
CIP for Operators The Insider Threat

CIP for Operators The Insider Threat. September 11 & September 25, 2014 Nashville/Franklin, TN. Bill Peterson CIP, Senior Engineer SERC Reliability Corporation. Brian Harrell Director, ES-ISAC Operations NERC. Security Riddle. Here's an age-old security riddle:


Presentation Transcript


  1. CIP for Operators: The Insider Threat. September 11 & September 25, 2014, Nashville/Franklin, TN. Bill Peterson, CIP Senior Engineer, SERC Reliability Corporation. Brian Harrell, Director, ES-ISAC Operations, NERC

  2. Security Riddle Here's an age-old security riddle: Where and when is theft of company assets or intellectual property (IP) not really theft? Answer: In the minds of your employees, when they're headed out the door for the last time. Hmmm..

  3. Learning Objectives At the conclusion of this training session, you should be able to: • Explain the meaning of “insider threat”; • Identify three human behaviors that might be signs of insider security threats; • State the types of insider crimes and identify which are most prevalent; • List three ways to prevent, mitigate or stop insider crime; and, • Identify CIP version 5 goals regarding insider threats

  4. Outline of Topics • What is insider threat? • Types of insider crime and malicious activity. • Can insider crime be prevented, mitigated or stopped? • Who are the insiders? • Recent attacks/case studies. • Security awareness training. • Practices, procedures, and policies to minimize your risk. • CIP V5 migration

  5. What Is An Insider Threat? • A malicious insider is a current or former employee, contractor, or business partner who meets the following criteria: • has or had authorized access to an organization’s network, system, or data; and • has intentionally exceeded or used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

  6. Considerations • Collusion with outsiders: Many insiders who stole or modified information were recruited by outsiders, organized crime, and foreign organizations or governments. • Business partners: The number of insider crimes perpetrated by employees of trusted business partners who have been given authorized access to their clients’ networks, systems, and data is increasing.

  7. Other Considerations Mergers and acquisitions: Create a heightened risk of insider threats in organizations being acquired. Organizations should recognize the increased risk of insider threats both within the acquiring organization and in the organization being acquired, as employees endure stress and an uncertain organizational climate.

  8. Are Insiders Really a Threat? • The threat of an electronic crime from insiders is real and substantial. • The 2014 CyberSecurity Watch Survey, conducted by the U.S. Secret Service, CERT, CSO Magazine, and Deloitte, found: • 28% of electronic crime events were committed by insiders. • 46% of respondents thought that damage caused by insider attacks was more severe than damage from outsider attacks.

  9. Can Insider Attacks Be Stopped? • Insider threat is a complex problem. • Insider attacks can be prevented only through a layered defense strategy consisting of policies, procedures, and technical controls. • Management must pay close attention to many aspects of the organization, including its business policies and procedures, organizational culture, and technical environment.

  10. Patterns and Trends of Malicious Insider Activity • The patterns and trends observed indicate classes of malicious insider activity: • Sabotage - direct specific harm at an organization or an individual. • Theft of IP - to steal IP from the organization. This category includes industrial espionage involving outsiders. • Fraud - the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or theft that leads to an identity crime (e.g., identity theft or credit card fraud).

  11. Instances of Insider Crime by Industry Sector

  12. Recent Insider Attacks • Washington Navy Yard Shooting • Target Stores • UBS PaineWebber • Terry Childs • Wikileaks: Bradley Manning • Edward Snowden

  13. Who Are The Insiders? • Employees • Former Employees • Contractors • Suppliers • Visitors • Collaborators • User facilities • Industry

  14. Pre-conditions • Motive, or a need to be satisfied through crime. • Ability to overcome inhibitions: • Moral values. • Fear of being caught. • Loyalty to employer or co-workers. • Risk-taking behaviors. • Trigger that sets the betrayal in motion. • Opportunity to commit the crime. • Poor and/or lax security practices.

  15. Motive • Financial • Anger • Excitement • Divided loyalties • Arrogance • The BIG 3: • Greed • Disgruntlement • Revenge

  16. Ability to Overcome Inhibitions • Moral Values • Ethical Values • Loyalty • Fear • Rationalization

  17. Trigger • A personal or professional event. • Stress pushes the individual to the “breaking point”, and they react negatively and criminally. • An emotionally stable, well-adjusted individual reacts to stress in a positive manner. At least 1/4 of American spies experienced a personal life crisis in the months preceding an espionage attempt.

  18. Opportunity • Don't give it to them! • Use mitigation efforts to reduce threats • Focus on strong security practices

  19. ArcSight Top 10 Insider Threats • Proving that the insider threat claims are valid. • Converging insider threat with physical security. • Demanding ROI for your insider threat program. • Converging IT threat with governance & regulatory compliance. • Understanding that insiders are people too.

  20. ArcSight Top 10 Insider Threats • Leveraging real-time and forensic analysis to pinpoint insiders. • Providing intelligent, insider-aware response capabilities. • Managing the insider threat. • Detecting the insider threat. • Recognizing that insider threats are different from external threats.

  21. Carnegie Mellon University Survey Findings • Most insider events were triggered by a negative event in the workplace. • Most perpetrators had prior disciplinary issues. • Most insider events were planned in advance. • Only 17% involved individuals with root access. • 87% of the attacks used very simple user commands that didn't require any advanced knowledge. • 30% of the incidents took place at the insider’s home using remote access to the organization's network.

  22. Developments Make Harder. Items like these greatly increase opportunities for espionage and the amount of damage that can be done by a single insider.

  23. 5 Simple Measures to Protect Your Organization from Insider Threats • Conduct background checks on all new employees. • Monitor employee behavior. • Restrict accounts that have remote access. • Restrict the scope of remote access. • Enforce the principle of “Least User Privilege”.

  24. Screen Your Personnel • Initial counterintelligence screening & periodic reviews. • Financial records check. • IRS disclosure. • Records checks.

  25. Contributing Factors

  26. Behavioral Factors & Suitability Issues • Substance abuse or dependence. • Hostile, vindictive, or criminal behavior. • Extreme, persistent interpersonal difficulties. • Unreported foreign interaction. • Excessive gambling / spending. • Internet presence… most will. “Most known American spies (80%) demonstrated one or more conditions or behaviors of security concern before they turned to espionage.” - Defense Personnel Security Research Center (PERSEREC) Report, 2002

  27. The Human Element Trumps All • Employees who feel they've been dealt with fairly are a whole lot less likely to justify their actions in a disgruntled huff. • Without policies, not only are employees unclear as to their ethical responsibility to leave data behind, but the organization may lack legal recourse when information walks out the door, says Damon Petraglia, Director of Forensic and Information Security Services for Chartstone.

  28. Socio-Economic Factors • Global market is expanding. • Increased foreign interaction. • Vulnerabilities (financial crisis). • Organizational loyalty is diminishing. • Ethnic ties. • Moral justification.

  29. Insider Threat Example • The U.S. military started the Cyber-Insider Threat program (CINDER) to reduce insider threats, following the WikiLeaks disclosures. • The CINDER program was led by DARPA, the research and development office for the U.S. Department of Defense (DoD). • “The goal of CINDER will be to greatly increase the accuracy, rate, and speed with which insider threats are detected and impede the ability of adversaries to operate undetected within government and military interest networks.”

  30. Psychological Factors • The Sociopath: • Lack of conscience or morals. • Violates others' rights to serve own ends. • The Narcissist: • Preoccupation with self at the expense of others. • Grandiose sense of their own importance. • Exaggerates accomplishments. • Sees self as the unjust victim of rivals. • Sense of entitlement.

  31. What Can You Do? • Be alert! • Don’t be paranoid, but report concerns. • Be aware of espionage indicators. • Screen your personnel. • Assess your personal vulnerabilities.

  32. Possible Indicators • Appearing intoxicated at work. • Sleeping at the desk. • Unexplained, repeated absences on Monday or Friday. • Actual or threatened use of force or violence. • Pattern of disregard for rules and regulations. • Spouse or child abuse or neglect. • Attempts to enlist others in illegal or questionable activity. • Significant drug and alcohol abuse. • Pattern of significant change from past behavior, especially • increased nervousness or anxiety, • unexplained depression, hyperactivity, decline in performance or work habits, • deterioration of personal hygiene, • increased friction in relationships with co-workers, and • isolating oneself by rejecting any social interaction.

  33. Possible Indicators • Expression of bizarre thoughts, perceptions, or expectations. • Pattern of lying and deception of co-workers or supervisors. • Talk of or attempt to harm oneself. • Writing bad checks. • Argumentative or insulting behavior toward work associates or family to the extent that it has disrupted the workplace environment. • Attempting to circumvent or defeat security or auditing systems, without prior authorization from the system administrator, other than as part of a legitimate system testing or security research.

  34. 60-Day Danger Zone • According to an academic study of insider cases by researchers with CERT, the risk of insider theft of IP is the highest just before the employee resigns or is fired. • "Insiders stealing IP did so within a period of 60 days before termination 70% of the time," wrote CERT engineers.
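The 60-day finding above, together with the remote-access trend from the Carnegie Mellon findings (slide 21) and the remote-access restrictions in slide 23, can be turned into a routine defender-side review. The following Python script is an added example, not material from the presentation or its authors: it scores constructed remote-access log lines against a constructed HR separation list, and the log format, user names, thresholds and function names are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data (not from the presentation): HR last-day notices and
# remote-access log lines in an assumed "<iso timestamp> <user> <action> <bytes> <object>" format.
SEPARATIONS = {"jdoe": date(2014, 9, 30)}
REMOTE_ACCESS_LOG = """\
2014-07-15T22:41:05 jdoe login 0 -
2014-08-20T23:10:12 jdoe download 2400000 engineering_drawings.zip
2014-09-02T09:15:00 asmith download 1200 report.pdf
2014-09-05T01:05:44 jdoe download 5800000 relay_settings.tar
"""

@dataclass
class RemoteEvent:
    when: datetime
    user: str
    action: str
    nbytes: int
    obj: str

def parse_event(line: str) -> RemoteEvent:
    """Parse one constructed log line into a RemoteEvent."""
    ts, user, action, nbytes, obj = line.split(maxsplit=4)
    return RemoteEvent(datetime.fromisoformat(ts), user, action, int(nbytes), obj)

def danger_zone_flags(ev: RemoteEvent, separations, zone_days=60,
                      after_hours=(19, 7), large=1_000_000):
    """Return the review flags raised by one event (empty list = nothing notable).
    zone_days is the CERT 60-day pre-termination window; the other thresholds are assumed."""
    flags = []
    last_day = separations.get(ev.user)
    if last_day is not None:
        days_left = (last_day - ev.when.date()).days
        if 0 <= days_left <= zone_days:
            flags.append(f"within {zone_days}-day window before separation ({days_left} days left)")
    if ev.when.hour >= after_hours[0] or ev.when.hour < after_hours[1]:
        flags.append("remote access outside business hours")
    if ev.action == "download" and ev.nbytes >= large:
        flags.append(f"large transfer ({ev.nbytes} bytes)")
    return flags

def review(log_text: str, separations) -> dict:
    """Group flagged events by user: {user: [(timestamp, object, flags), ...]}."""
    findings = {}
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        flags = danger_zone_flags(ev, separations)
        if flags:
            findings.setdefault(ev.user, []).append((ev.when.isoformat(), ev.obj, flags))
    return findings

if __name__ == "__main__":
    for user, events in review(REMOTE_ACCESS_LOG, SEPARATIONS).items():
        for when, obj, flags in events:
            print(user, when, obj, "; ".join(flags))
```

In the sample, only jdoe's events are flagged; the two downloads in the final month before separation carry all three flags, which is the combination the slides single out for attention.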

  35. In Other News…… • Symantec sheds some light on the employee mindset as these insiders set their feet out of the door. A survey Symantec released showed that half of employees who left or were fired from their jobs took corporate data with them, and 62% of them didn't think the practice was wrong. • This validates a survey from Cyber-Ark last year that showed just less than half of employees, IT managers and executives questioned said they would take proprietary data with them if they were fired tomorrow.

  36. Training • Take advantage of training opportunities. • Seek out training opportunities. • Create unique & innovative training. • Promote interactive training.

  37. Make Training Interesting • Bring external experts to your organization. • Make your training relevant, interesting and FUN! • Case studies are excellent training platforms. MARGARET ??

  38. Training and Awareness • Use frequent reminders on policies and processes. • Training should be frequent. • Train all new insiders. • Top-down approach. • Use awareness banners and prompts. • For example, a system that issues a warning at log-in can act as a constant reminder of policies around data and also a warning of monitoring.

  39. CIP Standards Status • CIP V3 to V5 • Effective April 2016 (High and Medium) • Effective April 2017 (Low) • Currently undergoing changes • Physical Security Standard CIP-014 • New FERC directive • 90-day development period • CIP-014 filed with FERC 5-23-2014 and is pending regulatory approval. V3 to V5!!!

  40. CIP Version 5 Goal • To find “Shared BES Cyber Systems that could, within 15 minutes, adversely impact the reliable operation of any combination of units that aggregately equal or exceed 1500 MW”. • Secure the BES Cyber Systems based upon High, Medium, or Low Criticality. • Look for connectivity between devices. • Look for common plant components and processes. • Look for unique characteristics of devices and functions.

  41. CIP Version 5 Observations • The 15-minute rule supports and seems to be a good proxy for ‘real-time’. • Culture change for generation functions. • Not a once and done review; requires periodic reviews. • Train your plants. • Security is the NEW safety.

  42. CIP V5 Awareness • What is CIP V5? • How do the CIP V5 Requirements impact the plants? • What is required from the plant from an implementation standpoint? • What are the future expectations and responsibilities? • How does CIP fit into the existing management of change process? • High, Medium, and Low BES Assets? • What is a BES Cyber System? • What is a BES Cyber Asset?

  43. BES Cyber System • One or more Bulk Electric System (BES) Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

  44. BES Cyber Asset • A Cyber Asset that, if rendered unavailable, degraded, or misused, would, within 15 minutes of its required operation or non-operation, adversely impact one or more Facilities, Systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. • Programmable Electronic Device. • Includes the hardware, software, and data in the devices.

  45. BES Cyber System Information • Information about the BES Cyber System that could be used to gain unauthorized access or pose a security threat to the BES Cyber System.

  46. SUMMARY of Main Points • An “insider threat” can occur when a former employee, business partner or contractor who has (or has had) access to company data then uses the data to negatively affect company security/operations. • Three human behaviors that might be signs of insider security threats are: unexplained affluence/wealth, extreme interpersonal difficulties, and violent expressions and/or actions. • Types of insider crime include: fraud, theft of intellectual property (IP) and sabotage, with IT sabotage being the most prevalent in technical sectors. • There have been many recent examples of insider attacks, including Robert Hanssen and Edward Snowden, both of whom engaged in espionage activities. • Methods to prevent, mitigate or stop insider crime include: proper training and education of employees, increased alertness to/awareness of surroundings and individuals, and aggressive screening of potential employees.

  47. SUMMARY for Prevention • Best way to reduce the insider threat is to remove the opportunity. • Best way to remove the opportunity is to implement administrative, physical and technical controls. • Know the administrative controls, policies, and procedures in place. • Train and promote awareness of administrative controls on a regular basis. • Be aware of your surroundings and acceptable behavior practices. • Ask questions and/or report something that doesn’t look right. • Embrace security as the new safety. • Don’t bypass physical or technical controls. • Use strong passphrases. • Use screen locks.

  48. Relevant Reading • 2014 CyberSecurity Watch Survey reference: http://resources.sei.cmu.edu/asset_files/Presentation/2014_017_001_298322.pdf • FBI, Insider Threat Brochure: http://www.fbi.gov/about-us/investigate/counterintelligence/insider_threat_brochure
