"�A Guide to Mitigating the Insider Threat�"
"A Guide to Mitigating the Insider Threat"
Mr. Walter Kendricks, CISSP
California Highway Patrol Information Security Officer
November 13, 2008

What is an Insider Threat?
Typically described as a disgruntled or unscrupulous employee trying to gain access to information they shouldn't, and sharing it for personal gain, espionage or revenge.
Current or former employees or contractors who intentionally exceeded or misused an authorized level of network, system or data access in a manner that affected the security of the organization's data, systems, or daily business operations (Carnegie Mellon, April 2008).

The Insider Threat
A summer 2006 E-Crime Watch Survey by CERT and the U.S. Secret Service stated the following: of 434 responses to the survey, 55% of organizations were victims of electronic crimes, and ~30% of those were from insiders. (Reference: U.S. Secret Service and CERT/SEI, Insider Threat Study, Illicit Cyber Activity in the Government Sector)

What is the history of Insider Threats?
Espionage and spying are amongst the oldest political and military trades. There are references to spies in ancient Greek history, and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage.

Case 1: Can you guess who this is?
- Position: He was an insider.
- Motive: Money; prestige/power.
- How was the threat implemented? He had a plan (obfuscation, gesture, diversion). He had expert knowledge.
- What was the cost? The cost was significant. The punishment was severe.
Can you guess who? (Picture from www.encyclopedia.com)

Case 2: Can you guess who this is?
- Position: He was an insider.
- Motives: His pride was damaged (disgruntled, revenge). He needed money. He had prior problems with the law.
- How was the threat implemented? He defected with all the knowledge he had gained as an insider and made a plan. He passed a message as a note. He had expert knowledge.
- The cost was significant due to loss of trust. The punishment was severe.
Can you guess who this is? (Picture from HVF, Historical Society, The Picket Post, various authors, 1947-1961)

Case 3: Can you guess who this is?
- Position: He was an insider.
- Motives: He wanted prestige/power. He wanted money.
- How was the threat implemented? He had unlimited access to all past insider attacks and investigations of his organization. There was no due diligence by the organization. He had expert knowledge.
- The cost to the organization and the United States was priceless due to the type of secrets that were released and the number of lives lost. The punishment was severe.
Can you guess who this is? (Picture from Wikipedia, the free encyclopedia)

Case 4: Can you guess who this is?
- Position: Insider.
- Motive: He was a disgruntled employee. He wanted power. He had prior problems with the law.
- How was the threat implemented? He developed a plan. He had unlimited access. He had expert knowledge.
- What was the cost? Significantly high. The reputation of the organization was severely damaged.
Can you guess who this is? How could this threat have been prevented?

What kind of insider threat profile do these four cases create?
(These results are to be viewed as nothing more than personal opinions.)

                        Expert     Disgruntled  Wanted Power/  History of    Needed  Had a
                        Knowledge  Employee     Prestige       Bad Behavior  Money   Plan
Case 1 (Ancient)        Yes        Yes          Yes            No            ?       Yes
Case 2 (Colonial)       Yes        Yes          Yes            Yes           Yes     Yes
Case 3 (The eighties)   Yes        Yes          Yes            Yes           Yes     Yes
Case 4                  Yes        Yes          Yes            Yes           ?       Yes

"Guidelines for Mitigating Insider Threats"
Gartner recommends taking a multifaceted approach to mitigating the insider threat. They say to combine high-tech, low-tech and "no tech" approaches to provide "defense in depth." I support these recommendations. In addition, we should evaluate and implement controls that are appropriate to the enterprise's technical environment, corporate culture, regulatory environment, risk profile, business needs and other enterprise-specific factors.
No-Tech and Low-Tech Approach
- Institute periodic enterprise-wide risk assessments.
- Institute periodic security awareness training for all employees.
- Enforce separation of duties and least privilege.
- Implement strict password and account management policies and practices.
- Log, monitor, and audit employee online actions.
- Use extra caution with system administrators and privileged users ("Keys to the Kingdom").
- Actively defend against malicious code.
- Use layered defense against remote attacks.
- Monitor and respond to suspicious or disruptive behavior.
- Deactivate computer access following termination.
- Collect and save data for use in investigations.
- Implement secure backup and recovery processes.
- Clearly document insider threat controls.

No-Tech and Low-Tech Approach (Continued)
- Perform employee prescreening.
- Implement terms and conditions of employment.
- Promote corporate ethics.
- Treat staff fairly.
- Develop an Appropriate Use of System Administrative Privileges agreement for all System Administrators.

No-Tech and Low-Tech Approach (Continued)
- Implement logon banners.
- Manage System Administrative accounts more effectively:
  - Minimize the number of shared accounts routinely used.
  - Restrict the use of shared administrative accounts to special circumstances.
  - If shared administrative accounts are still in day-to-day use for normal operations, then do not allow passwords to be shared.
  - Establish processes and controls for managing shared accounts and their passwords, but be aware that manual processes and controls do not scale well and need careful oversight.

Sample Administrator Policies (1)
Systems Administrators. Systems Administrators have ultimate responsibility for securing the computer systems they administer and maintain.
Individuals assigned these responsibilities will ensure commonly accepted security practices detailed in Section 7, Password Management, of this chapter are followed, and that extra precautions are taken to eliminate vendor-issued (default) passwords and hard-coded passwords. Moreover, passwords yielding access to administrator-equivalent accounts shall not be compromised in any way. Additionally, the system administrator will review the system logs ___ for security variances and will verify at least once every ____ that all applicable vendor security patches are current or scheduled to be installed.

(a) Each server that is attached to the network shall include documentation of the baseline configuration. This documentation shall be completed by the respective System Administrator and updated whenever there is an authorized change to the server. The System Administrator is responsible for periodically reviewing (at least ___) the server configuration to ensure that no unauthorized changes have been applied.

(b) Operating system upgrades shall be reviewed by the respective System Administrator for appropriateness and impact. The technology manager, in conjunction with the Department ISO, will approve all upgrades prior to installation. Once approved, the respective System Administrator shall thoroughly test all proposed modifications and develop an installation strategy. The technology manager will verify that sufficient testing has been completed and approve the installation strategy. The System Administrator will review the system logs daily for security variances and will verify at least once every ______ that all applicable vendor security patches are current or scheduled to be installed. Routine patches shall be tested and distributed on a set ____ schedule. Critical patches (as identified by the Department ISO) shall be tested and distributed as soon as feasible.
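The shared-account controls (minimize routine use, restrict shared administrative accounts to special circumstances) and the daily log review in the sample policy are easier to enforce when a check sits behind them. The following Python script is an added example and is not part of the presentation or of any CHP policy: it reads a constructed, syslog-style extract of logon records (the one-record-per-line format is assumed here), and for each shared administrative account reports successful logons per day and the set of source hosts it was driven from, flagging accounts that are evidently in day-to-day use. The account inventory SHARED_ADMIN_ACCOUNTS, the log format and the DAILY_USE_THRESHOLD value are assumptions for the example.

```python
"""Report day-to-day use of shared administrative accounts from logon logs.

Added example, not from the presentation. Assumed log format (one record per
line, constructed for this example):
    <ISO timestamp> host=<server> user=<account> src=<origin host> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample extract covering two days; not real data.
SAMPLE_LOG = """\
2008-11-13T08:02:11 host=db01 user=jdoe src=ws-114 result=success
2008-11-13T08:05:40 host=db01 user=sysadmin src=ws-114 result=success
2008-11-13T08:07:02 host=app02 user=sysadmin src=ws-220 result=success
2008-11-13T09:15:55 host=app02 user=asmith src=ws-220 result=success
2008-11-13T11:41:09 host=fw01 user=firecall src=ws-003 result=success
2008-11-13T13:22:30 host=db01 user=sysadmin src=ws-114 result=failure
2008-11-13T14:00:00 host=db01 user=sysadmin src=ws-301 result=success
2008-11-14T07:58:13 host=db01 user=sysadmin src=ws-114 result=success
"""

# Assumed inventory of shared/generic administrative accounts (the "Keys to the Kingdom").
SHARED_ADMIN_ACCOUNTS = {"sysadmin", "firecall"}

# More successful logons than this on a single day is treated as routine use
# rather than the "special circumstances" the policy allows (assumed threshold).
DAILY_USE_THRESHOLD = 2


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    for key in ("host", "user", "src", "result"):
        if key not in rec:
            raise ValueError(f"missing field {key!r} in line {line!r}")
    return rec


def shared_account_report(log_text, shared_accounts=SHARED_ADMIN_ACCOUNTS,
                          threshold=DAILY_USE_THRESHOLD):
    """Return {account: {"logons", "max_daily_logons", "sources", "routine_use"}}
    for every account in shared_accounts (zero counts if it never appears)."""
    per_day = defaultdict(lambda: defaultdict(int))  # account -> date -> successful logons
    sources = defaultdict(set)                        # account -> origin hosts seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only successful logons count here; failures belong to a separate check.
        if rec["result"] != "success" or rec["user"] not in shared_accounts:
            continue
        per_day[rec["user"]][rec["ts"].date()] += 1
        sources[rec["user"]].add(rec["src"])

    report = {}
    for acct in sorted(shared_accounts):
        days = per_day.get(acct, {})
        busiest = max(days.values(), default=0)
        origins = sorted(sources.get(acct, ()))
        report[acct] = {
            "logons": sum(days.values()),
            "max_daily_logons": busiest,
            "sources": origins,
            # Routine use: too many logons in one day, or the same shared account
            # driven from several workstations (several people know the password).
            "routine_use": busiest > threshold or len(origins) > 1,
        }
    return report


if __name__ == "__main__":
    for acct, info in shared_account_report(SAMPLE_LOG).items():
        flag = "ROUTINE USE" if info["routine_use"] else "ok"
        print(f"{acct:10} logons={info['logons']} max/day={info['max_daily_logons']} "
              f"sources={','.join(info['sources']) or '-'}  {flag}")
```

Run against the constructed extract, the script flags sysadmin (three successful logons on one day from three different workstations) and leaves firecall alone (one logon, one source). The per-account source list is what to take into the account review: a shared account driven from many workstations is the sign that its password is being shared, which the slide says should not be allowed.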
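Policy (a) above asks the System Administrator to keep a documented baseline for each server and to periodically verify that no unauthorized changes have been applied. One way to make that review mechanical, as an added example that is not part of the presentation or of the CHP policy: hash every file under the configuration directory, store the digests as the documented baseline, and on each review diff the live tree against it. The directory layout, the baseline file location and the sample configuration contents are constructed for the example.

```python
"""Baseline configuration check for a server: record a SHA-256 digest of every
file under a configuration directory, and on each review report files that were
added, removed or changed since the documented baseline.

Added example, not from the presentation or CHP policy. It assumes the
administrator keeps the baseline as a JSON file alongside the configuration
documentation and re-runs the check on the review schedule the policy sets.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each file under root (path relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def save_baseline(digests, baseline_path):
    """Write the documented baseline (call this only after an authorized change)."""
    with open(baseline_path, "w", encoding="utf-8") as fh:
        json.dump(digests, fh, indent=2, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between the documented baseline and the live server."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed configuration tree, baseline it, apply two changes made
    outside the approved change process, and return what the review detects."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "etc")
        _write(conf, "ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n")
        _write(conf, "sudoers", "%wheel ALL=(ALL) ALL\n")
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot(conf), baseline_file)

        # Unauthorized changes (constructed): a hardening setting reverted, a new job added.
        _write(conf, "ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication no\n")
        _write(conf, "cron.d/nightly", "0 2 * * * root /usr/local/bin/export.sh\n")

        return compare(load_baseline(baseline_file), snapshot(conf))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8}: {', '.join(paths) or '-'}")
```

The baseline file should live where the administrator cannot quietly rewrite it alongside the change (for example with the configuration documentation the policy already requires, under separate write control), otherwise the check only confirms that the last person to touch the server also updated the baseline.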
Policies, Budget Letters, Management Memos, and Standards
- State Administration Manual, Chapter 5300
- Management Memo 08-11, Safeguarding against and Responding to a Breach of Security Involving Personal Information
- Federal Information Processing Standards (FIPS)
- ISO/IEC 27002:2005
- HIPAA Security Standards
- North America Electric Reliability Corporation Standards

Sample Logon Banner Language
This is OUR ORGANIZATION'S computer system. These computer systems are provided for processing official business. All data contained within these computer systems is owned by OUR ORGANIZATION, and may be monitored, intercepted, recorded, read, copied, or captured in any manner and disclosed in any manner, by authorized personnel. Users should have no expectation of privacy as to any communication on or information stored within the system, including information stored locally on the hard drive or other media in use with this unit (e.g., floppy disks, thumb drives, PDAs and other hand-held peripherals, CD-ROMs, etc.). THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. Unauthorized access or use of OUR ORGANIZATION'S local and wide area network, Intranet, and Internet is strictly prohibited and is punishable under Section 502 of the California Penal Code. System personnel may disclose any potential evidence of crime found on OUR ORGANIZATION'S computer systems for any reason. By clicking on the "Okay" button below, users are acknowledging that they are familiar with the policies and procedures outlined in the Security Policy and any related memoranda, and accept responsibility for the safety and integrity of their assigned computer systems.

Sample Appropriate Use of Administrative Privileges Agreement
The California Office of Information Security and Privacy Protection (OISPP) is responsible for establishing the State's information security policies and activities as well as information security oversight.
OISPP issued a new risk management policy in March 2008 establishing the new process for implementation to avoid or reduce risk to acceptable levels. This process includes both the identification and assessment of risk through risk analysis and the initiation and monitoring of appropriate practices in response to that analysis through the agency's risk management program. On Month Day, Year, the Agency Director, Mr./Ms. John/Jane Doe, ID ####, requested Mr./Ms. John/Jane Doe, ID ####, the Information Security Officer (ISO), to perform a vulnerability assessment on the Agency's electronic personal, confidential, and sensitive information. To mitigate one of the findings of the vulnerability assessment, each System Administrator, Network Administrator, and Database Administrator is reminded of their responsibilities when performing their jobs and must adhere to the following:
- Comply with the requirements spelled out in the Information Security and Network Administration Manual.
- All access granted in performing your duties must be used within the scope of your duties and for legitimate work purposes only.
- Do not, without authorization, destroy, tamper with, modify, delete or disclose information, allow access to information, or allow access to agency files or databases.
- An employee who misuses automated information is subject to disciplinary and criminal action punishable under Section 502 of the California Penal Code. The Department will take appropriate action, which may include dismissal and the submission of criminal evidence to the local district attorney.

High-Tech Approach
- Audit for compliance periodically, at a frequency determined by risk.
- Audit logging and monitoring.
- Coarse-grained access controls.
- Intrusion prevention systems strategically placed at various points inside the perimeter.
Implement the following:
- Content Monitoring and Filtering/Data Loss Prevention solutions
- Database Activity Monitoring tools
- Security Information and Event Management products
- Shared-Account/Software-Account Password Management tools
- Identity Administration tools

Data Leak Prevention (DLP) Tools

Content Monitoring and Filtering and DLP Tools

Recommendations
To deal with insider threats, take a multifaceted approach that combines high-tech, low-tech and "no tech" approaches and apply the "defense in depth" philosophy.
Tactical: Implement No-Tech and Low-Tech Security Measures
- Implement pre-employment screening.
- Enhance the security awareness program.
- Find out who has the "Keys to the Kingdom."
- Update policy and compliance requirements.
- Enforce policies and procedures.
- Audit for compliance.
- Implement your current high-tech security tools and identify gaps.
- Audit for compliance.
Strategic: Based on the results of the audits, make changes to your policies and procedures and purchase tools to increase the effectiveness and efficiency of the security program.

Questions/Comments
Contact Walter Kendricks, Phone 657-9090, X4212, firstname.lastname@example.org

Computer Security Incident Reporting
The Emergency Notification Tactical Alert Center (ENTAC) is designed to be a statewide notification center for emergency incidents, including natural disaster, civil disturbance, terrorism, the protection of the state infrastructure, and other incidents. ENTAC is available 24 hours a day, seven days a week, to receive reports. They can be reached at (916) 657-8287.

Computer Crimes Investigative Unit (CCIU)
Government Code Section 14613.7(a) requires state agencies to report to the California Highway Patrol (CHP) all crimes on state-owned or state-leased property where state employees are discharging their duties. The CHP's CCIU is responsible for investigating any computer crime or information technology security incident involving state-owned or state-leased computers.
References
- Office of Information Security & Privacy Protection, State Administration Manual, Section 5300
- Government Code Section 11549 and Section 14613.7(a)
- Adrian Havill, "The Spy Who Stayed Out in the Cold"
- Historic Valley Forge, Historical Society, The Picket Post, various authors, 1947-1961
- "San Francisco hunts for mystery device on city network", Robert McMillan, IDG News Service, 9/10/08
- Insider Threat Study: Illicit Cyber Activity in the Government Sector, January 2008, CERT, U.S. Secret Service, Carnegie Mellon, Software Engineering Institute
- Ellen Messmer, Network World, 07/16/08
- Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, CERT, U.S. Secret Service, May 2005, Carnegie Mellon, Software Engineering Institute
- Gartner, 28 March 2008, "Best Practices for Managing Shared Superuser and Firecall Accounts," Ant Allan
- Gartner, 25 July 2008, "Best Practices for Managing 'Insider' Security Threats," Perry Carpenter
- The Forrester Wave: Data Leak Prevention, Q2 2008, For Security & Risk Professionals: Insider Threat Protection Becomes a Must-Have and the Market Consolidates
- Information Security & Privacy Protection, "Hostile Takeover", Insider Threats, Information Sheet No. 5, July 25, 2008
- Magic Quadrant for Content Monitoring and Filtering and Data Loss Prevention, Gartner RAS Core Research Note G00157450, E. Ouellet, P. Proctor, 17 June 2008, R2775 06182009
- Magic Quadrant for Mobile Data Protection, 2007, John Girard, Ray Wagner, Research Note G00151075, September 10, 2007
- Judas picture from www.encyclopedia.com
- Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks, Dawn M. Cappelli, Andrew P. Moore, CERT Program, Software Engineering Institute, Carnegie Mellon University, 04/09/08, Session Code: DEF-203, RSA Conference 2008