CENTRA TECHNOLOGY, INC.

Insider Threat: Best Practices

Katherine D. Mills, CENTRA Technology, Inc.

Developing Your Insider Threat Program: Insider Threat Best Practices

Developing Your Insider Threat Program: Insider Threat Best Practices presented at The National Security Supply Chain: Reducing the Vulnerabilities meeting by the Government Technology & Services Coalition (GTSC)

Threat is Now: Recent Malicious Insiders

Major Nidal Hasan – Responsible for shooting at Fort Hood, Texas

Aaron Alexis – Responsible for shooting at the Washington Navy Yard

Bradley Manning – Unauthorized disclosure to WikiLeaks

Edward Snowden – Unauthorized disclosure of NSA surveillance programs

Why Consider Insider Threat?

Protect national security and corporate assets

– We don’t want to be in the news

Will be required by Government

– Changes to NISPOM

– Required by Sponsors

Want to ensure we are taking positive steps to protect our company and assets

How to Begin…

Do your research: Tons of free resources available

– CERT

• Common Sense Guide to Mitigating Insider Threats

– DSS

• Insider threat video and brochures

– FBI website and movie “Betrayed”

– ONCIX website

– ASIS

• “Detecting the Insider Threat,” October 2013

Steps

Team

Assets

Procedures

Awareness

Document plan

Step 1: Identify the Team

Identify team members who understand and can contribute to the mission:

– COO

– HR

– Security

– IT

Who will be responsible for:

– Drafting the plan

– Reporting to sponsors and Government

– Bi-monthly meetings

– Budget approval

Step 2: Understand Your Assets

Conduct a risk assessment

Talk to management about assets

– What are the corporate jewels?

– Are they currently protected?

– How sensitive are they?

• What is the risk if they are leaked?

– Who has access to the information?

Step 3: Tighten Up Procedures

Tighten procedures

– Termination procedures

– Unclassified data handling and access

Document expectations to staff

Violation policy

Step 4: Security Education

Free cartoons, brochures, articles available – No need to reinvent the wheel!

Incorporate insider threat into annual refresher training

Monthly security news item on reporting

Updated current policies

– Acceptable Use Policy

Ensure staff understand reporting; make it easy for staff to report confidentially

Step 5: Draft a Plan

Document what you have learned

Steps 1-4:

– Team

– What are assets and overall risk

– What procedures have been impacted

– Security education program

Work-in-progress

Confronting the Insider Threat

“It is important for each company to identify what an insider threat is and to set a policy in place on how to deal with insider threats. The policies must outline certain types of behavior that warrant scrutiny, disciplinary action, or even termination so that companies have a basis from which to work when they do identify potential threats.”

ASIS: October 2013

Encourage Reporting

Encourage employees to report

Provide confidential means of reporting

Staff holding security clearance are required to report adverse information, including potential threats

Trust your instincts: if you see something, say something!

It is better to report something that turns out to be nothing than to not report a serious security issue

Detecting the Insider

Post-incident investigations reveal that family, friends, or coworkers notice a suspect’s indicators but fail to report their concerns

“Subjects often tell people close to them what they are doing, and sometimes even engage associates in the process. Former intimates (spouses, lovers, close friends – people with whom they spent a good deal of time) are a potentially important source of information in all investigations.”*

*Source: Declassified Director of Central Intelligence Memorandum of 12 April 1990; Subject: Project Slammer Interim Report

Threat Indicators

Apparent unexplained affluence or excessive indebtedness

Efforts to conceal foreign contacts, travel, or foreign interests

Access to information or IT systems without need-to-know

Exploitable behavior

– criminal activity

– excessive gambling

– drug or alcohol abuse

– problems at work

Questionable judgment or untrustworthiness

Threat Indicators, cont.

Apparent mental, emotional or personality disorder(s)

Disgruntled

Working odd or late hours

Unreported foreign travel

Suspicious foreign contacts

Unreported offer of financial assistance, gifts, or favors by a foreign national or stranger

Requesting access to information outside of official job duties including sensitive or classified information

Summary of Best Practices

Know your people; recognize concerning behaviors as potential indicators

Protect your “crown jewels”

Pay close attention at termination

Monitor ingress and egress points (IT systems and physical security)

Baseline normal activity and look for anomalies

Work together across organization

Educate employees regarding potential recruitment
