Developing Your Insider Threat Program: Insider Threat Best Practices


Published on

Developing Your Insider Threat Program: Insider Threat Best Practices presented at The National Security Supply Chain: Reducing the Vulnerabilities meeting by the Government Technology & Services Coalition (GTSC)

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Here are the priorities for putting your plan in place
    We’ll discuss each of these in some detail
  • According to ASIS article on Confronting the Insider Threat
  • Developing Your Insider Threat Program: Insider Threat Best Practices

    1. 1. Insider Threat: Best Practices Katherine D. Mills CENTRA Technology, Inc. CENTRA TECHNOLOGY, INC. 1
    2. 2. Threat is Now: Recent Malicious Insiders Major Nidal Hassan – Responsible for shooting at Fort Hood Texas Bradley Manning – Unauthorized disclosure to WikiLeaks Edward Snowden – Unauthorized disclosure of NSA surveillance programs Aaron Alexis – Responsible for shooting at the Washington Navy Yard CENTRA TECHNOLOGY, INC. 2
    3. 3. Why Consider Insider Threat?  Protect national security and corporate assets – We don’t want to be in the news  Will be required by Government – Changes to NISPOM – Required by Sponsors  Want to ensure we are taking positive steps to protect our company and assets CENTRA TECHNOLOGY, INC. 3
    4. 4. How to Begin…  Do your research: Tons of free resources available – CERT • Common Sense Guide to Mitigating Insider Threats – DSS • Insider threat video and brochures – FBI website and movie “Betrayed” – ONCIX website – ASIS • “Detecting the Insider Threat,” October 2013 CENTRA TECHNOLOGY, INC. 4
    5. 5. Steps  Team  Assets  Procedures  Awareness  Document plan CENTRA TECHNOLOGY, INC. 5
    6. 6. Step 1: Identify the Team  Identify team members who understand and can contribute to the mission: – – – – COO HR Security IT  Who will be responsible for: – – – – Drafting the plan Reporting to sponsors and Government Bi-monthly meetings Budget approval CENTRA TECHNOLOGY, INC. 6
    7. 7. Step 2: Understand Your Assets Conduct a risk assessment Talk to management about assets – What are the corporate jewels? – Are they currently protected? – How sensitive are they? • What is the risk if they are leaked? – Who has access to the information? CENTRA TECHNOLOGY, INC. 7
    8. 8. Step 3: Tighten Up Procedures  Tighten procedures – Termination procedures – Unclassified data handling and access  Document expectations to staff  Violation policy CENTRA TECHNOLOGY, INC. 8
    9. 9. Step 4: Security Education  Free cartoons, brochures, articles available – No need to reinvent the wheel!  Incorporate insider threat into annual refresher training  Monthly security news item on reporting  Updated current policies – Acceptable Use Policy  Ensure staff understand reporting; make it easy for staff to report confidentially CENTRA TECHNOLOGY, INC. 9
    10. 10. Step 5: Draft a Plan  Document what you have learned  Steps 1-4: – – – – Team What are assets and overall risk What procedures have been impacted Security education program  Work-in-progress CENTRA TECHNOLOGY, INC. 10
    11. 11. Confronting the Insider Threat “It is important for each company to identify what an insider threat is and to set a policy in place on how to deal with insider threats. The policies must outline certain types of behavior that warrant scrutiny, disciplinary action, or even termination so that companies have a basis from which to work when they do identify potential threats.” ASIS: October 2013 CENTRA TECHNOLOGY, INC. 11
    12. 12. Encourage Reporting  Encourage employees to report  Provide confidential means of reporting  Staff holding security clearance are required to report adverse information, including potential threats  Trust your instincts, if you see something, say something!  It is better to report something that turns out to be nothing than to not report a serious security issue CENTRA TECHNOLOGY, INC. 12
    13. 13. Detecting the Insider Post incident investigations reveal family, friends, or coworkers notice a suspect’s indicators, but they fail to report concerns “Subjects often tell people close to them what they are doing, and sometimes even engage associates in the process. Former intimates (spouses, lovers, close friends – people with whom they spent a good deal of time) are a potentially important source of information in all investigations.”* *Source: Declassified Director of Central Intelligence Memorandum of 12 April 1990; Subject: Project Slammer Interim Report CENTRA TECHNOLOGY, INC. 13
    14. 14. Threat Indicators  Apparent unexplained affluence or excessive indebtedness  Efforts to conceal foreign contacts, travel, or foreign interests  Access to information or IT systems without need-to-know  Exploitable behavior – criminal activity – excessive gambling – drug or alcohol abuse – problems at work  Questionable judgment or untrustworthiness CENTRA TECHNOLOGY, INC. 14
    15. 15. Threat Indicators, cont.  Apparent mental, emotional or personality disorders(s)  Disgruntled  Working odd or late hours  Unreported foreign travel  Suspicious foreign contacts  Unreported offer of financial assistance, gifts, or favors by a foreign national or stranger  Requesting access to information outside of official job duties including sensitive or classified information CENTRA TECHNOLOGY, INC. 15
    16. 16. Summary of Best Practices  Know your people; recognize concerning behaviors as potential indicators  Protect your “crown jewels”  Pay close attention at termination  Monitor ingress and egress points (IT systems and physical security)  Baseline normal activity and look for anomalies  Work together across organization  Educate employees regarding potential recruitment CENTRA TECHNOLOGY, INC. 16
    17. 17. Sources CENTRA TECHNOLOGY, INC. 17