Internal Risk Management


The media has given a great deal of attention to the “insider threat”, the issue of someone within an organization harming or stealing data or assets. How does this happen and why? Shouldn’t we be more concerned with external threats like hackers and cyber-thieves?

Learning Nuggets
· Insider threat components and issues
· Current research
· Mitigation and good practices

Published in: Business, Technology

Slide transcript

    1. Slide 1: Internal Risk Management, a.k.a. the Insider Threat. MN Government IT Symposium, Wed. May 13, 2009, Session 32. Barry Caplin, Chief Information Security Officer, MN Department of Human Services
    2. Slide 2: In The News
    3. Slide 6: Agenda
       · What is it?
       · How big an issue?
       · What do we do?
    4. Slide 7: What is Internal Risk Management?
       · IRM = Management of the “Insider Threat”
       · “Insider Threat” = Risk of actions of an Insider
       · Malicious Insider = Current or former employees or contractors who:
         · intentionally exceeded or misused an authorized level of access to networks, systems or data, and
         · affected the security of the organization’s data, systems, or daily business operations
         · (CERT/US Secret Service Insider Threat Study)
    5. Slide 8: What is Internal Risk Management?
       · Insider’s intentions can be good or evil
       · Actions can be intentional or accidental
       · Must consider errors and omissions
         · Accidents
         · Not following process
    6. Slide 9: Background
       · Not a new issue
       · 2007 CSI/FBI Computer Crime Survey - insiders #1 reported problem.
         · Old issue, awareness is heightening.
         · Additional monitoring shows what has always been there.
         · Some orgs not fully comfortable with the concept.
       · 2008 CSI/FBI Computer Crime Survey
         · Insider threat decreased
    7. Slide 10: Background
       · 2008 Verizon report (based on Verizon caseload)
         · Most breaches external
         · Most costly breaches internal
         · (mostly end-users or admin/root)
         · Greatest overall risk - Trusted Partners
       · 2009 Verizon report
         · Most = external, most costly = internal
         · Greatest overall risk - external sources!
         · But…
           · 39% multiple parties
           · Didn’t consider insiders’ “inaction”
    8. Slide 11: Background
       · 2009 Ponemon/Symantec study
         · 950 people who lost/left jobs
         · 60% took confidential info (cd/usb/email)
         · 82% did not have exit review
         · 24% had network access after leaving
       · US CERT actively studying this issue
    9. Slide 14: From: Dark Reading
    10. Slide 15: Types of Internal Risks
       · Fraud: obtaining property or services from the organization unjustly through deception or trickery.
         · Sale of data
         · Modification of data for pay (license records, criminal records, welfare status)
         · Stealing money (financial institutions, government, etc.)
       · Theft of Information: stealing confidential or proprietary information from the organization.
         · Theft of: customer information, source code, data
    11. Slide 16: Types of Internal Risks
       · IT Sabotage: acting with intention to harm a specific individual, the organization, or the organization’s data, systems, and/or daily business operations.
         · Deletion of data, logic bombs, defacement, extortion (encryption)
       · Error/Omission: causing damage to assets or disclosure of information because of an unintentional mistake.
         · Leaving a system vulnerable (not patching, config error, etc.)
         · Improper disclosure (database accessible, posting to website, etc.)
    12. Slide 20: Observations from CERT Insider Threat Study
       · If disgruntled => unmet expectations
       · Stressors contributed
       · Behavioral precursors often observable but ignored
       · Majority attacked after termination
       · Created/used access paths unknown to management
       · Organizations failed to detect technical precursors.
       · Lack of proper access controls
    13. Slide 21: What do we do?
    14. Slide 22: CERT Good Practices
       · Risk assessments - insider/partner threats
       · Document and enforce policies and controls.
       · Security awareness training
       · Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
       · Anticipate/manage negative workplace issues.
    15. Slide 23: CERT Good Practices
       · Secure the physical environment.
       · Password and account management.
       · Separation of duties and least privilege.
       · SDLC - Consider insider threats
       · Consider extra controls for privileged users.
    16. Slide 24: CERT Good Practices
       · Change control
       · Log, monitor, and audit
       · Defense in Depth
       · Deactivate access after termination
       · Secure backup and recovery
       · Incident response plan
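The practices “deactivate access after termination” and “log, monitor, and audit”, together with the Ponemon finding that 24% of departed employees still had network access, reduce to one recurring reconciliation: compare who HR says has left against what the directory and the authentication logs say. The script below is an added example and is not part of the presentation or of CERT’s material. It cross-checks a constructed HR separation list against a constructed account-status export and constructed authentication log lines, flagging accounts left enabled past a grace period and any successful or attempted logins after a user’s last day. The log format, the field names and every record are assumptions made for this example.

```python
"""Post-termination access reconciliation (added illustrative example).

Cross-checks an HR separation list against account status and auth logs.
All inputs below are constructed for the example; the log format and field
names are assumptions, not any real product's format.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed HR separation list: user -> last day of employment (midnight).
HR_SEPARATIONS = {
    "jdoe": datetime(2009, 4, 30),
    "asmith": datetime(2009, 5, 1),
    "bwong": datetime(2009, 5, 4),
}

# Constructed directory export at audit time: user -> account enabled?
ACCOUNT_STATUS = {
    "jdoe": True,     # never disabled after separation
    "asmith": False,  # correctly disabled
    "bwong": True,    # never disabled after separation
    "clee": True,     # current employee
}

# Constructed authentication log, one event per line (assumed format):
#   <ISO timestamp> <OK|FAIL> user=<name> src=<ip> svc=<service>
AUTH_LOG = """\
2009-05-02T08:15:03 OK user=clee src=10.1.4.20 svc=vpn
2009-05-02T23:41:10 OK user=jdoe src=203.0.113.7 svc=vpn
2009-05-03T09:02:55 FAIL user=asmith src=203.0.113.9 svc=webmail
2009-05-04T17:30:00 OK user=bwong src=10.1.4.31 svc=fileshare
2009-05-06T02:12:44 OK user=bwong src=198.51.100.5 svc=vpn
2009-05-06T02:13:01 OK user=bwong src=198.51.100.5 svc=fileshare
this line is malformed and must be skipped
"""

AUDIT_TIME = datetime(2009, 5, 7)


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # account_enabled | post_termination_login | post_termination_attempt
    detail: str


def parse_auth_line(line: str) -> Optional[dict]:
    """Parse one log line into {ts, result, user, src, svc}; None if malformed."""
    tokens = line.split()
    if len(tokens) != 5 or tokens[1] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(tokens[0])
        fields = dict(tok.split("=", 1) for tok in tokens[2:])
    except ValueError:  # bad timestamp or a token without '='
        return None
    if set(fields) != {"user", "src", "svc"}:
        return None
    return {"ts": ts, "result": tokens[1], **fields}


def access_cutoff(last_day: datetime) -> datetime:
    """Activity on the last day itself is legitimate; from the next midnight on it is not."""
    return last_day + timedelta(days=1)


def find_orphaned_accounts(separations, status, as_of, grace_days: int = 0):
    """Accounts still enabled once the cutoff plus a grace period has passed."""
    findings = []
    for user, last_day in separations.items():
        cutoff = access_cutoff(last_day)
        if status.get(user) and as_of >= cutoff + timedelta(days=grace_days):
            overdue = (as_of - cutoff).days
            findings.append(Finding(user, "account_enabled",
                                    f"enabled {overdue} day(s) after separation on {last_day:%Y-%m-%d}"))
    return findings


def find_post_termination_auth(separations, log_text):
    """Successful logins and failed attempts by separated users after their cutoff."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in separations:
            continue
        if ev["ts"] < access_cutoff(separations[ev["user"]]):
            continue  # on or before the last day: expected activity
        kind = "post_termination_login" if ev["result"] == "OK" else "post_termination_attempt"
        findings.append(Finding(ev["user"], kind,
                                f"{ev['result']} {ev['svc']} from {ev['src']} at {ev['ts']:%Y-%m-%d %H:%M}"))
    return findings


def run_audit(separations=HR_SEPARATIONS, status=ACCOUNT_STATUS,
              log_text=AUTH_LOG, as_of=AUDIT_TIME, grace_days: int = 0):
    """Return all findings plus a count per finding kind."""
    findings = (find_orphaned_accounts(separations, status, as_of, grace_days)
                + find_post_termination_auth(separations, log_text))
    return findings, Counter(f.kind for f in findings)


if __name__ == "__main__":
    all_findings, summary = run_audit()
    for f in all_findings:
        print(f"{f.kind:26} {f.user:8} {f.detail}")
    print(dict(summary))
```

Two design points carry over to a real deployment. The cutoff is the midnight after the last day, so normal last-day activity is not flagged while a login that night is; and a failed attempt on a correctly disabled account is still reported, because it shows someone is trying the credential even though the control held. The grace period exists so a team that disables accounts in a nightly batch does not drown in same-day noise, but it should be short and should be a documented exception, not a default.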
    17. Slide 25: According to Schneier
       · Five basic techniques to deal with trusted people (Schneier):
       · Limit the number of trusted people.
       · Ensure that trusted people are also trustworthy.
       · Limit the amount of trust each person has.
       · Give people overlapping spheres of trust.
       · Detect breaches of trust after the fact and issue sanctions.
    18. Slide 26: ShackF00
       · Security areas of focus during layoffs (Dave Shackleford – ShackF00 blog)
       · Monitor logs
       · Watch the back door
       · Monitor physical access
       · Institute strict change monitoring of code and files
       · Revocation of access to resources
       · Reclaiming corporate computing assets
       · Forensics
    19. Slide 27: The DHS Approach
       · SMT briefing
         · Philosophical direction
         · Previous focus on external threats
         · New area of focus
         · Cross-divisional work – Security, Privacy, Audit, Legal, Compliance
         · Culture change - May not be popular
    20. Slide 29: The DHS Approach
       · Examples
       · Background studies
       · Media/device encryption
       · Privileged accounts/Local Admin/activity
       · Improved provisioning
       · Annual recertification
       · Security Lifecycle Management
       · Training via audio/video
       · Improved server control software/logging/NBA
       · Improved change management
    21. Slide 30: Next Steps
       · Examining current environment and resources
       · Plan mitigations
       · Create recommended project/tools list
       · Create implementation plan
    22. Slide 31: Where to Learn More…
       · CMU CyLab -
       · CERT -
       · Data Breach Blog -
       · OSF DataLossdb -
       · Dark Reading -
    23. Slide 32: Discussion…