The 10 Commandments of Insider Threat Management

Transcription

1 The 10 Commandments of Insider Threat Management Counterintelligence Practices Updated for the Digital Age Cary Williams Principal Consultant 2017 LEIDOS. ALL RIGHTS RESERVED. Cleared by ITC (KB) 2/22/17 PIRA #DIS The wording LEIDOS used throughout is a registered trademark in the U.S. Patent and Trademark Office owned by Leidos, Inc.

2 I have Defender DNA. Whether it be counterintelligence for the CIA or commercial clients, early childhood lessons in responsible stewardship have developed in me a strong commitment to preserve the things we value.

3 Insider Threat Definitions The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the U.S. This threat can include damage to the U.S. through espionage, terrorism, unauthorized disclosure of information, or through the loss or degradation of Departmental resources or capabilities. Department of Justice An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems. Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency's obligations to protect classified national security information. National Industrial Security Program Operating Manual (NISPOM) Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD s ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities. Defense Security Service 3

4 Insider Threat Definitions The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the U.S. This threat can include damage to the U.S. through espionage, terrorism, unauthorized disclosure of information, or through the loss or degradation of Departmental resources or capabilities. Department of Justice An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems. Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency's obligations to protect classified national security information. National Industrial Security Program Operating Manual (NISPOM) Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD s ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities. Defense Security Service 4

5 Insider Threat Definitions The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the U.S. This threat can include damage to the U.S. through espionage, terrorism, unauthorized disclosure of information, or through the loss or degradation of Departmental resources or capabilities. Department of Justice An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems. Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency's obligations to protect classified national security information. National Industrial Security Program Operating Manual (NISPOM) Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD s ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities. Defense Security Service 5

6 Insider Threat Definitions The threat that an insider will use their authorized access, wittingly or unwittingly, to do harm to the security of the U.S. This threat can include damage to the U.S. through espionage, terrorism, unauthorized disclosure of information, or through the loss or degradation of Departmental resources or capabilities. Department of Justice An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems. Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) The likelihood, risk, or potential that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States. Insider threats may include harm to contractor or program information, to the extent that the information impacts the contractor or agency's obligations to protect classified national security information. National Industrial Security Program Operating Manual (NISPOM) Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD s ability to accomplish its mission. These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities. Defense Security Service 6

7 Background & Context Counterintelligence (CI) Foundation Predates proliferation of modern information technology (IT) systems War Story: Commo Center investigation ~1989 REDWOP Barium Pill application Different approach than prevailing IT product solutions to Insider Threat CIIT not ITCI 7

8 Background & Context Presentation: The 10 Commandments of Counterintelligence Jim Olson James Olson Distinguished 25 year veteran in CIA s Directorate of Operations Former Chief of CIA s Counterintelligence Center (CIC) Currently Senior Lecturer at Texas A&M Bush School of Government and Public Service 8 Jim Olson Photo Source:

9 The Commandments 9

10 I. Be Offensive The best defense is a good offense. Proactivity is essential Differentiator with other security disciplines Original Context: DA Operations War Story: IO Neutralization Ethnic service member Did not assimilate well; marginal job performance Possible relatives in denied area Worked with operational plans Contrived accidental contact Queries for assistance to locate relatives Vince Lombardi 10 Photo Source:

11 I. Be Offensive Relevance to Insider Threat Threat evolves, human element remains constant Focus on the actor, not the instrument War Story: Vehicle surveillance Identify potential risk indicators before they otherwise manifest Non-technical behaviors essential Sole reliance on technical monitoring inadequate Challenges of unstructured data 11 Photo Source

12 III. Own The Street To preempt, you need awareness Original Context: Necessity of physical surveillance War Story: Bus surveillance op Heightened terrorist threat Targeting of Americans DoD school buses Predictable places/times International school Rehearsal witnessed Final pre-attack cycle stage 12 Photo Source

13 III. Own The Street Relevance to Insider Threat: Vigilance over the digital highway Activities indicative of malfeasance Intent, or lack thereof, dictates risk treatment 2016 Spotlight Report: Inadvertent (71%) and unwitting (68%) breaches Transparency sets expectations Monitoring tools disclosure Enforcement is key Resultant deterrence Laws without enforcement are just good advice. Photo Source Abe Lincoln 13

14 V. Do Not Ignore Analysis Original Context: Connect the proverbial dots A small details may be the most important Myriad collection means Surveillance reports, black bag jobs, access agents, technical collections, etc. Must be collated / analyzed Can be archived, sans analysis, for future reference 14 Photo Source

15 V. Do Not Ignore Analysis 15 Relevance to Insider Threat: Analysis is key Data streams must be collated / analyzed Otherwise why bother? Due diligence & due care War Story: PRI aggregation Privileged user sysadmin Security incidents Divorce / associated debt Sensitive program volunteer Failed polygraph Drug use / infidelity admission

16 Next Step Evaluate your risk Design a program against identified areas of priority Solicit buy-in from for successful implementation

17 Thank you. Questions and Discussion