View
214
Download
0
Embed Size (px)
Citation preview
7/30/2019 Best Practices Against Insider Threats in All Nations
1/23
Best Practices Against Insider Threats in
All Nations
Lori FlynnCarly Huth
Randy Trzeciak
Palma Buttles
August 2013
TECHNICAL NOTECMU/SEI-2013-TN-023
CERT Division
http://www.sei.cmu.edu
http://www.sei.cmu.edu/http://www.sei.cmu.edu/7/30/2019 Best Practices Against Insider Threats in All Nations
2/23
7/30/2019 Best Practices Against Insider Threats in All Nations
3/23
7/30/2019 Best Practices Against Insider Threats in All Nations
4/23
CMU/SEI-2013-TN-023 | ii
7/30/2019 Best Practices Against Insider Threats in All Nations
5/23
7/30/2019 Best Practices Against Insider Threats in All Nations
6/23
7/30/2019 Best Practices Against Insider Threats in All Nations
7/23
7/30/2019 Best Practices Against Insider Threats in All Nations
8/23
7/30/2019 Best Practices Against Insider Threats in All Nations
9/23
7/30/2019 Best Practices Against Insider Threats in All Nations
10/23
7/30/2019 Best Practices Against Insider Threats in All Nations
11/23
7/30/2019 Best Practices Against Insider Threats in All Nations
12/23
7/30/2019 Best Practices Against Insider Threats in All Nations
13/23
7/30/2019 Best Practices Against Insider Threats in All Nations
14/23
CMU/SEI-2013-TN-023|8
Practice 12: Use a log correlation engine or Security Event and Information
Management (SIEM) system to log, monitor, and audit employee actions.
Organizations can make better informed decisions if they correlate events in their ever-increasing
data collection, rather than simply log information. Organizations can use a SIEM system to
understand both baseline and irregular activity and to adjust the granularity of monitoring. The
development and execution of monitoring policies require input and collaboration from teams
across the enterprise, including Legal, Human Resources (HR), and Information Assurance (IA).
For example, CERT research has shown that malicious insiders often attack within 30 days of
their resignation, so HR should notify IA of pending terminations.
International Considerations
How, when, and what an employer can monitor, in the technical and nontechnical realms, may
vary greatly depending on the organizations industry and nation. Culture may greatly influence
an organizations decision on what employee information to capture. Some employees may resent
an intrusion into information they consider private, while others might not consider that data to be
private at all. International laws and regulations may also impact the collection and correlation ofemployee information, as well as organizations decisions based on it. Some nations may govern
what data employers can collect and requirements for employee notification and consent.
However, differences may exist among nations, for example in defining sensitive data [Spring
2012] and in regulating monitoring [ECHR 2007, Wugmeister 2008].
Practice 13: Monitor and control remote access from all end points, inc luding
mobile devices.
The increasing trend toward a mobile workforce has also increased the potential for malicious use
of mobile devices. Their cameras, microphones, mass storage, and communications capabilities
could be used to capture and exfiltrate sensitive information. Organizations must be aware of
potential risks posed by mobile application functionality that insiders could use maliciously. Amulti-layered defense can include prohibiting personally owned devices, limiting remote access to
critical data, limiting the number of privileged users with remote access, and using application
gateways for non-organizational equipment. Organizations should more closely log and audit all
remote transactions and ensure that remote access is disabled during employee termination.
International Considerations
National laws may affect how an organization uses particular mobile features, for example by
recommending that employers adopt geolocation services available on mobile devices when
demonstrably necessary for a legitimate business purpose and the same goals cannot be achieved
with less intrusive means [DPWP 2011]. Cultural norms or laws may also define whatmonitoring is acceptable for devices that can be used for both personal and work matters [USSC
2010]. Nations may set forth specific requirements for collecting information on remote workers,
for example by requiring employers to ensure that the employees personality [sic] and moral
freedom are respected [Italian Data Protection Authority 2003, Section 115]. Such considerations
impact monitoring of system access, especially from mobile devices.
7/30/2019 Best Practices Against Insider Threats in All Nations
15/23
CMU/SEI-2013-TN-023|9
Practice 14: Develop a comprehensive employee termination procedure.
Organizations should develop, communicate, and consistently follow a policy for dealing with
voluntary and involuntary employee terminations. All terminated employee accounts must be
closed, all organization-owned equipment returned, and all co-workers notified of the departure.
Organizations should develop and follow a termination checklist, with an individual assigned to
each task, to ensure that the terminated employees physical and electronic accesses are disabled.
Finally, organizations should consider reviewing the departing employees online actions during
the 30 days prior to termination to identify any suspicious network activity [Hanley 2011].
International Considerations
Standard organizational structures vary between countries, as do the set of departments
responsible for termination tasks. Laws governing monitoring the online actions of terminating
employees and notifying co-workers of the termination vary among jurisdictions. Organizations
must consider legal issues surrounding enforcement of agreements on noncompetition,
nondisclosure, and intellectual property.
Practice 15: Implement secure backup and recovery processes.
Organizations must have a secure, tested backup and recovery process to ensure compliance with
all SLAs. If possible, organizations should implement separation of duties to ensure that a single
privileged IT administrator cannot modify the backup and recovery process to prevent the
organization from recovering. Transaction logs should be protected so that IT administrators
cannot modify logs to obfuscate or delete records of malicious activity. Organizations that rely on
a cloud service provider for their secure backup and recovery process should refer to Practice 9.
International Considerations
The availability, variety, and affordability of technical solutions vary among nations of different
levels of development. Practice 11s considerations apply here.
Practice 16: Develop a formalized insider threat program.
An insider threat program should be enterprise-wide and establish clearly defined roles and
responsibilities for preventing, detecting, and responding to insider incidents. The goal of an
insider threat program is to develop clear criteria for identifying insider threats, a consistent
procedure for implementing technical and nontechnical controls to prevent malicious insider
behavior, and a response plan in the event an insider does harm the organization.
Legal counsel is vital during the information-gathering process to ensure all evidence is gathered
and maintained in accordance with legal standards and to issue a prompt legal response whennecessary. Legal counsel should also ensure that information is shared properly among the insider
threat team members, for instance, to ensure the lawful privacy of employees mental and
physical health information.
International Considerations
There are national differences in the amount and type of employee online activity that can be
logged, monitored, and investigated, as well as the circumstances under which it can be done.
7/30/2019 Best Practices Against Insider Threats in All Nations
16/23
7/30/2019 Best Practices Against Insider Threats in All Nations
17/23
7/30/2019 Best Practices Against Insider Threats in All Nations
18/23
CMU/SEI-2013-TN-023|12
Future Work
Planned work includes expanding on the ideas described broadly in this paper to create a detailed
international and cross-cultural framework for fighting insider threat. Much work must be done to
better understand and characterize different nations cultural, technical, legal, regulatory, and
corruption environments as they affect information security in general and insider threats in
particular. Country-specific sets of cases need to be gathered and empirically analyzed for
significant correlations between countries and indicators of insider threat risks. The CERT
Division has begun collecting international insider threat cases to add to a database originally
composed of only cases from the United States, which will help researchers characterize insider
threats in various countries.
7/30/2019 Best Practices Against Insider Threats in All Nations
19/23
CMU/SEI-2013-TN-023|13
Bibliography
URLs are valid as of the publication date of this document.
[AEPD 1999]
Spanish Data Protection Agency (AEPD).Royal Decree 994/1999, of 11 June, which Approvesthe Regulation on Mandatory Security Measures for the Computer Files which Contain Personal
Data.http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs/reglamento_ingles_pdf.pdf (1999).
[Ben Cohen 2010]
Ben Cohen, Eyal. Navigating the International Background Screening Jungle Safely andLegally.EmployeeScreenIQ University, April 7, 2010.http://www.employeescreen.com/university/navigating-the-international-background-screening-jungle-safely-and-legally/
[Bishop 2008]
Bishop, M. & Gates, C. Defining the Insider Threat, article 15. Proceedings of the 4th AnnualWorkshop on Cyber Security and Information Intelligence Research: Developing Strategies to
Meet the Cyber Security and Information Intelligence Challenges Ahead. Oak Ridge, TN, May2008. ACM, 2008.
[CIA 2013a]Central Intelligence Agency (CIA) of the United States. Legal System, The World Factbook.https://www.cia.gov/library/publications/the-world-factbook/fields/2100.html (2013).
[CIA 2013b]Central Intelligence Agency (CIA) of the United States. Economy Overview, The WorldFactbook. https://www.cia.gov/library/publications/the-world-factbook/fields/2116.html (2013).
[Coll ins 2010]
Collins, P.; Stein, L.; & Trombino, C. Consider the Source: How Weak WhistleblowerProtection Outside the United States Threatens to Reduce the Impact of the Dodd-Frank RewardAmong Foreign Nationals. The Third Annual National Institute on the Foreign CorruptPractices Act, 2010. Perkins Coie LLP, 2010.http://www.perkinscoie.com/files/upload/10_25Article.pdf
[DPWP 2011]
Data Protection Working Party. Opinion 13/2011 on Geolocation Services on Smart MobileDevices, Article 29. http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf(2011).
[ECHR 2007]
European Court of Human Rights (ECHR). Copland v the United Kingdom (ECHR 253). ECHR,2007.
http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfshttp://www.employeescreen.com/university/https://www.cia.gov/library/publications/the-world-factbook/fields/2100.htmlhttps://www.cia.gov/library/publications/the-world-factbook/fields/2116.htmlhttp://www.perkinscoie.com/files/upload/10_25Article.pdfhttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdfhttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdfhttp://www.perkinscoie.com/files/upload/10_25Article.pdfhttps://www.cia.gov/library/publications/the-world-factbook/fields/2116.htmlhttps://www.cia.gov/library/publications/the-world-factbook/fields/2100.htmlhttp://www.employeescreen.com/university/http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs7/30/2019 Best Practices Against Insider Threats in All Nations
20/23
CMU/SEI-2013-TN-023|14
[EEOC 2012]
U.S. Equal Employment Opportunity Commission (EEOC). Consideration of Arrest andConviction Records in Employment Decisions under Title VII of the Civil Rights Act of 1964,
EEOC Enforcement Guidance.http://www.eeoc.gov/laws/guidance/arrest_conviction.cfm (2012).
[FDIC 2012]
Federal Deposit Insurance Corporation (FDIC). Section 4.2 Internal Routine and Controls,Segregation of Duties,Risk Management Manual of Examination Policies. FDIC, 2012.http://www.fdic.gov/regulations/safety/manual/section4-2.html
[FTC 2006]
Federal Trade Commission (FTC). Financial Institutions and Customer Information: Complyingwith the Safeguards Rule. http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule (2006).
[Hall 1959]
Hall, E. T. The Silent Language. Double Day, 1959.
[Hanley 2011]
Hanley, Michael & Montelibano, Joji.Insider Threat Control: Using Centralized Logging toDetect Data Exfiltration Near Insider Termination (CMU/SEI-2011-TN-024). SoftwareEngineering Institute, Carnegie Mellon University, 2011.http://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfm
[Hofstede 1980]
Hofstede, G. Cultures Consequences: International Differences in Work-Related Values. Sage,1980.
[Human Rights Watch, India 2012]Human Rights Watch, India. UN Members Should Act to End Caste Discrimination: More Than260 Million Affected Worldwide. http://www.hrw.org/news/2012/05/14/india-un-members-should-act-end-caste-discrimination (2012).
[Italian Data Protection Author ity 2003]
Italian Data Protection Authority. Personal Data Protection. Legislative Decree No. 196 of 30June 2003. http://www.garanteprivacy.it/documents/10160/2012405/DataProtectionCode-2003.pdf (2003).
[Kaplan 2001]
Kaplan, Elaine. The International Emergence of Legal Protections for Whistleblowers. The
Journal of Public Inquiry (Fall/Winter 2001): 37-42.
[Lerner 2012]
Lerner, Carolyn N.Memorandum for Executive Departments and Agencies. U.S. Office of SpecialCounsel, June 20, 2012.
http://www.eeoc.gov/laws/guidance/arrest_conviction.cfmhttp://www.fdic.gov/regulations/safety/manual/section4-2.htmlhttp://business.ftc.gov/documentshttp://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfmhttp://www.hrw.org/news/2012/05/14http://www.garanteprivacy.it/documents/10160/2012405/http://www.garanteprivacy.it/documents/10160/2012405/http://www.hrw.org/news/2012/05/14http://www.sei.cmu.edu/library/abstracts/reports/11tn024.cfmhttp://business.ftc.gov/documentshttp://www.fdic.gov/regulations/safety/manual/section4-2.htmlhttp://www.eeoc.gov/laws/guidance/arrest_conviction.cfm7/30/2019 Best Practices Against Insider Threats in All Nations
21/23
7/30/2019 Best Practices Against Insider Threats in All Nations
22/23
7/30/2019 Best Practices Against Insider Threats in All Nations
23/23
REPORT DOCUMENTATION PAGE Form ApprovedOMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions,searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send commentsregarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to WashingtonHeadquarters Services, Directorate for information Operations and Reports, 1215 J efferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and tothe Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.
1. AGENCY USE ONLY(Leave Blank)
2. REPORT DATEAugust 2013
3. REPORT TYPE AND DATESCOVERED
Final
4. TITLE AND SUBTITLE
Best Practices Against Insider Threats in All Nations
5. FUNDING NUMBERS
FA8721-05-C-0003
6. AUTHOR(S)
Lori Flynn, Carly Huth, Randy Trzeciak, Palma Buttles
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
8. PERFORMING ORGANIZATIONREPORT NUMBER
CMU/SEI-2013-TN-023
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)
AFLCMC/PZE/Hanscom
Enterprise Acquisition Division
20 Schilling Circle
Building 1305
Hanscom AFB, MA 01731-2116
10. SPONSORING/MONITORINGAGENCY REPORT NUMBER
n/a
11. SUPPLEMENTARY NOTES
12A DISTRIBUTION/AVAILABILITY STATEMENT
Unclassified/Unlimited, DTIC, NTIS
12B DISTRIBUTION CODE
13. ABSTRACT (MAXIMUM 200 WORDS)
Based on its analysis of more than 700 case studies, the CERT Insider Threat Center recommends 19 best practices for preventing,
detecting, and responding to harm from insider threats. This technical note summarizes each practice, explains its importance, and
provides an international policy perspective on the practice. Every nation can use this paper as a succinct educational guide to stopping
insider threats and an exploration of international policy issues related to insider threats.
14. SUBJECT TERMS
insider threat, best practices, international, policies, security, information security, cultures,
education
15. NUMBER OF PAGES
23
16. PRICE CODE
17. SECURITY CLASSIFICATION OFREPORT
Unclassified
18. SECURITY CLASSIFICATIONOF THIS PAGE
Unclassified
19. SECURITY CLASSIFICATIONOF ABSTRACT
Unclassified
20. LIMITATION OFABSTRACT
UL
NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18298-102