“A Guide to Mitigating the Insider Threat”

Mr. Walter Kendricks, CISSP
California Highway Patrol
Information Security Officer
November 13, 2008



What is an Insider Threat?

Typically described as a disgruntled or unscrupulous employee trying to gain access to information they shouldn’t, and sharing it for personal gain, espionage or revenge.

Current or former employees or contractors who intentionally exceeded or misused an authorized level of network, system or data access in a manner that affected the security of the organization’s data, systems, or daily business operations (Carnegie Mellon, April 2008).

The Insider Threat

A summer 2006 E-Crime Watch Survey by CERT and the U.S. Secret Service stated the following: of 434 responses to the survey, 55% of organizations were victims of electronic crimes and ~30% of those were from insiders.

(reference: U.S. Secret Service and CERT/SEI, Insider Threat Study, Illicit Cyber Activity in the Government Sector)

What is the history of Insider Threats?

Espionage and spying are amongst the oldest political and military trades. There are references to spies in ancient Greek history, and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage.

Picture from www.encyclopedia.com

Case 1: Can you guess who this is?

Position: He was an insider.

Motive:
- Money
- Prestige/power

How was the threat implemented?
- He had a plan (obfuscation, gesture, diversion).
- He had expert knowledge.

What was the cost?
- The cost was significant.
- The punishment was severe.

Can you guess who?

Picture from HVF Historical Society, The Picket Post, various authors, 1947-1961

Case 2: Can you guess who this is?

Position: He was an insider.

Motives:
- His pride was damaged (disgruntled, revenge).
- He needed money.
- He had prior problems with the law.

How was the threat implemented?
- He defected with all the knowledge he had gained as an insider and made a plan.
- He passed a message as a note.
- He had expert knowledge.

The cost was significant due to loss of trust. The punishment was severe.

Can you guess who this is?

Case 3: Can you guess who this is?

Position: He was an insider.

Motives:
- He wanted prestige/power.
- He wanted money.

How was the threat implemented?
- He had unlimited access to all past insider attacks and investigations of his organization.
- No due diligence by the organization.
- He had expert knowledge.

The cost to the organization and the United States was priceless due to the type of secrets that were released and the number of lives lost. Punishment was severe.

Can you guess who this is?

Picture from Wikipedia, the free encyclopedia

Case 4: Can you guess who this is?

Position: Insider

Motive:
- He was a disgruntled employee.
- He wanted power.
- He had prior problems with the law.

How was the threat implemented?
- He developed a plan.
- He had unlimited access.
- He had expert knowledge.

What was the cost?
- Significantly high.
- Reputation of the organization was severely damaged.

Can you guess who this is? How could this threat have been prevented?

What kind of Insider Threat profile do these four cases create?

(These results are to be viewed as nothing more than personal opinions.)

| Case                   | Expert Knowledge | Disgruntled Employee | Wanted Power/Prestige | History of Bad Behavior | Needed Money | Had a Plan |
|------------------------|------------------|----------------------|-----------------------|-------------------------|--------------|------------|
| Case 1 (Ancient)       | Yes              | Yes                  | Yes                   | No                      | ?            | Yes        |
| Case 2 (Colonial)      | Yes              | Yes                  | Yes                   | Yes                     | Yes          | Yes        |
| Case 3 (The eighties)  | Yes              | Yes                  | Yes                   | Yes                     | Yes          | Yes        |
| Case 4                 | Yes              | Yes                  | Yes                   | Yes                     | ?            | Yes        |

“Guidelines for Mitigating Insider Threats”

Gartner recommends taking a multifaceted approach to mitigating the Insider Threat. They say combine high-tech, low-tech and “no tech” approaches to provide “defense in depth.”

I support these recommendations. In addition, we should evaluate and implement controls that are appropriate to the enterprise’s technical environment, corporate culture, regulatory environment, risk profile, business needs and other enterprise-specific factors.

No-Tech and Low-Tech Approach

- Institute periodic enterprise-wide risk assessments.
- Institute periodic security awareness training for all employees.
- Enforce separation of duties and least privilege.
- Implement strict password and account management policies and practices.
- Log, monitor, and audit employee online actions.
- Use extra caution with system administrators and privileged users (“Keys to the Kingdom”).
- Actively defend against malicious code.
- Use layered defense against remote attacks.
- Monitor and respond to suspicious or disruptive behavior.
- Deactivate computer access following termination.
- Collect and save data for use in investigations.
- Implement secure backup and recovery processes.
- Clearly document insider threat controls.

No-Tech and Low-Tech Approach Continued

- Perform employee prescreening.
- Implement terms and conditions of employment.
- Promote corporate ethics.
- Treat staff fairly.
- Develop an Appropriate Use of System Administrative Privileges for all System Administrators.

No-Tech and Low-Tech Approach Continued

- Implement logon banners.
- Manage System Administrative accounts more effectively:
  - Minimize the number of shared accounts routinely used.
  - Restrict the use of shared administrative accounts to special circumstances. If shared administrative accounts are still in day-to-day use for normal operations, then do not allow passwords to be shared.
  - Establish processes and controls for managing shared accounts and their passwords, but be aware that manual processes and controls do not scale well and need careful oversight.
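Two of the low-tech controls above (“deactivate computer access following termination” and “do not allow passwords to be shared” on shared administrative accounts) can be checked against ordinary authentication logs. The script below is an added example written for this page, not code from the presentation or from the CHP; the log format, the account names and the HR termination feed are all constructed, and the 15-minute concurrency window is an assumed tuning value. It flags successful logons by an account on or after its termination date, and a shared administrative account that appears from two different hosts within the window, which is what you see when one password is being passed around rather than checked out by one person.

```python
"""Audit-log review for two insider-threat controls: access that survives
termination, and shared administrative accounts whose password is evidently
being shared.  All input below is constructed sample data (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user source_host result" per line.
SAMPLE_AUTH_LOG = """\
2008-11-10T08:02:11 jdoe ws-112 success
2008-11-10T08:05:40 sysadmin ws-201 success
2008-11-10T08:09:03 sysadmin ws-305 success
2008-11-10T09:30:00 asmith ws-118 success
2008-11-12T14:10:22 jdoe ws-112 success
2008-11-13T07:55:09 sysadmin ws-201 success
2008-11-13T17:20:45 sysadmin ws-201 success
"""

# Constructed HR feed: user -> termination date (access should end that day).
TERMINATIONS = {"jdoe": datetime(2008, 11, 11)}

# Accounts treated as "shared administrative accounts"; assumed names.
SHARED_ADMIN_ACCOUNTS = {"sysadmin"}


def parse_auth_log(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def find_post_termination_logons(events, terminations):
    """Control: deactivate computer access following termination.
    Returns (user, timestamp) for every successful logon on or after the
    user's termination date; any hit means deprovisioning did not happen."""
    hits = []
    for e in events:
        end = terminations.get(e["user"])
        if end is not None and e["result"] == "success" and e["ts"] >= end:
            hits.append((e["user"], e["ts"]))
    return hits


def find_shared_account_concurrency(events, shared_accounts,
                                    window=timedelta(minutes=15)):
    """Control: shared administrative account passwords must not be shared.
    Flags a shared account used from two different hosts within `window`,
    which a single person holding the checked-out password would rarely do."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in shared_accounts and e["result"] == "success":
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["host"] != prev["host"] and cur["ts"] - prev["ts"] <= window:
                findings.append((user, prev["host"], cur["host"], cur["ts"]))
    return findings


def review(text=SAMPLE_AUTH_LOG):
    """Run both checks over a log text and return the findings by kind."""
    events = parse_auth_log(text)
    return {
        "post_termination": find_post_termination_logons(events, TERMINATIONS),
        "shared_concurrency": find_shared_account_concurrency(events, SHARED_ADMIN_ACCOUNTS),
    }


if __name__ == "__main__":
    for kind, items in review().items():
        for item in items:
            print(kind, *item)
```

On the sample data the review reports one logon by the terminated account on 2008-11-12 and one case of the shared account appearing from ws-201 and ws-305 three minutes apart. In practice the termination feed comes from HR and the log from the SIEM or domain controllers; the value of the check is that it runs on a schedule rather than depending on someone remembering to look.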

Sample Administrator Policies

(1) Systems Administrators. Systems Administrators have ultimate responsibility for securing the computer systems they administer and maintain. Individuals assigned these responsibilities will ensure commonly accepted security practices detailed in Section 7., Password Management, of this chapter, are followed, and that extra precautions are taken to eliminate vendor issued (default) passwords and hard-coded passwords. Moreover, passwords yielding access to administrator-equivalent accounts shall not be compromised in any way. Additionally, the system administrator will review the system logs ___ for security variances and will verify at least once every ____ that all applicable vendor security patches are current or scheduled to be installed.

(a) Each server that is attached to the network shall include documentation of the baseline configuration. This documentation shall be completed by the respective System Administrator and updated whenever there is an authorized change to the server. The System Administrator is responsible for periodically reviewing (at least ___) the server configuration to ensure that no unauthorized changes have been applied.

(b) Operating system upgrades shall be reviewed by the respective System Administrator for appropriateness and impact. The technology manager, in conjunction with the Department ISO, will approve all upgrades prior to installation. Once approved, the respective System Administrator shall thoroughly test all proposed modifications and develop an installation strategy. The technology manager will verify that sufficient testing has been completed and approve the installation strategy.

The System Administrator will review the system logs daily for security variances and will verify at least once every ______ that all applicable vendor security patches are current or scheduled to be installed. Routine patches shall be tested and distributed on a set ____ schedule. Critical patches (as identified by the Department ISO) shall be tested and distributed as soon as feasible.
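Paragraph (a) of the sample policy asks the System Administrator to document a baseline configuration and periodically review the server against it for unauthorized changes. The following is an added example of how that review can be automated; it is not part of the sample policy or of any CHP tooling. It records a SHA-256 manifest of the files under a directory and reports what was added, removed or changed since the documented baseline. The directory layout, file names and file contents in `demo()` are constructed for illustration.

```python
"""Baseline-configuration review: document a manifest of a server's
configuration files, then compare the live tree against it so unauthorized
changes surface during the periodic review.  Added example; the sample tree
built in demo() is constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root.
    Paths are normalised to '/' so manifests compare across platforms."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_to_baseline(baseline, current):
    """Classify drift relative to the documented baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a constructed server tree, baseline it, apply an unauthorized
    change plus an unexpected new file, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(os.path.join(etc, "ssh"))
        with open(os.path.join(etc, "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")

        # The manifest the System Administrator records as the documented baseline.
        baseline = snapshot(root)

        # Unauthorized drift: a hardening setting is flipped and a stray file appears.
        with open(os.path.join(etc, "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "sudoers.d_extra"), "w") as f:
            f.write("# constructed stray file\n")

        return compare_to_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest should be stored somewhere the administrators being reviewed cannot rewrite it (the sample policy already separates approval of changes from the people who make them), and every entry in the drift report should map to an authorized change record; anything that does not is the “security variance” the policy asks the log review to find.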

Policies, Budget Letters, Management Memos, and Standards

- State Administration Manual, Chapter 5300
- Management Memo 08-11, Safeguarding against and Responding to a Breach of Security Involving Personal Information.
- Federal Information Processing Standards (FIPS)
- ISO/IEC 27002:2005
- HIPAA Security Standards
- North America Electric Reliability Corporation Standards.

Sample Logon Banner Language

This is OUR ORGANIZATION’S computer system. These computer systems are provided for processing official business. All data contained within these computer systems is owned by OUR ORGANIZATION, and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel. Users should have no expectation of privacy as to any communication on or information stored within the system, including information stored locally on the hard drive or other media in use with this unit (e.g., floppy disks, thumb drives, PDAs, and other hand-held peripherals, CD-ROMs, etc.). THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Unauthorized access or use of OUR ORGANIZATION’S local and wide area network, Intranet, and Internet is strictly prohibited and is punishable under Section 502 of the California Penal Code. System personnel may disclose any potential evidence of crime found on OUR ORGANIZATION’S computer systems for any reason.

By clicking on the “Okay” button below, users are acknowledging they are familiar with the policies and procedures outlined in the Security Policy and any related memoranda, and accept responsibility for the safety and integrity of their assigned computer systems.

Sample Appropriate Use of Administrative Privileges Agreement

The California Office of Information Security and Privacy Protection (OISPP) is responsible for establishing the State’s information security policies and activities as well as information security oversight. OISPP issued a new risk management policy in March 2008 establishing the new process for implementation to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis and the initiation and monitoring of appropriate practices in response to that analysis through the agency’s risk management program.

On Month Day, Year, the Agency Director, Mr./Ms. John/Jane Doe, ID ####, requested Mr./Ms. John/Jane Doe, ID ####, the Information Security Officer (ISO), to perform a vulnerability assessment on the Agency’s electronic personal, confidential, and sensitive information.

To mitigate one of the findings of the vulnerability assessment, each System Administrator, Network Administrator, and Database Administrator is reminded of their responsibilities when performing their jobs and must adhere to the following:

- Comply with the requirements spelled out in the Information Security and Network Administration Manual.
- All access granted in performing your duties must be done within the scope of your duties and for legitimate work purposes only.
- Do not, without authorization, destroy, tamper with, modify, delete, or disclose information, allow information access, or allow access to agency files or databases.

An employee who misuses automated information is subject to disciplinary and criminal action punishable under Section 502 of the California Penal Code. The Department will take appropriate action, which may include dismissal and the submission of criminal evidence to the local district attorney.

High-Tech Approach

- Audit for compliance periodically, as determined by risk.
- Audit logging and monitoring.
- Coarse-grained access controls.
- Intrusion prevention systems which are strategically placed at various points inside the perimeter.
- Implement the following:
  - Content Monitoring and Filtering/Data Loss Prevention Solutions
  - Database Activity Monitoring Tools
  - Security Information and Event Management Products
  - Shared-Account/Software-Account Password Management Tools
  - Identity Administration Tools

Data Leak Prevention (DLP) Tools

Content Monitoring and Filtering and DLP Tools

Recommendations

To deal with insider threats, take a multifaceted approach that combines high-tech, low-tech and “no tech” approaches and apply the “defense in depth philosophy.”

Tactical:
- Implement No-Tech and Low-Tech Security Measures
  - Implement pre-employment screening.
  - Enhance the security awareness program.
  - Find out who has the “Keys to the Kingdom.”
  - Update policy and compliance requirements. Enforce policies and procedures.
  - Audit for compliance.
- Implement your current high-tech security tools and identify gaps
  - Audit for compliance.

Strategic:
- Based on the results of the audits, make changes to your policies and procedures and purchase tools to increase the effectiveness and efficiency of the security program.

Questions/Comments

Contact Walter Kendricks
Phone 657-9090, X4212
Email: […]@chp.ca.gov

Computer Security Incident Reporting

The Emergency Notification Tactical Alert Center (ENTAC) is designed to be a statewide notification center for emergency incidents, including natural disaster, civil disturbance, terrorism, the protection of the state infrastructure, and other incidents. ENTAC is available 24 hours a day, seven days a week, to receive reports. They can be reached at (916) 657-8287.

Computer Crimes Investigative Unit (CCIU)

Government Code Section 14613.7(a) requires state agencies to report to the California Highway Patrol (CHP) all crimes on state-owned or state-leased property where state employees are discharging their duties.

The CHP’s CCIU is responsible for investigating any computer crime or information technology security incident involving state-owned or state-leased computers.

References

- Office of Information Security & Privacy Protection, State Administration Manual, Section 5300
- Government Code Section 11549 and Section 14613.7(a)
- Adrian Havill, “The Spy Who Stayed Out in the Cold”
- Historic Valley Forge Historical Society, The Picket Post, various authors, 1947-1961
- “San Francisco hunts for mystery device on city network”, Robert McMillan, IDG News Service, 9/10/08
- Insider Threat Study: Illicit Cyber Activity in the Government Sector, January 2008, CERT, U.S. Secret Service, Carnegie Mellon, Software Engineering Institute
- Ellen Messmer, Network World, 07/16/08
- Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, CERT, U.S. Secret Service, May 2005, Carnegie Mellon, Software Engineering Institute
- Gartner, 28 March 2008, “Best Practices for Managing Shared Superuser and Firecall Accounts,” Ant Allan
- Gartner, 25 July 2008, “Best Practices for Managing ‘Insider’ Security Threats,” Perry Carpenter
- The Forrester Wave: Data Leak Prevention, Q2 2008, For Security & Risk Professionals, Insider Threat Protection Becomes a Must-Have and the Market Consolidates
- Information Security & Privacy Protection, “Hostile Takeover”, Insider Threats, Information Sheet No. 5, July 25, 2008
- Magic Quadrant for Content Monitoring and Filtering and Data Loss Prevention, Gartner RAS Core Research Note G00157450, E. Ouellet, P. Proctor, 17 June 2008, R2775 06182009
- Magic Quadrant for Mobile Data Protection, 2007, John Girard, Ray Wagner, Research Note G00151075, September 10, 2007
- Judas picture from www.encyclopedia.com
- Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks, Dawn M. Cappelli, Andrew P. Moore, CERT Program, Software Engineering Institute, Carnegie Mellon University, 04/09/08, Session Code: DEF-203, RSA Conference 2008