
Page 1

The Insider: A Significant Threat Which Should Be Addressed

Sponsored by:

ASIS International Human Threat Management Council

ASIS International Intellectual Property Protection Council

Page 2

Disclaimer

The topics discussed in this presentation do not reflect the official opinions or policies of the U.S. Department of Defense, Department of Justice, the United States Air Force, the Federal Bureau of Investigation or the National Archives and Records Administration!

Page 3

Agenda

• Introduction (Kevin Peterson - Moderator)

• History and Behavioral Indicators of an Insider Threat (Neil Carmichael)

• Threat Vectors (Bruce Wimmer)

• New Government and Law Enforcement Requirements (Charlie Margiotta)

• Trusted Insiders (Neil Carmichael)

• Trusted Partners (Myrah Kirkwood)

• Building an Insider Threat Program (Joe Rector)

• Questions & Answers

Page 4

History and Behavioral Indicators of an Insider Threat

Neil C. Carmichael, Jr., ITPM

Director, Insider Threat Program

National Archives and Records Administration

Page 5

Definition

An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. The insider threat comes in two categories:

Malicious insiders, which are people who take advantage of their access to inflict harm on an organization;

Negligent insiders, which are people who make errors and disregard policies, which place their organizations at risk; and

Page 6

History

• Aldrich Ames (1994), Central Intelligence Agency: US classified information

• Anders Burius (1995 & 2004), National Library of Sweden: Two antique books from the National Library

• Robert Hanssen (2001), Federal Bureau of Investigation: US classified information

• Sergey Aleynikov (2007-2009), Goldman Sachs: Downloaded 32 MB of proprietary computer code that could have cost his employer millions

• David Yan Lee (2009-2010), Valpar: Downloading trade secrets from secure computer system valued at $7 million and $20 million

• Michael Mitchell (2010), DuPont: Stole trade secrets to rival company, $187K

• Shalin Jhaveri (2011), Bristol-Myers Squibb: Stole information to start rival company

• Chelsea Manning (2013), U.S. Army: Unauthorized release of classified documents

• Edward Snowden (2013), Booz Allen Hamilton: Unauthorized release of classified documents

• Unknown Insider (2016), Mossack Fonseca: “Panama Papers”, 11.4 million documents

• Candace Marie Claiborne (2019), Department of State: Concealed foreign contacts

• Jerry Chun Shing Lee (2010-2019), Central Intelligence Agency: Money transferred to account from Hong Kong

• Steffan Needham (2019), Voova IT Consultant: Accessed servers and deleted customers' information, $650K in damage

• Mulazim Hussain (2018), Apotex: Stole intellectual property with plans to set up own business

• Galen Marsh (2015), Morgan Stanley: Stole details of 10% of Morgan Stanley wealth clients

Page 7

Behavioral Indicators

• Access without need or authorization, takes proprietary or other material home via documents, thumb drives, computer disks, or e-mail.

• Inappropriately seeks or obtains proprietary or classified information on subjects not related to their work duties.

• Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors.

• Unnecessarily copies material, especially if it is proprietary or classified. Remotely accesses the computer network while on vacation, sick leave, or at other odd times.

• Disregards company computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.

• Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.

• Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel. Short trips to foreign countries for unexplained or strange reasons.

• Unexplained affluence; buys things that they cannot afford on their household income. Engages in suspicious personal contacts, such as with competitors, business partners or other unauthorized individuals.

• Overwhelmed by life crises or career disappointments.

• Shows unusual interest in the personal lives of coworkers; asks inappropriate questions regarding finances or relationships.

• Concern that they are being investigated; leaves traps to detect searches of their work area or home; searches for listening devices or cameras.

Page 8

Threat Vectors

Bruce Wimmer, CPP

Senior Director of Corporate Risk Services, G4S

Page 9

“Insiders” include:

- Current employees (full-time and part-time)

- Former employees (especially those who just resigned or were terminated)

- Contractors/Vendors (also including repair/maintenance support, shippers, cleaners, security, cafeteria, legal, etc.)

Page 10

Insider Threats include:

- Inadvertent/negligent employees

- Disgruntled/activist employee

- Planted insider

- Employees colluding with outsiders

  • State sponsored

  • Competitors (including new businesses formed by former employees)

  • Criminals

- Malicious employees/selfish ladder climbers

- Non-responsive employees

Page 11

Threat Activities Include:

- Theft of Trade Secrets, Intellectual Property and Research and Development data

- Theft of property of value

- Sabotage

- Embezzlement

- Planting misinformation or misleading information

- Using cyber compromise; theft or

- Eavesdropping/recording

- Copying/printing

- Trash Cover

Page 12

New Requirements for Government and Law Enforcement

Charles Margiotta

Deputy Assistant Director, Security Division

Federal Bureau of Investigation

Page 13

Trusted Insiders

Neil C. Carmichael, Jr., IPTM

Director, Insider Threat Program

National Archives and Records Administration

Page 14

Trusted Insiders

A DEFINITION OF INSIDER THREAT from Digital Guardian

An insider threat is most simply defined as a security threat that originates from within the organization being attacked or targeted, often an employee or officer of an organization or enterprise. An insider threat does not have to be a present employee or stakeholder, but can also be a former employee, board member, or anyone who at one time had access to proprietary or confidential information from within an organization or entity.

Contractors, business associates, and other individuals or third-party entities who have knowledge of an organization’s security practices, confidential information, or access to protected networks or databases also fall under the umbrella of insider threat. An insider threat may also be described as a threat that cannot be prevented by traditional security measures that focus on preventing access to unauthorized networks from outside the organization or defending against traditional hacking methods.

Page 15

Holistic Approach

Employee

Page 16

Holistic Approach

Contractor and Partners

Page 17

Trusted Partners

Myrah Kirkwood, CPP

Area Manager – Asset Protection, AT&T

Page 18

BEST PRACTICES

• Trusted partners (subcontractors/vendors/franchisees) who access company systems, facilities, etc., have a direct impact on the organization’s insider threat program.

Page 19

DEFINE POLICIES

• Trusted Partner agreements must be in place that include language stating that company systems are restricted to authorized users for official company business only and unauthorized access, attempted access, use or modification of any systems will result in revoking access and/or criminal and civil penalties.

Page 20

ACCESS RISK

• Benjamin Lawsky, Superintendent of Financial Services for the State of New York opined that “a company’s cybersecurity is often only as good as the cybersecurity of its vendors.” This saying is true whether it involves cybersecurity, or a disgruntled employee who causes a security incident.

Page 21

AUTHENTICATE USERS

• The best way to protect credentials is to proactively manage and control them. When someone joins a partner organization, an account is created and access is provided. That account and access must then be terminated when that individual leaves the company or changes role.

• To ensure such actions are handled in a timely fashion, automated vendor reporting of staffing changes is advised.
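
Added example (not part of the original presentation): one way to act on automated vendor staffing reports is to reconcile each report against the partner accounts that have been provisioned, terminating access for anyone who has left or changed role. The vendor names, user IDs, roles and feed format below are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    user_id: str
    vendor: str
    role: str            # role the access was approved for
    enabled: bool = True

def reconcile(accounts, vendor_feed):
    """Compare provisioned partner accounts with vendor staffing reports.

    vendor_feed maps vendor -> {user_id: current_role} for active staff.
    Returns sorted (action, user_id, reason) tuples.
    """
    actions = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already terminated, nothing to do
        roster = vendor_feed.get(acct.vendor)
        if roster is None:
            # Missing report: employment cannot be confirmed, so escalate
            # to the business unit that owns the vendor relationship.
            actions.append(("review", acct.user_id, "no staffing report from vendor"))
        elif acct.user_id not in roster:
            actions.append(("disable", acct.user_id, "no longer on vendor roster"))
        elif roster[acct.user_id] != acct.role:
            reason = f"role changed: {acct.role} -> {roster[acct.user_id]}"
            actions.append(("disable", acct.user_id, reason))
    return sorted(actions)

# Constructed sample data (hypothetical vendors and users).
ACCOUNTS = [
    Account("avasquez", "acme-hvac", "field-tech"),
    Account("bchen", "acme-hvac", "field-tech"),
    Account("dpatel", "acme-hvac", "dispatcher"),
    Account("eroy", "northside-cleaning", "janitorial"),
    Account("fking", "acme-hvac", "field-tech", enabled=False),
]
FEED = {"acme-hvac": {"avasquez": "field-tech", "dpatel": "billing"}}

if __name__ == "__main__":
    for action, user, reason in reconcile(ACCOUNTS, FEED):
        print(f"{action:8} {user:10} {reason}")
```

A vendor that sends no report is flagged for review rather than silently skipped, since a missing feed is itself a gap in the control.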

Page 22

ENFORCE PROCEDURES

• Processes/policies that are in place must be enforced by the business units who own the vendor relationships and handle the associated operational processes.

Page 23

MONITOR COMPLIANCE AND INVESTIGATE

• Monitoring compliance of policies and procedures is required in protecting and enhancing a company's brand, reputation and profitability. The specific level and scope of monitoring depend on the company’s risk and exposure considerations. Once a system breach or security incident is discovered or reported, vigorous investigation of the matter is paramount to mitigation.

Page 24

Building an Insider Threat Program

Joseph Rector, CPP, PSP, PCI, CISSP

Deputy Director, 11th Security Forces Group

Page 25

Program Goal:

Prevent, Detect, Respond

Source: The CERT Guide to Insider Threats

Page 26

Essential Elements of an InTP

Source: http://www.insaonline.org/InsiderThreat

Page 27

Key Components of an Insider Threat Program

• Formalized/Defined Program

• Policies and Procedures

• Integration w/ Enterprise Risk Management

• Insider Threat Practices with regards to Trusted Business Partners

• Insider Threat Training and Awareness

• Insider Threat Incident Response Plan

• Insider Threat Communication Plan

• Prevention, Detection and Response Infrastructure

• Data Collection and Analysis Tools, Techniques and Practices

• Program Oversight and Compliance

• Confidential Reporting Tools and Mechanisms

• Organization-wide Participation

Page 28

Resources

• Carnegie Mellon University Software Engineering Institute CERT Resources - https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232

• Center for Development of Security Excellence Insider Threat Toolkit - https://www.cdse.edu/toolkits/insider/index.php

• Defense Human Resources Activity Resources - https://www.dhra.mil/PERSEREC/Products/#InsiderRisk

• Intelligence and National Security Alliance (INSA) - https://www.insaonline.org/?s=insider+threat

Page 29

Resources (Cont)

• National Insider Threat Task Force – https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf

• Federal Bureau of Investigation Resources – https://www.fbi.gov/resources

• National Intellectual Property Rights Coordination Center – https://www.iprcenter.gov/

• United States Secret Service National Threat Assessment Center (NTAC) – https://www.secretservice.gov/protection/ntac/

Page 30

Insider Threat Awareness Month

Page 31

Questions and Answers