The Accidental Insider Threat

Dr. Shawn P. Murray was invited back to the National Security Institute in April 2013 to speak on a familiar topic, but with a new focus. The accidental insider threat is becoming more of a concern for companies today. Dr. Murray is a Cyber Security Professional and has worked in various Information Assurance and Information Technology Security positions for many years.

Published in: Technology, Business

  1. The Accidental Insider Threat: Is Your Organization Prepared?
     Dr. Shawn P. Murray, C|CISO, CISSP, CRISC, FITSP-A
     National Security Institute – IMPACT 2013 Conference
  2. Insider Threat – EO-13587
     The October 2011 Presidential Executive Order 13587, titled “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information”, mandates that every agency and federal government systems integrator implement an insider threat detection and prevention program by the end of 2013. This was further reinforced by a presidential memorandum in November 2012 directing federal agencies to deploy monitoring systems that meet prescribed standards. “One way to increase the chance of catching a malicious employee is to examine relevant information regarding suspicious or anomalous behavior of those whose jobs cause them to access classified information,” a White House spokeswoman commented. Given this new governmentwide mandate, it is paramount that government agencies take insider threats seriously.
     Source: http://www.cataphora.com/markets/government/
  3. Insider Threat: Who is the Malicious Insider Threat?
     • Disgruntled employees
         • Passed over for raise or promotion
         • Poor work or home environment
     • Former disgruntled employees
         • Fired from the company, holds animosity to company or personnel
     • Behavior addictions
         • Drugs
         • Gambling
     • Collusion – two or more employees acting together
     • Social engineers – use tactics to gain access to resources they don’t have access to or need. Can steal other users’ creds…
  4. Insider Threat: Objectives of the Malicious Insider Threat
     • Target individuals that did them wrong
     • Introduction of viruses, worms, trojans or other malware
     • Theft of information or corporate secrets
     • Theft of money
     • The corruption or deletion of data
     • The altering of data to produce inconvenience or false criminal evidence
     • Theft of the identities of specific individuals in the enterprise
  5. Insider Threat: Elements leading up to a Malicious Insider attack (figure; source: www.cert.org)
  6. Insider Threat: For the Malicious Insider Threat, we need to be able to:
     • Detect malicious insider activity
     • Attribute activity to users
     • Provide NETOPS tools to track down anomalies
     • Allow Security Operations to foresee events through continuous monitoring
     • Execute an effective incident response capability
     • Improve Mission Assurance
     • Determine new ways to combat cyber threats
  7. Insider Threat: Who is an Accidental Insider Threat?
     • All employees – exhibit bad habits
         • Passwords left on screens, under keyboards
         • Tailgating into restricted areas, loss of accountability
         • Using their computers to surf the web or communicate personal e-mail
         • Bring personal computing devices to work (laptops, PDAs, Smart Phones & Tablets)
         • Failing to follow OPSEC
         • Social Engineering – phone calls from imposters, phishing emails, etc.
     • IT Personnel – create vulnerabilities by:
         • Having group accounts
         • Separation of duties
         • Create scripts or back doors for conveniences
         • Don’t change default passwords
     • Security Personnel – exhibit bad habits
         • Deviate from security practices they are required to enforce
     • Executive Management
  8. Insider Threat: To Reduce the Risk for the Accidental Insider Threat, we need to be able to:
     • Provide sound policies that articulate specific behavior expectations in Acceptable Use Policies
     • Educate and train all personnel on exhibiting good habits
     • Set the example: Management and Security personnel alike
     • Provide constant awareness
     • Institute a mechanism to report suspicious behavior
     • Audit or assess your program!
  9. Insider Threat - Policies
     Reduce the Risk for the Accidental Insider Threat: Provide sound policies that articulate specific behavior expectations
     • Good policies have the following elements
         • Introduction – State the purpose of the policy (Acceptable Use)
         • Scope – Who does the policy apply to? (Everyone, IT personnel, GSU)
         • Details – Here is where you state the specific elements of the policy.
         • Accountability Statement – This is where you articulate who will be responsible for implementing the policy (Managers/Supervisors) and the ramifications for not adhering to the policy: “Deviations from this policy will be handled promptly and may include disciplinary action up to and including termination”.
         • Policy Owner – The final section articulates the policy owner, date and version of the policy.
     • Policies should be coordinated with all stakeholders
         • Human Resources
         • Legal Department
         • Security Personnel
         • Management
     • Policies should be specific and enforceable
     • Policies should be updated periodically
     • Employees should acknowledge policies with a signature and date
  10. Insider Threat - Training
      Reduce the Risk for the Accidental Insider Threat: Educate and Train all personnel on exhibiting good habits & behavior
      • Computer based – Internal/External (DSS/DISA, Others)
      • Develop in house programs
      • External training & Conferences
      • Provide periodically (monthly, biannually, annually)
      • Gear training to the audience
          • All personnel
          • IT Personnel
          • Security Personnel
      • Assess the training material for currency and effectiveness
          • Update
          • Provide Examples (real world events or case studies)
  11. Insider Threat - Awareness
      Reduce the Risk for the Accidental Insider Threat: Provide constant awareness
      • Reward incentives
      • Periodic e-mails
      • Posters – common areas
          • Break rooms
          • Rest rooms
          • Specific work areas
          • Hallways
  12. Insider Threat - Audit
      Reduce the Risk for the Accidental Insider Threat: Audit or assess your program!
      • Periodic
      • Have an external audit (DSS/another facility’s FSO)
      • Correct deficiencies & if necessary realign resources
      • If you don’t have one, establish a budget and justify requirements
  13. Insider Threat: For the Accidental Insider Threat, we need to be able to:
      • Detect malicious insider activity
      • Attribute activity to users
      • Provide NETOPS tools to track down anomalies
      • Allow Security Operations to foresee events through continuous monitoring
      • Execute an effective incident response capability
      • Improve Mission Assurance
      • Determine new ways to combat cyber threats
  14. For IT Managers & IT Security Professionals
      • Least Privilege
      • Segregation of Duties
      • Defense in Depth
      • Technical Controls
      • Preventive Controls
      • Detective Controls
      • Corrective Controls
      • Deterrent Controls
      • Risk-Control Adequacy
      • Use Choke Points
  15. Additional Resources
      The Accidental Insider Threat: Is Your Organization Ready?
      • This panel of industry experts explored the threats posed by “accidental insiders”: individuals who are not maliciously trying to cause harm, but can unknowingly present a major risk to an organization and its infrastructure.
      • Aired on Federal News Radio October 2, 2012 at 12:00 PM ET
      Panel:
      • Raynor Dahlquist, Booz Allen Hamilton, Panel Moderator
      • Tom Kellermann, Trend Micro
      • Angela McKay, Microsoft
      • Michael C. Theis, CERT Insider Threat Center
      http://www.federalnewsradio.com/262/3054242/The-Accidental-Insider-Threat-Is-Your-Organization-Ready
  16. Additional Resources
      • Advanced Persistent Threat (APT) and Insider Threat
        http://cyber-defense.sans.org/blog/2012/10/23/advanced-persistent-threat-apt-and-insider-threat
      • Insiders and Insider Threats - An Overview of Definitions and Mitigation Techniques
        http://isyou.info/jowua/papers/jowua-v2n1-1.pdf
      • The Accidental Insider Threat – A White Paper, Dr. Shawn P. Murray, Jones International University (available on the NSI website)
  17. Questions?