Posted on Leave a comment

A New Scientifically Supported Best Practice That Can Enhance Every Insider Threat Program!

(Or…”How This One Weird Thing Can Take Your Program to the Next Level!”)

The CERT National Insider Threat Center (NITC) continues to transition its insider threat research to the public through its publications of the Common Sense Guide to Mitigating Insider Threats (CSG), blog posts, and other research papers. We recently released an updated version of the CSG: the Common Sense Guide to Mitigating Insider Threats, Sixth Edition. In this post, I’ll highlight the new additions and updates: best-practice mappings to standards and more attention to workplace violence, monitoring, and privacy. I’ll also walk you through the new best practice, on positive incentives in the workplace.

21 Best Practices

In the fifth edition of the CSG, we described 20 best practices that any organization can implement to help prevent, detect, or mitigate insider threats. The sixth edition describes 21 best practices. The new and revised best practices in the sixth edition are based on the latest research findings and case studies. The table below summarizes the best practices from the sixth edition of the CSG.

Table 1 The 21 Insider Threat Best Practices.PNG

Best Practice 21: Adopt Positive Incentives to Align Workforce with the Organization

Figure 2 Best Practice 21 Adopt positive incentives to align workforce with the organization.PNG

All groups within an organization, as shown above, are involved in the newest, capstone best practice: “Adopt positive incentives to align the workforce with the organization.” Best Practice 21 refers to workforce management practices that increase perceived organizational support as positive incentives because they attempt to entice (rather than force) an employee to act in the interests of the organization.

Enticing employees to act in the interests of the organization through positive incentives reduces the baseline insider threat risk. Positive incentives that align workforce values and attitudes with the organization’s objectives form a foundation on which to build traditional security practices that rely on forcing functions. The combination of incentives and forcing functions improves the effectiveness and efficiency of insider threat defense.

Best Practice 21 is derived from the research published in an SEI technical report: The Critical Role of Positive Incentives for Reducing Insider Threats. The research identified and analyzed three avenues for aligning the interests of the employee and the organization–job engagement, perceived organizational support, and connectedness with co-workers–to reduce the risk of an insider becoming a threat. The model developed from this research shows how these factors can encourage employees to act in the interests of the organization. One particularly strong outcome showed that as perceived organizational support went up, the risk of an insider incident went down (see figure below).

Figure 1 Perceived org support vs insider misbehavior.pngFigure 1. Negative Correlation Between Perceived Organizational Support and Insider Misbehavior

We adapted the key components of this research into Best Practice 21 in the Common Sense Guide to Mitigating Insider Threats, Sixth Edition.

This practice is related to Best Practice 5, “Anticipate and manage negative issues in the work environment,” and Best Practice 8, “Structure management and tasks to minimize insider stress and mistakes.” The difference is that Best Practice 21 focuses on using positive incentives to improve employee attitudes independent of whether a specific negative issue or insider stress exists or is even identifiable. In other words, positive incentives are proactive and reduce the frequency of insider incidents before they, or even their indicators, occur.

Best Practice 21, consistent with all the other best practices, contains the following sections:

  • Protective Measures
  • Challenges
  • Case Studies
  • Incident Analysis
  • Survey on Organizational Supportiveness and Insider Misbehavior
  • Quick Wins and High-Impact Solutions for All Organizations

Other New Features: EU-GDPR, Privacy, Workplace Violence, Standards Mapping

In the sixth edition, we also integrated new information into the other best practices to reflect aspects of the European Union’s General Data Protection Regulation (EU-GDPR); we paid special attention to issues surrounding insider threat and associated employee-monitoring concerns. In the sixth edition, we also interwove aspects of workplace violence prevention into many of the best practices. Finally, we updated mappings of the best practices to other relevant standards and added new mappings to the following:

  • NIST Cybersecurity Framework
  • Center for Internet Security Controls V7
  • National Insider Threat Task Force Program Maturity Framework
  • European Union General Data Protection Regulation (GDPR)

The table below shows an example of this mapping of best practices, using Best Practice 1, to security control standards.

Table 2 Mapping practices to standards.PNG

Example of Best Practice 1 Mapped to Security Control Standards

Looking Ahead: New Practices for New Threats

We continue to research new insider threat vectors and develop mitigation strategies for organizations to prevent, detect, and respond to these threats. We plan to incorporate these strategies into future versions of the CSG.

Additional Resources

We invite you to search for and read our blog series on CERT Best Practices to Mitigate Insider Threats and read our report titled The Critical Role of Positive Incentives for Reducing Insider Threat.

Subscribe to our Insider Threat blog feed to be alerted when any new post is available. For more information about the CERT National Insider Threat Center, or to provide feedback, please contact [email protected].

Posted on Leave a comment

Are You Providing Cybersecurity Awareness, Training, or Education?

When I attend trainings, conferences, or briefings, I usually end up listening to someone reading slides about a problem. Rarely am I provided with any solutions or actions to remediate the problem. As a cybersecurity trainer with 17+ years of experience and a degree in education, I understand that developing a good presentation is a challenge in any domain. Fortunately for cybersecurity professionals, the National Institute of Standards and Technology (NIST) can help you choose which kind of presentation to give. This blog post will review the three types of presentations defined by NIST: awareness, training, and education.

briefing room.jpg

What are you presenting?

You have to know whether you’re delivering a presentation for awareness, training, or education. Here are the definitions, according to NIST Speciation Publication (SP) 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model.

Awareness

Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. – NIST SP 800-16

If the purpose of your briefing is to simply tell your audience about a topic or problem so that they can respond, you’re providing awareness. Provide the information and suggest actionable solutions for your audience.

Training

Training strives to produce relevant and needed security skills and competency by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing). – NIST SP 800-16

Describe the new skills, provide practice–either guided or independent–and maybe even provide a checklist or job aid that will prompt the audience to use those new skills and abilities after they leave your presentation. Your checklist or job aid will not only improve that person’s work, but the cybersecurity of their office, and the transference of that skill to others within their organization.

If you want to change their normal behaviors, then you are providing training.

Education

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multi-disciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response. – NIST SP 800-16

Education is generally thought of when beginning or entering a new field. For example, a high school graduate or someone changing careers would attend a college or university to receive an education in cybersecurity. This audience must learn the breadth and depth of knowledge necessary to begin a successful career in the cybersecurity industry. Once on the job, they would receive job-specific training to focus their knowledge to successfully complete the tasks of their employment.

Conclusion

At the Software Engineering Institute and within Carnegie Mellon University, we provide awareness, training, and education to a variety of audiences. Knowing which to use in the right situation is important.

  • If your audience needs to know about a cybersecurity situation so they can devise a solution, you are providing awareness.
  • If you are trying to change your audience’s behavior or improve their knowledge, skills and abilities to improve their cybersecurity, you are providing training.
  • If you are trying to create well-rounded cybersecurity professionals who can take what they have learned, add it to other knowledge, and expand it to different situations to improve the overall body of knowledge of cybersecurity, you are providing education.

Here is my final piece of practical advice, especially when speaking to cybersecurity professionals: Your audiences should always leave with new information, a new way of operating, or a list of tasks to perform or complete. If you can do that, you can make a difference in the way your audience conducts cybersecurity and protects the information entrusted to their care.

Posted on Leave a comment

Insider Threat Supply Chain Best Practices

This blog post outlines best practices for establishing an appropriate level of control to mitigate the risks involved in working with outside entities that support your organization’s mission. In today’s business landscape, organizations often rely on suppliers such as technology vendors, suppliers of raw materials, shared public infrastructure, and other public services. These outside entities are all examples of the supply chain, which is a type of trusted business partner (TBP). However, these outside entities can pose significant security risks.

Understanding the Problem

The CERT Division’s National Insider Threat Center (NITC) has found that over 15% of insider threat incidents were perpetrated by someone in the victim organization’s supply chain. Although even more incidents of this kind occur in the private sector, that figure demonstrates that the issue remains relevant in the government sector. A case example of a supply chain incident follows:

The insider was employed as a customer service representative by a TBP of the victim organization, who was responsible for handling the organization’s employees’ healthcare claims. The insider worked with 3 outsiders. While on site and during work hours, the insider used their access over 6 months to steal addresses of medical service providers from the organization’s database, and also manipulated the organization’s system to divert millions of dollars in payouts to fraudulent Medicare claims. The insider was not able to make all of the necessary data modifications, and built a rapport with two employees who were able to do so, enabling themselves to carry out the scheme. The organization performed an internal audit and detected the fraud. The insider was arrested, convicted, and ordered to pay $89,000. The insider was sentenced to about 8 years imprisonment and about 5 years of probation. The incident related impact was $1.2 – $20 million.

By modeling the motivations, methods, and targets of the perpetrators in these incidents, it is possible to identify a set of best practices that can be used to develop and implement a mitigation strategy for supply chain risk management.

Mandates and Regulations

Several existing mandates and regulations provide organizations a given set of standards. Even if an organization is not legally required to follow them, these standards are a great starting point for developing robust and secure supply chain policies and procedures. To begin, your organization should consider how insiders might collude with someone in the supply chain or take advantage of weaknesses in supply chain processes and how that might affect your organization, and you should review existing policies and procedures with those repercussions in mind.

Here are a few examples of the available mandates and regulations your organization can use as a starting point: the International Organization for Standardization (ISO) 28000 series, ISO 20243, ISO/IEC 15408 Common Criteria, National Institute for Standards and Technology (NIST) SP 800-161, NIST SP 800-171, NIST 800-53, and the Defense Federal Acquisition Regulation Supplement (DFARS).

Best Practices

The list below outlines several best practices that are available to assist you with mitigating insider threat risk within the supply chain. You should revisit these practices on an annual basis as they might change over time.

  • Establish and put supply chain trusted insiders’ scope review, risk identification, and risk management in place. To accomplish this, review and identify each supplier’s scope of activities and where they fit into your organization’s supply chain. You must also use any risk management and assessment activities conducted by your organization to identify and address specific risks and threats to critical assets and data that members of the supply chain might introduce.
  • Define and document the rules of engagement for the supplier’s operation within your organization’s daily activities by establishing supplier and organizational terms and conditions. Ensuring these rules are integrated into the contract between your organization and the supplier can provide protections for your organization if the supplier fails to follow the set terms and conditions.
  • Deploy a monitoring strategy that identifies criteria for monitoring supplier interactions and methods for identifying anomalies or deviations. Be sure to outline these criteria in the supplier and organizational defined terms and conditions.
  • Form effective relationships and communications strategies that are supported by all levels of your organization. These strategies are critical because TBP management focuses on establishing an appropriate level of controls to manage the risks that originate from or are related to the organization’s dependence on these external entities.
  • Make background screenings required for all supply chain providers to ensure that the supply chain adequately mitigates insider threat risk. The rigor of these screenings should be equal to those conducted by your organization, at a minimum. Be sure to consider all legal requirements when creating policies involving background screenings.
  • Develop a formal onboarding process that includes clear, formal, and codified agreements with suppliers as part of the initiation process to help your organization manage its resilience over the lifecycle of the relationship. Assign and update all appropriate points of contacts for both your organization and the supplier as necessary.
  • Ensure the Acceptable Use Policy (AUP), which informs employees of the proper use of the organization’s IT systems and services, is followed by supply chain personnel who have been granted access to the organization’s IT systems. You might need to put customized AUPs in place for those who have temporary or guest-level access.
  • Develop an intellectual property (IP) ownership right policy defining your organization’s ownership rights over IP created by TBPs. Documents such as non-disclosure agreements (NDAs), non-competes, and IP agreements should be required and enforced.
  • Reporting of policy violations should be mandatory for all TBPs. These reports can include technical or physical security violations, and should contain any violations that indicate insider risk. Violations should be reported immediately to an appointed point of contact at the organization (e.g. Insider Threat Program Manager or Corporate Security) through a defined process. A clearly articulated Supplier Code of Conduct should be put in place and suppliers should be monitored for adherence.
  • Ensure that the appropriate mandates and regulations are reviewed and applied as necessary and that the best practices are put in place at your organization.

Summary

Insider threat remains a large part of an organization’s overall risk, and TBPs who are part of an organization’s supply chain account for a portion of insider threat incidents. The CERT Division’s National Insider Threat Center (NITC) at the Software Engineering Institute at Carnegie Mellon University has used its expansive incident corpus of over 1,000 empirically analyzed cases to identify nine best practices related to the prevention, detection, and response to insider threats within the supply chain. The best practices discussed above, along with the mandates and regulations, should be reviewed and applied as necessary to help reduce insider threat risk to the supply chain. Policies and procedures associated with insider threat risk should also be incorporated into the organization’s overall security framework.

Posted on Leave a comment

Moving Beyond Resilience to Prosilience

Our researchers have spent over a decade at the CERT Division exploring, developing, and analyzing operational resilience as a way to not just manage risks, but to achieve mission assurance. Resilience has been codified in our CERT-Resilience Management Model (CERT-RMM), which is a maturity framework of best practices across security, business continuity, and information technology operations focused on an organization’s critical assets.
CERT-RMM assists an organization in achieving its mission before, during, and after a disruptive event and ensuring that the organization can return to a full operating capability. This body of work has expanded into derivatives that have been used to assess the cybersecurity capabilities of over 500 (and counting) critical infrastructure owners and operators, and continues to be used as a way for organizations to measure their performance (e.g., against the NIST Cybersecurity Framework) as well as baseline and improve their capabilities.

There is much work left to be done in the area of resilience, and CERT researchers continue to expand and improve the resilience body of knowledge. As a Department of Defense Federally Funded Research and Development Center (DoD FFRDC), it is also critical that we look beyond what is needed now. Our mission is to anticipate and solve the nation’s cybersecurity challenges. The space around us is evolving on multiple planes with increasingly complex systems and expanding attack surfaces as the Internet of Things becomes a reality. Our adversaries and their tools are also becoming both more numerous and more sophisticated.

Some organizations perform post-mortems or lessons-learned activities to identify what caused an issue, and they then work to fix errors made by people, processes, or technology. This is the action of a mature organization with resilient properties. However, emerging areas of technology have moved beyond the age-old steps of fail→investigate→fix to concepts of self-healing and artificial intelligence giving systems the IQ of an average four-year-old human. Don’t we want our organizations to be at least as smart as this? So what comes after resilience? Haven’t we “won” if we can achieve our mission even in a degraded state during a disruptive event?

I propose that we build operationally PROSILIENT organizations. If operational resilience, as we like to say, is risk management “all grown up,” then prosilience is resilience with consciousness of environment, self-awareness, and the capacity to evolve. It is not about being able to operate through disruption, it is about anticipating disruption and adapting before it even occurs–a proactive version of resilience. Nascent prosilient capabilities include exercises (tabletop or technical) that simulate how organizations would respond to a scenario. The goal, however, is to automate, expand, and perform continuous exercises based on real-world indicators rather than on scenarios.

Operational prosilience is not a state; it is an evolving set of characteristics and capabilities. We at the CERT Division are exploring these characteristics and capabilities as part of our DoD mission. We encourage you to engage with us in the discussion and their design. Look for more about this exciting new CERT research soon!