Hi everyone, this is Millie Law, and today's topic is managing insider threat.
Our agenda is as follows: first I will introduce and define insider threat; then I will talk about the key risk factors and the corresponding management strategies; then I will talk about the current issues facing insider risk management; and finally I will give the conclusion.
Insider threat is defined as attacks from within the organization by individuals who have unintentionally or intentionally caused the loss of organizational assets. Insider threat is identified as one of the top three macro security issues for organizations today. Insiders were responsible for 69% of database breaches, and according to the 2010 e-Crime Survey insider incidents are often more costly to organizations than external breaches. A Sprint employee who cloned customer data using a low-tech technique cost Sprint US$15M and led to 80 employees being laid off. In another case, a complex financial fraud committed by an insider at a financial institution caused a $700M loss.
Deloitte UK identified four major areas that are susceptible to insider threat: (1) damage, (2) theft of key assets and critical equipment, (3) mass deletion or corruption of files and records, and (4) exposure and leakage of sensitive information.
Researchers have shown that C-suite executives lack insight into insider threat and its implications, such as decreased competitiveness, efficiency, compliance, and security. Mitigating insider threat is often not a top priority for executives because they see it as a "high impact, very low-frequency" issue. According to the Secure Computing IT Director Survey, only 35% of the organizations surveyed placed internal security as a priority in planned investment despite the economic downturn. According to a Deloitte survey of Fortune 1000 companies, 9 of 10 executives believed that security and privacy are primarily a technology problem, and therefore that the IT department should take full responsibility for finding a solution. The technical manager of the Computer Emergency Response Team (CERT) remarked that it has been difficult to convince C-suite executives that insider threat is not just an IT problem. This implies that executives do not understand that insider threat pervades the business process and is not just a technology problem.
The Enterprise Security Program (ESP) is an effective framework that directs an organization to set the security tone at the top. The objective of the ESP is to sustain a pervasive culture of security in the organization's beliefs, behaviors, capabilities, and actions. This is achieved by implementing top-level policies and an effective governance structure. The executive team sets the top-level security policies, establishes the organization's risk thresholds, obtains funding for the ESP, and creates the X-team. The X-team comprises sub-teams responsible for day-to-day IT security operations. The executive team and the X-team should regularly review the processes governed by these policies for effectiveness and efficiency.
More than 27% of the insiders studied stated that they were experiencing financial difficulty when the incident occurred, and stolen data has a ready market: according to the FBI, a cell phone number sells for £10.00 each on the black market. There are four types of data that are particularly lucrative and are often stolen by insiders. Since personal financial crisis is a frequent motivating factor behind insider attacks, organizations should not underestimate the return on investment in employee assistance programs (EAPs), according to a study conducted by Deloitte. An effective and well-funded EAP provides emotional and financial guidance and support to employees. When an employee facing a financial crisis is helped by such a program, it helps prevent that employee from compromising the organization's information for financial gain.
Lack of education and awareness remains an obstacle in mitigating insider risk. Insider risk is introduced by employees who lack the motivation and awareness to vigorously protect the integrity and privacy of stakeholders' sensitive information. Information system risks can be caused by unintentional behaviors, such as forgetting to log off a workstation, failing to change passwords regularly, and improperly discarding sensitive information. In 2007, more than 37% of organizations experienced leakage of sensitive information through email. To reduce information system risks caused by unintentional behaviors, management is responsible for identifying areas with high risk exposure and providing education. CERT's 16 Best Practices are defensive measures that prevent insider incidents or facilitate their early detection.
Ineffective identity management, which leads to a lack of accountability for access activity, increases insider risk. To gather information on insider threat detection specific to an organization, log collection and event correlation analysis are imperative for identifying high-risk behaviors. Any suspicious behavior, such as above-average use of the company's network, should be detected, monitored, reported, and investigated. The Federated Model is adopted by many large global corporations to distribute responsibility across the company's hierarchy, ensuring that people are accountable for the safety and protection of the organization's assets. This model has a centralized group responsible for setting common standards and coordinating functions, while business units manage 'local' execution. However, this model may not suit small businesses, where owner-manager oversight serves as the primary mitigation strategy against insider threat. Smaller organizations can instead use log management techniques with a network monitoring approach, where log files go through logical pairing, followed by log analysis and event correlation.
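The log-pairing and correlation approach just described, as an added example that is not part of this presentation: two constructed log extracts (a web proxy log and a badge-access log) are parsed, each badge 'in' is logically paired with the next 'out' for the same user, and transfers far above the average are flagged together with whether the user was physically on site at the time. The log formats, host names, user names and the mean-plus-two-standard-deviations threshold are all assumptions made for the illustration.

```python
"""Added example, not part of the presentation: pairing a constructed
proxy log with a constructed badge-access log and flagging transfers that
are far above the average and happened while the user was not badged in.
Log formats, user names, hosts and the k=2 threshold are assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp user destination bytes_out
PROXY_LOG = """\
2011-05-09T09:12:01 alice files.example.com 120000
2011-05-09T10:03:44 alice mail.example.com 80000
2011-05-09T11:40:10 bob files.example.com 95000
2011-05-09T12:15:30 carol cdn.example.net 110000
2011-05-09T13:22:05 bob mail.example.com 70000
2011-05-09T22:48:59 bob upload.example.net 9800000
2011-05-09T14:05:12 alice cdn.example.net 100000
2011-05-09T15:30:00 carol files.example.com 90000
"""

# Constructed badge log lines: timestamp user in|out
BADGE_LOG = """\
2011-05-09T08:55:00 alice in
2011-05-09T09:05:00 bob in
2011-05-09T17:10:00 bob out
2011-05-09T18:02:00 alice out
2011-05-09T09:30:00 carol in
2011-05-09T17:45:00 carol out
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
BADGE_RE = re.compile(r"^(\S+) (\S+) (in|out)$")


def parse_proxy(text):
    """Return a list of (timestamp, user, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, user, dest, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), user, dest, int(nbytes)))
    return events


def parse_badge(text):
    """Logical pairing: match each 'in' with the next 'out' for the same user.
    Returns {user: [(in_time, out_time), ...]}; an 'in' with no 'out' is
    treated as still on site."""
    rows = []
    for line in text.splitlines():
        m = BADGE_RE.match(line)
        if m:
            ts, user, ev = m.groups()
            rows.append((datetime.fromisoformat(ts), user, ev))
    opened, sessions = {}, defaultdict(list)
    for ts, user, ev in sorted(rows):
        if ev == "in":
            opened[user] = ts
        elif user in opened:
            sessions[user].append((opened.pop(user), ts))
    for user, ts in opened.items():          # still badged in
        sessions[user].append((ts, datetime.max))
    return sessions


def on_site(sessions, user, ts):
    """True if ts falls inside one of the user's badge sessions."""
    return any(start <= ts <= end for start, end in sessions.get(user, []))


def flag_transfers(proxy_text, badge_text, k=2.0):
    """Flag transfers larger than mean + k*stddev of all transfers, and
    note whether the user was badged in at the time (event correlation)."""
    events = parse_proxy(proxy_text)
    sessions = parse_badge(badge_text)
    sizes = [e[3] for e in events]
    threshold = statistics.mean(sizes) + k * statistics.pstdev(sizes)
    alerts = []
    for ts, user, dest, nbytes in events:
        if nbytes > threshold:
            alerts.append({"user": user, "dest": dest, "bytes": nbytes,
                           "when": ts.isoformat(),
                           "on_site": on_site(sessions, user, ts)})
    return alerts


if __name__ == "__main__":
    for alert in flag_transfers(PROXY_LOG, BADGE_LOG):
        print(alert)
```

A mean-plus-k-sigma cut over all events is the simplest reading of "above-average use"; with more history the baseline should be per user (or per access group) and per time of day. The pairing shown here, a large transfer while nobody was badged in, is the kind of correlation that turns a noisy volume alert into something worth investigating.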
A third of organizations have reported that employees have abused their access rights, either intentionally or accidentally. The "people paradox" states that the people within the organization's 'trusted' circle are the primary threat to the organization's assets: employees are trusted by the organization with access privileges, yet many have breached that trust by misusing them.
The attribute-based model defines insiders by their access attributes. Users are grouped by their access capabilities, and the model identifies high-risk users of high-risk resources. Since users are grouped by their ability to access organizational resources, security personnel can focus their monitoring on those who pose the greatest threat to the organization.
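A worked version of the attribute-based model, added here as an example and not part of the presentation: users are grouped by the set of resources their access attributes let them reach, the groups are ranked by the sensitivity of the high-risk resources they can touch, and each user's access is compared with the baseline common to everyone in the same role. The users, roles, resources and sensitivity scores are constructed for the illustration.

```python
"""Added example, not part of the presentation: grouping users by their
access attributes, ranking the groups by the sensitivity of the resources
they can reach, and spotting users whose access exceeds the common
baseline of their role.  Users, roles, resources and sensitivity scores
are constructed for this illustration."""
from collections import defaultdict

# Constructed resource sensitivity (higher = more damaging if misused)
RESOURCE_SENSITIVITY = {
    "payroll_db": 5, "customer_pii": 5, "source_repo": 4,
    "ticketing": 2, "wiki": 1,
}

# Constructed access attributes: the resources each user can reach
USER_ACCESS = {
    "alice": {"wiki", "ticketing"},
    "bob": {"wiki", "ticketing", "customer_pii"},
    "carol": {"wiki", "source_repo"},
    "dave": {"wiki", "ticketing", "customer_pii"},
    "erin": {"wiki", "payroll_db", "customer_pii"},
}

# Constructed role attribute, used to find access that is unusual for a role
USER_ROLE = {"alice": "support", "bob": "support", "dave": "support",
             "carol": "engineering", "erin": "hr"}


def group_by_access(user_access):
    """Attribute-based grouping: users with identical access sets form a group."""
    groups = defaultdict(set)
    for user, resources in user_access.items():
        groups[frozenset(resources)].add(user)
    return groups


def monitoring_priority(user_access, sensitivity, high=4):
    """Rank access groups that reach at least one high-risk resource.
    Returns [(score, [high_risk_resources], [users]), ...], highest first."""
    ranked = []
    for resources, users in group_by_access(user_access).items():
        high_res = sorted(r for r in resources if sensitivity.get(r, 0) >= high)
        score = sum(sensitivity[r] for r in high_res)
        if score > 0:
            ranked.append((score, high_res, sorted(users)))
    ranked.sort(key=lambda t: (-t[0], t[2]))
    return ranked


def excess_access(user_access, user_role):
    """Least-privilege check: for each role, the baseline is the set of
    resources every member of the role can reach; a user's excess is what
    they can reach beyond that baseline."""
    members = defaultdict(list)
    for user, role in user_role.items():
        members[role].append(user)
    baseline = {role: set.intersection(*(user_access[u] for u in users))
                for role, users in members.items()}
    return {user: user_access[user] - baseline[user_role[user]]
            for user in user_access}


if __name__ == "__main__":
    for score, high_res, users in monitoring_priority(USER_ACCESS, RESOURCE_SENSITIVITY):
        print(score, high_res, users)
    print({u: sorted(x) for u, x in excess_access(USER_ACCESS, USER_ROLE).items() if x})
```

The ranking tells the security team where to spend monitoring effort first; the excess-access check is the complementary least-privilege question, why a support user holds customer PII access that the role as a whole does not need.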
Another approach to mitigating insider threat caused by misused access privileges is Identity and Access Management (IAM). IAM is the implementation of centralized, automated controls that enforce security policies by monitoring employee and third-party access to and use of sensitive data in real time across multiple databases in different locations. IAM uses internal auditing to determine, among the stakeholders, which information most needs protection and what kind of database application stores it. Once sensitive data has been defined, stakeholders must agree on that common definition. The data is then tagged and consolidated on centralized servers protected by encryption and physical security measures. IAM applies digital rights management technology to control whether this information can be transferred out of the server, while balancing employees' need to complete their job responsibilities.
Insiders have a significant advantage over external attackers because they can bypass the physical and logical security measures designed to prevent unauthorized access. Most insider attackers are aware of this advantage, including the vulnerabilities in internal controls, systems, and networks. Employees have realized that control mechanisms such as firewalls, intrusion detection systems, and electronic building-access systems are usually geared toward defending against external threats. The risk of unauthorized access within the organization may be mitigated by the honey pot approach, a relatively new strategy for dealing with insider threat. Fictitious data such as credit card numbers, social security numbers, and documents are placed in the 'honey pot' to attract unauthorized access. Access attempts are recorded and then followed by punitive managerial decisions.
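The honey pot approach above, as an added example that is not from the presentation: decoy customer records with Luhn-valid but fictitious card numbers are planted among real-looking rows, and any query whose result set contains a decoy produces an alert naming the user who ran it. The record layout, names, test card numbers, user names and the random seed are assumptions made for the illustration.

```python
"""Added example, not part of the presentation: planting decoy records
among real-looking customer rows and alerting on any query whose result
set contains one.  The decoy card numbers are generated to pass the Luhn
check so they are not obviously fake.  Record layout, names, users and
the seed are constructed for this illustration; no real data is used."""
import random


def luhn_valid(number):
    """Standard Luhn check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """Check digit that makes partial + digit pass luhn_valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # doubled positions once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_decoy_card(rng, prefix="4"):
    """16-digit Luhn-valid number with an assumed prefix."""
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(14))
    return body + luhn_check_digit(body)


def plant_decoys(records, n, seed=2011):
    """Return (records + n decoys, set of decoy ids); deterministic by seed."""
    rng = random.Random(seed)
    out = list(records)
    decoy_ids = set()
    for i in range(n):
        rid = f"D{i:04d}"
        out.append({"id": rid, "name": f"Decoy Customer {i}", "card": make_decoy_card(rng)})
        decoy_ids.add(rid)
    return out, decoy_ids


# Constructed real-looking rows (industry test card numbers, not real accounts)
REAL_RECORDS = [
    {"id": "C0001", "name": "Customer One", "card": "4111111111111111"},
    {"id": "C0002", "name": "Customer Two", "card": "5500000000000004"},
]


class DecoyMonitor:
    """Wraps record access; a result set that includes a decoy raises an alert."""

    def __init__(self, records, decoy_ids):
        self.records = records
        self.decoy_ids = decoy_ids
        self.alerts = []

    def query(self, user, predicate):
        rows = [r for r in self.records if predicate(r)]
        hits = [r["id"] for r in rows if r["id"] in self.decoy_ids]
        if hits:
            self.alerts.append({"user": user, "decoys": hits, "rows_returned": len(rows)})
        return rows


if __name__ == "__main__":
    records, decoys = plant_decoys(REAL_RECORDS, 3)
    mon = DecoyMonitor(records, decoys)
    mon.query("alice", lambda r: r["id"] == "C0001")   # ordinary lookup: no alert
    mon.query("bob", lambda r: True)                    # bulk dump: touches decoys
    print(mon.alerts)
```

Two practical caveats: the decoy records must be excluded from every legitimate business process (billing, exports, reports), otherwise the first honest batch job fires the alarm; and an alert is grounds for an investigation, not for the punitive decision by itself, since a misconfigured query or a mistaken click can touch a decoy too.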
According to the Insider Threat Study, insiders held a variety of positions in their organizations; there was no single type of high-risk attacker. Contrary to the perception that the IT department is the most likely to snoop on confidential information, it should be stressed that insider threat is not exclusive to IT personnel, because employees in general are now more technologically savvy. The employee screening process should include the best available criminal history records. To ensure accuracy, organizations can standardize the presentation of these records or hire an external agency for screening. However, background checks will not completely remove insider threat, as most attackers come to the organization without a criminal record. Hence, screening is not a standalone process and is only effective when complemented by other security measures.
However, there are general traits by which high-risk employees can be identified, though security professionals should not generalize from these traits and should use them only as a reference. When hiring, employers should refer to the characteristics of a risk indicator and a risk mitigator, as these show an employee's potential to conduct an insider attack. Organizations should also look for competencies such as accountability and integrity to build a secure workforce.
Many organizations today have siloed physical and information system architectures. Integrating and coordinating physical and cyber infrastructure and assets is expensive, so companies shy away from the investment, which increases the risk of combined fraud and theft of these assets. The risk is further increased when organizations do not know how much data they have: for instance, only 18% of the 150 IT security professionals surveyed were certain of the exact number of sensitive files in their organizations. Since maintaining this data creates significant collection and storage costs and carries large potential legal liabilities, companies should conduct data inventory projects and modify their systems architecture toward a leaner data inventory, reducing both cost and legal risk. The recommended data inventory project comprises the following steps: (1) take inventory of sensitive files, (2) accurately record their location on the server, and (3) keep track of access rights to these files. By doing so, the organization can guard against insider threat through timely detection of the addition, removal, and improper access of sensitive data. Note that a comprehensive data inventory project must be carried out before an adverse event in order to maximize its benefits.
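The three inventory steps above, carried out in code as an added example that is not part of the presentation: the scan finds files containing a sensitive pattern (an assumed SSN-like regex), records each file's location, SHA-256 content hash and permission bits, and a diff of two snapshots reports added, removed, modified and permission-changed files as well as copies of the same content. The directory tree, file contents and pattern are constructed inside a temporary directory; nothing real is read.

```python
"""Added example, not part of the presentation: a minimal data-inventory
scan (location, content hash, access rights of every file holding a
sensitive pattern) and a diff between two snapshots that reports added,
removed, modified and permission-changed files and duplicated content.
The directory tree, file contents and the SSN-like pattern are
constructed inside a temporary directory for this illustration."""
import hashlib
import os
import re
import stat
import tempfile
from collections import defaultdict

# Assumed marker of sensitive content: a US-style SSN, ddd-dd-dddd
SENSITIVE_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def inventory(root):
    """Steps 1-3 of the inventory: {relative_path: {"sha256", "mode"}}
    for every file under root whose content matches SENSITIVE_RE."""
    inv = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            if not SENSITIVE_RE.search(data):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            inv[rel] = {"sha256": hashlib.sha256(data).hexdigest(),
                        "mode": stat.S_IMODE(os.stat(full).st_mode)}
    return inv


def diff_inventory(old, new):
    """What changed between two snapshots."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in both if old[p]["sha256"] != new[p]["sha256"]),
        "perm_changed": sorted(p for p in both if old[p]["mode"] != new[p]["mode"]),
    }


def world_readable(inv):
    """Sensitive files whose mode grants read access to 'other'."""
    return sorted(p for p, meta in inv.items() if meta["mode"] & stat.S_IROTH)


def duplicates(inv):
    """Paths sharing a content hash: sensitive data copied elsewhere."""
    by_hash = defaultdict(list)
    for path, meta in inv.items():
        by_hash[meta["sha256"]].append(path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def demo():
    """Build a constructed tree, take a snapshot, simulate an insider copying
    a sensitive file and loosening its permissions, and take a second one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "hr"))
        payroll = os.path.join(root, "hr", "payroll.txt")
        with open(payroll, "w") as f:
            f.write("employee 123-45-6789 salary 1000\n")   # constructed data
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("nothing sensitive here\n")
        os.chmod(payroll, 0o600)
        before = inventory(root)

        copy = os.path.join(root, "tmp_copy.txt")
        with open(payroll, "rb") as src, open(copy, "wb") as dst:
            dst.write(src.read())
        os.chmod(copy, 0o644)
        os.chmod(payroll, 0o644)
        after = inventory(root)
        return before, after, diff_inventory(before, after), world_readable(after), duplicates(after)


if __name__ == "__main__":
    before, after, changes, exposed, dups = demo()
    print(changes)
    print("world-readable:", exposed)
    print("copies:", dups)
```

Running the scan on a schedule and diffing against the previous snapshot gives the timely detection of additions, removals and improper access that the inventory project aims at; in a real deployment the snapshot (hashes and permission records) must itself be stored where the users being monitored cannot alter it.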
In addition to the data inventory project, companies should implement a data-centric policy that focuses managers, auditors, and the other parties involved on securing data in a mobile environment.
The trend toward globalization has increased insider risk in multinational operating environments, especially where these environments lack guidance on protecting against insider threats. Current research studies lack validity in international environments. Globalization also complicates the issue of trust and of technology and business-process collaboration. Insider risk in virtual work environments is increased because many organizations still rely on policies and manual controls to review user administration, segregation of duties, and so on. However, there is a lack of tested, practical strategies for minimizing insider threat in these 'cloud-based' work environments.
Managing insider threat should be a priority, especially for C-suite executives, as they are the ones responsible for instituting a security-conscious tone at the top. There are best-practice guidelines and various management strategies that small to large organizations can use to establish policies and control procedures addressing these risk factors. This concludes my presentation. Thanks for listening.
Blades, M. (2010, November). The Insider Threat. Security Technology Executive, 20(9), 32-33, 35-37. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2233949191).
Nunn-Price, J. (2010, October). Public job cuts increase insider threat. Computer Weekly, 12. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2198713041).
Chaudhary, Rajendra. (2009, August). The problem of insider threat exists within every organization. Express Intelligent Enterprise. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1949260831).
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems: Special Issue: Behavioral and Policy Issues in Information, 18(2), 101-105. Retrieved May 9, 2011, from ABI/INFORM Global. (Document ID: 1751536561).
Loch, K.D., Carr, H.H., & Warkentin, M.E. (1992). Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly, 16(2), 173-186.
Secure Computing IT Director survey reveals "insider threats" as biggest organizational concern. (2008, June 12). Al Bawaba. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1493428881).
Aldhizer III, George R. "The Insider Threat." Internal Auditor 65.2 (2008): 71-73. Business Source Complete. EBSCO. Web. 9 May 2011.
Fyffe, G. (2008). Addressing the insider threat. Network Security, 2008(3), 11-14. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1574237321).
Mike Heck. (2007, February). Surveying the Insider Threat Detection Landscape. InfoWorld, 29(8), 39. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1229181051).
Moscaritolo, Angela. "Verizon Report Finds Less Shrewd Attacks but More Breaches." SC Magazine (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=SCMAGA0020110420e74j00001&pp=1&fcpil=en&napc=S&sa_from=>.
"Data Security; More Than Half of IT Security Professionals Are Unsure Where Sensitive Files Are Located." Information Technology Newsweekly 131 (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=INTEWK0020110415e74j0003e&pp=1&fcpil=en&napc=S&sa_from=>.
Noonan, Thomas, and Edmund Archuleta. "The National Infrastructure Advisory Council's Final Report and Recommendation - The Insider Threat to Critical Infrastructures." Department of Homeland Security. Web. 9 May 2011. <http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf>.
Stolfo, Salvatore J., et al. (eds.). Workshop on Insider Attack and Cyber Security (1st: 2007: Washington, D.C.). New York: Springer, c2008.
Randazzo, Marisa, Michelle Keeney, Eileen Kowalski, Dawn Cappelli, and Andrew Moore. "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector." Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2005. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/reports/04tr021.cfm>.
"An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases." Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2011. Web. 3 May 2011. <http://www.cert.org/archive/pdf/11tn006.pdf>.
Cappelli, Dawn, Andrew Moore, and Timothy Shimeall. "Protecting against Insider Threat." Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymatters200702.cfm>.
Cappelli, Dawn; Moore, Andrew; & Shimeall, Timothy. Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition. Pittsburgh, PA: Carnegie Mellon University CyLab, 2005.
DeZabala, Ted. "Lock It Up or Set It Free? A Risk Intelligent Approach to Data and Intellectual Property." Enterprise Risk Services. Issue 6. Deloitte, 2010. Web. 3 May 2011. <http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Deloitte%20Review/US_deloittereview_Lock_It_Up_Or_Set_It_Free_Jan10.pdf>.
Grant, Ian. "RSA 2008: Spot the Warning Signs of Insider Attacks." Computer Weekly, 2008. Web. 3 May 2011. <http://www.computerweekly.com/Articles/2008/04/10/230233/RSA-2008-spot-the-warning-signs-of-insider-attacks.htm>.
Gelles, Michael, David Brant, and Brian Geffert. "Building a Secure Workforce: Guard against Insider Threat." Enterprise Risk Services. Deloitte, 2008. Web. 3 May 2011.
Westby, Jody, and Julia Allen. "Governing for Enterprise Security (GES)." Software Engineering Institute of Carnegie Mellon University., 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/download-report.cfm?pdf_name=07tn020.pdf&download=true>.
Goodchild, Joan. "What Security Can Learn from the $15M Sprint Employee Breach." CSO Magazine Online, 2010. Web. 3 May 2011. <http://www.csoonline.com/article/609363/what-security-can-learn-from-the-15m-sprint-employee-breach?source=rss_wireless_mobile_security>.
Datardina, Malik, and Gerald Trites. "CICA." Whitepaper: Data-centric Security (2009). Google Scholar. Web. 24 May 2011. <http://www.cica.ca/research-and-guidance/it-advisory-committee/publications/item33711.pdf>.
Justin Myers, Michael R. Grimaila, and Robert F. Mills. 2009. Towards insider threat detection using web server logs. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, Article 54, 4 pages. DOI=10.1145/1558607.1558670 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558670
Michael D. Carroll. 2006. Information security: examining and managing the insider threat. In Proceedings of the 3rd annual conference on Information security curriculum development (InfoSecCD '06). ACM, New York, NY, USA, 156-158. DOI=10.1145/1231047.1231082 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1231047.1231082
William R. Claycomb and Dongwan Shin. 2010. Detecting insider activity using enhanced directory virtualization. In Proceedings of the 2010 ACM workshop on Insider threats (Insider Threats '10). ACM, New York, NY, USA, 29-36. DOI=10.1145/1866886.1866894 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1866886.1866894
Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates. 2008. We have met the enemy and he is us. In Proceedings of the 2008 workshop on New security paradigms (NSPW '08). ACM, New York, NY, USA, 1-12. DOI=10.1145/1595676.1595678 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1595676.1595678
Ignacio J. Martinez-Moyano, Eliot Rich, Stephen Conrad, David F. Andersen, and Thomas R. Stewart. 2008. A behavioral theory of insider-threat risks: A system dynamics approach. ACM Trans. Model. Comput. Simul. 18, 2, Article 7 (April 2008), 27 pages. DOI=10.1145/1346325.1346328 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1346325.1346328
Clive Blackwell. 2009. A security architecture to protect against the insider threat from damage, fraud and theft. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, Article 45, 4 pages. DOI=10.1145/1558607.1558659 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558659
Dattatreya, Yesh. "Building an Enterprise Security Program in Ten Simple Steps." CIO.com. 15 Oct. 2008. Web. 30 June 2011.
"Email Best Practices." WVU Office of Information Technology. West Virginia University. Web. 30 June 2011. <http://oit.wvu.edu/email/bestpractices/>.