The CERT Top 10 List for Winning the Battle Against Insider Threats


The CERT Top 10 List for Winning the Battle Against Insider Threats
Dawn Cappelli, CERT Insider Threat Center, Software Engineering Institute, Carnegie Mellon University
Session ID: STAR-203
Session Classification: Intermediate

Copyright 2012 Carnegie Mellon University. This material is based upon work supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

*These restrictions do not apply to U.S. government entities.

CERT is a registered mark of Carnegie Mellon University.

Could this happen to you?
Actual insider incidents:
A night-time security guard plants malware on the organization's computers
A programmer quits his job and takes source code back to his country of birth
A group of employees works with outsiders to carry out a lucrative fraud scheme
These are only a few examples of the types of insider threats we are trying to prevent.

Outline of the Presentation
Introduction
Structure of this presentation
Top 10 List
Questions / Comments

What is the CERT Insider Threat Center?
A center of insider threat expertise established in 2001.
Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop and transition socio-technical solutions to combat insider cyber threats.

CERT Insider Threat Center Objective
Identify opportunities for prevention, detection, and response across the life cycle of an insider attack.

Structure of the Presentation
For each of the ten items:
Compelling real case examples to reinforce why the item made the Top 10 list, and why you should care
Explanation of the mitigation strategy
What other organizations are doing
Details you need to consider

Top 10 List

#10: Learn from past incidents
Some organizations experience the same types of insider crimes more than once.
When you have an attack, implement controls to catch it next time.
Some organizations:
Create formal teams to examine past incidents and implement new controls

#9: Focus on protecting the crown jewels
One third of CERT's insider theft of IP cases involve a foreign government or organization.
What would happen if your IP was stolen and taken out of the country?
Most insiders use authorized access to steal IP, but they don't always require that access: the privileges they hold are often wider than their job needs.
Some organizations:
Implement extra controls for THE most critical IP
Protect against erosion of access controls (access that accumulates as people change roles and is never revoked)

#8: Use your current technologies differently
Some organizations:
Create an insider threat team, or train Security Operations Center (SOC) staff about insider threat
Use Intrusion Detection Systems (IDS) to examine data going out as well as data coming in
Tailor use of existing tools to reduce information overload (Data Leakage Protection, host-based controls, change controls)
Create signatures in Security Information and Event Management (SIEM) systems / log correlation tools to detect suspicious insider activity, for example:
After-hours reconnaissance activity by privileged system users who are on the HR radar
Exfiltration via email within 30 days of resignation
Both of these signatures join technical logs with information only HR holds (who is on the radar, who has resigned), which is why the cross-organization communication in #2 below is a prerequisite.
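The two SIEM signatures above, worked through as an added example that is not part of the CERT deck: a small Python correlator that joins a command-audit feed and an outbound-mail gateway feed with an HR watchlist. The log lines, the watchlist, the field names, the list of reconnaissance commands, the business-hours window and the choice of a 30-day window ending on the resignation date are all constructed assumptions for illustration, not CERT's own rules or data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): a command-audit
# feed and an outbound-mail gateway feed, both in "TIMESTAMP key=value ..." form.
SAMPLE_LOGS = """\
2012-03-01T02:14:07 host=fs01 user=jdoe type=cmd cmd="net view /domain"
2012-03-01T10:05:00 host=ws22 user=jdoe type=cmd cmd="net view /domain"
2012-03-02T23:40:11 host=fs01 user=bwong type=cmd cmd="net view /domain"
2012-01-05T09:01:00 host=mx01 user=asmith type=mail to=colleague@example.com attachments=1 bytes=120000
2012-02-20T16:22:03 host=mx01 user=asmith type=mail to=asmith.home@webmail.example attachments=3 bytes=48213000
2012-02-25T11:30:00 host=mx01 user=asmith type=mail to=partner@other.example attachments=0 bytes=2000
2012-03-10T08:45:19 host=mx01 user=asmith type=mail to=asmith.home@webmail.example attachments=2 bytes=9100000
"""

# Constructed HR feed (assumption): who is "on the HR radar", whether they
# hold privileged access, and any known resignation/termination date.
HR_WATCHLIST = {
    "jdoe":   {"privileged": True,  "resignation": None},
    "asmith": {"privileged": False, "resignation": datetime(2012, 3, 15)},
}

INTERNAL_DOMAINS = {"example.com"}
BUSINESS_HOURS = (8, 18)                 # local time; 08:00-17:59 counts as in-hours
RESIGNATION_WINDOW = timedelta(days=30)  # assumption: the 30 days up to the resignation date
# Hypothetical reconnaissance command prefixes; tune to your own estate.
RECON_PREFIXES = ("net view", "net group", "nltest", "ldapsearch", "dsquery")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one 'TIMESTAMP k=v k="v v"' line into a dict; 'ts' becomes a datetime."""
    ts_text, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")}
    for key, value in _KV.findall(rest):
        event[key] = value.strip('"')
    return event


def is_after_hours(ts):
    """Weekend, or outside the BUSINESS_HOURS window on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def rule_after_hours_recon(event, watchlist):
    """Privileged user on the HR radar running recon commands outside business hours."""
    person = watchlist.get(event.get("user"))
    if not person or not person["privileged"] or event.get("type") != "cmd":
        return None
    cmd = event.get("cmd", "").lower()
    if cmd.startswith(RECON_PREFIXES) and is_after_hours(event["ts"]):
        return ("after_hours_recon", event["user"], event["ts"], cmd)
    return None


def rule_pre_resignation_exfil(event, watchlist):
    """Mail with attachments to an external domain within 30 days before resignation."""
    person = watchlist.get(event.get("user"))
    if not person or not person["resignation"] or event.get("type") != "mail":
        return None
    domain = event.get("to", "").rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS or int(event.get("attachments", 0)) == 0:
        return None
    resign = person["resignation"]
    if resign - RESIGNATION_WINDOW <= event["ts"] <= resign:
        return ("pre_resignation_exfil", event["user"], event["ts"], event["to"])
    return None


RULES = (rule_after_hours_recon, rule_pre_resignation_exfil)


def detect(log_text, watchlist=HR_WATCHLIST):
    """Run every rule over every log line; return (rule, user, timestamp, detail) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for rule in RULES:
            hit = rule(event, watchlist)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for name, user, ts, detail in detect(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M}  {name:<22} {user:<8} {detail}")
```

On the constructed data this raises three alerts: jdoe's 02:14 "net view" (the 10:05 copy is in hours, and bwong is not on the watchlist), and asmith's two attachment-bearing mails to a personal webmail address inside the 30-day window (the internal mail, the out-of-window mail and the attachment-free mail are ignored). The design point is the join: neither rule fires without the HR feed, and the thresholds (hours, window, recon list) are the knobs you tune to keep the SOC from drowning in noise.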

#7: Mitigate threats from trusted business partners
Trusted Business Partners (TBPs) include contractors and outsourced companies.
Some organizations:
Specify information security controls in contracts
Require the same controls for their TBPs as they require internally
Audit TBP policies and procedures
Require the same policies and procedures for contractors as for employees

#6: Recognize concerning behaviors as a potential indicator
Concerning behaviors are the 4th most common issue of concern in the CERT Insider Threat Database; negative employment issues are the 8th.
Both are most prevalent in insider IT sabotage and theft of IP cases.
Some organizations:
Educate management staff on insider threat indicators
Tell security staff which employees are on the HR radar
Integrate cyber insider threat mitigation with their workplace violence program

#5: Educate employees regarding potential recruitment
Recruitment of an insider by outsiders is the 3rd most common issue of concern in the CERT Insider Threat Database.
Carefully consider: do you have any systems or data that an insider could be paid to steal or modify? Financial data, Personally Identifiable Information (PII), identity documents, utility bills, food stamps, credit histories, ...
Some organizations:
Perform periodic background checks for existing employees

#4: Pay close attention at resignation / termination!
Change in employment status is the TOP issue of concern in the CERT Insider Threat Database, but typically not in fraud cases.
Some organizations:
Perform targeted employee monitoring of low-performing employees and of employees who will be laid off or terminated
Implement special controls for their most critical IP

#3: Address employee privacy issues with General Counsel
Employee privacy presents a tricky legal issue: laws and regulations differ between the private sector, government, and the various critical infrastructure sectors.
Some organizations:
Have created and implemented insider threat policies and processes by working with Human Resources, General Counsel, Information Security / Information Technology, Security, and top management

#2: Work together across the organization
IT cannot solve this alone! Communication is needed across Management, Information Security / Information Technology, Security, Data Owners, Software Engineering, General Counsel, and Human Resources.
Some organizations:
Achieve this communication, but only after significant suspicious activity warrants an investigation
Have achieved proactive communication between some of these organizational units

#1: Create an insider threat program NOW!
In the first three months following this presentation you should:
Obtain buy-in from top management
Form an insider threat team
Create policies (approved by General Counsel)
Develop processes and implement controls
Within six months you should:
Roll out and consistently enforce the policies
Regularly communicate across your organization

#1: Create an insider threat program NOW! (continued)
Some organizations:
Follow an enterprise-wide insider threat strategic plan created by C-level managers
Have designated a Director responsible for the insider threat program
Have made a significant investment in an insider threat program

CERT Resources
Insider Threat Center website: http://www.cert.org/insider_threat/
Common Sense Guide to Prevention and Detection of Insider Threats: http://www.cert.org/archive/pdf/csg-V3.pdf
Insider threat workshops: http://www.cert.org/insider_threat/docs/workshop.pdf
Insider threat assessments: http://www.cert.org/insider_threat/docs/assessment.pdf
New controls from the CERT Insider Threat Lab: http://www.cert.org/insider_threat/controls/
Insider threat exercises
The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), SEI Series in Software Engineering, by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak

The CERT Top 10 List for Winning the Battle Against Insider Threats
10. Learn from past incidents
9. Focus on protecting the crown jewels
8. Use your current technologies differently
7. Mitigate threats from trusted business partners
6. Recognize concerning behaviors as a potential indicator
5. Educate employees regarding potential recruitment
4. Pay close attention at resignation / termination!
3. Address employee privacy issues with General Counsel
2. Work together across the organization
1. Create an insider threat program NOW!

Questions / Comments

Point of Contact
Dawn M. Cappelli
Director, CERT Insider Threat Center
CERT Program, Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
Phone: +1 412 268-9136
Email: dmc@cert.org
http://www.cert.org/insider_threat/