Security Management:
Confronting the Insider Threat
Michael G. Gelles, Psy.D., Deloitte & Touche LLP
March 3, 2008
Setting the Stage:
System Study for Municipal Domestic Water Security
Damage to key components of a domestic municipal water system from
source to distribution resulting from the trusted insider threat. Some
issues to be taken into consideration include:
– How effective are current measures against this threat?
– What are state-of-the-art emerging concepts for improved defenses
against insider threats?
– What level of damage might be inflicted on a system depending on
the level of knowledge of the insider?
– What are the effects of physical sabotage vs electronic sabotage in
terms of severity of damage?
– Provided by L. Vance Taylor
Copyright © 2007 Deloitte Development LLC. All rights reserved.
Objectives
• Examine the nature of the insider threat, including
any employee who has access to sensitive,
classified, or proprietary information.
• Assess how changes in today’s global economy,
evolving technology and changing workforce
impact risks.
• Review potential strategies for managing the threat
and minimizing damage.
Asset Loss Defined
• Asset loss is the end result of actions taken by an employee or insider who has access to sensitive, classified, or proprietary information that, when disclosed, causes damage to an organization's interests.
• The insider threat exists within every organization where an employee perceives some inequity or injustice that leads the employee to consider some action as a solution to their perceived problem.
Asset Loss
• Exploitation of research and technology solutions
• Disruption of supply chains
• Directed sabotage and contamination
• Disclosure of proprietary or classified information
• Complacency toward security policy
• Undermining protection of infrastructure
• Manipulating financial accounts
• National security/national interests
• Information systems infrastructure
• Economic/proprietary interests
Espionage, embezzlement, sabotage
Espionage: The act or practice of spying or of using spies to obtain secret information, as about another government or a business competitor.
Embezzlement: "The fraudulent conversion of property of another by a person in lawful possession of that property." Crimes of this nature generally have involved a relationship of trust and confidence, such as an agent, fiduciary, trustee, treasurer, or attorney.
Sabotage: "The deliberate act of destruction or disruption in which equipment or a product is damaged, to hinder normal operations. Infrastructure such as power stations, or products such as pet food or medication, and IT systems."
Ana Montes
• Synopsis:
–Turned over classified photos,
info on US military games and
DIA assessments of Cuba
–Revealed identity of 4 undercover
agents
• Motivation:
–Moral conviction: A love of Cuba
and a loathing of US policy
toward the “impoverished nation”
–A strong need to help the little guy
Source: Washington Times, September 22, 2006; Frontpagemag.com, "Castro's Top Spy," March 29, 2002
Terrorism
While our greatest national investment has been focused on an attempt to mitigate the never-ending physical vulnerability, some of our greatest vulnerabilities exist with the people who function physically within those allegedly secure facilities.
• The adversary has repeatedly attempted to use "insiders" to access information, material, and/or knowledge of facilities and secure sites
• The greatest threat posed to security and safety may be someone who is already on the "inside", who becomes radicalized
• While considerable efforts have been taken to ensure the physical security of ports of entry, the true vulnerability rests with the people who work at the ports and facilities, and who handle material and cargo that is transferred along a supply chain.
Iyman Farris
• 34-year-old of Kashmiri descent, came to US in 1994, citizenship 1999, lived in Columbus, OH
• Made pilgrimage to Mecca in 2000, then traveled to Afghanistan and trained in AQ camps via TJ
• Tasked by KSM to target the US infrastructure. Assessed the feasibility of bringing down the Brooklyn Bridge by slashing its suspension cables. Sent an email to KSM prior to March, 2003: "The weather is too hot." (target too hard)
• "Drove fuel trucks to airports"
• Pleaded guilty to 2 counts of providing material support to terrorists
Source: CNN, "Ohio Trucker Joined Al Qaeda Jihad," June 19, 2003
Process
Insider Threat + Assets = Asset Loss
Insider Threat:
• access to sensitive, classified or proprietary information that, if improperly disclosed, could cause damage
• employee perceives some inequity or injustice
• leads the employee to consider some action against the organization as a solution to their perceived problem
• sees themselves as above the rules
Assets:
• assets include people, material, and information
• assets are the core components of the organization and if not properly managed can impact the agency's success and future.
Asset Loss:
The end result of a pattern of discernible behavior exhibited by an employee or close associate of an organization or corporation that results in eventual asset loss.
An organization's greatest strength and vulnerability are its people.
How does asset loss happen?
• Individual disclosures
• Public disclosures
• Violence as a solution to problem
• Contamination
• Extortion
• Facilitation of others through complacency
• Public demonstration
• Media leaks
Underlying Themes
• Process of idea to action
• Discernible patterns of behavior
• Personality Styles
• Crisis is a trigger
• Cumulative problems, conflicts and disputes
• Actions are deemed to be a solution
Consequences
• The results of insider exploitation can have a deleterious
and destructive effect on
– the organization, corporation
– general public
– free trade, commerce
– national security
– public confidence and safety
• The loss of critical assets can result not just in loss of
revenue, but also
– loss of confidence
– loss of security
– in some instances loss of life.
Mitigating the Threat
• Recognize Vulnerabilities
• Identify a pattern of risk
• Interrupt Forward Motion
• Disrupt potential loss
• Manage the context: technology, facilities,
personnel
Context may have changed, behavior has not
• Criminal intent versus complacency
• "Bits and bytes vs. bricks and mortar"
• Recruitment and exploitation online: web page, chat
rooms
• Changing work force: Gen Y and networked lifestyle
• Scientific ‘romance’
• Career mobility and resiliency
• Dual identity and dual loyalty
Catalysts
• Entitled and undervalued in the organization
• "Connectedness" and validation in cyberspace: anonymous, and subject to internal versus external constraints
• A world built on immediate access
• Minimal commitments to employers; greater
commitment to self and career
• Distance no obstacle
Cyber Security
• Viruses, worms, trojans
• Hacking/Cracking
• Brute force attacks
• Identity theft
• Denial of service attacks
• Cons/Fraud
• Disgruntled employees
• Disruption of infrastructure
• Openness of university systems
• University networks as conduits
The Maroochy Water Services Case
• One of the most celebrated SCADA (supervisory control and data acquisition) system breaches occurred at Maroochy Water Services on Queensland's Sunshine Coast in Australia [6, 13]. In March 2000, Maroochy Shire Council experienced problems with its new wastewater system. Communications sent by radio links to wastewater pumping stations were being lost, pumps were not working properly, and alarms put in place to alert staff to faults were not going off.
• It was initially thought there were teething problems with the new system.
• Some time later, an engineer who was monitoring every signal passing through the system discovered that someone was hacking into the system and deliberately causing the problems. In time, the perpetrator, Vitek Boden, a former contractor, was arrested and eventually jailed.
The Maroochy Water Services Case
• Mr. Boden used a laptop computer and a radio transmitter to take control of 150 sewage pumping stations. Over a three-month period, he released one million liters of untreated sewage into a storm water drain, from where it flowed to local waterways.
• The attack was motivated by revenge on the part of Mr. Boden after he failed to secure a job with the Maroochy Shire Council.
• The Maroochy Water Services case has been cited around the world as an example of the damage that could occur if SCADA systems are not secured.
• This SCADA security incident also has to be viewed in the context of Australian
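The slides credit the discovery to an engineer who watched every signal on the radio link and noticed commands the control room had never issued. The following is an added example of that style of detection, written for this page; it is not code from the Maroochy investigation, the council, or the slide author. It assumes a made-up frame format, that the master station keeps a log of every frame it transmits, that an independent receiver captures everything heard on the air, and that field stations (addresses 10-13, master at address 1) cannot authenticate a sender, so a frame claiming to come from the master has to be checked against what the master actually logged rather than trusted. All log lines are constructed for the example.

```python
"""Added example: flag SCADA radio-link traffic the master station never sent.

Assumptions invented for this example (none come from the slides):
  - MASTER_TX_LOG  : every frame the control-room master transmitted
  - ON_AIR_CAPTURE : every frame an independent receiver heard
  - frame format   : "<time> src=<addr> dst=<addr> cmd=<CMD> [key=value ...]"
  - address 1 is the master; 10-13 are the field pumping stations
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

MASTER_ADDR = 1                      # assumed control-room radio address
KNOWN_STATIONS = {10, 11, 12, 13}    # assumed field pumping-station addresses

LINE_RE = re.compile(
    r"^(?P<t>\S+) src=(?P<src>\d+) dst=(?P<dst>\d+) cmd=(?P<cmd>\w+)(?P<kv>.*)$"
)

# Constructed sample data: the master's own transmit log ...
MASTER_TX_LOG = """\
09:00:01 src=1 dst=10 cmd=POLL
09:00:05 src=1 dst=11 cmd=POLL
09:03:40 src=1 dst=11 cmd=SET pump=OFF
"""

# ... and what an independent receiver heard in the same period.  The frames
# at 09:03:41-09:03:43 were not sent by the master.
ON_AIR_CAPTURE = """\
09:00:01 src=1 dst=10 cmd=POLL
09:00:02 src=10 dst=1 cmd=STATUS pump=ON alarm=CLEAR
09:00:05 src=1 dst=11 cmd=POLL
09:00:06 src=11 dst=1 cmd=STATUS pump=ON alarm=CLEAR
09:03:40 src=1 dst=11 cmd=SET pump=OFF
09:03:41 src=1 dst=12 cmd=SET alarm=DISABLE
09:03:42 src=1 dst=12 cmd=SET pump=OFF
09:03:43 src=14 dst=13 cmd=SET pump=OFF
09:05:00 src=12 dst=1 cmd=STATUS pump=OFF alarm=DISABLED
"""


@dataclass(frozen=True)
class Frame:
    t: str
    src: int
    dst: int
    cmd: str
    params: tuple[tuple[str, ...], ...]   # sorted (key, value) pairs


def parse(log: str) -> list[Frame]:
    """Parse the assumed line format; refuse anything that does not match."""
    frames = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable frame: {line!r}")
        params = tuple(sorted(tuple(p.split("=", 1)) for p in m["kv"].split()))
        frames.append(Frame(m["t"], int(m["src"]), int(m["dst"]), m["cmd"], params))
    return frames


def identity(f: Frame) -> tuple:
    # The two logs timestamp independently, so frames are matched on content only.
    return (f.src, f.dst, f.cmd, f.params)


def find_rogue_traffic(on_air: str, master_tx: str) -> list[tuple[str, Frame]]:
    """Return (reason, frame) for every on-air frame that should not be there."""
    unmatched_master = Counter(identity(f) for f in parse(master_tx))
    findings: list[tuple[str, Frame]] = []
    for f in parse(on_air):
        if f.src == MASTER_ADDR:
            # A frame claiming to be from the master must match one the master logged.
            if unmatched_master[identity(f)] > 0:
                unmatched_master[identity(f)] -= 1
            else:
                findings.append(("spoofed-master", f))
        elif f.src not in KNOWN_STATIONS:
            findings.append(("unknown-source", f))
        # Disabling alarms hides every other symptom, so it is always surfaced.
        if f.cmd == "SET" and ("alarm", "DISABLE") in f.params:
            findings.append(("alarm-suppressed", f))
    return findings


if __name__ == "__main__":
    for reason, frame in find_rogue_traffic(ON_AIR_CAPTURE, MASTER_TX_LOG):
        print(f"{frame.t} {reason:16} src={frame.src} dst={frame.dst} "
              f"{frame.cmd} {frame.params}")
```

On the constructed capture this reports two frames that spoof the master's address, one alarm-suppression command, and one frame from an address that is not part of the deployment; the legitimate 09:03:40 pump-off command is matched against the master's log and not flagged. The correlation is only as good as the master's transmit log, so that log has to be written by the master itself and kept where a field-side attacker cannot alter it.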
Characteristics of the employee at risk
• Not impulsive
• No single motive
• History of managing crises ineffectively
• Pattern of frustration, disappointment, and a sense of inadequacy
• Seeks validation
• Aggrandized view of their abilities and achievements
• Strong sense of entitlement
• Views self above the rules
• Actions seek immediate gratification, validation and satisfaction.
• If needs not met:
– Rebellious
– Passive aggressive
– Destructive
– Complacent
– Self-perceived value exceeds performance
– Intolerance of criticism
– Inability to assume responsibility for their actions
– Blaming of others
– Minimizing their mistakes or faults
Exploitation of employees or associates
• Persons with access can also be exploited by
others whether they are witting or unwitting
based on a belief that they are being
–polite
–helpful
–responsive
–interested
–validated
–manipulated due to unmet needs
–complacent and passive aggressive
Risk triangle: “The Perfect Storm”
• Personality Factors
• A Life Crisis
• Access
Brian Patrick Regan
USAF Analyst / TRW Contractor at NRO
Synopsis:
• Buried 20,000+ pgs of TS/SCI materials. Letter to Hussein offering locations and orbits of spy satellites & reports on Iran for $13 mil. Similar letter drafted for Libya.
Tradecraft: Addresses for the European diplomatic offices of Iraq, Iran, & Libya in his shoe when boarding flight to Switzerland. Classified docs, encrypted notes and a GPS device were in his bag. A salt shaker and a toothbrush holder were buried in which he kept his own secret codes that recorded the 19 locations in MD & VA State parks where he buried docs, CDs, & videos.
Brian Patrick Regan
Motivation:
• $100,000 in debt
• The need to sustain an
image of being
responsible and
competent
• Feared humiliation
At-Risk Personality Predisposition
• Grandiose/self serving
• High achievement
• Entitled
• Limited attachments
• Some degree of past learning/future ideals
• Manipulative/rules to self-serve
Challenges of Competing identities
• Benefits to the US and a Global Economy
– Valued talent and skill
– Born in a foreign country
– Immigrated to the US
– Educated in the US from Abroad
– Support technological growth and superiority
• Vulnerabilities
– Degree of assimilation
– Influence of living in migrant communities
– Dual identity
• Risk
– Dual loyalty
Robert Chaegon Kim
Civilian Computer Expert, Naval Intelligence
Synopsis: Passed classified info on N. & S. Korea, China and a computerized maritime tracking system to a S. Korean Navy Captain attached to the ROK Embassy in DC.
Tradecraft: Removed all classification markings from documents on military and intelligence subjects and printed them in his office.
Robert Chaegon Kim
Motivation:
• “For the love of my two
countries”
• Ties with country of birth,
family ties, reconciliation;
received no money
• Committed with his
brother-in-law
Gen Y : The Future is Here
• Most diverse and educated
• "Digital natives" who are information fluent.
• Connected 24/7
• Expect speed and change
• Energetic, positive, innovative and creative.
• Value teamwork and collaborative efforts.
• Need "Space" to explore
• Loyalty must go both ways
• "They work to live"
A lower risk profile?
Just as there are many negative factors identified with potential security
risk, there are mediating factors that balance some risk indicators.
• Most useful factors include
– Evidence of long-term commitments or relationships
– Capacity for loyalty
– Social consciousness
• Individuals who
– Work well with others
– Display genuine warmth and compassion toward others
– Lack a sense of entitlement
– Respond well to criticism without becoming defensive
– Characterized as good-natured
– Can clearly and appropriately express frustration and anger
Management: an effective defense
• Remain attentive to the evolving threat
• Assemble a multidisciplinary team
• Create a reporting mechanism that facilitates the flow of
information to security managers; Workforce as an active
security monitor
• Be sensitive to employees in crisis
• Human Resources must partner with security
• Identify "at-risk behavior" prior to hiring
• Personnel and physical security become the primary
mechanism for prevention, detection and early intervention.
• Security awareness and training
• Early intervention can minimize asset loss
Integrated Approach to Mitigating Asset Loss
Mitigating asset loss (diagram) draws on four elements:
• Risk Management
• Information Sharing and Management
• People Management
• Physical/IT Security
Risk avoidance vs. risk management
Risk Avoidance
• Strict criteria for eligibility
• Limited tolerance for indiscretion or deviant behavior
• Little concern for potential acting out or retaliatory actions
Risk Management
• Discernible personality factors and behavior
• Realistic assessment of vulnerabilities
• Acknowledgment of external threat
• Recognition of mission essential demands
• Cost-benefit risk assessment
• Available monitors and control
• Selected recruitment and selection
• Plan of action
• Emergency contingency
Risk Management Model
• Conceptualize the risk/threat
• Recognize the personnel vulnerabilities
• Security vulnerabilities
• Evaluate mission essential factors
• Anticipate asset loss
Personnel Security Risk Model (diagram): RISK is assessed from Vulnerability, Threat, Context, Asset Loss, Consequence and Recovery.
Information Management Framework
The three categories are offered as a way to organize information obtained in a personnel risk assessment. Organizing information into these three categories assists in developing a management plan.
Risk Assessment Model
Category 1: No Evidence of Risk to Assets
No evidence to suggest the presence of any vulnerability factors within the individuals involved.
Category 2: Minimal to Moderate Risk to Assets/Manageable
There is evidence to suggest that a potential risk to security exists. The information/assets that the individual has access to could possibly be compromised in a witting or unwitting manner.
Category 3: Significant Risk to Assets/Not Manageable
There is evidence to suggest a significant and potentially unmanageable risk is present, based on the identified vulnerabilities, threat, mission, asset and consequence.
Source: Mike Gelles, Psy.D., © 2007
A human resource approach to a secure work environment in a global economy
Old: Acquire and Retain: "Seek" talent, give them access and keep them in their seats.
New: Recruit, Position and Manage: "Engage" talent by focusing on competencies that reflect a risk-managed workforce meeting business objectives.
• Recruit Necessary Skills: Identify competencies and develop capabilities for a secure and productive workforce that achieves business goals
• Position Talent: Creating experiences to perform to the full extent of abilities while managing the vulnerabilities and threats
• Manage a Secure Workforce: Cultivating networks of high-quality relationships within a secure work environment
Competencies for a secure workforce
Core Competencies of a Secure Workforce (diagram):
• Mission Awareness (mission and strategy awareness)
• External Vision
• Teamwork and partnership
• Internal and external communicator
• Integrity
• Organizational thinking
• Maturity and judgment
• Accountability
Addressing potential asset loss
Manage The Vulnerability
• People-to-People: Cultivating high-performance networks of high-quality relationships that are security minded
• People-to-Purpose: Building and sustaining a sense of personal and organizational mission
• People-to-Resources: Managing access, knowledge, technology, tools, capital, and time to achieve professional and business goals
Identify "Value Events" in Security Programming
• Identify and Prioritize Value Events: What are the important interaction points between organizations?
• Analyze and Design Events: What is the desired behaviour within value events?
• Pilot and Execute Events: How can the desired behaviour be initiated and kept in place?
• Monitor and Manage Effectiveness: How can performance be assessed and maintained?
Applied across:
• Traditional Physical Security Program
• Evolving IT Security Practices
• Security Awareness Communications Strategy
• Workforce Reporting Mechanism
• Multidisciplinary Risk Management Approach
The Bottom Line
• Understand the process
• Risk assessment and management
model
• Preemptive strategies
• Methods for monitoring
• Interventions to interrupt forward motion
A member firm of
Deloitte Touche Tohmatsu