Answer & Explanation:
Insider Threat
Learning Objective: Describe the security practices used to control employee behavior and prevent misuse of information.
Assignment Requirements
Review CERT’s Common Sense Guide to Prevention and Detection of Insider Threats. Choose one of the 16 best practices listed in the document. Write a summary paper that includes the following:
• Introduce the problem, the insider threat.
• Summarize the best practice you selected as if you are describing it to a Human Resource person in your organization.
• Conclude with a recommendation of how to implement the best practice in your organization.
CERT Document: Download Here
Submission Requirements
Format: Microsoft Word
Font: Arial, 12-Point, Double-Space
Citation Style: APA
Length: 2 pages (plus a cover sheet)
Common Sense Guide to Prevention and
Detection of Insider Threats
3rd Edition – Version 3.1
Dawn Cappelli
Andrew Moore
Randall Trzeciak
Timothy J. Shimeall
January 2009
This work was funded by
Copyright 2009 Carnegie Mellon University.
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE
MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS
TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL.
CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT
TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal
use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative
works.
External use. Requests for permission to reproduce this document or prepare derivative works of this document for
external and commercial use should be directed to permission@sei.cmu.edu.
CERT | SOFTWARE ENGINEERING INSTITUTE | 2
Table of Contents
INTRODUCTION ... 4
WHAT IS MEANT BY “INSIDER THREAT?” ... 5
CERT’S DEFINITION OF A MALICIOUS INSIDER ... 5
ARE INSIDERS REALLY A THREAT? ... 6
WHO SHOULD READ THIS REPORT? ... 8
CAN INSIDERS BE STOPPED? ... 8
ACKNOWLEDGEMENTS ... 9
PATTERNS AND TRENDS OBSERVED BY TYPE OF MALICIOUS INSIDER ACTIVITY ... 11
INSIDER IT SABOTAGE ... 15
THEFT OR MODIFICATION FOR FINANCIAL GAIN ... 18
THEFT OF INFORMATION FOR BUSINESS ADVANTAGE ... 21
SUMMARY ... 24
BEST PRACTICES FOR THE PREVENTION AND DETECTION OF INSIDER THREATS ... 27
SUMMARY OF PRACTICES ... 27
PRACTICE 1: CONSIDER THREATS FROM INSIDERS AND BUSINESS PARTNERS IN ENTERPRISE-WIDE RISK ASSESSMENTS. (UPDATED) ... 32
PRACTICE 2: CLEARLY DOCUMENT AND CONSISTENTLY ENFORCE POLICIES AND CONTROLS. (NEW) ... 36
PRACTICE 3: INSTITUTE PERIODIC SECURITY AWARENESS TRAINING FOR ALL EMPLOYEES. (UPDATED) ... 39
PRACTICE 4: MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS. (UPDATED) ... 43
PRACTICE 5: ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES (NEW) ... 47
PRACTICE 6: TRACK AND SECURE THE PHYSICAL ENVIRONMENT (NEW) ... 49
PRACTICE 7: IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES. (UPDATED) ... 52
PRACTICE 8: ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE. (UPDATED) ... 55
PRACTICE 9: CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE (NEW) ... 59
PRACTICE 10: USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS. (UPDATED) ... 63
PRACTICE 11: IMPLEMENT SYSTEM CHANGE CONTROLS. (UPDATED) ... 66
PRACTICE 12: LOG, MONITOR, AND AUDIT EMPLOYEE ONLINE ACTIONS. (UPDATED) ... 70
PRACTICE 13: USE LAYERED DEFENSE AGAINST REMOTE ATTACKS. (UPDATED) ... 74
PRACTICE 14: DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION. (UPDATED) ... 77
PRACTICE 15: IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES. (UPDATED) ... 81
PRACTICE 16: DEVELOP AN INSIDER INCIDENT RESPONSE PLAN. (NEW) ... 85
REFERENCES/SOURCES OF BEST PRACTICES ... 87
INTRODUCTION
In 2005, the first version of the Common Sense Guide to Prevention and Detection of
Insider Threats was published by Carnegie Mellon University’s CyLab. The document
was based on the insider threat research performed by CERT, primarily the Insider
Threat Study [1] conducted jointly with the U.S. Secret Service. It contained a description
of twelve practices that would have been effective in preventing or detecting malicious
insider activity in 150 actual cases collected as part of the study. The 150 cases occurred
in critical infrastructure sectors in the U.S. between 1996 and 2002.
A second edition of the guide was released in July of 2006. The second edition included a
new type of analysis – by type of malicious insider activity. It also included a new section
that presented a high-level picture of different types of insider threats: fraud, theft of
confidential or proprietary information, and sabotage. In addition, it contained new
and updated practices based on new CERT insider threat research funded by Carnegie
Mellon CyLab [2] and the U.S. Department of Defense Personnel Security Research
Center. [3] Those projects involved a new type of analysis of the insider threat problem
focused on determining high-level patterns and trends in the cases. Specifically, those
projects examined the complex interactions, relative degree of risk, and unintended
consequences of policies, practices, technology, insider psychological issues, and
organizational culture over time.
This third edition of the Common Sense Guide once again reflects new insights from
ongoing research at CERT. CyLab has funded the CERT Insider Threat Team to collect
and analyze new insider threat cases on an ongoing basis. The purpose of this ongoing
effort is to maintain a current state of awareness of the methods being used by insiders to
commit their attacks, as well as new organizational issues influencing them to attack.
This version of the guide includes new and updated practices based on an analysis of
approximately 100 recent insider threat cases that occurred from 2003 to 2007 in the U.S.
In this edition of the guide, CERT researchers also present new findings derived from
looking at insider crimes in a new way. These findings are based on CERT’s analysis of
118 theft and fraud cases, which revealed a surprising finding. The intent of the research
was to analyze cases of insider theft and insider fraud to identify patterns of insider
behavior, organizational events or conditions, and technical issues across the cases. The
patterns identified separated the crimes into two classes different from those originally
expected:
• Theft or modification of information for financial gain – This class includes cases where insiders used their access to organization systems either to steal information that they sold to outsiders, or to modify information for financial gain for themselves or others.
• Theft of information for business advantage – This class includes cases where insiders used their access to organization systems to obtain information that they used for their own personal business advantage, such as obtaining a new job or starting their own business.
[1] See http://www.cert.org/insider_threat/study.html for more information on the Insider Threat Study.
[2] A report describing the MERIT model of insider IT Sabotage, funded by CyLab, can be downloaded at http://www.cert.org/archive/pdf/08tr009.pdf.
[3] A report describing CERT’s insider threat research with the Department of Defense can be downloaded from http://www.cert.org/archive/pdf/06tr026.pdf.
It is important that organizations recognize the differences in the types of employees who
commit each type of crime, as well as how each type of incident evolves over time: theft
or modification for financial gain, theft for business advantage, IT sabotage, and
miscellaneous (incidents that do not fall into any of the three above categories). This
version of the guide presents patterns and trends observed in each type of malicious
activity. There have been minor updates to the IT sabotage information in this guide;
however, the most significant enhancements in this edition were made to the theft and
modification sections.
Some new practices were added in this edition that did not exist in the second edition. In
addition, every practice from the second edition has been modified—some significantly,
others to a lesser degree—to reflect new insights from the past year’s research at CERT.
Case examples from the second edition were retained in this edition for the benefit of
new readers. However, a Recent Findings section was included for all updated practices.
It details recent cases that highlight new issues not covered in the previous edition of this
guide.
What is Meant by “Insider Threat?”
CERT’s definition of a malicious insider is:
A current or former employee, contractor, or business partner who
• has or had authorized access to an organization’s network, system, or data and
• intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems
Note that one type of insider threat is excluded from this guide: cases of espionage
involving classified national security information.
The scope of insider threats has been expanding beyond the traditional threat posed by a
current or former employee. Specifically, the CERT team has noted the following
important new issues in the expanding scope of insider threat.
Collusion with outsiders: Insider threat has expanded beyond the organizational
boundary. Half of the insiders who stole or modified information for financial gain were
actually recruited by outsiders, including organized crime and foreign organizations or
governments. It is important to pay close attention to the section of the guide titled “Theft
or Modification of Information for Financial Gain.” It will help you understand the types
of employees who may be susceptible to recruitment.
Business partners: A recent trend noted by the CERT research team is the increase in the
number of insider crimes perpetrated not by employees, but by employees of trusted
business partners who have been given authorized access to their clients’ networks,
systems, and data. Suggestions for countering this threat are presented in Practice 1.
Mergers and acquisitions: A recent concern voiced to the CERT team by industry is the
heightened risk of insider threat in organizations being acquired by another organization.
It is important that organizations recognize the increased risk of insider threat both within
the acquiring organization, and in the organization being acquired, as employees endure
stress and an uncertain organizational climate. Readers involved in an acquisition should
pay particular attention to most of the practices in this guide.
Cultural differences: Many of the patterns of behavior observed in CERT’s insider threat
modeling work are reflected throughout this guide. However, it is important for readers to
understand that cultural issues could influence employee behaviors; those same
behavioral patterns might not be exhibited in the same manner by people who were raised
or spent extensive time outside of the U.S.
Issues outside the U.S.: CERT’s insider threat research is based on cases that occurred
inside the United States. It is important for U.S. companies operating branches outside
the U.S. to understand that, in addition to the cultural differences influencing employee
behavior, portions of this guide might also need to be tailored to legal and policy
differences in other countries.
Are insiders really a threat?
The threat of attack from insiders is real and substantial. The 2007 E-Crime Watch Survey™ conducted by the United States Secret Service, the CERT® Coordination Center (CERT/CC), Microsoft, and CSO Magazine, [4] found that in cases where respondents could identify the perpetrator of an electronic crime, 31% were committed by insiders. In addition, 49% of respondents experienced at least one malicious, deliberate insider incident in the previous year. The impact from insider attacks can be devastating. One employee working for a manufacturer stole blueprints containing trade secrets worth $100 million, and sold them to a Taiwanese competitor in hopes of obtaining a new job with them.
[4] http://www.cert.org/archive/pdf/ecrimesummary07.pdf
Over the past several years, Carnegie Mellon University has been conducting a variety of
research projects on insider threat. One of the conclusions reached is that insider attacks
have occurred across all organizational sectors, often causing significant damage to the
affected organizations. Examples of these acts include the following:
• “Low-tech” attacks, such as modifying or stealing confidential or sensitive information for personal gain.
• Theft of trade secrets or customer information to be used for business advantage or to give to a foreign government or organization.
• Technically sophisticated crimes that sabotage the organization’s data, systems, or network.
Damages in many of these crimes are not only financial—widespread public reporting of
the event can also severely damage the organization’s reputation.
Insiders have a significant advantage over others who might want to harm an
organization. Insiders can bypass physical and technical security measures designed to
prevent unauthorized access. Mechanisms such as firewalls, intrusion detection systems,
and electronic building access systems are implemented primarily to defend against
external threats. However, not only are insiders aware of the policies, procedures, and
technology used in their organizations, but they are often also aware of their
vulnerabilities, such as loosely enforced policies and procedures or exploitable technical
flaws in networks or systems.
CERT’s research indicates that use of many widely accepted best practices for
information security could have prevented many of the insider attacks examined. Part of
CERT’s research of insider threat cases entailed an examination of how each organization
could have prevented the attack or at the very least detected it earlier. Previous editions of
the Common Sense Guide identified existing best practices critical to the mitigation of
the risks posed by malicious insiders. This edition identifies additional best practices
based on new methods and contextual factors in recent cases, and also presents some new
suggestions for countering insider threat based on findings that could not be linked to
established best practices.
Based on our research to date, the practices outlined in this report are the most important
for mitigating insider threats.
Who should read this report?
This guide is written for a diverse audience. Decision makers across an organization can
benefit from reading it. Insider threats are influenced by a combination of technical,
behavioral, and organizational issues, and must be addressed by policies, procedures, and
technologies. Therefore, it is important that management, human resources, information
technology, software engineering, legal, security staff, and the “owners” of critical data
understand the overall scope of the problem and communicate it to all employees in the
organization.
The guide outlines practices that should be implemented throughout organizations to
prevent insider threats. It briefly describes each practice, explains why it should be
implemented, and provides one or more actual case examples illustrating what could
happen if it is not, as well as how the practice could have prevented an attack or
facilitated early detection.
Much has been written about the implementation of these practices (a list of references on
this topic is provided at the end of this guide). This report provides a synopsis of those
practices, and is intended to convince the reader that someone in the organization should
be given responsibility for reviewing existing organizational policies, processes, and
technical controls and for recommending necessary additions or modifications.
Can insiders be stopped?
Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only
be prevented through a layered defense strategy consisting of policies, procedures, and
technical controls. Therefore, management must pay close attention to many aspects of its
organization, including its business policies and procedures, organizational culture, and
technical environment. It must look beyond information technology to the organization’s
overall business processes and the interplay between those processes and the technologies
used.
Acknowledgements
In sponsoring the Insider Threat Study, the U.S. Secret Service provided more than just
funding for CERT’s research. The joint study team, composed of CERT information
security experts and behavioral psychologists from the Secret Service’s National Threat
Assessment Center, defined the research methodology and conducted the research that
has provided the foundation for all of CERT’s subsequent insider threat research. The
community as a whole owes a debt of gratitude to the Secret Service for sponsoring and
collaborating on the original study, and for permitting CERT to continue to rely on the
valuable casefiles from that study for ongoing research. Specifically, CERT would like to
thank Dr. Marisa Reddy Randazzo, Dr. Michelle Keeney, Eileen Kowalski, and Matt
Doherty from the National Threat Assessment Center, and Cornelius Tate, David
Iacovetti, Wayne Peterson, and Tom Dover, our liaisons with the Secret Service during
the study.
The authors would also like to thank the CERT members of the Insider Threat Study
team, who reviewed and coded cases, conducted interviews, and assisted in writing the
study reports: Christopher Bateman, Casey Dunlevy, Tom Longstaff, David Mundie,
Stephanie Rogers, Timothy Shimeall, Bradford Willke, and Mark Zajicek.
Since the Insider Threat Study, the CERT team has been fortunate to work with
psychologists who have contributed their vast experience and new ideas to our work: Dr.
Eric Sh …