CSIAC

Cyber Security and Information Systems Information Analysis Center


Cybersecurity


Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.


Insider threats

  • This topic has 16 replies, 1 voice, and was last updated 1 year, 7 months ago by basxmaty.
  • 2019-08-29 at 16:20 #60303
    mabilkasimov
    Participant

    Hi, what kind of preventive and detective controls are the most efficient for insider threats?

Viewing 14 reply threads
    • 2019-08-30 at 15:55 #60318
      Ziya
      Participant

      Hello Mabilkasimov,

      Insider threats usually come from people within the organization, consciously or unconsciously, and unfortunately it’s a serious problem for organizations today.

      The Ponemon Institute report “2018 Cost of Insider Threats” shows that the average cost of an insider-related incident is around $513,000. Insider-related incidents can cost a company up to $8.76 million a year.

      There are many different solutions for this problem. First of all, companies should give the right permissions to the right users to protect their data. They should also prepare a password policy to enhance security through strong passwords. It is also possible to use two-factor authentication solutions to improve security in terms of authentication. On the other hand, it is possible to use user behaviour solutions to analyse users’ activities and for risk scoring to prevent any anomalous situation. DLP (data loss prevention) is another solution for insider threat problems: companies can control user and data activities to avoid potential data leakage. It’s possible to record sessions and create alarms in the case of a threat to critical systems, for proactive security. USB port usage on users’ PCs should be managed by the company as a security policy.

      Of course the network, and correspondingly network security, is also very important; the network is like the heart of a company. Users shouldn’t be connected to the network without any control. All applications and systems run on the network, and the network could be under attack (insider threat or external threat). Therefore, network access control and management should be implemented by companies for data security and for business and operational continuity.

    • 2019-08-30 at 19:07 #60323
      healthdatacybersecurity
      Participant

      Hi Mabilkasimov,

      Similar to Ziya’s response, to address potential insider malicious cyber criminality you may want to consider implementing a zero-trust cybersecurity architecture (which monitors all user access and data traffic) and ensure all users of the IT network are provided access based on the least-privilege principle.

      Another preventive measure, essential for all data maintained by the entity and aimed at mitigating cybercriminal activity, is to encrypt and back up all data.

      Appreciative of the question.

      Gratefully,

      Carlos Alberto Hernandez

    • 2019-08-31 at 08:11 #60331
      yzaw
      Participant

      Since cybersecurity is a process implemented by a combination of people, process and technology, let me add some controls and list them out together with those suggested by @Ziya and @healthdatacybersecurity.

        Preventive Controls

      • 2FA, strong password policy
      • HR screening of potential insider threats
      • Vendor/supplier contracts
      • Role-based user access
      • DLP
      • Device control, USB policy
      • End-to-end encryption
      • Identify the critical systems and IT assets and segregate them

        Detective Controls

      • Monitoring and logging of critical assets
      • User behavior analysis
      • Network admission control / identity awareness solution
      • IDS
      • SIEM

    • 2019-08-31 at 14:54 #60340
      shlairshe
      Participant

      The insider threat is real, and unless your organization has a holistic risk management plan in place that accommodates preventative and detective controls, exposure to a potential threat to your system will always be possible.
      There are a few insider threats I would like to mention, but personally, the majority of them normally fall under the same umbrella. Within an organization there is always the probability of having bad apples; sometimes these bad apples are initially not bad, but in the event that, let’s say, a person is let go, and for unsuspecting reasons the person who got fired somehow does not think they deserved the outcome. This is the sort of thing that can lead to one kind of insider threat. There are a few categories of insider threats that I personally think exist; to mention a few:

      a. A malicious employee or person who does damaging things to the core business, such as deleting important and classified data, launching a DDoS-type attack, or deliberately stealing an important hardware component or offloading classified data from specific hardware.
      b. You also have those who pretend to be someone else: such a person impersonates and uses the credentials of another unsuspecting user or employee to cause harm to the critical parts of the business operations.

      Preventing the insider threat is a task that involves a consistent approach to things such as regularly training employees, taking note of odd employee behavior, and monitoring all data and access to data associated with the critical business operations. Alternatively, access controls need to be revised for existing employees, and access should be given to very few persons who require access to classified data or data considered critical to the operations of the business.

    • 2019-08-31 at 22:46 #60349
      cyberfit
      Participant

      I would like to provide two more controls to the very comprehensive list highlighted above: “TIMELY” termination of user accounts and monitoring of user “PRIVILEGE ESCALATION”. Even when RBAC may be tight, when employees leave the company or change roles you need to ensure you remove those accounts or any unnecessary access to systems. This control tends to be weak in the majority of organizations, mainly when employees change roles within the organization. As for monitoring privilege escalation, this is a key indicator that something might be happening and you want to look at this activity a little bit deeper; set proper thresholds and alerts. This works for insider and outsider actors.

    • 2019-08-31 at 23:47 #60350
      fsp666
      Participant

      I would summarize it into three approaches:
      1) Visibility of the behavior of the employee (monitoring) (PREVENTIVE & DETECTIVE)
      2) Exit protocol when a user leaves the company (PREVENTIVE)
      3) Permits and segregation of duties to minimize security risks. (PREVENTIVE)

      • 2019-09-03 at 15:31 #60468
        jmkern26
        Participant

        I agree with @fsp666 that thinking about how you are managing these three processes is a good start to protect yourself from the insider threat. @mabilkasimov – The insider threat is underrated, so it’s important not to overlook this when designing your cybersecurity program. But it sounds like it’s a priority for you already.

    • 2019-09-01 at 09:22 #60352
      pnyambi
      Participant

      Hi all, with most companies moving to remote setups, more employees are working outside of company premises, meaning a higher level of monitoring is needed on those remote workstations.
      I think access to the company network should be restricted during the hours when IT or monitoring is not available, i.e. non-office hours.
      Thanks

      Pam

    • 2019-09-02 at 15:46 #60366
      gd2009
      Participant

      Since cybersecurity is context driven, you have to understand the environment to figure out the best controls to put in place, for one when dealing with insider threats. You have to consider the CIA triad and determine how much security is enough. How much will it cost? What is the trade-off?

      Defense in depth; avoid single points of failure (key-man risk); separation of duties; implement least privilege; and always measure your controls’ effectiveness.

    • 2019-09-02 at 17:18 #60371
      sidhu007
      Participant

      As a manager who doesn’t do any daily IT activities, how do I make sure that my employees are not insider threats? I try to make sure my team is happy and offer flexible work schedules, but sometimes you never really know if an employee is truly happy. I was thinking of working with my IT staff to send a test email to make sure that they listen to me when I say “don’t click on the links in emails etc.” Is there something else I can do?

    • 2019-09-02 at 18:08 #60375
      jrobertson68
      Participant

      There are a couple of different things that companies/organizations could do to mitigate the risk of insider threats. One thing that could be done to reduce the risk of insider threats would be to conduct regular audits on employee accounts in order to determine whether there are any anomalies in the number of logins, what information has been accessed, and the frequency with which that information has been accessed. Additionally, once an employee is terminated, it is imperative that they be removed from the office immediately and not be allowed to return to their work space, as they may retaliate against their employer by intentionally downloading malware onto the network. Lastly, limiting the number of employees that have access to sensitive information is important as well. This ensures that the information is only in the hands of the employees that need access to it in order to do their jobs and reduces the chances of the information getting into the wrong hands.
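
      Several of the detective controls suggested in this thread (jrobertson68’s account audits on login and access counts, cyberfit’s privilege-escalation thresholds and timely de-provisioning, pnyambi’s point about activity outside monitored hours) can be expressed as simple checks over an access log. The Python below is an added example, not code from this thread or from CSIAC; the log format, user names, file paths, office-hours window, thresholds and the “HR feed” of terminated accounts are all constructed assumptions.

```python
"""Detective checks for insider-threat indicators over access-log lines.

Added illustration for the thread above. The log format, users, paths and
thresholds are constructed assumptions, not from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log: "<ISO timestamp> <user> <event> <detail>".
SAMPLE_LOG = """\
2019-09-02T09:05:00 alice LOGIN ok
2019-09-02T09:07:00 alice READ hr/payroll.xlsx
2019-09-02T09:12:00 alice READ hr/handbook.pdf
2019-09-02T09:30:00 bob LOGIN ok
2019-09-02T09:35:00 bob READ finance/q3.xlsx
2019-09-02T10:00:00 carol LOGIN ok
2019-09-02T10:01:00 carol SUDO root
2019-09-02T10:02:00 carol SUDO root
2019-09-02T10:03:00 carol SUDO root
2019-09-02T10:04:00 carol SUDO root
2019-09-02T10:20:00 carol READ ops/runbook.md
2019-09-02T12:00:00 dave LOGIN ok
2019-09-02T12:01:00 dave READ finance/q3.xlsx
2019-09-02T23:45:00 bob LOGIN ok
2019-09-02T23:50:00 bob READ finance/q3.xlsx
2019-09-02T23:51:00 bob READ finance/forecast.xlsx
2019-09-02T23:52:00 bob READ finance/customers.csv
2019-09-02T23:53:00 bob READ finance/salaries.xlsx
2019-09-02T23:54:00 bob READ finance/board.pptx
2019-09-02T23:55:00 bob READ finance/budget.xlsx
2019-09-02T23:56:00 bob READ finance/vendors.csv
"""

# Constructed HR feed: accounts that should already have been disabled.
TERMINATED = {"dave"}
OFFICE_HOURS = range(8, 18)            # 08:00-17:59 counts as office hours
ESCALATION_THRESHOLD = 3               # SUDO events ...
ESCALATION_WINDOW = timedelta(minutes=10)  # ... inside this window is a burst


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, user, event, detail = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "user": user, "event": event, "detail": detail})
    return events


def off_hours_logins(events):
    """Logins outside office hours, when nobody is watching the console."""
    return [(e["user"], e["when"].isoformat())
            for e in events
            if e["event"] == "LOGIN" and e["when"].hour not in OFFICE_HOURS]


def escalation_bursts(events, threshold=ESCALATION_THRESHOLD, window=ESCALATION_WINDOW):
    """Users with `threshold` or more SUDO events inside one sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "SUDO":
            by_user[e["user"]].append(e["when"])
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return flagged


def terminated_account_activity(events, terminated=TERMINATED):
    """Any activity by an account HR says has left: a de-provisioning gap."""
    return [(e["user"], e["event"], e["detail"]) for e in events if e["user"] in terminated]


def access_volume_outliers(events, factor=3.0):
    """Users whose READ count exceeds `factor` times the median user's count."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "READ":
            counts[e["user"]] += 1
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(u for u, n in counts.items() if n > factor * baseline)


def run_checks(text):
    """Run every check and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "escalation_bursts": escalation_bursts(events),
        "terminated_activity": terminated_account_activity(events),
        "volume_outliers": access_volume_outliers(events),
    }


if __name__ == "__main__":
    for check, findings in run_checks(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

      On the constructed log the checks flag bob’s late-night login and his read volume, carol’s burst of four SUDO events in ten minutes, and every action by dave, whose account should already be gone. In practice the median baseline and the thresholds should be tuned per role, since an HR analyst legitimately reads far more personnel files than an engineer.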

    • 2019-09-02 at 19:59 #60377
      baghchel6391
      Participant

      Insider threats are difficult to spot… A foundational strategy is based around culture and is driven from the top down. Leadership is best positioned to prevent insider threats. They set the tone for how security is perceived. Leaders also are closest to the employees and in the best position to see any behavior changes before they manifest online.

      Security teams should arm leaders with the security privileges of their staff and educate them on signs of insider threat. They should give them tools to proactively reduce privileges or increase monitoring of employees exhibiting these signs.

      Cyber security is more psychological warfare than technical warfare when it comes to insider threats.

    • 2019-09-02 at 23:36 #60383
      skumbhat
      Participant

      @mabilkasimov – Food for thought for Preventative Insider Threat protection –

      Dynamic Access – Need to know and have Privileged Access. Static privileged keys are like waiting for a disaster. The distribution of static privileged credentials is very hard to control and thus dynamic credentials need to be deployed.

      Tightly Scoped Authorization – Privileged Authorization and Entitlements should be on a request/approval basis. That request/response could be either automated based on the context from the user/device/application and/or depending on a case by case basis. The aim here is to limit static authorization allowances.

      Privileged System Protection – Systems with the key assets, such as Databases should have fine grained security access controls deployed to prevent mass data leaks. Ability to create anonymous users and/or duplications should be strictly restricted.
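
      The request/approval model and short-lived credentials described in this post can be sketched as a small access broker. The Python below is an added example written for this page, not the poster’s or any product’s code; the class and method names, the 15-minute TTL, the injectable clock and the sample users and resource names are assumptions. It enforces separation of duties by refusing self-approval, rejects tokens used outside their scope or after expiry, and has a termination hook that revokes every live grant for a user at once, which is the “timely termination” point raised earlier in the thread.

```python
"""Request/approval broker issuing short-lived, tightly scoped privileged grants.

Added illustration of the "dynamic access" and "tightly scoped authorization"
ideas; the broker, its method names and the sample data are assumptions made
for this example, not a real product's API.
"""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Grant:
    token: str
    user: str
    resource: str
    expires_at: datetime


@dataclass
class AccessRequest:
    request_id: str
    user: str
    resource: str
    justification: str
    approved_by: Optional[str] = None


class AccessBroker:
    def __init__(self, ttl=timedelta(minutes=15), clock=datetime.now):
        self.ttl = ttl          # every grant dies after this long, no renewal
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.requests = {}
        self.grants = {}
        self.audit = []         # append-only trail; every decision lands here

    def request(self, user, resource, justification):
        """Open a request for privileged access; nothing is granted yet."""
        req_id = secrets.token_hex(8)
        self.requests[req_id] = AccessRequest(req_id, user, resource, justification)
        self.audit.append(("REQUEST", user, resource, req_id))
        return req_id

    def approve(self, req_id, approver):
        """A second person approves; a fresh random token with a TTL is issued."""
        req = self.requests[req_id]
        if approver == req.user:
            self.audit.append(("DENY_SELF_APPROVAL", approver, req.resource, req_id))
            raise PermissionError("requester cannot approve their own request")
        req.approved_by = approver
        grant = Grant(secrets.token_urlsafe(32), req.user, req.resource,
                      self.clock() + self.ttl)
        self.grants[grant.token] = grant
        self.audit.append(("GRANT", approver, req.resource, req_id))
        return grant.token

    def authorize(self, token, user, resource):
        """Allow only an unexpired token used by its own user on its own resource."""
        grant = self.grants.get(token)
        if grant is None:
            reason = "unknown token"
        elif grant.user != user or grant.resource != resource:
            reason = "scope mismatch"
        elif self.clock() >= grant.expires_at:
            reason = "expired"
            del self.grants[token]          # garbage-collect on first late use
        else:
            self.audit.append(("ALLOW", user, resource, token[:8]))
            return True
        self.audit.append(("DENY", user, resource, reason))
        return False

    def revoke_user(self, user):
        """Termination hook: drop every live grant for the user at once."""
        dead = [t for t, g in self.grants.items() if g.user == user]
        for t in dead:
            del self.grants[t]
        self.audit.append(("REVOKE_ALL", user, "*", len(dead)))
        return len(dead)


def demo():
    """Walk through request -> approval -> use -> expiry with a fake clock."""
    now = [datetime(2019, 9, 2, 10, 0, 0)]          # constructed start time
    broker = AccessBroker(ttl=timedelta(minutes=15), clock=lambda: now[0])
    req = broker.request("alice", "db/prod/customers", "constructed change request")
    try:
        broker.approve(req, "alice")                 # self-approval is refused
    except PermissionError:
        pass
    token = broker.approve(req, "bob")
    results = {
        "in_scope": broker.authorize(token, "alice", "db/prod/customers"),
        "wrong_resource": broker.authorize(token, "alice", "db/prod/payroll"),
        "wrong_user": broker.authorize(token, "mallory", "db/prod/customers"),
    }
    now[0] += timedelta(minutes=16)                  # step past the TTL
    results["after_expiry"] = broker.authorize(token, "alice", "db/prod/customers")
    return results, broker.audit


if __name__ == "__main__":
    outcome, trail = demo()
    print(outcome)
    for entry in trail:
        print(entry)
```

      The audit list is the part worth keeping in a real deployment: because every request, approval, allow, deny and revocation is recorded with who did it, the “monitoring of privilege escalation” that other replies ask for becomes a query over this trail rather than a separate system.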

    • 2019-09-03 at 11:10 #60424
      profsol
      Participant

      @jrobertson68 I completely agree with you! I believe it’s absolutely important to apply all the defenses proposed by @ziya @healthdatacybersecurity @yzaw, but we always need to consider the human factor, particularly in moments of conflict or when “leaving” the company. I would consider a strong policy to notify the person of the end of a contract and not to let the person access any company system any more. All access codes or permissions linked to a personal badge, to the extranet etc. must be blocked and put under strict security control. It’s difficult to imagine all possible scenarios when talking about insider threats, and I personally feel that this is a very big problem for companies of all sizes. No matter how many employees, just one of them may be capable of harm with a high level of knowledge of internal procedures. As a consultant and a trainer in security matters, I challenge the people involved, at all levels, to explain how they might attack their own company, and most of the time there is bad news for the management!!!

    • 2019-09-03 at 14:57 #60466
      omarahomsi
      Participant

      Hello,

      Can you please share your thoughts on the following:

      – The best way to utilize DLP in a corporation?
      – Considering DLP is implemented, how would you distinguish legitimate users accessing and sharing critical data from attack actors?
      – Does DLP help with the encryption applied on its side? Are there tools out there offering this combination?

      Thank you

    • 2019-09-03 at 18:06 #60470
      basxmaty
      Participant

      Insider threat is hard to control since there is a level of trust. However, creating users and restricting them access-wise is one of the key methods. Users must not have access to more than they are supposed to.


Copyright 2012-2021, Quanterion Solutions Incorporated

Sitemap | Privacy Policy | Terms of Use | Accessibility Information
Accessibility / Section 508 | FOIA | Link Disclaimer | No Fear Act | Policy Memoranda | Privacy, Security & Copyright | Recovery Act | USA.Gov

This website uses cookies to provide our services and to improve your experience. By using this site, you consent to the use of our cookies. To read more about the use of our site, please click "Read More". Otherwise, click "Dismiss" to hide this notice. Dismiss Read More
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.

SAVE & ACCEPT