TRANSCRIPT
The Insider: A Significant Threat Which Should Be Addressed
Sponsored by:
ASIS International Human Threat Management Council
ASIS International Intellectual Property Protection Council
Disclaimer
The topics discussed in this presentation do not reflect the official opinions or policies of the U.S. Department of Defense, Department of Justice, the United States Air Force, the Federal Bureau of Investigation or the National Archives and Records Administration!
Agenda
• Introduction (Kevin Peterson - Moderator)
• History and Behavioral Indicators of an Insider Threat (Neil Carmichael)
• Threat Vectors (Bruce Wimmer)
• New Government and Law Enforcement Requirements (Charlie Margiotta)
• Trusted Insiders (Neil Carmichael)
• Trusted Partners (Myrah Kirkwood)
• Building an Insider Threat Program (Joe Rector)
• Questions & Answers
History and Behavioral Indicators of an Insider Threat
Neil C. Carmichael, Jr., ITPM
Director, Insider Threat Program
National Archives and Records Administration
Definition
An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. The insider threat comes in two categories:
• Malicious insiders: people who take advantage of their access to inflict harm on an organization.
• Negligent insiders: people who make errors and disregard policies, which places their organizations at risk.
History
• Aldrich Ames (1994), Central Intelligence Agency: US classified information
• Anders Burius (1995 & 2004), National Library of Sweden: two antique books from the National Library
• Robert Hanssen (2001), Federal Bureau of Investigation: US classified information
• Sergey Aleynikov (2007-2009), Goldman Sachs: downloaded 32 MB of proprietary computer code that could have cost his employer millions
• David Yen Lee (2009-2010), Valspar: downloaded trade secrets from a secure computer system, valued at between $7 million and $20 million
• Michael Mitchell (2010), DuPont: stole trade secrets for a rival company, $187K
• Shalin Jhaveri (2011), Bristol-Myers Squibb: stole information to start a rival company
• Chelsea Manning (2013), U.S. Army: unauthorized release of classified documents
• Edward Snowden (2013), Booz Allen Hamilton: unauthorized release of classified documents
• Unknown insider (2016), Mossack Fonseca: “Panama Papers”, 11.4 million documents
• Candace Marie Claiborne (2019), Department of State: concealed foreign contacts
• Jerry Chun Shing Lee (2010-2019), Central Intelligence Agency: money transferred to his account from Hong Kong
• Steffan Needham (2019), Voova (IT consultant): accessed servers and deleted customers' information, $650K in damage
• Mulazim Hussain (2018), Apotex: stole intellectual property with plans to set up his own business
• Galen Marsh (2015), Morgan Stanley: stole details of 10% of Morgan Stanley wealth clients
Behavioral Indicators
• Access without need or authorization; takes proprietary or other material home via documents, thumb drives, computer disks, or e-mail.
• Inappropriately seeks or obtains proprietary or classified information on subjects not related to their work duties.
• Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors.
• Unnecessarily copies material, especially if it is proprietary or classified.
• Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
• Disregards company computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
• Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.
• Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel; short trips to foreign countries for unexplained or strange reasons.
• Unexplained affluence; buys things that they cannot afford on their household income.
• Engages in suspicious personal contacts, such as with competitors, business partners or other unauthorized individuals.
• Overwhelmed by life crises or career disappointments.
• Shows unusual interest in the personal lives of coworkers; asks inappropriate questions regarding finances or relationships.
• Concern that they are being investigated; leaves traps to detect searches of their work area or home; searches for listening devices or cameras.
Threat Vectors
Bruce Wimmer, CPP
Senior Director of Corporate Risk Services, G4S
“Insiders” include:
- Current employees (full-time and part-time)
- Former employees (especially those who just resigned or were terminated)
- Contractors/Vendors (also including repair/maintenance support, shippers, cleaners, security, cafeteria, legal, etc.)
Insider Threats include:
- Inadvertent/negligent employees
- Disgruntled/activist employees
- Planted insiders
- Employees colluding with outsiders
  • State sponsored
  • Competitors (including new businesses formed by former employees)
  • Criminals
- Malicious employees/selfish ladder climbers
- Non-responsive employees
Threat Activities Include:
- Theft of Trade Secrets, Intellectual Property and Research and Development data
- Theft of property of value
- Sabotage
- Embezzlement
- Planting misinformation or misleading information
- Using cyber compromise; theft or
- Eavesdropping/recording
- Copying/printing
- Trash Cover
New Requirements for Government and Law Enforcement
Charles Margiotta
Deputy Assistant Director, Security Division
Federal Bureau of Investigation
Trusted Insiders
Neil C. Carmichael, Jr., ITPM
Director, Insider Threat Program
National Archives and Records Administration
A DEFINITION OF INSIDER THREAT from Digital Guardian
An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.
Contractors, business associates, and other individuals or third-party entities who have knowledge of an organization’s security practices, confidential information, or access to protected networks or databases also fall under the umbrella of insider threat. An insider threat may also be described as a threat that cannot be prevented by traditional security measures that focus on preventing access to unauthorized networks from outside the organization or defending against traditional hacking methods.
Trusted Insiders
Holistic Approach: Employee
Holistic Approach: Contractor and Partners
Trusted Partners
Myrah Kirkwood, CPP
Area Manager – Asset Protection, AT&T
BEST PRACTICES
• Trusted partners (subcontractors/vendors/franchisees) who access company systems, facilities, etc., have a direct impact on the organization’s insider threat program.
DEFINE POLICIES
• Trusted Partner agreements must be in place that include language stating that company systems are restricted to authorized users for official company business only and unauthorized access, attempted access, use or modification of any systems will result in revoking access and/or criminal and civil penalties.
ACCESS RISK
• Benjamin Lawsky, Superintendent of Financial Services for the State of New York opined that “a company’s cybersecurity is often only as good as the cybersecurity of its vendors.” This saying is true whether it involves cybersecurity, or a disgruntled employee who causes a security incident.
AUTHENTICATE USERS
• The best way to protect credentials is to proactively manage and control them. When someone joins a partner organization, an account is created and access is provided. That account and access must then be terminated when that individual leaves the company or changes role. To ensure such actions are handled in a timely fashion, automated vendor reporting of staffing changes is advised.
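As an added illustration that is not part of the presentation, the following Python sketch shows how two of the access-related behavioral indicators listed earlier (remote access while on vacation or sick leave, and work at odd hours) and the partner-account revocation point on this slide can be checked together: remote-access log lines are correlated with a roster fed by HR and by automated vendor staffing reports. The roster, the log lines, the log format and the business-hours policy are all constructed sample values.

```python
from datetime import datetime
# Constructed roster (stands in for an HR feed plus automated vendor staffing reports).
ROSTER = {
    "jdoe":   {"status": "active",     "org": "employee"},
    "asmith": {"status": "on_leave",   "org": "employee"},
    "vpatel": {"status": "terminated", "org": "vendor"},  # left the vendor; account still exists
}

# Constructed remote-access log lines: "<ISO timestamp> user=<id> action=<login|logout> src=<ip>"
LOG_LINES = [
    "2019-09-09T10:15:00 user=jdoe action=login src=203.0.113.5",
    "2019-09-09T02:40:00 user=jdoe action=login src=203.0.113.5",
    "2019-09-10T11:00:00 user=asmith action=login src=198.51.100.7",
    "2019-09-11T09:30:00 user=vpatel action=login src=192.0.2.9",
    "2019-09-11T17:05:00 user=jdoe action=logout src=203.0.113.5",
]

BUSINESS_HOURS = range(7, 20)  # assumed policy: 07:00-19:59 local time, Monday to Friday

def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, *fields = line.split()
    return datetime.fromisoformat(ts), dict(f.split("=", 1) for f in fields)

def flag_login(ts, user, roster):
    """Return the indicator tags raised by a single login event (empty list if none)."""
    tags = []
    entry = roster.get(user)
    if entry is None:
        tags.append("unknown_account")           # no roster record: orphaned or shared account
    elif entry["status"] == "terminated":
        tags.append("access_after_offboarding")  # access should already have been revoked
    elif entry["status"] == "on_leave":
        tags.append("access_while_on_leave")     # remote access during vacation or sick leave
    if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
        tags.append("off_hours_access")          # odd hours or weekend work
    return tags

def review(lines, roster=ROSTER):
    """Map each user to the set of indicators raised across their logins."""
    findings = {}
    for line in lines:
        ts, kv = parse_line(line)
        if kv.get("action") != "login":
            continue
        tags = flag_login(ts, kv["user"], roster)
        if tags:
            findings.setdefault(kv["user"], set()).update(tags)
    return findings
```

The output of `review` is a queue for an analyst, not a trigger for automatic action; a single off-hours login is routine for many roles, and the indicator only gains weight alongside the others on the slide.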
ENFORCE PROCEDURES
• Processes/policies that are in place must be enforced by the business units who own the vendor relationships and handle the associated operational processes.
MONITOR COMPLIANCE AND INVESTIGATE
• Monitoring compliance of policies and procedures is required in protecting and enhancing a company's brand, reputation and profitability. The specific level and scope of monitoring depend on the company’s risk and exposure considerations. Once a system breach or security incident is discovered or reported, vigorous investigation of the matter is paramount to mitigation.
Building an Insider Threat Program
Joseph Rector, CPP, PSP, PCI, CISSP
Deputy Director, 11th Security Forces Group
Program Goal: Prevent, Detect, Respond
Source: The CERT Guide to Insider Threats
Essential Elements of an InTP (figure)
Source: http://www.insaonline.org/InsiderThreat
Key Components of an Insider Threat Program
• Formalized/Defined Program
• Policies and Procedures
• Integration w/ Enterprise Risk Management
• Insider Threat Practices with regard to Trusted Business Partners
• Insider Threat Training and Awareness
• Insider Threat Incident Response Plan
• Insider Threat Communication Plan
• Prevention, Detection and Response Infrastructure
• Data Collection and Analysis Tools, Techniques and Practices
• Program Oversight and Compliance
• Confidential Reporting Tools and Mechanisms
• Organization-wide Participation
Resources
• Carnegie Mellon University Software Engineering Institute CERT Resources - https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232
• Center for Development of Security Excellence Insider Threat Toolkit - https://www.cdse.edu/toolkits/insider/index.php
• Defense Human Resources Activity Resources - https://www.dhra.mil/PERSEREC/Products/#InsiderRisk
• Intelligence and National Security Alliance (INSA) - https://www.insaonline.org/?s=insider+threat
Resources (Cont)
• National Insider Threat Task Force – https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf
• Federal Bureau of Investigation Resources – https://www.fbi.gov/resources
• National Intellectual Property Rights Coordination Center – https://www.iprcenter.gov/
• United States Secret Service National Threat Assessment Center (NTAC) – https://www.secretservice.gov/protection/ntac/
Insider Threat Awareness Month
Questions and Answers