Cyber Summit 2016: Insider Threat Indicators: Human Behaviour
TRANSCRIPT
Insider Threat
«HUMAN BEHAVIOUR»
Sgt. Mario Vachon, M.Sc.
Insider Threat Security Specialist
RCMP Departmental Security Branch
Cybera Cyber Summit Using Technology Responsibly
Banff, Alberta October 27, 2016
A National Strategy Built Upon Four Pillars
«Building a Culture of Security»
Protected B
“The thief who is the hardest to detect and who can cause the most damage is the insider. It is the employee with legitimate access”
US Federal Bureau of Investigation (FBI)
“Who has the most knowledge about your organization, its vulnerabilities and the value of its information? Those inside or outside? Clearly employees are well placed to compromise your data”
Dr. S. Kabilan, Conf. Board of Canada
A Trusted Employee
Who Poses the Biggest Threat?
Figure 1: The Largest Risk to an Organization (Percentage by User Group)
• Privileged Users: 55%
• Contractors / Service Providers: 46%
• Business Partners: 43%
• Ordinary Employees: 35%
• Executive Management: 28%
• Other IT Staff: 25%
2015 Vormetric Insider Threat Report
From Left: Edward Snowden, Chelsea Manning & Jeffrey Delisle
Understanding the Traitor / Mole / Spy
• They changed over time
• Almost all were trustworthy and loyal when first given a security clearance (security screened, interviewed, polygraphed)
• Majority volunteered their services to a foreign government. They were not enticed, persuaded, manipulated or coerced
70%
• Mostly male, 30 to 50 years old
• Middle management
• Emotional, personal crisis
• Unhappy
• Work frustrations
30%
• Mostly male, 20 to 26 years old
• Entry to low management
• Immature, impulsive
• Unhappy
• Ideological view, whistle-blower
The usual suspects are …
The Usual Suspects
… with access to facilities and networks
… with access to sensitive information and ideological views, marital, financial difficulties and/or substance abuse
… with privileged access
80% vs 20%
Detection of Risk Indicators
2016 - Sgt. Mario Vachon, M.Sc.
RCMP Insider Threat Security Specialist
Pathway to Commit an Insider Attack
1. Personality Disorders
2. Stressors
3. Concerning Behaviours
Intention
Volition
1. Personality Disorders / Predispositions
• Antisocials
• Psychopaths
• Opportunists
• Narcissists
2. Stressors
• Financial Pressure / Poor Financial Responsibility / Greed
• Life Crisis: Personal / Marital / Family / Death / Illness
• Work Issues: Frustration / Cynicism / Vengeance / Grudge / Injustice / Spite / Disgruntlement / Conflict / Disappointment
• Legal Issues: Administrative / Civil / Criminal
3. Concerning Behaviours
• Personal Conduct: Immature / Violence / Immoral / Bias / Retaliatory / Deviant / Dishonest / Lack of Integrity / Manipulative / Impulsive / Poor Judgment / Security & IT Policy Violations
• Divided Loyalty: Political / Country / Association / Social Network / Employer
• Ideological: Radicalization / Religion / Terrorism / Beliefs
• Egotistical / Entitlement
• Exploitable / Vulnerable Lifestyle: Alcohol / Drug / Gambling / Sexual Paraphilia
UK Insider Threat Study
2013 CPNI Insider Data Collection Study
Centre for the Protection of National Infrastructure
5 Types of Insider Activities
• Unauthorized Disclosures
• Corruption
• Facilitation of Third Party Access
• Physical Sabotage
• IT Sabotage / Hacking
Male 82%
Female 18%
Age 31 - 45
60% committed by employees with less than xx years of service
Permanent Employees 88%
> 5 years
Self-Initiated 76%
Primary Motivation
20% 47% 14% 14%
Financial, Ideology, Recognition / Ego, Loyalty
Can you find the Insider?
Photo by: Don Tudd
Topsy Farms, Ontario
Sgt. Mario Vachon, M.Sc.
Insider Threat Security Specialist
Departmental Security Branch
Royal Canadian Mounted Police
«Detection of Risk is useless without Resolution of Doubt»