Peter Sakaris CISSPBooz Allen Hamilton, 1299 Farnam StreetSuite 1230, Omaha, NE 68102402-232-3829 Officesakaris_peter@bah.com

The Insider Threat

Definition

An insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally or unintentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems and/or compromised the physical security of the organization

CERT, http://www.cert.org/insider-threat/

Some important/potential indicators of an insider threat. •Greed/ financial need, Vulnerability to blackmail, Compulsive and destructive behavior, Rebellious, or passive aggressive behavior, Ethical “flexibility”, Reduced loyalty•Entitlement – narcissism (ego/self-image)•Inability to assume responsibility for actions•Intolerance of criticism•Pattern of frustration and disappointment

Source: Combating the Insider Threat 2 May 2014 DHS, http://www.dss.mil/documents/ci/Insider-Threats.pdf

Indicators

Of those who have committed espionage since 1950: •More than 1/3 had no security clearance •Twice as many “insiders” volunteered as were recruited •Naturalized U.S. citizens •Most recent spies acted alone •Nearly 85% passed information before being caught •Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate contact

Commonalities

• Works odd hours without authorization • Notable enthusiasm for overtime, weekend or unusual work

schedules • Unnecessarily copies material, especially if it is proprietary or

classified • Signs of vulnerability, such as drug or alcohol abuse, financial

difficulties, gambling, illegal activities, poor mental health or hostile behavior.

• Be on the lookout for warning signs among employees such as the acquisition of unexpected wealth, unusual foreign travel, irregular work hours or unexpected absences

Behavioral Indicators

Lone Wolfe Phenomenon

• Vet everyone and every entity that can or does have access to internal networks from the outside or physical spaces

• Outward facing security combined with seamless security

• Specific program developed depends upon organizational culture but general of security principles apply

• Culture and process are important concepts

Program Development

Insider Threat Program Development• Culture of the organization must encourage

reporting• Reporting mechanism must be clear and

concise. Who do I call?• Anonymity must be guaranteed• Awareness and Training activities

– Discussion: policies, resources, and reporting methods

– Role playing– Seminars

ReferencesUS CERT, SEI, at Carnegie-Mellon UniversityDepartment of Homeland Security

Secret Service Federal Bureau of Investigation (CI and Cyber)National Insider Threat Task Force (USD(I))Defense Security Service (IS and CI)

Questions?