CERT insider threat guide

The fifth edition of the Common Sense Guide to Mitigating Insider Threats was published at the end of 2016 by the CERT Insider Threat Center.  As we've come to expect from CMU/SEI & CERT), it's an impressive, well-written piece of work.

In short, these are the 20 best practices they recommend:

1. Know and protect your critical assets. 
2. Develop a formalized insider threat program. 
3. Clearly document and consistently enforce policies and controls. 
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. 
5. Anticipate and manage negative issues in the work environment. 
6. Consider threats from insiders and business partners in enterprise-wide risk assessments.
7. Be especially vigilant regarding social media.
8. Structure management and tasks to minimize unintentional insider stress and mistakes. 
9. Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. 
10. Implement strict password and account management policies and practices. 
11. Institute stringent access controls and monitoring policies on privileged users. 
12. Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
13. Monitor and control remote access from all end points, including mobile devices.
14. Establish a baseline of normal behavior for both networks and employees.
15. Enforce separation of duties and least privilege.
16. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
17. Institutionalize system change controls.
18. Implement secure backup and recovery processes.
19. Close the doors to unauthorized data exfiltration. 
20. Develop a comprehensive employee termination procedure.

The guide expands substantially on each of those, explaining the challenges, describing case studies and offering quick wins for many of them. Pre-hiring background checks, for instance, aren't mentioned in the list above but feature several times in the guide.

I've picked out practice 9 for special attention, given my interest in security awareness. In the main body, the guide states:

"Without broad understanding and buy-in from the organization, technical or managerial controls will be short lived. Periodic security training that includes malicious and unintentional insider threat awareness supports a stable culture of security in the organization."

Well said! It goes on to note several warning signs:

"Security awareness training should encourage employees to identify malicious insiders not by stereotypical characteristics but by their behavior, including

• threatening the organization or bragging about the damage the insider could do to the organization or coworkers 

• downloading sensitive or proprietary data within 30 days of resignation 

• using the organization’s resources for a side business or discussing starting a competing business with co-workers 

• attempting to gain employees’ passwords or to obtain access through trickery or exploitation of a trusted relationship (often called “social engineering”) 

Awareness training for the unintentional insider threat should encourage employees to identify potential actions or ways of thinking that could lead to an unintentional event, including

• level of risk tolerance—someone willing to take more risks than the norm

• attempts at multi-tasking—individuals who multi-task may be more likely to make mistakes

• large amounts of personal or proprietary information shared on social media

• lack of attention to detail"

I'm intrigued by the concept of 'unintentional' insider threats.

"We define unintentional insider threats as a current or former employee, contractor, or other business partner who:

• has or had authorized access to an organization’s network, system, or data and 

• had no malicious intent associated with his or her action (or inaction) that caused harm or substantially increased the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems."

Seems to me that covers almost everyone since we humans all experience the odd errors and accidents, but I guess it's a matter of degree: most of us catch our typoos etc. in time, without precipitating global meltdowns.

The advice includes "Training programs should create a security culture appropriate for the organization and include all personnel" - OK so far on both points. "The training program should be offered at least once a year" is not so good if it is taken to mean a single annual event or session is sufficient, but I'm relieved that it goes on to mention 'refresher training'.

The recommendations are sound:

"All organizations:

• Develop and implement an enterprise-wide training program that discusses various topics related to insider threat. The training program must have the support of senior management to be effective. Management must be seen participating in the course and must not be exempt  from it, which other employees could see as a lack of support and an unequal enforcement of policies. 

• Train all new employees and contractors in security awareness, including insider threat, before giving them access to any computer system. Make sure to include training for employees who may not need to access computer systems daily, such as janitorial and maintenance staff. These users may require a special training program that covers security scenarios they may encounter, such as social engineering, active shooter, and sensitive documents left out in the open. 

• Train employees continuously. However, training does not always need to be classroom instruction. Posters, newsletters, alert emails, and brown-bag lunch programs are all effective training methods. Your organization should consider implementing one or more of these programs to increase security awareness. 

• Establish an anonymous or confidential mechanism for reporting security incidents. Encourage employees to report security issues and consider incentives to reporting by rewarding those who do.

 Large organizations:

• The information security team can conduct periodic inspections by walking through areas of your organization, including workspaces, and identifying security concerns. Your organization should bring security issues to the employee’s attention in a calm, nonthreatening manner and in private. Employees spotted doing something good for security, like stopping a person without a badge, should be rewarded. Even a certificate or other item of minimal value goes a long way to improving employee morale and increasing security awareness. Where possible, these rewards should be presented before a group of the employee’s peers. This type of program does not have to be administered by the security team but could be delegated to the employee’s peer team members or first-level management."  

The quotes above are just part of the 6 pages on that one practice area, a small fraction of the guide's 175 pages - well worth the trouble to read if your organization has humans on the payroll, or depends on third party personnel for that matter - those nice people who do their level best to keep the lights on whatever the weather, for instance. 

PS  If anyone from CERT reads this blog, please stop referring to awareness and training as if they are the same thing. They aren't. See NIST SP800-50 and SP800-16 ... or ask me!