Insider Threat Working Group
1. Make sure you have the right personnel on-point to develop the program
2. Make sure your program comprehends the essential design elements
3. Integrate technical and non-technical indicators to identify, prevent, detect, and respond
4. Infuse lessons learned, communicate ROI & performance with formidable metrics
5. Execute the plan – catch bad guys!
1. People can temporarily change their behavior but not their personality traits.
2. Insider Threat personality traits are identifiable and measurable.
3. Early identification and help to those at risk is critical.
4. Review Security Metrics Evaluation Tool (SMET) described in ASIS Foundation Report Persuading Senior Management.
Model Collaboration Component
Model Education Component
Q & A Session
Why Collaborate?
Internal Collaboration
Industry Collaboration
Government Collaboration
Scalable Collaboration Basic-Intermediate-Advance
Conclusion
Required internally to operate the ITP
Required within industry sectors for threat management and developing best practices
Required with government to prosecute criminal acts and to safeguard the nation's critical infrastructure
We rely on each other to work effectively and cooperatively to
produce the best outcomes…
Teamwork and trust are critical to who we are and what we do.
ITP Operations Management & Planning design element defines cross-organization requirements for program management
The following is a non-exclusive list of cross-organizational units that participate in the ITP collaboration:
◦ Senior Management
◦ Legal
◦ Information Technology
◦ Human Resources
◦ Line Management
◦ Security / FSO
◦ Insider Threat Official
◦ Employee Assistance
We are Smarter than Me
Pros:
◦ Stakeholder Buy-in on Insider Threat Program
◦ Mitigate Legal and HR risk
◦ Senior Management Buy-In
◦ Information from Line Managers
◦ Integrated ITP protects employees and company from harm
Cons:
◦ Must coordinate
◦ Slower than individual action by security
◦ Must sell value
◦ Political disputing
◦ Availability of personnel
Industry Peers (Cleared Defense Contractors)
◦ Classified Threat Reporting from supported offices
Customers and Suppliers
Professional Association and Working Groups
◦ ASIS, AIA, NCMS, National Industrial Security Program Policy Advisory Committee (NISPPAC), National Intellectual Property Rights Coordination Center
Trade Groups
Pepsi gets a letter offering Coca-Cola trade secrets and market info
Pepsi went to Coke; Both went to the FBI
Three charged including an assistant to senior Coke executive
Business rivals cooperate to prevent insider threat
How do you want to win?
US Businesses [DOMESTIC]
◦ NCIX reporting
◦ FBI Field Office
US Businesses [INTERNATIONAL]
◦ U.S. Embassy (Commercial Services, Legal Attaché)
◦ AMCHAM
Law Enforcement (Local, State and Federal)
Regulators/Law Makers
Government Contracting Activities and Security Offices
Defense Security Service (Industrial Security Representatives and Counterintelligence Special Agents)
The reporting requirements for industry will not change from Section 3 of the NISPOM:
◦ Reports to FBI
◦ Adverse
◦ Suspicious contacts
◦ Change conditions to cleared employee status
As information is gathered from the Internal Insider Threat Working Group, the FSO will report the information IAW NISPOM, paragraphs 1-300 to 1-302
Government Contracting Activities/Government Customers
Not a Federal Government Contractor
◦ No requirement to report
◦ Is that in your best interest?
◦ Where can you report?
Will other industry regulators (SEC, etc.) establish Insider Threat reporting requirements?
18 U.S.C. §1831 – Economic Espionage
“Economic espionage is:
(1) whoever knowingly performs targeting or acquisition of trade secrets to
(2) knowingly benefit any foreign government, foreign instrumentality or
foreign agent.”
18 U.S.C. § 1832 – Theft of Trade Secrets (Commonly called Industrial Espionage)
“Theft of trade secrets is:
(1) whoever knowingly performs targeting or acquisition of trade secrets or intends to convert a trade secret to,
(2) knowingly benefit anyone other than the owner.”
Element | Title 18 U.S.C., Section 1831 | Title 18 U.S.C., Section 1832
Knowingly targets or acquires | Trade Secrets | Trade Secrets
For the benefit of | Foreign government, instrumentality, or agent | Anyone other than the owner
Max. imprisonment (Individual) | 15 years | 10 years
Max. fine (Individual) | $5,000,000 | $250,000
Max. fine (Organization) | $10 Million or 3X value of Trade Secret | $5 Million
A trade secret can come in many forms, both tangible and intangible, but it must cover these three areas:
◦ Has potential or actual economic value
◦ Not generally known to public
◦ Reasonably protected
Liew was tasked by PRC Government to acquire trade secret for production of commercial chemical compound
Maegerle retired from named chemical products company
Liew contracted with a Chinese partner to provide the production technology to China. Maegerle provided technical plans and engineering know-how
First federal jury conviction under Economic Espionage Act of 1996
Accused of directing China-based hackers to steal specific data files
related to U.S. military aircraft production from named defense company.
Canadian resident, owner of China-based aviation company
C-17 Transport, F-22 and F-35 Fighter aircraft targeted
Collaboration between companies, supported agencies, and FBI
Company trade secrets protected in open court
Arrested by Canadian authorities in collaboration with U.S. Government investigators; awaiting extradition
Basic:
• Insider Threat Focal point as liaison with Internal/External contacts
• Policy established and Risk assessment cycle started
• Procedures for Internal/External Collaboration
• Tracking Productive/Unproductive Collaboration
• Corporate IT system requirements support Insider threat prevention
Intermediate:
• ITP is interactive with Internal/External contacts and uses info to mitigate internal vulnerabilities
• Policy reviewed and updated; Risk assessment cycle improves
• ITP guides Internal/External Collaboration
• Corporate Info Tech system requirements support prevention; all trusted Info Tech (partners, vendors, etc.) have demonstrable ITP capabilities
Advanced:
• ITP is active on external committees/councils promoting best practices and partnerships
• ID gaps in research needed to support prevention
• ITP evolves collaboration objectives and develops metrics to demo ROI
• Corporate Info Tech system supports Insider Threat prevention; signature sharing supported (if warranted)
“Mitigating the risks to U. S. critical infrastructure from the insider threat will
require collaboration between government and industry to develop
comprehensive and scalable insider threat program standards that
incorporate long–term employee monitoring policies including background
checks and re-investigations, employee training and termination of access at
separation.”
-- Executive Summary : National Risk Estimate Risks to U.S. Critical Infrastructure
from Insider Threat, Department of Homeland Security (December 2013)
Who must receive insider threat education, training, and awareness?
◦ Insider Threat Program Personnel
◦ Executive Leadership
◦ Workforce
What must be included in the program?
Where and when should it be taught?
How should this training be conducted?
What resources are available to support this training?
Section 3-103. Insider Threat Training. The designated Senior contractor official will ensure that contractor program personnel assigned insider threat program responsibilities and all other cleared employees are trained.
a. Contractor Insider Threat Program Personnel must be trained in:
(1) Counterintelligence and security fundamentals to include applicable legal issues;
(2) Procedures for conducting insider threat response actions;
(3) Applicable laws and regulations regarding the gathering, integration, retention, safeguarding, and use of records and data, including the consequences of misuse of such information; and
(4) Applicable legal, civil liberties, and privacy policies.
Proposed NISPOM Conforming Change #2 identifies specific Insider Threat training requirements for U.S. defense contractors. The following training syllabus may be required to be implemented during 2015:
Our ITP covers these requirements in all three model types:
Basic – Intermediate – Advanced
b. All cleared employees must be provided insider threat awareness training, either in-person or computer-based, within 30 days of initial employment or prior to being granted access to classified information, and annually thereafter. Training will address current and potential threats in the work and personal environment and will include at a minimum:
(1) The importance of detecting potential insider threats by cleared employees and reporting suspected activity to the insider threat program designee;
(2) Methodologies of adversaries to recruit trusted insiders and collect classified information, in particular within information systems;
(3) Indicators of insider threat behavior, and procedures to report such behavior; and
(4) Counterintelligence and security reporting requirements, as applicable.
c. The contractor will establish a system to validate and maintain a record of all cleared employees who have
completed the insider threat briefings.
Section 3-107. Initial Security Briefings. Prior to being granted access to classified information, an employee shall receive an initial security briefing that includes the following:
a. A threat briefing security briefing, to include insider threat awareness in accordance with 3-103b, Insider
Threat Training.
Currently, no mandates, standards, or benchmarks exist for Insider Threat Programs in the private sector.
Your company may not be impacted by this pending U.S. government security requirement.
But other government agencies may consider implementing similar requirements for industries that fall under their regulatory oversight.
Just because there is no requirement doesn’t eliminate the need for Insider Threat education at your company.
If/When something happens at your company, what will your CEO say?
Security professionals are expected to be proactive, not just reactive.
Insider Threat terminology
Different types of Insider Threats
Case examples of Insider Threats
Available data
Personal and organizational factors which prompt an Insider Threat
Behavioral Indicators
Current organizational policies and controls
Legislative and regulatory requirements on the Insider Threat
Laws and related penalties
Document the training program
Basic:
Mention made during:
◦ New Hire Orientation
◦ Initial Security Briefing
◦ Annual Security Refresher Training
◦ Annual Information Systems Training
Pamphlets given to new employees/workforce
Annual event highlighting IT Awareness
Intermediate:
Modules Developed for Presentation During:
◦ New Hire Orientation
◦ Initial Security Briefing
◦ Annual Security Refresher Training
◦ Annual Information Systems Training
Quiz Questions
Pamphlets given to new employees/workforce
Monthly E-Communication sent to all employees
Quarterly events highlighting IT Awareness
Annual evaluation
Advanced:
Specific, Separate Training Developed for:
◦ New Hires
◦ New Clearance Holders
◦ Individuals with Information Systems Access
Insider Threat Annual Refresher
Scored Quiz Required to Fulfill Training Requirement
Pamphlets given to new employees/workforce
Monthly e-Communication sent to workforce
IT posters changed monthly
Monthly events highlighting IT awareness
Continuous evaluation
Executive Leadership:
◦ Why is an Insider Threat Program necessary?
◦ How can it be implemented?
◦ What will it cost?
◦ What checks and balances are in place?
Insider Threat Program Personnel:
◦ What should be tracked?
◦ How is reporting managed?
◦ What civil liberties need to be protected?
Workforce:
◦ What are we protecting?
◦ What assets are most wanted by others?
◦ How can suspicious activities be reported?
◦ What checks and balances are in place?
The Insider Threat is Real
Identify your company’s “Crown Jewels”: Key assets, products and services.
Give real life examples of Insider Threat and show the consequences.
Provide economic rationale and ROI for implementing Insider Threat Program.
Explain ethical obligations, legal limitations and regulatory requirements.
Outline how your program will be established and operated.
Introduce key members of your Insider Threat Program Team.
Gain specific support commitments from each executive.
Educate the ITP security team on Insider Threat terminology, behaviors, motives, anomalies and
ways to “connect the dots.”
Educate your team on how data collection points indicate Insider Threat:
◦ Human Resources
◦ Legal
◦ Physical Security
◦ IT Security
◦ Information Assurance
◦ Data Owners
◦ Ethics and Compliance
◦ Internal Audit
◦ EAP
Determine what is normal within your organization (both behavioral and on the computer).
Educate the team members on new and developing trends.
Teach team members how to interpret data and generate metrics.
Explain what needs to be protected and why.
Point to policies and procedures already in place.
Explain what suspicious activities look like.
Explain how to report suspicious activities.
Develop a multi-pronged, repetitive approach to education.
Consider your audience when developing materials.
Executive Leadership
ITP Personnel
Workforce
Before formalizing this Insider Threat training program, consider what current company policies, procedures, and resources are already in place.
Procedures for reporting suspicious behavior or employees / trusted partners.
Access Control Systems / Badging Procedures
Annual Security Awareness training
New Hire Orientation
Pamphlets / Posters
ALL employees should be trained on Insider Threat.
Initial Security Briefing
Computer usage policy / wireless device policy / social media policy
Procedures for handling sensitive, proprietary and personally identifiable information (PII) as well as classified information.
Procedures for reporting suspicious activities and security incidents.
Training Venue:
◦ New Hire Orientation
◦ Initial Security Brief (cleared employees)
◦ Annual Refresher Training (cleared employees)
Options:
◦ Pamphlets
◦ Posters
◦ Email reminders
◦ News Articles
◦ Lunch and Learns (brown bags)
◦ Outside speakers from government counterintelligence programs to brief your organization (FBI, IC, DSS, etc.)
Evaluate:
◦ Based on quiz questions, interviews, reports submitted.
Where is the ASIS Insider Threat Information Repository and who can access it?
Access the ASIS site: www.asisonline.org
Sign in
Under “Membership,” select Library (IRC)
What is in the ASIS Insider Threat Information Repository?
Type | Model
Pamphlets | Basic, Intermediate
Posters | Basic, Intermediate
Videos | Basic, Intermediate, Advanced
Virtual Learning | Basic, Intermediate, Advanced
Government Policy & Guidance | Basic, Intermediate, Advanced
Legal Statutes | Basic, Intermediate, Advanced
Newsletters | Basic, Intermediate, Advanced
Research Publications | Intermediate, Advanced
Fee-Based Training | Intermediate, Advanced
Fee-Based Publications | Intermediate, Advanced
Presentations & Briefings | Intermediate, Advanced
Fee-Based Technology | Intermediate, Advanced
When will the repository be completed?
Re-evaluate and conduct self-assessments.
Enable independent assessments for internal audit, senior management, Board of Directors, regulators including government compliance.
Communicate regularly, share information, with industry and government partners.
“Insider Threat experts agree that an insider is a person –
a human being – a heartbeat … Whether an organization has
just ten employees or hundreds of thousands, insider
threat is always a security risk.”
- INSA Cyber Council Report, September 2013
Presentation can be downloaded from ASIS seminar web page.
Insider Threat Information Repository (ITIR) located in ASIS Library will be available for ASIS members to access by November 1, 2014.
ITWG White Paper to ASIS D&IC in January 2015.