Earlier this month, I was in Washington, D.C., presenting at ISC2’s annual CyberSecureGov Conference, which has become a top-notch federal government cybersecurity event. As I was looking through the agenda after my session, one title grabbed my attention: “Mitigating Insider Threats to our Nation's Critical Infrastructures.”
The presentation, which highlighted new research from The Institute for Critical Infrastructure Technology (ICIT), was groundbreaking in many respects. While the report highlights critical infrastructure sectors, the findings and solutions also apply to state and local governments, and other private-sector companies in numerous ways.
ICIT is a leading cybersecurity think tank that “bridges the gap between the legislative community, federal agencies and critical infrastructure leaders.” They do this with a wide variety of legislative briefs, research reports, events and other materials that offer outstanding insights and action steps. Their extensive list of free legislative briefs and research reports can be found here.
The presenter on insider threats was a respected colleague who I’ve known for several years — Mr. Parham Eftekhari, co-founder and senior fellow at ICIT, who has been working with technology and security leaders in the federal government for more than 15 years.
Describing the insider threat challenges we faced, Mr. Eftekhari said this: “Critical Infrastructure leaders and policy makers are just now beginning to understand the potential for catastrophic digital and cyber-kinetic incidents at the hands of insider threats. As the authors point out, mitigating malicious and non-malicious insiders must be a top priority not only for our government, but for all private-sector organizations. This publication is a powerful asset for any organization looking to build or improve an insider threat mitigation program.”
Insider Threats: A Deep Dive
Starting with definitions, the presentation used a definition by US CERT Common Sense Guide to Mitigating Insider Threats, which states that an insider threat:
- Has or had authorized access to an organization’s network, system or data
- Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity or availability of the organization’s information or information systems

Varieties of insider threats include:
- Careless or Uninformed Users: Undertrained Staff, Accident-Prone Employees, Negligent Workers, Mismanaged Third-Party Contractors, Overwhelmed Personnel
- Malicious Users

While none of these definitions is new or surprising, the real examples shown were much more eye-opening. For example, look at these real screenshots from the deep Web:
Hacker for Hire
Self-Proclaimed Insider Threat
W2 Database For Sale on Alphabay
Disgruntled Employee Solicitation
The primary author of the insider threat paper is James Scott, co-founder and senior fellow at ICIT. The new brief is titled: “In 2017, the insider threat epidemic begins.”
On recommendations, Mr. Scott said, “The best protection against insider threat is a basic level of layered security-by-design endpoint protection paired with a combination of solutions that secure data according to its value, according to the principle of least privilege, and according to role-based access controls, as well as other technical controls, and that monitor personnel and users using bleeding-edge artificial intelligence, big data analytics, and solutions that automate cyberhygiene and ensure verifiable accountability trails.”
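As an added illustration of the controls named in that quote (example code written for this page, not from the ICIT report or the blog): a constructed role-based policy that grants each role only what its duties need, an authorization check that writes every allow/deny decision to a hash-chained audit trail that can be verified later, and a simple activity-monitoring pass over that trail that flags users whose permitted reads exceed a baseline. The roles, users and baseline value are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample policy: each role gets only the (data class, action) pairs
# its duties need (least privilege, role-based access control).
ROLE_PERMISSIONS = {
    "payroll_clerk": {("payroll", "read")},
    "payroll_admin": {("payroll", "read"), ("payroll", "export")},
    "helpdesk": {("directory", "read")},
}
USER_ROLES = {"alice": "payroll_clerk", "bob": "helpdesk", "carol": "payroll_admin"}

@dataclass
class AuditTrail:
    """Append-only decision log: each entry commits to the previous entry's hash,
    so an edited or deleted entry breaks the chain (a verifiable trail)."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({**record, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({**record, "prev": prev, "hash": digest})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def authorize(user: str, data_class: str, action: str, trail: AuditTrail) -> bool:
    """Allow only what the user's role permits, and log every decision."""
    role = USER_ROLES.get(user)
    allowed = (data_class, action) in ROLE_PERMISSIONS.get(role, set())
    trail.append({"user": user, "role": role, "data": data_class,
                  "action": action, "decision": "allow" if allowed else "deny"})
    return allowed

def excessive_readers(trail: AuditTrail, baseline: int = 3) -> list:
    """Activity monitoring over the trail: users whose permitted reads exceed a
    baseline, i.e. insiders within role but pulling far more than their duties need."""
    counts: dict = {}
    for e in trail.entries:
        if e["decision"] == "allow" and e["action"] == "read":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n > baseline)
```

A denied request is still recorded, so a clerk repeatedly attempting exports outside their role shows up in the trail even though nothing was disclosed.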
The solutions offered in the report are vast as well as rather complex. They include nontechnical controls such as:
- Utilize the Information Security Team
- Heed the Information Security Team
- Hire Trusted Personnel
- Cultivate a Culture of Trust
- Effectively Communicate
- Appreciate Personnel
- Train Personnel to Defend the Organization

Policies, procedures and guidelines:
- Principles of Least Privilege
- Limit Access According to Duties
- Segregate Administrative Duties Based on Roles
- Address Cybersecurity in SLAs (service level agreements)
- COTS (commercial-off-the-shelf software)

Technical Controls:
- Data Encryption
- Network Segmentation
- Predictive Artificial Intelligence
- Security Information and Event Management (SIEM)
- User and Entity Behavior Analytics (UEBA)
- Identity and Access Management
- Data Loss Protection (DLP)
- User Activity Monitoring

Other resources include the National Insider Threat Task Force (NITTF):
- Co-chaired by the DNI and the U.S. Attorney General
- Agencies with classified networks are required to establish insider threat detection and prevention programs aligned with NITTF
- NITTF provides assessments, training, assistance and education

Additional Helpful Resources on Insider Threats
This is not the first time, nor will it be the last, that the insider threat topic comes up in the Lohrmann on Cybersecurity & Infrastructure blog. As a reminder, this topic was hot even back in 2010, when I wrote the blog “Are you an insider threat?” for CSO Magazine.
I also wrote my views on Edward Snowden, which haven’t changed much, touching on insider threat topics as well. Yes — some good has come from Snowden, but the ends do not justify the means, in my opinion.
Other good reports and publications on addressing insider threats are available at:
Regardless of your views on individuals such as Edward Snowden or interest in national defense issues surrounding insider threats, we all face similar insider threat challenges in our workplaces. The many reports and presentations offered for free by ICIT are an outstanding set of resources that I highly recommend your teams take time to review.
I also want to give a shout-out to the ICIT Annual Forum (www.icitforum.org) June 7 in D.C.
The insider threat issues within cybersecurity and physical security are increasing worldwide. Small, medium and large-sized organizations need to take immediate action to address this growing challenge. These materials can show you how.