Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

This blog post outlines best practices for establishing an appropriate level of control to mitigate the risks involved in working with outside entities that support your organization's mission. In today's business landscape, organizations often rely on suppliers such as technology vendors, suppliers of raw materials, shared public infrastructure, and other public services. These outside entities are all part of the supply chain, which is one type of trusted business partner (TBP). However, these outside entities can also pose significant security risks.

Insiders have been known to collude with others, both with coworkers (i.e., other insiders) and with outsiders. In our previous post on insider collusion and its impact, we explored 395 insider incidents of collusion and found that insiders working with outsider-accomplices had a greater financial impact on their organization than those working with other insiders. When an insider works alone, or when an insider works with others within their organization, User Activity Monitoring (UAM) / User and Entity Behavior Analytics (UEBA) tools can identify one or more insiders as engaging in anomalous or suspicious activity. When insiders are working together, further analysis can correlate that suspicious activity and provide insight into where data may have moved. But what insight do organizations have when an insider reaches out to someone outside the organization to commit a malicious act? In this post, we explore a subset of these insider-outsider collusion incidents that involve an insider's significant other (i.e., a current or former partner or spouse).

In this blog post, I will discuss substance abuse as a potential precursor to increased insider threat and share statistics from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus on incidents that involved some type of substance use or abuse by the insider. I will describe the prevalence of substance abuse in relation to insider threats and some of its impacts on organizations. Finally, I will outline some technical means of detecting employee substance abuse and share some best practices from the CERT Common Sense Guide for Mitigating Insider Threats.

This post is also authored by Matt Trevors.

The 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires health care organizations to safeguard electronic protected health information (ePHI). We have recently mapped the practice questions in the Cyber Resilience Review (CRR) to the Security Rule requirements. This post describes the mapping and how organizations can use the CRR alongside the HIPAA Security Rule.

Many organizations allow limited personal use of organizational equipment. To move personal data to or from the organization's devices and network, employees typically use email, removable media, or cloud storage--the same channels a malicious insider would use for data exfiltration. This post explores a new way, based on cross-domain solutions, for employees to safely transfer personal data between an organization's network and their own systems.

After 30 years, cyber command centers, educators, and Internet threat intelligence organizations have yet to embrace a standardized, encompassing, and intuitive way to represent the entities and activities of the Internet. Such a representation would make the Internet more understandable and allow shared situational awareness of Internet events and activities--the much-sought-after "Cyber Common Operational Picture." This post describes Atlas: a working demonstration application for visualizing the Internet.

Since 1988's Morris Worm, which infected 10% of the estimated 60,000 computers connected to the internet, cybersecurity has grown into an industry expected to exceed $1 trillion in global spending between 2017 and 2021. Cybercrime will cost the global business market an estimated average of $6 trillion annually through the same time frame! So how do we spend just enough money on cybersecurity to be resilient and achieve our business objectives despite disruptive events like cyber-attacks?

By Matt Mackie

When the Internet was still ARPANET, hostnames were converted to numerical addresses using a hosts.txt file stored locally on each computer. This system evolved into today's hierarchical domain name system (DNS). Namecoin is a new--and old--alternative to DNS: it relies on a locally stored file, like the hosts.txt file, but the file is a blockchain, similar to that used in Bitcoin financial transactions. This cryptoDNS offers anonymity, security, and resistance to censorship--features that make it attractive to privacy advocates and criminals alike.