In December 2012, The CERT/CC Insider Threat Center published the Common Sense Guide to Mitigating Insider Threats, 4th Edition, CMU/SEI-2012-TR-012. The guide uses extensive research to examine the nature of insider threats and their probability. It is an excellent resource.
This is the first in a series of notes on insider threats – the first note examines the guide and the next considers the impact on incident response planning and handling.
“Insider threats are influenced by a combination of technical, behavioral, and organizational issues” (from the Executive Summary). As a result, management,human resources (HR), legal counsel, and physical security may be involved in the response along with the Information Technology (IT) and Information Assurance (IA) departments.
The range includes:
Each of these may require specialized incident actions as part of the response.
The CyberSecurity Watch Survey provides the following statistics:
This annual survey is sponsored by U.S. Secret Service, CERT Insider Threat Center, Deloitte, and CSO Magazine.
The following chart suggests that all organizations – large and small – have close to a 50/50 chance of experiencing an insider incident in any given year. Or every 2 years give or take a month an insider incident will occur. NOTE: there were 479 respondents, 1/3 were organizations with 5,000 employees or more, 2/5 were organizations with less than 500. This suggests a representative survey.
|The 2012 Survey was retrieved from a Google search for “2012 CyberSecurity Watch”.|
The guide recommends 19 practices for mitigating Insider Threats (See the table at the end of this article). Many of these are well known security controls, but they are presented through the lens of the insider threat. For each practice, the guide (1) defines the protective measure; (2) identifies challenges; (3) provides case studies; (4) identifies quick wins applicable to all organizations; (5) identifies additional quick wins for large organizations; and (6) maps the recommend practices to NIST, CERT, and ISO standards.
We can work with you to incorporate or improve how your response plan addresses insider incidents.
Emphasized practices have a direct bearing on incident response planning and management.
|1||Include insider threats in an enterprise-wide risk assessment.||11||Institutionalize system change controls.|
|2||Clearly document and consistently enforce policies and controls.||12||Log, monitor, and audit insider actions with log correlation or SIEM system.|
|3||Incorporate insider threat security training for all employees.||13||Monitor and control remote access including mobile devices.|
|4||Beginning with the hiring process, monitor suspicious or disruptive behavior.||14||Develop a comprehensive employee termination procedure.|
|5||Anticipate and manage negative issues in the work environment.||15||Implement secure backup and recover processes.|
|6||Know your assets.||16||Develop a formalized insider threat program.|
|7||Implement strict password and account management policies and practices.||17||Establish a normal network behavior baseline.|
|8||Enforce separation of duties and least privilege.||18||Be especially vigilant regarding social media.|
|9||Define explicit security agreements for any cloud services – address access restrictions and monitoring capabilities.||19||Close the doors to unauthorized data exfiltration.|
|10||Institute access controls and monitoring on privileged users.|
From the SEI/CMU Common Sense Guide for Mitigating Insider Threats, 4th Edition.