Developing Your Insider Threat Program: Insider Threat Best Practices presented at The National Security Supply Chain: Reducing the Vulnerabilities meeting by the Government Technology & Services Coalition (GTSC)
2. Threat is Now: Recent Malicious Insiders
Major Nidal Hassan – Responsible for
shooting at Fort Hood Texas
Bradley Manning – Unauthorized
disclosure to WikiLeaks
Edward Snowden – Unauthorized
disclosure of NSA surveillance programs
Aaron Alexis – Responsible for
shooting at the Washington Navy Yard
CENTRA TECHNOLOGY, INC.
2
3. Why Consider Insider Threat?
Protect national security and corporate assets
– We don’t want to be in the news
Will be required by Government
– Changes to NISPOM
– Required by Sponsors
Want to ensure we are taking positive steps to
protect our company and assets
CENTRA TECHNOLOGY, INC.
3
4. How to Begin…
Do your research: Tons of free resources available
– CERT
• Common Sense Guide to Mitigating Insider Threats
– DSS
• Insider threat video and brochures
– FBI website and movie “Betrayed”
– ONCIX website
– ASIS
• “Detecting the Insider Threat,” October 2013
CENTRA TECHNOLOGY, INC.
4
6. Step 1: Identify the Team
Identify team members who understand and can
contribute to the mission:
–
–
–
–
COO
HR
Security
IT
Who will be responsible for:
–
–
–
–
Drafting the plan
Reporting to sponsors and Government
Bi-monthly meetings
Budget approval
CENTRA TECHNOLOGY, INC.
6
7. Step 2: Understand Your Assets
Conduct a risk assessment
Talk to management about assets
– What are the corporate jewels?
– Are they currently protected?
– How sensitive are they?
• What is the risk if they are leaked?
– Who has access to the information?
CENTRA TECHNOLOGY, INC.
7
8. Step 3: Tighten Up Procedures
Tighten procedures
– Termination procedures
– Unclassified data handling and access
Document expectations to staff
Violation policy
CENTRA TECHNOLOGY, INC.
8
9. Step 4: Security Education
Free cartoons, brochures, articles available
– No need to reinvent the wheel!
Incorporate insider threat into annual refresher training
Monthly security news item on reporting
Updated current policies
– Acceptable Use Policy
Ensure staff understand reporting; make it easy for staff
to report confidentially
CENTRA TECHNOLOGY, INC.
9
10. Step 5: Draft a Plan
Document what you have learned
Steps 1-4:
–
–
–
–
Team
What are assets and overall risk
What procedures have been impacted
Security education program
Work-in-progress
CENTRA TECHNOLOGY, INC.
10
11. Confronting the Insider Threat
“It is important for each company to identify what an insider threat is
and to set a policy in place on how to deal with insider threats. The
policies must outline certain types of behavior that warrant scrutiny,
disciplinary action, or even termination so that companies have a basis
from which to work when they do identify potential threats.”
ASIS: October 2013
CENTRA TECHNOLOGY, INC.
11
12. Encourage Reporting
Encourage employees to report
Provide confidential means of reporting
Staff holding security clearance are required to report
adverse information, including potential threats
Trust your instincts, if you see something, say something!
It is better to report something that turns out to be nothing
than to not report a serious security issue
CENTRA TECHNOLOGY, INC.
12
13. Detecting the Insider
Post incident investigations reveal family, friends, or
coworkers notice a suspect’s indicators, but they fail to
report concerns
“Subjects often tell people close to them what they are doing, and
sometimes even engage associates in the process. Former intimates
(spouses, lovers, close friends – people with whom they spent a good
deal of time) are a potentially important source of information in all
investigations.”*
*Source: Declassified Director of Central Intelligence Memorandum of 12 April 1990; Subject: Project Slammer
Interim Report
CENTRA TECHNOLOGY, INC.
13
14. Threat Indicators
Apparent unexplained affluence or excessive indebtedness
Efforts to conceal foreign contacts, travel, or foreign interests
Access to information or IT systems without need-to-know
Exploitable behavior
– criminal activity
– excessive gambling
– drug or alcohol abuse
– problems at work
Questionable judgment or untrustworthiness
CENTRA TECHNOLOGY, INC.
14
15. Threat Indicators, cont.
Apparent mental, emotional or personality disorders(s)
Disgruntled
Working odd or late hours
Unreported foreign travel
Suspicious foreign contacts
Unreported offer of financial assistance, gifts, or favors by a foreign
national or stranger
Requesting access to information outside of official job duties
including sensitive or classified information
CENTRA TECHNOLOGY, INC.
15
16. Summary of Best Practices
Know your people; recognize concerning behaviors as
potential indicators
Protect your “crown jewels”
Pay close attention at termination
Monitor ingress and egress points (IT systems and
physical security)
Baseline normal activity and look for anomalies
Work together across organization
Educate employees regarding potential recruitment
CENTRA TECHNOLOGY, INC.
16