• Security from the Inside
• Michael Tillison
• Senior Vice President
• ManTech International Corp.
The Threat - People
• Company insiders, employees, contractors,
vendors, etc…consitute the greatest risk:
• Risky Internet Behavior
• Unsolicited email attachments
• Divulge proprietary information
• Introduce wireless risks to corp. networks
• Neglect security in their daily activities
• Intentional and unintentional activities that put
sensitive company information at risk.
The Threat - People
• 85% of companies and Govt. Agencies have
experienced breaches ($59 Billion per yr.) (NSI)
• 75% of security breaches are insiders (NCIX)
• 59% of employees leaving a company admit to
taking proprietary information with them (FBI)
• Industry SCRs up 600% since 2009 (DSS)
• 800 insider threat cases-majority of subjects took
the information within the last 30 days of
employment (CERT; Carnegie Mellon)
The Threat - People
• Security attacks increasing with the economic
downturn –
• Data breaches increased 50% in past 2 yrs
(ITRC)
• 2013 – Insiders incidents have overtaken
computer viruses as the most frequent
reported type of security incident.
Employee Behavior doesn’t have to be
Malicious to be dangerous
• Common gateways to hacker attacks,
information theft, viruses and other incidents:
Carelessness with passwords
Opening unexpected email attachments
Ignorance about wireless/mobile devices risk
Naiveté’ towards social engineers contact and
questions
– Laptop loss due to theft or carelessness
– Cavalier attitude towards security policy and
procedures
–
–
–
–
Unintentional Insider Solution –
Education/Awareness Program
• Employee understands the value of company’s
information assets and the consequences if
compromised.
• Security perceived as synonymous with market
capitalization, full employment, revenue growth,
increased profits and market expansion –
• Employees accept responsibility as owners of the
enterprise
• Education/Training raises employee awareness
and provides critical knowledge and skills to
counter the growing threat.
ROI
• Hacker and virus damage short-term and
long-term costs to companies - $1.6 Trillion
• Liability exposure with e-commerce,
partnering and other third-party relationships.
• Reduced liability insurance premiums
• Strong security culture may defend against
disgruntled employee sabotage/Workplace
Violence, etc…
Malicious Insider Threat – “We have met the
enemy and he is us”
•
•
•
•
Bradley Manning
Bryan Underwood
Edward Snowden
Others -----
Government Response
• Executive Order 13587 – Structural Reforms to
improve Security of Classified Networks
• Executive Order 13556 – Controlled Unclassified
Information
• DFARS – Unclassified IT Security
• Insider Threat Task Force – DNI
• Insider Threat Policy/Standards
• NISPOM conforming change requiring Insider
Threat Program
• Contract Requirements
Holistic vs. Cyber Approach
• Cyber (SOC)
– Detects data access and policy infractions
– Reactive or post intrusion forensics
– Difficult to discern between malicious vs. user error or training
issues
– Smaller number of data sources
• Holistic
–
–
–
–
–
Proactive identification of high risk threats before the event.
Facilitates more accurate targeting
Facilitates removing vulnerabilities before exploitation
Enables enhanced awareness training
Able to tailor the tools and program to fit the business model
Insider Threat Program
•
•
•
•
•
•
•
Policy-Program Development
Communications
High Risk Employee List
Enhanced Monitoring
Investigations
Case Escalation
Reporting
Preconditions for Insider Betrayal
• The same conditions apply for other insider
crimes: embezzlement, sabotage and
procurement fraud.
– An opportunity to commit the crime
– A motive or need to be satisfied through the
crime
– An ability to overcome natural inhibitions to
criminal behavior. (moral values, loyalty, fear)
– A trigger that sets the betrayal in motion
Risk Indicators
•
•
•
•
•
•
Personal Indicators
Loyalty Indicators
Technology Indicators
Performance Indicators
Foreign Influence Indicators
Security Indicators
My Major Concern
• The individual who can preserve a calm
outward demeanor while their private life
descends into a pit!
• They never present themselves for help
knowing that their careers would be over.
• Self-interest and talent – smart enough to
prevent incriminating matters from becoming
public. (Usual security checks are not
effective)
The Future
• Better profiling and detection tools
• Promote conditions that reduce the
motivation to engage in insider activity before
there is anything to detect.
• Build mechanisms that create safe exits for
troubled insiders before they engage in
malicious activity.
• Termination procedures that protect the
company.
Corporate Teamwork
•
•
•
•
•
•
•
Security
IS
Human Resources
Compliance
Legal
Risk
Executive Management
• Questions??????