Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

According to the Verizon 2018 Data Breach Investigations Report, email was an attack vector in 96% of incidents and breaches that involved social actions (manipulation of people as a method of compromise). The report also says an average of 4% of people will fall for any given phish, and the more phishing emails they have clicked, the more likely they are to click again. The mantra of "more user training" may be helping with the phishing problem, but it isn't solving it. In this blog post, I will cover four technical methods for improving an organization's phishing defense. These methods are vendor- and tool-agnostic, don't require a large security team, and are universally applicable for small and large organizations alike.

Editor's note: This blog post first appeared on the FAIR Institute Blog.

Organizations with a mix of cutting-edge technologies and legacy systems need adaptable, agile frameworks that provide executives with a real-time view of cyber risks. They also need tools and processes to ensure that everyone from executives to practitioners practice sound, consistent risk management.

Mitigating insider threats is a multifaceted challenge that involves the collection and analysis of data to identify threat posed by many different employee types (such as full-time, part-time, or contractors) with authorized access to assets such as people, information, technology, and facilities. The landscape of software and tools designed to aid in this process is almost as wide and varied as the problem itself, which leaves organizations with the challenge of understanding not only the complexities of insider threats, but also the wide array of tools and techniques that can assist with threat mitigation. This post explores some of the recommended tool features and functionality available through use of a combination of tools, as well as a proposed process to implement and operate controls at an organization.

In our cyber resilience assessments at the CERT Division of the SEI, we often find that organizations struggle with several fundamentals of cybersecurity management. Specifically, organizations have trouble identifying what critical assets need to be protected and then implementing specific cyber architecture controls, such as network segmentation and boundary protection, to protect them. This post will be the first in a series focusing on common weaknesses in organizational cybersecurity architecture. This initial post focuses on the importance of identifying an organization's critical assets and data so it can design a cybersecurity architecture that incorporates controls to protect those systems.

The CERT Division of the SEI has evaluated the cyber resilience of hundreds of organizations. We've seen that many organizations may not have formally established a controls management program. In this blog post, we will describe the basic controls management life cycle and provide a method for establishing effective controls for a new "green field" system or identifying gaps in an existing "brown field" system.

The European Union's General Data Protection Regulation (GDPR) is a directive that concerns the processing of personal data by private organizations operating in the European Union, whether as employers or as service providers. While many organizations have focused their GDPR readiness efforts on managing data subjects' personal information on customers, employees are also considered data subjects. This post will focus on an organization's obligations to its EU employees (inclusive of contractors and trusted business partners, regardless of a formal contract) under GDPR.