Best Practices Against Insider Threats in All Nations

7/30/2019 Best Practices Against Insider Threats in All Nations

1/23

Best Practices Against Insider Threats in

All Nations

Lori FlynnCarly Huth

Randy Trzeciak

Palma Buttles

August 2013

TECHNICAL NOTECMU/SEI-2013-TN-023

CERT Division

http://www.sei.cmu.edu
http://www.sei.cmu.edu/http://www.sei.cmu.edu/


2/23


3/23


4/23

CMU/SEI-2013-TN-023 | ii


5/23


6/23


7/23


8/23


9/23


10/23


11/23


12/23


13/23


14/23

CMU/SEI-2013-TN-023|8

Practice 12: Use a log correlation engine or Security Event and Information

Management (SIEM) system to log, monitor, and audit employee actions.

Organizations can make better informed decisions if they correlate events in their ever-increasing

data collection, rather than simply log information. Organizations can use a SIEM system to

understand both baseline and irregular activity and to adjust the granularity of monitoring. The

development and execution of monitoring policies require input and collaboration from teams

across the enterprise, including Legal, Human Resources (HR), and Information Assurance (IA).

For example, CERT research has shown that malicious insiders often attack within 30 days of

their resignation, so HR should notify IA of pending terminations.

International Considerations

How, when, and what an employer can monitor, in the technical and nontechnical realms, may

vary greatly depending on the organizations industry and nation. Culture may greatly influence

an organizations decision on what employee information to capture. Some employees may resent

an intrusion into information they consider private, while others might not consider that data to be

private at all. International laws and regulations may also impact the collection and correlation ofemployee information, as well as organizations decisions based on it. Some nations may govern

what data employers can collect and requirements for employee notification and consent.

However, differences may exist among nations, for example in defining sensitive data [Spring

2012] and in regulating monitoring [ECHR 2007, Wugmeister 2008].

Practice 13: Monitor and control remote access from all end points, inc luding

mobile devices.

The increasing trend toward a mobile workforce has also increased the potential for malicious use

of mobile devices. Their cameras, microphones, mass storage, and communications capabilities

could be used to capture and exfiltrate sensitive information. Organizations must be aware of

potential risks posed by mobile application functionality that insiders could use maliciously. Amulti-layered defense can include prohibiting personally owned devices, limiting remote access to

critical data, limiting the number of privileged users with remote access, and using application

gateways for non-organizational equipment. Organizations should more closely log and audit all

remote transactions and ensure that remote access is disabled during employee termination.


National laws may affect how an organization uses particular mobile features, for example by

recommending that employers adopt geolocation services available on mobile devices when

demonstrably necessary for a legitimate business purpose and the same goals cannot be achieved

with less intrusive means [DPWP 2011]. Cultural norms or laws may also define whatmonitoring is acceptable for devices that can be used for both personal and work matters [USSC

2010]. Nations may set forth specific requirements for collecting information on remote workers,

for example by requiring employers to ensure that the employees personality [sic] and moral

freedom are respected [Italian Data Protection Authority 2003, Section 115]. Such considerations

impact monitoring of system access, especially from mobile devices.


15/23

CMU/SEI-2013-TN-023|9

Practice 14: Develop a comprehensive employee termination procedure.

Organizations should develop, communicate, and consistently follow a policy for dealing with

voluntary and involuntary employee terminations. All terminated employee accounts must be

closed, all organization-owned equipment returned, and all co-workers notified of the departure.

Organizations should develop and follow a termination checklist, with an individual assigned to

each task, to ensure that the terminated employees physical and electronic accesses are disabled.

Finally, organizations should consider reviewing the departing employees online actions during

the 30 days prior to termination to identify any suspicious network activity [Hanley 2011].


Standard organizational structures vary between countries, as do the set of departments

responsible for termination tasks. Laws governing monitoring the online actions of terminating

employees and notifying co-workers of the termination vary among jurisdictions. Organizations

must consider legal issues surrounding enforcement of agreements on noncompetition,

nondisclosure, and intellectual property.

Practice 15: Implement secure backup and recovery processes.

Organizations must have a secure, tested backup and recovery process to ensure compliance with

all SLAs. If possible, organizations should implement separation of duties to ensure that a single

privileged IT administrator cannot modify the backup and recovery process to prevent the

organization from recovering. Transaction logs should be protected so that IT administrators

cannot modify logs to obfuscate or delete records of malicious activity. Organizations that rely on

a cloud service provider for their secure backup and recovery process should refer to Practice 9.


The availability, variety, and affordability of technical solutions vary among nations of different

levels of development. Practice 11s considerations apply here.

Practice 16: Develop a formalized insider threat program.

An insider threat program should be enterprise-wide and establish clearly defined roles and

responsibilities for preventing, detecting, and responding to insider incidents. The goal of an

insider threat program is to develop clear criteria for identifying insider threats, a consistent

procedure for implementing technical and nontechnical controls to prevent malicious insider

behavior, and a response plan in the event an insider does harm the organization.

Legal counsel is vital during the information-gathering process to ensure all evidence is gathered

and maintained in accordance with legal standards and to issue a prompt legal response whennecessary. Legal counsel should also ensure that information is shared properly among the insider

threat team members, for instance, to ensure the lawful privacy of employees mental and

physical health information.


There are national differences in the amount and type of employee online activity that can be

logged, monitored, and investigated, as well as the circumstances under which it can be done.


16/23


17/23


18/23

CMU/SEI-2013-TN-023|12

Future Work

Planned work includes expanding on the ideas described broadly in this paper to create a detailed

international and cross-cultural framework for fighting insider threat. Much work must be done to

better understand and characterize different nations cultural, technical, legal, regulatory, and

corruption environments as they affect information security in general and insider threats in

particular. Country-specific sets of cases need to be gathered and empirically analyzed for

significant correlations between countries and indicators of insider threat risks. The CERT

Division has begun collecting international insider threat cases to add to a database originally

composed of only cases from the United States, which will help researchers characterize insider

threats in various countries.


19/23

CMU/SEI-2013-TN-023|13

Bibliography

URLs are valid as of the publication date of this document.

[AEPD 1999]

Spanish Data Protection Agency (AEPD).Royal Decree 994/1999, of 11 June, which Approvesthe Regulation on Mandatory Security Measures for the Computer Files which Contain Personal

Data.http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs/reglamento_ingles_pdf.pdf (1999).

[Ben Cohen 2010]

Ben Cohen, Eyal. Navigating the International Background Screening Jungle Safely andLegally.EmployeeScreenIQ University, April 7, 2010.http://www.employeescreen.com/university/navigating-the-international-background-screening-jungle-safely-and-legally/

[Bishop 2008]

Bishop, M. & Gates, C. Defining the Insider Threat, article 15. Proceedings of the 4th AnnualWorkshop on Cyber Security and Information Intelligence Research: Developing Strategies to

Meet the Cyber Security and Information Intelligence Challenges Ahead. Oak Ridge, TN, May2008. ACM, 2008.

[CIA 2013a]Central Intelligence Agency (CIA) of the United States. Legal System, The World Factbook.https://www.cia.gov/library/publications/the-world-factbook/fields/2100.html (2013).

[CIA 2013b]Central Intelligence Agency (CIA) of the United States. Economy Overview, The WorldFactbook. https://www.cia.gov/library/publications/the-world-factbook/fields/2116.html (2013).

[Coll ins 2010]

Collins, P.; Stein, L.; & Trombino, C. Consider the Source: How Weak WhistleblowerProtection Outside the United States Threatens to Reduce the Impact of the Dodd-Frank RewardAmong Foreign Nationals. The Third Annual National Institute on the Foreign CorruptPractices Act, 2010. Perkins Coie LLP, 2010.http://www.perkinscoie.com/files/upload/10_25Article.pdf

[DPWP 2011]

Data Protection Working Party. Opinion 13/2011 on Geolocation Services on Smart MobileDevices, Article 29. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf(2011).

[ECHR 2007]

European Court of Human Rights (ECHR). Copland v the United Kingdom (ECHR 253). ECHR,2007.
http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfshttp://www.employeescreen.com/university/https://www.cia.gov/library/publications/the-world-factbook/fields/2100.htmlhttps://www.cia.gov/library/publications/the-world-factbook/fields/2116.htmlhttp://www.perkinscoie.com/files/upload/10_25Article.pdfhttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdfhttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdfhttp://www.perkinscoie.com/files/upload/10_25Article.pdfhttps://www.cia.gov/library/publications/the-world-factbook/fields/2116.htmlhttps://www.cia.gov/library/publications/the-world-factbook/fields/2100.htmlhttp://www.employeescreen.com/university/http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs


20/23

CMU/SEI-2013-TN-023|14

[EEOC 2012]

U.S. Equal Employment Opportunity Commission (EEOC). Consideration of Arrest andConviction Records in Employment Decisions under Title VII of the Civil Rights Act of 1964,

EEOC Enforcement Guidance.http://www.eeoc.gov/laws/guidance/arrest_conviction.cfm (2012).

[FDIC 2012]

Federal Deposit Insurance Corporation (FDIC). Section 4.2 Internal Routine and Controls,Segregation of Duties,Risk Management Manual of Examination Policies. FDIC, 2012.http://www.fdic.gov/regulations/safety/manual/section4-2.html

[FTC 2006]

Federal Trade Commission (FTC). Financial Institutions and Customer Information: Complyingwith the Safeguards Rule. http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule (2006).

[Hall 1959]

Hall, E. T. The Silent Language. Double Day, 1959.

[Hanley 2011]

Hanley, Michael & Montelibano, Joji.Insider Threat Control: Using Centralized Logging toDetect Data Exfiltration Near Insider Termination (CMU/SEI-2011-TN-024). SoftwareEngineering Institute, Carnegie Mellon University, 2011.http://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfm

[Hofstede 1980]

Hofstede, G. Cultures Consequences: International Differences in Work-Related Values. Sage,1980.

[Human Rights Watch, India 2012]Human Rights Watch, India. UN Members Should Act to End Caste Discrimination: More Than260 Million Affected Worldwide. http://www.hrw.org/news/2012/05/14/india-un-members-should-act-end-caste-discrimination (2012).

[Italian Data Protection Author ity 2003]

Italian Data Protection Authority. Personal Data Protection. Legislative Decree No. 196 of 30June 2003. http://www.garanteprivacy.it/documents/10160/2012405/DataProtectionCode-2003.pdf (2003).

[Kaplan 2001]

Kaplan, Elaine. The International Emergence of Legal Protections for Whistleblowers. The

Journal of Public Inquiry (Fall/Winter 2001): 37-42.

[Lerner 2012]

Lerner, Carolyn N.Memorandum for Executive Departments and Agencies. U.S. Office of SpecialCounsel, June 20, 2012.
http://www.eeoc.gov/laws/guidance/arrest_conviction.cfmhttp://www.fdic.gov/regulations/safety/manual/section4-2.htmlhttp://business.ftc.gov/documentshttp://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfmhttp://www.hrw.org/news/2012/05/14http://www.garanteprivacy.it/documents/10160/2012405/http://www.garanteprivacy.it/documents/10160/2012405/http://www.hrw.org/news/2012/05/14http://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfmhttp://business.ftc.gov/documentshttp://www.fdic.gov/regulations/safety/manual/section4-2.htmlhttp://www.eeoc.gov/laws/guidance/arrest_conviction.cfm


21/23


22/23


23/23

REPORT DOCUMENTATION PAGE Form ApprovedOMB No. 0704-0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions,searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send commentsregarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to WashingtonHeadquarters Services, Directorate for information Operations and Reports, 1215 J efferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and tothe Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.

1. AGENCY USE ONLY(Leave Blank)

2. REPORT DATEAugust 2013

3. REPORT TYPE AND DATESCOVERED

Final

4. TITLE AND SUBTITLE

Best Practices Against Insider Threats in All Nations

5. FUNDING NUMBERS

FA8721-05-C-0003

6. AUTHOR(S)

Lori Flynn, Carly Huth, Randy Trzeciak, Palma Buttles

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213

8. PERFORMING ORGANIZATIONREPORT NUMBER

CMU/SEI-2013-TN-023

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)

AFLCMC/PZE/Hanscom

Enterprise Acquisition Division

20 Schilling Circle

Building 1305

Hanscom AFB, MA 01731-2116

10. SPONSORING/MONITORINGAGENCY REPORT NUMBER

n/a

11. SUPPLEMENTARY NOTES

12A DISTRIBUTION/AVAILABILITY STATEMENT

Unclassified/Unlimited, DTIC, NTIS

12B DISTRIBUTION CODE

13. ABSTRACT (MAXIMUM 200 WORDS)

Based on its analysis of more than 700 case studies, the CERT Insider Threat Center recommends 19 best practices for preventing,

detecting, and responding to harm from insider threats. This technical note summarizes each practice, explains its importance, and

provides an international policy perspective on the practice. Every nation can use this paper as a succinct educational guide to stopping

insider threats and an exploration of international policy issues related to insider threats.

14. SUBJECT TERMS

insider threat, best practices, international, policies, security, information security, cultures,

education

15. NUMBER OF PAGES

23

16. PRICE CODE

17. SECURITY CLASSIFICATION OFREPORT

Unclassified

18. SECURITY CLASSIFICATIONOF THIS PAGE

Unclassified

19. SECURITY CLASSIFICATIONOF ABSTRACT

Unclassified

20. LIMITATION OFABSTRACT

UL

NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18298-102

Documents

Best Practices Against Insider Threats in All Nations