Downloaded 32 times
![37
US Businesses [DOMESTIC]
◦ NCIX/NCSC reporting
◦ FBI Field Office
US Businesses [INTERNATIONAL]
◦ U.S. Embassy (Commercial Services,
Legal Attaché)
◦ AMCHAM
Law Enforcement (Local, State and Federal)
Regulators/Law Makers
Government Contracting Activities and Security Offices
Defense Security Service (Industrial Security
Representatives and Counterintelligence Special Agents)](https://image.slidesharecdn.com/2862191f-150b-4c3b-a3a8-cc4f1cfe35d0-150427115346-conversion-gate02/85/ASIS-NYC-InT-Presentation-32-320.jpg)
ASIS NYC InT Presentation
- 1.
- 2. 2 “In the lastfiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion… economic espionage and theft of trade secrets are increasingly linked to the insider threat…” - Christopher Munsey, FBI Counterintelligence Division (2013) “The average cost per Insider Threat incident is $412,000. Average loss per industry is $15 million/year. Multiple incidents have exceeded $1 billion.” - Patrick Reidy, FBI, Senior Level Staff, Information Security Assurance Section (2013)
- 3. 0 50 100 1975 1985 19952005 2009 Composition of the S&P 500 Tangible Assets Intangible Assets %Value “ The U.S. economy has changed over the past 20 years. Intellectual capital rather than physical assets now represent the bulk of a U.S. corporation’s value. This shift has made corporate assets far more susceptible to espionage.” - Protecting Key Assets: A Corporate Counterintelligence Guide, Office of the National Counterintelligence Executive (2013) 3
- 4. 29 Figure 5. Typesof Insiders that individuals believe Pose the Biggest Threat to Organizations. In your opinion, which of the following types of insiders pose the biggest threat to your organization? (Percent of respondents, N=707, three responses accepted)
- 5.
- 6. Aldrich Ames :CIA Case Officer/Analyst Provided detailed information to KGB on CIA intelligence operations and agents in the USSR. Received $4.6 million dollars in exchange for information. Convicted in 1994 : Sentenced to life imprisonment (without possibility of parole) for espionage. 6 Robert Hanssen : FBI Special Agent Provided detailed information to KGB/SVR on FBI intelligence operations against USSR/Russian Federation. Received $1.4 million dollars in cash and jewelry in exchange for information. Convicted in 2001 : Sentenced to life imprisonment (without possibility of parole) for espionage.
- 7. Spies Turncoats Traitors Guilty of Treason 7 Sexual orientation... Blackmail… Greed... Ideology
- 8. Edward Snowden :NSA Systems Administrator Contractor Passed thousands of classified documents describing NSA and allied intelligence agencies operations to The Guardian and The Washington Post for public release. Considered a fugitive by US Government since 2013. Charged with espionage and theft of government property. Granted temporary asylum in Moscow by Russian Government. PFC Bradley Manning : US Army Intelligence Analyst Passed thousands of classified diplomatic cables and military reports to the WikiLeaks staff which posted this material on their public web site. Convicted in 2013 : Sentenced to 35 years imprisonment (with possibility of parole in eight years) for espionage. 8
- 9. 9 Leakers Whistleblowers Dissidents Patriots Justice… Ideology… Notoriety… ?
- 10.
- 11. Game Changer! Companies mustadapt to a new, effective security paradigm that provides an ROI in security. The world is complex, so is our internal threat. If Security does not evolve to contain the threat… 11
- 12. 12 • The ITWGis a joint effort by government and industry CSOs. • The ITP is supported by ASIS International, NDIA and NCMS. • It addresses both violent and non-violent employee behavior. • ITP meets both compulsory (Federal) and effective (industry) requirements. • It is evolutionary not revolutionary in approach. • Functional and psychometric analyses were used to design the program. • ITP updates and repurposes existing programs, thus minimizing costs. • Through effective use of metrics, ITP provides a demonstrable ROI for senior management. What are the characteristics of this program? Insider Threat Program (ITP) Insider Threat Working Group (ITWG)
- 13. National Industrial SecurityProgram Operation Manual (NISPOM) Conforming Change #2 (Fall 2015) Will require US Defense Industry to establish Insider Threat Programs at all cleared contractor facilities. NITTF Guide to Accompany the National Insider Threat Policy and Minimum Standards (November 2013) Detailed implementation plan for federal agencies to comply with White House policy memo. White House Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (21 November 2012) Directed federal agencies to establish effective insider threat programs to deter, detect and mitigate actions by employees who may represent a threat to national security E.O. 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information (7 October 2011) Mandated responsible sharing and safeguarding of classified information on computer networks by federal agencies. Established NITTF to assist federal agencies in preventing, deterring and detecting compromise of classified information by malicious insiders. 13
- 14. 14 ASIS CSO RoundtableSurvey (August 2013) Establish baseline understanding of industry Insider Threat. Surveyed CSO of companies with > $1 billion dollars in annual gross profit. 78 of 330 CSOs participated in survey (24%). 94% represented companies with > 999 employees. NCMS Survey (March 2014) Expand survey database of industry Insider Threat Programs to include small and medium size companies. Survey conducted through NCMS Board of Directors to membership. 777 of 5900 members participated in survey (13%). 56% represented companies with < 500 employees.
- 15. 35.9% 47.2% 17.0% Does your organizationhave an insider threat-related program? Yes, formal Yes, informal No 43.2% 6.9% 37.1% Please identify the relative size of your organization. Small (1 to 249 employees) Medium (250 to 499 employees) Large (500 to 999 employees) Enterprise (More than 999 employees) 21.8% 15
- 16. 16 An ITP isa proactive security implementation, approved and directed by executive leadership with cross-disciplinary participation to protect specified organizational assets. What is the goal of the ITP? What is an insider threat program? Insider Threat Program (ITP) Insider Threat Program Model (ITPM) The goal of the ITP is to: IDENTIFY > PREVENT > DETECT > RESPOND to counterproductive workforce behaviors and attacks that may compromise the safety and security of organizational assets.
- 17.
- 18. The huband key element of the ITP. The scope includes all planning and development responsibilities – charter, leadership, policy creation, legal and privacy review, plan documentation, implementation, and requirements for each of the nine essential program elements. 18 BASIC Designated PoC and responsibilities for program planning to include policies, procedures, and response protocols INTERMEDIATE ITP Manager installed with supporting staff to execute program goals and objectives. ADVANCED Senior Executive leadership and skilled staff execute a broad spectrum of detection and mitigation activities.
- 19. Approach basedon human behavior using technology as tools. Categorizes the inventory of behavioral indicators. Develops metrics to assess individual/organizational health. Builds advanced monitoring strategies to increase positive “hit” rates and reduce false-positives. Informs senior leadership and conveys ROI. 19 BASIC Focuses ITP resources on inventory of behavioral indicators associated with insider threats. INTERMEDIATE Analyst role added to ITP team. Acceptable use profiles created. ADVANCED Behavioral psychology expertise added to program. Specialized analytics applied in pre/post-hiring selection and monitoring to include social media.
- 20. Part I: Apparel Mind with USB port access Metaphysical Lab Coat Psychometric Goggles Analytical Tongue Depressor 20 Part II: Questions Who is the Insider Threat? What do you do with 150+ identified possible behaviors? How and when do you measure bad behavior? Do you want to identify behavior before it becomes bad, or after? What do you do next?
- 21. 21 Who is thePotential Insider? The challenge is to address personality traits that remain consistent, not cultural norms which change over time. According to the DMS-5, depending on the disorder, 2-6% of the population suffer with Personality Disorders associated with personality traits reflecting inappropriate behaviors. 7,000,000 to 21,000,000 in the USA alone. Few will be diagnosed, fewer still will ever be a threat. How many Insiders does it really take to: Damage a brand name, Significantly impact profits, and Hurt your organization…. BUT…
- 22. How many Insidersdoes it take to Seriously damage an ORGANIZATION? PFC Bradley Manning US Army 22 An Army of ONE
- 23. How many Insidersdoes it take to Seriously damage an ORGANIZATION? Edward Snowden 1 - NSA 2 - Booze Allen Hamilton 23 One Insider, TWO ORGANIZATIONS damaged
- 24. How many Insidersdoes it take to Seriously damage an ORGANIZATION? Add Name Your Company 24 It only takes ONE.
- 25. Personality Disorder– Anenduring pattern of inner experience and behavior that deviates markedly from the expectations of the individual’s culture, is pervasive and inflexible, has an onset in adolescence or early adulthood, is stable over time, and leads to distress or impairment. (DSM-5) Metrics–The science of measurement. Metrics enable process assessment and controls, drive business policies and investment decisions, influence collaboration for enterprise-wide benefits, and motivate strategic and profit center alignment. (Persuading Senior Management w/Effective, Evaluated Security Metrics) 25 Counterproductive Work Behavior– Any intentional action by members of organizations that violates core organizational and/or social norms. (Vardi and Weiner) Personality disorders are characterized by impairments in personality functioning and pathological personality traits. Cognitive: Stressor-Emotion Model – Integrating human aggression and occupational stress Organizational Citizen Model – Counterproductive work behavior as protest Clinical Models True Psychology of the Insider Spy (Dr. David Charney) Diagnostic and Statistical Manual of Mental Disorders (DSM-5) Define/Measure/Optimize
- 26. 26 Behavioral Family (Individual) Minor Nonviolent Poor performance ratings Late to work/meetings Poor quality work Misuse of Time Misuse of resources Not accepting feedback Disgruntled Incongruent work history Unreported changes in personal history Behavioral Family (Individual) Serious Violent Open Anger Destruction of Property Assault Theft Increasing Paranoia Actions Dangerous to Self and Others Disregard for authority Arrests Behavioral Family (Individual) Serious Nonviolent Falsifying employment data Excessive absenteeism Theft of information/property Time Card fraud Falsifying work related data Exhibits paranoia attitudes Disregard for authority Excessive secrecy Distrust of others Behavioral Family (Individual) Minor Violent Unsafe behavior (risk taking) Drug Use Alcohol Abuse Bullying of co-workers Verbal Abuse/profane language Unexpressed Anger Aggression toward others Demonization
- 27. 27 Behavioral Family (Environmental) Minor ModeratingFactors Medical issues (self/family) Depression Being bullied at work Injustice (self or others) Financial losses Reward system Job satisfaction shift Suicide in family Behavioral Family (Corporate) Minor Moderating Factors Practice vs. Policy Inconsistent Selection Process Lack of Training Mal-assignments Distrust of Employees Reward System Changes Ignoring Security rules Inconsistent reward process Perceived authority shift Behavioral Family (Corporate) Serious Moderating Factors Change of Employee Authority Layoffs Furloughs No Communication Benefit Loss Employee Treatment (loyalty) Patronage (Selection/Promotion) Terminations Ethics violations Behavioral Family (Environmental) Serious Moderating Factors Loss of control (real or perceived) Poor work relationships Marital/family difficulties Poor job ratings Passed over for promotion Pending termination Mal-assignment
- 28. 28 BASIC Liaison is establishedwith internal stakeholders and external government agencies and industry organizations. INTERMEDIATE Technologies are in place to support data collection, retention, and sharing. ADVANCED Interactive engagement and knowledge exchange with IC, federal, state, and local law enforcement authorities, trade associations. Details and administrates internal cross-organizational interactivity required to execute the ITP plan. Details external collaboration requirements and knowledge sharing protocols necessary to facilitate the acquisition of information potentially indicative of insider threat behaviors and activities.
- 29. 29 Why Collaborate? Internal Collaboration Industry Collaboration Government Collaboration Scalable Collaboration Basic-Intermediate-Advance
- 30. 30 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% 90.0% 100.0% Which departments withinyour organization participate with your insider threat-related program? (Check all that apply). Internal ASIS/NCMS Insider Threat Survey
- 31. Industry Peers(Cleared Defense Contractors) ◦ Classified Threat Reporting from supported offices Customers and Suppliers Professional Association and Working Groups ◦ ASIS, AIA, NCMS, National Industrial Security Program Policy Advisory Committee (NISPPAC), National Intellectual Property Rights Coordination Center Trade Groups 36
- 32. 37 US Businesses[DOMESTIC] ◦ NCIX/NCSC reporting ◦ FBI Field Office US Businesses [INTERNATIONAL] ◦ U.S. Embassy (Commercial Services, Legal Attaché) ◦ AMCHAM Law Enforcement (Local, State and Federal) Regulators/Law Makers Government Contracting Activities and Security Offices Defense Security Service (Industrial Security Representatives and Counterintelligence Special Agents)
- 33. Details therequirements for education, training, and awareness concerning insider threat behaviors and risk. Provides customize training that address program objectives of each design element. 33 BASIC Basic insider threat education, training, and awareness provided at hiring and on an annual basis. INTERMEDIATE Customized training for various org units e.g., C-suite, R&D, IP group(s), LoB. etc. ADVANCED Advanced CI training programs. Redundancy in training roles, sharing lessons learned for ITP improvement. Training effectiveness metrics defined and deployed.
- 34. Who mustreceive insider threat education, training, and awareness? ◦ Insider Threat Program Personnel ◦ Executive Leadership ◦ Workforce What must be included in the program? Where and when should it be taught? How should this training be conducted? What resources are available to support this training? 34
- 35. Section 3-103. InsiderThreat Training. The designated Senior contractor official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained. a. Contractor Insider Threat Program Personnel must be trained in: (1) Counterintelligence and security fundamentals to include applicable legal issues; (2) Procedures for conducting insider threat response actions; (3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information; and (4) Applicable legal, civil liberties, and privacy policies. 35 Proposed NISPOM Conforming Change #2 identifies specific Insider Threat training requirements for U.S. defense contractors. The following training syllabus may be required to be implemented during 2015: Our ITP covers these requirements in all three model types: Basic – Intermediate – Advanced
- 36. 36 b. All clearedemployees must be provided insider threat awareness training, either in-person or computer-based, within 30 days of initial employment or prior to being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum: (1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee; (2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems; (3) Indicators of insider threat behavior, and procedures to report such behavior; and (4) Counterintelligence and security reporting requirements, as applicable. c. The contractor will establish a system to validate and maintain a record of all cleared employees who have completed the insider threat briefings. Section 3-107. Initial Security Briefings. Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following: a. A threat briefing security briefing, to include insider threat awareness in accordance with 3-103b, Insider Threat Training.
- 37. Insider Threatterminology Different types of Insider Threats Case examples of Insider Threats Available data Personal and organizational factors which prompt an Insider Threat Behavioral Indicators Current organizational policies and controls Legislative and regulatory requirements on the Insider Threat Laws and related penalties Document the training program 37
- 38. Executive Leadership: Whyis an Insider Threat Program necessary? How can it be implemented? What will it cost? What checks and balances are in place? Insider Threat Program Personnel: What should be tracked? How is reporting managed? What civil liberties need to be protected? Workforce: What are we protecting? What assets are most wanted by others? How can suspicious activities be reported? What checks and balances are in place? 38 The Insider Threat is Real
- 39. 39 Individual Welfare:Odd or suspicious behaviors are often associated with life crises, such as work stress, financial pressure, divorce, and death. Helping is Not Snitching: By sharing with management, information about a coworker displaying odd or suspicious behaviors, that person may get help to resolve a life crisis. Employee Assistance: Investigations are not the only solution to responding to suspicious behavior; employee assistance programs (EAPs) can increase individual wellness and decrease pernicious emotions. Motivating Action: If employees understand that their involvement may help an individual and prevent them from taking harmful actions, they may be more inclined to report what they observe. Employee health ensures corporate health
- 40. Identify yourcompany’s “Crown Jewels”: Key assets, products and services. Give real life examples of Insider Threat and show the consequences. Provide economic rationale and ROI for implementing Insider Threat Program. Explain ethical obligations, legal limitations and regulatory requirements. Outline how your program will be established and operated. Introduce key members of your Insider Threat Program Personnel. Gain specific support commitments from each executive. 40
- 41. Educate theITP security team on Insider threat terminology; behaviors, motives, anomalies and ways to “connect the dots.” Educate your team on how data collection points indicate insider threat: ◦ Human Resources ◦ Legal ◦ Physical Security ◦ IT-Security ◦ Information Assurance ◦ Data Owners ◦ Ethics and Compliance ◦ Internal Audit ◦ EAP Determine what is normal within your organization (both behavioral and on the computer). Educate the team members on new and developing trends. Teach team members how to interpret data and generate metrics. 41
- 42. Explain whatneeds to be protected and why. Point to policies and procedures already in place. Explain what suspicious activities look like. Explain how to report suspicious activities. Develop a multi-pronged, repetitive approach to education. Consider your audience when developing materials. 42 Executive Leadership ITP Personnel Workforce
- 43. Before formalizingthis Insider Threat training program consider what current company policies and procedures and resources already in place. 43 Procedures for reporting suspicious behavior or employees / trusted partners. Access Control Systems / Badging Procedures Annual Security Awareness training New Hire Orientation Pamphlets / Posters ALL employees should understand their role on eliminating internal threat. Initial Security Briefing Computer usage policy / wireless device policy / social media policy Procedures for handling sensitive, proprietary and personally identifiable information (PII) as well as classified information. Procedures for reporting suspicious activities and security incidents.
- 44. 44 Where isthe ASIS Insider Threat Information Repository and who can access it? Access the ASIS site: www.asisonline.org Sign in Under “Membership,” select Library (IRC)
- 45. 45 Details theidentification, assessment, and prioritization of risk associated with specified assets within the scope of the ITP. Coordinates the economical use of resources to minimize, monitor, and control the probability and/or impact of security events. BASIC Risk management processes are initiated to accomplish ITP asset protection objectives. INTERMEDIATE ITP assets are mapped to owners, custodians, persons with access, geo-locations, servers, workstations, laptops networks, systems, applications and endpoints. ADVANCED Deploys sophisticated monitoring techniques to track the movement of asset(s) across electronic and physical boundaries.
- 46. 46 Systematic approach toacquiring and analyzing the information necessary for protecting assets and allocating resources. Source: USAF/SAF/AA
- 47. Source: Insider ThreatMitigation Group, LLC 2010 Bloggers Darknet Operatives Competitive Intel-Agents Independent Entrepreneurs Internet Entrepreneurs Market Analysts Information Brokers Domestic International Organized Criminals Organized “net” Gangs Identity Thieves Allied States Foreign Govt Intelligence-Agents Adversarial States Domestic Competitors Foreign Hacker-for-Hire Freelance Hacker Cyber Criminals Anonymous Hacker Unwitting Hacker Domestic Operatives Terrorist Operatives International Operatives Al Qaeda BASIC CI basic principles operate in unison with existing security implementation–somewhat reactive in nature. INTERMEDIATE CI program elements and practices evolve for a more comprehensive and strategic approach. ADVANCED CI operates with a degree of autonomy from conventional security implementation. Details a strategic approach to the identification, disruption, neutralization, and defeat of insider attacks. Drives proactivity in ITP operations. 47
- 48. 1. Manage theCI Process 2. Determine resource allocation 3. Identify triggers and risk indicators 4. Apply CI techniques 5. Compile, process, and organize CI reports 6. Prepare and present CI awareness briefings 7. Develop an operational structure 8. Conduct vulnerability assessments 9. Evaluate, integrate, analyze, and interpret threat information 10. Maintain compliance 11. Identify and respond to cyber intrusions 12. Initiate and oversee CI investigations 13. Communicate threat awareness culture 14. Apply technical solutions 48 Source: Global Skills X-change (GSX)
- 49. 49 Deterrence Details proceduresand protocols required to respond to technical (Cyber) and non-technical (human) indicators, incidents, and events. Develops protocols for integrated direct and indirect interventions, investigations, and related response scenarios. BASIC Confidential reporting protocols are instituted pursuant to documented plan. INTERMEDIATE Response policies and procedures reviewed and revised in response to incident findings– preventative measures are implemented. ADVANCED Acceptable use training is provided to emphasize expectations and enforcement consequences for non- conformity.
- 50. 50 Detection BASIC Monitoring strategyis implemented pursuant to the asset protection requirements of the ITP plan. INTERMEDIATE Monitoring practices are refined through analytics and lessons learned. Documented profiles inform decision- maker and buttress tech-tool and resource requisitions. ADVANCED Technical and non-technical resources are integrated providing automated monitoring processes to include executive dashboards for timeline visibility. Details the metric-based design and implementation of human and technical monitoring technologies, processes, and protocols. Defines and manages data collection requirements. On-boards analytic software and predictive algorithms to measure linguistic patterns.
- 51. 51 Cyber Measures • Registryentries • Intrusion Detection System (IDS) events Firewall logs • Host event logs • Host print logs • Network print logs • Database server logs • Web server logs File permissions Access to account Keystroke records Digital signatures Local stored or cached files Proximity card data Applications Installed Search engine queries (from query logs) Domain Name Server (DNS) logs Known software signature Email content capture Instant messaging HR Measures Performance Measures • Disciplinary records (theft, violence, harassment, abuse) • Personnel Files • Absentee records • Employee turnover • Employee surveys • Termination of Employment • Exit Interview Details • Supervisor assessments • Corporate performance evaluations • 360-degree evaluations • Job performance statistics • Customer feedback Behavioral Assessment
- 52. 52 Technical Criteria –Category 1 Reliability Validity Generalizability Operational (Security) Criteria – Category 2 Cost Timeliness Manipulation Strategic (Corporate) Criteria – Category 3 Return on Investment Organizational Relevance Communication
- 53. 53 Guidelines to makepresentations more compelling • Present metrics that are aligned with the organization’s objectives or risks or that measure the specific issues management is most interested • Present metrics that meet measurement standards • Tell a story • Use graphics, and keep presentations short • Present metric data regularly
- 54. 54 BASIC Designated PoC andresponsibilities for program planning to include policies, procedures, and response protocols. INTERMEDIATE ITP Manager installed with supporting staff to execute program goals and objectives. ADVANCED Senior Executive leadership and skilled staff execute a broad spectrum of detection and mitigation activities. Details the ITP’s review and audit management processes. Assures that the program is operating pursuant to plan. Applies lessons learned, and implements improvements based on metrics and other analysis.
- 55. •Identify and review historicalinsider threat incidents •Need & purpose for ITP articulated •Obtain senior executive buy-in for program charter •Select ITP model and components • Build consensus and advocacy among core stakeholders (Convergence) •In concert with General Council and HR develop corporate ITP policy •Develop comprehensive plan and timelines •Form IT Working Group (ITWG) •Define critical positions and modify position descriptions based on criticality •Corporate wide ITP metrics/measures developed •Metrics dashboard designed •Design comprehensive education plan •High-level company- wide policies are approved and published •ITP is formally launched and is operational •Monitoring and Audit procedures initiated •Mitigation procedures operational •Risk Security Risk Management (ESRM) processes initiated to identify assets, threats and vulnerabilities •Integrate ESRM and ITP metrics into an analytical structure •Identify requirements for core elements: Operations, Analytics, Collaboration, and Education EVALUATION FORMULATION INITIATION I M P L E M E N T A T O N D E S I G N •Policies and procedures are written to support the development and operation of all ITP elements •Incorporate counterintelligence controls and measures •Security education plan modified to incorporate ITP requirements •Determine technologies for monitoring and analytics •Formulate incident response requirements •Audit and improvement requirements incorporated •Completed ITP plan is reviewed and approved as appropriate •Develop collaboration plan for external relationships •Pilot ITP 55
- 56. 56 Contact: Jeff Vish (Chair,ITWG) Jeff.vish@Mantech.com 571.388.8688 Dan McGarvey (Chair, D&IC) DMcGarvey@Skillsdmo.com 703.684.5067 ext.115
Editor's Notes
- #3 The FBI has investigated and analyzed numerous cases involving Insider Threat activity in Corporate America during the past several years. Patrick Reidy, who serves as the FBI’s CISO, estimated that the average cost per Insider Threat incident is $412,000, while noting there have been incidents resulting in economic losses exceeding $1 billion dollars. Over the past four years, the FBI reported the number of arrests involving economic espionage and trade theft has nearly doubled, while indictments have more than tripled and convictions have increased six fold. Economic espionage and trade theft is increasingly linked to the Insider Threat.
- #4 How Corporate America measures its wealth has significantly changed in the 21st Century. A company’s economic edge in the marketplace is increasingly determined by the strength of its intellectual property and not its physical holdings. From an Insider Threat standpoint, it is much easier to steal an idea than an object.
- #6 Among the most famous examples of government Insider Threat activity in the late 20th Century are CIA Case Officer Aldrich Ames and FBI Special Agent Robert Hanssen. They received millions of dollars selling highly classified information to the Soviet Union’s KGB and later the Russian Federation’s SVR. Their actions seriously damaged the U.S. Intelligence Community’s collection capabilities, adversely impacted our national security and directly caused the deaths of several individuals. How were these men viewed by the media and public?
- #7 Among the most famous examples of government Insider Threat activity in the late 20th Century are CIA Case Officer Aldrich Ames and FBI Special Agent Robert Hanssen. They received millions of dollars selling highly classified information to the Soviet Union’s KGB and later the Russian Federation’s SVR. Their actions seriously damaged the U.S. Intelligence Community’s collection capabilities, adversely impacted our national security and directly caused the deaths of several individuals. How were these men viewed by the media and public?
- #8 The media and public opinion overwhelming condemned Aldrich Ames and Robert Hanssen as traitors highly deserving of sentences mandating lifetime imprisonment.
- #9 Private Bradley Manning and Edward Snowden are the most famous examples of government Insider Threat activity in the 21st Century. Both of them without authorization transmitted highly classified information to public media groups. This action was seen by the U.S. Government as seriously damaging U.S. diplomatic relations with other countries and adversely impacting the U.S. Intelligence Community’s collection capabilities. The difference between these 20th Century and 21st Century insiders was their motivation. Ames and Hanssen were clearly influenced by greed. Manning and Snowden apparently acted from ideological beliefs. No money changed hands. So how are Manning and Snowden regarded by the media and public?
- #10 Media polls indicated the public attitude about their actions was essentially split along generational lines. Older Americans typically felt both men violated the terms of their national security agreements and betrayed their country’s trust. By contrast, many younger Americans (under 30) expressed their belief these men did the right thing by revealing intelligence activities that jeopardized the privacy rights of American citizens. So why should a corporate CSO care about government insiders?
- #11 Within your company reside executives doubting the existence of an Insider Threat or believing the cost of committing corporate resources to counter this threat outweighs any risk of potential damage. Your job as a security professional is to make a valid business case for committing the necessary resources to mitigate this risk. You can advise your CEO that at least 1% of your work force is potentially an Insider Threat. When we present the analytical portion of our model, we’ll discuss how to identify and quantify your company’s Insider Threat. But first you need to change the perception that the Insider Threat is a government concern and not a corporate matter.
- #13 An ITP comprehends the full spectrum of human nature and behavior in the workplace. A security program that fails to comprehend “insiders” is not delivering security that works. Lessons learned from historical threats. ITP must close the fault-lines of conventional security implementations. The persons you trust may be: careless, unwitting, disgruntled, disloyal, opportunistic, there to do harm (plant or mole).
- #15 One of the major initiatives of the ITWG involved conducting two industry-wide surveys of the practices and procedures utilized by various companies to address the Insider Threat. In 2013, our first survey focused on the CSOs of large companies with 1,000 or more employees and annual gross profits exceeding $1 billion. 78 CSOs participated in this survey. The results from this survey were published last year by ASIS. A second survey in 2014 , covering small and medium size companies was conducted in cooperation with the NCMS Board of Directors. The results of this survey will soon be published by ASIS.
- #17 An ITP comprehends the full spectrum of human nature and behavior in the workplace. A security program that fails to comprehend “insiders” is not delivering security that works. Lessons learned from historical threats. ITP must close the fault-lines of conventional security implementations. The persons you trust may be: careless, unwitting, disgruntled, disloyal, opportunistic, there to do harm (plant or mole).
- #18 Four component types: Design elements center Common properties Model types Recommendations A methodical approach is required in order to achieve objectives.
- #19 The importance of getting the Operations Plan right and having the right people. Survey findings: Does your organization have an insider threat related program? A: LARGE= 68.4% has formal program. COMBINED=35.9% have formal/47.2% informal. Is your organization’s program corporate-wide, or does it vary by subordinate component? A: COMBINED=68.4% have corporate wide/31.6% have subordinate components.
- #20 Decisions laden with trade-offs in resources, timing, data volume: Manual Analysis – Skills mix, number of humans vs. volume of data collected Automated Analysis – Costs for software/programming, speed, O&M dollars Real-Time Reporting – Resource intensive, more timely, potentially preventative Event-Triggered Reporting – More manageable resources, latency, most likely post-event recovery
- #21 Defining the human threat requires a change of perception for the security professional. The threat has always been there, so we must ask ourselves why have we not been more effective in our profession. Our culture has done a good job in protecting the organization from external threats. The technology for physical and IT protection is constantly improving. As a culture, we rely on technology, but we need to focus more on people and their behavior. Technology will never be as good as we are when working with people. Part of the problem is that we do not know how to define the potential insider. So, we react to internal threats when we should be proactive.
- #22 What does it take to convince senior management that insider threat is real? Up to 21,000,000 (that’s 21 million) have personality disorders which may make them susceptible to the kind of behavior we categorize as insider threat. Very few will ever have that official diagnosis and far fewer still will ever be a threat to an organization, but how many do you need to cause damage?
- #23 PFC Manning is the poster child for the insider. He took no money as a spy would, but caused the same level of damage. All the classic indications were there, but were never considered until it was too late.
- #24 Snowden’s story is still unfolding. He pretends to be a citizen, doing what was right, but there is a very dark side to both his motivations and behaviors. Technology (cybersecurity) should have caught him, but his position and knowledge allowed him to bypass the technical hurtles. The behavioral signs were there, but reliance on technology alone was the flaw.
- #25 One has to ask the question: Why should it be so hard to convince senior management that the insider is the greatest threat to their organization? We hire people for their skills. We tend to assume that others who are like us on the surface, feel and react the same, but that is not true. In fact, the most dangerous insiders are very clever and they are in your organization NOW! It is a time bomb waiting for the right combination of events to occur.
- #26 This defines the model of the insider. No one model can adequately define the true insider, so we had to combine the best into a composite model. We combined both the clinical models which looked at individuals with cognitive models which defined the general behavior of multiple individuals in a given class of situations. We looked at numerous models. Most reflected slight variations against the core model. Every model reflected a different facet of personality. Our composite model provides the most comprehensive description and definition of the insider based on analysis of the behaviors and motivation of those insiders identified in industry and government. Research has indicated that one can modify their behavior to fit the situation, for awhile, but not forever. Personality TRAITS are a permanent aspect of the individual. They do not change and can be measured. Most individuals observe and react in ways our culture considers normal. Those with Personality Disorders, observe and react in ways that are modified by their disorder. It is that variance which become measurable. Not every Personality Disorder lends itself to the model. Many disorders are benign as they relate to CWB.
- #27 These are some examples of measurable CWB. They are grouped based on the cognitive models using a clinical diagnostic schema. Minor and serious behaviors and non-violent and violent behaviors are grouped. The more behaviors noted, reflect the greater probability of potential CWB. This is not a complete list, but an example of behavioral groupings.
- #28 These are the environmental and organizational stressors. What is unique about the model is that organizational behavior and health is recognized as a key contributor to the creation of the insider threat.
- #29 Survey finding: Does your organization have offices outside of the United States? A: COMBINED: 48%=YES, 58.0% No. Type collaborations: Knowledge exchange Case referral Industry based Focal sponsor
- #32 The National Industrial Security Program Policy Advisory Committee (NISPPAC) is comprised of both Government (16 members) and industry representatives (8). The NISPPAC is responsible for recommending changes in industrial security policy through modifications to Executive Order 12829, its implementing directives, and the National Industrial Security Program Operating Manual (NISPOM). The NISPPAC also advises the Information Security Oversight Office (ISOO) on all matters concerning the policies of the National Industrial Security Program (NISP), including recommended changes to those policies, and serves as a forum to discuss policy issues in dispute. The Director of ISOO chairs the NISPPAC. IP Center - The U.S. Immigration and Customs Enforcement (ICE) Homeland Security Investigations (HSI) led National Intellectual Property Rights Coordination Center (IPR Center) stands at the forefront of the United States Government's response to global intellectual property (IP) theft and enforcement of its international trade laws. The mission of the IPR Center is to ensure national security by protecting the public's health and safety, the U.S. economy, and our war fighters, and to stop predatory and unfair trade practices that threaten the global economy. To accomplish this goal, the IPR Center brings together 21 partner agencies, consisting of 17 key federal agencies, Interpol, Europol and the governments of Canada and Mexico in a task-force setting.
- #33 FBI and DSS are just two external partners that industry needs to continue to partner with. FBI has local agents who can provide briefings and tools, such as their new video, The Company Man, to your staff. Law Enforcement Local – Low level but possibly the highest intensity (violent threat) – How’s your relationship? Is the 911 call the first/only time the local police hear from you? State – Multi- jurisdiction, State Attorney General Federal – Foreign Government Influence Regulators – Share your common problem, Trade associations provide the most leverage Law Makers – Is there an issue that requires a new law to address? Both the DSS IS Rep and CI Special Agent can provide threat information (classified and unclassified) to the FSO/KMP. GCAs and government security offices can partner with industry to ensure any issues with embedded contractor employees are discussed and reported.
- #34 Q: If your insider threat-related program has an education component (i.e., Security/CI/Information Security awareness training/information), how is it delivered? A: Over 70% used online resources. The importance of detecting and reporting suspected insider threat activities Understanding methodologies of adversaries to recruit trusted insiders to collect info-assets Recognizing at-risk behavior and procedures for reporting General awareness of counterintelligence practice and security reporting requirements as applicable.
- #35 These are the 5 key takeaways from this Insider Threat Educational Component presentation. Who What Where and when, and How Plus access to over 100 Insider threat resources, all stored in the ASIS Norton Information Resources Center
- #36 Bradley Manning leaks classified information to WikiLeaks early 2010 President Obama signs Executive Order 13587 in October 2011 It happens again May 2013 when Edward Snowden boards a plane to Hong Kong with more classified documents
- #37 Executive Order 13587 mandates all federal agencies adopt Insider Threat programs to prevent another Manning or Snowden instance. Now those same mandates are being imposed on Cleared Defense Contractors (scheduled for 2015).
- #38 At the end of this presentation, I will show you the Insider Threat Information Repository (ITIR) which provides definitions, types of Insider Threats, types of Insider Threat cases, personal, organizational and behavioral indicators of an Insider Threat. ITIR also has information on legislative and regulatory requirements as well as federal statutes relating to Insider Threat violations.
- #39 Executive buy-in is critical A powerful presentation is needed here A continued commitment is necessary This problem is not going away Emphasize the company brand and that it cannot be tarnished, that by protecting our brand, higher profits, growth, job security ensue We need more vigilance by the employees (if you see something, say something)
- #40 Now you have defined the threat. You can identify potential CWB before it occurs, but how do you provide mitigation? This can be difficult for some, but there are options. We must shift from a black and white, and even from the shades of gray perspective. We must shift from a reactive mode to an active mode of response. We must anticipate and resolve the problem before it occurs. If not, we will always be in a catch up mode. Individuals are selected for their technical skills, more than the propensity to be threats. By identifying and mitigating minor behavior problems of a potential problem employee early, we avoid damage to the organization. Organizations have personalities, reflecting the culture of senior management and the workers. Organizations have health issues just like employees. To be effective, the security professional of the 21st Century has to have both technical and behavioral skills. Because when you get to the bottom line, it is all about the security of the people in your organization.
- #41 A very sensitive issue: employee's may view this as Big Brother monitoring their every movement. Also advise employees that an employee may not be an Insider Threat but may just be in a rough spot and may need assistance (EAP). One of the key points that needs to stressed in our education slides is how ITP training is different from other training programs. Emphasize to this group as well - the company brand and that it cannot be tarnished; we need more vigilance by the employees (if you see something, say something); that by protecting our brand, higher profits, growth, job security. We are asking people to tell on each other when they hear or see something about the person that strikes them as rather unusual behavior. This is socially counterintuitive to what we learned and were taught as kids. “Don’t be a tattle-tale.” “You don’t rat out a friend.” You help a someone get through hard times by not saying anything. For a long-time employee to tell on another long-time employee feels like an intimate betrayal of friendship and trust. This education issue is shared across the Basic, Intermediate and Advanced models. Getting a workforce over this psychological barrier is a serious challenge. You have to walk them through the personal trust issue. How Security can best approach educating their workforce in this area needs to be clearly addressed in your slides.
- #42 Determine what data can and should be collected : Human Resources: background screening, hostile work environment claims, performance issues, wage attachments Legal: civil liberties and privacy issues, as well as concerns relating to targeting certain class of employees Physical Security: access badges and unauthorized access to your facility IT-Security: malicious attacks, suspicious emails Information Assurance: who has access to your most sensitive information; computer policy violators Data Owners: what are we trying to protect Ethics and Compliance: allegations made through a confidential hotline Internal Audit: anomalies identified in audits EAP: with understanding that information within EAP is confidential Determine what is normal within your organization, both behavioral and on the computer *** ALL employees should be trained on Insider Threat***
- #43 Explain what needs to be protected and why: Use real-life examples. Discuss consequences. Emphasize how this program will protect their future. Point to policies and procedures already in place: Explain what suspicious activities look like Explain how to report suspicious activities Handling of classified, sensitive, proprietary and personally identifiable information (PII). Computer network usage and monitoring. Access Management System / Badging. Social Media /Wireless / photographic policies. Consider your audience when developing materials Emphasize that a varied workforce learns in a variety of ways.
- #44 Point to policies and procedures already in place: Handling of classified, sensitive, proprietary and personally identifiable information (PII). Computer network usage and monitoring. Access Management System / Badging. Social Media /Wireless / photographic policies. The ITIR - with over 100 resources for your organization.
- #45 To access the ASIS ITIR education resource: Go to the ASIS website at www.asisonline.org On the right hand side of the Global Navigation bar, sign in Under “Membership” on the Global Navigation bar, click on “Library (IRC)” This will take you to the Norton Information Resources Center or IRC The ITIR - with over 100 resources for your organization.
- #46 Define the scope and importance of ASSET SPECIFICATION in the ITP: Assess Assets Assess Threats Assess Vulnerabilities Analyze Risk and Reports Manage Risk Evaluate Effectiveness and Reassess
- #48 Getting a big picture view requires an understanding of the big picture. Can you comprehend this risk apart from a CI mentality and approach?
- #50 ITP must deter by responding in a uniform and consistent manner. A program of integrity. The Broken Windows Theory – norm-setting and signaling effect of urban disorder and vandalism on additional crime and anti-social behaviors. “Mercy to the guilty is cruelty to the innocent” – Adam Smith
- #51 Monitoring types: active, passive, and hybrid. Big data analytics and the detection of psychological state.
- #52 Defining the Insider is the first step. Identifying where to look for the behaviors follows. The chart reflects the fact that looking for behaviors cuts across the organization. The concept of creating an Insider Threat Working Group (ITWG) not only brings the organization together for a common cause, but is necessary for the identification and development of the metrics needed to make the program successful. Metrics do not have to be created if they already exist in another office. Existing metrics can be ‘repurposed’ simply by looking at existing data from a different perspective. This can reflect an ROI as repurposing requires no additional funding.
- #53 A good metric is like a good spouse: hard to find. There are three categories to consider in a metric: The psychometric principles in the design; The security considerations; and The value to senior management. If you get all three categories correct, you have a solid measurement tool. The tool does not tell one what to measure, just how to measure effectively. Take time to read the study and attend the Insider Threat certificate workshop to learn the details on what to look for and how to build a good measurement tool.
- #54 A good metric is like a good spouse: hard to find. There are three categories to consider in a metric: The psychometric principles in the design; The security considerations; and The value to senior management. If you get all three categories correct, you have a solid measurement tool. The tool does not tell one what to measure, just how to measure effectively. Take time to read the study and attend the Insider Threat certificate workshop to learn the details on what to look for and how to build a good measurement tool.
- #55 Kevlar Analogy: Known for its high tensile strength to weight ratio that is 5 times stronger than steel. The polymer owes its high strength to the many inter-chain bonds. The regularity of interactive properties. Fear of audit is a healthy fear. Admissions of criminals and spies on enforcement.
- #57 A good ITP tightens an organizations grip on asset management and insider risk mitigation. It is now my pleasure to introduce our Analytical Subgroup Lead Dan McGarvey.