I have been asked several times to refresh the content of my 2013 presentation on this topic. While much of the core principles remain the same, I have provided some additional resources to consider for those that are looking to develop an Insider Threat Program.
Accidental Insider Threat - 2018 Version
1. DR. SHAWN P. MURRAY, C|CISO, CISSP, CRISC, FITSP-A
The Accidental Insider Threat: Is Your Organization Prepared?
President & Chief Academic Officer, Murray Security Services
Presented for the Pikes Peak Small Business Development Center
December 14, 2018
2. Insider Threat – EO-13587
The October 2011 Presidential Executive Order 13587, titled “Structural
Reforms to Improve the Security of Classified Networks and the Responsible
Sharing and Safeguarding of Classified Information”, mandates that every
agency and federal government systems integrator implement an insider
threat detection and prevention program by the end of 2013.
This was further reinforced by a presidential memorandum in November 2012 directing
federal agencies to deploy monitoring systems that meet prescribed standards. “One
way to increase the chance of catching a malicious employee is to examine
relevant information regarding suspicious or anomalous behavior of those whose
jobs cause them to access classified information,” a White House spokeswoman
commented. Given this new government-wide mandate, it is paramount that
government agencies take insider threats seriously.
Source: http://www.cataphora.com/markets/government/
3. Insider Threat
Who is the Malicious Insider Threat?
Disgruntled employees
➢ Passed over for raise or promotion
➢ Poor work or home environment
Former disgruntled employees
➢ Fired from the company, holds animosity to company or personnel
Behavior addictions
➢ Drugs
➢ Gambling
Collusion – two or more employees acting together
Social engineers
➢ Use tactics to gain access to resources they don’t have access to or
need. Can steal other users’ credentials…
4. Insider Threat
Objectives of the Malicious Insider Threat:
Target individuals they perceive to have wronged them
Introduction of viruses, worms, trojans or other malware
Theft of information or corporate secrets
Theft of money
The corruption or deletion of data
The altering of data to produce inconvenience or false
criminal evidence
Theft of the identities of specific individuals in the enterprise
6. Insider Threat
For the Malicious Insider Threat, we need to be able to:
Detect malicious insider activity
Attribute activity to users
Provide NETOPS tools to track down anomalies
Allow Security Operations to foresee events through continuous
monitoring
Execute an effective incident response capability
Determine new ways to combat cyber threats
8. Insider Threat
Who is an Accidental Insider Threat?
IT Personnel
Contractors/Consultants
All employees
Security Personnel – exhibit bad habits
Executive Management
Clients/Customers
RISKY USERS - In this year’s survey, privileged IT
users, such as administrators with access to
sensitive information, pose the biggest insider
threat (60 percent).
This is followed by contractors and consultants (57
percent), and regular employees (51 percent).
2017 Insider Threat Study
Haystax Technology
9. Insider Threat
Who is an Accidental Insider Threat?
All employees – exhibit bad habits
➢ Passwords left on screens, under keyboards
➢ Tailgating into restricted areas, loss of accountability
➢ Using their computers to surf the web or communicate personal e-mail
➢ Bringing personal computing devices to work (laptops, PDAs, Smart Phones & Tablets)
➢ Failing to follow OPSEC
➢ Social Engineering – Phone calls from imposters, Phishing Emails, etc.
IT Personnel - Create vulnerabilities by:
➢ Having group accounts
➢ Not enforcing separation of duties
➢ Creating scripts or back doors for convenience
➢ Not changing default passwords
Security Personnel – exhibit bad habits
➢ Deviate from security practices they are required to enforce
Executive Management
10. Insider Threat
To Reduce the Risk for the Accidental Insider
Threat, we need to be able to:
Provide sound policies that articulate specific behavior
expectations in Acceptable Use Policies
Educate and Train all personnel on exhibiting good habits
Set the example: Management and Security personnel alike
Provide constant awareness
Institute a mechanism to report suspicious behavior
Audit or assess your program!
11. Insider Threat - Policies
Reduce the Risk for the Accidental Insider Threat:
Provide sound policies that articulate specific behavior expectations
Good policies have the following elements
✓ Introduction – State the purpose of the policy (Acceptable Use)
✓ Scope – Who does the policy apply to? (Everyone, IT personnel, GSU)
✓ Details – Here is where you state the specific elements of the policy.
✓ Accountability Statement – This is where you articulate who will be responsible for
implementing the policy (Managers/Supervisors) and the ramifications for not adhering to
the policy: “Deviations from this policy will be handled promptly and may include disciplinary
action up to and including termination”.
✓ Policy Owner – The final section articulates the policy owner, date and version of the policy.
Policies should be coordinated with all stakeholders
➢ Human Resources
➢ Legal Department
➢ Security Personnel
➢ Management
Policies should be specific and enforceable
Policies should be updated periodically
Employees should acknowledge policies with a signature and date
12. Insider Threat - Training
Reduce the Risk for the Accidental Insider Threat:
Educate and Train all personnel on exhibiting good habits &
behavior
Computer based – Internal/External (DSS/DISA, Cybrary, SocialEngineer.org)
Develop in house programs
External training & conferences
Provide periodically (monthly, biannually, annually)
Focus training to the target audience
➢ All personnel
➢ IT Personnel
➢ Security Personnel
Assess the training material for currency and effectiveness!
➢ Update periodically
➢ Provide Examples (real world events or case studies)
13. Insider Threat - Awareness
Reduce the Risk for the Accidental
Insider Threat:
Provide constant awareness
Reward incentives
Periodic e-mails
Posters – common areas
➢ Break rooms
➢ Rest rooms
➢ Specific work areas
➢ Hallways
14. Insider Threat - Audit
Reduce the Risk for the Accidental
Insider Threat:
Audit or assess your program!
Periodic (at least annually)
Have an external audit (DSS/another facility’s FSO,
commercial vendor, SBDC Cyber Consultant)
Correct deficiencies & if necessary realign resources
If you don’t have one, establish a budget and justify
requirements
15. Insider Threat
For the Accidental Insider Threat, we need to
be able to:
Detect malicious insider activity
Attribute activity to users
Provide NETOPS tools to track down anomalies
Allow Security Operations to foresee events through continuous
monitoring
Execute an effective incident response capability
Determine new ways to combat cyber threats
16. For IT Managers & IT Security
Professionals
• Least Privilege & Need to Know
• Segregation of Duties
• Appropriate Access Controls – RBAC and/or ABAC are preferred
• Defense in Depth
✓ Technical Controls
✓ Preventive Controls
✓ Detective Controls
✓ Corrective Controls
✓ Deterrent Controls
• Risk-Control Adequacy
18. Additional Resources
The Accidental Insider Threat: Is Your Organization Ready?
This panel of industry experts explored the threats posed by “accidental
insiders”— individuals who are not maliciously trying to cause harm, but
can unknowingly present a major risk to an organization and its
infrastructure.
Aired on Federal News Radio October 2, 2012 at 12:00 PM ET
Raynor Dahlquist, Booz Allen Hamilton, Panel Moderator
Tom Kellermann, Trend Micro
Angela McKay, Microsoft
Michael C. Theis, CERT Insider Threat Center
http://www.federalnewsradio.com/262/3054242/The-Accidental-Insider-Threat-Is-Your-Organization-Ready
19. Additional Resources
Advanced Persistent Threat (APT) and Insider Threat
http://cyber-defense.sans.org/blog/2012/10/23/advanced-persistent-threat-apt-and-insider-threat
Insiders and Insider Threats - An Overview of Definitions and Mitigation Techniques
http://isyou.info/jowua/papers/jowua-v2n1-1.pdf
The Accidental Insider Threat – A White Paper
Dr. Shawn P. Murray, Jones International University, 2014
Insider Attacks – 2017, an Insider Threat Study
https://haystax.com/blog/whitepapers/insider-attacks-industry-survey/
Social-Engineer.Org website
https://www.social-engineer.org/
FBI
https://www.fbi.gov/
NATIONAL INSIDER THREAT TASK FORCE RELEASES INSIDER THREAT PROGRAM MATURITY FRAMEWORK
https://www.dni.gov/index.php/newsroom/press-releases/item/1920-national-insider-threat-task-force-releases-insider-threat-program-maturity-framework