Upload: northrop-grumman-corporation

Post on 12-Jul-2015

295 views

Category:

Technology


0 download

TRANSCRIPT

Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A

The Accidental Insider Threat: Is Your Organization Prepared?

National Security Institute – IMPACT 2013 Conference

Insider Threat – EO-13587

The October 2011 Presidential Executive Order 13587, titled “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information”, mandates that every agency and federal government systems integrator implement an insider threat detection and prevention program by the end of 2013.

This was further reinforced by a presidential memorandum in November 2012 directing federal agencies to deploy monitoring systems that meet prescribed standards. “One way to increase the chance of catching a malicious employee is to examine relevant information regarding suspicious or anomalous behavior of those whose jobs cause them to access classified information,” a White House spokeswoman commented. Given this new government-wide mandate, it is paramount that government agencies take insider threats seriously.

Source: http://www.cataphora.com/markets/government/

Insider Threat

Who is the Malicious Insider Threat?

Disgruntled employees
  Passed over for a raise or promotion
  Poor work or home environment

Former disgruntled employees
  Fired from the company, holds animosity toward the company or its personnel

Behavior addictions
  Drugs
  Gambling

Collusion – two or more employees acting together

Social engineers – use tactics to gain access to resources they don’t have access to or need. Can steal other users’ credentials…

Insider Threat

Objectives of the Malicious Insider Threat:

Target individuals that did them wrong

Introduction of viruses, worms, trojans or other malware

Theft of information or corporate secrets

Theft of money

The corruption or deletion of data

The altering of data to produce inconvenience or false criminal evidence

Theft of the identities of specific individuals in the enterprise

Insider Threat

Elements leading up to a Malicious Insider attack:

www.cert.org

Insider Threat

For the Malicious Insider Threat, we need to be able to:

Detect malicious insider activity

Attribute activity to users

Provide NETOPS tools to track down anomalies

Allow Security Operations to foresee events through continuous monitoring

Execute an effective incident response capability

Improve Mission Assurance

Determine new ways to combat cyber threats

Insider Threat

Who is an Accidental Insider Threat?

All employees – exhibit bad habits
  Passwords left on screens or under keyboards
  Tailgating into restricted areas, loss of accountability
  Using their work computers to surf the web or read personal e-mail
  Bringing personal computing devices to work (laptops, PDAs, smart phones and tablets)
  Failing to follow OPSEC
  Falling for social engineering – phone calls from imposters, phishing e-mails, etc.

IT personnel – create vulnerabilities by
  Having group (shared) accounts
  Not enforcing separation of duties
  Creating scripts or back doors for convenience
  Not changing default passwords

Security personnel – exhibit bad habits
  Deviate from the security practices they are required to enforce

Executive management

Insider Threat

To Reduce the Risk for the Accidental Insider Threat, we need to be able to:

Provide sound policies that articulate specific behavior expectations in Acceptable Use Policies

Educate and Train all personnel on exhibiting good habits

Set the example: Management and Security personnel alike

Provide constant awareness

Institute a mechanism to report suspicious behavior

Audit or assess your program!

Insider Threat - Policies

Reduce the Risk for the Accidental Insider Threat: Provide sound policies that articulate specific behavior expectations

Good policies have the following elements:

Introduction – State the purpose of the policy (Acceptable Use)

Scope – Who does the policy apply to? (Everyone, IT personnel, GSU)

Details – here is where you state the specific elements of the policy.

Accountability Statement – This is where you articulate who will be responsible for implementing the policy (Managers/Supervisors) and the ramifications for not adhering to the policy “ Deviations from this policy will be handled promptly and may include disciplinary action up to and including termination”.

Policy Owner – The final section articulates the policy owner, date and version of the policy.

Policies should be coordinated with all stakeholders

Human Resources

Legal Department

Security Personnel

Management

Policies should be specific and enforceable

Policies should be updated periodically

Employees should acknowledge policies with a signature and date

Insider Threat - Training

Reduce the Risk for the Accidental Insider Threat: Educate and train all personnel on exhibiting good habits and behavior

Computer based – internal/external (DSS/DISA, others)

Develop in-house programs

External training and conferences

Provide periodically (monthly, biannually, annually)

Gear training to the audience
  All personnel
  IT personnel
  Security personnel

Assess the training material for currency and effectiveness
  Update

Provide Examples (real world events or case studies)

Insider Threat - Awareness

Reduce the Risk for the Accidental Insider Threat: Provide constant awareness

Reward incentives

Periodic e-mails

Posters – common areas
  Break rooms
  Rest rooms
  Specific work areas
  Hallways

Insider Threat - Audit

Reduce the Risk for the Accidental Insider Threat: Audit or assess your program!

Periodic

Have an external audit (DSS/another facility’s FSO)

Correct deficiencies & if necessary realign resources

If you don’t have one, establish a budget and justify requirements

Insider Threat

For the Accidental Insider Threat, we need to be able to:

Detect malicious insider activity

Attribute activity to users

Provide NETOPS tools to track down anomalies

Allow Security Operations to foresee events through continuous monitoring

Execute an effective incident response capability

Improve Mission Assurance

Determine new ways to combat cyber threats

For IT Managers and IT Security Professionals

Least Privilege

Segregation of Duties

Defense in Depth

Technical Controls
  Preventive Controls
  Detective Controls
  Corrective Controls
  Deterrent Controls

Risk-Control Adequacy

Use Choke Points

Additional Resources

The Accidental Insider Threat: Is Your Organization Ready?

This panel of industry experts explored the threats posed by “accidental insiders” – individuals who are not maliciously trying to cause harm, but can unknowingly present a major risk to an organization and its infrastructure.

Aired on Federal News Radio, October 2, 2012 at 12:00 PM ET

Raynor Dahlquist, Booz Allen Hamilton, Panel Moderator

Tom Kellermann, Trend Micro

Angela McKay, Microsoft

Michael C. Theis, CERT Insider Threat Center

http://www.federalnewsradio.com/262/3054242/The-Accidental-Insider-Threat-Is-Your-Organization-Ready

Additional Resources

Advanced Persistent Threat (APT) and Insider Threat http://cyber-defense.sans.org/blog/2012/10/23/advanced-persistent-threat-apt-and-insider-threat

Insiders and Insider Threats – An Overview of Definitions and Mitigation Techniques http://isyou.info/jowua/papers/jowua-v2n1-1.pdf

The Accidental Insider Threat – A White Paper Dr. Shawn P. Murray, Jones International University – (Available on the NSI Website)

Questions?