Security Management: Confronting the Insider Threat

Michael G. Gelles, Psy.D., Deloitte & Touche LLP

March 3, 2008

Copyright © 2007 Deloitte Development LLC. All rights reserved.

Setting the Stage:

System Study for Municipal Domestic Water Security

Damage to key components of a domestic municipal water system from source to distribution resulting from the trusted insider threat. Some issues to be taken into consideration include:

– How effective are current measures against this threat?

– What are state-of-the-art emerging concepts for improved defenses against insider threats?

– What level of damage might be inflicted on a system depending on the level of knowledge of the insider?

– What are the effects of physical sabotage vs electronic sabotage in terms of severity of damage?

Provided by L. Vance Taylor


Objectives

• Examine the nature of the insider threat, including any employee who has access to sensitive, classified, or proprietary information.

• Assess how changes in today’s global economy, evolving technology and changing workforce impact risks.

• Review potential strategies for managing the threat and minimizing damage.


Asset Loss Defined

• Asset loss is the end result of actions taken by an employee or insider who has access to sensitive, classified, or proprietary information that, when disclosed, causes damage to an organization’s interests.

• The insider threat exists within every organization where an employee perceives some inequity or injustice that leads the employee to consider some action as a solution to their perceived problem.


Asset Loss

• Exploitation of research and technology solutions

• Disruption of supply chains

• Directed sabotage and contamination

• Disclosure of proprietary to classified information

• Complacency to security policy

• Undermining protection to infrastructure

• Manipulating financial accounts

• National security/national interests

• Information systems infrastructure

• Economic/proprietary interests


Espionage, embezzlement, sabotage

Espionage: The act or practice of spying or of using spies to obtain secret information, as about another government or a business competitor.

Embezzlement: “The fraudulent conversion of property of another by a person in lawful possession of that property.” Crimes of this nature generally have involved a relationship of trust and confidence, such as an agent, fiduciary, trustee, treasurer, or attorney.

Sabotage: The deliberate act of destruction or disruption in which equipment or a product is damaged, to hinder normal operations. Targets include infrastructure such as power stations, products such as pet food or medication, and IT systems.


Ana Montes

• Synopsis:
– Turned over classified photos, info on US military games and DIA assessments of Cuba
– Revealed identity of 4 undercover agents

• Motivation:
– Moral conviction: a love of Cuba and a loathing of US policy toward the “impoverished nation”
– A strong need to help the little guy

Source: Washington Times, September 22, 2006; Frontpagemag.com, “Castro’s Top Spy,” March 29, 2002


Terrorism

• The adversary has repeatedly attempted to use “insiders” to access information, material, and/or knowledge of facilities and secure sites

• The greatest threat posed to security and safety may be someone who is already on the “inside” who becomes radicalized

• While considerable efforts have been taken to ensure the physical security of ports of entry, the true vulnerability rests with the people who work at the ports and facilities, and who handle material and cargo that is transferred along a supply chain.

While our greatest national investment has been focused on an attempt to mitigate the never-ending physical vulnerability, some of our greatest vulnerabilities exist with the people who function physically within those allegedly secure facilities.


Iyman Farris

• 34-year-old of Kashmiri descent, came to US in 1994, citizenship 1999, lived in Columbus, OH

• Made pilgrimage to Mecca in 2000, then traveled to Afghanistan and trained in AQ camps via TJ

• Tasked by KSM to target the US infrastructure. Assessed the feasibility of bringing down the Brooklyn Bridge by slashing its suspension cables. Sent an email to KSM prior to March 2003: “The weather is too hot.” (target too hard)

• “Drove fuel trucks to airports”

• Pleaded guilty to 2 counts of providing material support to terrorists

Source: CNN, “Ohio Trucker Joined Al Qaeda Jihad,” June 19, 2003


Process

(Diagram: Insider Threat + Assets → Asset Loss)

Insider Threat

• access to sensitive, classified or proprietary information which, if improperly disclosed, could cause damage

• employee perceives some inequity or injustice

• leads the employee to consider some action against the organization as a solution to their perceived problem

• sees themselves above the rules

Assets

• assets include people, material, and information

• assets are the core components of the organization and if not properly managed can impact the agency’s success and future.

Asset Loss

The end result of a pattern of discernible behavior exhibited by an employee or close associate of an organization or corporation that results in eventual asset loss

An organization’s greatest strength and vulnerability are its people.


How does asset loss happen?

• Individual disclosures

• Public disclosures

• Violence as a solution to problem

• Contamination

• Extortion

• Facilitation of others through complacency

• Public demonstration

• Media leaks


Underlying Themes

• Process of idea to action

• Discernible patterns of behavior

• Personality Styles

• Crisis is a trigger

• Cumulative problems, conflicts and disputes

• Actions are deemed to be a solution


Consequences

• The results of insider exploitation can have a deleterious and destructive effect on
– the organization, corporation
– general public
– free trade, commerce
– national security
– public confidence and safety

• The loss of critical assets can result not just in loss of revenue, but also
– loss of confidence
– loss of security
– in some instances loss of life.


Mitigating the Threat

• Recognize Vulnerabilities

• Identify a pattern of risk

• Interrupt Forward Motion

• Disrupt potential loss

• Manage the context: technology, facilities, personnel


Context may have changed, behavior has not

• Criminal intent versus complacency

• “Bits and bites vs. bricks and mortar”

• Recruitment and exploitation online: web page, chat rooms

• Changing work force: Gen Y and networked lifestyle

• Scientific ‘romance’

• Career mobility and resiliency

• Dual identity and dual loyalty


Catalysts

• Entitled and undervalued in the organization

• “Connectedness” and validation in cyberspace: anonymous, and subject to internal versus external constraints

• A world built on immediate access

• Minimal commitments to employers; greater commitment to self and career

• Distance no obstacle


Cyber Security

• Viruses, worms, trojans

• Hacking/Cracking

• Brute force attacks

• Identity theft

• Denial of service attacks

• Cons/Fraud

• Disgruntled employees

• Disruption of infrastructure

• Openness of university systems

• University networks as conduits


The Maroochy Water Services Case

• One of the most celebrated SCADA (supervisory control and data acquisition) system breaches occurred at Maroochy Water Services on Queensland’s Sunshine Coast in Australia [6, 13]. In March 2000, Maroochy Shire Council experienced problems with its new wastewater system. Communications sent by radio links to wastewater pumping stations were being lost, pumps were not working properly, and alarms put in place to alert staff to faults were not going off.

• It was initially thought there were teething problems with the new system.

• Some time later, an engineer who was monitoring every signal passing through the system discovered that someone was hacking into the system and deliberately causing the problems. In time, the perpetrator, Vitek Boden, a former contractor, was arrested and eventually jailed.


The Maroochy Water Services Case

• Mr. Boden used a laptop computer and a radio transmitter to take control of 150 sewage pumping stations. Over a three-month period, he released one million liters of untreated sewage into a storm water drain from where it flowed to local waterways.

• The attack was motivated by revenge on the part of Mr. Boden after he failed to secure a job with the Maroochy Shire Council.

• The Maroochy Water Services case has been cited around the world as an example of the damage that could occur if SCADA systems are not secured.

• This SCADA security incident also has to be viewed in the context of Australian


Characteristics of the employee at risk

• Not impulsive

• No single motive

• History of managing crises ineffectively

• Pattern of frustration, disappointment, and a sense of inadequacy

• Seeks validation

• Aggrandized view of their abilities and achievements

• Strong sense of entitlement

• Views self above the rules

• Actions seek immediate gratification, validation and satisfaction.

• If needs not met:
– Rebellious
– Passive aggressive
– Destructive
– Complacent
– Self-perceived value exceeds performance
– Intolerance of criticism
– Inability to assume responsibility for their actions
– Blaming of others
– Minimizing their mistakes or faults


Exploitation of employees or associates

• Persons with access can also be exploited by others, whether they are witting or unwitting, based on a belief that they are being
– polite
– helpful
– responsive
– interested
– validated
– manipulated due to unmet needs
– complacent and passive aggressive


Risk triangle: “The Perfect Storm”

• Personality Factors

• A Life Crisis

• Access


Brian Patrick Regan
USAF Analyst / TRW Contractor at NRO

Synopsis:

• Buried 20,000+ pgs of TS/SCI materials. Letter to Hussein offering locations and orbits of spy satellites & reports on Iran for $13 mil. Similar letter drafted for Libya.


Brian Patrick Regan

Tradecraft: Addresses for the European diplomatic offices of Iraq, Iran, & Libya in his shoe when boarding flight to Switzerland. Classified docs, encrypted notes and a GPS device were in his bag.

A salt shaker and a toothbrush holder were buried, in which he kept his own secret codes that recorded the 19 locations in MD & VA state parks where he buried docs, CDs, & videos.


Brian Patrick Regan

Motivation:

• $100,000 in debt

• The need to sustain an image of being responsible and competent

• Feared humiliation


At-Risk Personality Predisposition

• Grandiose/self-serving

• High achievement

• Entitled

• Limited attachments

• Some degree of past learning/future ideals

• Manipulative/rules to self-serve


Challenges of Competing identities

• Benefits to the US and a Global Economy
– Valued talent and skill
– Born in a foreign country
– Immigrated to the US
– Educated in the US from abroad
– Support technological growth and superiority

• Vulnerabilities
– Degree of assimilation
– Influence of living in migrant communities
– Dual identity

• Risk
– Dual loyalty


Robert Chaegon Kim
Civilian Computer Expert, Naval Intelligence

Synopsis: Passed classified info on N. & S. Korea, China and a computerized maritime tracking system to a S. Korean Navy Captain attached to the ROK Embassy in DC.

Tradecraft: Removed all classification markings on military and intelligence subjects and printed in his office.


Robert Chaegon Kim

Motivation:

• “For the love of my two countries”

• Ties with country of birth, family ties, reconciliation; received no money

• Committed with his brother-in-law


Gen Y : The Future is Here

• Most diverse and educated

• “Digital natives” who are information fluent.

• Connected 24/7

• Expect speed and change

• Energetic, positive, innovative and creative.

• Value teamwork and collaborative efforts.

• Need “Space” to explore

• Loyalty must go both ways

• “They work to live”


A lower risk profile?

Just as there are many negative factors identified with potential security risk, there are mediating factors that balance some risk indicators.

• Most useful factors include
– Evidence of long-term commitments or relationships
– Capacity for loyalty
– Social consciousness

• Individuals who
– Work well with others
– Display genuine warmth and compassion toward others
– Lack a sense of entitlement
– Respond well to criticism without becoming defensive
– Are characterized as good-natured
– Can clearly and appropriately express frustration and anger


Management: an effective defense

• Remain attentive to the evolving threat

• Assemble a multidisciplinary team

• Create a reporting mechanism that facilitates the flow of information to security managers; workforce as an active security monitor

• Be sensitive to employees in crisis

• Human Resources must partner with security

• Identify "at-risk behavior" prior to hiring

• Personnel and physical security become the primary mechanism for prevention, detection and early intervention.

• Security awareness and training

• Early intervention can minimize asset loss


Integrated Approach to Mitigating Asset Loss

(Diagram) Mitigating Asset Loss:

• Risk Management

• Information Sharing and Management

• People Management

• Physical/IT Security


Risk avoidance vs. risk management

Risk Avoidance

• Strict criteria for eligibility

• Limited tolerance for indiscretion or deviant behavior

• Little concern for potential acting out or retaliatory actions

Risk Management

• Discernible personality factors and behavior

• Realistic assessment of vulnerabilities

• Acknowledgment of external threat

• Recognition of mission essential demands

• Cost-benefit risk assessment

• Available monitors and control

• Selected recruitment and selection

• Plan of action

• Emergency contingency


Personnel Security Risk Model (diagram): Threat, Context, Asset Loss, Consequence, Recovery, Vulnerability → RISK

Risk Management Model

• Conceptualize the risk/threat

• Recognize the personnel vulnerabilities

• Security vulnerabilities

• Evaluate mission essential factors

• Anticipate asset loss


Information Management Framework

The three categories are offered as a way to organize information obtained in a personnel risk assessment. Organizing information into these three categories assists in developing a management plan.

Category 1: No Evidence of Risk to Assets
No evidence to suggest the presence of any vulnerability factors within the individuals involved.

Category 2: Minimal to Moderate Risk to Assets / Manageable
There is evidence to suggest that a potential risk to security exists. The information/assets that the individual has access to could possibly be compromised in a witting or unwitting manner.

Category 3: Significant Risk to Assets / Not Manageable
There is evidence to suggest a significant and potentially unmanageable risk is present, based on the identified vulnerabilities, threat, mission, asset and consequence.

Risk Assessment Model

Source: Mike Gelles, Psy.D., © 2007


A human resource approach to secure work environment in a global economy

Old: Acquire and Retain: “Seek” talent and give them access and keep them in their seats

New: Recruit, Position and Manage: “Engaging” talent by focusing on the competencies that reflect a risk-managed workforce meeting business objectives

Recruit → Position → Manage (diagram):

Recruit Necessary Skills: Identify competencies and develop capabilities for a secure and productive workforce that achieves business goals

Position Talent: Creating experiences to perform to full extent of abilities while managing the vulnerabilities and threats

Manage a Secure Workforce: Cultivating networks of high-quality relationships within a secure work environment


Competencies for a secure workforce

Core Competencies of a Secure Workforce (diagram):

• External awareness

• Mission awareness: mission, strategy, vision

• Integrity

• Internal and external communicator

• Teamwork and partnership

• Organizational thinking

• Maturity and judgment

• Accountability


Addressing potential asset loss

Manage the Vulnerability

• People-to-People: Cultivating high-performance networks of high-quality relationships who are security minded

• People-to-Purpose: Building and sustaining a sense of personal and organizational mission

• People-to-Resources: Managing access, knowledge, technology, tools, capital, and time to achieve professional and business goals


Identify “Value Events” in Security Programming

• Identify and Prioritize Value Events: What are the important interaction points between organizations?

• Analyze and Design Events: What is the desired behaviour within value events?

• Pilot and Execute Events: How can the desired behaviour be initiated and kept in place?

• Monitor and Manage Effectiveness: How can performance be assessed and maintained?

• Traditional Physical Security Program

• Evolving IT Security Practices

• Security Awareness Communications Strategy

• Workforce Reporting Mechanism

• Multidisciplinary Risk Management Approach


The Bottom Line

• Understand the process

• Risk assessment and management model

• Preemptive strategies

• Methods for monitoring

• Interventions to interrupt forward motion


A member firm of Deloitte Touche Tohmatsu