The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes Book Review
|Working as a Software Architect one of the main concerns we always have is Security. At an application level that can usually be easily implemented if you are up to speed with the latest industry standards and best practices for the technology you are working in.|
Working as an Enterprise Architect, security becomes a much broader subject. Insider threats become part of the picture and there is no cookie cutter solution for them. I have seen plenty of potential issues thwarted, and over the years working as a consultant I have witnessed plenty of successful insider attacks.
One of my first experiences with insider threat was when I was still in the engineering field. We used an email product called Pega eMail. A few of us discovered that no password was required to log into another person's email if it was done in a certain way. We would do goofy stuff like rename each other's folders to stupid names. We got bored with it in about a day and forgot about it. As time went on our company was purchased by an England company.
The new parent company sent in a new president. One of the new president's jobs was to reorganize. People were let go and offices were moved. Some of the people in one of the departments decided they wanted the inside scoop. Apparently they had learned about the email trick. They began reading all the new presidents emails. From what I heard one of them mentioned something in a meeting that was confidential between the new president and the company's London office.
The IT security team started to investigate and discovered the email product flaw. They then monitored the IP logging into the presidents email and discovered the entire department was guilty. One Friday afternoon they were all escorted out of the building.
I have experienced several insider threat scenarios but the worst one was at a small company that decided it was a good idea to hire a hacker to be the lead network administrator. At the time he was very good at hacking, but not so good with ethical hacking. Actually he wasn't so good with ethics at all. I am pretty sure he had a drug problem also. Either that or he was just downright nuts. He came and went as he pleased. In the weeks leading up to the incident he was missing for days at a time. When he did show up, it was better to avoid him. He was a mess.
They eventually called him in and told him he had to straighten up, or else. He politely apologized, said no problem, and proceeded to change all the network and server passwords and remove everyone else's access. He then disappeared for good. It took the company a few days to figure out what had happened. There only choice was to completely rebuild a mirror company infrastructure. It took weeks and cost them a ton of cash.
That is just two of many things I have witnessed over the years as a consultant. You like to think you work with people you can trust, but everyone has the potential for having an off day and making a bad choice. The problem is being able to identify those individuals that are heading towards their bad day and their bad decision. This book is a tremendous resource in helping with that.
Below are the chapters and appendices included in the book.
Chapter 1: Overview
Chapter 2: Insider IT Sabotage
Chapter 3: Insider Theft of Intellectual Property
Chapter 4: Insider Fraud
Chapter 5: Insider Threat Issues in the Software Development Life Cycle
Chapter 6: Best Practices for the Prevention and Detection of Insider Threats
Chapter 7: Technical Insider Threat Controls
Chapter 8: Case Examples
Chapter 9: Conclusion and Miscellaneous Issues
Appendix A: Insider Threat Center Products and Services
Appendix B: Deeper Dive into the Data
Appendix C: CyberSecurity Watch Survey
Appendix D: Insider Threat Database Structure
Appendix E: Insider Threat Training Simulation: MERIT InterActive
Appendix F: System Dynamics Background
This book has categorized insider threats into IT Sabotage, theft of intellectual property (IP), and fraud. After the introduction in chapter 1 the book has a chapter on each category. It mainly covers attacks by current and former employees, contractors, and trusted business partners. They each cover patterns related to the crimes and offer mitigation strategies.
Insider IT Sabotage covers patterns like Personal Predispositions, Disgruntlement and Unmet Expectations, Behavioral Precursors, Stressful Events, Technical Precursors and Access Paths, and The Trust Trap. Some of the mitigation strategies include Handling Disgruntlement through Positive Intervention, Eliminating Unknown Access Paths, A Risk-Based Approach to Prioritizing Alerts, Measures upon Demotion or Termination, and Test Backup and Recovery Process.
Insider Theft of Intellectual Property patterns include Insider Contribution and Entitlement, Insider Dissatisfaction, Insider Theft and Deception, Insider Planning of Theft, and Increasing Access. This chapter also cover the who, what, and why of the crimes. Some of the mitigation strategies covered include Network Data Exfiltration, Host Data Exfiltration, Physical Exfiltration, Exfiltration of Specific Types of IP, and Concealment.
Insider Fraud patterns include Origins of Fraud, Outsider Facilitation, Recruiting Other Insiders into the Scheme, and Insider Stressors. This chapter also includes a cool who, why, what, and how section. This chapter countermeasure such as watching out for Inadequate Auditing of Critical and Irregular Processes, Employee/Coworker Susceptibility to Recruitment, Financial Problems, and Excessive Access Privilege.
The authors use MERIT (Management and Education of the Risk of Insider Threat) diagrams to design the most effective mitigation strategies. They really help put the threat into context. The really cool thing about the MERIT diagrams in the book is that they are mirrors of actual working system dynamics models. I wish these models were available for download.
The chapter on Insider Threat Issues in the Software Development Life Cycle really points out the importance of following a good SDLC and how a an inadequate job of following one can later lead to exploitations. It covers topics like Separation of Duties, Automated Data Integrity Checks, Exception Handling, Code Reviews, Attribution, System Deployment, and Backups.
Best Practices for the Prevention and Detection of Insider Threats is worth the price of the book. It covers 15 practices. A few of them include Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments, Institute Periodic Security Awareness Training for All Employees, Anticipate and Manage Negative Workplace Issues, and Monitor and Respond to Suspicious or Disruptive Behavior, Beginning with the Hiring Process. Each principle includes section explaining what you can do, and offers a case study to give you an example of what can happen if you don't.
One of the things I like most about this book is all the examples that are included. They are very interesting. They help to put you in the shoes of a person that may commit a crime. They really will help you identify and head off attacks.
The CERT Insider Threat Center has a ton of additional information available. You can learn a lot form the site, but I highly recommend reading the book. It has put everything together in one place in a logical reading order.
Over all I think every single person that has anything to do with IT should read this book. Even if you don't deal with sensitive data, you are at risk for sabotage.
The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering)