Internal Risk Management a.k.a. the Insider Threat MN Government IT Symposium Wed. May 13, 2009 Session 32 Barry Caplin Chief Information Security Officer MN Department of Human Services

In The News

Agenda What is it? How big an issue? What do we do?

What is it?

How big an issue?

What do we do?

What is Internal Risk Management? IRM = Management of the “Insider Threat” “ Insider Threat” = Risk of actions of an Insider Malicious Insider = Current or former employees or contractors who: intentionally exceeded or misused an authorized level of access to networks, systems or data, and; affected the security of the organizations’ data, systems, or daily business operations (CERT/US Secret Service Insider Threat Study)

IRM = Management of the “Insider Threat”

“ Insider Threat” = Risk of actions of an Insider

Malicious Insider = Current or former employees or contractors who:

intentionally exceeded or misused an authorized level of access to networks, systems or data, and;

affected the security of the organizations’ data, systems, or daily business operations

(CERT/US Secret Service Insider Threat Study)

What is Internal Risk Management? Insider’s intentions can be good or evil Actions can be intentional or accidental Must consider errors and omissions Accidents Not following process

Insider’s intentions can be good or evil

Actions can be intentional or accidental

Must consider errors and omissions

Accidents

Not following process

Background Not a new issue 2007 CSI/FBI Computer Crime Survey - insiders #1 reported problem. Old issue, awareness is heightening. Additional monitoring shows what has always been there. Some orgs not fully comfortable with the concept. 2008 CSI/FBI Computer Crime Survey Insider threat decreased

Not a new issue

2007 CSI/FBI Computer Crime Survey - insiders #1 reported problem.

Old issue, awareness is heightening.

Additional monitoring shows what has always been there.

Some orgs not fully comfortable with the concept.

2008 CSI/FBI Computer Crime Survey

Insider threat decreased

Background 2008 Verizon report (based on Verizon caseload) Most breaches external Most costly breaches internal (mostly end-users or admin/root) Greatest overall risk - Trusted Partners 2009 Verizon report Most = external, most costly = internal Greatest overall risk - external sources! But… 39% multiple parties Didn’t consider insiders’ “inaction”

2008 Verizon report (based on Verizon caseload)

Most breaches external

Most costly breaches internal

(mostly end-users or admin/root)

Greatest overall risk - Trusted Partners

2009 Verizon report

Most = external, most costly = internal

Greatest overall risk - external sources!

But…

39% multiple parties

Didn’t consider insiders’ “inaction”

Background 2009 Ponemon/Symantec study 950 people who lost/left jobs 60% took confidential info (cd/usb/email) 82% did not have exit review 24% had network access after leaving US CERT actively studying this issue

2009 Ponemon/Symantec study

950 people who lost/left jobs

60% took confidential info (cd/usb/email)

82% did not have exit review

24% had network access after leaving

US CERT actively studying this issue

From: Dark Reading http://darkreading.com/insiderthreat

Types of Internal Risks Fraud: obtaining property or services from the organization unjustly through deception or trickery. Sale of data Modification of data for pay (license records, criminal records, welfare status) Stealing money (financial institutions, government, etc…) Theft of Information : stealing confidential or proprietary information from the organization. Theft of: customer information, source code, data

Fraud: obtaining property or services from the organization unjustly through deception or trickery.

Sale of data

Modification of data for pay (license

records, criminal records, welfare status)

Stealing money (financial institutions, government, etc…)

Theft of Information : stealing confidential or proprietary information from the organization.

Theft of: customer information, source code, data

Types of Internal Risks IT Sabotage : acting with intention to harm a specific individual, the organization, or the organization’s data, systems, and/or daily business operations. Deletion of data, logic bombs, defacement, extortion (encryption) Error/Omission: causing damage to assets or disclosure of information because of an unintentional mistake. Leaving a system vulnerable (not patching, config error, etc.) Improper disclosure (database accessible, posting to website, etc.)

IT Sabotage : acting with intention to harm a specific individual, the organization, or the organization’s data, systems, and/or daily business operations.

Deletion of data, logic bombs, defacement, extortion (encryption)

Error/Omission: causing damage to assets or disclosure of information because of an unintentional mistake.

Leaving a system vulnerable (not patching, config error, etc.)

Improper disclosure (database accessible, posting to website, etc.)

If disgruntled => unmet expectations Stressors contributed Behavioral precursors often observable but ignored Majority attacked after termination Created/used access paths unknown to management Organizations failed to detect technical precursors. Lack of proper access controls Observations from CERT Insider Threat Study http://www.cert.org/insider_threat/

If disgruntled => unmet expectations

Stressors contributed

Behavioral precursors often observable but ignored

Majority attacked after termination

Created/used access paths unknown to management

Organizations failed to detect technical precursors.

Lack of proper access controls

What do we do?

What do we do?

CERT Good Practices Risk assessments - insider/partners threats Document and enforce policies and controls. Security awareness training Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process. Anticipate/manage negative workplace issues.

Risk assessments - insider/partners threats

Document and enforce policies and controls.

Security awareness training

Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.

Anticipate/manage negative workplace issues.

CERT Good Practices Secure the physical environment. Password and account management. Separation of duties and least privilege. SDLC - Consider insider threats Consider extra controls for privileged users.

Secure the physical environment.

Password and account management.

Separation of duties and least privilege.

SDLC - Consider insider threats

Consider extra controls for privileged users.

CERT Good Practices Change control Log, monitor, and audit Defense in Depth Deactivate access after termination Secure backup and recovery Incident response plan

Change control

Log, monitor, and audit

Defense in Depth

Deactivate access after termination

Secure backup and recovery

Incident response plan

According to Schneier Five basic techniques to deal with trusted people (Schneier): Limit the number of trusted people. Ensure that trusted people are also trustworthy. Limit the amount of trust each person has. Give people overlapping spheres of trust. Detect breaches of trust after the fact and issue sanctions.

Five basic techniques to deal with trusted people (Schneier):

Limit the number of trusted people.

Ensure that trusted people are also trustworthy.

Limit the amount of trust each person has.

Give people overlapping spheres of trust.

Detect breaches of trust after the fact and issue sanctions.

ShackF00 Security areas of focus during layoffs (Dave Shackleford – ShackF00 blog) Monitor logs Watch the back door Monitor physical access Institute strict change monitoring of code and files Revocation of access to resources Reclaiming corporate computing assets Forensics

Security areas of focus during layoffs (Dave Shackleford – ShackF00 blog)

Monitor logs

Watch the back door

Monitor physical access

Institute strict change monitoring of code and files

Revocation of access to resources

Reclaiming corporate computing assets

Forensics

The DHS Approach SMT briefing Philosophical direction Previous focus on external threats New area of focus Cross-divisional work – Security, Privacy, Audit, Legal, Compliance Culture change - May not be popular

SMT briefing

Philosophical direction

Previous focus on external threats

New area of focus

Cross-divisional work – Security, Privacy, Audit, Legal, Compliance

Culture change - May not be popular

Examples Background studies Media/device encryption Privileged accounts/Local Admin/activity Improved provisioning Annual recertification Security Lifecycle Management Training via audio/video Improved server control software /logging/NBA Improved change management The DHS Approach

Examples

Background studies

Media/device encryption

Privileged accounts/Local Admin/activity

Improved provisioning

Annual recertification

Security Lifecycle Management

Training via audio/video

Improved server control software /logging/NBA

Improved change management

Next Steps Examining current environment and resources Plan mitigations Create recommended project/tools list Create implementation plan

Examining current environment and resources

Plan mitigations

Create recommended project/tools list

Create implementation plan

Where to Learn More… CMU CyLab - http://www.cylab.cmu.edu/ CERT - http://www.cert.org/insider_threat/ Data Breach Blog - http://breach.scmagazineblogs.com/ OSF DataLossdb - http://datalossdb.org/ Dark Reading - http://darkreading.com/insiderthreat/

CMU CyLab - http://www.cylab.cmu.edu/

CERT - http://www.cert.org/insider_threat/

Data Breach Blog - http://breach.scmagazineblogs.com/

OSF DataLossdb - http://datalossdb.org/

Dark Reading - http://darkreading.com/insiderthreat/

Discussion…