The CERT Top 10 List for Winning the Battle Against Insider Threats



Similar documents
The Key to Successful Monitoring for Detection of Insider Attacks

Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks

2012 CyberSecurity Watch Survey

Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Moving Target Reference Implementation

Insider Threat Security Reference Architecture

Supply-Chain Risk Management Framework

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Network Monitoring for Cyber Security

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Breach Found. Did It Hurt?

Combating the Insider Threat at the FBI: Real World Lessons Learned

HIGH-RISK USER MONITORING

Penetration Testing Walkthrough

Practical Steps To Securing Process Control Networks

Logging In: Auditing Cybersecurity in an Unsecure World

SIEM is only as good as the data it consumes

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management

Cyber Intelligence Workforce

Employment Termination Policy

CERT/CC Overview & CSIRT Development Team Activities

Applying Software Quality Models to Software Security

Network Security & Privacy Landscape

INCIDENT RESPONSE CHECKLIST

Into the cybersecurity breach

Cyber Security solutions

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

Working with the FBI

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources

Information Security Incident Management Guidelines

OCIE Technology Controls Program

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Defensible Strategy To. Cyber Incident Response

Common Sense Guide to Prevention and Detection of Insider Threats

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Statement of Qualifications Cybercrime & data breach

Symantec Critical System Protection Configuration Monitoring Edition Release Notes

Welcome. HITRUST 2014 Conference April 22, 2014 HITRUST. Health Information Trust Alliance

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders

Vulnerability Assessment & Compliance

Advanced Threats: The New World Order

Common Sense Guide to Mitigating Insider Threats 4 th Edition

Risk Management Framework

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

IT OUTSOURCING SECURITY

Top Ten Fraud Risks That Impact Your Financial Institution. Presented by Ann Davidson - VP Risk Consulting Allied Solutions LLC.

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Monitoring Trends in Network Flow for Situational Awareness

Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition Version 3.1

Jefferson Glassie, FASAE Whiteford, Taylor & Preston

Cyber Security. John Leek Chief Strategist

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

DEPARTMENT OF DEFENSE 6000 DEFENSE PENTAGON WASHINGTON, D.C

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions:

WRITTEN TESTIMONY OF

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

How Do Threat Actors Move Deeper Into Your Network?

Practice Good Enterprise Security Management. Presented by Laurence CHAN, MTR Corporation Limited

Architectural Implications of Cloud Computing

Cybersecurity and Privacy Hot Topics 2015

Keynote: FBI Wednesday, February 4 noon 1:10 p.m.

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Assurance Cases for Design Analysis of Complex System of Systems Software

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

New Zealand Security Incident Management Guide for Computer Security Incident Response Teams (CSIRTs)

Data Breach Response Planning: Laying the Right Foundation

Dealing with Big Data in Cyber Intelligence

Procedure for Managing a Privacy Breach

Defending Against Data Beaches: Internal Controls for Cybersecurity

Solutions and IT services for Oil-Gas & Energy markets

What legal aspects are needed to address specific ICT related issues?

Transcription:

The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification: Intermediate

Notices 2012 Carnegie Mellon University Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at permission@sei.cmu.edu. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN AS IS BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON- INFRINGEMENT). CERT is a registered mark owned by Carnegie Mellon University.

Could this happen to you??? Actual insider incidents: Night time security guard plants malware on organization s computers Programmer quits his job and takes source code back to his country of birth Group of employees work with outsiders to carry out lucrative fraud scheme These are only a few examples of the types of insider threats we are tying to prevent!! 3

Outline of the Presentation Introduction Structure of this presentation Top 10 List Questions / Comments 4

What is the CERT Insider Threat Center? Center of insider threat expertise established in 2001 Our mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider cyber threats. 5

CERT Insider Threat Center Objective Opportunities for prevention, detection, and response for an insider attack

Structure of the Presentation 7

Structure of the Presentation Compelling real case examples to reinforce why each item made the Top 10 list and WHY YOU SHOULD CARE!! Explanation of each mitigation strategy What other organizations are doing Details you need to consider 8

Top 10 List. 9

#10: Learn from past incidents 10

#10: Learn from past incidents Some organizations experience the same types of insider crimes more than once When you have an attack, implement controls to catch it next time Some organizations: Create formal teams to examine past incidents and implement new controls 11

#9: Focus on protecting the crown jewels 12

#9: Focus on protecting the crown jewels One third of CERT s insider theft of IP cases involve a foreign government or organization What would happen if your IP was stolen and taken out of the country??? Most insiders use authorized access to steal IP But they don t always require the access! Some organizations: Implement extra controls for THE most critical IP Protect against erosion of access controls 13

#8: Use your current technologies differently 14

#8: Use your current technologies differently Some organizations Create an insider threat team or train Security Operations Center (SOC) staff about insider threat Use Intrusion Detection Systems (IDS) to examine data going out as well as in Tailor use of tools to reduce information overload (Data Leakage Protection, host based controls, change controls) Create signatures in Security Information and Event Management systems (SIEMs) / log correlation tools to detect suspicious insider activity After-hours reconnaissance activity by privileged system users who are on the HR radar Exfiltration via email within 30 days of resignation 15

#7: Mitigate threats from trusted business partners 16

#7: Mitigate threats from trusted business partners Trusted Business Partners (TBPs) include contractors outsourced companies Some organizations: Specify information security controls in contracts Require the same controls for their TBPs as they require internally Audit TBP policies and procedures Require same policies and procedures for contractors as for employees 17

#6: Recognize concerning behaviors as a potential indicator 18

#6: Recognize concerning behaviors as a potential indicator Concerning behaviors are the 4 th most common issue of concern in the CERT Insider Threat Database Negative employment issues are the 8 th Most prevalent in insider IT sabotage and theft of IP Some organizations Educate management staff on insider threat indicators Communicate employees on the HR radar to security staff Integrate cyber insider threat mitigation with their workplace violence program 19

#5: Educate employees regarding potential recruitment 20

#5: Educate employees regarding potential recruitment Recruitment is the 3 rd most common issue of concern in the CERT Insider Threat Database Carefully consider: do you have any systems or data that an insider could be paid to steal or modify? Financial, Personally Identifiable Information (PII), identity documents, utility bills, food stamps, credit histories, Some organizations: Perform periodic background checks for existing employees 21

#4: Pay close attention at resignation / termination! 22

#4: Pay close attention at resignation / termination! Change in employment status is the TOP issue of concern in the CERT Insider Threat Database BUT Typically not in fraud cases! Some organizations Perform targeted employee monitoring Low performing employees Employees who will be laid off or terminated Implement special controls for their most critical IP 23

#3: Address employee privacy issues with General Counsel 24

#3: Address employee privacy issues with General Counsel Employee privacy issues present a tricky legal issue Laws and regulations differ in private sector, government, and various critical infrastructure sectors Some organizations: Have created and implemented insider threat policies and processes by working with Human Resources, General Counsel, Information Security / Information Technology, Security, and top management 25

#2: Work together across the organization 26

#2: Work together across the organization IT cannot solve this alone! Need communication across Management, Information Security / Information Technology, Security, Data Owners, Software Engineering, General Counsel, and Human Resources Some organizations: Achieve this communication but only after significant suspicious activity warrants an investigation Have achieved proactive communication between some of these organizational units 27

#1: Create an insider threat program NOW! 28

#1: Create an insider threat program NOW! In the first three months following this presentation you should: Obtain buy-in from top management Form an insider threat team Create policies (approved by General Counsel) Develop processes and implement controls Within six months you should: Roll out and consistently enforce the policies Regularly communicate across your organization 29

#1: Create an insider threat program NOW! Some organizations Follow an enterprise-wide insider threat strategic plan which was created by C-level managers Have designated a Director responsible for the insider threat program Have made a significant investment in an insider threat program 30

CERT Resources Insider Threat Center website (http://www.cert.org/insider_threat/) Common Sense Guide to Prevention and Detection of Insider Threats (http://www.cert.org/archive/pdf/csg- V3.pdf) Insider threat workshops (http://www.cert.org/insider_threat/docs/workshop.pdf) Insider threat assessments (http://www.cert.org/insider_threat/docs/assessment.pdf) New controls from CERT Insider Threat Lab (http://www.cert.org/insider_threat/controls/) Insider threat exercises The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) by Dawn M. Cappelli, Andrew P. Moore and Randall F. Trzeciak

The CERT Top 10 List for Winning the Battle Against Insider Threats 10. Learn from past incidents 9. Focus on protecting the crown jewels 8. Use your current technologies differently 7. Mitigate threats from trusted business partners 6. Recognize concerning behaviors as a potential indicator 5. Educate employees regarding potential recruitment 4. Pay close attention at resignation / termination! 3. Address employee privacy issues with General Counsel 2. Work together across the organization 1. Create an insider threat program NOW! 32

Questions / Comments 33

Point of Contact Dawn M. Cappelli Director, CERT Insider Threat Center CERT Program, Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA 15213 3890 +1 412 268 9136 Phone dmc@cert.org Email http://www.cert.org/insider_threat/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information