Best Practices for the Prevention and Detection of Insider Threats by CERT.
What is Meant by "Insider Threat?"
CERT’s definition of a malicious insider is:
- A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and
- intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems
Note that one type of insider threat is excluded from this guide: cases of espionage involving classified national security information.
The scope of insider threats has been expanding beyond the traditional threat posed by a current or former employee. Specifically, the CERT team has noted the following important new issues in the expanding scope of insider threat.
Collusion with outsiders: Insider threat has expanded beyond the organizational boundary. Half of the insiders who stole or modified information for financial gain were actually recruited by outsiders, including organized crime and foreign organizations or governments. It is important to pay close attention to the section of the guide titled “Theft or Modification of Information for Financial Gain.” It will help you understand the types of employees who may be susceptible to recruitment.
Business partners: A recent trend noted by the CERT research team is the increase in the number of insider crimes perpetrated not by employees, but by employees of trusted business partners who have been given authorized access to their clients’ networks, systems, and data. Suggestions for countering this threat are presented in Practice 1.
Mergers and acquisitions: A recent concern voiced to the CERT team by industry is the heightened risk of insider threat in organizations being acquired by another organization. It is important that organizations recognize the increased risk of insider threat both within the acquiring organization, and in the organization being acquired, as employees endure stress and an uncertain organizational climate. Readers involved in an acquisition should pay particular attention to most of the practices in this guide.
Cultural differences: Many of the patterns of behavior observed in CERT’s insider threat modeling work are reflected throughout this guide. However, it is important for readers to understand that cultural issues could influence employee behaviors; those same behavioral patterns might not be exhibited in the same manner by people who were raised or spent extensive time outside of the U.S.
Issues outside the U.S.: CERT’s insider threat research is based on cases that occurred inside the United States. It is important for U.S. companies operating branches outside the U.S. to understand that, in addition to the cultural differences influencing employee behavior, portions of this guide might also need to be tailored to legal and policy differences in other countries.
Are insiders really a threat?
The threat of attack from insiders is real and substantial. The impact from insider attacks can be devastating. One employee working for a manufacturer stole blueprints containing trade secrets worth $100 million, and sold them to a Taiwanese competitor in hopes of obtaining a new job with them.
Over the past several years, Carnegie Mellon University has been conducting a variety of research projects on insider threat. One of the conclusions reached is that insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. Examples of these acts include the following:
- “Low-tech” attacks, such as modifying or stealing confidential or sensitive information for personal gain.
- Theft of trade secrets or customer information to be used for business advantage or to give to a foreign government or organization.
- Technically sophisticated crimes that sabotage the organization’s data, systems, or network.
Damages in many of these crimes are not only financial—widespread public reporting of the event can also severely damage the organization’s reputation.
Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion detection systems, and electronic building access systems are implemented primarily to defend against external threats. However, not only are insiders aware of the policies, procedures, and technology used in their organizations, but they are often also aware of their vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems.
CERT’s research indicates that use of many widely accepted best practices for information security could have prevented many of the insider attacks examined. Part of CERT’s research of insider threat cases entailed an examination of how each organization could have prevented the attack or at the very least detected it earlier. Previous editions of the Common Sense Guide identified existing best practices critical to the mitigation of the risks posed by malicious insiders. This edition identifies additional best practices based on new methods and contextual factors in recent cases, and also presents some new suggestions for countering insider threat based on findings that could not be linked to established best practices.
Based on our research to date, the practices outlined in this report are the most important for mitigating insider threats.
Summary of practices
The following sixteen practices will provide an organization defensive measures that could prevent or facilitate early detection of many of the insider incidents other organizations experienced in the hundreds of cases examined by CERT.
Some of these practices have been updated from the previous version of the Common Sense Guide based on approximately 100 recent cases collected and examined since that version was published. Other practices are new ones added in this version. Each practice listed below is labeled as either Updated or New.
PRACTICE 1: Consider threats from insiders and business partners in enterprise-wide risk assessments.
It is difficult for organizations to balance trusting their employees, providing them access to achieve the organization’s mission, and protecting its assets from potential compromise by those same employees. Insiders’ access, combined with their knowledge of the organization’s technical vulnerabilities and vulnerabilities introduced by gaps in business processes, gives them the ability and opportunity to carry out malicious activity against their employer if properly motivated. The problem is becoming even more difficult as the scope of insider threats expands due to organizations’ growing reliance on business partners with whom they contract and collaborate. It is important for organizations to take an enterprise-wide view of information security, first determining their critical assets, then defining a risk management strategy for protecting those assets from both insiders and outsiders.
NEW PRACTICE
PRACTICE 2: Clearly document and consistently enforce policies and controls.
Clear documentation and communication of technical and organizational policies and controls could have mitigated some of the insider incidents, theft, modification, and IT sabotage, in the CERT case library. Specific policies are discussed in this section of the report. In addition, consistent policy enforcement is important. Some employees in the cases examined by CERT felt they were being treated differently than other employees, and retaliated against this perceived unfairness by attacking their employer’s IT systems. Other insiders were able to steal or modify information due to inconsistent or unenforced policies.
PRACTICE 3: Institute periodic security awareness training for all employees.
A culture of security awareness must be instilled in the organization so that all employees understand the need for policies, procedures, and technical controls. All employees in an organization must be aware that security policies and procedures exist, that there is a good reason why they exist, that they must be enforced, and that there can be serious consequences for infractions. They also need to be aware that individuals, either inside or outside the organization, may try to co-opt them into activities counter to the organization’s mission. Each employee needs to understand the organization’s security policies and the process for reporting policy violations. This section of the guide has been updated with important new findings relevant to recruitment of insiders by outsiders to commit crimes.
PRACTICE 4: Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
Organizations should closely monitor suspicious or disruptive behavior by employees before they are hired, as well as in the workplace, including repeated policy violations that may indicate or escalate into more serious criminal activity. The effect of personal and professional stressors should also be considered. This section has been updated based on findings in 100 recent cases, particularly due to the high degree of internal and external collusion observed in these cases and the high incidence of previous arrests.
NEW PRACTICE
PRACTICE 5: Anticipate and manage negative workplace issues.
This section describes suggestions for organizations beginning with pre-employment issues and continuing through employment and with termination issues. For example, employers need to clearly formulate employment agreements and conditions of employment. Responsibilities and constraints of the employee and consequences for violations need to be clearly communicated and consistently enforced. In addition, workplace disputes or inappropriate relationships between co-workers can serve to undermine a healthy and productive working environment. Employees should feel encouraged to discuss work-related issues with a member of management or human resources without fear of reprisal or negative consequences. Managers need to address these issues when discovered or reported, before they escalate out of control. Finally, contentious employee terminations must be handled with utmost care, as most insider IT sabotage attacks occur following termination.
NEW PRACTICE
PRACTICE 6: Track and secure the physical environment.
While employees and contractors obviously must have access to organization facilities and equipment, most do not need access to all areas of the workplace. Controlling physical access for each employee is fundamental to insider threat risk management. Access attempts should be logged and regularly audited to identify violations or attempted violations of the physical space and equipment access policies. Of course, terminated employees, contractors, and trusted business partners should not have physical access to non-public areas of the organization facilities. This section details lessons learned from cases in the CERT case library in which physical access vulnerabilities allowed an insider to attack.
PRACTICE 7: Implement strict password and account management policies and practices.
No matter how vigilant an organization is in trying to prevent insider attacks, if their computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated controls. Password and account management policies and practices should apply to employees, contractors, and business partners. They should ensure that all activity from any account is attributable to the person who performed it. An anonymous reporting mechanism should be available and used by employees to report attempts at unauthorized account access, including potential attempts at social engineering. Audits should be performed regularly to identify and disable unnecessary or expired accounts. This section has been updated to reflect new account issues identified in 100 recent cases added to the CERT case library, many of them involving unauthorized access by trusted business partners.
PRACTICE 8: Enforce separation of duties and least privilege.
If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the cooperation of another individual within the organization is limited. Effective separation of duties requires the implementation of least privilege; that is, authorizing insiders only for the resources they need to do their jobs, particularly when they take on different positions or responsibilities within the organization. This section has been updated to reflect findings from recent cases involving collusion among multiple insiders.
NEW PRACTICE
PRACTICE 9: Consider insider threats in the software development life cycle.
Many insider incidents can be tied either directly or indirectly to defects introduced during the software development life cycle (SDLC). Some cases, such as those involving malicious code inserted into source code, have an obvious tie to the SDLC. Others, like those involving insiders who took advantage of inadequate separation of duties, have an indirect tie. This section of the report details the types of oversights throughout the SDLC that enabled insiders to carry out their attacks.
PRACTICE 10: Use extra caution with system administrators and technical or privileged users.
System administrators and privileged users like database administrators have the technical ability and access to commit and conceal malicious activity. Technically adept individuals are more likely to resort to technical means to exact revenge for perceived wrongs. Techniques like separation of duties or the two-man rule for critical system administrator functions, non-repudiation of technical actions, encryption, and disabling accounts upon termination can limit the damage and promote the detection of malicious system administrator and privileged user actions. This section has been updated to include recent findings regarding technical employees who stole information for business advantage: to start their own business, to take with them to a new job, or to give to a foreign government or organization.
PRACTICE 11: Implement system change controls. (Updated)
A wide variety of insider compromises relied on unauthorized modifications to the organization’s systems, which argues for stronger change controls as a mitigation strategy. System administrators or privileged users can deploy backdoor accounts, keystroke loggers, logic bombs, or other malicious programs on the system or network. These types of attacks are stealthy and therefore difficult to detect ahead of time, but technical controls can be implemented for early detection. Once baseline software and hardware configurations are characterized, comparison of current configuration can detect discrepancies and alert managers for action. This section has been updated to reflect recent techniques used by insiders that could have been detected via change controls.
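The baseline comparison this practice describes, as an added example that is not code from the CERT guide: both snapshots are constructed inline (account list, scheduled jobs, file hashes), and the severity rules are assumptions chosen to route alerts for the attack types named above (backdoor accounts, planted jobs, modified binaries).

```python
import hashlib

# Constructed baseline snapshot of an approved host configuration. Real tooling
# would collect this from the system; the values here are made up for the example.
BASELINE = {
    "accounts": {"root": "uid=0", "alice": "uid=1001", "svc_backup": "uid=2001"},
    "scheduled_jobs": {"nightly_backup": "0 2 * * * /usr/local/bin/backup.sh"},
    "file_hashes": {
        "/usr/sbin/sshd": hashlib.sha256(b"sshd-approved-build").hexdigest(),
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    },
}

# Constructed current snapshot carrying three discrepancies of the kinds the
# practice describes: an extra uid-0 account, an unapproved job, a modified binary.
CURRENT = {
    "accounts": {"root": "uid=0", "alice": "uid=1001", "svc_backup": "uid=2001",
                 "sysbak": "uid=0"},
    "scheduled_jobs": {"nightly_backup": "0 2 * * * /usr/local/bin/backup.sh",
                       "cleanup": "0 0 1 * * /var/tmp/.cache/run.sh"},
    "file_hashes": {
        "/usr/sbin/sshd": hashlib.sha256(b"sshd-rebuilt-locally").hexdigest(),
        "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\n").hexdigest(),
    },
}


def compare_snapshots(baseline, current):
    """Return (category, change, key) tuples for every difference, in sorted order."""
    findings = []
    for category in sorted(set(baseline) | set(current)):
        base = baseline.get(category, {})
        cur = current.get(category, {})
        for key in sorted(set(base) | set(cur)):
            if key not in base:
                findings.append((category, "added", key))
            elif key not in cur:
                findings.append((category, "removed", key))
            elif base[key] != cur[key]:
                findings.append((category, "modified", key))
    return findings


def severity(finding, current):
    """Assumed routing rule: new privileged accounts and changed system binaries
    are critical, new scheduled jobs high, anything else medium."""
    category, change, key = finding
    if category == "accounts" and change == "added" and current["accounts"][key] == "uid=0":
        return "critical"
    if category == "file_hashes" and change == "modified":
        return "critical"
    if category == "scheduled_jobs" and change == "added":
        return "high"
    return "medium"


def report(baseline, current):
    """Pair each discrepancy with its severity; an empty list means no drift."""
    return [(severity(f, current), *f) for f in compare_snapshots(baseline, current)]
```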
PRACTICE 12: Log, monitor, and audit employee online actions. (Updated)
If account and password policies and procedures are enforced, an organization can associate online actions with the employee who performed them. Logging, periodic monitoring, and auditing provide an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences ensue. In addition to unauthorized changes to the system, download of confidential or sensitive information such as intellectual property, customer or client information, and personally identifiable information can be detected via data leakage tools. New findings detailed in this section can assist organizations in refining their data leakage prevention strategy, for example, in the weeks surrounding employee termination.
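One way to apply the termination-window finding above to download logs, as an added example that is not from the CERT guide: the audit log format, the HR termination feed, the 30-day window and the 5x ratio are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumed file-server audit log format; only download events are parsed.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=download bytes=(?P<bytes>\d+)")

# Constructed log lines: bob's downloads grow sharply in the weeks before his last day.
LOG_LINES = """\
2024-02-05T10:00:00 user=alice action=download bytes=50000 path=/share/reports/q1.pdf
2024-02-05T11:00:00 user=bob action=download bytes=40000 path=/share/reports/q1.pdf
2024-02-12T09:30:00 user=bob action=download bytes=60000 path=/share/specs/s1.docx
2024-03-04T14:00:00 user=bob action=download bytes=900000 path=/share/designs/a.dwg
2024-03-05T14:10:00 user=bob action=download bytes=1500000 path=/share/designs/b.dwg
2024-03-06T08:00:00 user=alice action=download bytes=45000 path=/share/reports/q2.pdf
2024-03-11T17:45:00 user=bob action=download bytes=2200000 path=/share/customers/list.xlsx
"""

# Constructed HR feed: users with a known or scheduled last day of employment.
TERMINATIONS = {"bob": date(2024, 3, 15)}


def parse_downloads(text):
    """Return (day, user, bytes) for each download event; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((date.fromisoformat(m["ts"][:10]), m["user"], int(m["bytes"])))
    return events


def pre_termination_volume(events, terminations, window_days=30):
    """Per departing user: bytes downloaded inside the pre-termination window
    versus bytes downloaded earlier (the user's own history serves as baseline)."""
    totals = defaultdict(lambda: {"window": 0, "before": 0})
    for day, user, nbytes in events:
        if user not in terminations:
            continue
        last_day = terminations[user]
        if last_day - timedelta(days=window_days) <= day <= last_day:
            totals[user]["window"] += nbytes
        elif day < last_day:
            totals[user]["before"] += nbytes
    return dict(totals)


def flag_leakage(events, terminations, window_days=30, ratio=5.0):
    """Flag departing users whose window volume exceeds ratio x their earlier volume.
    max(..., 1) keeps a user with no history from dividing by zero."""
    flagged = {}
    for user, t in pre_termination_volume(events, terminations, window_days).items():
        if t["window"] > ratio * max(t["before"], 1):
            flagged[user] = t
    return flagged
```

Totals are compared rather than per-day rates, so a long pre-window history inflates the baseline; a production rule would normalize by active days and weight by data sensitivity.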
PRACTICE 13: Use layered defense against remote attacks. (Updated)
If employees are trained and vigilant, accounts are protected from compromise, and employees know that their actions are being logged and monitored, then disgruntled insiders will think twice about attacking systems or networks at work. Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote access policies and procedures must be designed and implemented very carefully. When remote access to critical systems is deemed necessary, organizations should consider offsetting the added risk by requiring connections only via organization-owned machines and by closer logging and frequent auditing of remote transactions. Disabling remote access and collecting organization equipment are particularly important for terminated employees. This section has been updated to include new remote attack methods employed by insiders in recent cases.
PRACTICE 14: Deactivate computer access following termination. (Updated)
When an employee terminates employment, whether the circumstances were favorable or not, it is important that the organization have in place a rigorous termination procedure that disables all of the employee’s access points to the organization’s physical locations, networks, systems, applications, and data. Fast action to disable all access points available to a terminated employee requires ongoing and strict tracking and management practices for all employee avenues of access including computer system accounts, shared passwords, and card control systems.
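The account audit that Practices 7 and 14 call for (finding unnecessary or expired accounts, and confirming every avenue of access is closed after termination), as an added example that is not code from the CERT guide: the HR roster, the account inventory, the audit date and the 90-day staleness threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed HR roster: the authoritative list of who should have access.
HR_ROSTER = {
    "alice": {"status": "active", "last_day": None},
    "bob": {"status": "terminated", "last_day": date(2024, 3, 15)},
    "carol": {"status": "active", "last_day": None},
}

# Constructed account inventory gathered from directory, VPN and badge systems.
ACCOUNTS = [
    {"system": "directory", "name": "alice", "enabled": True, "last_login": date(2024, 4, 1)},
    {"system": "directory", "name": "bob", "enabled": True, "last_login": date(2024, 3, 20)},
    {"system": "vpn", "name": "bob", "enabled": True, "last_login": date(2024, 3, 18)},
    {"system": "vpn", "name": "carol", "enabled": True, "last_login": date(2023, 9, 1)},
    {"system": "directory", "name": "svc_legacy", "enabled": True, "last_login": None},
    {"system": "badge", "name": "alice", "enabled": True, "last_login": date(2024, 4, 1)},
    {"system": "badge", "name": "bob", "enabled": False, "last_login": date(2024, 3, 14)},
]

AUDIT_DATE = date(2024, 4, 15)  # constructed "today" for this audit run


def audit_accounts(accounts, roster, today, stale_days=90):
    """Reconcile enabled accounts against the roster. Each finding is
    (issue, system, account); disabled accounts are already in the desired state."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["name"])
        if person is None:
            # No HR record owns this account, so nobody is accountable for its use.
            findings.append(("unowned", acct["system"], acct["name"]))
        elif person["status"] == "terminated":
            findings.append(("terminated_still_enabled", acct["system"], acct["name"]))
            if acct["last_login"] and person["last_day"] and acct["last_login"] > person["last_day"]:
                # Use after the last day is an incident to investigate, not just cleanup.
                findings.append(("post_termination_login", acct["system"], acct["name"]))
        elif acct["last_login"] is None or today - acct["last_login"] > timedelta(days=stale_days):
            findings.append(("stale", acct["system"], acct["name"]))
    return findings


def accounts_to_disable(findings):
    """Accounts the audit says to disable now: unowned, or belonging to leavers."""
    return sorted({(s, n) for issue, s, n in findings
                   if issue in ("unowned", "terminated_still_enabled")})
```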
PRACTICE 15: Implement secure backup and recovery processes. (Updated)
No organization can completely eliminate its risk of insider attack; risk is inherent in the operation of any profitable enterprise. However, with a goal of organizational resiliency, risks must be acceptable to the stakeholders, and as such, impacts of potential insider attacks must be minimized. Therefore, it is important for organizations to prepare for the possibility of insider attack and minimize response time by implementing secure backup and recovery processes that avoid single points of failure and are tested periodically. This section contains descriptions of recent insider threat cases in which the organization’s lack of attention to incident response and organizational resiliency resulted in serious disruption of service to their customers.
NEW PRACTICE
PRACTICE 16: Develop an insider incident response plan.
Organizations need to develop an insider incident response plan to control the damage due to malicious insiders. This is challenging because the same people assigned to a response team may be among the most likely to think about using their technical skills against the organization. Only those responsible for carrying out the plan need to understand and be trained on its execution. Should an insider attack, it is important that the organization have evidence in hand to identify the insider and follow up appropriately. Lessons learned should be used to continually improve the plan.