For the past four years insider threats have been identified as the top vulnerability facing federal government agencies. So it wasn’t surprising that at the National Insider Threat Special Interest Group’s (NITSIG) 3rd Annual Insider Threat Symposium & Expo, the urgency of this issue was front and center.
The October 19 event at the Johns Hopkins University – Applied Physics Laboratory in Laurel, Maryland, brought together government officials and industry leaders to quantify the risks and map out solutions. Leaders from government offices, including the National Counterintelligence and Security Center, the CERT National Insider Threat Center and the Office of the Comptroller of the Currency, were among the speakers.
David Nelson, Federal Sales Director at SolarWinds, who attended the event, said that while progress is being made, some of the statistics presented paint a troubling picture.
Insider threats cost as much as, or more than, attacks by nation states, Nelson reported. Yet most cyber-security is focused on the ‘hardening of the shell,’ while much less money and effort goes towards battling insider threats.
“One presentation showed that more than 50 per cent of insider threats are discovered by accident or through random audits, while slightly more than one-third of attacks were detected because of IT measures,” he said. “That means that agencies haven’t necessarily deployed adequate tools for access rights management or file monitoring.”
Nelson’s colleague, Jasmine Jones, who focuses on agencies that include DISA and OSD, agreed that what she heard from attendees is a need to address gaps in so-called end-to-end security solutions, in particular monitoring and management. “They’re still missing critical pieces,” she said, adding, “although the tools do exist.”
The barriers to better protection from insider threats often come down to human factors. “Budgets are often the scapegoat, but willingness is a real factor,” Nelson explained. “You need to have a group continuously driving it and measuring it and letting people know where there are shortfalls.”
“Poor security hygiene and lack of training are big contributors to accidental threats,” Nelson said. “But there also needs to be a better application of tools to ensure people can’t access files they shouldn’t be seeing.”
One presentation focused on including HR in insider threat programs. “Traditionally in government,” Nelson said, “HR is often a stovepiped function that tends to be focused on recruitment, onboarding, benefits, etc. But it could be used to look for warning signs among the employee population, while also supporting security education.”
Additionally, contractors who have access to internal systems have been a point of concern. Nelson said that scrutiny of contractors has increased. “They’re expected to protect Controlled Unclassified Information and to let the government know if there are breaches. That now gets considered in their past performance ratings.”
The Path Forward
But it isn’t all bad news, Nelson said, explaining that the drive to mitigate these threats is there. Nelson pointed out simple steps that can get agencies moving in the right direction. “Patching, network access controls, secure access rights and provisioning users correctly – these are all basic things that need to be done. In fact, these are best practices that are spelled out in the Presidential IT Modernization memo that came out recently.”
Jones remarked that modernization has a big impact on the ability to keep data secure, as legacy products still take precedence in a number of government offices. “We need to continue to have real conversations about how willing the leadership is to move in a new direction.”
In the meantime, Nelson said, if you can’t directly patch a system, for example, you can use technology to limit or control access. “You can also put in intrusion prevention systems that would look at the traffic to those boxes and shield them against vulnerabilities. These are best practices that agencies have known about for many years and need to deploy fully.”
Industry also plays a vital role in mitigating insider threats. “A lot of tools that are available now didn’t exist before,” Nelson commented. But agencies, facing many new vendors, aren’t always sure who to trust, or they place all their trust in one or two vendors. Nelson suggested that industry needs to educate better and government needs to investigate more deeply which of these companies have both the right technologies and the best reputations.
“And, while new technologies, whether that means moving to the cloud or introducing new security and monitoring tools, always cause operational disruption, there are companies that can minimize the impact on day-to-day business with tools that ease management and don’t require extra manpower,” he explained.
The deeper risk of insider threats stems from the basic premise that the government needs to be trusted to protect vital information, from military secrets to the personal information of citizens. “The credibility of the government and many agencies is on the line,” Nelson explained.
“It comes down to the fundamentals of security hygiene and training, patching and upgrading, all the basics,” he added. “Then, add monitoring, user access controls and other automation. But it starts with the process and the drive. If management is willing, the solutions are there.”