2. Did you know?
Average cost per incident is $412,000
Average loss per industry is $15 million over 10 years
In several instances, damages reached over $1 billion
FBI Articles
Naval Espionage: Stopping a Dangerous Insider Threat
Insider Threat: Soldier Receives 16-Year Sentence for Attempted Espionage
Tyco Integrated Security Webinar Series
3. Matt Frowert
Director of Marketing,
Government and Banking
Tyco Integrated Security
Facilitator
Tyco Integrated Security
Webinar Series
Continuing Education Credit:
Email: mfrowert@tyco.com
Mitigating Insider Threats:
What Every Security Manager Should Know
4. Featured Speakers:
Mitigating Insider Threats:
What Every Security Manager Should Know
Dr. Stephen R. Band
Dr. Band served as chief of the FBI's famous Behavioral Science Unit and was instrumental in creating and leading the FBI's Undercover [UC] Safeguard Unit.
Randy Trzeciak
Mr. Trzeciak is a Senior Member of the technical staff for the Software Engineering Institute's (SEI) CERT Program at Carnegie Mellon University. His studies include analyzing the physical and online behavior of malicious insiders prior to and during network compromises.
6. Cyber-Insider Threat: Defined
“…The ‘insider’ is an individual currently or at one time authorized to access an organization’s information system, data, or network; such authorization implies a degree of trust in the individual.
The insider threat refers to harmful acts that trusted insiders might carry out; for example, something that causes harm to the organization, or an unauthorized act that benefits the individual…”
Source: Greitzer, F., et al. Combating the Insider Threat, IEEE Security & Privacy. Jan/Feb. 2008.
7. Research Findings
Saboteurs & spies had common personal predispositions that contributed to their risk of committing malicious acts.
In most cases, stressful events, including organizational sanctions, contributed to the likelihood of physical violence, insider IT sabotage & espionage.
Concerning behaviors were often observable before violent acts and during IT sabotage & espionage.
Source: Band, S. R., et al. Comparing Insider IT Sabotage & Espionage: A Model Based Approach. SEI-CERT-CMU, Jan. 2006
8. Research Findings (continued)
Technical actions by malicious insiders could have alerted the organization to planned or ongoing malicious acts.
In many cases organizations ignored or failed to detect concerning behaviors/rule violations.
Lack of physical and electronic access controls facilitated violent acts, IT sabotage & espionage.
9. Do you detect a R.A.T.?
Routine Activity Theory (RAT) is one of the main theories of “environmental criminology.”
The theory states that a crime occurs when the following three elements come together in any given space and time:
1. The presence of a motivated offender
2. The absence of capable guardians that could intervene
3. An accessible target
Developed by Marcus Felson and Lawrence E. Cohen
10. Applied Criminology In Action
Corporate Espionage & Sabotage Prevention requires a RAT in action:
Capable Guardianship
De-motivated Offenders
Protecting the Crown Jewels
11. It all begins with… ACCESS
At the Gates - Screening
Inside the Perimeter
Expectations of Privacy
Non-disclosure Agreements
Monitoring
Social Media & Engineering
The Hostile Foreign Threat & Recruitment
12. ‘Actionables’
Develop risk indicator instruments.
Look at case study information in relation to: concerning behaviors; stressful events; and personal predispositions across sabotage & espionage events.
Look at technical data not related to insider threat: false positive detection.
Evaluate available tools, policies, and methods for auditing behaviors & technical actions indicative of IT sabotage & espionage.
14. ‘Actionables’ (continued)
Assess the relationship between policy enforcement for policy and rule violations and the risk of insider IT sabotage & espionage.
Analyze current access control policies and practices for the purpose of identifying and evaluating options to mitigate insider threat risk.
Develop a ‘risk indicator’ instrument to acquire better information on the base rates and baseline level of risk factors in proportion to actual insider activity.
15. Violence-Sabotage-Espionage:
Predispositions-Motivations-Personal Stress-Red Flags
M.I.C.E.: Money; Ideology; Compromise; Ego
Disgruntlement: Anger & Revenge
Divided Loyalty – Allegiance Issues
Alcohol and other substance abuse
Gambling
Financial Complications
Mental Health Issues
Adverse Personnel Actions
Security Violations
Criminal History
Victimized or perceived so
Personality Issues (Narcissistic; Psychopathic)
17. Threat Assessment: A Continuum of Observables
“The Cyber World & BMW Converge”
Leakage of Behavior: something isn’t right (rule out false positive). What brought attention to this individual?
Consider emerging risk issues: predispositions; personal stressors; motivators; ‘mitigators’; Crime Script.
Making a Threat vs. Posing a Threat: engaging in behavior that furthers a plan to harm a target: specificity of plan & ability/tools required for action.
Movement from idea to plan to action.
Thresholds: evidence the path leads to destruction; violence; espionage.
Set a low threshold to facilitate early intervention.
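The "rule out false positive" and "set a low threshold" points on this slide, together with the earlier actionable on acquiring base rates for a risk indicator instrument, are easiest to see with numbers. The Python below is an added illustration and is not material from the webinar, from Tyco or from CERT; the base rates, sensitivities and false-positive rates are constructed, and the function and threshold names are assumptions of this example. It works in exact fractions so the trade-off is visible without rounding.

```python
"""Base-rate arithmetic for a risk indicator instrument (added illustration;
all rates below are constructed, not figures from the webinar or from CERT)."""
from fractions import Fraction


def positive_predictive_value(base_rate, sensitivity, false_positive_rate):
    """Share of flagged individuals who are genuine cases, by Bayes' rule.

    base_rate: fraction of the population actually engaged in insider activity
    sensitivity: fraction of genuine cases the indicator flags
    false_positive_rate: fraction of non-cases the indicator flags anyway
    """
    true_pos = base_rate * sensitivity
    false_pos = (1 - base_rate) * false_positive_rate
    return true_pos / (true_pos + false_pos)


# Two hypothetical operating points for the same instrument. The 'low'
# threshold is the early-intervention setting: it catches more genuine cases
# but also flags more people who are not a threat.
THRESHOLDS = {
    "high": {"sensitivity": Fraction(6, 10), "false_positive_rate": Fraction(1, 100)},
    "low": {"sensitivity": Fraction(9, 10), "false_positive_rate": Fraction(5, 100)},
}


def threshold_report(cases_per_thousand, population=1000):
    """Exact expected counts when screening `population` people, of whom
    `cases_per_thousand` in every 1000 are genuine cases."""
    base_rate = Fraction(cases_per_thousand, 1000)
    genuine = population * base_rate
    report = {}
    for name, op in THRESHOLDS.items():
        sens, fpr = op["sensitivity"], op["false_positive_rate"]
        report[name] = {
            "ppv": positive_predictive_value(base_rate, sens, fpr),
            "true_alerts": genuine * sens,                  # genuine cases flagged
            "false_alerts": (population - genuine) * fpr,   # non-cases flagged
            "missed": genuine * (1 - sens),                 # genuine cases not flagged
        }
    return report


if __name__ == "__main__":
    for rate in (1, 10):
        print(f"{rate} genuine case(s) per 1000 screened:")
        for name, r in threshold_report(rate).items():
            print(f"  {name:4} threshold: PPV={float(r['ppv']):.3f} "
                  f"true={float(r['true_alerts']):.1f} "
                  f"false={float(r['false_alerts']):.1f} "
                  f"missed={float(r['missed']):.1f}")
```

At one genuine case per thousand, the low threshold flags roughly fifty people per thousand and fewer than two in a hundred of those are genuine; that is the workload a low threshold buys in exchange for early intervention, and it is why the slide pairs the low threshold with ruling out false positives rather than acting on a flag alone.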
18. A good Threat Assessment will thoroughly analyze:
The exact nature and context of the threat
The identified target
The inside threatener’s apparent motivation
The threatener’s ability to carry out the threat
The threatener’s background, including work history, criminal record, mental health history, military history and past behavior on the job
THE BEST PREDICTOR OF AN EMERGING OR FUTURE THREAT IS A RECENT AND/OR SIGNIFICANT HISTORY OF PAST THREAT… TO INCLUDE Sabotage & Espionage
Threat Assessment (continued)
19. Some Takeaways …
Behavioral Science empirical Research is your Friend: The past informs the present; don’t buy the ‘secret sauce’. Base your protection standards on lessons learned from available case studies and apply them to your organization’s culture.
The Role of Criminology: Be the Capable Guardian; De-motivate the Threatener; Protect the ‘Crown Jewels’. Strive for excellence in each category.
Develop a multi-disciplinary threat mitigation team: IA, Security; CI; HR; OGC; liaison with law enforcement. Develop threat response options.
Know the signs of emerging illicit Conduct: evolving anomalies in employee personal predispositions, stressors, and concerning behaviors.
Conceive of mitigation strategies before a potential threat escalates into disastrous consequences. Plan to intervene!
Establish and set cyber and brick-and-mortar-world insider threat detection methods, techniques, and standards at points of access and exfiltration.
Establish a See Something, Say Something, Do Something Culture
20. Insider Threats: Lessons Learned from
Actual Incidents
Randy Trzeciak
Carnegie Mellon University
Software Engineering Institute
Pittsburgh, PA 15213
21. Notices
Copyright 2014 Carnegie Mellon University.
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS
FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT
LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR
RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES
NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT,
TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Internal use. Permission to reproduce this document and to prepare derivative works from this
document for internal use is granted, provided the copyright and “No Warranty” statements are included
with all reproductions and derivative works.
External use. This document may be reproduced in its entirety, without modification, and freely
distributed in written or electronic form without requesting formal permission. Permission is required for
any other external and/or commercial use. Requests for permission should be directed to the Software
Engineering Institute at permission@sei.cmu.edu.
This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003
with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally
funded research and development center. The Government of the United States has a royalty-free
government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any
manner, and to have or permit others to do so, for government purposes pursuant to the copyright
license under the clause at 252.227-7013.
22. What is the Insider Threat?
23. Insider Threat Issue
Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers’ systems and/or databases.
Insiders can bypass existing physical and electronic security measures through legitimate means.
24. The Insider Threat
There is not one “type” of insider threat
• Threat is to an organization’s critical assets
• People
• Information
• Technology
• Facilities
• Based on the motive(s) of the insider
• Impact is to Confidentiality, Availability, Integrity
There is not one solution for addressing the insider threat
• Technology alone may not be the most effective way to prevent and/or detect an incident perpetrated by a trusted insider
25. What is a Malicious Insider Threat?
Current or former employee, contractor, or other business partner who
has or had authorized access to an organization’s network, system or data and
intentionally exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
26. What is an Unintentional Insider Threat?
Current or former employee, contractor, or other business partner who
has or had authorized access to an organization’s network, system, or data and who, through
their action or inaction without malicious intent,
causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.
27. Separate the “Target” from the “Impact” from the “Actor”
30. Types of Insider Crimes (2)
Insider IT Sabotage
• Deletion of information
• Bringing down systems
• Web site defacement to embarrass organization
Insider theft of intellectual property
• Proprietary engineering designs, scientific formulas, etc.
• Proprietary source code
• Confidential customer information
• Industrial Espionage
Insider fraud
• Theft and sale of confidential information (SSN, credit card numbers, etc.)
• Modification of critical data for pay (driver’s license records, criminal records, welfare status, etc.)
• Stealing of money (financial institutions, government organizations, etc.)
31. Types of Insider Crimes (3)
Miscellaneous
• Disclosure of information insider believed should be in the public domain
• Query of database to find address of person – information provided to acquaintance who physically harmed individual
• Query of high-profile individuals to access personal information
33. Summary of Insider Incidents
Attributes compared across the three incident types (IT Sabotage, Fraud, Theft of Intellectual Property):
Current or former employee? IT Sabotage: Former. Fraud: Current. Theft of IP: Current (within 30 days of resignation).
Type of position: IT Sabotage: Technical (e.g. sys admins, programmers, or DBAs). Fraud: Non-technical (e.g. data entry, customer service) or their managers. Theft of IP: Technical (e.g. scientists, programmers, engineers) or sales.
Gender: IT Sabotage: Male. Fraud: Fairly equally split between male and female. Theft of IP: Male.
Target: IT Sabotage: Network, systems, or data. Fraud: PII or customer information. Theft of IP: IP (trade secrets) or customer info.
Access used: IT Sabotage: Unauthorized. Fraud: Authorized. Theft of IP: Authorized.
When: IT Sabotage: Outside normal working hours. Fraud: During normal working hours. Theft of IP: During normal working hours.
Where: IT Sabotage: Remote access. Fraud: At work. Theft of IP: At work.
35. Patterns of Incidents
Four patterns of incidents were identified based on the threat vector:
DISC: accidental disclosure (e.g., via the internet). Sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax, or mail.
UIT-HACK: malicious code (UIT-HACKing, malware/spyware). An outsider’s electronic entry acquired through social engineering (e.g., phishing email attack, planted or unauthorized USB drive) and carried out via software, such as malware and spyware.
PHYS: improper/accidental disposal of physical records. Lost, discarded, or stolen non-electronic records, such as paper documents.
PORT: portable equipment no longer in possession. Lost, discarded, or stolen data storage device, such as a laptop, PDA, smart phone, portable memory device, CD, hard drive, or data tape.
39. Best Practices for Insider Threat Mitigation
Consider threats from insiders and business partners in enterprise-wide risk assessments.
Clearly document and consistently enforce policies and controls.
Incorporate insider threat awareness into periodic security training for all employees.
Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
Anticipate and manage negative issues in the work environment.
Know your assets.
Implement strict password and account management policies and practices.
Enforce separation of duties and least privilege.
Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
Institute stringent access controls and monitoring policies on privileged users.
Institutionalize system change controls.
Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
Monitor and control remote access from all end points, including mobile devices.
Develop a comprehensive employee termination procedure.
Implement secure backup and recovery processes.
Develop a formalized insider threat program.
Establish a baseline of normal network device behavior.
Be especially vigilant regarding social media.
Close the doors to unauthorized data exfiltration.
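Several of these practices (SIEM log correlation, the termination procedure, a baseline of normal behavior, monitoring remote access) can be expressed as correlation rules drawn from the incident profiles in the earlier Summary of Insider Incidents slide: sabotage by technical staff over remote access outside working hours, and theft of IP by a current employee within 30 days of resignation. The Python below is an added example, not code from the webinar, from Tyco or from CERT; the key=value log format, the HR roster, the working hours, the thresholds and every user name are constructed assumptions of this example.

```python
"""SIEM-style correlation of insider-threat indicators over log lines.

Added example, not tooling from the webinar or from CERT. It turns the
incident profiles in the 'Summary of Insider Incidents' slide (sabotage by
technical staff, remote, outside working hours; theft of IP within 30 days of
resignation) and the best-practice items on termination procedures and
behaviour baselines into rules. Log format, roster fields, thresholds and
every name below are constructed assumptions.
"""
from datetime import datetime, timedelta

WORK_START, WORK_END = 8, 18             # assumed normal working hours
RESIGNATION_WINDOW = timedelta(days=30)   # 'within 30 days of resignation'
BASELINE_MULTIPLIER = 10                  # far above the user's normal volume

# Constructed HR roster; 'date' is the termination date or announced last day,
# 'baseline' the user's typical daily transfer volume in bytes.
ROSTER = {
    "jdoe":   {"status": "terminated", "role": "technical", "date": "2014-02-28", "baseline": 50_000_000},
    "asmith": {"status": "resigning", "role": "technical", "date": "2014-03-21", "baseline": 80_000_000},
    "bchan":  {"status": "active", "role": "technical", "date": None, "baseline": 60_000_000},
    "mlee":   {"status": "active", "role": "non-technical", "date": None, "baseline": 5_000_000},
}

# Constructed key=value log lines (not any real product's format).
SAMPLE_LOG = """\
2014-03-03T23:12:05 host=vpn1 event=login user=jdoe src=remote result=success
2014-03-04T10:15:00 host=fs1 event=transfer user=asmith bytes=5200000000 dst=usb
2014-03-04T02:40:11 host=vpn1 event=login user=bchan src=remote result=success
2014-03-04T11:02:30 host=fs1 event=transfer user=mlee bytes=4000000 dst=share
2014-03-04T09:30:00 host=fs1 event=transfer user=bchan bytes=70000000 dst=share
2014-03-04T14:05:00 host=vpn1 event=login user=mlee src=onsite result=success
"""


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    if "bytes" in ev:
        ev["bytes"] = int(ev["bytes"])
    return ev


def outside_working_hours(ts):
    """Weekend, or a weekday hour outside the assumed working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def evaluate(ev, roster=ROSTER):
    """Return the names of all rules a single parsed event triggers."""
    person = roster.get(ev["user"])
    if person is None:
        return ["unknown-account"]
    key_date = datetime.strptime(person["date"], "%Y-%m-%d") if person["date"] else None
    hits = []
    # Termination procedure: a terminated employee's account must stay unusable.
    if person["status"] == "terminated" and ev["ts"] >= key_date:
        hits.append("terminated-account-activity")
    # Sabotage profile: technical staff, remote access, outside working hours.
    if (ev["event"] == "login" and ev.get("src") == "remote"
            and person["role"] == "technical" and outside_working_hours(ev["ts"])):
        hits.append("after-hours-remote-technical")
    if ev["event"] == "transfer":
        # Theft-of-IP profile: above-normal transfer in the 30 days before departure.
        if (person["status"] == "resigning"
                and key_date - RESIGNATION_WINDOW <= ev["ts"] <= key_date
                and ev["bytes"] > person["baseline"]):
            hits.append("departing-employee-bulk-transfer")
        # Baseline deviation: volume far above this user's own normal behaviour.
        if ev["bytes"] > BASELINE_MULTIPLIER * person["baseline"]:
            hits.append("transfer-exceeds-baseline")
    return hits


def correlate(log_text, roster=ROSTER):
    """Run every rule over every line; return (user, event, rules) per alert."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            hits = evaluate(ev, roster)
            if hits:
                alerts.append((ev["user"], ev["event"], hits))
    return alerts


if __name__ == "__main__":
    for user, event, rules in correlate(SAMPLE_LOG):
        print(f"{user:7} {event:9} -> {', '.join(rules)}")
```

The rules deliberately join technical log data with HR context (status, role, departure date, per-user baseline): the incident table shows that the same authorized, working-hours access is benign for most staff and a theft-of-IP indicator only in the resignation window, so a SIEM rule that sees only the log line cannot tell them apart. The alert is a prompt for the multi-disciplinary team the earlier slides describe, not a verdict.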
41. Motivation for a Program
“To ensure the responsible sharing and safeguarding of classified national security information on computer networks.”
Source: Executive Order 13587, quoted in GCN (http://s.tt/1ai6l)
To ensure protection of and appropriate access to intellectual property and other critical assets, systems, and data including
• people
• business processes
• technology
• facilities
• information
To be prepared and ready to handle such events in a consistent, timely, and quality manner, including understanding
• who to involve
• who has authority
• who to coordinate with
• who to report to
• what actions to take
• what improvements to make
43. CERT Resources
Insider Threat Center website (http://www.cert.org/insider_threat/)
Common Sense Guide to Mitigating Insider Threats, 4th Ed.
(http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm)
The Insider Threat and Employee Privacy: An Overview of Recent Case Law,
Computer Law and Security Review, Volume 29, Issue 4, August 2013 by Carly L.
Huth
Insider threat workshops
Insider threat assessments
New controls from CERT Insider Threat Lab
Insider threat exercises
The CERT® Guide to Insider Threats: How to Prevent, Detect, and Respond to
Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software
Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak
45. Randall F. Trzeciak
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-7040
rft@cert.org
http://www.cert.org/insider_threat/
Speaker Contact Information
Stephen R. Band, Ph.D.
behavioralintelligencespecialist@starpower.net
http://www.drstephenrband.com/
46. Resources
Tyco Contact Information:
Matt Frowert, Tyco Integrated Security
mfrowert@tyco.com
www.tycois.com
Helpful Links:
http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
http://www.fbi.gov/news/stories/2012/may/insider_051112/insider_051112
http://www.ncix.gov/issues/ithreat/docs/Insider_Threat_Brochure.pdf
http://www.cert.org/insider-threat/index.cfm