insider threat - Nebraska InfraGard


The Insider Threat
Peter Sakaris CISSP
Booz Allen Hamilton,
1299 Farnam Street
Suite 1230, Omaha, NE 68102
402-232-3829 Office
Definition
An insider threat to an organization is a current or former
employee, contractor, or other business partner who has or
had authorized access to an organization's network, system,
or data and intentionally or unintentionally exceeded or
misused that access in a manner that negatively affected the
confidentiality, integrity, or availability of the organization's
information or information systems and/or compromised the
physical security of the organization
CERT, http://www.cert.org/insider-threat/
Indicators
Some important/potential indicators of an insider threat:
• Greed/financial need, Vulnerability to blackmail, Compulsive
and destructive behavior, Rebellious or passive aggressive
behavior, Ethical “flexibility”, Reduced loyalty
• Entitlement – narcissism (ego/self-image)
• Inability to assume responsibility for actions
• Intolerance of criticism
• Pattern of frustration and disappointment
Source: Combating the Insider Threat 2 May 2014 DHS, http://www.dss.mil/documents/ci/Insider-Threats.pdf
Commonalities
Of those who have committed espionage since 1950:
• More than 1/3 had no security clearance
• Twice as many “insiders” volunteered as were recruited
• Naturalized U.S. citizens
• Most recent spies acted alone
• Nearly 85% passed information before being caught
• Out of the 11 most recent cases, 90% used computers while
conducting espionage and 2/3 used the Internet to initiate
contact
Behavioral Indicators
• Works odd hours without authorization
• Notable enthusiasm for overtime, weekend or unusual work
schedules
• Unnecessarily copies material, especially if it is proprietary or
classified
• Signs of vulnerability, such as drug or alcohol abuse, financial
difficulties, gambling, illegal activities, poor mental health or
hostile behavior.
• Be on the lookout for warning signs among employees such
as the acquisition of unexpected wealth, unusual foreign
travel, irregular work hours or unexpected absences
Lone Wolf Phenomenon
Program Development
• Vet everyone and every entity that can or does have
access to internal networks from the outside or
physical spaces
• Outward facing security combined with seamless
security
• Specific program developed depends upon
organizational culture but general security
principles apply
• Culture and process are important concepts
Insider Threat Program Development
• Culture of the organization must encourage
reporting
• Reporting mechanism must be clear and
concise. Who do I call?
• Anonymity must be guaranteed
• Awareness and Training activities
– Discussion: policies, resources, and
reporting methods
– Role playing
– Seminars
References
US CERT, SEI, at Carnegie-Mellon University
Department of Homeland Security
Secret Service
Federal Bureau of Investigation (CI and Cyber)
National Insider Threat Task Force (USD(I))
Defense Security Service (IS and CI)
Questions?