Agencies today are focused on external threats. They are bolstering their end-points with anti-virus protection, strengthening their perimeter and gateways with next-generation firewalls, and actively patrolling their network with intrusion detection systems (IDS/IPS). But analysts now believe that insider threats, whether malicious or inadvertent, may pose the greatest risk.
An insider threat is defined as…
“a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.[i]”
Dealing with insider threats is less about technology and more about understanding the drivers and motivations of the insider, and the organization he/she works for. Eric Shaw, Ph.D. and Harley V. Stock, Ph.D. in their white paper “Behavioral Risk Indicators of Malicious Insider Theft of Property: Misreading the Writing on the Wall[ii]” talk about employees at risk and the psychology of IP theft. They discuss two profiles: the entitled disgruntled thief and the Machiavellian leader. They then go on to talk about what these insiders steal, and when, how and why they steal it.
At the conclusion of the paper Drs. Shaw and Stock provide a Risk Assessment Checklist, which gives detailed steps for areas like pre-employment screening and training and education.
For those wanting to get deeper into the mind of the insider, read the seminal work “Ten Tales of Betrayal[iii]” by Dr. Eric D. Shaw and Lynn F. Fischer, who provide their observations and analysis of ten insider threats that occurred before 2003. The cases were selected by the Defense Personnel Security Research Center (PERSEREC); in each case a disgruntled or self-interested offender seriously damaged or compromised the operability of critical information systems.
In a comparative analysis, the study found that at the time of the attack only one offender was still employed by the organization. Of the nine employees, seven were fired, laid off, terminated or on probation. Only two employees resigned. Seven of the attacks were performed remotely and two were performed with time bombs. The study analyzed the personal stressors that affected each employee: a demotion, a rejection or some sort of betrayal. What was surprising to me was that in all cases the employer knew about the nature of the disgruntlement well in advance of the attack.
The paper concludes with nineteen key findings with implications relevant to prevention, detection and personnel management. The section on prevention deals with things like stressors as risk indicators and potential means for prevention. The section on detection discusses social and cultural conflicts as risks and the occurrence of personal problems prior to an attack. The section on personnel management covers issues such as failure to perform basic screenings.
The study found that while the subjects had diverse backgrounds and were employed in a variety of positions, one thing was clear—nine out of ten subjects were dealing with some sort of serious employment problem that ended, or threatened, their job.
When looking for information on insider threats, there is no better resource than the CERT Insider Threat Center run by Carnegie Mellon University’s Software Engineering Institute (SEI).
SEI maintains the CERT insider threat database, which documents more than 700 insider threat cases. CERT partners with the U.S. Department of Defense (DoD), the U.S. Department of Homeland Security (DHS), and other federal agencies, together with the academic and vendor communities in conducting research and analysis to develop solutions to combat insider cyber threats.
“The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)[iv]” analyzes these insider threat cases and presents the findings. The book, available in hardback, provides practical guidance on how to identify hidden signs of IT sabotage, IP theft, and fraud, and provides useful tools that are applicable to executives, managers, security officers and operational staff.
For those looking for a shorter read, the CERT division has published an online best practices guide. Here you will find eighteen practical steps for mitigating IP theft, IT sabotage, and fraud. These steps range from starting with the hiring process and incorporating insider threat awareness into periodic security trainings, to implementing stringent access controls and monitoring policies for privileged users.
These guidelines can also be found in the more comprehensive “Common Sense Guide to Mitigating Insider Threats, 4th edition[v]” which presents each best practice in full and discusses how and why to use them. A useful aspect of this guide is that it maps all the steps to the National Institute of Standards and Technology (NIST) Special Publication 800-53 and the International Organization for Standardization (ISO) 27002:2005.
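Two of the recurring threads above, the PERSEREC finding that most attackers had already been fired or laid off and attacked remotely, and the CERT best practice of monitoring privileged users, translate into a concrete log check that any agency can run against its own authentication records. The following is an added example written for this article; it is not code from CERT, PERSEREC, or the guides cited here. It cross-references a constructed HR separation roster against constructed authentication log lines and flags any authentication attempt on an account after its owner's separation date (marking whether it came from outside the internal address ranges), plus any direct use of a shared generic administrator account, which cannot be attributed to an individual. The log format, field names, address ranges, account names, and roster are all assumptions made for the example.

```python
"""Offboarding and privileged-account audit (added example, not from the cited guides).

Assumed log line format: "<ISO-8601 timestamp> <username> <success|failure> <source ip>".
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed HR separation roster: username -> separation timestamp (ISO 8601).
SEPARATIONS = {
    "jdoe": "2014-07-01T17:00:00",
    "asmith": "2014-07-10T17:00:00",
}

# Constructed internal address ranges; any other source address counts as remote.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed list of shared privileged accounts that staff should never log on with directly.
SHARED_ADMIN_ACCOUNTS = {"root", "administrator", "dbadmin"}

# Constructed sample log lines in the assumed format (not real data).
SAMPLE_LOG = """\
2014-07-01T09:12:03 jdoe success 10.1.4.22
2014-07-02T23:41:10 jdoe success 203.0.113.45
2014-07-05T08:00:00 bwong success 10.1.4.23
2014-07-11T02:15:44 asmith failure 198.51.100.7
2014-07-11T02:16:01 asmith success 198.51.100.7
2014-07-12T13:30:00 dbadmin success 10.2.0.5
2014-07-12T13:31:00 bwong success 10.1.4.23
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # "post_separation" or "shared_admin"
    timestamp: str
    user: str
    result: str      # "success" or "failure"
    src_ip: str
    remote: bool     # True when src_ip lies outside the internal ranges


def parse_line(line):
    """Split one log line into (timestamp, user, result, src_ip); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, result, src_ip = parts
    try:
        datetime.fromisoformat(ts)   # validate the timestamp
        ip_address(src_ip)           # validate the address
    except ValueError:
        return None
    return ts, user, result, src_ip


def is_remote(src_ip, nets=INTERNAL_NETS):
    """True when the source address is not inside any internal network."""
    addr = ip_address(src_ip)
    return not any(addr in net for net in nets)


def audit(log_text, separations=SEPARATIONS, shared=SHARED_ADMIN_ACCOUNTS, nets=INTERNAL_NETS):
    """Return findings for post-separation activity and shared admin account use."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole audit
        ts, user, result, src_ip = parsed
        remote = is_remote(src_ip, nets)
        sep = separations.get(user)
        # Failed attempts after separation are flagged too: they show the credentials
        # still exist and someone is trying them.
        if sep is not None and datetime.fromisoformat(ts) > datetime.fromisoformat(sep):
            findings.append(Finding("post_separation", ts, user, result, src_ip, remote))
        if user in shared:
            findings.append(Finding("shared_admin", ts, user, result, src_ip, remote))
    return findings


def count_by_kind(findings):
    """Summarize findings as {kind: count} for reporting."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        where = "REMOTE" if f.remote else "internal"
        print(f"{f.kind:16} {f.timestamp} {f.user:10} {f.result:8} {f.src_ip:16} {where}")
    print(count_by_kind(audit(SAMPLE_LOG)))
```

On the constructed sample the audit reports three post-separation events (all remote, including the failed attempt on the asmith account) and one direct logon to the shared dbadmin account; the jdoe logon earlier on the day of separation is correctly left alone. In practice the roster would come from the HR system of record and the log from the directory or VPN concentrator, and the first finding kind is the one to eliminate outright by disabling credentials at the moment of separation.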
ISO 27002 is a comprehensive standard that provides best practices for implementing and maintaining any information security management system, but it can be overwhelming to read. For an A-Z course on ISO 27001 and 27002 go to ISO 27000 Central at www.1799Central.com. The ISO 27000 tool kit found there can help you get started. It contains the ISO 17799 Glossary, which defines all the terminology, and has a concise history of how the standard first evolved from the British Standards Institute (BSI) BS 7799 Code of Practice. The site will help you explore the full scope of the current standard.
There are two types of insider threats: malicious and inadvertent. In this article we explored why malicious threats are less about technology and more about personnel.
In part II of this article we’ll explore why Privilege User Management (PUM) and Privilege User Password Management (PUPM) are at the core of inadvertent insider threats, and why it is so crucial that all administrators log on and work with their own credentials.
[i] CERT, http://www.cert.org/insider-threat/ , 7/13/14
[ii] Eric D. Shaw, Ph.D. and Harley V. Stock, Ph.D., ABPP, Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall, (Mountain View: Symantec Corporation, 2011)
[iii] Eric D. Shaw, Ph.D. and Lynn Fischer, Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders, Analysis and Observations (PERSEREC, 2005)
[iv] Dawn Cappelli, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (Boston: Addison-Wesley Professional, 2012)
[v] George Silowash, Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak, Timothy J. Shimeall, Lori Flynn, The Common Sense Guide to Mitigating Insider Threats, 4th Edition (Carnegie Mellon University, Software Engineering Institute, 2011)
This article was authored by Nate Rushfinn, Principal Enterprise Architect at CA Technologies. You can follow Nate on Twitter @Nate_Rushfinn.