The presentation, which highlighted new research from The Institute for Critical Infrastructure Technology (ICIT), was groundbreaking in many respects. While the report focuses on critical infrastructure sectors, its findings and solutions also apply in many ways to state and local governments and to private-sector companies.
ICIT is a leading cybersecurity think tank that “bridges the gap between the legislative community, federal agencies and critical infrastructure leaders.” They do this with a wide variety of legislative briefs, research reports, events and other materials that offer outstanding insights and action steps. Their extensive list of free legislative briefs and research reports can be found here.
The presenter on insider threats was a respected colleague who I’ve known for several years — Mr. Parham Eftekhari, co-founder and senior fellow at ICIT, who has been working with technology and security leaders in the federal government for more than 15 years.
Describing the insider threat challenges we faced, Mr. Eftekhari said this: “Critical Infrastructure leaders and policy makers are just now beginning to understand the potential for catastrophic digital and cyber-kinetic incidents at the hands of insider threats. As the authors point out, mitigating malicious and non-malicious insiders must be a top priority not only for our government, but for all private-sector organizations. This publication is a powerful asset for any organization looking to build or improve an insider threat mitigation program.”
Insider Threats: A Deep Dive
Starting with definitions, the presentation used the definition from the US-CERT Common Sense Guide to Mitigating Insider Threats, which describes an insider threat as someone who:
- Has or had authorized access to an organization’s network, system or data
- Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity or availability of the organization’s information or information systems
The presentation then broke insider threats down into the following categories:
- Careless or Uninformed Users
- Undertrained Staff
- Accident-Prone Employees
- Negligent Workers
- Mismanaged Third-Party Contractors
- Overwhelmed Personnel
- Malicious Users
[Figures shown in the presentation: Hacker for Hire; Self-Proclaimed Insider Threat; W2 Database For Sale on Alphabay; Disgruntled Employee Solicitation]
The primary author of the insider threat paper is James Scott, co-founder and senior fellow at ICIT. The new brief is titled: “In 2017, the insider threat epidemic begins.”
On recommendations, Mr. Scott said, “The best protection against insider threat is a basic level of layered security-by-design endpoint protection paired with a combination of solutions that secure data according to its value, according to the principle of least privilege, and according to role-based access controls, as well as other technical controls, and that monitor personnel and users using bleeding-edge artificial intelligence, big data analytics, and solutions that automate cyberhygiene and ensure verifiable accountability trails.”
The solutions offered in the report are extensive as well as rather complex. They include nontechnical controls such as:
- Utilize the Information Security Team
- Heed the Information Security Team
- Hire Trusted Personnel
- Cultivate a Culture of Trust
- Effectively Communicate
- Appreciate Personnel
- Train Personnel to Defend the Organization
The technical and access controls listed include:
- Principle of Least Privilege
- Limit Access According to Duties
- Segregate Administrative Duties Based on Roles
- Address Cybersecurity in SLAs (service level agreements)
- COTS (commercial-off-the-shelf software)
- Data Encryption
- Network Segmentation
- Predictive Artificial Intelligence
- Security Information and Event Management (SIEM)
- User and Entity Behavior Analytics (UEBA)
- Identity and Access Management
- Data Loss Protection (DLP)
- User Activity Monitoring
The National Insider Threat Task Force (NITTF), as summarized in the materials:
- Co-Chaired: DNI and U.S. Attorney General
- Agencies with Classified Networks are Required to Establish Insider Threat Detection and Prevention Programs Aligned with NITTF
- NITTF Provides Assessments, Training, Assistance, Education
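As an added example (not code from the ICIT report or from this blog), the following Python audit applies two of the controls listed above, limiting access according to role and monitoring user activity against a per-user behavioral baseline, to a handful of constructed access events. The roles, users, data classes and event counts are all hypothetical.

```python
"""Added example: role-based access audit plus a simple volume baseline,
the kind of check a UEBA or user activity monitoring tool automates."""
from collections import defaultdict
from statistics import median

# Hypothetical RBAC policy: role -> data classes that role may read.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"w2", "timesheets"},
    "contractor_dev": {"source"},
    "helpdesk": {"tickets"},
}
# Constructed user directory: user -> role.
USER_ROLES = {"alice": "payroll_clerk", "bob": "contractor_dev", "carol": "helpdesk"}

# Constructed access events: (user, data_class, records_read).
EVENTS = [
    ("alice", "w2", 12), ("alice", "timesheets", 4),
    ("bob", "source", 40), ("bob", "w2", 1),       # contractor reading W-2 data
    ("carol", "tickets", 9), ("carol", "tickets", 3),
    ("alice", "w2", 3000),                          # bulk read far above her norm
]


def out_of_role(events, user_roles=USER_ROLES, policy=ROLE_PERMISSIONS):
    """Events touching a data class the user's role is not permitted to read."""
    return [e for e in events
            if e[1] not in policy.get(user_roles.get(e[0]), set())]


def per_user_baseline(events):
    """Median records per event for each user (median resists one outlier)."""
    by_user = defaultdict(list)
    for user, _, count in events:
        by_user[user].append(count)
    return {user: median(counts) for user, counts in by_user.items()}


def volume_anomalies(events, factor=10):
    """Events whose record count exceeds factor x that user's baseline."""
    base = per_user_baseline(events)
    return [e for e in events if e[2] > factor * base[e[0]]]


def audit(events):
    """Accountability trail: one (user, finding, event) row per flagged access."""
    trail = [(e[0], "outside role", e) for e in out_of_role(events)]
    trail += [(e[0], "volume anomaly", e) for e in volume_anomalies(events)]
    return trail


if __name__ == "__main__":
    for row in audit(EVENTS):
        print(row)
```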
This is not the first time, nor will it be the last, that the insider threat topic is brought up on the Lohrmann on Cybersecurity & Infrastructure blog. As a reminder, this topic was already hot back in 2010 when I wrote the blog “Are you an insider threat?” for CSO Magazine.
I also wrote my views on Edward Snowden, which haven’t changed much, touching on insider threat topics as well. Yes — some good has come from Snowden, but the ends do not justify the means, in my opinion.
Other good reports and publications on addressing insider threats are available at:
Final Thoughts
Regardless of your views on individuals such as Edward Snowden or interest in national defense issues surrounding insider threats, we all face similar insider threat challenges in our workplaces. The many reports and presentations offered for free by ICIT are an outstanding set of resources that I highly recommend your teams take time to review.
I also want to give a shout-out to the ICIT Annual Forum (www.icitforum.org) June 7 in D.C.
The insider threat issues within cybersecurity and physical security are increasing worldwide. Small, medium and large-sized organizations need to take immediate action to address this growing challenge. These materials can show you how.