The document discusses insider threat programs and insider threats. It notes that in the last fiscal year, economic espionage and theft of trade secrets cost the American economy over $19 billion, and these crimes are increasingly linked to insider threats. The average cost per insider threat incident is $412,000, with average losses of $15 million per industry per year. Some incidents have exceeded $1 billion in losses. Intellectual property now represents most of a corporation's value, making assets more susceptible to espionage. The document discusses the need for organizations to implement insider threat programs to identify, prevent, detect and respond to insider threats in order to reduce losses.
Shaping Your Future in Banking Cybersecurity - Dawn Yankeelov
Designed for bankers, this cybersecurity policy presentation given via partnership with the BSG Financial Group explains where the industry should pay attention and what is next. It was presented on Jan. 24, 2017.
Presentation by Larry Clinton, President of the Internet Security Alliance (ISA), to the 66th Annual Fowler Seminar on Oct 12, 2012, titled Evolution of the Cyber Threat - A Unified Systems Approach.
IDC developed a set of cybersecurity case studies of US commercial organizations in order to learn: What security problems they have experienced, changes that they have made to address them, and new underlying security procedures that they are exploring.
Factor in the security threat of mobile devices and the rise in compliance demands, and the situation threatens to spin out of control. CSC, in partnership with RSA and IDG Research, recently surveyed IT professionals across a wide array of industries on their top security challenges and concerns.
An analysis and discussion of the many factors to be considered when talking about data breaches.
What is a breach?
What are data?
What costs are we talking about?
Whose costs are we talking about?
How do we estimate costs / impact?
How do we measure / estimate frequency?
Presented at Source Boston, April 18, 2012, Boston, MA
Improving Cyber Security Literacy in Boards & Executives - Tripwire
In response to the rapidly evolving threat landscape, Boards of Directors (BoDs) and executives are now more aware of today’s cyber threats and how they might adversely affect their business. However, most executives are nonetheless limited in their knowledge of security and do not know what to ask their security teams.
It is therefore up to security professionals to help their executives become more cyber security literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.
Acknowledging this responsibility on the part of information security personnel, Tripwire has asked a number of prominent experts in the field how security teams can improve their executives’ cyber security literacy.
A holistic view on educating people about securing the internet from information abuse. This presentation was specially designed for the ESDM Ministry conference in Bali.
Cyber Threat Intelligence (CTI) primarily focuses on analysing raw data gathered from recent and past events to monitor, detect and prevent threats to an organisation, shifting the focus from reactive to preventive intelligent security measures.
Public Relations Campaign for SecureWorks for IMC 618: PR Concepts & Strategy. Campaign is focused on increasing brand awareness among both big and small businesses as well as potential investors.
Securing Fintech: Threats, Challenges & Best Practices - Ulf Mattsson
Cyber attacks have increased in frequency and severity, and financial institutions are particularly interesting targets to cyber criminals. Join this presentation to learn the latest cybersecurity threats and challenges plaguing the financial industry, and the policies and solutions your organization needs to have in place to protect against them.
Viewers will learn:
• Current trends in Cyber attacks
• FFIEC Cyber Assessment Toolkit
• NIST Cybersecurity Framework principles
• Security Metrics
• Oversight of third parties
• How to measure cybersecurity preparedness
• Automated approaches to integrate Security into DevOps
About the Presenter:
Ulf Mattsson is the Chief Technology Officer of Security Solutions at Atlantic BT, and earlier at Compliance Engineering. Ulf was the Chief Technology Officer and a founder of Protegrity. He invented the Protegrity Vaultless Tokenization, Data Type Preservation (DTP2) and created the initial architecture of Protegrity's database security technology. Prior to Protegrity, Ulf worked 20 years at IBM in software development and in IBM's Research organization, in the areas of IT Architecture and Security, and received a US Green Card of class ‘EB 11 – Individual of Extraordinary Ability’ after endorsement by IBM. Ulf is the inventor of more than 45 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention.
Identity Theft Response - LizbethQuinonez813
Identity Theft Response
You have successfully presented an expanded Mobile Device Management Policy, which was approved by the CEO. He now wants you to work on a response plan for identity theft, which you proposed a few weeks earlier as part of a series of four cybersecurity projects.
The CEO says to you, "The Incident Response Plan will be our company's action plan to recover should the 'worst' occur. In our case, the 'worst' would be a breach of the company's security that could occur through the theft of customers' personally identifiable information, possibly through an individual's mobile device. Such a breach could compromise the integrity of the financial institution's data."
The CEO continues: “It is your responsibility to be fully prepared, and I want you to ask your team some ‘What if’ questions.”
“Specifically, I want you to ask: What if our customer information system is compromised internally by a misguided employee? What do we do? And, What if the system is breached by an external hacker and all our customer records are exfiltrated and/or deleted? How would we respond?”
You know that any stolen identity might be that of an employee and/or the identities within the customer information module, which would affect a large number of accounts. Either way, even the slightest breach would be serious, and not having an approved, executable plan of action would only compound the problem. Any lack of regulatory compliance by the organization could also be brought to light.
The CEO closes by saying, “A comprehensive plan for identity theft response is mandatory, and it will receive a lot of scrutiny from senior leadership. Everyone in the company realizes it is a critical component of our success and continued operation. I’m counting on you to do it well.”
Identity theft is becoming more common as technology continues to advance exponentially. Mobile devices, applications, and email make it more convenient for individuals to access records and financial accounts, but also increase the risk of identity theft.
As the CISO, you will be drafting an incident response plan to address identity theft for your financial organization.
Identity Theft Response is the second of four sequential projects in this course. The final plan will be about 10-12 pages in length. There are 16 steps in this project and it should take about 14 days to complete. Begin with Step 1, where you will identify types of cyberattacks in which personally identifiable information could be vulnerable.
Competencies
Your work will be evaluated using the competencies listed below.
· 1.3: Provide sufficient, correctly cited support that substantiates the writer's ideas.
· 2.2: Locate and access sufficient information to investigate the issue or problem.
· 8.4: Design an enterprise cybersecurity incident response plan.
Project 2: Identity Theft Response
Step 1: Identify Potential PII Attacks
Since this project will require an enterprise cybersecurity incident response plan with ...
Before the Breach: Using threat intelligence to stop attackers in their tracks - Mark Fullbright
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
Insider Threat Prevention in the US Banking System - ijsc
Insider threats have been a major problem for the US banking sector in recent years, costing billions of dollars in damages.
To combat this, the implementation of effective cybersecurity measures is essential. This paper investigates the current state of insider threats to banks in the U.S., the associated costs, and the potential measures that can be taken to mitigate this risk. The development of a framework for the adoption of cybersecurity measures within the banking industry is the primary emphasis in order to stop fraud and lessen financial losses. Through a detailed examination of the literature, in-depth interviews with experts in the banking sector, and case studies of existing cybersecurity measures, this paper provides a comprehensive overview of the problem and potential remedies.
Analysis of the research reveals that identity and access management, data encryption, and secure authentication are key components of any cybersecurity strategy. Furthermore, it is recommended that banks increase their technical capabilities and improve their employee awareness and training. The study concludes with a series of suggestions for enhancing banking industry cybersecurity and eventually reducing the danger of insider attacks.
This paper explores the topic of insider threats in the US banking industry and presents cybersecurity measures to prevent fraud. Insider threats from people with access to sensitive data and systems present serious hazards to the banking industry, resulting in monetary losses, reputational harm, and compromised data integrity.
Financial Institutions, Merchants, and the Race Against Cyberthreats - EMC
This Aite analyst report examines the common threats facing financial institutions and retailers, including mobile attacks, DDoS, and malware, and offers recommendations on common defenses deployed by players in both industries.
Security Intelligence Maturity Model CISO Whitepaper - CMR WORLD TECH
A Time of Great Risk: The Time Between Compromise and Mitigation
In most organizations today, threat detection is based on various security sensors that attempt to look for anomalous behavior or for known signatures of malicious activity. These sensors include firewalls, intrusion detection/prevention systems (IDS/IPS), application gateways, anti-virus/anti-malware, endpoint protection, and more. They operate at and provide visibility into all layers of the IT stack.
Brian Wrote: There is a wide range of cybersecurity initiatives .docx - hartrobert670
Brian Wrote :
There is a wide range of cybersecurity initiatives that exist on the international level through collaborative efforts between the Department of Homeland Security (DHS) and numerous organizational units (UMUC, 2012). According to UMUC (2012), some examples of these initiatives are:
· Federal Law Enforcement Training Center
· National Cyber Security Division
· National Communications System
· Office of Infrastructure Protection
· Office of Operations Coordination
· Privacy Office
· U.S. Secret Service
· U.S. Immigration and Customs Enforcement
· Organization of American States Assistance
“The National Cyber Security Division works to secure cyberspace and America’s cyber assets in cooperation with public, private, and international entities” (UMUC, 2012). This is done using several strategic plans and directives, such as the Presidential Decision Directive 7, the Information Technology Sector Specific Plan, the National Strategy to Secure Cyber Space, National Infrastructure Preparedness Plan, and the National Response Plan (UMUC, 2012). A challenge that the National Cyber Security Division faces in providing an effective deterrent to cybersecurity threats is the constantly evolving technologies. This applies to both good and bad. Cyber attacks are constantly evolving and so are the technologies used to protect from them. In order for the National Cyber Security Division to effectively deter them, not only do they have to stay up-to-date but so do all of the strategic plans and directives that they use.
Another initiative is the Federal Law Enforcement Training Center (FLETC), which emerged in the 1980s. This initiative puts forth “efforts to counter international hijackings and financial crimes” (UMUC, 2012). It now also extends law enforcement abroad to help against terrorist activity, international crime, and drug-trafficking (UMUC, 2012). It does this in partnership with the Department of State. A challenge that the FLETC faces in providing an effective deterrent to cybersecurity threats is their international limitations. Although they have partnered abroad with select foreign nations, they still have restrictions and limitations as to what exactly they can do.
Justin Wrote:
Mutual Legal Assistance Treaties (MLATs) are established between two or more nations and provide a formal means of exchanging evidence and information pertaining to criminal acts or cases that occur outside of a nation’s legal jurisdiction. The primary issue associated with MLATs and cybercrime is the inconsistency of host nation laws. Many nations feel that the idea of a global anti-crime initiative may contradict a nation’s fundamental principles (Finklea & Theohary, 2012, p.24). There is no standardized definition for cybercrime which means that one nation may view a virtual act as a crime and the other, with which the MLAT exists, may not. If the two nations agree on the legality of the act then the requesting nation may sub ...
2. “In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion… economic espionage and theft of trade secrets are increasingly linked to the insider threat…”
- Christopher Munsey, FBI Counterintelligence Division (2013)
“The average cost per Insider Threat incident is $412,000. Average loss per industry is $15 million/year. Multiple incidents have exceeded $1 billion.”
- Patrick Reidy, FBI, Senior Level Staff, Information Security Assurance Section (2013)
3. [Chart: Composition of the S&P 500, % value, Tangible Assets vs. Intangible Assets, 1975 to 2009]
“The U.S. economy has changed over the past 20 years. Intellectual capital rather than physical assets now represent the bulk of a U.S. corporation’s value. This shift has made corporate assets far more susceptible to espionage.”
- Protecting Key Assets: A Corporate Counterintelligence Guide, Office of the National Counterintelligence Executive (2013)
4. [Chart] Figure 5. Types of Insiders that individuals believe pose the biggest threat to organizations.
In your opinion, which of the following types of insiders pose the biggest threat to your organization? (Percent of respondents, N=707, three responses accepted)
6. Aldrich Ames: CIA Case Officer/Analyst
Provided detailed information to KGB on CIA intelligence operations and agents in the USSR.
Received $4.6 million in exchange for information.
Convicted in 1994: Sentenced to life imprisonment (without possibility of parole) for espionage.
Robert Hanssen: FBI Special Agent
Provided detailed information to KGB/SVR on FBI intelligence operations against USSR/Russian Federation.
Received $1.4 million in cash and jewelry in exchange for information.
Convicted in 2001: Sentenced to life imprisonment (without possibility of parole) for espionage.
7. Spies
Turncoats
Traitors
Guilty of Treason
Sexual orientation... Blackmail… Greed... Ideology
8. Edward Snowden: NSA Systems Administrator Contractor
Passed thousands of classified documents describing NSA and allied intelligence agencies operations to The Guardian and The Washington Post for public release.
Considered a fugitive by US Government since 2013. Charged with espionage and theft of government property. Granted temporary asylum in Moscow by Russian Government.
PFC Bradley Manning: US Army Intelligence Analyst
Passed thousands of classified diplomatic cables and military reports to the WikiLeaks staff which posted this material on their public web site.
Convicted in 2013: Sentenced to 35 years imprisonment (with possibility of parole in eight years) for espionage.
11. Game Changer!
Companies must adapt to a new, effective security paradigm that provides an ROI in security.
The world is complex, so is our internal threat.
If Security does not evolve to contain the threat…
12. Insider Threat Program (ITP) / Insider Threat Working Group (ITWG)
What are the characteristics of this program?
• The ITWG is a joint effort by government and industry CSOs.
• The ITP is supported by ASIS International, NDIA and NCMS.
• It addresses both violent and non-violent employee behavior.
• ITP meets both compulsory (Federal) and effective (industry) requirements.
• It is evolutionary not revolutionary in approach.
• Functional and psychometric analyses were used to design the program.
• ITP updates and repurposes existing programs, thus minimizing costs.
• Through effective use of metrics, ITP provides a demonstrable ROI for senior management.
13. National Industrial Security Program Operating Manual (NISPOM) Conforming Change #2 (Fall 2015)
Will require US Defense Industry to establish Insider Threat Programs at all cleared contractor facilities.
NITTF Guide to Accompany the National Insider Threat Policy and Minimum Standards (November 2013)
Detailed implementation plan for federal agencies to comply with White House policy memo.
White House Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (21 November 2012)
Directed federal agencies to establish effective insider threat programs to deter, detect and mitigate actions by employees who may represent a threat to national security.
E.O. 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information (7 October 2011)
Mandated responsible sharing and safeguarding of classified information on computer networks by federal agencies.
Established NITTF to assist federal agencies in preventing, deterring and detecting compromise of classified information by malicious insiders.
14. ASIS CSO Roundtable Survey (August 2013)
Establish baseline understanding of industry Insider Threat.
Surveyed CSOs of companies with > $1 billion in annual gross profit.
78 of 330 CSOs participated in survey (24%).
94% represented companies with > 999 employees.
NCMS Survey (March 2014)
Expand survey database of industry Insider Threat Programs to include small and medium size companies.
Survey conducted through NCMS Board of Directors to membership.
777 of 5900 members participated in survey (13%).
56% represented companies with < 500 employees.
15. [Chart] Does your organization have an insider threat-related program? Response options: Yes, formal; Yes, informal; No. Values shown: 35.9%, 47.2%, 17.0%.
[Chart] Please identify the relative size of your organization. Response options: Small (1 to 249 employees); Medium (250 to 499 employees); Large (500 to 999 employees); Enterprise (More than 999 employees). Values shown: 43.2%, 6.9%, 37.1%, 21.8%.
16. Insider Threat Program (ITP) / Insider Threat Program Model (ITPM)
What is an insider threat program?
An ITP is a proactive security implementation, approved and directed by executive leadership with cross-disciplinary participation to protect specified organizational assets.
What is the goal of the ITP?
The goal of the ITP is to: IDENTIFY > PREVENT > DETECT > RESPOND to counterproductive workforce behaviors and attacks that may compromise the safety and security of organizational assets.
18. The hub and key element of the ITP.
The scope includes all planning and development responsibilities – charter, leadership, policy creation, legal and privacy review, plan documentation, implementation, and requirements for each of the nine essential program elements.
BASIC: Designated PoC and responsibilities for program planning to include policies, procedures, and response protocols.
INTERMEDIATE: ITP Manager installed with supporting staff to execute program goals and objectives.
ADVANCED: Senior Executive leadership and skilled staff execute a broad spectrum of detection and mitigation activities.
19. Approach based on human behavior using technology as tools.
Categorizes the inventory of behavioral indicators.
Develops metrics to assess individual/organizational health.
Builds advanced monitoring strategies to increase positive “hit” rates and reduce false-positives.
Informs senior leadership and conveys ROI.
BASIC: Focuses ITP resources on inventory of behavioral indicators associated with insider threats.
INTERMEDIATE: Analyst role added to ITP team. Acceptable use profiles created.
ADVANCED: Behavioral psychology expertise added to program. Specialized analytics applied in pre/post-hiring selection and monitoring to include social media.
20. Part I: Apparel
Mind with USB port access
Metaphysical Lab Coat
Psychometric Goggles
Analytical Tongue Depressor
Part II: Questions
Who is the Insider Threat?
What do you do with 150+ identified possible behaviors?
How and when do you measure bad behavior?
Do you want to identify behavior before it becomes bad, or after?
What do you do next?
21. Who is the Potential Insider?
The challenge is to address personality traits that remain consistent, not cultural norms which change over time.
According to the DSM-5, depending on the disorder, 2-6% of the population suffer with Personality Disorders associated with personality traits reflecting inappropriate behaviors.
7,000,000 to 21,000,000 in the USA alone.
Few will be diagnosed, fewer still will ever be a threat.
BUT…
How many Insiders does it really take to: damage a brand name, significantly impact profits, and hurt your organization….
22. How many Insiders does it take to seriously damage an ORGANIZATION?
PFC Bradley Manning, US Army
An Army of ONE
23. How many Insiders does it take to seriously damage an ORGANIZATION?
Edward Snowden
1 - NSA
2 - Booz Allen Hamilton
One Insider, TWO ORGANIZATIONS damaged
24. How many Insiders does it take to seriously damage an ORGANIZATION?
Add Name
Your Company
It only takes ONE.
25. Define/Measure/Optimize
Personality Disorder – An enduring pattern of inner experience and behavior that deviates markedly from the expectations of the individual’s culture, is pervasive and inflexible, has an onset in adolescence or early adulthood, is stable over time, and leads to distress or impairment. (DSM-5)
Personality disorders are characterized by impairments in personality functioning and pathological personality traits.
Counterproductive Work Behavior – Any intentional action by members of organizations that violates core organizational and/or social norms. (Vardi and Wiener)
Metrics – The science of measurement. Metrics enable process assessment and controls, drive business policies and investment decisions, influence collaboration for enterprise-wide benefits, and motivate strategic and profit center alignment. (Persuading Senior Management w/Effective, Evaluated Security Metrics)
Cognitive:
Stressor-Emotion Model – Integrating human aggression and occupational stress
Organizational Citizen Model – Counterproductive work behavior as protest
Clinical Models:
True Psychology of the Insider Spy (Dr. David Charney)
Diagnostic and Statistical Manual of Mental Disorders (DSM-5)
26. Behavioral Family (Individual) Minor Nonviolent
• Poor performance ratings
• Late to work/meetings
• Poor quality work
• Misuse of time
• Misuse of resources
• Not accepting feedback
• Disgruntled
• Incongruent work history
• Unreported changes in personal history
Behavioral Family (Individual) Serious Violent
• Open anger
• Destruction of property
• Assault
• Theft
• Increasing paranoia
• Actions dangerous to self and others
• Disregard for authority
• Arrests
Behavioral Family (Individual) Serious Nonviolent
• Falsifying employment data
• Excessive absenteeism
• Theft of information/property
• Time card fraud
• Falsifying work related data
• Exhibits paranoid attitudes
• Disregard for authority
• Excessive secrecy
• Distrust of others
Behavioral Family (Individual) Minor Violent
• Unsafe behavior (risk taking)
• Drug use
• Alcohol abuse
• Bullying of co-workers
• Verbal abuse/profane language
• Unexpressed anger
• Aggression toward others
• Demonization
27. Behavioral Family (Environmental) Minor Moderating Factors
• Medical issues (self/family)
• Depression
• Being bullied at work
• Injustice (self or others)
• Financial losses
• Reward system
• Job satisfaction shift
• Suicide in family
Behavioral Family (Corporate) Minor Moderating Factors
• Practice vs. policy
• Inconsistent selection process
• Lack of training
• Mal-assignments
• Distrust of employees
• Reward system changes
• Ignoring security rules
• Inconsistent reward process
• Perceived authority shift
Behavioral Family (Corporate) Serious Moderating Factors
• Change of employee authority
• Layoffs
• Furloughs
• No communication
• Benefit loss
• Employee treatment (loyalty)
• Patronage (selection/promotion)
• Terminations
• Ethics violations
Behavioral Family (Environmental) Serious Moderating Factors
• Loss of control (real or perceived)
• Poor work relationships
• Marital/family difficulties
• Poor job ratings
• Passed over for promotion
• Pending termination
• Mal-assignment
Collaboration
Details and administers the internal cross-organizational interactivity required to execute the ITP plan.
Details external collaboration requirements and knowledge-sharing protocols necessary to facilitate the acquisition of information potentially indicative of insider threat behaviors and activities.
BASIC
Liaison is established with internal stakeholders and external government agencies and industry organizations.
INTERMEDIATE
Technologies are in place to support data collection, retention, and sharing.
ADVANCED
Interactive engagement and knowledge exchange with the IC, federal, state, and local law enforcement authorities, and trade associations.
Why Collaborate?
Internal Collaboration
Industry Collaboration
Government Collaboration
Scalable Collaboration
Basic-Intermediate-Advanced
Industry Peers (Cleared Defense Contractors)
◦ Classified threat reporting from supported offices
Customers and Suppliers
Professional Associations and Working Groups
◦ ASIS, AIA, NCMS, National Industrial Security Program Policy Advisory Committee (NISPPAC), National Intellectual Property Rights Coordination Center
Trade Groups
US Businesses [DOMESTIC]
◦ NCIX/NCSC reporting
◦ FBI Field Office
US Businesses [INTERNATIONAL]
◦ U.S. Embassy (Commercial Services, Legal Attaché)
◦ AMCHAM
Law Enforcement (Local, State and Federal)
Regulators/Law Makers
Government Contracting Activities and Security Offices
Defense Security Service (Industrial Security Representatives and Counterintelligence Special Agents)
Education
Details the requirements for education, training, and awareness concerning insider threat behaviors and risk.
Provides customized training that addresses the program objectives of each design element.
BASIC
Basic insider threat education, training, and awareness
provided at hiring and on an annual basis.
INTERMEDIATE
Customized training for the various organizational units, e.g., C-suite, R&D, IP group(s), LoB, etc.
ADVANCED
Advanced CI training programs. Redundancy in training
roles, sharing lessons learned for ITP improvement.
Training effectiveness metrics defined and deployed.
Who must receive insider threat education, training, and awareness?
◦ Insider Threat Program Personnel
◦ Executive Leadership
◦ Workforce
What must be included in the program?
Where and when should it be taught?
How should this training be conducted?
What resources are available to support this training?
Proposed NISPOM Conforming Change #2 identifies specific insider threat training requirements for U.S. defense contractors. The following training syllabus may be required to be implemented during 2015. Our ITP covers these requirements in all three model types: Basic – Intermediate – Advanced.
Section 3-103. Insider Threat Training. The designated senior contractor official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained.
a. Contractor Insider Threat Program Personnel must be trained in:
(1) Counterintelligence and security fundamentals to include applicable legal issues;
(2) Procedures for conducting insider threat response actions;
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information; and
(4) Applicable legal, civil liberties, and privacy policies.
b. All cleared employees must be provided insider threat awareness training, either in-person or computer-based,
within 30 days of initial employment or prior to being granted access to classified information, and annually
thereafter. Training will address current and potential threats in the work and personal environment and will include
at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected
activity to the insider threat program designee;
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular
within information systems;
(3) Indicators of insider threat behavior, and procedures to report such behavior; and
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish a system to validate and maintain a record of all cleared employees who have
completed the insider threat briefings.
Section 3-107. Initial Security Briefings. Prior to being granted access to classified
information, an employee shall receive an initial security briefing that includes the following:
a. A threat awareness security briefing, to include insider threat awareness in accordance with 3-103b, Insider Threat Training.
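A worked check for the 3-103b and 3-103c requirements quoted above, added here as an example; it is not taken from the ASIS deck or from the NISPOM itself. It assumes a simple roster record per cleared employee (hire date, date classified access was granted, dates of completed briefings), reads "annually" as 365 days, and treats the initial-briefing deadline as the earlier of 30 days after hire and the access-grant date. The roster is constructed.

```python
"""Training-record check for NISPOM 3-103b/c (added example, not from the deck).

Flags cleared employees whose initial insider threat briefing was late, or whose
most recent briefing is more than a year old, and returns the result as the
record 3-103c asks the contractor to maintain.  Assumptions: the roster fields,
"annually" read as 365 days, and the initial deadline taken as the earlier of
30 days after hire and the date classified access was granted.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

INITIAL_WINDOW = timedelta(days=30)
ANNUAL_WINDOW = timedelta(days=365)   # assumption: "annually" read as 365 days
AS_OF = date(2015, 3, 2)               # assumed audit date


@dataclass
class ClearedEmployee:
    name: str
    hired: date
    classified_access: Optional[date]        # None if access not yet granted
    briefings: List[date] = field(default_factory=list)  # completed briefings


def initial_deadline(emp: ClearedEmployee) -> date:
    """Earlier of hire + 30 days and the classified-access date (assumption)."""
    deadline = emp.hired + INITIAL_WINDOW
    if emp.classified_access is not None and emp.classified_access < deadline:
        deadline = emp.classified_access
    return deadline


def check_employee(emp: ClearedEmployee, as_of: date) -> List[str]:
    """Return 3-103b findings for one employee; an empty list means compliant."""
    findings: List[str] = []
    done = sorted(d for d in emp.briefings if d <= as_of)
    deadline = initial_deadline(emp)
    if not done:
        # Nothing on record: only a finding once the initial window has closed.
        if as_of > deadline:
            findings.append(f"initial briefing missing; due by {deadline}")
        return findings
    if done[0] > deadline:
        findings.append(f"initial briefing late: {done[0]} after deadline {deadline}")
    if as_of - done[-1] > ANNUAL_WINDOW:
        findings.append(f"annual refresher overdue: last briefing {done[-1]}")
    return findings


def audit(roster: List[ClearedEmployee], as_of: date) -> Dict[str, List[str]]:
    """Validate the whole roster; the returned record doubles as the 3-103c log."""
    return {emp.name: check_employee(emp, as_of) for emp in roster}


# Constructed sample roster (not real people).
ROSTER = [
    ClearedEmployee("alice", date(2014, 1, 6), date(2014, 1, 20),
                    [date(2014, 1, 10), date(2015, 1, 8)]),        # compliant
    ClearedEmployee("bob", date(2014, 3, 3), date(2014, 3, 5),
                    [date(2014, 3, 20)]),                          # briefed after access
    ClearedEmployee("carol", date(2013, 6, 1), None,
                    [date(2013, 6, 15)]),                          # no annual refresher
    ClearedEmployee("dave", date(2015, 2, 16), None, []),          # still inside 30 days
]


def sample_audit() -> Dict[str, List[str]]:
    """Run the audit against the constructed roster as of AS_OF."""
    return audit(ROSTER, AS_OF)


if __name__ == "__main__":
    for name, findings in sample_audit().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

The "no briefing yet" branch matters: a new hire inside the 30-day window is not a finding, so an auditor running this weekly sees the employee appear only once the deadline has passed or once access was granted without a briefing.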
Insider threat terminology
Different types of insider threats
Case examples of insider threats
Available data
Personal and organizational factors which prompt an insider threat
Behavioral indicators
Current organizational policies and controls
Legislative and regulatory requirements on the insider threat
Laws and related penalties
Document the training program
Executive Leadership:
Why is an Insider Threat Program necessary?
How can it be implemented?
What will it cost?
What checks and balances are in place?
Insider Threat Program Personnel:
What should be tracked?
How is reporting managed?
What civil liberties need to be protected?
Workforce:
What are we protecting?
What assets are most wanted by others?
How can suspicious activities be reported?
What checks and balances are in place?
The Insider Threat is Real
Individual Welfare: Odd or suspicious behaviors
are often associated with life crises, such as work
stress, financial pressure, divorce, and death.
Helping is Not Snitching: Sharing information with management about a coworker who displays odd or suspicious behaviors may get that person help to resolve a life crisis.
Employee Assistance: Investigations are not the
only solution to responding to suspicious behavior;
employee assistance programs (EAPs) can increase
individual wellness and decrease pernicious
emotions.
Motivating Action: If employees understand that
their involvement may help an individual and
prevent them from taking harmful actions, they may
be more inclined to report what they observe.
Employee health ensures corporate health
Executive Leadership:
Identify your company's "Crown Jewels": key assets, products and services.
Give real-life examples of insider threat and show the consequences.
Provide economic rationale and ROI for implementing an Insider Threat Program.
Explain ethical obligations, legal limitations and regulatory requirements.
Outline how your program will be established and operated.
Introduce key members of your Insider Threat Program personnel.
Gain specific support commitments from each executive.
ITP Personnel:
Educate the ITP security team on insider threat terminology: behaviors, motives, anomalies and ways to "connect the dots."
Educate your team on how data collection points indicate insider threat:
◦ Human Resources
◦ Legal
◦ Physical Security
◦ IT-Security
◦ Information Assurance
◦ Data Owners
◦ Ethics and Compliance
◦ Internal Audit
◦ EAP
Determine what is normal within your organization (both behavioral and on the computer).
Educate the team members on new and developing trends.
Teach team members how to interpret data and generate metrics.
Workforce:
Explain what needs to be protected and why.
Point to policies and procedures already in place.
Explain what suspicious activities look like.
Explain how to report suspicious activities.
Develop a multi-pronged, repetitive approach to education.
Consider your audience when developing materials: Executive Leadership, ITP Personnel, Workforce.
Before formalizing this insider threat training program, consider what company policies, procedures and resources are already in place:
• Procedures for reporting suspicious behavior of employees / trusted partners
• Access control systems / badging procedures
• Annual security awareness training
• New hire orientation
• Pamphlets / posters
• Initial security briefing
• Computer usage policy / wireless device policy / social media policy
• Procedures for handling sensitive, proprietary and personally identifiable information (PII) as well as classified information
• Procedures for reporting suspicious activities and security incidents
ALL employees should understand their role in eliminating internal threat.
Where is the ASIS Insider Threat Information Repository and who can access it?
Access the ASIS site: www.asisonline.org
Sign in
Under “Membership,” select Library (IRC)
Details the identification, assessment, and prioritization of risk
associated with specified assets within the scope of the ITP.
Coordinates the economical use of resources to
minimize, monitor, and control the probability and/or
impact of security events.
BASIC
Risk management processes are initiated to accomplish
ITP asset protection objectives.
INTERMEDIATE
ITP assets are mapped to owners, custodians, persons with access, geo-locations, servers, workstations, laptops, networks, systems, applications and endpoints.
ADVANCED
Deploys sophisticated monitoring techniques to track the
movement of asset(s) across electronic and physical
boundaries.
Systematic approach to acquiring and analyzing the information necessary for protecting assets and allocating resources.
Source: USAF/SAF/AA
Source: Insider Threat Mitigation Group, LLC 2010
Threat sources:
• Bloggers, darknet operatives, competitive intel agents
• Independent entrepreneurs, Internet entrepreneurs, market analysts, information brokers
• Organized criminals (domestic and international), organized "net" gangs, identity thieves
• Foreign government intelligence agents (allied states and adversarial states)
• Competitors (domestic and foreign)
• Hacker-for-hire, freelance hacker, cyber criminals, anonymous hacker, unwitting hacker
• Terrorist operatives (domestic and international), Al Qaeda
Counterintelligence
Details a strategic approach to the identification, disruption, neutralization, and defeat of insider attacks.
Drives proactivity in ITP operations.
BASIC
CI basic principles operate in unison with existing security implementation; somewhat reactive in nature.
INTERMEDIATE
CI program elements and practices evolve for a more comprehensive and strategic approach.
ADVANCED
CI operates with a degree of autonomy from conventional security implementation.
1. Manage the CI process
2. Determine resource allocation
3. Identify triggers and risk indicators
4. Apply CI techniques
5. Compile, process, and organize CI reports
6. Prepare and present CI awareness briefings
7. Develop an operational structure
8. Conduct vulnerability assessments
9. Evaluate, integrate, analyze, and interpret threat information
10. Maintain compliance
11. Identify and respond to cyber intrusions
12. Initiate and oversee CI investigations
13. Communicate threat awareness culture
14. Apply technical solutions
Source: Global Skills X-change (GSX)
Deterrence
Details procedures and protocols required to respond to technical (cyber) and non-technical (human) indicators, incidents, and events.
Develops protocols for integrated direct and indirect interventions, investigations, and related response scenarios.
BASIC
Confidential reporting protocols are instituted pursuant to a documented plan.
INTERMEDIATE
Response policies and procedures are reviewed and revised in response to incident findings; preventative measures are implemented.
ADVANCED
Acceptable use training is provided to emphasize expectations and enforcement consequences for non-conformity.
Detection
Details the metric-based design and implementation of human and technical monitoring technologies, processes, and protocols.
Defines and manages data collection requirements.
On-boards analytic software and predictive algorithms to measure linguistic patterns.
BASIC
Monitoring strategy is implemented pursuant to the asset protection requirements of the ITP plan.
INTERMEDIATE
Monitoring practices are refined through analytics and lessons learned. Documented profiles inform decision-makers and buttress tech-tool and resource requisitions.
ADVANCED
Technical and non-technical resources are integrated, providing automated monitoring processes to include executive dashboards for timeline visibility.
Behavioral Assessment: data sources

Cyber Measures
• Registry entries
• Intrusion Detection System (IDS) events
• Firewall logs
• Host event logs
• Host print logs
• Network print logs
• Database server logs
• Web server logs
• File permissions
• Access to account
• Keystroke records
• Digital signatures
• Locally stored or cached files
• Proximity card data
• Applications installed
• Search engine queries (from query logs)
• Domain Name Server (DNS) logs
• Known software signatures
• Email content capture
• Instant messaging

HR Measures
• Disciplinary records (theft, violence, harassment, abuse)
• Personnel files
• Absentee records
• Employee turnover
• Employee surveys
• Termination of employment
• Exit interview details

Performance Measures
• Supervisor assessments
• Corporate performance evaluations
• 360-degree evaluations
• Job performance statistics
• Customer feedback
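One way to put a few of the cyber measures above to work, added as an example that is not part of the ASIS deck. It joins constructed proximity-card (badge) data, host logon events, network print logs and DNS logs for a single day and reports per-user indicators: a console logon by a user with no badge entry that day, after-hours printing above a baseline, and DNS lookups of file-sharing hosts. The log layouts, the business-hours window, the print baseline, the host-to-owner map and the domain watchlist are all assumptions, and every log line is constructed.

```python
"""Correlating cyber measures into per-user insider threat indicators.

Added example, not part of the ASIS deck.  It joins constructed proximity-card
(badge) data, host logon events, network print logs and DNS logs for one day
and reports three kinds of indicator: a console logon by a user with no badge
entry that day, after-hours printing above a baseline, and DNS lookups of
file-sharing hosts.  Log layouts, the business-hours window, the print
baseline, the host-to-owner map and the watchlist are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample logs (tab-separated; timestamp first).  Not real data.
BADGE_LOG = """\
2015-03-02T08:02:11\tjsmith\tHQ-North
2015-03-02T08:15:40\tmlee\tHQ-North
"""
LOGON_LOG = """\
2015-03-02T08:05:03\tjsmith\tWS-1104\tconsole
2015-03-02T09:12:55\tmlee\tWS-1211\tconsole
2015-03-02T19:41:20\trjones\tWS-1308\tconsole
2015-03-02T21:03:17\tmlee\tVPN-GW1\tremote
"""
PRINT_LOG = """\
2015-03-02T10:20:00\tjsmith\tPRN-2F\t12
2015-03-02T20:05:41\trjones\tPRN-3F\t640
"""
DNS_LOG = """\
2015-03-02T10:01:09\tWS-1104\tintranet.corp.example
2015-03-02T19:50:02\tWS-1308\tdrive.example-share.net
"""

FILE_SHARING_DOMAINS = {"drive.example-share.net", "paste.example.org"}  # assumed watchlist
HOST_OWNER = {"WS-1104": "jsmith", "WS-1211": "mlee", "WS-1308": "rjones"}  # assumed asset map
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is "in hours"
PRINT_BASELINE_PAGES = 50       # assumption: normal pages per job for this population


def parse(log: str) -> Iterator[Tuple]:
    """Yield (datetime, *fields) for each non-empty tab-separated line."""
    for line in log.splitlines():
        if line.strip():
            ts, *fields = line.split("\t")
            yield (datetime.fromisoformat(ts), *fields)


def correlate(badge: str = BADGE_LOG, logon: str = LOGON_LOG,
              prints: str = PRINT_LOG, dns: str = DNS_LOG) -> Dict[str, List[str]]:
    """Return {user: [indicator, ...]} for every user with at least one indicator."""
    indicators: Dict[str, List[str]] = defaultdict(list)

    # Proximity card data: who was physically on site on which day.
    badged = {(ts.date(), user) for ts, user, _site in parse(badge)}

    # Host event logs: a console logon with no badge record that day suggests
    # shared credentials or tailgating; after-hours remote logons get a note.
    for ts, user, host, kind in parse(logon):
        if kind == "console" and (ts.date(), user) not in badged:
            indicators[user].append(f"console logon on {host} at {ts:%H:%M} with no badge entry that day")
        if kind == "remote" and ts.hour not in BUSINESS_HOURS:
            indicators[user].append(f"after-hours remote logon via {host} at {ts:%H:%M}")

    # Network print logs: large after-hours jobs are a classic exfiltration tell.
    for ts, user, printer, count in parse(prints):
        if ts.hour not in BUSINESS_HOURS and int(count) > PRINT_BASELINE_PAGES:
            indicators[user].append(f"{count} pages printed after hours on {printer}")

    # DNS logs: attribute the querying host to its owner via the asset map.
    for _ts, host, qname in parse(dns):
        if qname in FILE_SHARING_DOMAINS:
            indicators[HOST_OWNER.get(host, host)].append(f"DNS lookup of {qname} from {host}")

    return dict(indicators)


def ranked(indicators: Optional[Dict[str, List[str]]] = None) -> List[Tuple[str, List[str]]]:
    """Users ordered by indicator count: the count, not any single hit, is what matters."""
    if indicators is None:
        indicators = correlate()
    return sorted(indicators.items(), key=lambda kv: len(kv[1]), reverse=True)


if __name__ == "__main__":
    for user, hits in ranked():
        print(f"{user}: {len(hits)} indicator(s)")
        for hit in hits:
            print("   -", hit)
```

Each hit is an indicator for the ITP team to review, not a finding, and the join only works because the asset map ties hosts to owners, which is exactly the INTERMEDIATE risk management mapping described earlier. The deck's own caveat applies before any of this runs on real logs: what is collected (keystrokes, email content, EAP data) is settled with Legal first.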
Guidelines to make presentations more compelling:
• Present metrics that are aligned with the organization's objectives or risks, or that measure the specific issues management is most interested in
• Present metrics that meet measurement standards
• Tell a story
• Use graphics, and keep presentations short
• Present metric data regularly
Details the ITP's review and audit management processes.
Assures that the program is operating pursuant to plan.
Applies lessons learned, and implements improvements based on metrics and other analysis.
BASIC
Designated PoC and responsibilities for program planning, to include policies, procedures, and response protocols.
INTERMEDIATE
ITP Manager installed with supporting staff to execute program goals and objectives.
ADVANCED
Senior executive leadership and skilled staff execute a broad spectrum of detection and mitigation activities.
ITP roadmap phases (as labeled on the slide): Evaluation, Formulation, Initiation, Implementation, Design. The activities below are grouped as they appear on the slide.

• Identify and review historical insider threat incidents
• Need and purpose for ITP articulated
• Obtain senior executive buy-in for program charter
• Select ITP model and components

• Build consensus and advocacy among core stakeholders (Convergence)
• In concert with General Counsel and HR, develop corporate ITP policy
• Develop comprehensive plan and timelines
• Form Insider Threat Working Group (ITWG)
• Define critical positions and modify position descriptions based on criticality

• Corporate-wide ITP metrics/measures developed
• Metrics dashboard designed
• Design comprehensive education plan
• High-level company-wide policies are approved and published
• ITP is formally launched and is operational
• Monitoring and audit procedures initiated
• Mitigation procedures operational

• Enterprise Security Risk Management (ESRM) processes initiated to identify assets, threats and vulnerabilities
• Integrate ESRM and ITP metrics into an analytical structure
• Identify requirements for core elements: Operations, Analytics, Collaboration, and Education

• Policies and procedures are written to support the development and operation of all ITP elements
• Incorporate counterintelligence controls and measures
• Security education plan modified to incorporate ITP requirements
• Determine technologies for monitoring and analytics
• Formulate incident response requirements
• Audit and improvement requirements incorporated
• Completed ITP plan is reviewed and approved as appropriate
• Develop collaboration plan for external relationships
• Pilot ITP
Contact:
Jeff Vish (Chair, ITWG)
Jeff.vish@Mantech.com
571.388.8688
Dan McGarvey (Chair, D&IC)
DMcGarvey@Skillsdmo.com
703.684.5067 ext.115
Editor's Notes
The FBI has investigated and analyzed numerous cases involving Insider Threat activity in Corporate America during the past several years.
Patrick Reidy, who serves as the FBI’s CISO, estimated that the average cost per Insider Threat incident is $412,000, while noting there have been incidents resulting in economic losses exceeding $1 billion dollars.
Over the past four years, the FBI reported the number of arrests involving economic espionage and trade theft has nearly doubled, while indictments have more than tripled and convictions have increased six fold.
Economic espionage and trade theft is increasingly linked to the Insider Threat.
How Corporate America measures its wealth has significantly changed in the 21st Century. A company’s economic edge in the marketplace is increasingly determined by the strength of its intellectual property and not its physical holdings.
From an Insider Threat standpoint, it is much easier to steal an idea than an object.
Among the most famous examples of government Insider Threat activity in the late 20th Century are CIA Case Officer Aldrich Ames and FBI Special Agent Robert Hanssen.
They received millions of dollars selling highly classified information to the Soviet Union’s KGB and later the Russian Federation’s SVR. Their actions seriously damaged the U.S. Intelligence Community’s collection capabilities, adversely impacted our national security and directly caused the deaths of several individuals.
How were these men viewed by the media and public?
The media and public opinion overwhelmingly condemned Aldrich Ames and Robert Hanssen as traitors highly deserving of sentences mandating lifetime imprisonment.
Private Bradley Manning and Edward Snowden are the most famous examples of government Insider Threat activity in the 21st Century.
Both of them without authorization transmitted highly classified information to public media groups. This action was seen by the U.S. Government as seriously damaging U.S. diplomatic relations with other countries and adversely impacting the U.S. Intelligence Community’s collection capabilities.
The difference between these 20th Century and 21st Century insiders was their motivation. Ames and Hanssen were clearly influenced by greed. Manning and Snowden apparently acted from ideological beliefs. No money changed hands.
So how are Manning and Snowden regarded by the media and public?
Media polls indicated the public attitude about their actions was essentially split along generational lines.
Older Americans typically felt both men violated the terms of their national security agreements and betrayed their country’s trust.
By contrast, many younger Americans (under 30) expressed their belief these men did the right thing by revealing intelligence activities that jeopardized the privacy rights of American citizens.
So why should a corporate CSO care about government insiders?
Within your company reside executives doubting the existence of an Insider Threat or believing the cost of committing corporate resources to counter this threat outweighs any risk of potential damage.
Your job as a security professional is to make a valid business case for committing the necessary resources to mitigate this risk.
You can advise your CEO that at least 1% of your work force is potentially an Insider Threat. When we present the analytical portion of our model, we’ll discuss how to identify and quantify your company’s Insider Threat.
But first you need to change the perception that the Insider Threat is a government concern and not a corporate matter.
An ITP comprehends the full spectrum of human nature and behavior in the workplace.
A security program that fails to comprehend “insiders” is not delivering security that works.
Lessons learned from historical threats.
ITP must close the fault-lines of conventional security implementations.
The persons you trust may be: careless, unwitting, disgruntled, disloyal, opportunistic, there to do harm (plant or mole).
One of the major initiatives of the ITWG involved conducting two industry-wide surveys of the practices and procedures utilized by various companies to address the Insider Threat.
In 2013, our first survey focused on the CSOs of large companies with 1,000 or more employees and annual gross profits exceeding $1 billion. 78 CSOs participated in this survey. The results from this survey were published last year by ASIS.
A second survey in 2014 , covering small and medium size companies was conducted in cooperation with the NCMS Board of Directors. The results of this survey will soon be published by ASIS.
Four component types:
Design elements center
Common properties
Model types
Recommendations
A methodical approach is required in order to achieve objectives.
The importance of getting the Operations Plan right and having the right people.
Survey findings:
Does your organization have an insider threat related program? A: LARGE= 68.4% has formal program. COMBINED=35.9% have formal/47.2% informal.
Is your organization’s program corporate-wide, or does it vary by subordinate component? A: COMBINED=68.4% have corporate wide/31.6% have subordinate components.
Decisions laden with trade-offs in resources, timing, data volume:
Manual Analysis – Skills mix, number of humans vs. volume of data collected
Automated Analysis – Costs for software/programming, speed, O&M dollars
Real-Time Reporting – Resource intensive, more timely, potentially preventative
Event-Triggered Reporting – More manageable resources, latency, most likely post-event recovery
Defining the human threat requires a change of perception for the security professional.
The threat has always been there, so we must ask ourselves why have we not been more effective in our profession.
Our culture has done a good job in protecting the organization from external threats.
The technology for physical and IT protection is constantly improving.
As a culture, we rely on technology, but we need to focus more on people and their behavior.
Technology will never be as good as we are when working with people.
Part of the problem is that we do not know how to define the potential insider.
So, we react to internal threats when we should be proactive.
What does it take to convince senior management that insider threat is real?
Up to 21,000,000 (that's 21 million) people have personality disorders which may make them susceptible to the kind of behavior we categorize as insider threat.
Very few will ever have that official diagnosis and far fewer still will ever be a threat to an organization, but how many do you need to cause damage?
PFC Manning is the poster child for the insider.
He took no money as a spy would, but caused the same level of damage.
All the classic indications were there, but were never considered until it was too late.
Snowden’s story is still unfolding.
He pretends to be a citizen, doing what was right, but there is a very dark side to both his motivations and behaviors.
Technology (cybersecurity) should have caught him, but his position and knowledge allowed him to bypass the technical hurdles.
The behavioral signs were there, but reliance on technology alone was the flaw.
One has to ask the question: Why should it be so hard to convince senior management that the insider is the greatest threat to their organization?
We hire people for their skills.
We tend to assume that others who are like us on the surface, feel and react the same, but that is not true.
In fact, the most dangerous insiders are very clever and they are in your organization NOW!
It is a time bomb waiting for the right combination of events to occur.
This defines the model of the insider. No one model can adequately define the true insider, so we had to combine the best into a composite model.
We combined both the clinical models which looked at individuals with cognitive models which defined the general behavior of multiple individuals in a given class of situations. We looked at numerous models. Most reflected slight variations against the core model. Every model reflected a different facet of personality.
Our composite model provides the most comprehensive description and definition of the insider based on analysis of the behaviors and motivation of those insiders identified in industry and government.
Research has indicated that one can modify one's behavior to fit the situation for a while, but not forever. Personality TRAITS are a permanent aspect of the individual.
They do not change and can be measured.
Most individuals observe and react in ways our culture considers normal.
Those with personality disorders observe and react in ways that are modified by their disorder. It is that variance which becomes measurable.
Not every Personality Disorder lends itself to the model. Many disorders are benign as they relate to CWB.
These are some examples of measurable CWB.
They are grouped based on the cognitive models using a clinical diagnostic schema.
Minor and serious behaviors and non-violent and violent behaviors are grouped.
The more behaviors noted, the greater the probability of potential CWB.
This is not a complete list, but an example of behavioral groupings.
These are the environmental and organizational stressors.
What is unique about the model is that organizational behavior and health is recognized as a key contributor to the creation of the insider threat.
Survey finding:
Does your organization have offices outside of the United States? A: COMBINED: 48%=YES, 58.0% No.
Type collaborations:
Knowledge exchange
Case referral
Industry based
Focal sponsor
The National Industrial Security Program Policy Advisory Committee (NISPPAC) is comprised of both Government (16 members) and industry representatives (8). The NISPPAC is responsible for recommending changes in industrial security policy through modifications to Executive Order 12829, its implementing directives, and the National Industrial Security Program Operating Manual (NISPOM). The NISPPAC also advises the Information Security Oversight Office (ISOO) on all matters concerning the policies of the National Industrial Security Program (NISP), including recommended changes to those policies, and serves as a forum to discuss policy issues in dispute. The Director of ISOO chairs the NISPPAC.
IP Center - The U.S. Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) led National Intellectual Property Rights Coordination Center (IPR Center) stands at the forefront of the United States Government's response to global intellectual property (IP) theft and enforcement of its international trade laws. The mission of the IPR Center is to ensure national security by protecting the public's health and safety, the U.S. economy, and our war fighters, and to stop predatory and unfair trade practices that threaten the global economy. To accomplish this goal, the IPR Center brings together 21 partner agencies, consisting of 17 key federal agencies, Interpol, Europol and the governments of Canada and Mexico in a task-force setting.
FBI and DSS are just two external partners that industry needs to continue to partner with. FBI has local agents who can provide briefings and tools, such as their new video, The Company Man, to your staff.
Law Enforcement
Local – Low level but possibly the highest intensity (violent threat) – How’s your relationship? Is the 911 call the first/only time the local police hear from you?
State – Multi- jurisdiction, State Attorney General
Federal – Foreign Government Influence
Regulators – Share your common problem, Trade associations provide the most leverage
Law Makers – Is there an issue that requires a new law to address?
Both the DSS IS Rep and CI Special Agent can provide threat information (classified and unclassified) to the FSO/KMP.
GCAs and government security offices can partner with industry to ensure any issues with embedded contractor employees are discussed and reported.
Q: If your insider threat-related program has an education component (i.e., Security/CI/Information Security awareness training/information), how is it delivered?
A: Over 70% used online resources.
The importance of detecting and reporting suspected insider threat activities
Understanding methodologies of adversaries to recruit trusted insiders to collect info-assets
Recognizing at-risk behavior and procedures for reporting
General awareness of counterintelligence practice and security reporting requirements as applicable.
These are the 5 key takeaways from this Insider Threat Educational Component presentation.
Who
What
Where and when, and
How
Plus access to over 100 Insider threat resources, all stored in the ASIS Norton Information Resources Center
Bradley Manning leaks classified information to WikiLeaks early 2010
President Obama signs Executive Order 13587 in October 2011
It happens again May 2013 when Edward Snowden boards a plane to Hong Kong with more classified documents
Executive Order 13587 mandates all federal agencies adopt Insider Threat programs to prevent another Manning or Snowden instance. Now those same mandates are being imposed on Cleared Defense Contractors (scheduled for 2015).
At the end of this presentation, I will show you the Insider Threat Information Repository (ITIR) which provides definitions, types of Insider Threats, types of Insider Threat cases, personal, organizational and behavioral indicators of an Insider Threat. ITIR also has information on legislative and regulatory requirements as well as federal statutes relating to Insider Threat violations.
Executive buy-in is critical
A powerful presentation is needed here
A continued commitment is necessary
This problem is not going away
Emphasize the company brand and that it cannot be tarnished, that by protecting our brand, higher profits, growth, job security ensue
We need more vigilance by the employees (if you see something, say something)
Now you have defined the threat. You can identify potential CWB before it occurs, but how do you provide mitigation? This can be difficult for some, but there are options.
We must shift from a black and white, and even from the shades of gray perspective.
We must shift from a reactive mode to an active mode of response. We must anticipate and resolve the problem before it occurs. If not, we will always be in a catch up mode.
Individuals are selected for their technical skills, more than the propensity to be threats.
By identifying and mitigating minor behavior problems of a potential problem employee early, we avoid damage to the organization.
Organizations have personalities, reflecting the culture of senior management and the workers. Organizations have health issues just like employees.
To be effective, the security professional of the 21st Century has to have both technical and behavioral skills.
Because when you get to the bottom line, it is all about the security of the people in your organization.
A very sensitive issue: employees may view this as Big Brother monitoring their every movement.
Also advise employees that an employee may not be an Insider Threat but may just be in a rough spot and may need assistance (EAP).
One of the key points that needs to stressed in our education slides is how ITP training is different from other training programs.
Emphasize to this group as well the company brand and that it cannot be tarnished; that we need more vigilance by the employees (if you see something, say something); and that by protecting our brand, higher profits, growth and job security ensue.
We are asking people to tell on each other when they hear or see something about the person that strikes them as rather unusual behavior.
This is socially counterintuitive to what we learned and were taught as kids: “Don’t be a tattle-tale.” “You don’t rat out a friend.” You help someone get through hard times by not saying anything.
For a long-time employee to tell on another long-time employee feels like an intimate betrayal of friendship and trust.
This education issue is shared across the Basic, Intermediate and Advanced models.
Getting a workforce over this psychological barrier is a serious challenge. You have to walk them through the personal trust issue.
How Security can best approach educating their workforce in this area needs to be clearly addressed in your slides.
Determine what data can and should be collected:
Human Resources: background screening, hostile work environment claims, performance issues, wage attachments
Legal: civil liberties and privacy issues, as well as concerns relating to targeting certain classes of employees
Physical Security: access badges and unauthorized access to your facility
IT-Security: malicious attacks, suspicious emails
Information Assurance: who has access to your most sensitive information; computer policy violators
Data Owners: what are we trying to protect
Ethics and Compliance: allegations made through a confidential hotline
Internal Audit: anomalies identified in audits
EAP: with understanding that information within EAP is confidential
Determine what is normal within your organization, both behavioral and on the computer
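As an added illustration of learning what is normal from the sources listed above (example code written for this page, not from the presentation or the ITIR), the following Python builds each employee's baseline of usual badge-in hours and sensitive-file access volume from constructed records, then flags a later day only when two or more sources corroborate it. Employee names, the seven-day baseline window, the z-score cutoff and the two-source rule are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the presentation): one tuple per employee-day,
# (employee, day, badge_in_hour, sensitive_files_opened, hr_event), drawn from the
# Physical Security, Information Assurance and HR/Ethics sources named above.
RECORDS = (
    [("alice", d, 8, n, 0) for d, n in enumerate([10, 12, 9, 11, 10, 12, 11], 1)]
    + [("bob", d, 9, n, 0) for d, n in enumerate([5, 6, 4, 5, 6, 5, 4], 1)]
    + [("alice", 8, 8, 11, 0),   # ordinary day
       ("bob", 8, 23, 60, 1)]    # late badge-in, file spike, HR/ethics event
)
BASELINE_DAYS = 7  # assumed: days of history used to learn "normal" per employee


def build_baseline(records, days=BASELINE_DAYS):
    """Learn each employee's usual badge-in hours and file-access volume."""
    by_emp = defaultdict(list)
    for emp, day, hour, files, _ in records:
        if day <= days:
            by_emp[emp].append((hour, files))
    return {
        emp: {"hours": {h for h, _ in rows},
              "files_mean": mean(f for _, f in rows),
              "files_std": pstdev(f for _, f in rows)}
        for emp, rows in by_emp.items()
    }


def indicators(record, baseline, z=3.0):
    """Indicators one day's record triggers against that employee's baseline."""
    emp, _, hour, files, hr_event = record
    b = baseline[emp]
    hits = []
    if hour not in b["hours"]:
        hits.append("badge-in outside usual hours")
    if files > b["files_mean"] + z * max(b["files_std"], 1.0):  # floor avoids std=0
        hits.append("sensitive-file access spike")
    if hr_event:
        hits.append("HR/ethics event logged")
    return hits


def flag_days(records, days=BASELINE_DAYS, min_hits=2):
    """Score post-baseline days; keep only those corroborated by min_hits sources."""
    baseline = build_baseline(records, days)
    flagged = {}
    for rec in records:
        if rec[1] > days:
            hits = indicators(rec, baseline)
            if len(hits) >= min_hits:  # one odd data point alone flags nobody
                flagged[(rec[0], rec[1])] = hits
    return flagged
```

Flagged days are leads for the Insider Threat Working Group to review alongside the EAP and Legal considerations above, not findings on their own.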
*** ALL employees should be trained on Insider Threat***
Explain what needs to be protected and why: Use real-life examples.
Discuss consequences.
Emphasize how this program will protect their future.
Explain what suspicious activities look like
Explain how to report suspicious activities
Point to policies and procedures already in place:
Handling of classified, sensitive, proprietary and personally identifiable information (PII).
Computer network usage and monitoring.
Access Management System / Badging.
Social Media / Wireless / photographic policies.
Consider your audience when developing materials
Emphasize that a varied workforce learns in a variety of ways.
The ITIR - with over 100 resources for your organization.
To access the ASIS ITIR education resource:
Go to the ASIS website at www.asisonline.org
On the right hand side of the Global Navigation bar, sign in
Under “Membership” on the Global Navigation bar, click on “Library (IRC)”
This will take you to the Norton Information Resources Center or IRC
Define the scope and importance of ASSET SPECIFICATION in the ITP:
Assess Assets
Assess Threats
Assess Vulnerabilities
Analyze Risk and Reports
Manage Risk
Evaluate Effectiveness and Reassess
Getting a big picture view requires an understanding of the big picture.
Can you comprehend this risk apart from a CI mentality and approach?
ITP must deter by responding in a uniform and consistent manner. A program of integrity.
The Broken Windows Theory – norm-setting and signaling effect of urban disorder and vandalism on additional crime and anti-social behaviors.
“Mercy to the guilty is cruelty to the innocent” – Adam Smith
Monitoring types: active, passive, and hybrid.
Big data analytics and the detection of psychological state.
Defining the Insider is the first step.
Identifying where to look for the behaviors follows.
The chart reflects the fact that looking for behaviors cuts across the organization.
The concept of creating an Insider Threat Working Group (ITWG) not only brings the organization together for a common cause, but is necessary for the identification and development of the metrics needed to make the program successful.
Metrics do not have to be created if they already exist in another office.
Existing metrics can be ‘repurposed’ simply by looking at existing data from a different perspective. This can reflect an ROI as repurposing requires no additional funding.
A good metric is like a good spouse: hard to find.
There are three categories to consider in a metric:
The psychometric principles in the design;
The security considerations; and
The value to senior management.
If you get all three categories correct, you have a solid measurement tool.
The tool does not tell one what to measure, just how to measure effectively.
Take time to read the study and attend the Insider Threat certificate workshop to learn the details on what to look for and how to build a good measurement tool.
Kevlar Analogy: known for its high tensile strength-to-weight ratio, 5 times stronger than steel. The polymer owes its high strength to its many inter-chain bonds.
The regularity of interactive properties.
Fear of audit is a healthy fear, as admissions by criminals and spies about enforcement show.
A good ITP tightens an organization's grip on asset management and insider risk mitigation.
It is now my pleasure to introduce our Analytical Subgroup Lead Dan McGarvey.