NISPOM Change 2: Considerations for Building an Effective Insider Threat Program

Similar documents
The CERT Top 10 List for Winning the Battle Against Insider Threats

The Insider Threat Center: Thwarting the Evil Insider

Components and Considerations in Building an Insider Threat Program

DEFINITIONS AND REFERENCES

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Cyber Hygiene: A Baseline Set of Practices

Defining Computer Security Incident Response Teams

University of Pittsburgh Security Assessment Questionnaire (v1.7)

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

SECURITY & PRIVACY DOCUMENTATION

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

The Enemy Within: Dealing with Insider Threats

WORKSHARE SECURITY OVERVIEW

Cyber Threat Prioritization

Be Like Water: Applying Analytical Adaptability to Cyber Intelligence

QuickBooks Online Security White Paper July 2017

Cyber Security Program

Ohio Supercomputer Center

Preventing Insider Sabotage: Lessons Learned From Actual Attacks

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

2013 US State of Cybercrime Survey

Subject: University Information Technology Resource Security Policy: OUTDATED

Information Security Is a Business

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

University of Sunderland Business Assurance PCI Security Policy

MEETING ISO STANDARDS

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Denial of Service Attacks

Checklist: Credit Union Information Security and Privacy Policies

Software, Security, and Resiliency. Paul Nielsen SEI Director and CEO

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Oracle Data Cloud ( ODC ) Inbound Security Policies

Roles and Responsibilities on DevOps Adoption

Information Technology Branch Organization of Cyber Security Technical Standard

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

Security and Privacy Governance Program Guidelines

UTAH VALLEY UNIVERSITY Policies and Procedures

The Common Controls Framework BY ADOBE

Advancing Cyber Intelligence Practices Through the SEI s Consortium

Julia Allen Principal Researcher, CERT Division

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Google Cloud & the General Data Protection Regulation (GDPR)

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Security Standards for Electric Market Participants

Standard for Security of Information Technology Resources

MNsure Privacy Program Strategic Plan FY

ISAO SO Product Outline

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Information Technology General Control Review

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

How AlienVault ICS SIEM Supports Compliance with CFATS

Legal, Ethical, and Professional Issues in Information Security

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

locuz.com SOC Services

National Policy and Guiding Principles

ARINC653 AADL Annex Update

Researching New Ways to Build a Cybersecurity Workforce

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Donor Credit Card Security Policy

A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS

SAC PA Security Frameworks - FISMA and NIST

RMU-IT-SEC-01 Acceptable Use Policy

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE INTELLIGENCE COMMUNITY POLICY MEMORANDUM NUMBER

Putting It All Together:

Privacy Impact Assessment for the National Cyber Security Division Joint Cybersecurity Services Pilot (JCSP) DHS/NPPD-021.

External Supplier Control Obligations. Cyber Security

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

TSA/FTA Security and Emergency Management Action Items for Transit Agencies

Panel: Future of Cloud Computing

Table of Contents. PCI Information Security Policy

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

Trust Services Principles and Criteria

Career Center for Development of Security Excellence (CDSE) Pre-Approved for CompTIA CEUs

Information Security Policy

VMware vcloud Air SOC 1 Control Matrix

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Cyber Risks in the Boardroom Conference

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Goal-Based Assessment for the Cybersecurity of Critical Infrastructure

Analyzing 24 Years of CVD

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

What It Takes to be a CISO in 2017

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

PIPELINE SECURITY An Overview of TSA Programs

INFORMATION ASSET MANAGEMENT POLICY

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

INFORMATION ASSURANCE DIRECTORATE

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Software Assurance Education Overview

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

EXHIBIT A. - HIPAA Security Assessment Template -

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Transcription:

NISPOM Change 2: Considerations for Building an Effective Insider Threat Program Randall Trzeciak (rft@cert.org) July 7, 2016 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon and CERT are registered marks of Carnegie Mellon University. DM-0002495 2

The CERT Insider Threat Center Center of insider threat expertise Began working in this area in 2001 with the U.S. Secret Service Mission: enable effective insider threat mitigation, incident management practices, and develop capabilities for deterring, detecting, and responding to evolving cyber threats Action and Value: conduct research, modeling, analysis, and outreach to develop & transition socio-technical solutions to combat insider threats 3

Polling Question 2 Would you characterize your organization as: 1. Small (Less than 100 employees) 2. Medium (Between 100 and 999 employees) 3. Large (Between 1000 and 10000 employees) 4. Very Large (Greater than 10000 emplyees) 4

Executive Order 13587 5 2015 Carnegie Mellon University

Executive Order 13587 Structural Reforms To Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information October 7, 2011 Our Nation s security requires classified information to be shared immediately with authorized users around the world but also requires sophisticated and vigilant means to ensure it is shared securely. 6

Executive Order 13587 This order directs structural reforms to ensure responsible sharing and safeguarding of classified information on computer networks that shall be consistent with appropriate protections for privacy and civil liberties. Agencies bear the primary responsibility for meeting these twin goals. 7

Executive Order 13587 These structural reforms will ensure coordinated interagency development and reliable implementation of policies and minimum standards regarding information security, personnel security, and system security; address both internal and external security threats and vulnerabilities; and provide policies and minimum standards for sharing classified information both within and outside the Federal Government. 8

Polling Question 2 Do you currently have an insider threat program in place: 1. Yes 2. No 3. Not Sure 9

General Responsibilities of Agencies The heads of agencies that operate or access classified computer networks shall have responsibility for appropriately sharing and safeguarding classified information on computer networks. Designate a senior official to oversee classified information sharing and safeguards Implement an insider threat detection and prevention program Consistent with guidance and standards developed by Insider Threat Task Force (ITTF) Perform self-assessments of compliance with policies and standards and report results annually to Senior Information Sharing and Safeguarding Steering Committee Provide information and access to enable independent assessments 10

Insider Threat Task Force -1 Interagency Insider Threat Task Force Co-chaired by the Attorney General and Director of National Intelligence Officers from DoS, Defense, Justice, Energy, Homeland Security, ODNI, CIA, FBI, ONCIX Develop a government-wide insider threat program Deter, detect, and mitigate insider threats Safeguard classified information Develop policies, objectives, and priorities 11

Insider Threat Task Force -2 Responsibilities Develop government-wide policy for deterrence, detection, and mitigation of insider threats Develop minimum standards and guidance for implementation of the insider threat program Yearly: add or modify minimum standards and guidance, as appropriate Conduct independent assessments of adequacy of insider threat programs Provide assistance to agencies and dissemination of best practices 12

National Insider Threat Policy -1 The E.O. directs the ITTF to assist agencies in developing and implementing their insider threat programs, while ensuring the program standards do not erode civil liberties, civil rights, or privacy protections for government employees. Issued in November 2012 13

National Insider Threat Policy -2 Directs executive branch departments and agencies to establish, implement, monitor, and report on the effectiveness of insider threat programs to protect classified national security information Applicable to all D&As with access to classified information, or that operate or access classified computer networks; All employees with access to classified information or networks 14

NISPOM Change 2-1 National Industrial Security Program Operating Manual Change 2 Published May 18, 2016 Requires contractors* to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. Insider Threat Industrial Security Letter : "gather, integrate, and report relevant and credible information covered by any of the 13 personnel security adjudicative guidelines that is indicative of a potential or actual insider threat to deter cleared employees from becoming insider threats; detect insiders who pose a risk to classified information; and mitigate the risk of an insider threat. * Contractor: any industrial, educational, commercial, or other entity that has been granted a facility security clearance (FCL) by a Cognizant Security Agency (CSA) 15

NISPOM Change 2-2 Insider Threat Program The contractor will establish and maintain an insider threat program Gather, integrate, and report relevant and available information indicative of a potential or actual insider threat In accordance with E.O. 13587 The contractor will designate a U.S. citizen employee Senior official and cleared with the FCL Office To establish and execute an insider threat program 16

NISPOM Change 2-3 Insider Threat Training Ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained. Must be trained in: Counterintelligence and security fundamentals Procedures for conducting insider threat response actions Applicable laws and regulations regarding gathering, integration, retention, safeguarding, and use of records and data (including consequences of misuse of data) Applicable legal, civil liberties, and privacy policies 17

NISPOM Change 2-4 Insider Threat Training All cleared employees must be provided insider threat awareness training Either in-person or computer-based Within 30 days of initial employment or prior to being granted access to classified information Annually 18

Polling Question 4 Do you anticipate utilizing a full-time insider threat program team or a part-time program team? 1. Full-Time 2. Part-Time 3. Combination of Both Full and Part Time Staff 19

What This Means to Contractors CONTRACTORS MUST HAVE A WRITTEN PLAN IN PLACE TO BEGIN IMPLEMENTING INSIDER THREAT REQUIREMENTS NO LATER THAN NOVEMBER 30, 2016 20

Insider Threat Program Requirements -1 Assign an insider threat program (ITP) senior official Establish and maintain an ITP to gather, integrate, and report information (from HR, Security, Information Assurance, Legal, counterintelligence) about a potential or actual insider threat. Establish procedures to access, share, identify, and collaborate across the contractor organization to report information related to the 13 personnel security adjudicative guidelines. (Contractors are required to report relevant and credible information regarding potential and actual insider threats.) Ensure that insider threat programs address all cleared facility locations owned and operated by the contractor. 21

Insider Threat Program Requirements -2 Perform yearly self-inspections and certify with DSS. Allow independent assessments of their ITP. Develop a system or process to identify and report patterns of negligence and carelessness in handling classified information. Ensure that insider threat training is provided to all members of the contractor's ITP team and that new ITP team members complete the training within 30 days of joining the program team. 22

Insider Threat Program Requirements -3 Require insider threat awareness training for all employees before they are granted access to classified information and refresh their training yearly afterwards. To confirm training is complete, the contractor must have in place a training records management system. Implement the DSS-provided information security controls on classified information systems to detect insider threat behavior. Establish an oversight mechanism to ensure the proper handling and use of information collected through the ITP. 23

Insider Threat Program Requirements -4 Establish procedures and processes for insider threat response actions. Develop a process to document each insider inquiry, investigation, and remediation. 24

Goal for an Insider Threat Program 25 2015 Carnegie Mellon University

Goal for an Insider Threat Program Opportunities for prevention, detection, and response for an insider incident 26

CERT s Recommendations for Building an Insider Threat Program 27 2015 Carnegie Mellon University

Anomaly Detection 28

Baselining Establish normal behavior across bins. User-Based Compare each user to himself or herself. Role-Based Compare users in the same roles against each other. Pattern-Based Compare common patterns to previous occurrences of the pattern. Threshold-Based Compare the average number of activities/events. 29

Indicator Development 30

Indicators Technical Technical actions that could do your organization harm Behavioral Common precursors to insider activity Temporality and sequence 30-day rule Context is key Stimulus Job role Qualities of effective indicators Weighting Specificity 31

Technical Data 32

Security Device Reporting Analysis Operations analysts within the SOC typically monitor consoles where large amounts of information are collected from the security sensors and devices. This set of information includes IDS alerts IPS alerts Antivirus alerts Firewall logs Proxy logs Network flow records Packet capture and session recreation information Correlated events from security event managers External (global) threat and architecture information 33

Hub Tools UAM User Activity Monitoring (UAM): UAM refers to the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing information in order to detect insider threats and support authorized investigations. NITTF Guide Often serves as the starting point and core of an insider threat analysis hub. 34

Behavioral Data 35

Behavioral Data Sources Human Resources Management System Data Help Desk Trouble Ticket System Logs Physical Access Logs Phone Logs Personnel Security Systems Foreign Travel and Reporting Systems Financial Systems 36

Creation of a Data Analytic Hub 37 2015 Carnegie Mellon University

HUB Data Collection Notational Local Insider Threat Working Group Local Insider Threat Working Group Local Insider Threat Working Group Local Insider Threat Working Group Local Insider Threat Working Group 38

Chat Logs Application Logs Active Directory Logs Data Loss Prevention Logs Background Investigations Authentication Logs Antivirus Logs Account Creation Logs Configuration Change Logs Email Logs DNS Logs Firewall Logs File Access Logs Help Desk Ticket System Logs HTTP/SSL Proxy Logs Intrusion Detection/ Prevention Logs Mobile Device Manager Logs Data Sources for Insider Threat Detection, Prevention, and Response Technical Data Sources Non-Technical Data Sources Network Packet Tags Network Monitoring Logs Permission Change Monitor Logs Removable Media Manager Logs User Activity Monitoring Logs Wireless Spectrum Monitoring Logs Printer/ Scanner/ Copier/Fax Logs Telephone Records VPN Logs Anonymous Reporting Asset Management Logs AUP Violation Records Performance Evaluations Conflict of Interest Reporting Corporate Credit Card Records Disciplinary Records Foreign Contacts Reporting IP Policy Violation Records Physical Access Records Personnel Records Security Clearance Records Physical Security Violation Records Travel Reporting 39

Best Practices: Common Sense Guide to Mitigating Insider Threats http://resources.sei.cmu.edu/library/assetview.cfm?assetid=34017 40 2015 Carnegie Mellon University

CERT Recommended Best Practices for Insider Threat Mitigation Consider threats from insiders and business partners in enterprise-wide risk assessments. Clearly document and consistently enforce policies and controls. Incorporate insider threat awareness into periodic security training for all employees. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. Anticipate and manage negative issues in the work environment. Know your assets. Implement strict password and account management policies and practices. Enforce separation of duties and least privilege. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. Institutionalize system change controls. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions. Monitor and control remote access from all end points, including mobile devices. Develop a comprehensive employee termination procedure. Implement secure backup and recovery processes. Develop a formalized insider threat program. Establish a baseline of normal network device behavior. Be especially vigilant regarding social media. Close the doors to unauthorized data exfiltration. Institute stringent access controls and monitoring policies on privileged users. 41

Wrap Up 42 2015 Carnegie Mellon University

CERT Insider Threat Center Services Building an Insider Threat Program Insider Threat Program Manager Certificate (ITPM-C) Insider Threat Vulnerability Assessment Insider Threat Vulnerability Assessor Certificate (ITVA-C) Evaluating an Insider Threat Program Insider Threat Program Evaluator Certificate (ITPE-C) Insider Threat Control/Indicator Development / Deployment Insider Threat Data Analytics Hub Development / Deployment Insider Threat Training (1/2 day, 1 day, and 2 day interactive workshops) Customized Insider Threat Research Ontology Development and Maintenance Sentiment / Linguistic Analysis Insider Threat Tool Evaluation Criteria Development 43

For More Information Insider Threat Center website http://www.cert.org/insider-threat/ Insider Threat Center Email: insider-threat-feedback@cert.org Insider Threat Blog http://www.cert.org/blogs/insider-threat/ 44

References -1 Executive Order 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information https://www.whitehouse.gov/the-press-office/2011/10/07/executive-order- 13587-structural-reforms-improve-security-classified-net National Insider Threat Policy https://www.ncsc.gov/nittf/docs/national_insider_threat_policy.pdf 45

References -2 DoD 5220.22-M: National Industrial Security Program Operating Manual http://www.dss.mil/documents/odaa/nispom2006-5220.pdf Industry Insider Threat Information and Resources Page (DSS) http://www.dss.mil/it/index.html Insider Threat Industrial Security Letter http://www.dss.mil/documents/isp/isl2016-02.pdf 13 Personnel Security Adjudicative Guidelines https://www.gpo.gov/fdsys/pkg/cfr-2012-title32-vol1/xml/cfr-2012- title32-vol1-part147.xml 46

Point of Contact Insider Threat Technical Manager Randall F. Trzeciak CERT Program Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA 15213-3890 +1 412 268-7040 Phone rft@cert.org Email http://www.cert.org/insider_threat/ 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback