Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

This post is also authored by Matt Trevors.

The 2003 Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires health care organizations to safeguard electronic protected health information (ePHI). We have recently mapped the practice questions in the Cyber Resilience Review (CRR) to the Security Rule requirements. This post describes the mapping and how organizations can use the CRR alongside the HIPAA Security Rule.

Many organizations allow limited personal use of organizational equipment. To move personal data to or from the organization's devices and network, employees typically use email, removable media, or cloud storage--the same channels a malicious insider would use for data exfiltration. This post explores a new way, based on cross-domain solutions, for employees to safely transfer personal data between an organization's network and their own systems.

After 30 years, cyber command centers, educators, and Internet threat intelligence organizations have yet to embrace a standardized, encompassing, and intuitive way to represent the entities and activities of the Internet. Such a representation would make the Internet more understandable and allow shared situational awareness of Internet events and activities--the much-sought-after "Cyber Common Operational Picture." This post describes Atlas: a working demonstration application for visualizing the Internet.

Since 1988's Morris Worm, which infected 10% of the estimated 60,000 computers connected to the internet, cybersecurity has grown into an industry expected to exceed $1 trillion in global spending between 2017 and 2021. Cybercrime will cost the global business market an estimated average of $6 trillion annually through the same time frame! So how do we spend just enough money on cybersecurity to be resilient and achieve our business objectives despite disruptive events like cyber-attacks?

By Matt Mackie

When the Internet was still ARPANET, hostnames were converted to numerical addresses using a hosts.txt file stored locally on each computer. This system evolved into today's hierarchical domain name system (DNS). Namecoin is a new--and old--alternative to DNS: it relies on a locally stored file, like the hosts.txt file, but the file is a blockchain, similar to that used in Bitcoin financial transactions. This cryptoDNS offers anonymity, security, and resistance to censorship--features that make it attractive to privacy advocates and criminals alike.

Developing security metrics within an organization is an ongoing challenge. Organizations want to know "Am I secure enough?" While this is the common question, it lacks context. Organizations vary in size, mission, risk appetites, and budget for security. There is no "one size fits all" for security metrics.

Increasingly, organizations, including the federal government and industry, are recognizing the need to counter insider threats and are doing it through specially focused teams. The CERT Division National Insider Threat Center (NITC) offers an Insider Threat Program Manager certificate to help organizations build such teams and supports programs that are flexible, based on best practices, and tailored to the unique circumstances of individual organizations.

The transition from on-premises information systems to cloud services represents a significant, and sometimes uncomfortable, new way of working for organizations. Establishing meaningful Service Level Agreements (SLAs) and monitoring the security performance of cloud service providers are two significant challenges. This post proposes that a process- and data-driven approach would alleviate these concerns and produce high-quality SLAs that reduce risk and increase transparency.