Developing Your Insider Threat Program: Insider Threat Best Practices
DESCRIPTION
Developing Your Insider Threat Program: Insider Threat Best Practices, presented at The National Security Supply Chain: Reducing the Vulnerabilities meeting by the Government Technology & Services Coalition (GTSC)
TRANSCRIPT
Page 1
CENTRA TECHNOLOGY, INC.
1
Insider Threat: Best Practices
Katherine D. Mills
CENTRA Technology, Inc.
Threat is Now: Recent Malicious Insiders
Major Nidal Hasan – Responsible for shooting at Fort Hood, Texas
Aaron Alexis – Responsible for shooting at the Washington Navy Yard
Bradley Manning – Unauthorized disclosure to WikiLeaks
Edward Snowden – Unauthorized disclosure of NSA surveillance programs
Why Consider Insider Threat?
Protect national security and corporate assets
– We don’t want to be in the news
Will be required by Government
– Changes to NISPOM
– Required by Sponsors
Want to ensure we are taking positive steps to protect our company and assets
How to Begin…
Do your research: Tons of free resources available
– CERT
• Common Sense Guide to Mitigating Insider Threats
– DSS
• Insider threat video and brochures
– FBI website and movie “Betrayed”
– ONCIX website
– ASIS
• “Detecting the Insider Threat,” October 2013
Steps
Team
Assets
Procedures
Awareness
Document plan
Step 1: Identify the Team
Identify team members who understand and can contribute to the mission:
– COO
– HR
– Security
– IT
Who will be responsible for:
– Drafting the plan
– Reporting to sponsors and Government
– Bi-monthly meetings
– Budget approval
Step 2: Understand Your Assets
Conduct a risk assessment
Talk to management about assets
– What are the corporate jewels?
– Are they currently protected?
– How sensitive are they?
• What is the risk if they are leaked?
– Who has access to the information?
Step 3: Tighten Up Procedures
Tighten procedures
– Termination procedures
– Unclassified data handling and access
Document expectations to staff
Violation policy
Step 4: Security Education
Free cartoons, brochures, articles available – No need to reinvent the wheel!
Incorporate insider threat into annual refresher training
Monthly security news item on reporting
Updated current policies
– Acceptable Use Policy
Ensure staff understand reporting; make it easy for staff to report confidentially
Step 5: Draft a Plan
Document what you have learned
Steps 1-4:
– Team
– What are assets and overall risk
– What procedures have been impacted
– Security education program
Work-in-progress
Confronting the Insider Threat
“It is important for each company to identify what an insider threat is
and to set a policy in place on how to deal with insider threats. The
policies must outline certain types of behavior that warrant scrutiny,
disciplinary action, or even termination so that companies have a basis
from which to work when they do identify potential threats.”
ASIS: October 2013
Encourage Reporting
Encourage employees to report
Provide confidential means of reporting
Staff holding security clearance are required to report
adverse information, including potential threats
Trust your instincts: if you see something, say something!
It is better to report something that turns out to be nothing
than to not report a serious security issue
Detecting the Insider
Post-incident investigations reveal that family, friends, or coworkers notice a suspect’s indicators but fail to report their concerns
“Subjects often tell people close to them what they are doing, and
sometimes even engage associates in the process. Former intimates
(spouses, lovers, close friends – people with whom they spent a good
deal of time) are a potentially important source of information in all
investigations.”*
*Source: Declassified Director of Central Intelligence Memorandum of 12 April 1990; Subject: Project Slammer Interim Report
Threat Indicators
Apparent unexplained affluence or excessive indebtedness
Efforts to conceal foreign contacts, travel, or foreign interests
Access to information or IT systems without need-to-know
Exploitable behavior
– criminal activity
– excessive gambling
– drug or alcohol abuse
– problems at work
Questionable judgment or untrustworthiness
Threat Indicators, cont.
Apparent mental, emotional or personality disorder(s)
Disgruntled
Working odd or late hours
Unreported foreign travel
Suspicious foreign contacts
Unreported offer of financial assistance, gifts, or favors by a foreign
national or stranger
Requesting access to information outside of official job duties
including sensitive or classified information
Summary of Best Practices
Know your people; recognize concerning behaviors as potential indicators
Protect your “crown jewels”
Pay close attention at termination
Monitor ingress and egress points (IT systems and physical security)
Baseline normal activity and look for anomalies
Work together across organization
Educate employees regarding potential recruitment