Insider Threat: 5 Steps To Protect Your Company

Katherine D. Mills
CENTRA Technology, Inc.


Introduction

5 Step Process
– Creating a plan for your company

Best Practices
– Transforming your company
– CI Indicators


Threat is Now: Recent Malicious Insiders

Major Nidal Hasan – Responsible for shooting at Fort Hood, Texas

Aaron Alexis – Responsible for shooting at the Washington Navy Yard

Bradley “Chelsea” Manning – Unauthorized disclosure to WikiLeaks

Edward Snowden – Unauthorized disclosure of NSA surveillance programs


Other Malicious Insiders

Telecommunications employee

Aerospace engineer

Software engineer

Chemical contractor

Search insider threat
– Hundreds of examples, costing the Government and companies millions


Why Consider Insider Threat?

Protect national security and corporate assets
– We don’t want to be in the news

Will be required by Government
– Changes to NISPOM
– Required by Sponsors

Want to ensure we are taking positive steps to protect our company and assets


How to Begin…

Do your research: Tons of free resources available

– CERT
  • Common Sense Guide to Mitigating Insider Threats
– DSS
  • Insider threat video and brochures
– FBI website and movie “Betrayed”
– ONCIX website
– ASIS
  • “Confronting the Insider Threat,” October 2013


CERT

Common Sense Guide to Mitigating Insider Threats


Defense Security Service

Insider Threat videos and brochures


Federal Bureau of Investigation

The Insider Threat Page
– An Introduction to Detecting and Deterring an Insider Spy

Betrayed: The Trusted Insider


ONCIX

National Insider Threat Task Force (NITTF)

National Insider Threat Policy and the Minimal Standards


ASIS International: Security Management

Confronting the Insider Threat
– By Laura Spadanuta, October 2013 issue of Security Management


Steps to Building a Plan

Team

Assets

Procedures

Awareness

Document plan


Step 1: Identify the Team

Identify team members who understand and can contribute to the mission:
– COO
– HR
– Security
– IT

Who will be responsible for:
– Drafting the plan
– Regular meetings
– Budget approval
– Reporting to sponsors and Government
– Conducting an investigation


Step 2: Understand Your Assets

Conduct a risk assessment

Talk to management about assets:

– What are the corporate jewels?

– How well are they currently protected?

– How sensitive are they?
  • What is the risk if they are leaked?

– Who has access to the information?


Step 3: Tighten Up Procedures

Tighten procedures

– Termination procedures

– Unclassified data handling and access

– IT system access

Document expectations to staff

Violation policy


Step 4: Security Education

Free cartoons, brochures, articles available – No need to reinvent the wheel!

Incorporate insider threat into annual refresher training

Monthly security news item on reporting

Update current policies and publicize

Ensure staff understand reporting; make it easy for staff to report confidentially


Step 5: Draft a Plan

Document what you have learned

Steps 1-4:
– Team
– What are assets and overall risk
– What procedures have been impacted
– Security education program

Work-in-progress


Confronting the Insider Threat

“It is important for each company to identify what an insider threat is and to set a policy in place on how to deal with insider threats. The policies must outline certain types of behavior that warrant scrutiny, disciplinary action, or even termination so that companies have a basis from which to work when they do identify potential threats.”

ASIS: Confronting the Insider Threat by Laura Spadanuta, October 2013


Encourage Reporting

Encourage employees to report

Provide confidential means of reporting

Staff holding security clearance are required to report adverse information, including potential threats

Trust your instincts; if you see something, say something!

It is better to report something that turns out to be nothing than to not report a serious security issue


Detecting the Insider

Post-incident investigations reveal that family, friends, or coworkers notice a suspect’s indicators but fail to report their concerns

“Subjects often tell people close to them what they are doing, and sometimes even engage associates in the process. Former intimates (spouses, lovers, close friends – people with whom they spent a good deal of time) are a potentially important source of information in all investigations.”*

*Source: Declassified Director of Central Intelligence Memorandum of 12 April 1990; Subject: Project Slammer Interim Report


Threat Indicators

Apparent unexplained affluence or excessive indebtedness

Efforts to conceal foreign contacts, travel, or foreign interests

Access to information or IT systems without need-to-know

Exploitable behavior

– criminal activity

– excessive gambling

– drug or alcohol abuse

– problems at work

Questionable judgment or untrustworthiness


Threat Indicators, cont.

Apparent mental, emotional or personality disorder(s)

Disgruntled

Working odd or late hours

Unreported foreign travel

Suspicious foreign contacts

Requesting access to information outside of official job duties including sensitive or classified information


Summary of Best Practices

Know your people; recognize concerning behaviors as potential indicators

Protect your “crown jewels”

Pay close attention at termination

Monitor ingress and egress points (IT systems and physical security)

Baseline normal activity and look for anomalies

Work together across organization

Educate employees regarding potential recruitment
