Components and Considerations in Building an Insider Threat Program

Similar documents
2013 US State of Cybercrime Survey

The CERT Top 10 List for Winning the Battle Against Insider Threats

ARINC653 AADL Annex Update

Cyber Threat Prioritization

Preventing Insider Sabotage: Lessons Learned From Actual Attacks

The Insider Threat Center: Thwarting the Evil Insider

Current Threat Environment

Empirically Based Analysis: The DDoS Case

Defining Computer Security Incident Response Teams

Service Level Agreements: An Approach to Software Lifecycle Management. CDR Leonard Gaines Naval Supply Systems Command 29 January 2003

Fall 2014 SEI Research Review Verifying Evolving Software

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Kathleen Fisher Program Manager, Information Innovation Office

Cyber Hygiene: A Baseline Set of Practices

Architectural Implications of Cloud Computing

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Using Model-Theoretic Invariants for Semantic Integration. Michael Gruninger NIST / Institute for Systems Research University of Maryland

Architecting for Resiliency Army s Common Operating Environment (COE) SERC

COMPUTATIONAL FLUID DYNAMICS (CFD) ANALYSIS AND DEVELOPMENT OF HALON- REPLACEMENT FIRE EXTINGUISHING SYSTEMS (PHASE II)

Multi-Modal Communication

A Review of the 2007 Air Force Inaugural Sustainability Report

Corrosion Prevention and Control Database. Bob Barbin 07 February 2011 ASETSDefense 2011

FUDSChem. Brian Jordan With the assistance of Deb Walker. Formerly Used Defense Site Chemistry Database. USACE-Albuquerque District.

Concept of Operations Discussion Summary

Technological Advances In Emergency Management

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

NISPOM Change 2: Considerations for Building an Effective Insider Threat Program

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

C2-Simulation Interoperability in NATO

4. Lessons Learned in Introducing MBSE: 2009 to 2012

DoD Common Access Card Information Brief. Smart Card Project Managers Group

Dana Sinno MIT Lincoln Laboratory 244 Wood Street Lexington, MA phone:

CENTER FOR ADVANCED ENERGY SYSTEM Rutgers University. Field Management for Industrial Assessment Centers Appointed By USDOE

Running CyberCIEGE on Linux without Windows

Vision Protection Army Technology Objective (ATO) Overview for GVSET VIP Day. Sensors from Laser Weapons Date: 17 Jul 09 UNCLASSIFIED

ENVIRONMENTAL MANAGEMENT SYSTEM WEB SITE (EMSWeb)

By Derrick H. Karimi Member of the Technical Staff Emerging Technology Center. Open Architectures in the Defense Intelligence Community

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

Information, Decision, & Complex Networks AFOSR/RTC Overview

75th Air Base Wing. Effective Data Stewarding Measures in Support of EESOH-MIS

Introducing I 3 CON. The Information Interpretation and Integration Conference

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Using Templates to Support Crisis Action Mission Planning

Directed Energy Using High-Power Microwave Technology

ATCCIS Replication Mechanism (ARM)

Information Security Is a Business

ASSESSMENT OF A BAYESIAN MODEL AND TEST VALIDATION METHOD

Distributed Real-Time Embedded Video Processing

Space and Missile Systems Center

US Army Industry Day Conference Boeing SBIR/STTR Program Overview

SEI Webinar Series. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA January 27, Carnegie Mellon University

Towards a Formal Pedigree Ontology for Level-One Sensor Fusion

U.S. Army Research, Development and Engineering Command (IDAS) Briefer: Jason Morse ARMED Team Leader Ground System Survivability, TARDEC

Setting the Standard for Real-Time Digital Signal Processing Pentek Seminar Series. Digital IF Standardization

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024

Energy Security: A Global Challenge

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Wireless Connectivity of Swarms in Presence of Obstacles

Computer Aided Munitions Storage Planning

An Update on CORBA Performance for HPEC Algorithms. Bill Beckwith Objective Interface Systems, Inc.

Guide to Windows 2000 Kerberos Settings

Space and Missile Systems Center

Secure FAST: Security Enhancement in the NATO Time Sensitive Targeting Tool

MODELING AND SIMULATION OF LIQUID MOLDING PROCESSES. Pavel Simacek Center for Composite Materials University of Delaware

The C2 Workstation and Data Replication over Disadvantaged Tactical Communication Links

Data to Decisions Terminate, Tolerate, Transfer, or Treat

Headquarters U.S. Air Force. EMS Play-by-Play: Using Air Force Playbooks to Standardize EMS

QuanTM Architecture for Web Services

M&S Strategic Initiatives to Support Test & Evaluation

Accuracy of Computed Water Surface Profiles

Julia Allen Principal Researcher, CERT Division

Use of the Polarized Radiance Distribution Camera System in the RADYO Program

Office of Global Maritime Situational Awareness

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

The State of Standardization Efforts to support Data Exchange in the Security Domain

A Multilevel Secure MapReduce Framework for Cross-Domain Information Sharing in the Cloud

32nd Annual Precise Time and Time Interval (PTTI) Meeting. Ed Butterline Symmetricom San Jose, CA, USA. Abstract

SURVIVABILITY ENHANCED RUN-FLAT

ASPECTS OF USE OF CFD FOR UAV CONFIGURATION DESIGN

Exploring the Query Expansion Methods for Concept Based Representation

Topology Control from Bottom to Top

Dr. Stuart Dickinson Dr. Donald H. Steinbrecher Naval Undersea Warfare Center, Newport, RI May 10, 2011

Situational Awareness Metrics from Flow and Other Data Sources

DoD M&S Project: Standardized Documentation for Verification, Validation, and Accreditation

Washington University

2011 NNI Environment, Health, and Safety Research Strategy

Dynamic Information Management and Exchange for Command and Control Applications

A Distributed Parallel Processing System for Command and Control Imagery

BUPT at TREC 2009: Entity Track

Denial of Service Attacks

David W. Hyde US Army Engineer Waterways Experiment Station Vicksburg, Mississippi ABSTRACT

Nationwide Automatic Identification System (NAIS) Overview. CG 939 Mr. E. G. Lockhart TEXAS II Conference 3 Sep 2008

Web Site update. 21st HCAT Program Review Toronto, September 26, Keith Legg

Safety- and Security-Related Requirements for

Coalition Interoperability Ontology:

VICTORY VALIDATION AN INTRODUCTION AND TECHNICAL OVERVIEW

Monte Carlo Techniques for Estimating Power in Aircraft T&E Tests. Todd Remund Dr. William Kitto EDWARDS AFB, CA. July 2011

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

UMass at TREC 2006: Enterprise Track

Transcription:

Components and Considerations in Building an Insider Threat Program Carly Huth Insider Threat Researcher, CEWM Carly L. Huth is an insider threat researcher in the Cyber Enterprise and Workforce Management Directorate in the CERT Program at the Software Engineering Institute (SEI). Huth s current areas of research include the intersections of privacy and technology as well as the effects of the current regulatory environment on insider threat prevention practices. Robin Ruefle Technical Staff - CERT Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. Ruefle has co-authored: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services List, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, and numerous other articles and guides.

Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 08 AUG 2013 2. REPORT TYPE 3. DATES COVERED 00-00-2013 to 00-00-2013 4. TITLE AND SUBTITLE Components and Considerations in Building an Insider Threat Program 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Carnegie Mellon University,Software Engineering Institute,Pittsburgh,PA,15213 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 11. SPONSOR/MONITOR S REPORT NUMBER(S) 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified Same as Report (SAR) 18. NUMBER OF PAGES 22 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Motivation for a Program to ensure the responsible sharing and safeguarding of classified national security information on computer networks. Source: Executive Order 13587, quoted in GCN (http://s.tt/1ai6l) To ensure protection of and appropriate access to intellectual property and other critical assets, systems, and data To be prepared and ready to handle such events in a consistent, timely, and quality manner including understanding who to involve who has authority who to coordinate with who to report to what actions to take what improvements to make

Goal for a Program Opportunities for prevention, detection, and response for an insider attack

Component Overview Cross-enterprise project planning and implementation group Designated staff to manage and operate the Insider Threat Program Multi-level training and awareness program Infrastructure support Cross-organizational data collection and analysis Incident Response Plan Policies, procedures, and practices created or enhanced to support insider threat program Protection of civil liberties and privacy rights

Insider Threat Program Participants (Notional)

Multi-level Training and Awareness General awareness, training, and refreshers for all staff Definitions for insider threat Types of insider threat crimes and activities and motivations How staff can be targeted and social engineered When, how, and what to report regarding suspicious human or computer activity Acceptable use policy and repercussions for violation Responsibility for protecting IP, data, and systems and for reporting Role based training for areas of the organization HR Legal IT and Security Facilities Specific training for Insider Threat Program staff

Infrastructure Support Prevention and Detection Data loss prevention Monitoring, filtering, blocking Data Collection and Analysis Synthesis and aggregation Correlation Repository for data analysis

Data Aggregation and Analysis Determine types of data to be collected Supporting authority and permission Methods for obtaining data Criteria for user monitoring Privileged users Role based Asset based Criteria for suspicious or potential malicious behavior Scoring criteria Alerting mechanisms Escalation mechanisms

Incident Response Plan How incidents perpetrated by insiders are Detected Reported Contained Remediated Documented Prosecuted (if applicable) How processes change for different types of threats: Fraud Theft of IP Sabotage Espionage How processes change when involvement includes Contracts and SLAs Unions Privileged users Cloud computing servers and data centers

Response Options Internal Retraining Personnel actions Organizational sanctions Legal actions External Referral to internal investigative unit or counter intelligence (if applicable) Referral to local or federal law enforcement if applicable Response Considerations Think about response to precursors not just to incidents that have occurred. Responses must be documented and practiced consistently All response procedures should be coordinated with General Counsel Privacy and civil liberties must be consider at all times

Policies, Procedures, and Practices Examples include but are not limited to: Reporting Confidential reporting mechanism Requirement to report Information Technology Acceptable use Separation of duties Code reviews Least privilege No shared accounts Change control Configuration management

Criminal Background Screening Best Practices Practices apply to all employment decisions, including promotions Even neutral policies can impact certain groups of candidates more than others; generally, policies shouldn t automatically exclude all candidates with criminal history Be cautious when using arrest records, conviction records provide better evidence Train all relevant staff about complying with the equal employment laws and keep all candidate criminal information confidential

Criminal Background Screening Best Practices Screenings should be job related and consistent with a business need Often, a targeted screening is recommended, where the employer considers: The nature of the crime How long ago the crime took place The nature of the job Best Practices Adapted from the Equal Employment Opportunity Commission s Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964.

6 Essential Legal Considerations Create, maintain and enforce acceptable use and monitoring policies Obtain employee acknowledgement of policies and communicate any updates Don t rely solely on policies; protect proprietary information through technical measures such as access controls

6 Essential Legal Considerations Consider the need to review logs for evidence when creating your data retention policies Be cautious of performing your own investigations, make sure to preserve evidence Be prompt when issuing a legal response Considerations adapted from: Chickowski, 5 Ways to Lose a Malicious Insider Lawsuit, available at: http://www.darkreading.com/ insider-threat/167801100/security/news/240000436/five-ways-to-lose-a-malicious-insider-lawsuit.html? cid=nl_dr_daily_2012-05-16_html&elq=c5ac1d36f4564d6bbe7fa410608fb160

Summary

Implementation Strategy First 30-90 Days Obtain buy-in from top management Designate a senior manager to be the Insider Threat Program Manager Create a working group to plan the project and implementation (include representative from key areas) Collect information on what is already in place and can be leveraged Talk to others who have programs, research recommendations Identify the organizational structure of an enterprise Insider Threat Program Identify roles and responsibilities for the program Next 90-180 Days Develop staffing requirements, competencies, and a workforce management plan Develop initial training requirements and materials Architect data collection, aggregation, and analysis methodology and tools

The CERT Top 10 List for Winning the Battle Against Insider Threats

Resources

CERT Resources Insider Threat Center website (http://www.cert.org/insider_threat/) Common Sense Guide to Mitigating Insider Threats, 4 th Ed. (http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm) The Insider Threat and Employee Privacy: An Overview of Recent Case Law, Computer Law and Security Review, Volume 29, Issue 4, August 2013 by Carly L. Huth Insider threat workshops Insider threat assessments New controls from CERT Insider Threat Lab Insider threat exercises The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak

Points of Contact Robin M. Ruefle Technical Team Lead, ETVM Organizational Solutions CERT Program, Software Engineering Institute Phone: +1 412 268-6752 Email: rmr@cert.org Carly L. Huth Member of the Technical Staff, ETVM CERT Program, Software Engineering Institute Phone: +1 412 268-5760 Email: clhuth@cert.org

Copyright 2013 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of AFCEA or the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. DM-0000552

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback