Internal Risk Management

Internal Risk Managementa.k.a.

the Insider Threat

MN Government IT Symposium

Wed. May 13, 2009

Session 32

Barry Caplin

Chief Information Security Officer

MN Department of Human Services

In The News

Agenda

• What is it?

• How big an issue?

• What do we do?

What is Internal Risk Management?

• IRM = Management of the “Insider Threat”

• “Insider Threat” = Risk of actions of an Insider

• Malicious Insider = Current or former employees or contractors who:– intentionally exceeded or misused an authorized

level of access to networks, systems or data, and;– affected the security of the organizations’ data,

systems, or daily business operations(CERT/US Secret Service Insider Threat Study)

What is Internal Risk Management?

• Insider’s intentions can be good or evil

• Actions can be intentional or accidental

• Must consider errors and omissions– Accidents

– Not following process

Background

• Not a new issue

• 2007 CSI/FBI Computer Crime Survey - insiders #1 reported problem.– Old issue, awareness is heightening.– Additional monitoring shows what has always

been there.– Some orgs not fully comfortable with the concept.

• 2008 CSI/FBI Computer Crime Survey– Insider threat decreased

Background• 2008 Verizon report (based on Verizon caseload)

– Most breaches external

– Most costly breaches internal(mostly end-users or admin/root)

– Greatest overall risk - Trusted Partners

• 2009 Verizon report– Most = external, most costly = internal

– Greatest overall risk - external sources!

– But…• 39% multiple parties

• Didn’t consider insiders’ “inaction”

Background

• 2009 Ponemon/Symantec study– 950 people who lost/left jobs

– 60% took confidential info (cd/usb/email)

– 82% did not have exit review

– 24% had network access after leaving

• US CERT actively studying this issue

From: Dark Reading http://darkreading.com/insiderthreat

Types of Internal Risks• Fraud: obtaining property or services from the

organization unjustly through deception or trickery. – Sale of data– Modification of data for pay (licenserecords, criminal records, welfare status)– Stealing money (financial institutions,

government, etc…)• Theft of Information: stealing confidential or

proprietary information from the organization.– Theft of: customer information, source code,

data

Types of Internal Risks• IT Sabotage: acting with intention to harm a

specific individual, the organization, or the organization’s data, systems, and/or daily business operations.– Deletion of data, logic bombs, defacement,

extortion (encryption)• Error/Omission: causing damage to assets or

disclosure of information because of an unintentional mistake.– Leaving a system vulnerable (not patching,

config error, etc.)– Improper disclosure (database accessible,

posting to website, etc.)

• If disgruntled => unmet expectations

• Stressors contributed

• Behavioral precursors often observable but ignored

• Majority attacked after termination

• Created/used access paths unknown to management

• Organizations failed to detect technical precursors.

• Lack of proper access controls

http://www.cert.org/insider_threat/

Observations from CERT Insider Threat Study

What do we do?

CERT Good Practices• Risk assessments - insider/partners threats• Document and enforce policies and

controls.• Security awareness training• Monitor and respond to suspicious or

disruptive behavior, beginning with the hiring process.

• Anticipate/manage negative workplace issues.

CERT Good Practices

• Secure the physical environment.

• Password and account management.

• Separation of duties and least privilege.

• SDLC - Consider insider threats

• Consider extra controls for privileged users.

CERT Good Practices

• Change control

• Log, monitor, and audit

• Defense in Depth

• Deactivate access after termination

• Secure backup and recovery

• Incident response plan

According to Schneier

Five basic techniques to deal with trusted people (Schneier):

• Limit the number of trusted people. • Ensure that trusted people are also

trustworthy. • Limit the amount of trust each person has.• Give people overlapping spheres of trust.• Detect breaches of trust after the fact and

issue sanctions.

ShackF00Security areas of focus during layoffs (Dave

Shackleford – ShackF00 blog)• Monitor logs• Watch the back door• Monitor physical access• Institute strict change monitoring of code and

files• Revocation of access to resources• Reclaiming corporate computing assets• Forensics

The DHS Approach

• SMT briefing– Philosophical direction

– Previous focus on external threats

– New area of focus

– Cross-divisional work – Security, Privacy, Audit, Legal, Compliance

– Culture change - May not be popular

Examples• Background studies• Media/device

encryption• Privileged

accounts/Local Admin/activity

• Improved provisioning• Annual recertification

• Security Lifecycle Management

• Training via audio/video

• Improved server control software /logging/NBA

• Improved change management

The DHS Approach

Next Steps

• Examining current environment and resources

• Plan mitigations

• Create recommended project/tools list

• Create implementation plan

Where to Learn More…

• CMU CyLab - http://www.cylab.cmu.edu/

• CERT - http://www.cert.org/insider_threat/

• Data Breach Blog - http://breach.scmagazineblogs.com/

• OSF DataLossdb - http://datalossdb.org/

• Dark Reading - http://darkreading.com/insiderthreat/

Discussion…