
A Threat-Centric Approach to Detecting and Preventing Insider Threat

CERT Insider Threat Center
• Insider Threat Blog

Hi, this is Chris King. Any organization that stores data about individuals has a responsibility to protect that information. We regularly hear news stories about celebrities' personal information being stolen and released to the media. Some of these leaks are caused by unauthorized individuals at organizations who are entrusted with confidential data. Recently, the media reported on an incident in which the confidential records of a contestant on a popular reality television show were improperly accessed by employees in multiple law enforcement agencies, a municipal court, a prosecutor's office, and the state department of motor vehicles. These people were eventually identified and punished, but this incident should remind organizations that deal with confidential information that it is important to be proactive about monitoring for unauthorized access.

One approach to preventing malicious insiders from accessing confidential information is to become threat-focused in your monitoring and auditing strategy. For example, if your organization stores confidential data, consider implementing real-time alerts that will notify you when someone accesses information about certain individuals. The following are examples of the types of people you may want to proactively monitor:

  • television celebrities (e.g., actors/actresses, reality TV stars)
  • public figures (e.g., politicians, individuals in the news)
  • local figures of interest (e.g., individuals in your organization's geographical area that may be of interest to employees, high-ranking individuals within your organization)

This approach requires that the information security officer or system "data owner" stays aware of current events that employees in their organization may find interesting. Once a simple alerting mechanism is in place, monitoring access to the information should take very little time. It is important to maintain the list so that it stays current. Instituting these alerts could greatly increase the likelihood and speed of catching employee misuse of databases containing confidential information. In addition to the targeted monitoring, conducting security awareness training that informs employees that they are being watched for improper access could deter employees from accessing the data out of mere curiosity.
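The alerting mechanism described above, as an added example (this is not code from the CERT blog post or the Insider Threat Center): it matches record-access log events against a curated watchlist of "persons of interest" records and raises an alert for every access, and it flags watchlist entries that have not been reviewed recently so the list is kept current. The pipe-delimited log format, the record IDs, user names and review dates are all constructed sample data, not any real system's format.

```python
"""
Watchlist-based access alerting for a confidential-records system.

Added example: matches record-access events against a watchlist of records
whose access warrants an immediate alert, and reports watchlist entries that
are overdue for review. Every log line, record ID and name is constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Iterator

# Constructed watchlist: record IDs of individuals in the categories the post
# names (celebrities, public figures, local figures of interest), each with
# the date the entry was last reviewed by the data owner.
WATCHLIST = {
    "REC-10451": {"label": "reality TV contestant", "reviewed": date(2024, 3, 1)},
    "REC-20877": {"label": "city council member", "reviewed": date(2023, 6, 15)},
    "REC-30002": {"label": "agency executive", "reviewed": date(2024, 2, 20)},
}

# Constructed sample access log. Assumed format (hypothetical, not a real
# product's): timestamp | user | action | record id | application
SAMPLE_LOG = """\
2024-03-04T09:12:01|jdoe|READ|REC-55555|dmv-records
2024-03-04T09:15:43|msmith|READ|REC-10451|dmv-records
2024-03-04T09:16:10|msmith|READ|REC-10451|dmv-records
2024-03-04T11:02:27|rlee|UPDATE|REC-20877|court-case-mgmt
2024-03-04T11:30:00|jdoe|READ|REC-30002|hr-portal
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    action: str
    record_id: str
    app: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    action: str
    record_id: str
    label: str
    app: str


def parse_log(text: str) -> Iterator[AccessEvent]:
    """Parse the assumed pipe-delimited format into AccessEvent objects."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_id, app = line.split("|")
        yield AccessEvent(datetime.fromisoformat(ts), user, action, record_id, app)


def find_watchlist_access(text: str, watchlist=WATCHLIST) -> list[Alert]:
    """Return one Alert per access to a watchlisted record, in log order."""
    return [
        Alert(e.ts, e.user, e.action, e.record_id, watchlist[e.record_id]["label"], e.app)
        for e in parse_log(text)
        if e.record_id in watchlist
    ]


def summarize_by_user(alerts: list[Alert]) -> dict[str, int]:
    """Count watchlist accesses per user, to spot repeat offenders quickly."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.user] = counts.get(a.user, 0) + 1
    return counts


def stale_entries(watchlist, today: date, max_age_days: int = 180) -> list[str]:
    """Record IDs whose review date is older than max_age_days (list upkeep)."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(rid for rid, meta in watchlist.items() if meta["reviewed"] < cutoff)


if __name__ == "__main__":
    for a in find_watchlist_access(SAMPLE_LOG):
        print(f"ALERT {a.ts.isoformat()} {a.user} {a.action} {a.record_id} "
              f"({a.label}) via {a.app}")
    print("accesses per user:", summarize_by_user(find_watchlist_access(SAMPLE_LOG)))
    print("watchlist entries overdue for review:", stale_entries(WATCHLIST, date(2024, 3, 4)))
```

In a deployment the watchlist would be loaded from a file or table the data owner controls, the log would be streamed rather than read from a string, and alerts would go to a ticketing or SIEM channel; the matching and staleness logic stays the same. Keeping the review date on each entry is what makes the "maintain the list" step auditable rather than ad hoc.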

You can tailor this approach to fit your scope. If your organization has only one location, maybe local public figures or figures of interest are your only concern. However, if your organization has a national or international presence, be aware of popular individuals at those levels in addition to the local figures for each of your organization's locations.

Have any of you already solved this problem? If so, please consider telling us your solution. We would like to collect input from our readers, anonymize and consolidate the responses, and share them in a future post. As always, we will adhere to our strict code of conduct for maintaining confidentiality--we will not share the identities of our sources. We are hoping to serve as a trusted broker in collecting information on new practices and sharing it with the community in an effort to improve the state of the practice in defense against insider threats.
