SlideShare a Scribd company logo

Jason Anthony Smith - thesis short summary v1.0

J
Jason Smith
1 of 7
Download to read offline
Jason Anthony Smith (2014) Mitigating cyber threat from malicious insiders Introduction Employees have a degree of trust invested in them by their employer and have likely been granted physical and logical access to the organisation’s IT systems and information in order to fulfil their in- role duties. Most of these employees are thankfully honest, however there exists the threat that some will abuse their insider position and commit crimes like fraud, theft or IT sabotage against their organisations. Probably the most well-known and notorious insider crime was committed by US Army Soldier Bradley Manning whom, in his role of intelligence analyst, abused legitimately granted access to classified databases and, through WikiLeaks organisation, released the largest set of classified documents ever leaked to the public. This included 250,000 U.S. diplomatic cables and 500,000 other reports relating to the Iraq and Afghan wars. In 2013 he was convicted under the espionage act and sentenced to 35 years confinement. When a roundtable of US government agencies compiled a list of “the hardest and most critical challenges in INFOSEC research that must be addressed for the development and deployment of trustworthy systems for the U.S. Government”, insider threat was ranked as the number two hardest problem behind ‘global scale identity management.’ Figure 1. Malicious insider definition
Jason Anthony Smith (2014) Traditional cyber defence Most implementations of information security management systems, such as the widely adopted ISO17799, are traditionally focused on keeping external attackers at bay by defending the digital perimeter, identity and access management, testing policy compliance, and removing vulnerabilities from systems. In concert with creating a positive security culture, relieving time and work-load pressure, awareness training, and providing usable security tools and processes, these programmes can also alleviate threats from non-malicious insiders who typically cause incidents through user- error and negligence. There may even be pre-employment screening processes and Data Loss Prevention (DLP) deployed, however these programmes remain largely ineffective against malicious insiders. Advanced intelligence-led cyber defence The current digital threat landscape now includes well-resourced sophisticated attackers perpetrating targeted dynamic attacks over long periods of time. These so-called advanced persistent threat (APT) attacks often make use of zero-day exploits, social engineering and other adaptive techniques to get remote hands-on keyboard before ultimately exfiltrating data or completing some other objective. Defending against APT has required organisations to implement a non-traditional approach to defence often using predictive and diagnostic analytics of security intelligence data which has typically been gathered from specialist companies, government agencies, public sources and through private sharing agreements with trusted partners. These approaches to APT defence is unfortunately also ineffective for defence against malicious insider threat. Malicious insiders The sophistication of human beings makes tackling insider threats a difficult problem which requires much more than technology alone. A combination of techniques from the sociological and the socio-technical domains will be required too. People exhibit polymorphous behaviour in that they tend to hide their true emotions from their peers and their behaviour tends to be self-modifying in response to changes in the environment. For example, an insider could wait for an opportune moment to access a system and steal intellectual property and would be sophisticated enough to continually monitor and evaluate the risk of being caught versus the reward of accomplishing the theft. Personality is a dynamic and organised set of characteristics possessed by a person that uniquely influences his or her cognitions, motivations, and behaviours in various situations. It is this intrinsic personality, combined with extrinsic temporal and dynamic factors such as motivation and other external stimuli that form the basis for indicators that may correlate with a higher risk of insider threat. Emotional distress, disappointment, frustration, disgruntlement, introversion, perceived entitlement, lack of empathy and other traits have been discovered to correlate with an increase in
Jason Anthony Smith (2014) the risk of an insider performing illegal acts or being vulnerable to recruitment or manipulation by others. Strong indicators of insider threat risk include disgruntlement, difficulty accepting feedback, anger management, disregard for authority, low performance, stress and confrontational behaviour; whilst weaker indicators include personal issues, self-centredness, dependability and absenteeism. A personal or work related event could be the trigger (an external stimuli) which causes an insider to decide to commit a crime against the organisation that trusts them. This could include being fired, financial pressure, family or marital issues, coercion or recruitment by a third party, or many other events or changes in circumstance. For example, people become affiliated with various organisations of like-minded individuals with similar beliefs, ideologies or causes. These could include religious sects, gangs, clubs, political parties, radical and extremist groups etc. Peer pressure from other members of these groups to commit a crime could cause the trigger point to be reached for a particular individual with a particular personality at a particular time in their life when they were vulnerable. In addition, when an insider crime is being prepared for or is in progress, it’s reasonable to assume there may be observable actions that could give rise to suspicion. For example, the US Defense Security Service regard certain behaviours as reportable including: - Keeping classified materials in an unauthorised location - Removing classification markings from documents - Attempting to conceal foreign travel - Sudden repayment of large debts - Repeated or un-required work outside of normal duty hours The key realisation is that a complex interaction of many factors lead to the malicious insider threat being realised with no single one of the factors being a decisive predictor in its own right. Rather, each extra indicator adds weight to the possibility that an insider is going rogue. The phases of a malicious insider attack An attack can be considered as a sequence of phases, each of which may or may not necessarily be present and which may also overlap with each other during some attacks. Using a phase based model of defence and countermeasure strategy was described in a paper by Lockheed Martin in 2010. In contrast to traditional network defence strategies, which focus upon the vulnerability element of risk, this approach focusses on the threat element of risk. For each moment along the time sequence of the attack there is an opportunity to design countermeasures to monitor and mitigate the threat. This sequence of opportunities is called the ‘kill-chain’. At each phase of the kill-chain, observable data will likely be generated and can be monitored. It may be generated by technical actions taken on systems and electronically captured, or as a result of behaviours and physical actions associated with the insider which may be observed by other people. One or more observable data points might be considered to be an indicator that the threat level of a particular insider is increasing which could lead to a particular intervention or course of action being pursued. The data could be used not just to indicate that an attack is in progress or has succeeded (through diagnostic analytics) but also to warn that the probability of an attack is rising (predictive analytics).
Jason Anthony Smith (2014) As described earlier, threat mitigation can also be directed during each phase of the kill-chain. Specifically, countermeasures can be implemented to ‘deter’ insiders from attempting a particular course of action, ‘deny’ attempts to execute a particular course of action, ‘disrupt’ a particular course of action after it has begun, ‘degrade’ a particular course of action to be less effective or efficient, ‘deceive’ the insider so that they are disadvantaged, or ‘defeat’ the insider such that all future possible courses of action by the insider are of no consequence to the organisation. A characteristics of each phase in a six-phase kill chain model for malicious insider threat is described below and shown graphically in Figure 2. 1. Non-Insider phase o People start off as non-insiders to the organisation, progress to becoming an insider by being granted access, and then commit a crime which causes them to be labelled as a malicious insider. o People may have joined an organisation deliberately intending to the commit the insider crime, or may decide to do so after joining. This choice may have been because of recruitment or coercion by others or it may be self-initiated. o People have intrinsic characteristics and traits which make up their personality. They also have different social and cultural backgrounds, religious and political beliefs. o People may have criminal records and other historic records of past unwanted behaviour in their background. o People have families and friends and also may have associations with many other groups of likeminded individuals or individuals desiring similar actions or outcomes. These associations and these people can influence them. 2. Normal insider phase o A key transition state from non-insider to insider happens when the person is granted access by the organisation as an employee, contractor or business partner. o The mental states of people, whilst not directly observable, are able to be inferred to some degree of accuracy by people interacting with or observing the individuals behaviour and demeanour. o In the course of performing their role, the insider will perform physical actions and technical actions which are observable and will be the basis for the establishment of ‘normality’ o There may be a very short or no normal insider phase, particularly if the insider joined the organisation with the deliberate intent of committing a crime. It may be possible to infer normal technical actions for a role from what peers in the same role do. 3. Tipping point phase o At some point in time there is a tipping point, before which the person is not intending to commit a crime and after which that person has the intention to commit the crime. o The tipping point may have been caused by one or more precipitating events, or triggers, in the persons professional or personal life. o Events happen in people’s personal and professional life continuously which may influence them and change their motivations and outlook. Some of these events will be obvious to the organisation, such as giving the person notice of redundancy, and others will be less visible. o Leading up to the tipping point there may have been a progressive deterioration of trustworthiness of the individual towards the tipping point which resulted in observable behaviour changes. 4. Crime preparation phase
Jason Anthony Smith (2014) o Following the tipping point, in order to accomplish the mission of achieving the crime, the person may need to plan and execute one or more preparatory actions. o Actions and behaviours after the tipping point may be different to those actions and behaviours which were considered normal for the individual before the tipping point. For example, the individual may start hording information or working strange hours. 5. Crime execution phase o The actual criminal act may happen after the person has, or should have had, their access rights removed. E.g. after they are dismissed from the organisation. o There may be opportunities to deter or prevent the person from committing a crime right up until the crime is actually committed. i.e. both before and after the tipping point. o The crime may not be an instantaneous or one-time event. Instead it may execute over a long period of time or be repeated numerous times by the same actor. o Deterrence, detection and prevention may be achieved using technology, process or people controls. 6. Organisation recovery phase o As well as response and recovery from the crime, this phase should give opportunities to perform root cause analysis and feed lessons learned back into the defence system. o Depending on the nature of the crime, the organisation may not ever fully recover.
Jason Anthony Smith (2014) Figure 2. Malicious insider cyber threat kill-chain model A practical 10-step programme for mitigating malicious insider threat Implementing a programme to effectively mitigate malicious insider threat can be complicated, costly and take a long time – but organisations still need to make a start. The paragraphs below describe a programme which incrementally builds organisational capability in 10 practical steps. 1. In the first instance, the threat to the organisation from malicious insiders must be recognised by someone, perhaps the Chief Information Security Officer (CISO), whom is capable of championing its importance to senior executives and establishing support to build a mitigation programme. With senior support, it’s easier to enrol important stakeholders from HR, Legal, Communications, Operational Risk, etc. and form an appropriate governance structure to oversee and steer the programme. 2. A pre-requisite for a mitigation programme focussed on malicious insider threat is a well- functioning traditional Information Security Management System (ISMS) which maintains a baseline security control environment for the organisation. This baseline will likely include processes for risk assessment and treatment; asset management; physical and environmental security; policy and standards maintenance; personnel security; compliance; operational security; business continuity management and disaster recovery, etc. This baseline control environment will serve to protect the organisation from a broad range of threats including compromise by external attackers, and will serve a role in reducing risk from malicious and non-malicious insiders.
Jason Anthony Smith (2014) 3. Extend existing incident response processes so that they are able to properly handle incidents caused by malicious insiders and are able to respond to escalations by staff whom have suspicions of wrong-doing by others. 4. Establish, communicate and enforce acceptable use policies which sufficiently set out the expectations and rules around using the organisations information and systems. Introduce insider threat awareness and training programmes to begin to educate personnel to recognise the threat and respond to it. 5. Taking a risk based approach depends upon ensuring that the critical assets of the organisation are discovered and agreed. In particular understand the location and flow of sensitive or valuable information including intellectual property or information where there are contractual, legal or regulatory obligations for protection or handling. The systems processing this data should be considered critical as well as any systems which play a critical role in the execution of mission critical business processes. A well run traditional ISMS should already have established the critical assets of the organisation and this should form the starting point for prioritising increased protection against the threat from malicious insiders. 6. Ensure that identity and access management processes are operating efficiently. This means that people are granted least privilege entitlement for access to systems; segregation of duties are checked and enforced; and access changes are made quickly following personnel joining, moving roles within, or leaving the organisation. Pay particular attention to those users with elevated privileges, and as with other measures, in the first instance focus on access which is to critical assets. 7. Introduce vetting processes prior to on-boarding new personnel and negotiate contractual clauses into master services agreements with business partners for a similar level of screening to take place. Focus in the first instance on those people whom will be granted access to critical assets. 8. Consider Data Loss Prevention (DLP) and Information Rights Management (IRM) implementations, especially if exfiltration of sensitive data has been identified as a key risk for the organisation. Consider the introduction of honey-tokens and configure DLP to detect and respond to their discovery in unauthorised locations. 9. Ensure Security Information and Event Monitoring (SIEM) logging and event analysis and correlation processes are properly functioning and establish a baseline of normal network traffic patterns and system usage. 10. Extend the scope of monitoring, logging and auditing to harvest richer data relevant to insider threat including behavioural data and personal event data from HR. Implement data analytics capabilities for prediction and diagnosis of insider incidents. Take particular care and apply real resources to ensure the monitoring teams aren’t overwhelmed by increasingly larger volumes of data each day and the expected benefits get lost in the noise.

Recommended

Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreatAnthony Buenger
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloJohn Intindolo
 
ASIS NYC InT Presentation
ASIS NYC InT PresentationASIS NYC InT Presentation
ASIS NYC InT PresentationDaniel McGarvey
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Phil Legg
 
Airport security 2013 jayne maisey
Airport security 2013 jayne maiseyAirport security 2013 jayne maisey
Airport security 2013 jayne maiseyRussell Publishing
 
Mark Singer, 2nd Cyber Insurance & Incident Response Conference
Mark Singer, 2nd Cyber Insurance & Incident Response ConferenceMark Singer, 2nd Cyber Insurance & Incident Response Conference
Mark Singer, 2nd Cyber Insurance & Incident Response ConferenceStarttech Ventures
 
Grc w22
Grc w22Grc w22
Grc w22SelectedPresentations
 

Recommended

Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreatAnthony Buenger
 
No National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseNo National 'Stand Your Cyberground' Law Please
No National 'Stand Your Cyberground' Law PleaseWilliam McBorrough
 
Research_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloResearch_Paper_ISSC461_Intindolo
Research_Paper_ISSC461_IntindoloJohn Intindolo
 
ASIS NYC InT Presentation
ASIS NYC InT PresentationASIS NYC InT Presentation
ASIS NYC InT PresentationDaniel McGarvey
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Phil Legg
 
Airport security 2013 jayne maisey
Airport security 2013 jayne maiseyAirport security 2013 jayne maisey
Airport security 2013 jayne maiseyRussell Publishing
 
Mark Singer, 2nd Cyber Insurance & Incident Response Conference
Mark Singer, 2nd Cyber Insurance & Incident Response ConferenceMark Singer, 2nd Cyber Insurance & Incident Response Conference
Mark Singer, 2nd Cyber Insurance & Incident Response ConferenceStarttech Ventures
 
Grc w22
Grc w22Grc w22
Grc w22SelectedPresentations
 
Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Roger Johnston
 
Concept of threats and threat environment
Concept of threats and threat environmentConcept of threats and threat environment
Concept of threats and threat environmentUyoyo Edosio
 
Sj terp emerging tech radar
Sj terp emerging tech radarSj terp emerging tech radar
Sj terp emerging tech radarSaraJayneTerp
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...Sara-Jayne Terp
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
Risk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of ageRisk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of ageSara-Jayne Terp
 
NumaanHuq_Hackfest2015
NumaanHuq_Hackfest2015NumaanHuq_Hackfest2015
NumaanHuq_Hackfest2015Numaan Huq
 
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...AIIM International
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010Scientia Groups
 
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umarylandSara-Jayne Terp
 
CyberTerrorismACaseOfAliceInWonderland
CyberTerrorismACaseOfAliceInWonderlandCyberTerrorismACaseOfAliceInWonderland
CyberTerrorismACaseOfAliceInWonderlandEnrique J Cordero
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"Ian MacVicar
 
Cyber war
Cyber warCyber war
Cyber warGuro/ Pharmacy muse/ isang mamayan ng PIlipinas/ Social Scientist
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaTechBiz Forense Digital
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformationSaraJayneTerp
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
The Anatomy of an Anonymous Attack
The Anatomy of an Anonymous AttackThe Anatomy of an Anonymous Attack
The Anatomy of an Anonymous AttackImperva
 
Cartografia Tomir 2016
Cartografia Tomir 2016Cartografia Tomir 2016
Cartografia Tomir 2016Miquel Llompart Cànaves
 
The Doel Ships: Ship archaeological Research
The Doel Ships: Ship archaeological ResearchThe Doel Ships: Ship archaeological Research
The Doel Ships: Ship archaeological ResearchOnroerend Erfgoed
 

More Related Content

What's hot

Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Roger Johnston
 
Concept of threats and threat environment
Concept of threats and threat environmentConcept of threats and threat environment
Concept of threats and threat environmentUyoyo Edosio
 
Sj terp emerging tech radar
Sj terp emerging tech radarSj terp emerging tech radar
Sj terp emerging tech radarSaraJayneTerp
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...Sara-Jayne Terp
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
Risk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of ageRisk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of ageSara-Jayne Terp
 
NumaanHuq_Hackfest2015
NumaanHuq_Hackfest2015NumaanHuq_Hackfest2015
NumaanHuq_Hackfest2015Numaan Huq
 
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...AIIM International
 
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umarylandSara-Jayne Terp
 
CyberTerrorismACaseOfAliceInWonderland
CyberTerrorismACaseOfAliceInWonderlandCyberTerrorismACaseOfAliceInWonderland
CyberTerrorismACaseOfAliceInWonderlandEnrique J Cordero
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"Ian MacVicar
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020Jessica Graf
 
2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformationSaraJayneTerp
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
 
The Anatomy of an Anonymous Attack
The Anatomy of an Anonymous AttackThe Anatomy of an Anonymous Attack
The Anatomy of an Anonymous AttackImperva
 

What's hot (20)

Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities
 
Concept of threats and threat environment
Concept of threats and threat environmentConcept of threats and threat environment
Concept of threats and threat environment
 
Sj terp emerging tech radar
Sj terp emerging tech radarSj terp emerging tech radar
Sj terp emerging tech radar
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
2021 IWC presentation: Risk, SOCs and Mitigations: Cognitive Security is Comi...
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
Risk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of ageRisk, SOCs, and mitigations: cognitive security is coming of age
Risk, SOCs, and mitigations: cognitive security is coming of age
 
NumaanHuq_Hackfest2015
NumaanHuq_Hackfest2015NumaanHuq_Hackfest2015
NumaanHuq_Hackfest2015
 
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
[AIIM18] When the C-Suite won't Talk About Cybersecurity: What I know about t...
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland2021-05-SJTerp-AMITT_disinfoSoc-umaryland
2021-05-SJTerp-AMITT_disinfoSoc-umaryland
 
CyberTerrorismACaseOfAliceInWonderland
CyberTerrorismACaseOfAliceInWonderlandCyberTerrorismACaseOfAliceInWonderland
CyberTerrorismACaseOfAliceInWonderland
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"
 
Cyber war
Cyber warCyber war
Cyber war
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020
 
2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation2021 12 nyu-the_business_of_disinformation
2021 12 nyu-the_business_of_disinformation
 
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensExploring the Psychological Mechanisms used in Ransomware Splash Screens
Exploring the Psychological Mechanisms used in Ransomware Splash Screens
 
The Anatomy of an Anonymous Attack
The Anatomy of an Anonymous AttackThe Anatomy of an Anonymous Attack
The Anatomy of an Anonymous Attack
 

Viewers also liked

The Doel Ships: Ship archaeological Research
The Doel Ships: Ship archaeological ResearchThe Doel Ships: Ship archaeological Research
The Doel Ships: Ship archaeological ResearchOnroerend Erfgoed
 
De Kogge – Doel 1: Condition assessment and implementation of the conservatio...
De Kogge – Doel 1: Condition assessment and implementation of the conservatio...De Kogge – Doel 1: Condition assessment and implementation of the conservatio...
De Kogge – Doel 1: Condition assessment and implementation of the conservatio...Onroerend Erfgoed
 
Toelichting erkende archeologen_20161003
Toelichting erkende archeologen_20161003Toelichting erkende archeologen_20161003
Toelichting erkende archeologen_20161003Onroerend Erfgoed
 

Viewers also liked (6)

Cartografia Tomir 2016
Cartografia Tomir 2016Cartografia Tomir 2016
Cartografia Tomir 2016
 
The Doel Ships: Ship archaeological Research
The Doel Ships: Ship archaeological ResearchThe Doel Ships: Ship archaeological Research
The Doel Ships: Ship archaeological Research
 
De Kogge – Doel 1: Condition assessment and implementation of the conservatio...
De Kogge – Doel 1: Condition assessment and implementation of the conservatio...De Kogge – Doel 1: Condition assessment and implementation of the conservatio...
De Kogge – Doel 1: Condition assessment and implementation of the conservatio...
 
Historias de 1º
Historias de 1ºHistorias de 1º
Historias de 1º
 
Vlasteelt Noordoost Friesland
Vlasteelt Noordoost FrieslandVlasteelt Noordoost Friesland
Vlasteelt Noordoost Friesland
 
Toelichting erkende archeologen_20161003
Toelichting erkende archeologen_20161003Toelichting erkende archeologen_20161003
Toelichting erkende archeologen_20161003
 

Similar to Jason Anthony Smith - thesis short summary v1.0

The Evolving Landscape on Information Security
The Evolving Landscape on Information SecurityThe Evolving Landscape on Information Security
The Evolving Landscape on Information SecuritySimoun Ung
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALIJNSA Journal
 
Cyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docxCyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docxrandyburney60861
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxJakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxJakeariesMacarayo
 
Junyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposalJunyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposalJunyan Wu
 
Running Head CYBERSECURITY1CYBERSECURITY 15.docx
Running Head CYBERSECURITY1CYBERSECURITY 15.docxRunning Head CYBERSECURITY1CYBERSECURITY 15.docx
Running Head CYBERSECURITY1CYBERSECURITY 15.docxtodd271
 
A criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative frameworkA criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative frameworkSameer Dasaka
 
ISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloJohn Intindolo
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badbanerjeea
 
Chapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsChapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsAttaporn Ninsuwan
 
Cybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptxCybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptxClintonKelvin
 
This is assignment is a two part questions. Each question needs to b.docx
This is assignment is a two part questions. Each question needs to b.docxThis is assignment is a two part questions. Each question needs to b.docx
This is assignment is a two part questions. Each question needs to b.docxkenth16
 
Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...Ann Johnson
 
Database Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationDatabase Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationApril Dillard
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdframsetl
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-dataNumaan Huq
 

Similar to Jason Anthony Smith - thesis short summary v1.0 (20)

The Evolving Landscape on Information Security
The Evolving Landscape on Information SecurityThe Evolving Landscape on Information Security
The Evolving Landscape on Information Security
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITALINCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
 
Ijnsa050201
Ijnsa050201Ijnsa050201
Ijnsa050201
 
Cyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docxCyber Security and Terrorism Research Article2Cybe.docx
Cyber Security and Terrorism Research Article2Cybe.docx
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
 
Junyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposalJunyan Wu Healthcare information security control on insider threat proposal
Junyan Wu Healthcare information security control on insider threat proposal
 
Running Head CYBERSECURITY1CYBERSECURITY 15.docx
Running Head CYBERSECURITY1CYBERSECURITY 15.docxRunning Head CYBERSECURITY1CYBERSECURITY 15.docx
Running Head CYBERSECURITY1CYBERSECURITY 15.docx
 
A criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative frameworkA criminological psychology based digital forensic investigative framework
A criminological psychology based digital forensic investigative framework
 
ISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_IntindoloISSC422_Project_Paper_John_Intindolo
ISSC422_Project_Paper_John_Intindolo
 
Whitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-badWhitepaper-When-Admins-go-bad
Whitepaper-When-Admins-go-bad
 
Chapter 12 - Computer Forensics
Chapter 12 - Computer ForensicsChapter 12 - Computer Forensics
Chapter 12 - Computer Forensics
 
Cybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptxCybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptx
 
This is assignment is a two part questions. Each question needs to b.docx
This is assignment is a two part questions. Each question needs to b.docxThis is assignment is a two part questions. Each question needs to b.docx
This is assignment is a two part questions. Each question needs to b.docx
 
Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...Surveillance Systems And Studies That Should Be...
Surveillance Systems And Studies That Should Be...
 
Database Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every OrganizationDatabase Security Is Vital For Any And Every Organization
Database Security Is Vital For Any And Every Organization
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 

Jason Anthony Smith - thesis short summary v1.0

  • 1. Jason Anthony Smith (2014) Mitigating cyber threat from malicious insiders Introduction Employees have a degree of trust invested in them by their employer and have likely been granted physical and logical access to the organisation’s IT systems and information in order to fulfil their in- role duties. Most of these employees are thankfully honest, however there exists the threat that some will abuse their insider position and commit crimes like fraud, theft or IT sabotage against their organisations. Probably the most well-known and notorious insider crime was committed by US Army Soldier Bradley Manning whom, in his role of intelligence analyst, abused legitimately granted access to classified databases and, through WikiLeaks organisation, released the largest set of classified documents ever leaked to the public. This included 250,000 U.S. diplomatic cables and 500,000 other reports relating to the Iraq and Afghan wars. In 2013 he was convicted under the espionage act and sentenced to 35 years confinement. When a roundtable of US government agencies compiled a list of “the hardest and most critical challenges in INFOSEC research that must be addressed for the development and deployment of trustworthy systems for the U.S. Government”, insider threat was ranked as the number two hardest problem behind ‘global scale identity management.’ Figure 1. Malicious insider definition
  • 2. Jason Anthony Smith (2014) Traditional cyber defence Most implementations of information security management systems, such as the widely adopted ISO17799, are traditionally focused on keeping external attackers at bay by defending the digital perimeter, identity and access management, testing policy compliance, and removing vulnerabilities from systems. In concert with creating a positive security culture, relieving time and work-load pressure, awareness training, and providing usable security tools and processes, these programmes can also alleviate threats from non-malicious insiders who typically cause incidents through user- error and negligence. There may even be pre-employment screening processes and Data Loss Prevention (DLP) deployed, however these programmes remain largely ineffective against malicious insiders. Advanced intelligence-led cyber defence The current digital threat landscape now includes well-resourced sophisticated attackers perpetrating targeted dynamic attacks over long periods of time. These so-called advanced persistent threat (APT) attacks often make use of zero-day exploits, social engineering and other adaptive techniques to get remote hands-on keyboard before ultimately exfiltrating data or completing some other objective. Defending against APT has required organisations to implement a non-traditional approach to defence often using predictive and diagnostic analytics of security intelligence data which has typically been gathered from specialist companies, government agencies, public sources and through private sharing agreements with trusted partners. These approaches to APT defence is unfortunately also ineffective for defence against malicious insider threat. Malicious insiders The sophistication of human beings makes tackling insider threats a difficult problem which requires much more than technology alone. A combination of techniques from the sociological and the socio-technical domains will be required too. People exhibit polymorphous behaviour in that they tend to hide their true emotions from their peers and their behaviour tends to be self-modifying in response to changes in the environment. For example, an insider could wait for an opportune moment to access a system and steal intellectual property and would be sophisticated enough to continually monitor and evaluate the risk of being caught versus the reward of accomplishing the theft. Personality is a dynamic and organised set of characteristics possessed by a person that uniquely influences his or her cognitions, motivations, and behaviours in various situations. It is this intrinsic personality, combined with extrinsic temporal and dynamic factors such as motivation and other external stimuli that form the basis for indicators that may correlate with a higher risk of insider threat. Emotional distress, disappointment, frustration, disgruntlement, introversion, perceived entitlement, lack of empathy and other traits have been discovered to correlate with an increase in
  • 3. Jason Anthony Smith (2014) the risk of an insider performing illegal acts or being vulnerable to recruitment or manipulation by others. Strong indicators of insider threat risk include disgruntlement, difficulty accepting feedback, anger management, disregard for authority, low performance, stress and confrontational behaviour; whilst weaker indicators include personal issues, self-centredness, dependability and absenteeism. A personal or work related event could be the trigger (an external stimuli) which causes an insider to decide to commit a crime against the organisation that trusts them. This could include being fired, financial pressure, family or marital issues, coercion or recruitment by a third party, or many other events or changes in circumstance. For example, people become affiliated with various organisations of like-minded individuals with similar beliefs, ideologies or causes. These could include religious sects, gangs, clubs, political parties, radical and extremist groups etc. Peer pressure from other members of these groups to commit a crime could cause the trigger point to be reached for a particular individual with a particular personality at a particular time in their life when they were vulnerable. In addition, when an insider crime is being prepared for or is in progress, it’s reasonable to assume there may be observable actions that could give rise to suspicion. For example, the US Defense Security Service regard certain behaviours as reportable including: - Keeping classified materials in an unauthorised location - Removing classification markings from documents - Attempting to conceal foreign travel - Sudden repayment of large debts - Repeated or un-required work outside of normal duty hours The key realisation is that a complex interaction of many factors lead to the malicious insider threat being realised with no single one of the factors being a decisive predictor in its own right. Rather, each extra indicator adds weight to the possibility that an insider is going rogue. The phases of a malicious insider attack An attack can be considered as a sequence of phases, each of which may or may not necessarily be present and which may also overlap with each other during some attacks. Using a phase based model of defence and countermeasure strategy was described in a paper by Lockheed Martin in 2010. In contrast to traditional network defence strategies, which focus upon the vulnerability element of risk, this approach focusses on the threat element of risk. For each moment along the time sequence of the attack there is an opportunity to design countermeasures to monitor and mitigate the threat. This sequence of opportunities is called the ‘kill-chain’. At each phase of the kill-chain, observable data will likely be generated and can be monitored. It may be generated by technical actions taken on systems and electronically captured, or as a result of behaviours and physical actions associated with the insider which may be observed by other people. One or more observable data points might be considered to be an indicator that the threat level of a particular insider is increasing which could lead to a particular intervention or course of action being pursued. The data could be used not just to indicate that an attack is in progress or has succeeded (through diagnostic analytics) but also to warn that the probability of an attack is rising (predictive analytics).
  • 4. Jason Anthony Smith (2014) As described earlier, threat mitigation can also be directed during each phase of the kill-chain. Specifically, countermeasures can be implemented to ‘deter’ insiders from attempting a particular course of action, ‘deny’ attempts to execute a particular course of action, ‘disrupt’ a particular course of action after it has begun, ‘degrade’ a particular course of action to be less effective or efficient, ‘deceive’ the insider so that they are disadvantaged, or ‘defeat’ the insider such that all future possible courses of action by the insider are of no consequence to the organisation. A characteristics of each phase in a six-phase kill chain model for malicious insider threat is described below and shown graphically in Figure 2. 1. Non-Insider phase o People start off as non-insiders to the organisation, progress to becoming an insider by being granted access, and then commit a crime which causes them to be labelled as a malicious insider. o People may have joined an organisation deliberately intending to the commit the insider crime, or may decide to do so after joining. This choice may have been because of recruitment or coercion by others or it may be self-initiated. o People have intrinsic characteristics and traits which make up their personality. They also have different social and cultural backgrounds, religious and political beliefs. o People may have criminal records and other historic records of past unwanted behaviour in their background. o People have families and friends and also may have associations with many other groups of likeminded individuals or individuals desiring similar actions or outcomes. These associations and these people can influence them. 2. Normal insider phase o A key transition state from non-insider to insider happens when the person is granted access by the organisation as an employee, contractor or business partner. o The mental states of people, whilst not directly observable, are able to be inferred to some degree of accuracy by people interacting with or observing the individuals behaviour and demeanour. o In the course of performing their role, the insider will perform physical actions and technical actions which are observable and will be the basis for the establishment of ‘normality’ o There may be a very short or no normal insider phase, particularly if the insider joined the organisation with the deliberate intent of committing a crime. It may be possible to infer normal technical actions for a role from what peers in the same role do. 3. Tipping point phase o At some point in time there is a tipping point, before which the person is not intending to commit a crime and after which that person has the intention to commit the crime. o The tipping point may have been caused by one or more precipitating events, or triggers, in the persons professional or personal life. o Events happen in people’s personal and professional life continuously which may influence them and change their motivations and outlook. Some of these events will be obvious to the organisation, such as giving the person notice of redundancy, and others will be less visible. o Leading up to the tipping point there may have been a progressive deterioration of trustworthiness of the individual towards the tipping point which resulted in observable behaviour changes. 4. Crime preparation phase
  • 5. Jason Anthony Smith (2014) o Following the tipping point, in order to accomplish the mission of achieving the crime, the person may need to plan and execute one or more preparatory actions. o Actions and behaviours after the tipping point may be different to those actions and behaviours which were considered normal for the individual before the tipping point. For example, the individual may start hording information or working strange hours. 5. Crime execution phase o The actual criminal act may happen after the person has, or should have had, their access rights removed. E.g. after they are dismissed from the organisation. o There may be opportunities to deter or prevent the person from committing a crime right up until the crime is actually committed. i.e. both before and after the tipping point. o The crime may not be an instantaneous or one-time event. Instead it may execute over a long period of time or be repeated numerous times by the same actor. o Deterrence, detection and prevention may be achieved using technology, process or people controls. 6. Organisation recovery phase o As well as response and recovery from the crime, this phase should give opportunities to perform root cause analysis and feed lessons learned back into the defence system. o Depending on the nature of the crime, the organisation may not ever fully recover.
  • 6. Jason Anthony Smith (2014) Figure 2. Malicious insider cyber threat kill-chain model A practical 10-step programme for mitigating malicious insider threat Implementing a programme to effectively mitigate malicious insider threat can be complicated, costly and take a long time – but organisations still need to make a start. The paragraphs below describe a programme which incrementally builds organisational capability in 10 practical steps. 1. In the first instance, the threat to the organisation from malicious insiders must be recognised by someone, perhaps the Chief Information Security Officer (CISO), whom is capable of championing its importance to senior executives and establishing support to build a mitigation programme. With senior support, it’s easier to enrol important stakeholders from HR, Legal, Communications, Operational Risk, etc. and form an appropriate governance structure to oversee and steer the programme. 2. A pre-requisite for a mitigation programme focussed on malicious insider threat is a well- functioning traditional Information Security Management System (ISMS) which maintains a baseline security control environment for the organisation. This baseline will likely include processes for risk assessment and treatment; asset management; physical and environmental security; policy and standards maintenance; personnel security; compliance; operational security; business continuity management and disaster recovery, etc. This baseline control environment will serve to protect the organisation from a broad range of threats including compromise by external attackers, and will serve a role in reducing risk from malicious and non-malicious insiders.
  • 7. Jason Anthony Smith (2014) 3. Extend existing incident response processes so that they are able to properly handle incidents caused by malicious insiders and are able to respond to escalations by staff whom have suspicions of wrong-doing by others. 4. Establish, communicate and enforce acceptable use policies which sufficiently set out the expectations and rules around using the organisations information and systems. Introduce insider threat awareness and training programmes to begin to educate personnel to recognise the threat and respond to it. 5. Taking a risk based approach depends upon ensuring that the critical assets of the organisation are discovered and agreed. In particular understand the location and flow of sensitive or valuable information including intellectual property or information where there are contractual, legal or regulatory obligations for protection or handling. The systems processing this data should be considered critical as well as any systems which play a critical role in the execution of mission critical business processes. A well run traditional ISMS should already have established the critical assets of the organisation and this should form the starting point for prioritising increased protection against the threat from malicious insiders. 6. Ensure that identity and access management processes are operating efficiently. This means that people are granted least privilege entitlement for access to systems; segregation of duties are checked and enforced; and access changes are made quickly following personnel joining, moving roles within, or leaving the organisation. Pay particular attention to those users with elevated privileges, and as with other measures, in the first instance focus on access which is to critical assets. 7. Introduce vetting processes prior to on-boarding new personnel and negotiate contractual clauses into master services agreements with business partners for a similar level of screening to take place. Focus in the first instance on those people whom will be granted access to critical assets. 8. Consider Data Loss Prevention (DLP) and Information Rights Management (IRM) implementations, especially if exfiltration of sensitive data has been identified as a key risk for the organisation. Consider the introduction of honey-tokens and configure DLP to detect and respond to their discovery in unauthorised locations. 9. Ensure Security Information and Event Monitoring (SIEM) logging and event analysis and correlation processes are properly functioning and establish a baseline of normal network traffic patterns and system usage. 10. Extend the scope of monitoring, logging and auditing to harvest richer data relevant to insider threat including behavioural data and personal event data from HR. Implement data analytics capabilities for prediction and diagnosis of insider incidents. Take particular care and apply real resources to ensure the monitoring teams aren’t overwhelmed by increasingly larger volumes of data each day and the expected benefits get lost in the noise.