):
• Limit the number of trusted people. • Ensure that trusted people are also
trustworthy. • Limit the amount of trust each person has.• Give people overlapping spheres of trust.• Detect breaches of trust after the fact and
issue sanctions.
ShackF00Security areas of focus during layoffs (Dave
Shackleford – ShackF00 blog)• Monitor logs• Watch the back door• Monitor physical access• Institute strict change monitoring of code and
files• Revocation of access to resources• Reclaiming corporate computing assets• Forensics
The DHS Approach
• SMT briefing– Philosophical direction
– Previous focus on external threats
– New area of focus
– Cross-divisional work – Security, Privacy, Audit, Legal, Compliance
– Culture change - May not be popular
Examples• Background studies• Media/device
encryption• Privileged
accounts/Local Admin/activity
• Improved provisioning• Annual recertification
• Security Lifecycle Management
• Training via audio/video
• Improved server control software /logging/NBA
• Improved change management
The DHS Approach
Next Steps
• Examining current environment and resources
• Plan mitigations
• Create recommended project/tools list
• Create implementation plan
Where to Learn More…
• CMU CyLab - http://www.cylab.cmu.edu/
• CERT - http://www.cert.org/insider_threat/
• Data Breach Blog - http://breach.scmagazineblogs.com/
• OSF DataLossdb - http://datalossdb.org/
• Dark Reading - http://darkreading.com/insiderthreat/
Discussion…