… the INSIDER THREAT Presented by: Cheri Y. Sigmon CISSP
Detecting, Managing, and Remediating the INSIDER THREAT Cheri Y. Sigmon CISSP Ethics Disclaimer: Presenting in my personal capacity, while on leave
The Problem “This is definitely the golden age of cyber-espionage… Foreign states are stealing data left and right from private-sector companies, nonprofit organizations and government agencies.” -Steven Chabinsky, former Dep. Asst. Director, FBI Cyber Division * Often under-estimated * Disgruntled personnel * Unintentional actions of user * Trusted insider
Seriousness and Longevity • "A nation can survive its fools and even the ambitious. But it cannot survive treason from within." -Cicero (106-43 B.C.) • This poster highlights Cuba due to the success its recruited insiders have had against the United States over the years
Insider Threat to Cyber Security • NSA Leaks • Manning • Pollard • Walker • Increasing Vulnerability / Increasing Volume
National Insider Threat Task Force (NITTF) • Oct 2011 - President issued Executive Order (E.O.) 13587 establishing the National Insider Threat Task Force (NITTF) under joint leadership of the Attorney General and the Director of National Intelligence • Primary mission is to prevent, deter & detect compromises of classified information by malicious insiders • The President directed federal departments & agencies with classified networks to establish insider threat detection & prevention programs • The E.O. directs the NITTF to assist agencies in developing & implementing their insider threat programs, while ensuring the program standards do not erode civil liberties, civil rights, or privacy protections for government employees • Nov 2012 - Following an extensive interagency coordination & vetting process, POTUS issued the National Insider Threat Policy & Minimum Standards for Executive Branch Insider Threat Programs via Presidential Memorandum
The National Counterintelligence Executive, Mr. Robert Bryant: “Insider threats remain the top counterintelligence (CI) challenge to our community.” • An insider threat arises when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States. Malicious insiders can inflict incalculable damage. They enable the enemy to plant boots behind our lines and can compromise our nation's most important endeavors • Over the past century, the most damaging U.S. CI failures were perpetrated by a trusted insider with ulterior motives • In each case the compromised individual exhibited identifiable signs of a traitor, but the signs went unreported for years due to the unwillingness or inability of colleagues to accept the possibility of treason
Malicious Insiders Insiders who seek to harm U.S. security interests normally are either long-term plants or people who’ve been lured to betray their nation for ideological reasons, a lust for money or sex, or via blackmail. Mankind's methods may change – but core motivations do not • Insiders convicted of espionage have, on average, been active for a number of years before being caught. Today more information can be carried out the door on removable media in a matter of minutes than the sum total of what was given to our enemies in hard copy throughout U.S. history • Consequently, damage caused by malicious insiders will likely continue to increase unless we have effective insider threat detection programs that can proactively identify and mitigate the threats before they fully mature
Economic Espionage Prosecutions - Past Six Years • A senior intelligence official, briefing reporters on the condition of anonymity, noted a few cases & estimates • $100 million worth of insecticide research from Dow Chemical • $400 million worth of chemical formulas from DuPont • $600 million of proprietary data from Motorola • $20 million worth of paint formulas from Valspar • Of 7 Insider Theft cases prosecuted under the Economic Espionage Act in fiscal year 2010, SIX involved a link to China, the report said
DoD - Insider Threat • “A person with authorized access, who uses that access, wittingly or unwittingly, to harm national security through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions.” • Minimize Privileged User billets and access while enforcing Two-Person Integrity for sensitive activities such as moving information from classified to unclassified networks • Establish Anomaly Detection systems on networks to identify inappropriate or unauthorized network behavior and highlight that behavior for further investigation • Establish a random CI polygraph program for Privileged Users, starting with most sensitive systems • Establish and execute a Continuous Evaluation Program to continuously monitor the databases that are normally queried during a routine update of a security clearance, looking for anomalous activity such as legal, personnel or financial issues
Managing the Insider Threat • Administration Calls for Program to Continuously Probe Personnel • Pentagon Moves to Modernize Creaky Clearance & Security System – Again • DoD to implement random background checks of those with security clearances • Social media relevant to background checks
Need to Know • A longstanding premise in U.S. Government circles is that a security clearance doesn’t equal "Need to Know" • A critical issue, since continued loss of National Security information through unauthorized disclosures degrades America's most sensitive intelligence/analytic capabilities • ONCIX: "Need to Know" principle
An Unintentional Insider Threat • (1) A current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network, system, or data and who, (3) through action or inaction without malicious intent, (4) unwittingly causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s resources or assets, including information, information systems, or financial systems. Source: DHS - US CERT, Insider Threat Team
Assigning Categories to Insider Incidents • Helps us understand the impact of incidents and offers insight into possible insider motivations • 4 Main Categories: A) Sabotage (24% of MERIT cases) B) Fraud (44%) C) Theft of Intellectual Property (IP) (16%) D) Miscellaneous (12%) or a combination of the three main categories (4%)
Cybersecurity Best Practices • 5 Factors: 1) Technology Profile 2) Laws and Regulations 3) Law Enforcement 4) Culture and Subcultures 5) Corruption
Identity and Access Management (IdAM) • 4 A’s - Authentication. Authorization. Automation. Audit. • Authentication: Basis for determining that you are who you say you are. Includes usernames and passwords at the most primitive level, and could include other things like two-factor authentication using DoD’s Common Access Card (CAC) or PIV • Authorization: Once the user is authenticated, the system grants access to certain assets, resources and data. This is very complicated, but it needs to be fluid as users change roles. Easiest example in the DoD: you could transition from being a recruit to active duty to retired. Your identity should be transforming and your authorization to various assets should evolve behind the scenes. That idea of migrating an authorization through its lifecycle leads to automation • Automation: The scale of Government is so large that you must automate these tasks • Audit: Leads us down to digital forensics, to who did what, and when. If there was misuse or some sort of breach, either intentional or not, how did that authentication and authorization happen? Who gave that access? Was that person authorized to do so? ‘Why wasn’t there an audit trail?’
Top 7 Characteristics of Insider Threat Products • 1. Monitor phone activity logs to detect suspicious behaviors 2. Monitor & control privileged accounts (e.g., administrators) 3. Monitor & control external access & data downloads 4. Protect critical files from modification, deletion, & unauthorized disclosure 5. Disable accounts &/or connections upon employee termination 6. Prevent unauthorized removable storage media 7. Identify all access paths into organizational ISs
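Added example (not part of the original presentation): one way to automate the Authorization and Audit steps from the IdAM slide together with item 5 above, by reconciling actual access grants against lifecycle state. The policy table, entitlement names, grantor names and sample records are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy: the entitlements each lifecycle state should hold.
POLICY = {
    "recruit": {"training_portal"},
    "active_duty": {"training_portal", "email", "ops_share"},
    "retired": {"benefits_portal"},
    "terminated": set(),
}
# Hypothetical identities permitted to approve access grants.
AUTHORIZED_GRANTORS = {"idam-automation", "isso.lee"}

@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_by: str

def reconcile(states, grants):
    """Diff actual grants against the lifecycle policy.

    Returns (revoke, provision, findings): grants to remove, missing
    (user, entitlement) pairs to add, and audit findings for grants
    issued by someone outside AUTHORIZED_GRANTORS.
    """
    revoke, findings, held = [], [], {}
    for g in grants:
        # Users absent from the HR state feed are treated as terminated.
        allowed = POLICY[states.get(g.user, "terminated")]
        if g.entitlement in allowed:
            held.setdefault(g.user, set()).add(g.entitlement)
        else:
            revoke.append(g)
        if g.granted_by not in AUTHORIZED_GRANTORS:
            findings.append(f"{g.user}:{g.entitlement} granted by {g.granted_by}")
    provision = sorted((u, e) for u, s in states.items()
                       for e in POLICY[s] - held.get(u, set()))
    return revoke, provision, findings

# Constructed sample data, not taken from the presentation.
STATES = {"asmith": "retired", "bjones": "active_duty", "cdoe": "terminated"}
GRANTS = [
    Grant("asmith", "ops_share", "idam-automation"),  # stale after retirement
    Grant("bjones", "email", "isso.lee"),
    Grant("bjones", "ops_share", "admin.temp"),       # unapproved grantor
    Grant("cdoe", "email", "idam-automation"),        # survived termination
]

if __name__ == "__main__":
    for label, rows in zip(("REVOKE", "PROVISION", "AUDIT"), reconcile(STATES, GRANTS)):
        for row in rows:
            print(label, row)
```

The audit finding is raised even when the access itself matches policy, which answers the slide's "Who gave that access? Was that person authorized to do so?" separately from whether the access should exist.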
Reports, Briefings & Reading Material • CERT: Common Sense Guide to the Prevention & Detection of Insider Threat 4th edition • FBI: The Insider Threat: An introduction to detecting and deterring an insider spy • David L. Charney, M.D.: True Psychology of the Insider Spy
Insider Threat Websites • http://www.cert.org/insider_threat • http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat • http://www.ncix.gov/links.php (security web sites) • http://www.ncix.gov/issues/ithreat/index.php
BACKUP SLIDES • Trade Secrets/ Spy Collection
DoD NOTICE AND CONSENT BANNER You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: • The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations • At any time, the USG may inspect and seize data stored on this IS • Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose • This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy • Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details
Our Country • America's cities, states and landmarks are vivid reminders of our rich heritage, and the need to defend and protect them is more important now than ever before. This is a daily challenge that each and every one of us must undertake if we are to remain the strongest country in the world. The message is simple... "observe and report."
Protecting Sensitive Information • The 1st Amendment to the Constitution of the United States was enacted to guarantee freedom of speech and freedom of the press. Violating this given right, by either leaking or mishandling sensitive information, is not only wrong, it can endanger the lives of others and the security of the United States of America
Protecting Proprietary Information • Protecting America's commercial and high-tech secrets makes good business sense and is vital to our national security. Raising your security profile to ensure that sensitive and proprietary information does not fall into the wrong hands safeguards your company's competitive edge and helps keep America strong. ONCIX provides this poster to remind US businesses that protecting your most valuable data makes all of us safer.
Economic Espionage - USB Port • Corporate thieves no longer use the front door • “I cost my company $240 million…”
One Evil • The National Counterintelligence Center, now the Office of the National Counterintelligence Executive (ONCIX), produced its 1st security & CI awareness poster with pictures of 7 convicted spies & a quote from George Washington • The number of convicted spies has increased, notwithstanding Washington's admonition: "There is one evil I dread, and that is, their spies. I could wish, therefore, the most attentive watch be kept..." • Convicted spies in the post-Aldrich Ames era; recent arrest photo of Ana Belen Montes, the DIA employee who is the most senior spy for Cuba ever caught
Essence of Robert Hanssen • "He betrayed his country, betrayed his fellow Americans for no reason other than greed, and he caused irreparable harm to the national security of the United States." - US Attorney Ken Melson • For decades, thousands of Americans both in the Government and private sector have sworn oaths of allegiance to the United States. The vast majority of these people have honored their oaths and served with pride, loyalty, and integrity. However, some have faltered in their allegiance, bringing discredit to their country, families, and themselves. Such is the case of Robert P. Hanssen, whose lust for fame, adventure, and self-gratification led to his ultimate downfall as a betrayer of the United States • A reminder of the life he chose and its ultimate conclusion
Proactive Counterintelligence • The Man of Steel's x-ray vision can't detect the spies among us, but we mere mortals, armed with the right information, can. Practice good security and report suspicious behavior, and you, too, can become a CI Super Hero!
Espionage is No Sure Bet • A reminder that there are no winners in the espionage game
W. Kendall Myers • Walter Kendall Myers, aka Kendall Myers, was arrested June ‘09 with his wife Gwendolyn Steingraber Myers after having spied for Cuba for almost 30 years. In Nov 2009, Kendall Myers pleaded guilty to conspiracy to commit espionage. Gwendolyn Myers pleaded guilty to conspiracy to gather & transmit national defense information. In July ‘10, they were sentenced to life without parole & 81 months respectively. Kendall explains one of the ways he obtained information to pass to Cuba, and the penalty he will pay for doing so.
Tears Poster • We need to be reminded from time to time that the continued loss of highly sensitive U.S. National Security Information through espionage and terrorism methods can have serious repercussions. Unfortunately, these repercussions are first felt by our deployed Military Forces, who stand to protect the U.S. and the American way of life. • Take responsibility—protect and secure National Security Information—it saves the lives of those men and women whose mission it is to protect the United States. Failure to protect this information costs lives on the battlefield. We hope this new poster helps you get the message across to your co-workers and friends.
Recruitment Classified Ads • Recruitment attempts by a drug cartel or terrorist organization are never as obvious as in this poster - non-state actors, like foreign intelligence services, recruit US government officials, law enforcement, contractors, and military personnel for their knowledge, access, and skills
I Want You • CI threat from non-state actors (drug cartels/other transnational criminal organizations) • Non-state actors actively recruit US Gov’t employees, law enforcement, contractors, and military personnel with knowledge, access, & skills of value, including operational knowledge, access to sensitive or classified information, and military and law enforcement training. Verifying the true origin and nature of business proposals can reduce the risk of unwittingly assisting a non-state actor
Don't Tread on Me • The men and women of the Office of the National Counterintelligence Executive are deeply saddened and angered by the loss of American and other lives in the tragic events of 11 September 2001. In a small effort to aid the healing process, this poster features quotes from Presidents George W. Bush and Thomas Jefferson, along with renderings of the United States flag and the "DON'T TREAD ON ME" flag, a favorite with pre-Revolutionary War colonists.