Posts by CERT Insider Threat Center

Handling Threats from Disgruntled Employees

• Blog
CERT Insider Threat Center

Disgruntled employees can be a significant risk to any organization because they can have administrative privileges and access to systems that are necessary for the daily operation of the organization. These disgruntled employees can be identified and monitored, but without knowing what types of outcomes disgruntled insiders might accomplish, monitoring can become strenuous and overbearing. Hi, I'm Richard Bavis, Insider Threat Graduate Intern at the CERT Insider Threat Center. In this blog post, I will...

InTP Series: Conclusion and Resources (Part 18 of 18)

• Blog
CERT Insider Threat Center

The intent of this blog series was to describe a framework that you could use as you build an insider threat program (InTP) in your organization. We hope you found it a useful resource and recommend that you refer back to it as you progress through the Initiation, Planning, Operations, Reporting, and Maintenance phases of building your InTP. Hi, this is Randy Trzeciak, Technical Manager of the CERT Insider Threat Center in the CERT Division...

InTP Series: Implementation Planning (Part 17 of 18)

• Blog
CERT Insider Threat Center

Implementation plans are an essential component of developing an Insider Threat Program (InTP). It is important to look at the development of an implementation plan from a strategic long-term perspective. Hello, this is Tracy Cassidy, Insider Threat Researcher at the CERT Insider Threat Center. In this next-to-the-last blog post in our insider threat blog series, I'll provide an outline for developing an implementation plan....

InTP Series: The Insider Threat Framework (Part 16 of 18)

• Blog
CERT Insider Threat Center

The single most important aspect of developing a successful insider threat program (InTP) framework is a clear vision. Therefore, it is imperative that you define your vision in a concept of operations document or charter. Hi, this is Jason W. Clark, Ph.D, an insider threat researcher with the CERT Insider Threat Center. In this blog post, I will briefly describe and define an InTP framework document....

InTP Series: Protection of Employee Civil Liberties and Privacy Rights (Part 15 of 18)

• Blog
CERT Insider Threat Center

The news today is buzzing with discussions regarding civil liberties and privacy rights. Insider threat program (InTP) development deals directly with these issues, specifically the protection of employees. It is essential that management familiarize itself with existing mandates, statutes, laws, and directives that are related to InTP implementation. Hi, my name is Tracy Cassidy. I am an Insider Threat Researcher at the CERT Insider Threat Center. In this, the 15th of 18 posts in...

InTP Series: Policies, Procedures, and Practices (Part 14 of 18)

• Blog
CERT Insider Threat Center

An InTP requires two sets of policies, procedures, and practices: one set describing the operation and components of the program and the other set describing insider threat program (InTP) activities. Hi, I'm Cindy Nesta of the CERT Insider Threat Center. In this 14th installment of the InTP Blog Series, I will provide you with a clear explanation of the policies, procedures, and practices that an InTP requires....

InTP Series: Communicating Insider Threat Events (Part 13 of 18)

• Blog
CERT Insider Threat Center

When building your organization's Insider Threat Program (InTP), be sure to clearly identify defined processes for communicating insider threat events and incidents. It is important to ensure that all affected parties are made aware of the situation. As we all know, clear, concise, detailed, and documented communication is valuable. Hi, I'm Cindy Nesta of the CERT Insider Threat Team. In this 13th installment of the InTP Series, I will touch on several things, including the...

InTP Series: Incident Response Planning (Part 12 of 18)

• Blog
CERT Insider Threat Center

Your incident response plan should cover the entire incident lifecycle, including processes for how incidents are detected, reported, contained, remediated, documented, and prosecuted (if applicable). Hello, this is Mark Zajicek at the CERT Insider Threat Center. In this week's blog post, I summarize some guidance and suggest considerations to help you to develop an insider incident response plan....

InTP Series: Data Collection and Analysis (Part 11 of 18)

• Blog
CERT Insider Threat Center

A core capability of any insider threat program (InTP) involves collecting data from multiple sources and analyzing that data to identify indicators of insider anomalous activity or an increase in the probability of future insider activity. This is Dan Costa, a cybersecurity solutions developer at the CERT Insider Threat Center. This week, in the eleventh installment of the InTP blog series, I'll present strategies for increasing the effectiveness of an InTP's data collection and analysis...

InTP Series: Trusted Business Partners (Part 10 of 18)

• Blog
CERT Insider Threat Center

In today's business environment, few organizations are able to operate without contractors, subcontractors, temporary employees, contract employees, or other trusted business partners. Understanding how they fit into your insider threat program (InTP) and how to manage your organization's relationships with trusted business partners is critical to protecting your organization's data, assets, and reputation. Hi, this is Ian McIntyre of the CERT Insider Threat Center. In this 10th installment of our blog series on establishing an...

InTP Series: Confidential Reporting (Part 9 of 18)

• Blog
CERT Insider Threat Center

"If you see something, say something." That phrase has been a popular security slogan for some time, and it applies to insider threat as well as other security arenas. Organizations need to develop a robust reporting capability that their employees can use because they may observe concerning behaviors and dispositions that technical controls might miss. Hi, this is David McIntire of the CERT Insider Threat Center. In this installment of our blog series on establishing...

InTP Series: Training and Awareness (Part 8 of 18)

• Blog
CERT Insider Threat Center

The cornerstones of any insider threat program (InTP) are a formal training and awareness curriculum and a defined set of educational activities. A successful InTP requires multiple levels of training for different parts of the organization and different types of employees. Of course, any training program should fit within the mission and culture of the implementing organization and should leverage existing expertise and processes. Hi, this is Robin Ruefle, team lead of the Organizational Solutions...

InTP Series: Prevention, Detection, and Response (Part 7 of 18)

• Blog
CERT Insider Threat Center

The underlying network infrastructure is a critical component of any insider threat program. In this seventh in a series of 18 posts, I will introduce a few concepts of how to use your enterprise infrastructure to prevent, detect, and respond to insider threat events. My name is Derrick Spooner, a member of the technical staff of the CERT Insider Threat Center in the Software Engineering Institute (SEI) at Carnegie Mellon University. Previous posts have introduced...

InTP Series: Oversight of Program Compliance and Effectiveness (Part 5 of 18)

• Blog
CERT Insider Threat Center

Why should anyone care about program compliance and effectiveness? The CERT Division's answer to this question is simple: If you're going to have an Insider Threat Program (InTP), you want it to work well and within the limits of the law. We advocate that InTPs comply with all applicable laws, regulations, policies, and established procedures in a way that effectively deters, detects, and mitigates insider threats. Be sure to regularly work with your organization's general...

InTP Series: Participation of Business Areas (Part 4 of 18)

• Blog
CERT Insider Threat Center

An effective Insider Threat Program includes participation from the essential business areas of an organization. The National Insider Threat Task Force (NITTF) Minimum Standards identify the particular groups that should be represented in an insider threat program. Hi, this is Mike Albrethsen of the CERT Insider Threat Center with information about which groups should be included in the operation of an effective InTP and why. These are the groups that the NITTF recommends participate in...

InTP Series: The Formalized Program (Part 3 of 18)

• Blog
CERT Insider Threat Center

Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. This week in the third installment of our series, we'll take a look at the first component of an insider threat program: the formalized program itself. In last week's post, I summarized the elements of a successful insider threat program. Why a formalized program? A formalized insider threat program demonstrates the commitment of the organization to due care and due diligence...

InTP Series: Key Elements of an Insider Threat Program (Part 2 of 18)

• Blog
CERT Insider Threat Center

Before establishing an insider threat program in your organization, you first must understand the required components of such a program. In this second of a series of 18 posts, I will introduce you to the elements of an effective insider threat program. Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. In the previous post, Randy Trzeciak discussed CERT insider threat work and reasons why an organization might want to...

InTP Series: Establishing an Insider Threat Program (Part 1 of 18)

• Blog
CERT Insider Threat Center

Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is a good idea and summarize the topics my colleagues and I will be covering in this series. My name is Randy Trzeciak, the Technical Manager of the Insider Threat Center in the CERT Division of...

Unintentional Insider Threats by Economic Sector

• Blog
CERT Insider Threat Center

Hello, I'm Tracy Cassidy, a CERT cybersecurity researcher. This post is about the research the CERT Division is doing on unintentional insider threat (UIT) with a particular emphasis on phishing and malware incidents. For the past year, the CERT Insider Threat Center, sponsored by the Department of Homeland Security, has been publishing reports on UIT. These reports include the initial and follow-on reports: Unintentional Insider Threats: A Foundational Study and Unintentional Insider Threats: Social Engineering....

"Four Insider IT Sabotage Mitigation Patterns and an Initial Effectiveness Analysis" Paper Released

• Blog
CERT Insider Threat Center

Hello, this is Matt Collins of the CERT Insider Threat Center. We are pleased to announce the publication of our paper "Four Insider IT Sabotage Patterns and an Initial Effectiveness Analysis." The paper describes four mitigation patterns of insider IT sabotage and initial results from a review of 46 cases from the CERT Insider Threat Database (MERIT Database). Each pattern was developed to prevent or detect potentially malicious actions related to insider threat IT sabotage...

Theft of Intellectual Property by Insiders

• Blog
CERT Insider Threat Center

This is Matt Collins, Insider Threat Researcher at the CERT Insider Threat Center. In this post, I cover statistics related to a group of cases in the CERT Division's insider threat database related to the theft of intellectual property (IP). The CERT database was started in 2001 and contains insider threat cases that can be categorized into one of four groupings: Fraud, Sabotage, Theft of Intellectual Property (IP), and Miscellaneous. Today I'm discussing cases in our...

Analyzing Insider Threat Data in the MERIT Database

• Blog
CERT Insider Threat Center

Greetings! This is Matt Collins, an insider threat researcher with the CERT Insider Threat Center. In this post I describe some of the types of insider incident data we record in our Management and Education of the Risk of Insider Threat (MERIT) database. The CERT Insider Threat Center began recording cases of insider threat in 2001. To date we've recorded over 800 incidents using publicly available information. Those 800 plus cases span the years 1995...

The Latest CERT Research of Unintentional Insider Threats: Social Engineering

• Blog
CERT Insider Threat Center

Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on unintentional insider threats, in particular social engineering. Earlier this year, the CERT Division's Insider Threat Team published the report Unintentional Insider Threats: A Foundational Study that documents results of a study of unintentional insider threats (UIT), which was sponsored by the Department of Homeland Security Federal Network Resilience (FNR). Following the success of that report, we on...

Seven Ways Insider Threat Products Can Protect Your Organization

• Blog
CERT Insider Threat Center

Hi, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division. Organizations may be searching for products that address insider threats but have no real way of knowing if a product will meet their needs. In the recently released report, Insider Threat Attributes and Mitigation Strategies, I explore the top seven attributes that insider threat cases have according to our database of over 700 insider incidents. These attributes can be used...

A Multi-Dimensional Approach to Insider Threat

• Blog
CERT Insider Threat Center

This is Dave Mundie, senior member of the technical staff in the CERT Division. Previous SEI blog posts ("Protecting Against Insider Threats with Enterprise Architecture Patterns" and "Effectiveness of a Pattern for Preventing Theft by Insiders") have described the pattern language for insider threat that my colleague Andrew Moore and I have been developing. This pattern language consists of 26 mitigation patterns derived from the examination of more than 700 insider threat cases in...

Unintentional Insider Threats: The Non-Malicious Within

• Blog
CERT Insider Threat Center

Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on the unintentional insider threat. Organizations often suffer from individuals who have no ill will or malicious motivation, but whose actions cause harm. The CERT Insider Threat Center conducts work, sponsored by the Department of Homeland Security's Federal Network Resiliency Division, that examines such cases. We call this category of individuals the "unintentional insider threat" (UIT)....

Attend Our Insider Threat Webinar

• Blog
CERT Insider Threat Center

Hi, this is Randy Trzeciak, Technical Manager of the Enterprise Threat and Vulnerability Management team in the CERT Division. On Thursday, August 8, the SEI is hosting the webinar Managing the Insider Threat: What Every Organization Should Know. Join me and my colleagues as we discuss insider threat challenges that organizations face today....

Controlling the Malicious Use of USB Media

• Blog
CERT Insider Threat Center

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division of the Software Engineering Institute. Earlier this year, we released the report Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources. In this report, we discuss the challenges universal serial bus (USB) flash drives present to organizations, especially those concerned with protecting their intellectual property....

How Ontologies Can Help Build a Science of Cybersecurity

• Blog
CERT Insider Threat Center

Hello, this is David Mundie, a Senior Member of the Technical Staff in the CERT Program. The term "science of cybersecurity" is a popular one in our community these days. For some time now I have advocated ontologies and controlled vocabularies as an approach to building such a science. I am fond of citing the conclusion of the Jason Report, that the most important step towards a "science of cybersecurity" would be the construction of...

CERT Insider Threat Events at the RSA Conference

• Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. The RSA Conference is rapidly approaching, and since many of you will likely be there, I thought I'd let you know how to find us there. Also, if you would like to get together to discuss insider threat while you're there please email us at insider-threat-feedback@cert.org this week and we'll make arrangements to meet....

Common Sense Guide to Mitigating Insider Threats - Best Practice 19 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the last of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 18 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the eighteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should...

Common Sense Guide to Mitigating Insider Threats - Best Practice 17 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the seventeenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 16 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst and Lori Flynn, Insider Threat Researcher for the CERT Program, with the sixteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes...

Common Sense Guide to Mitigating Insider Threats - Best Practice 15 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the fifteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should...

Common Sense Guide to Mitigating Insider Threats - Best Practice 14 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Eleni Tsamitis, Insider Threat Administrator for the CERT Program, with the fourteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 13 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Ying Han, Graduate Research Assistant of the CERT Enterprise Threat and Vulnerability Management team, with the thirteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations...

Common Sense Guide to Mitigating Insider Threats - Best Practice 12 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Sam Perl, Cybersecurity Analyst for the CERT Program, with the twelfth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to...

Common Sense Guide to Mitigating Insider Threats - Best Practice 11 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Todd Lewellen, Cybersecurity Threat and Incident Analyst for the CERT Program, with the eleventh of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across...

Common Sense Guide to Mitigating Insider Threats - Best Practice 10 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Marcus Smith, a graduate assistant for the CERT Program, with the tenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 9 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Mike Albrethsen, Information Systems Security Analyst for the CERT Program, with the ninth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 8 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Jeremy Strozer, Senior Cyber Security Specialist for the CERT Program, with the eighth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 7 (of 19)

• Blog
CERT Insider Threat Center

Hi, this is Chris King, Member of the Technical Staff for the CERT Program, with the seventh of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across...

Common Sense Guide to Mitigating Insider Threats - Best Practice 6 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Jason Clark, Insider Threat Researcher for the CERT Program, with the sixth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 5 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the fifth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 4 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Carly Huth, Insider Threat Researcher for the CERT Program, with the fourth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 3 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the third of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 2 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, Technical Team Lead of Insider Threat Research for the CERT Program, with the second of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should...

Common Sense Guide to Mitigating Insider Threats - Best Practice 1 (of 19)

• Blog
CERT Insider Threat Center

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Program, with the first of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. In the coming weeks, my colleagues and I in the CERT Insider Threat Center will, in a series of blog posts, introduce this edition of the guide by presenting each recommended practice in...

Fourth Edition of the Common Sense Guide to Mitigating Insider Threats Is Released

• Blog
CERT Insider Threat Center

Hello, this is Lori Flynn, insider threat researcher for the CERT Program. We are proud to announce the release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats. We are grateful to the U.S. Department of Homeland Security, Federal Network Resilience (FNR) division within the Office of Cybersecurity and Communications, which sponsored updating and augmenting the previous edition released in 2009. The newest edition is based on our significantly expanded database of...

"Spotlight On: Insider Threat from Trusted Business Partners" Article Revised and Released

• Blog
CERT Insider Threat Center

Hello, this is Todd Lewellen of the CERT Insider Threat Center. We are excited to announce that a revised version of our Spotlight On: Insider Threat from Trusted Business Partners article has been released. It has been almost three years since the first version of this article was published. During that time, our collection of insider threat case data has grown significantly. Specifically, we have collected 30 additional cases involving trusted business partners (TBPs) alone,...

External Threat Analysis

• Blog
CERT Insider Threat Center

Hi, this is Dan Klinedinst of the CERT Enterprise Threat and Vulnerability Management team. Recently we've been looking to extend the methodologies from our insider threat research to other sorts of threats. Personally, I'm interested in applying well-known analysis techniques to security data in an automated fashion. The goal is to identify classes of threats and watch how they evolve over time. This analysis will allow organizations to adjust their defenses and resources based on...

The Insider Threat Awareness Virtual Roundtable Webinar

• Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. Last week I had the pleasure of participating in The Insider Threat Awareness Virtual Roundtable webinar, which was sponsored by the DHS Office of Infrastructure Protection. The webinar was moderated by Jon Richeson from DHS, and I was joined by the Supervisory Special Agent from the Insider Threat Investigations Unit of the FBI....

Insider Threats Related to Cloud Computing--Installment 8: Three More Proposed Directions for Future Research in Detail

• Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 8 of a 10-part series on cloud-related insider threats. In this post, we discuss three more areas of future research for cloud-related insider threats: identifying cloud-based indicators of insider threats, virtualization and hypervisors, and awareness and reporting....

CERT Insider Threat Center in the News

• Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli of the CERT Insider Threat Center. We always feel proud when we see others recognize our hard work and, better yet, communicate the results of our work to others. SC Magazine, FedTech, Information Week, eWeek, and GovInfoSecurity have all published articles about the work that the CERT Insider Threat Center has done. We've collected excerpts from each here with a link to the complete article so you can take a...

Insider Threats Evident in All Industry Sectors

• Blog
CERT Insider Threat Center

Hello, this is Todd Lewellen, information systems security analyst for the CERT Insider Threat Center. We recently conducted a cursory search through our MERIT database for case examples across different industry sectors. This search reminded us just how indiscriminately insider attacks can appear throughout public and private sectors. In other words, while certain insider attacks tend to manifest themselves more often in specific industry sectors, no sector is free from the actions of malicious insiders....

Study on Insider Cyber Fraud in Financial Services Released

• Blog
CERT Insider Threat Center

Hi, this is Randy Trzeciak of the CERT Insider Threat Center. Recently, we completed a study that revealed insights into the type of insiders who commit insider financial cyber fraud, how they do it, and what they steal. The study, funded by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate, involved 80 real cases of insider cyber fraud in the financial services sector. We conducted the study working with the U.S. Secret...

Insider Threats Related to Cloud Computing--Installment 4: Using the Cloud to Conduct Nefarious Activity

• Blog
CERT Insider Threat Center

A third type of cloud-related insider is one who uses cloud services to carry out an attack on his own employer. This type of insider is similar to the previous type who targets systems or data in the cloud. In contrast, the third type of insider uses the cloud as a tool to carry out an attack on targeted systems or data, which are not necessarily associated with cloud-based systems....

Insider Threats Related to Cloud Computing--Installment 3: Insiders Who Exploit Cloud Vulnerabilities

• Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 3 of a 10-part series on cloud-related insider threats. In this post, we discuss a second type of cloud-related insider threat: those that exploit weaknesses introduced by use of the cloud. Last week we discussed the rogue administrator, one type of cloud-related insider threat. A second type of cloud-related insider threat, often overlooked by security researchers, is the insider who exploits vulnerabilities exposed by the...

Insider Threats Related to Cloud Computing--Installment 2: The Rogue Administrator

• Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 2 of a 10-part series on cloud-related insider threats. In this post, we present three types of cloud-related insiders and discuss one in detail--the "rogue administrator." This insider typically steals the cloud provider's sensitive information, but can also sabotage its IT infrastructure. The insider described by this threat may be motivated financially or by revenge....

Insider Threats Related to Cloud Computing--Installment 1: Introduction

• Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb, lead research scientist for the CERT Insider Threat Center and Alex Nicoll, technical team lead for Insider Threat Technical Solutions and Standards. Over the next few months, we will discuss, in a series of blog posts, problems related to insiders in the cloud, defending against them, and researching approaches that could help solve some of these problems....

Pay Attention: Are Your Company Secrets at Risk from Insiders?

• Blog
CERT Insider Threat Center

For years the CERT Insider Threat Center has been studying organizations' current and former employees, contractors, and trusted business partners who steal intellectual property (IP) from their organizations. We have published reports that detail the problem: who does it, why, when, how, etc. We have also published reports on mitigation strategies based on our analysis of the problem. (Links to the reports are at the bottom of this post). These strategies focus on the detection...

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

• Blog
CERT Insider Threat Center

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley's InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575....

Insiders and Organized Crime

• Blog
CERT Insider Threat Center

The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced, especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a publication titled Spotlight On: Malicious Insiders and Organized Crime Activity. This article focuses on a cross-section of CERT's insider threat data: incidents consisting of 2 or more individuals involved in a crime. What we found...

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage

• Blog
CERT Insider Threat Center

The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators to Information Technology (IT) sabotage activity. This blog post provides an overview of the control and the rationale behind its development. For more details describing the development of the control and the statistical analysis used and applied in this signature please refer to the technical report:...

Preparing for Negative Workplace Events - Managing Employee Expectations

• Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, technical team lead for the Insider Threat Research Team at the CERT Insider Threat Center. This blog post is intended to serve as a reminder to organizations about the impact that an organization's actions can have on employees. Additionally, I want you to ask yourself the following question: what are you doing to manage employee expectations during negative workplace events?...

Insider Threat Controls

• Blog
CERT Insider Threat Center

The mission of the CERT Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our hands-on work doing assessments, workshops, and working with technical security practitioners....

Data Exfiltration and Output Devices - An Overlooked Threat

• Blog
CERT Insider Threat Center

Hi, this is George Silowash and recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise...paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments and I thought I would share some information regarding this type of attack....

The CERT Insider Threat Database

• Blog
CERT Insider Threat Center

Hi, this is Randy Trzeciak, technical team lead for the Insider Threat Outreach & Transition group at the Insider Threat Center at CERT. Since 2001, our team has been collecting information about malicious insider activity within U.S. organizations. In each of the incidents we have collected, the insider was found guilty in a U.S. court of law....

Theft of Intellectual Property and Tips for Prevention

• Blog
CERT Insider Threat Center

One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In our recent publication, An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases, we took a critical look at the technical aspects of cases in which insiders stole IP from their organization. Insiders commit these crimes for various...

Insider Threat Deep Dive: Theft of Intellectual Property

• Blog
CERT Insider Threat Center

This entry is part of a series of "deep dives" into insider threat. The previous entry focused on IT sabotage. Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single category. We found that there are individuals who steal or commit fraud for financial gain, others who steal intellectual property because of a sense of entitlement or to obtain a position with a competitor, and...

Insider Threat and Physical Security of Organizations

• Blog
CERT Insider Threat Center

Physical access to an organization's secure areas, equipment, or materials containing sensitive data may make it easier for a malicious insider to commit a crime. Therefore, an organization's physical security controls are often just as important as its technical security controls. This entry reviews some real case examples of physical security issues as well as some physical security controls....

Insider Threat Best Practices from Industry

• Blog
CERT Insider Threat Center

Hello, this is George Silowash from the Insider Threat Center at CERT. I had the opportunity to attend RSA Conference 2011 with two of my colleagues, Dawn Cappelli and Joji Montelibano. Insider threat was a popular topic at the conference this year--vendors discussed it in sales pitches, and security practitioner presentations focused on the problem. In addition to being speakers at the conference, staff members from the Insider Threat Center were there to gather ideas...

Insider Threats in the Software Development Lifecycle

• Blog
CERT Insider Threat Center

Developers often have full access to the source code of critical systems to do their job. This same access can also be used to insert logic bombs, sabotage the system, or siphon money from an organization. We have seen numerous cases of developers and system administrators exploiting parts of the software development lifecycle to commit their crimes. In this entry, we examine some recent cases involving developers who became malicious insiders....

Insider Threat Case Trends of Technical and Non-Technical Employees

• Blog
CERT Insider Threat Center

This is the second of two blog entries that explore questions we were asked during a recent meeting with leaders from the U.S. financial services sector. In this entry, we focus on what role malicious insiders typically hold in an organization: a non-technical position, a technical position, or both. "Non-technical" includes positions such as management, sales, and auditors. "Technical" includes positions such as system or database administrators, programmers, and helpdesk employees. "Both" includes overlapping jobs...

Insider Threat Case Trends for Employee Type and Employment Status

• Blog
CERT Insider Threat Center

We recently met with leaders from the U.S. financial services sector, and they asked a number of questions about recent trends in insider threat activities. We are often asked these types of questions, and we can answer many of them right away. Others require more extensive data mining in our case database. In this entry, we address the following question: Between current employees, former employees, and contractors, is one group most likely to commit these...

Interesting Insider Threat Statistics

• Blog
CERT Insider Threat Center

Hello, my name is Joji Montelibano, and I work in the CERT Insider Threat Center. When members of our team give presentations, conduct assessments, or teach courses, one of the most common questions is, "Just how bad is the insider threat?" According to the 2010 CyberSecurity Watch Survey, sponsored by CSO Magazine, the United States Secret Service (USSS), CERT, and Deloitte, the mean monetary value of losses due to cyber crime was $394,700 among the...

A Threat-Centric Approach to Detecting and Preventing Insider Threat

• Blog
CERT Insider Threat Center

Hi, this is Chris King. Any organization that stores data about individuals has a responsibility to protect that information. We regularly hear news stories about celebrities' personal information being stolen and released to the media. Some of these leaks are caused by unauthorized individuals at organizations who are entrusted with confidential data. Recently, the media reported on an incident in which the confidential records of a contestant on a popular reality television show were improperly...

Insider Threat Deep Dive: IT Sabotage

• Blog
CERT Insider Threat Center

This entry is the first in a series of "deep dives" into insider threat. Hi, this is Chris King from the CERT Insider Threat Center. Through the course of our research, we noticed that insiders couldn't be lumped into a single category. There are individuals who steal or commit fraud for profit, others who steal because of a sense of entitlement, and some who want to exact revenge against an organization simply because they are...

Welcome to the Insider Threat Blog

• Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli, technical manager of the Insider Threat Center at CERT. Thanks for taking the time to visit our new insider threat blog. As many of you know, we've been doing insider threat research since 2001. Our mission is to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will...
