SlideShare a Scribd company logo

Insider Threat Mitigation

Roger Johnston
Roger Johnston

How to deal with the inside threat.

Government & Nonprofit
1 of 26
Download to read offline
1 Talk for the 58th Annual ASIS Meeting Philadelphia, PA, September 10-13, 2012 Under-Utilized Methods for Mitigating the Insider Threat Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne National Laboratory 630-252-6168 rogerj@anl.gov http://www.ne.anl.gov/capabilities/vat Argonne National Laboratory ~$738 million annual budget 1500 acres, 3400 employees, 4400 facility users, 1100 students R&D and technical assistance for government & industry
2 Vulnerability Assessment Team (VAT) Sponsors • DHS • DoD • DOS • IAEA • Euratom • DOE/NNSA • private companies • intelligence agencies • public interest organizations The VAT has done vulnerability assessments on over 1000 different security devices, systems, & programs. The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881) A multi-disciplinary team of physicists, engineers, hackers, & social scientists. Check us out on YouTube: keywords = argonne break into Human Factors in Security
3 What’s Wrong with This Picture? "While serious, the incident in question was the result of human error, not a failure of security systems. We have a robust system in place to report and investigate potential violations. In my opinion, this is a circumstance where those systems worked well." -- Statement from a high-level government official after a serious security incident Security Culture & Climate • Security Climate (informal perceptions) is probably even more important than Security Culture (formal policies & procedures) • In a healthy security culture/climate: § Everybody is constantly thinking about security. § There are on-the-spot awards for (1) good security practice & (2) proactive/creative thinking and actions. § Security ideas, concerns, questions, suggestions, criticisms are welcome from any quarter. § No scapegoating! § Finding vulnerabilities is viewed as good news.
4 Examples of Largely Unstudied Human Factors in Security Ø Two-Person Rule Ø Insider Threat Mitigation Ø Security Culture & Security Climate Ø Identifying Characteristics of Security Theater Ø Countermeasures to Perceptual Blindness, Misdirection, & Sleight-of-Hand Ø Reducing security guard turnover (~40% to 400% per year) Ø Human factors in nuclear safeguards inspections Ø Cognitive psychology of seal and cargo inspection Illuminating Books Relevant to the Human Factor in Security (all fun reads) Ken Perenyi, Caveat Emptor: The Secrete Life of an American Art Forger (2012) G Marcus, Kluge: The Haphazard Construction of the Human Mind (2008) CTravis & E Aronson, Mistakes Were Made (But Not by Me) (2007) BL Katcher & A Snyder, 30 Reasons Employees Hate Their Managers (2007) RL Ackoff & S Rovin, Beating the System: Using Creativity to Outsmart Bureaucracies (2005) K Mitnick & WL Simon, The Art of Intrusion (2005). RJ Sternberg (Editor), Why Smart People Can Be So Stupid (2002)
5 Insider Threat Mo#va#on for Insider A0acks Countermeasures greed/financial need periodic background checks, bribery an;-­‐s;ng opera;ons revenge disgruntlement mi;ga;on terrorism periodic background checks ideology, poli;cal ac;vism, or radicalism periodic background checks coercion/blackmail periodic background checks social engineering/seduc;on security awareness training narcissism/ego/need to feel important or smart, or to gain recogni#on enlist & stroke egos of hacker types desire to prove that a warned about vulnerability or threat is real (self-­‐iden#fied Cassandras) take security professionals & their concerns seriously; welcome cri;cism desire for excitement make jobs interes;ng? mental illness? periodic background checks? inadvertent compromise of security due to educate, mo;vate, carelessness, error, ignorance, laziness, or arrogance reward, punish, analyze aHtudes to predict problems
6 2 Kinds of Insider Threat Inadvertent vs. Deliberate Compromising of Security Schryver’s Law: Sufficiently advanced incompetence is indistinguishable from malice. Insider Threat – Inadvertent
7 Security Awareness Training Definition—Security Awareness Training (n): Presentations that convince employees who once vaguely believed that security was a good idea that they were sadly mistaken. Definition—Counter-Intelligence Program (n): Security Awareness Training so awful that it insults everyone’s intelligence. Security Awareness Training • We train dogs. We educate, remind, encourage, & motivate people. • Tailor to the audience • Promote, sell, & motivate good security by employees, contractors, and vendors. Don’t threaten or intimidate! • Use examples. Show people how to do things, don’t tell them what not to do. Talk about the carrots, not the sticks. • Avoid the negative terms: Don’t! Never! No! • What’s in it for me?
8 Security Awareness Training • Make connections to personal security: home computer travel security, burglary, identity theft, etc. • Refer to news stories about security breaches in other organizations and the consequences. • Have metrics for effectiveness of the training (and the security) • No dumb trivia questions on the quiz! • Use people-oriented instructors, not bureaucrats, technocrats, burnouts, zombies, or deadwood. Security Awareness Training • Be entertaining, vivid, & positive, NOT threatening, boring, patronizing, or full of organizational charts, camera-challenged talking-head executives, references to CFRs, or self-serving fluff about HR, the security organ-ization or the training department. • Less is more. Stick with the most important risks. • Security Awareness posters should offer useful security tips & solutions, not platitudes, mindlessness, insults, & threats.
9 Security Awareness Training • Teach about social engineering and that adversaries often conduct espionage or intelligence via: - industry “surveys” - social networking sites - bogus headhunters & job interviews - phony trade journal interviews - hanging out at nearby restaurants/bars - public affairs & the graphics department - recruiting crafts people & custodians - impersonation - targeting based on ethnicity, religion, or foreign nationality Insider Threat – Deliberate
10 Good Insider Threat Practice Ø Publicly prosecute insider offenders Ø Avoid the perp walk! Ø Pay attention to morale Ø Watch employees/contractors/vendors who think they may soon be gone Ø Treat retired, laid off, and fired personnel well Ø Consider using bribery anti-stings Countermeasure: Bribery Anti-Stings Ø Occasionally test if randomly chosen employees, contractors, vendors, consultants, etc. can be bribed. Ø Let the person keep the money if he/she rejects and reports the bribe. Then widely praise and publicize him/her as a hero. Ø Allow at least 2 days for the bribe to be rejected and reported. Ø There must be clear, frequently publicized rules about the need to report a bribe and exactly how to do it. Ø There are legal entrapment issues but the goal is not to fire or arrest a lot of people (as in a sting operation), but rather to undercut the effectiveness of future bribe attempts by making people think it might be a test.
11 Good Insider Threat Practice Ø Periodic background checks Ø Periodically google & check insiders’ public social media Ø Use role-based access control & actively updating it Ø Identify/Recruit/Ego-Stroke hacker types and Cassandras within the organization Ø Watch out for poor drug testing security Poor Security for Urine Drug Tests It’s easy to tamper with urine test kits. Most urine testing programs (government, companies, athletes) have very poor security protocols. Emphasis has been on false negatives, but false positives are equally troubling. Serious implications for safety, courts, public welfare, national security, fairness, careers, livelihood, reputations, sports. Journal of Drug Issues 39, 1015-­‐1028 (2009)
12 Good Insider Threat Practice Ø Think about which employees/contractors/positions are most likely to be targeted by adversaries for compromise, or have the most potentially risky insider access. Ø Security professionals need to be the “friendly cop on the beat” & pick up scuttlebutt Ø Do thorough exit interviews, and interviews with people who turn down job offers Ø Avoid special treatment for VIPs Ø Avoid polygraphs Polygraphs = Snake Oil National Academy of Sciences $860,000 study: “The Polygraph and Lie Detection” (October 2002) http://www.nap.edu/books/0309084369/html/ Some Conclusions: “Polygraph test accuracy may be degraded by countermeasures…” “…overconfidence in the polygraph—a belief in its accuracy that goes beyond what is justified by the evidence—…presents a danger to national security…” “Its accuracy in distinguishing actual or potential security violators from innocent test takers is insufficient to justify reliance on its use in employee security screening…”
13 Good Insider Threat Practice Ø Avoid: Witch Hunts, Spying, Secret Police, Invasions of Privacy, Violation of Civil Liberties. (Mind Nietzsche’s Admonition: In fighting monsters, be careful not to become one yourself!) Ø Do effective disgruntlement mitigation. Don’t assume managers or HR will automatically deal with it, or that it’s not a security issue. Disgruntlement Mitigation Blunders Employee perceptions are the only reality! Ø Phony or non-existent grievance, complaint, & conflict resolution processes (Note: if good, they’ll be used a lot) Ø Phony or non-existent anonymous whistle blower program & anonymous tip hot line Ø Non-existent, poor, or retaliatory employee assistance programs
14 Disgruntlement Mitigation Blunders Ø No identification/constraints on bully bosses Ø No constraints on HR tyranny, evil, & charlatanism Ø Institutional arrogance, insincerity, indifference, denial regarding employees Ø Emphasis on being “fair” instead of treating everybody well Ø Not managing expectations (technical personnel often have very high expectations) The human-resources trade long ago proved itself, at best, a necessary evil—and at worst, a dark bureaucratic force that blindly enforces nonsensical rules, resists creativity, and impedes constructive change. -- Keith H. Hammonds Disgruntlement Mitigation Blunders Ø Not being prepared for domestic violence coming into the workplace Ø Not watching for the usual precursors to insider attacks due to disgruntlement, especially sudden changes in: • hygiene • performance • rule compliance • use of drugs or alcohol • signs of aggression or hostility • being late for work or a no show • not getting along with co-workers
15 Disgruntlement Mitigation Blunders Ø Not recognizing that whatever an employee or contactor says is upsetting him/her probably isn’t the real issue. Ø Ignoring the 80% rule about the importance of listening, empathizing, validating, & permitting venting. (You don’t have to agree with the disgruntled individual.) Ø Not trying to fix the problem; not offering a consolation prize if you can’t. Countermeasures from Psychology
16 Under-Utilized Countermeasures From Psychology Ø Have people sign a loyalty, ethics, or honesty statement at the top of a form before they answer questions or provide information, not at the bottom. Ø Use building/facility greeters & posters with eyes. Under-Utilized Countermeasures From Psychology Ø Bright lighting in sensitive areas. Ø Visually open, acoustically closed interior architecture Ø Proactive techniques from i/o psychology for dealing with guard turnover
17 Security Officer Turnover u typical for contract guards: 40 - 400% per year u a serious economic/productivity issue u a serious insider threat issue Countermeasures for Guard Turnover u realistic job interviews u personality tests u new employee training u better supervisors u other tools of i/o psychology
18 Blunder: No Countermeasures for Cognitive Dissonance Cognitive Dissonance dangers: u self-justification (self-serving rationalization & excuse making) u paralysis/stagnation (not addressing problems) u confirmation bias / motivated reasoning (interpret data only in ways that make us feel good) Countermeasures for Cognitive Dissonance u appreciate how hard security really is u avoid binary thinking u watch out for over-confidence u welcome input, questions, criticism, dissent, & controversy; don’t shoot the messenger; avoid groupthink u be your own devil’s advocate and/or appoint one u constantly ask yourself: “What am I being a knucklehead about? How is my security going to fail?” u be uncomfortable/scared u embrace appropriate humor
19 Security Theater & Compliance-Based Security Definition Security Theater: sham or ceremonial security; Measures that ostensibly protect people or assets but that actually do little or nothing to counter adversaries.
20 Security Theater 1. Best way to spot it is with an effective thorough VA. 2. Next best is to look for the characteristic attributes: • Sense of urgency • A very difficult security problem • Involves fad and/or pet technology • Ques;ons, concerns, & dissent are not welcome or tolerated • The magic security device, measure, or program has lots of “feel good” aspects to it • Strong emo;on, over confidence, arrogance, ego, and/or pride related to the security • Conflicts of interest • No well-­‐defined adversary • No well-­‐defined use protocol • No effec;ve VAs; no devil’s advocate • The technical people involved are mostly engineers • Intense desire to “save the world” leads to wishful thinking • People who know li`le about security or the technology are in charge Rule of Thumb 30% Maxim: In any large organization, at least 30% of the security rules, policies, and procedures will be dumb or counter productive. This includes Security Theater, foolish “one-size-fits-all” policies, rules that only the good guys follow, punitive practices, and policies that make abstract sense to bureaucrats, committees, and higher-ups who lack knowledge of real-world issues.
21 Examples of Compliance Harming Security 41 • All the paperwork, bureaucracy, data recording, & prepara;on for audits causes distrac;ons and wastes resources. • Creates wrong mindset: Security = Busy Work; Mindless rule-­‐following; the Brass are responsible for security strategies & tac;cs, not me... • An over-­‐emphasis on fences (4.5 – 15 sec delay) and entry points leads to bad security. • Gran;ng access to numerous auditors, overseers, micro-­‐managers, and checkers of the checkers increases the insider threat. • Security clearances require self-­‐repor#ng of professional counseling, thus discouraging it. • The rules require overly predictable guard patrols & shii changes. • Li`le room for flexibility, individual ini;a;ve, hunches, resourcefulness, observa;onal skills, people skills. Some New Security Paradigms
22 Compliance-Based Security Old Paradigm: • Compliance gets us good Security. New Paradigm: • Compliance—though it may be necessary and can be of value—often causes distractions, gets in the way of good Security, or can be incompatible with it. The Insider Threat Old Paradigm: • The insider threat is our employees, mostly the technical and high-level ones. New Paradigm: • Our insider threat comes from employees, but also contractors, vendors, customers, terminated employees, retirees, consultants, service providers, crafts people, graphic arts professionals, interns, and spouses/significant others. • Low-level personnel can be a major threat, too.
23 Security Training Old Paradigm: • Security Awareness Training for general employees is for the purpose of threatening and intimidating them into compliance. New Paradigm: • Security Awareness Training seeks to motivate and educate general employees about security, and seek their help. Security Officer Training Old Paradigm: • Training for security personnel is mostly about their understanding security rules, policies, and procedures. • Performance for security personnel is measured by how well they adhere to security rules, policies, and procedures. New Paradigm: • Training for security personnel emphasizes creative “What if?” exercises (mental and field practice). • Performance for security personnel is measured by how resourcefully they deal with day-to-day real-world security issues, and with “What if?” exercises.
24 Who Does Security Old Paradigm: • Trained security personnel provide security. • Security managers and security consultants are the main experts on Security. • Regular employees, contractors, & visitors are the enemies of good security. New Paradigm: • (The Insider Threat not withstanding) regular employees, contractors, visitors, local authorities, and neighbors provide security, with help from trained security personnel. • Frontline security personnel and regular employees are the main experts on local Security. Pain & Gain Old Paradigm: • Security is painful and must inconvenience and hassle employees, contractors, & visitors. • Hassling is a metric for security effectiveness. New Paradigm: • Security cannot interfere with productivity any more than necessary. • Once Security becomes the enemy of productivity and employees, all is lost and the bad guys have partially won. • Employee acceptance is one metric for effective Security.
25 Process, Technology, & People Old Paradigm: • Process and Technology (in that order) are our main tools for providing security. New Paradigm: • People and Process (in that order) are our main tools (though Technology can help). Problem: Lack of Research-Based Security Practice The Journal of Physical Security A free, non-profit, online peer-reviewed R&D journal http://jps.anl.gov
26 Additional information is available from: rogerj@anl.gov and For More Information...! http://www.ne.anl.gov/capabilities/vat http://www.youtube.com/watch?v=frBBGJqkz9E

Recommended

Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
How to Think Like a Vulnerability Assessor
How to Think Like a Vulnerability AssessorHow to Think Like a Vulnerability Assessor
How to Think Like a Vulnerability AssessorRoger Johnston
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobilegrugq
 
Analogic Opsec 101
Analogic Opsec 101Analogic Opsec 101
Analogic Opsec 101vicenteDiaz_KL
 

Recommended

Focusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesFocusing on the Threats to the Detriment of the Vulnerabilities
Focusing on the Threats to the Detriment of the VulnerabilitiesRoger Johnston
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
How to Think Like a Vulnerability Assessor
How to Think Like a Vulnerability AssessorHow to Think Like a Vulnerability Assessor
How to Think Like a Vulnerability AssessorRoger Johnston
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
An Underground education
An Underground educationAn Underground education
An Underground educationgrugq
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobilegrugq
 
Analogic Opsec 101
Analogic Opsec 101Analogic Opsec 101
Analogic Opsec 101vicenteDiaz_KL
 
Internal Investigations
Internal InvestigationsInternal Investigations
Internal Investigationsalberto0
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingEric Jernigan MSIA, CISSP, CISM, CRISC
 
Grc t17
Grc t17Grc t17
Grc t17SelectedPresentations
 
Info sec 12 v1 2
Info sec 12 v1 2Info sec 12 v1 2
Info sec 12 v1 2Prof John Walker FRSA Purveyor Dark Intelligence
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceSyed Peer
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Kelly Shortridge
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
 
Defender economics
Defender economicsDefender economics
Defender economicsaddelindh
 
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleanerJohn Stauffacher
 
The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013Adrian Wright
 
Accidental Insider Threat - 2018 Version
Accidental Insider Threat - 2018 VersionAccidental Insider Threat - 2018 Version
Accidental Insider Threat - 2018 VersionMurray Security Services
 
Ht t17
Ht t17Ht t17
Ht t17SelectedPresentations
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SIntegrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SEdgevalue
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
 
Seductive security - Art of seduction
Seductive security - Art of seductionSeductive security - Art of seduction
Seductive security - Art of seductionb coatesworth
 
SECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptSECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptCakraWicaksono3
 
SECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptSECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptpixvilx
 
Cyber Portents and Precursors
Cyber Portents and PrecursorsCyber Portents and Precursors
Cyber Portents and PrecursorsUniversity of Hertfordshire
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 

More Related Content

What's hot

Internal Investigations
Internal InvestigationsInternal Investigations
Internal Investigationsalberto0
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceSyed Peer
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Steve Werby
 
Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Kelly Shortridge
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...EC-Council
 
Defender economics
Defender economicsDefender economics
Defender economicsaddelindh
 
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
 

What's hot (11)

Internal Investigations
Internal InvestigationsInternal Investigations
Internal Investigations
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
 
Grc t17
Grc t17Grc t17
Grc t17
 
Info sec 12 v1 2
Info sec 12 v1 2Info sec 12 v1 2
Info sec 12 v1 2
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...
 
Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...Behavioral Models of Information Security: Industry irrationality & what to d...
Behavioral Models of Information Security: Industry irrationality & what to d...
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
 
Defender economics
Defender economicsDefender economics
Defender economics
 
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
 

Similar to Insider Threat Mitigation

The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering OWASP Foundation
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013Adrian Wright
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SIntegrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SEdgevalue
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Raffael Marty
 
Seductive security - Art of seduction
Seductive security - Art of seductionSeductive security - Art of seduction
Seductive security - Art of seductionb coatesworth
 
SECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptSECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptCakraWicaksono3
 
SECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptSECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptpixvilx
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
Safety merit badge troop 504
Safety merit badge troop 504Safety merit badge troop 504
Safety merit badge troop 504Charles Jolly
 
Personal Security for High Profile and High Wealth Individuals
Personal Security for High Profile and High Wealth IndividualsPersonal Security for High Profile and High Wealth Individuals
Personal Security for High Profile and High Wealth IndividualsJuval Aviv
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Expert FSO Insider Threat Awareness
Expert FSO Insider Threat AwarenessExpert FSO Insider Threat Awareness
Expert FSO Insider Threat AwarenessEric Schiowitz
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorSandra (Sandy) Dunn
 
Cybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptxCybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptxClintonKelvin
 
Insider Threats Webinar Final_Tyco
Insider Threats Webinar Final_TycoInsider Threats Webinar Final_Tyco
Insider Threats Webinar Final_TycoMatt Frowert
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceEvan Francen
 

Similar to Insider Threat Mitigation (20)

The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering The Art of Human Hacking : Social Engineering
The Art of Human Hacking : Social Engineering
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
 
Accidental Insider Threat - 2018 Version
Accidental Insider Threat - 2018 VersionAccidental Insider Threat - 2018 Version
Accidental Insider Threat - 2018 Version
 
Ht t17
Ht t17Ht t17
Ht t17
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SIntegrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3S
 
Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?Artificial Intelligence – Time Bomb or The Promised Land?
Artificial Intelligence – Time Bomb or The Promised Land?
 
Seductive security - Art of seduction
Seductive security - Art of seductionSeductive security - Art of seduction
Seductive security - Art of seduction
 
SECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptSECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.ppt
 
SECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.pptSECURITY AND SOCIAL ENGINEERING.ppt
SECURITY AND SOCIAL ENGINEERING.ppt
 
Cyber Portents and Precursors
Cyber Portents and PrecursorsCyber Portents and Precursors
Cyber Portents and Precursors
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Safety merit badge troop 504
Safety merit badge troop 504Safety merit badge troop 504
Safety merit badge troop 504
 
Personal Security for High Profile and High Wealth Individuals
Personal Security for High Profile and High Wealth IndividualsPersonal Security for High Profile and High Wealth Individuals
Personal Security for High Profile and High Wealth Individuals
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
Expert FSO Insider Threat Awareness
Expert FSO Insider Threat AwarenessExpert FSO Insider Threat Awareness
Expert FSO Insider Threat Awareness
 
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating WarriorBanning Whining, Avoiding Cyber Wolves, and Creating Warrior
Banning Whining, Avoiding Cyber Wolves, and Creating Warrior
 
Cybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptxCybersecurity Risk Management Tools and Techniques (1).pptx
Cybersecurity Risk Management Tools and Techniques (1).pptx
 
Insider Threats Webinar Final_Tyco
Insider Threats Webinar Final_TycoInsider Threats Webinar Final_Tyco
Insider Threats Webinar Final_Tyco
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
 

More from Roger Johnston

In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityRoger Johnston
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Roger Johnston
 
Camera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyCamera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyRoger Johnston
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Roger Johnston
 
Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Roger Johnston
 
Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Roger Johnston
 
Election Security 2020
Election Security 2020Election Security 2020
Election Security 2020Roger Johnston
 
A New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentA New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentRoger Johnston
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability AssessmentsRoger Johnston
 
Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Roger Johnston
 
Vulnerability Assessments
Vulnerability Assessments Vulnerability Assessments
Vulnerability Assessments Roger Johnston
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityDesign Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityRoger Johnston
 
Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Roger Johnston
 
Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Roger Johnston
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security DevicesRoger Johnston
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security InvestmentRoger Johnston
 
Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Roger Johnston
 

More from Roger Johnston (20)

In Risu Veritas: Humor & Security
In Risu Veritas: Humor & SecurityIn Risu Veritas: Humor & Security
In Risu Veritas: Humor & Security
 
Journal of Physical Security 15(1)
Journal of Physical Security 15(1)Journal of Physical Security 15(1)
Journal of Physical Security 15(1)
 
Security Audits.pdf
Security Audits.pdfSecurity Audits.pdf
Security Audits.pdf
 
Camera Obscura and Security/Privacy
Camera Obscura and Security/PrivacyCamera Obscura and Security/Privacy
Camera Obscura and Security/Privacy
 
Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link Vulnerability Assessment: The Missing Manual for the Missing Link
Vulnerability Assessment: The Missing Manual for the Missing Link
 
Journal of Physical Security 14(1)
Journal of Physical Security 14(1)Journal of Physical Security 14(1)
Journal of Physical Security 14(1)
 
Want seals with that?
Want seals with that?Want seals with that?
Want seals with that?
 
Journal of Physical Security 13(1)
Journal of Physical Security 13(1)Journal of Physical Security 13(1)
Journal of Physical Security 13(1)
 
Election Security 2020
Election Security 2020Election Security 2020
Election Security 2020
 
Security Assurance
Security AssuranceSecurity Assurance
Security Assurance
 
A New Approach to Vulnerability Assessment
A New Approach to Vulnerability AssessmentA New Approach to Vulnerability Assessment
A New Approach to Vulnerability Assessment
 
Understanding Vulnerability Assessments
Understanding Vulnerability AssessmentsUnderstanding Vulnerability Assessments
Understanding Vulnerability Assessments
 
Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms Devil's Dictionary of Security Terms
Devil's Dictionary of Security Terms
 
Vulnerability Assessments
Vulnerability Assessments Vulnerability Assessments
Vulnerability Assessments
 
Design Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical SecurityDesign Reviews Versus Vulnerability Assessments for Physical Security
Design Reviews Versus Vulnerability Assessments for Physical Security
 
Journal of Physical Security 12(3)
Journal of Physical Security 12(3)Journal of Physical Security 12(3)
Journal of Physical Security 12(3)
 
Journal of Physical Security 12(2)
Journal of Physical Security 12(2)Journal of Physical Security 12(2)
Journal of Physical Security 12(2)
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security Devices
 
Making the Business Case for Security Investment
Making the Business Case for Security InvestmentMaking the Business Case for Security Investment
Making the Business Case for Security Investment
 
Journal of Physical Security 11(1)
Journal of Physical Security 11(1)Journal of Physical Security 11(1)
Journal of Physical Security 11(1)
 

Recently uploaded

2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos WebinarLinda Reinstein
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...Suhani Kapoor
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTaccounts329278
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)ahcitycouncil
 
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up NumberMs Riya
 
CBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCongressional Budget Office
 
Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...
Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...
Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...anilsa9823
 
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...Suhani Kapoor
 
↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...
↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...
↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...ranjana rawat
 
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble BeginningsZechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginningsinfo695895
 
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Expressive clarity oral presentation.pptx
Expressive clarity oral presentation.pptxExpressive clarity oral presentation.pptx
Expressive clarity oral presentation.pptxtsionhagos36
 
EDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxEDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxaaryamanorathofficia
 
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore EscortsVIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escortsaditipandeya
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024ARCResearch
 
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.Christina Parmionova
 
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With RoomVIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Roomishabajaj13
 

Recently uploaded (20)

2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar
 
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
VIP High Profile Call Girls Gorakhpur Aarushi 8250192130 Independent Escort S...
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CT
 
PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)PPT Item # 4 - 231 Encino Ave (Significance Only)
PPT Item # 4 - 231 Encino Ave (Significance Only)
 
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
##9711199012 Call Girls Delhi Rs-5000 UpTo 10 K Hauz Khas Whats Up Number
 
CBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related TopicsCBO’s Recent Appeals for New Research on Health-Related Topics
CBO’s Recent Appeals for New Research on Health-Related Topics
 
Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...
Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...
Lucknow 💋 Russian Call Girls Lucknow ₹7.5k Pick Up & Drop With Cash Payment 8...
 
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 37 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
 
↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...
↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...
↑VVIP celebrity ( Pune ) Serampore Call Girls 8250192130 unlimited shot and a...
 
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
(SHINA) Call Girls Khed ( 7001035870 ) HI-Fi Pune Escorts Service
 
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
(PRIYA) Call Girls Rajgurunagar ( 7001035870 ) HI-Fi Pune Escorts Service
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble BeginningsZechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
 
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
(TARA) Call Girls Chakan ( 7001035870 ) HI-Fi Pune Escorts Service
 
Expressive clarity oral presentation.pptx
Expressive clarity oral presentation.pptxExpressive clarity oral presentation.pptx
Expressive clarity oral presentation.pptx
 
EDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptxEDUROOT SME_ Performance upto March-2024.pptx
EDUROOT SME_ Performance upto March-2024.pptx
 
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore EscortsVIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
VIP Russian Call Girls in Indore Ishita 💚😋 9256729539 🚀 Indore Escorts
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024
 
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.WIPO magazine issue -1 - 2024 World Intellectual Property organization.
WIPO magazine issue -1 - 2024 World Intellectual Property organization.
 
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With RoomVIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
 

Insider Threat Mitigation

  • 1. 1 Talk for the 58th Annual ASIS Meeting Philadelphia, PA, September 10-13, 2012 Under-Utilized Methods for Mitigating the Insider Threat Roger G. Johnston, Ph.D., CPP Vulnerability Assessment Team Argonne National Laboratory 630-252-6168 rogerj@anl.gov http://www.ne.anl.gov/capabilities/vat Argonne National Laboratory ~$738 million annual budget 1500 acres, 3400 employees, 4400 facility users, 1100 students R&D and technical assistance for government & industry
  • 2. 2 Vulnerability Assessment Team (VAT) Sponsors • DHS • DoD • DOS • IAEA • Euratom • DOE/NNSA • private companies • intelligence agencies • public interest organizations The VAT has done vulnerability assessments on over 1000 different security devices, systems, & programs. The greatest of faults, I should say, is to be conscious of none. -- Thomas Carlyle (1795-1881) A multi-disciplinary team of physicists, engineers, hackers, & social scientists. Check us out on YouTube: keywords = argonne break into Human Factors in Security
  • 3. 3 What’s Wrong with This Picture? "While serious, the incident in question was the result of human error, not a failure of security systems. We have a robust system in place to report and investigate potential violations. In my opinion, this is a circumstance where those systems worked well." -- Statement from a high-level government official after a serious security incident Security Culture & Climate • Security Climate (informal perceptions) is probably even more important than Security Culture (formal policies & procedures) • In a healthy security culture/climate: § Everybody is constantly thinking about security. § There are on-the-spot awards for (1) good security practice & (2) proactive/creative thinking and actions. § Security ideas, concerns, questions, suggestions, criticisms are welcome from any quarter. § No scapegoating! § Finding vulnerabilities is viewed as good news.
  • 4. 4 Examples of Largely Unstudied Human Factors in Security Ø Two-Person Rule Ø Insider Threat Mitigation Ø Security Culture & Security Climate Ø Identifying Characteristics of Security Theater Ø Countermeasures to Perceptual Blindness, Misdirection, & Sleight-of-Hand Ø Reducing security guard turnover (~40% to 400% per year) Ø Human factors in nuclear safeguards inspections Ø Cognitive psychology of seal and cargo inspection Illuminating Books Relevant to the Human Factor in Security (all fun reads) Ken Perenyi, Caveat Emptor: The Secrete Life of an American Art Forger (2012) G Marcus, Kluge: The Haphazard Construction of the Human Mind (2008) CTravis & E Aronson, Mistakes Were Made (But Not by Me) (2007) BL Katcher & A Snyder, 30 Reasons Employees Hate Their Managers (2007) RL Ackoff & S Rovin, Beating the System: Using Creativity to Outsmart Bureaucracies (2005) K Mitnick & WL Simon, The Art of Intrusion (2005). RJ Sternberg (Editor), Why Smart People Can Be So Stupid (2002)
  • 5. 5 Insider Threat Mo#va#on for Insider A0acks Countermeasures greed/financial need periodic background checks, bribery an;-­‐s;ng opera;ons revenge disgruntlement mi;ga;on terrorism periodic background checks ideology, poli;cal ac;vism, or radicalism periodic background checks coercion/blackmail periodic background checks social engineering/seduc;on security awareness training narcissism/ego/need to feel important or smart, or to gain recogni#on enlist & stroke egos of hacker types desire to prove that a warned about vulnerability or threat is real (self-­‐iden#fied Cassandras) take security professionals & their concerns seriously; welcome cri;cism desire for excitement make jobs interes;ng? mental illness? periodic background checks? inadvertent compromise of security due to educate, mo;vate, carelessness, error, ignorance, laziness, or arrogance reward, punish, analyze aHtudes to predict problems
  • 6. 6 2 Kinds of Insider Threat Inadvertent vs. Deliberate Compromising of Security Schryver’s Law: Sufficiently advanced incompetence is indistinguishable from malice. Insider Threat – Inadvertent
  • 7. 7 Security Awareness Training Definition—Security Awareness Training (n): Presentations that convince employees who once vaguely believed that security was a good idea that they were sadly mistaken. Definition—Counter-Intelligence Program (n): Security Awareness Training so awful that it insults everyone’s intelligence. Security Awareness Training • We train dogs. We educate, remind, encourage, & motivate people. • Tailor to the audience • Promote, sell, & motivate good security by employees, contractors, and vendors. Don’t threaten or intimidate! • Use examples. Show people how to do things, don’t tell them what not to do. Talk about the carrots, not the sticks. • Avoid the negative terms: Don’t! Never! No! • What’s in it for me?
  • 8. 8 Security Awareness Training • Make connections to personal security: home computer travel security, burglary, identity theft, etc. • Refer to news stories about security breaches in other organizations and the consequences. • Have metrics for effectiveness of the training (and the security) • No dumb trivia questions on the quiz! • Use people-oriented instructors, not bureaucrats, technocrats, burnouts, zombies, or deadwood. Security Awareness Training • Be entertaining, vivid, & positive, NOT threatening, boring, patronizing, or full of organizational charts, camera-challenged talking-head executives, references to CFRs, or self-serving fluff about HR, the security organ-ization or the training department. • Less is more. Stick with the most important risks. • Security Awareness posters should offer useful security tips & solutions, not platitudes, mindlessness, insults, & threats.
  • 9. 9 Security Awareness Training • Teach about social engineering and that adversaries often conduct espionage or intelligence via: - industry “surveys” - social networking sites - bogus headhunters & job interviews - phony trade journal interviews - hanging out at nearby restaurants/bars - public affairs & the graphics department - recruiting crafts people & custodians - impersonation - targeting based on ethnicity, religion, or foreign nationality Insider Threat – Deliberate
  • 10. 10 Good Insider Threat Practice Ø Publicly prosecute insider offenders Ø Avoid the perp walk! Ø Pay attention to morale Ø Watch employees/contractors/vendors who think they may soon be gone Ø Treat retired, laid off, and fired personnel well Ø Consider using bribery anti-stings Countermeasure: Bribery Anti-Stings Ø Occasionally test if randomly chosen employees, contractors, vendors, consultants, etc. can be bribed. Ø Let the person keep the money if he/she rejects and reports the bribe. Then widely praise and publicize him/her as a hero. Ø Allow at least 2 days for the bribe to be rejected and reported. Ø There must be clear, frequently publicized rules about the need to report a bribe and exactly how to do it. Ø There are legal entrapment issues but the goal is not to fire or arrest a lot of people (as in a sting operation), but rather to undercut the effectiveness of future bribe attempts by making people think it might be a test.
  • 11. 11 Good Insider Threat Practice Ø Periodic background checks Ø Periodically google & check insiders’ public social media Ø Use role-based access control & actively updating it Ø Identify/Recruit/Ego-Stroke hacker types and Cassandras within the organization Ø Watch out for poor drug testing security Poor Security for Urine Drug Tests It’s easy to tamper with urine test kits. Most urine testing programs (government, companies, athletes) have very poor security protocols. Emphasis has been on false negatives, but false positives are equally troubling. Serious implications for safety, courts, public welfare, national security, fairness, careers, livelihood, reputations, sports. Journal of Drug Issues 39, 1015-­‐1028 (2009)
  • 12. 12 Good Insider Threat Practice Ø Think about which employees/contractors/positions are most likely to be targeted by adversaries for compromise, or have the most potentially risky insider access. Ø Security professionals need to be the “friendly cop on the beat” & pick up scuttlebutt Ø Do thorough exit interviews, and interviews with people who turn down job offers Ø Avoid special treatment for VIPs Ø Avoid polygraphs Polygraphs = Snake Oil National Academy of Sciences $860,000 study: “The Polygraph and Lie Detection” (October 2002) http://www.nap.edu/books/0309084369/html/ Some Conclusions: “Polygraph test accuracy may be degraded by countermeasures…” “…overconfidence in the polygraph—a belief in its accuracy that goes beyond what is justified by the evidence—…presents a danger to national security…” “Its accuracy in distinguishing actual or potential security violators from innocent test takers is insufficient to justify reliance on its use in employee security screening…”
  • 13. 13 Good Insider Threat Practice Ø Avoid: Witch Hunts, Spying, Secret Police, Invasions of Privacy, Violation of Civil Liberties. (Mind Nietzsche’s Admonition: In fighting monsters, be careful not to become one yourself!) Ø Do effective disgruntlement mitigation. Don’t assume managers or HR will automatically deal with it, or that it’s not a security issue. Disgruntlement Mitigation Blunders Employee perceptions are the only reality! Ø Phony or non-existent grievance, complaint, & conflict resolution processes (Note: if good, they’ll be used a lot) Ø Phony or non-existent anonymous whistle blower program & anonymous tip hot line Ø Non-existent, poor, or retaliatory employee assistance programs
  • 14. 14 Disgruntlement Mitigation Blunders Ø No identification/constraints on bully bosses Ø No constraints on HR tyranny, evil, & charlatanism Ø Institutional arrogance, insincerity, indifference, denial regarding employees Ø Emphasis on being “fair” instead of treating everybody well Ø Not managing expectations (technical personnel often have very high expectations) The human-resources trade long ago proved itself, at best, a necessary evil—and at worst, a dark bureaucratic force that blindly enforces nonsensical rules, resists creativity, and impedes constructive change. -- Keith H. Hammonds Disgruntlement Mitigation Blunders Ø Not being prepared for domestic violence coming into the workplace Ø Not watching for the usual precursors to insider attacks due to disgruntlement, especially sudden changes in: • hygiene • performance • rule compliance • use of drugs or alcohol • signs of aggression or hostility • being late for work or a no show • not getting along with co-workers
  • 15. 15 Disgruntlement Mitigation Blunders Ø Not recognizing that whatever an employee or contactor says is upsetting him/her probably isn’t the real issue. Ø Ignoring the 80% rule about the importance of listening, empathizing, validating, & permitting venting. (You don’t have to agree with the disgruntled individual.) Ø Not trying to fix the problem; not offering a consolation prize if you can’t. Countermeasures from Psychology
  • 16. 16 Under-Utilized Countermeasures From Psychology Ø Have people sign a loyalty, ethics, or honesty statement at the top of a form before they answer questions or provide information, not at the bottom. Ø Use building/facility greeters & posters with eyes. Under-Utilized Countermeasures From Psychology Ø Bright lighting in sensitive areas. Ø Visually open, acoustically closed interior architecture Ø Proactive techniques from i/o psychology for dealing with guard turnover
  • 17. 17 Security Officer Turnover u typical for contract guards: 40 - 400% per year u a serious economic/productivity issue u a serious insider threat issue Countermeasures for Guard Turnover u realistic job interviews u personality tests u new employee training u better supervisors u other tools of i/o psychology
  • 18. 18 Blunder: No Countermeasures for Cognitive Dissonance Cognitive Dissonance dangers: u self-justification (self-serving rationalization & excuse making) u paralysis/stagnation (not addressing problems) u confirmation bias / motivated reasoning (interpret data only in ways that make us feel good) Countermeasures for Cognitive Dissonance u appreciate how hard security really is u avoid binary thinking u watch out for over-confidence u welcome input, questions, criticism, dissent, & controversy; don’t shoot the messenger; avoid groupthink u be your own devil’s advocate and/or appoint one u constantly ask yourself: “What am I being a knucklehead about? How is my security going to fail?” u be uncomfortable/scared u embrace appropriate humor
  • 19. 19 Security Theater & Compliance-Based Security Definition Security Theater: sham or ceremonial security; Measures that ostensibly protect people or assets but that actually do little or nothing to counter adversaries.
  • 20. 20 Security Theater 1. Best way to spot it is with an effective thorough VA. 2. Next best is to look for the characteristic attributes: • Sense of urgency • A very difficult security problem • Involves fad and/or pet technology • Ques;ons, concerns, & dissent are not welcome or tolerated • The magic security device, measure, or program has lots of “feel good” aspects to it • Strong emo;on, over confidence, arrogance, ego, and/or pride related to the security • Conflicts of interest • No well-­‐defined adversary • No well-­‐defined use protocol • No effec;ve VAs; no devil’s advocate • The technical people involved are mostly engineers • Intense desire to “save the world” leads to wishful thinking • People who know li`le about security or the technology are in charge Rule of Thumb 30% Maxim: In any large organization, at least 30% of the security rules, policies, and procedures will be dumb or counter productive. This includes Security Theater, foolish “one-size-fits-all” policies, rules that only the good guys follow, punitive practices, and policies that make abstract sense to bureaucrats, committees, and higher-ups who lack knowledge of real-world issues.
  • 21. 21 Examples of Compliance Harming Security 41 • All the paperwork, bureaucracy, data recording, & prepara;on for audits causes distrac;ons and wastes resources. • Creates wrong mindset: Security = Busy Work; Mindless rule-­‐following; the Brass are responsible for security strategies & tac;cs, not me... • An over-­‐emphasis on fences (4.5 – 15 sec delay) and entry points leads to bad security. • Gran;ng access to numerous auditors, overseers, micro-­‐managers, and checkers of the checkers increases the insider threat. • Security clearances require self-­‐repor#ng of professional counseling, thus discouraging it. • The rules require overly predictable guard patrols & shii changes. • Li`le room for flexibility, individual ini;a;ve, hunches, resourcefulness, observa;onal skills, people skills. Some New Security Paradigms
  • 22. 22 Compliance-Based Security Old Paradigm: • Compliance gets us good Security. New Paradigm: • Compliance—though it may be necessary and can be of value—often causes distractions, gets in the way of good Security, or can be incompatible with it. The Insider Threat Old Paradigm: • The insider threat is our employees, mostly the technical and high-level ones. New Paradigm: • Our insider threat comes from employees, but also contractors, vendors, customers, terminated employees, retirees, consultants, service providers, crafts people, graphic arts professionals, interns, and spouses/significant others. • Low-level personnel can be a major threat, too.
  • 23. 23 Security Training Old Paradigm: • Security Awareness Training for general employees is for the purpose of threatening and intimidating them into compliance. New Paradigm: • Security Awareness Training seeks to motivate and educate general employees about security, and seek their help. Security Officer Training Old Paradigm: • Training for security personnel is mostly about their understanding security rules, policies, and procedures. • Performance for security personnel is measured by how well they adhere to security rules, policies, and procedures. New Paradigm: • Training for security personnel emphasizes creative “What if?” exercises (mental and field practice). • Performance for security personnel is measured by how resourcefully they deal with day-to-day real-world security issues, and with “What if?” exercises.
  • 24. 24 Who Does Security Old Paradigm: • Trained security personnel provide security. • Security managers and security consultants are the main experts on Security. • Regular employees, contractors, & visitors are the enemies of good security. New Paradigm: • (The Insider Threat not withstanding) regular employees, contractors, visitors, local authorities, and neighbors provide security, with help from trained security personnel. • Frontline security personnel and regular employees are the main experts on local Security. Pain & Gain Old Paradigm: • Security is painful and must inconvenience and hassle employees, contractors, & visitors. • Hassling is a metric for security effectiveness. New Paradigm: • Security cannot interfere with productivity any more than necessary. • Once Security becomes the enemy of productivity and employees, all is lost and the bad guys have partially won. • Employee acceptance is one metric for effective Security.
  • 25. 25 Process, Technology, & People Old Paradigm: • Process and Technology (in that order) are our main tools for providing security. New Paradigm: • People and Process (in that order) are our main tools (though Technology can help). Problem: Lack of Research-Based Security Practice The Journal of Physical Security A free, non-profit, online peer-reviewed R&D journal http://jps.anl.gov
  • 26. 26 Additional information is available from: rogerj@anl.gov and For More Information...! http://www.ne.anl.gov/capabilities/vat http://www.youtube.com/watch?v=frBBGJqkz9E