Subject: Insider Threat

Insider Threat Incident Analysis: Court Outcome Observations

• Insider Threat Blog
Nick Miller

In the United States, legal cases may be tried in criminal court or civil court. According to data in the CERT National Insider Threat Center (NITC) incident corpus, the type of court makes a big difference in the legal outcomes of insider attack cases. This blog post analyzes these differences, specifically sentencing and restitution in criminal cases and findings of liability in civil cases. This blog post does not, and is not intended to, constitute...

Improving Insider Threat Detection Methods Through Software Engineering Principles

• Insider Threat Blog
Daniel Costa

Tuning detective controls is a key component of implementing and operating an insider threat program, and one we have seen many organizations struggle with. Our work helping organizations with their insider threat programs has revealed common challenges with any tool that generates alerts of potential insider risk, such as user activity monitoring (UAM), security information event management (SIEM), or user and entity behavioral analytics (UEBA) tools. In this blog post, we will discuss some of...

September Is National Insider Threat Awareness Month

• Insider Threat Blog
Daniel Costa

September 2019 has been declared National Insider Threat Awareness Month by the National Insider Threat Task Force, the National Counterintelligence and Security Center, the Federal Bureau of Investigation, the Office of the Under Secretary of Defense (Intelligence), the Department of Homeland Security, and the Defense Counterintelligence and Security Agency. This blog post outlines the CERT National Insider Threat Center's activities in support of this effort....

Patterns and Trends in Insider Threats Across Industry Sectors (Part 9 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Daniel Costa

In previous posts of our series analyzing and summarizing insider incidents across multiple sectors, we presented up-to-date statistics from the CERT National Insider Threat Center (NITC) Incident Corpus and looked closely at which types of insider incidents are prevalent within certain types of organizations. From there, we presented statistics on what types of assets those insider attacks target, the time frames associated with those attacks, and the tactics, techniques, and procedures the insiders used to...

High-Level Technique for Insider Threat Program's Data Source Selection

• Insider Threat Blog
Robert M. Ditmore

This blog discusses an approach that the CERT Division's National Insider Threat Center developed to assist insider threat programs in developing, validating, implementing, and sharing potential insider threat risk indicators (PRIs). The motivation behind our approach is to provide a broad, tool-agnostic framework to promote sharing indicator details. You might share these details among your insider threat team personnel and other key stakeholders, such as Human Resources, Legal, and Information Technology, before the direct dive into...

Windows Event Logging for Insider Threat Detection

• Insider Threat Blog
Derrick Spooner

In this post, I continue my discussion on potential low-cost solutions to mitigate insider threats for smaller organizations or new insider threat programs. I describe a few simple insider threat use cases that may have been detected using Windows Event logging, and I suggest a low-effort solution for collecting and aggregating logs from Windows hosts....

The CERT Division's National Insider Threat Center (NITC) Symposium

• Insider Threat Blog
Randy Trzeciak

Addressing the Challenges of Maturing an Insider Threat (Risk) Program On May 10, 2019, the Software Engineering Institute's National Insider Threat Center (NITC) will host the 6th Annual Insider Threat Symposium, with this year's theme, "Maturing Your Insider Threat (Risk) Program." The purpose of the symposium is to bring together practitioners on the front lines of insider threat mitigation to discuss the challenges and successes of maturing their insider threat (risk) programs. You will have...

A New Scientifically Supported Best Practice That Can Enhance Every Insider Threat Program!

• Insider Threat Blog
Michael C. Theis

(Or..."How This One Weird Thing Can Take Your Program to the Next Level!") The CERT National Insider Threat Center (NITC) continues to transition its insider threat research to the public through its publications of the Common Sense Guide to Mitigating Insider Threats (CSG), blog posts, and other research papers. We recently released an updated version of the CSG: the Common Sense Guide to Mitigating Insider Threats, Sixth Edition. In this post, I'll highlight the new...

Insider Threats in Entertainment (Part 8 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Mark Dandrea

This post was co-authored by Carrie Gardner. The Entertainment Industry is the next spotlight blog in the Industry Sector series. Movie and television producers have long entertained the public with insider threat dramas such as Jurassic Park, Office Space, or the more recent Mr. Robot. These dramas showcase the magnitude of damage that can occur from incidents involving our assumed good, trusted employees. Yet as we discuss in this post, movie producers and the entertainment...

Insider Threats in Healthcare (Part 7 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Josh Vasko

This post was co-authored by Carrie Gardner. Next in the Insider Threats Across Industry Sectors series is Healthcare. As Healthcare-related information security conversations are predominantly driven by security and privacy concerns related to patient care and data, it's important to recognize the magnitude of security lapses in this sector. Patients can face severe, permanent consequences from medical record misuse, alteration, or destruction. And medical record fraud vis-a-vis identity theft, otherwise known simply as Fraud in...

Insider Threats in Information Technology (Part 6 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Michaela Webster

This blog post was co-authored by Carrie Gardner. As Carrie Gardner wrote in the second blog post in this series, which introduced the Industry Sector Taxonomy, information technology (IT) organizations fall in the NAICS Code category professional, scientific, and technology. IT organizations develop products and perform services advancing the state of the art in technology applications. In many cases, these services directly impact the supply chain since many organizations rely on products and services from...

Insider Threats in Finance and Insurance (Part 4 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Sarah Miller

This post was co-authored by Jonathan Trotman. In the previous post of our series analyzing and summarizing insider incidents across multiple sectors, we discussed some of the mandates and requirements associated with federal government insider threat programs as well as documented insider threat incidents. In this post, we will discuss information security regulations and insider threat metrics based on Finance and Insurance incidents from our CERT National Insider Threat Center (NITC) Incident Corpus....

Performing Text Analytics for Insider Threat Programs: Part 3 of 3

• Insider Threat Blog
Carrie Gardner

This blog series reviews topics in performing text analytics to support insider threat mitigation. This post presents a procedural framework for operationalizing this capability. It walks through the process of considering text analytics capability through putting it into practice. The blog also enumerates thought questions about whether to acquire a commercial textual analysis solution, repurpose an existing tool, or develop an in-house capability....

Insider Threats in the Federal Government (Part 3 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Sarah Miller

The CERT National Insider Threat Center (NITC) Insider Threat Incident Corpus contains over 2,000 incidents, which, as Director Randy Trzeciak writes, acts as the "foundation for our empirical research and analysis." This vast data set shows us that insider incidents impact both the public and private sector, with federal government organizations being no exception. As Carrie Gardner introduced in the previous blog post in this series, federal government organizations fall under the NAICS Codes for...

Classifying Industry Sectors: Our New Approach to an Industry Sector Taxonomy (Part 2 of 9: Insider Threats Across Industry Sectors)

• Insider Threat Blog
Carrie Gardner

As Randy Trzeciak mentioned in the first blog in this series, we are often asked about the commonalities of insider incidents for a particular sector. These questions invariably begin conversations about which sector-specific best practices and controls are best suited to address the common incident patterns faced by these organizations. To better address this question, we decided to update our model for coding industry sectors, or what classification system we use to organize the organizations...

Insider Threat Incident Analysis by Sector (Part 1 of 9)

• Insider Threat Blog
Randy Trzeciak

Hello, I am Randy Trzeciak, Director of the CERT National Insider Threat Center (NITC). I would like to welcome you to the NITC blog series on insider threat incidents within various sectors. In this first post, I (1) describe the purpose of the series and highlight what you can expect to see during the series, and (2) review the NITC insider threat corpus, which is the foundation for our empirical research and analysis. Join us...

Challenges Facing Insider Threat Programs and Hub Analysts: Part 2 of 2

• Insider Threat Blog
Jason W. Clark

In the first post in this two-part series, we covered five unique challenges that impact insider threat programs and hub analysts. The challenges included lack of adequate training, competing interests, acquiring data, analyzing data, and handling false positives. As you read the new challenges introduced in this post, ask yourself the same questions: 1) How many of these challenges are ones you are facing today? 2) Are there challenges in this list that lead to...

Challenges Facing Insider Threat Programs and Hub Analysts: Part 1 of 2

• Insider Threat Blog
Jason W. Clark

The purpose of this two-part blog series is to discuss five challenges that often plague insider threat programs and more specifically the analysts that are working in insider threat hubs. I am in a unique position to discuss this area because I have many years of experience working directly with operational insider threat programs of varying maturity levels. Thus I have a front-row vantage point to understand the challenges that analysts face on a daily...

Foundational Research Behind Text Analytics for Insider Threat: Part 2 of 3

• Insider Threat Blog
Carrie Gardner

In this blog series, I review topics related to deploying a text analytics capability for insider threat mitigation. In this segment, I continue the conversation by disambiguating terminology related to text analysis, summarizing methodological approaches for developing text analytics tools, and justifying how this capability can supplement an existing capability to monitor insider threat risk. In my next post, Acquiring or Deploying a Text Analytics Solution, I will discuss how organizations can think through the...

Navigating the Insider Threat Tool Landscape

• Insider Threat Blog
Derrick Spooner

Mitigating insider threats is a multifaceted challenge that involves the collection and analysis of data to identify threats posed by many different employee types (such as full-time, part-time, or contractors) with authorized access to assets such as people, information, technology, and facilities. The landscape of software and tools designed to aid in this process is almost as wide and varied as the problem itself, which leaves organizations with the challenge of understanding not only the...

GDPR and Its Potential Impacts for Insider Threat Programs

• Insider Threat Blog
Sarah Miller

The European Union's General Data Protection Regulation (GDPR) is a directive that concerns the processing of personal data by private organizations operating in the European Union, whether as employers or as service providers. While many organizations have focused their GDPR readiness efforts on managing data subjects' personal information on customers, employees are also considered data subjects. This post will focus on an organization's obligations to its EU employees (inclusive of contractors and trusted business partners,...

Insider Threat Supply Chain Best Practices

• Insider Threat Blog
Jean Marie Handy

This blog post outlines best practices for establishing an appropriate level of control to mitigate the risks involved in working with outside entities that support your organization's mission. In today's business landscape, organizations often rely on suppliers such as technology vendors, suppliers of raw materials, shared public infrastructure, and other public services. These outside entities are all examples of the supply chain, which is a type of trusted business partner (TBP). However, these outside entities...

Insiders and their Significant Others: Collusion, Motive, and Concealment

• Insider Threat Blog
Sarah Miller

Insiders have been known to collude with others, both with coworkers (i.e., other insiders) and outsiders. In our previous post on insider collusion and its impact, we explored 395 insider incidents of collusion and found that insiders working with outsider-accomplices had greater financial impact to their organization than those working with other insiders. When an insider works alone, or when an insider works with others within their organization, User Activity Monitoring (UAM) / User and...

Substance Use and Abuse: Potential Insider Threat Implications for Organizations

• Insider Threat Blog
Tracy Cassidy

In this blog post, I will discuss substance abuse as a potential precursor to increased insider threat and share statistics from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus on incidents that involved some type of substance use or abuse by the insider. In relation to insider threats, I will discuss the prevalence of substance abuse and discuss some of its impacts on organizations. Finally, I will outline some technical means of detecting...

Moving Personal Data at Work

• Insider Threat Blog
Robert M. Ditmore

Many organizations allow limited personal use of organizational equipment. To move personal data to or from the organization's devices and network, employees typically use email, removable media, or cloud storage--the same channels a malicious insider would use for data exfiltration. This post explores a new way, based on cross-domain solutions, for employees to safely transfer personal data between an organization's network and their own systems....

CERT NITC Insider Threat Program Manager Certificate

• Insider Threat Blog
Robin M. Ruefle

Increasingly, organizations, including the federal government and industry, are recognizing the need to counter insider threats and are doing it through specially focused teams. The CERT Division National Insider Threat Center (NITC) offers an Insider Threat Program Manager certificate to help organizations build such teams and supports programs that are flexible, based on best practices, and tailored to the unique circumstances of individual organizations....

CERT Insider Threat Vulnerability Assessments, ITVA Training Course, and ITVA Certificate Program

• Insider Threat Blog
Mark T. Zajicek

The CERT National Insider Threat Center (NITC) has been researching insider threats since 2001. In this blog post, we provide an overview of the CERT Insider Threat Vulnerability Assessment methodology, the CERT Insider Threat Vulnerability Assessor (ITVA) Training course, and the CERT Insider Threat Vulnerability Assessor Certificate program....

2017 U.S. State of Cybercrime Highlights

• Insider Threat Blog
Sarah Miller

Each year, the CERT Division of the SEI collaborates with CSO Magazine to develop a U.S. State of Cybercrime report. These reports are based on surveys of more than 500 organizations across the country, ranging in size from fewer than 500 employees to more than 10,000. Each organization self-reports on information security issues that have impacted them in the past calendar year. The 2017 report covers activity that occurred in 2016. In this blog post,...

Announcing Insider Threat Program Evaluator Training from the CERT National Insider Threat Center

• Insider Threat Blog
Robin M. Ruefle

The National Insider Threat Center (NITC) at the CERT Division of the SEI is developing an Insider Threat Program Evaluator (ITPE) Training course based on the methods and techniques the NITC currently uses to conduct Insider Threat Program Evaluations. This three-day, instructor-led, classroom-based, certificate training program presents strategies for measuring and evaluating an operational insider threat program within an organization. The first course will be offered in March 2018....

Announcing Insider Threat Analyst Training from the CERT National Insider Threat Center

• Insider Threat Blog
Daniel Costa

The CERT National Insider Threat Center (NITC) has recently developed an Insider Threat Analyst Training course. This three-day, instructor-led, classroom-based course presents strategies for collecting and analyzing data to prevent, detect, and respond to insider activity. Students learn various techniques and methods for designing, implementing, and measuring the effectiveness of various components of an insider threat data collection and analysis capability. The course includes instructor lectures and group discussions, as well as hands-on exercises with...

Announcing the National Insider Threat Center

• Insider Threat Blog
Randy Trzeciak

The CERT® Division of the Software Engineering Institute (SEI) at Carnegie Mellon University is proud to announce the creation of the CERT National Insider Threat Center (NITC). The establishment of this center builds on our 16 years of work in the insider threat domain. The NITC allows the SEI to enhance its insider threat work across the Department of Defense, U.S. government, industry, and academia. The Center's expanded capabilities give security practitioners access to insider...

Cyber Hygiene: 11 Essential Practices

• Insider Threat Blog
Matthew Trevors

This post is also authored by Charles M. Wallen. Tightening an organization's cybersecurity can be very complex, and just purchasing a piece of new hardware or software isn't enough. Instead, you might begin by looking at the most common baseline cyber practices that other organizations use in their cybersecurity programs--their cyber hygiene. This post will introduce fundamental cyber hygiene practices for organizations and help you understand the cyber-risk problem space....

The 3 Pillars of Enterprise Cyber Risk Management

• Insider Threat Blog
Brett Tucker

Equifax. Target. The Office of Personnel Management. Each new cyber hack victim has a story that makes the need for cyber risk management more urgent. Any organization hoping to maintain operational resilience during disruption should implement risk management. Unfortunately, that comes with many unknowns: Which risk management framework to use? Is risk management expensive? What's the return on investment? This post will help you guide your organization out of this decision paralysis by introducing the...

Blog Expands to Cover More

• Insider Threat Blog
Summer Fowler

You've known this blog as the Insider Threat blog, and this will continue to be your go-to source as we share our findings and explore the impact insider threat has on information technology and human resources practices and policies. Our new, expanded content will cover topics across a more broad spectrum that will continue to include insider threat topics as well as others related to how organizations ensure their resilience against disruptive events like cyberattacks....

Wrap Up of CERT Best Practices to Mitigate Insider Threats Series

• Insider Threat Blog
Randy Trzeciak

We hope you enjoyed our 20-part blog series describing the best practices included in the Common Sense Guide to Mitigating Insider Threats published by the CERT Insider Threat Center. Our goal for the series was to highlight each best practice and provide a few quick wins for you to consider as you attempt to identify and mitigate insider threats in your organization....

Employee Termination Procedure (Part 20 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Jason W. Clark

The 20th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 20: Develop a comprehensive employee termination procedure. In this post, I discuss the importance of establishing a termination procedure that is consistently communicated and applied across the enterprise....

Institutionalizing System Change Controls (Part 17 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Michael C. Hansell

The 17th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 17: Institutionalize System Change Controls. Organizations must change their systems and applications in a consistent, formalized manner. Controls must be put into place to ensure that assets, digital or otherwise, are protected from manipulations by an insider. In this post, I discuss case studies involving change control and describe how to build a roadmap...

Cloud Service Agreements (Part 16 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Jean Marie Handy

The 16th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 16: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities. In this post, I discuss the importance of including provisions for data access control and monitoring in agreements with cloud service providers....

Establishing Baseline Behaviors (Part 14 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Carrie Gardner

The 14th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 14: Establish a baseline of normal behavior for both networks and employees. In this post, I discuss the importance of considering data volume, velocity, variety, and veracity when establishing a baseline of network or employee behavior....

Mobile Devices and Other Remote Access (Part 13 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Michael C. Hansell

The 13th practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 13: Monitor and control remote access from all end points, including mobile devices. In this post, I discuss the importance of having policies and procedures in place that dictate how remote access from end points is monitored and controlled....

Data Management and Event Correlation (Part 12 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Michael J. Albrethsen

The twelfth practice described in the newly released Common Sense Guide to Mitigating Insider Threats is Practice 12: Deploy solutions for monitoring employee actions and correlating information from multiple data sources. In this post, I discuss this newer practice that involves collecting, managing, and analyzing data from multiple sources that offers insights into insider activity that can lead to cybersecurity incidents....

Privileged Account Management (Part 11 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Derrick Spooner

The eleventh practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 11: Institute stringent access controls and monitoring policies on privileged users. In this post, I discuss the importance of privileged account management and its effect on the security of the organization....

Security Awareness and Training (Part 9 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Robin M. Ruefle

The ninth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 9: Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. In this post, I discuss the importance of educating employees, managers, and trusted business partners about the role they play in preventing, detecting, and mitigating insider threats, and practices they should follow for protecting organizational critical assets....

Stress Management and Mistake Minimization (Part 8 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Samuel J. Perl

The eighth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 8: Structure management and tasks to minimize insider stress and mistakes. In this post, I discuss the importance of understanding the psychology of your organization's workforce and how it can help its employees balance work pressures while maintaining an atmosphere that supports productivity and minimizes stress and mistakes....

Social Media Awareness (Part 7 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Ryan C. Lewis

The seventh practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 7: Be especially vigilant regarding social media. In this post, I discuss the importance of having clear social media policies and conducting social engineering training to help mitigate issues with unintentional insider threat....

Enterprise-Wide Risk Assessments (Part 6 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Andrew Moore

The sixth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 6: Consider threats from insiders and business partners in enterprise-wide risk assessments. In this post, I discuss the importance of developing a comprehensive, risk-based security strategy to prevent, detect, and respond to insider threats, including those caused by business partners that are given authorized access....

Negative Issues in the Work Environment (Part 5 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Tracy Cassidy

The fifth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 5: Anticipate and manage negative issues in the work environment. In this post, I discuss the importance of understanding organizational issues that may cause employee disgruntlement, being proactive, and identifying and responding to concerning behaviors in the workplace....

Suspicious and Disruptive Behavior Monitoring and Response (Part 4 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Tracy Cassidy

The fourth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 4: Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. In this post, I discuss the importance of early identification of suspicious and disruptive behavior in the workplace to mitigate potential insider threats....

Policy and Control Documentation and Enforcement (Part 3 of 20: CERT Best Practices to Mitigate Insider Threats Series)

• Insider Threat Blog
Mark T. Zajicek

The third practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 3: Clearly document and consistently enforce policies and controls. In this post, I discuss the importance of having consistent and articulated policies and controls in place within your organization....

Introduction to the CERT Best Practices to Mitigate Insider Threats Blog Series

• Insider Threat Blog
Randy Trzeciak

We at the CERT Insider Threat Center are proud to announce the release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats (CSG). This edition of our best practice guide is based on our significantly expanded corpus of more than 1,000 insider threat incidents and our continued research and analysis. This edition covers new technologies and new threats....

CERT Definition of 'Insider Threat' - Updated

• Insider Threat Blog
Daniel Costa

Insider Threat - the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization....

Defending Against Phishing

• Insider Threat Blog
Michael J. Albrethsen

When IT and security professionals discuss phishing, the need for improved user education is often the main focus. While user education is vital and can lead to faster discovery of attacks through increased reporting of phishing attempts, it's important to understand the limits of user education when trying to reduce phishing risks....

Sentiment Analysis in the Context of Insider Threat

• Insider Threat Blog
Jason W. Clark

In this blog post, I describe sentiment analysis and discuss its use in the area of insider threat. Sentiment analysis, often referred to as opinion mining, refers to the application of natural language processing (NLP), computational linguistics, and text analytics to identify and extract subjective information in source materials (Wikipedia)....

Insider Threat Deep Dive on IT Sabotage: Updated Statistics (Part 1 of 2)

• Insider Threat Blog
Sarah Miller

IT sabotage has been an area of increasing interest and concern across government, research, industry, and the public sector. IT sabotage is defined as incidents wherein malicious insiders intentionally use technical methods to disrupt or cease normal business operations of a victim organization. What makes sabotage so compelling a concern is the notion that a few lines of code can put an organization out of business....

Malicious Insiders in the Workplace Series: Malicious Insiders' Salaries and the Financial Impact of Insider Incidents (Part 4 of 4)

• Insider Threat Blog
Sarah Miller

In parts one, two, and three of this series, the roles held by malicious insiders and their estimated salary were reviewed. In this final post, we see if there is a relationship between an insider's salary and the financial impact of related incidents. Comparing the estimated salary of malicious insiders with impacts self-reported by victim organizations in publicly available sources (i.e., in court filings) may offer analytical insight for quantifying risk....

Building an Insider Threat Program: Some Low-Cost Tools (Part 2 of 2)

• Insider Threat Blog
George Silowash

This is the second part of a two-part series about considering low-cost tools for starting your insider threat program. In the first part of this series, I discussed the five categories of tools available to insider threat programs to use, as needed, as part of their operations. In this part, I provide examples of low-cost tools that are available in this space....

Building an Insider Threat Program: Five Important Categories of Tools (Part 1 of 2)

• Insider Threat Blog
George Silowash

This is the first part of a two-part series that explores open source, free, or low-cost solutions to help you get the technical portion of your insider threat program started. As defined by opensource.com, open source software is "software with source code that anyone can inspect, modify, and enhance." Free tools are available at no cost, but the source code is "closed," meaning that it cannot be examined or modified....

Malicious Insiders in the Workplace Series: How Does an Insider's Gender Relate to the Type of Incident? (Part 1 of 4)

• Insider Threat Blog
Sarah Miller

Much attention has been paid to understanding the impacts of an insider threat incident. In examining recorded cases, trends begin to emerge over time just as with any other data set. However, despite these malicious insiders using technical means to cause harm, there is still a human component that should be considered. Who, collectively, are these malicious insiders that caused harm? What do we know about them? This blog post is the first of a...

Responding to New Federal Requirements for Contractors

• Insider Threat Blog
Randy Trzeciak

On May 18, 2016, the DOD published Change 2 to DoD 5220.22-M, "National Industrial Security Operating Manual (NISPOM)," which requires contractors to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. The intent of this blog post is to describe the summary of changes required by Change 2 and the impact it will have on contracting organizations....

The Frequency and Impact of Insider Collusion

• Insider Threat Blog
Sarah Miller

Collusion among malicious insiders can produce a larger attack surface in terms of access to organizational assets. In theory, multiple actors could perform reconnaissance from within the "need-to-know" aspect of their job responsibilities to commit fraud or theft of intellectual property. Consequently, these malicious actors could then evade detection, presenting a real threat to an organization. In this blog post, I explore the concept of collusion among malicious insiders....

Mitigating Insider Incidents with Threat Indicator Standardization

• Insider Threat Blog
Carrie Gardner

Effective cross-department collaboration usually requires a common standard language for communication. Until recently, the insider threat community has suffered from a lack of standardization when expressing potential insider threat risk indicators. The CERT Division's research into insider threat detection, prevention, and mitigation methods steered the design process for a newly proposed ontology for communicating insider threat indicators. Such an ontology allows organizations to share threat detection intelligence. In this post, I briefly describe our recently...

Handling Threats from Disgruntled Employees

• Insider Threat Blog
CERT Insider Threat Center

Disgruntled employees can be a significant risk to any organization because they can have administrative privileges and access to systems that are necessary for the daily operation of the organization. These disgruntled employees can be identified and monitored, but without knowing what types of outcomes disgruntled insiders might accomplish, monitoring can become strenuous and overbearing. Hi, I'm Richard Bavis, Insider Threat Graduate Intern at the CERT Insider Threat Center. In this blog post, I will...

InTP Series: Conclusion and Resources (Part 18 of 18)

• Insider Threat Blog
CERT Insider Threat Center

The intent of this blog series was to describe a framework that you could use as you build an insider threat program (InTP) in your organization. We hope you found it a useful resource and recommend that you refer back to it as you progress through the Initiation, Planning, Operations, Reporting, and Maintenance phases of building your InTP. Hi, this is Randy Trzeciak, Technical Manager of the CERT Insider Threat Center in the CERT Division...

InTP Series: Implementation Planning (Part 17 of 18)

• Insider Threat Blog
CERT Insider Threat Center

Implementation plans are an essential component of developing an Insider Threat Program (InTP). It is important to look at the development of an implementation plan from a strategic long-term perspective. Hello, this is Tracy Cassidy, Insider Threat Researcher at the CERT Insider Threat Center. In this next-to-the-last blog post in our insider threat blog series, I'll provide an outline for developing an implementation plan....

InTP Series: The Insider Threat Framework (Part 16 of 18)

• Insider Threat Blog
CERT Insider Threat Center

The single most important aspect of developing a successful insider threat program (InTP) framework is a clear vision. Therefore, it is imperative that you define your vision in a concept of operations document or charter. Hi, this is Jason W. Clark, Ph.D., an insider threat researcher with the CERT Insider Threat Center. In this blog post, I will briefly describe and define an InTP framework document....

InTP Series: Protection of Employee Civil Liberties and Privacy Rights (Part 15 of 18)

• Insider Threat Blog
CERT Insider Threat Center

The news today is buzzing with discussions regarding civil liberties and privacy rights. Insider threat program (InTP) development deals directly with these issues, specifically the protection of employees. It is essential that management familiarize itself with existing mandates, statutes, laws, and directives that are related to InTP implementation. Hi, my name is Tracy Cassidy. I am an Insider Threat Researcher at the CERT Insider Threat Center. In this, the 15th of 18 posts in...

InTP Series: Policies, Procedures, and Practices (Part 14 of 18)

• Insider Threat Blog
CERT Insider Threat Center

An InTP requires two sets of policies, procedures, and practices: one set describing the operation and components of the program and the other set describing insider threat program (InTP) activities. Hi, I'm Cindy Nesta of the CERT Insider Threat Center. In this 14th installment of the InTP Blog Series, I will provide you with a clear explanation of the policies, procedures, and practices that an InTP requires....

InTP Series: Communicating Insider Threat Events (Part 13 of 18)

• Insider Threat Blog
CERT Insider Threat Center

When building your organization's Insider Threat Program (InTP), be sure to clearly identify defined processes for communicating insider threat events and incidents. It is important to ensure that all affected parties are made aware of the situation. As we all know, clear, concise, detailed, and documented communication is valuable. Hi, I'm Cindy Nesta of the CERT Insider Threat Team. In this 13th installment of the InTP Series, I will touch on several things, including the...

InTP Series: Incident Response Planning (Part 12 of 18)

• Insider Threat Blog
CERT Insider Threat Center

Your incident response plan should cover the entire incident lifecycle, including processes for how incidents are detected, reported, contained, remediated, documented, and prosecuted (if applicable). Hello, this is Mark Zajicek at the CERT Insider Threat Center. In this week's blog post, I summarize some guidance and suggest considerations to help you to develop an insider incident response plan....

InTP Series: Data Collection and Analysis (Part 11 of 18)

• Insider Threat Blog
CERT Insider Threat Center

A core capability of any insider threat program (InTP) involves collecting data from multiple sources and analyzing that data to identify indicators of insider anomalous activity or an increase in the probability of future insider activity. This is Dan Costa, a cybersecurity solutions developer at the CERT Insider Threat Center. This week, in the eleventh installment of the InTP blog series, I'll present strategies for increasing the effectiveness of an InTP's data collection and analysis...

InTP Series: Trusted Business Partners (Part 10 of 18)

• Insider Threat Blog
CERT Insider Threat Center

In today's business environment, few organizations are able to operate without contractors, subcontractors, temporary employees, contract employees, or other trusted business partners. Understanding how they fit into your insider threat program (InTP) and how to manage your organization's relationships with trusted business partners is critical to protecting your organization's data, assets, and reputation. Hi, this is Ian McIntyre of the CERT Insider Threat Center. In this 10th installment of our blog series on establishing an...

InTP Series: Confidential Reporting (Part 9 of 18)

• Insider Threat Blog
CERT Insider Threat Center

"If you see something, say something." That phrase has been a popular security slogan for some time, and it applies to insider threat as well as other security arenas. Organizations need to develop a robust reporting capability that their employees can use because they may observe concerning behaviors and dispositions that technical controls might miss. Hi, this is David McIntire of the CERT Insider Threat Center. In this installment of our blog series on establishing...

InTP Series: Training and Awareness (Part 8 of 18)

• Insider Threat Blog
CERT Insider Threat Center

The cornerstones of any insider threat program (InTP) are a formal training and awareness curriculum and a defined set of educational activities. A successful InTP requires multiple levels of training for different parts of the organization and different types of employees. Of course, any training program should fit within the mission and culture of the implementing organization and should leverage existing expertise and processes. Hi, this is Robin Ruefle, team lead of the Organizational Solutions...

InTP Series: Prevention, Detection, and Response (Part 7 of 18)

• Insider Threat Blog
CERT Insider Threat Center

The underlying network infrastructure is a critical component of any insider threat program. In this seventh in a series of 18 posts, I will introduce a few concepts of how to use your enterprise infrastructure to prevent, detect, and respond to insider threat events. My name is Derrick Spooner, a member of the technical staff of the CERT Insider Threat Center in the Software Engineering Institute (SEI) at Carnegie Mellon University. Previous posts have introduced...

InTP Series: Oversight of Program Compliance and Effectiveness (Part 5 of 18)

• Insider Threat Blog
CERT Insider Threat Center

Why should anyone care about program compliance and effectiveness? The CERT Division's answer to this question is simple: If you're going to have an Insider Threat Program (InTP), you want it to work well and within the limits of the law. We advocate that InTPs comply with all applicable laws, regulations, policies, and established procedures in a way that effectively deters, detects, and mitigates insider threats. Be sure to regularly work with your organization's general...

InTP Series: Participation of Business Areas (Part 4 of 18)

• Insider Threat Blog
CERT Insider Threat Center

An effective Insider Threat Program includes participation from the essential business areas of an organization. The National Insider Threat Task Force (NITTF) Minimum Standards identify the particular groups that should be represented in an insider threat program. Hi, this is Mike Albrethsen of the CERT Insider Threat Center with information about which groups should be included in the operation of an effective InTP and why. These are the groups that the NITTF recommends participate in...

InTP Series: The Formalized Program (Part 3 of 18)

• Insider Threat Blog
CERT Insider Threat Center

Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. This week in the third installment of our series, we'll take a look at the first component of an insider threat program: the formalized program itself. In last week's post, I summarized the elements of a successful insider threat program. Why a formalized program? A formalized insider threat program demonstrates the commitment of the organization to due care and due diligence...

InTP Series: Key Elements of an Insider Threat Program (Part 2 of 18)

• Insider Threat Blog
CERT Insider Threat Center

Before establishing an insider threat program in your organization, you first must understand the required components of such a program. In this second of a series of 18 posts, I will introduce you to the elements of an effective insider threat program. Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. In the previous post, Randy Trzeciak discussed CERT insider threat work and reasons why an organization might want to...

InTP Series: Establishing an Insider Threat Program (Part 1 of 18)

• Insider Threat Blog
CERT Insider Threat Center

Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is a good idea and summarize the topics my colleagues and I will be covering in this series. My name is Randy Trzeciak, the Technical Manager of the Insider Threat Center in the CERT Division of...

Unintentional Insider Threats by Economic Sector

• Insider Threat Blog
CERT Insider Threat Center

Hello, I'm Tracy Cassidy, a CERT cybersecurity researcher. This post is about the research the CERT Division is doing on unintentional insider threat (UIT) with a particular emphasis on phishing and malware incidents. For the past year, the CERT Insider Threat Center, sponsored by the Department of Homeland Security, has been publishing reports on UIT. These reports include the initial and follow-on reports: Unintentional Insider Threats: A Foundational Study and Unintentional Insider Threats: Social Engineering....

"Four Insider IT Sabotage Mitigation Patterns and an Initial Effectiveness Analysis" Paper Released

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Matt Collins of the CERT Insider Threat Center. We are pleased to announce the publication of our paper "Four Insider IT Sabotage Patterns and an Initial Effectiveness Analysis." The paper describes four mitigation patterns of insider IT sabotage and initial results from a review of 46 cases from the CERT Insider Threat Database (MERIT Database). Each pattern was developed to prevent or detect potentially malicious actions related to insider threat IT sabotage...

Theft of Intellectual Property by Insiders

• Insider Threat Blog
CERT Insider Threat Center

This is Matt Collins, Insider Threat Researcher at the CERT Insider Threat Center. In this post, I cover statistics related to a group of cases in the CERT Division's insider threat database related to the theft of intellectual property (IP). The CERT database was started in 2001 and contains insider threat cases that can be categorized into one of four groupings: Fraud; Sabotage; Theft of Intellectual Property (IP); Miscellaneous. Today I'm discussing cases in our...

Analyzing Insider Threat Data in the MERIT Database

• Insider Threat Blog
CERT Insider Threat Center

Greetings! This is Matt Collins, an insider threat researcher with the CERT Insider Threat Center. In this post I describe some of the types of insider incident data we record in our Management and Education of the Risk of Insider Threat (MERIT) database. The CERT Insider Threat Center began recording cases of insider threat in 2001. To date we've recorded over 800 incidents using publicly available information. Those 800 plus cases span the years 1995...

The Latest CERT Research of Unintentional Insider Threats: Social Engineering

• Insider Threat Blog
CERT Insider Threat Center

Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on unintentional insider threats, in particular social engineering. Earlier this year, the CERT Division's Insider Threat Team published the report Unintentional Insider Threats: A Foundational Study that documents results of a study of unintentional insider threats (UIT), which was sponsored by the Department of Homeland Security Federal Network Resilience (FNR). Following the success of that report, we on...

International Considerations for Cybersecurity Best Practices

• Insider Threat Blog
CERT Insider Threat Center

Hi! We are Lori Flynn and Carly Huth, CERT cybersecurity researchers. This post is about our recently published paper that describes how strategies for implementing international cybersecurity best practice should account for five factors: technology profile, laws and regulations, law enforcement, culture and subcultures, and corruption....

Seven Ways Insider Threat Products Can Protect Your Organization

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division. Organizations may be searching for products that address insider threats but have no real way of knowing if a product will meet their needs. In the recently released report, Insider Threat Attributes and Mitigation Strategies, I explore the top seven attributes that insider threat cases have according to our database of over 700 insider incidents. These attributes can be used...

A Multi-Dimensional Approach to Insider Threat

• Insider Threat Blog
CERT Insider Threat Center

This is Dave Mundie, senior member of the technical staff in the CERT Division. Previous SEI blog posts ("Protecting Against Insider Threats with Enterprise Architecture Patterns" and "Effectiveness of a Pattern for Preventing Theft by Insiders") have described the pattern language for insider threat that my colleague Andrew Moore and I have been developing. This pattern language consists of 26 mitigation patterns derived from the examination of more than 700 insider threat cases in...

Unintentional Insider Threats: The Non-Malicious Within

• Insider Threat Blog
CERT Insider Threat Center

Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on the unintentional insider threat. Organizations often suffer from individuals who have no ill will or malicious motivation, but whose actions cause harm. The CERT Insider Threat Center conducts work, sponsored by the Department of Homeland Security's Federal Network Resiliency Division, that examines such cases. We call this category of individuals the "unintentional insider threat" (UIT)....

Attend Our Insider Threat Webinar

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Randy Trzeciak, Technical Manager of the Enterprise Threat and Vulnerability Management team in the CERT Division. On Thursday, August 8, the SEI is hosting the webinar Managing the Insider Threat: What Every Organization Should Know. Join me and my colleagues as we discuss insider threat challenges that organizations face today....

Controlling the Malicious Use of USB Media

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division of the Software Engineering Institute. Earlier this year, we released the report Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources. In this report, we discuss the challenges universal serial bus (USB) flash drives present to organizations, especially those concerned with protecting their intellectual property....

How Ontologies Can Help Build a Science of Cybersecurity

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is David Mundie, a Senior Member of the Technical Staff in the CERT Program. The term "science of cybersecurity" is a popular one in our community these days. For some time now I have advocated ontologies and controlled vocabularies as an approach to building such a science. I am fond of citing the conclusion of the Jason Report, that the most important step towards a "science of cybersecurity" would be the construction of...

CERT Insider Threat Events at the RSA Conference

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. The RSA Conference is rapidly approaching, and since many of you will likely be there, I thought I'd let you know how to find us there. Also, if you would like to get together to discuss insider threat while you're there please email us at insider-threat-feedback@cert.org this week and we'll make arrangements to meet....

Common Sense Guide to Mitigating Insider Threats - Best Practice 19 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the last of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 18 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the eighteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should...

Common Sense Guide to Mitigating Insider Threats - Best Practice 17 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the seventeenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 16 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst and Lori Flynn, Insider Threat Researcher for the CERT Program, with the sixteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes...

Common Sense Guide to Mitigating Insider Threats - Best Practice 15 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the fifteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should...

Common Sense Guide to Mitigating Insider Threats - Best Practice 14 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Eleni Tsamitis, Insider Threat Administrator for the CERT Program, with the fourteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Read More
Common Sense Guide to Mitigating Insider Threats - Best Practice 13 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Ying Han, Graduate Research Assistant of the CERT Enterprise Threat and Vulnerability Management team, with the thirteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations...

Common Sense Guide to Mitigating Insider Threats - Best Practice 12 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Sam Perl, Cybersecurity Analyst for the CERT Program, with the twelfth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to...

Common Sense Guide to Mitigating Insider Threats - Best Practice 11 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Todd Lewellen, Cybersecurity Threat and Incident Analyst for the CERT Program, with the eleventh of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across...

Common Sense Guide to Mitigating Insider Threats - Best Practice 10 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Marcus Smith, a graduate assistant for the CERT Program, with the tenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 9 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Mike Albrethsen, Information Systems Security Analyst for the CERT Program, with the ninth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 8 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Jeremy Strozer, Senior Cyber Security Specialist for the CERT Program, with the eighth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 7 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Chris King, Member of the Technical Staff for the CERT Program, with the seventh of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across...

Common Sense Guide to Mitigating Insider Threats - Best Practice 6 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Jason Clark, Insider Threat Researcher for the CERT Program, with the sixth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 5 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the fifth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 4 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Carly Huth, Insider Threat Researcher for the CERT Program, with the fourth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise...

Common Sense Guide to Mitigating Insider Threats - Best Practice 3 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the third of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the...

Common Sense Guide to Mitigating Insider Threats - Best Practice 2 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, Technical Team Lead of Insider Threat Research for the CERT Program, with the second of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should...

Common Sense Guide to Mitigating Insider Threats - Best Practice 1 (of 19)

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Program, with the first of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. In the coming weeks, my colleagues and I in the CERT Insider Threat Center will, in a series of blog posts, introduce this edition of the guide by presenting each recommended practice in...

Fourth Edition of the Common Sense Guide to Mitigating Insider Threats Is Released

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Lori Flynn, insider threat researcher for the CERT Program. We are proud to announce the release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats. We are grateful to the U.S. Department of Homeland Security, Federal Network Resilience (FNR) division within the Office of Cybersecurity and Communications, which sponsored updating and augmenting the previous edition released in 2009. The newest edition is based on our significantly expanded database of...


"Spotlight On: Insider Threat from Trusted Business Partners" Article Revised and Released

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Todd Lewellen of the CERT Insider Threat Center. We are excited to announce that a revised version of our Spotlight On: Insider Threat from Trusted Business Partners article has been released. It has been almost three years since the first version of this article was published. During that time, our collection of insider threat case data has grown significantly. Specifically, we have collected 30 additional cases involving trusted business partners (TBPs) alone,...

External Threat Analysis

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Dan Klinedinst of the CERT Enterprise Threat and Vulnerability Management team. Recently we've been looking to extend the methodologies from our insider threat research to other sorts of threats. Personally, I'm interested in applying well-known analysis techniques to security data in an automated fashion. The goal is to identify classes of threats and watch how they evolve over time. This analysis will allow organizations to adjust their defenses and resources based on...

The Insider Threat Awareness Virtual Roundtable Webinar

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. Last week I had the pleasure of participating in The Insider Threat Awareness Virtual Roundtable webinar, which was sponsored by the DHS Office of Infrastructure Protection. The webinar was moderated by Jon Richeson from DHS, and I was joined by the Supervisory Special Agent from the Insider Threat Investigations Unit of the FBI....

Insider Threats Related to Cloud Computing--Installment 8: Three More Proposed Directions for Future Research in Detail

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 8 of a 10-part series on cloud-related insider threats. In this post, we discuss three more areas of future research for cloud-related insider threats: identifying cloud-based indicators of insider threats, virtualization and hypervisors, and awareness and reporting....

CERT Insider Threat Center in the News

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli of the CERT Insider Threat Center. We always feel proud when we see others recognize our hard work and, better yet, communicate the results of our work to others. SC Magazine, FedTech, Information Week, eWeek, and GovInfoSecurity have all published articles about the work that the CERT Insider Threat Center has done. We've collected excerpts from each here with a link to the complete article so you can take a...

Insider Threats Evident in All Industry Sectors

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Todd Lewellen, information systems security analyst for the CERT Insider Threat Center. We recently conducted a cursory search through our MERIT database for case examples across different industry sectors. This search reminded us just how indiscriminately insider attacks can appear throughout public and private sectors. In other words, while certain insider attacks tend to manifest themselves more often in specific industry sectors, no sector is free from the actions of malicious insiders....

Study on Insider Cyber Fraud in Financial Services Released

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Randy Trzeciak of the CERT Insider Threat Center. Recently, we completed a study that revealed insights into the type of insiders who commit insider financial cyber fraud, how they do it, and what they steal. The study, funded by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate, involved 80 real cases of insider cyber fraud in the financial services sector. We conducted the study working with the U.S. Secret...

Insider Threats Related to Cloud Computing--Installment 4: Using the Cloud to Conduct Nefarious Activity

• Insider Threat Blog
CERT Insider Threat Center

A third type of cloud-related insider is one who uses cloud services to carry out an attack on his own employer. This type of insider is similar to the previous type who targets systems or data in the cloud. In contrast, the third type of insider uses the cloud as a tool to carry out an attack on the targeted systems or data, which are not necessarily associated with cloud-based systems....

Insider Threats Related to Cloud Computing--Installment 3: Insiders Who Exploit Cloud Vulnerabilities

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 3 of a 10-part series on cloud-related insider threats. In this post, we discuss a second type of cloud-related insider threat: those that exploit weaknesses introduced by use of the cloud. Last week we discussed the rogue administrator, one type of cloud-related insider threat. A second type of cloud-related insider threat, often overlooked by security researchers, is the insider who exploits vulnerabilities exposed by the...

Insider Threats Related to Cloud Computing--Installment 2: The Rogue Administrator

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb and Alex Nicoll with installment 2 of a 10-part series on cloud-related insider threats. In this post, we present three types of cloud-related insiders and discuss one in detail--the "rogue administrator." This insider typically steals the cloud provider's sensitive information, but can also sabotage its IT infrastructure. The insider described by this threat may be motivated financially or by revenge....

Insider Threats Related to Cloud Computing--Installment 1: Introduction

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Bill Claycomb, lead research scientist for the CERT Insider Threat Center and Alex Nicoll, technical team lead for Insider Threat Technical Solutions and Standards. Over the next few months, we will discuss, in a series of blog posts, problems related to insiders in the cloud, defending against them, and researching approaches that could help solve some of these problems....

Pay Attention: Are Your Company Secrets at Risk from Insiders?

• Insider Threat Blog
CERT Insider Threat Center

For years the CERT Insider Threat Center has been studying organizations' current and former employees, contractors, and trusted business partners who steal intellectual property (IP) from their organizations. We have published reports that detail the problem: who does it, why, when, how, etc. We have also published reports on mitigation strategies based on our analysis of the problem. (Links to the reports are at the bottom of this post). These strategies focus on the detection...

The CERT Insider Threat Center has been busy this spring.

• Insider Threat Blog
CERT Insider Threat Center

The CERT Insider Threat Center has been busy this spring developing publications, presenting podcasts, and attending conferences to extend the knowledge and research we've collected into the public domain. This blog post contains a few highlights of recent accomplishments and a sneak peek of what we're planning for the future....

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

• Insider Threat Blog
CERT Insider Threat Center

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley's InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575....

Insiders and Organized Crime

• Insider Threat Blog
CERT Insider Threat Center

The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced, especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a publication titled Spotlight On: Malicious Insiders and Organized Crime Activity. This article focuses on a cross-section of CERT's insider threat data: incidents consisting of 2 or more individuals involved in a crime. What we found...

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage

• Insider Threat Blog
CERT Insider Threat Center

The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators of Information Technology (IT) sabotage activity. This blog post provides an overview of the control and the rationale behind its development. For more details describing the development of the control and the statistical analysis used and applied in this signature, please refer to the technical report:...

Preparing for Negative Workplace Events - Managing Employee Expectations

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Randy Trzeciak, technical team lead for the Insider Threat Research Team at the CERT Insider Threat Center. This blog post is intended to serve as a reminder to organizations about the impact that an organization's actions can have on employees. Additionally, I want you to ask yourself the following question: What are you doing to manage employee expectations during negative workplace events?...

Insider Threat Controls

• Insider Threat Blog
CERT Insider Threat Center

The mission of the CERT Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our hands-on work doing assessments, workshops, and working with technical security practitioners....

Data Exfiltration and Output Devices - An Overlooked Threat

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is George Silowash, and recently I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise...paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments, and I thought I would share some information regarding this type of attack....

The CERT Insider Threat Database

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Randy Trzeciak, technical team lead for the Insider Threat Outreach & Transition group at the Insider Threat Center at CERT. Since 2001, our team has been collecting information about malicious insider activity within U.S. organizations. In each of the incidents we have collected, the insider was found guilty in a U.S. court of law....

Theft of Intellectual Property and Tips for Prevention

• Insider Threat Blog
CERT Insider Threat Center

One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In our recent publication, An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases, we took a critical look at the technical aspects of cases in which insiders stole IP from their organization. Insiders commit these crimes for various...

Insider Threat Deep Dive: Theft of Intellectual Property

• Insider Threat Blog
CERT Insider Threat Center

This entry is part of a series of "deep dives" into insider threat. The previous entry focused on IT sabotage. Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single category. We found that there are individuals who steal or commit fraud for financial gain, others who steal intellectual property because of a sense of entitlement or to obtain a position with a competitor, and...

Insider Threat and Physical Security of Organizations

• Insider Threat Blog
CERT Insider Threat Center

Physical access to an organization's secure areas, equipment, or materials containing sensitive data may make it easier for a malicious insider to commit a crime. Therefore, an organization's physical security controls are often just as important as its technical security controls. This entry reviews some real case examples of physical security issues as well as some physical security controls....

Insider Threat Best Practices from Industry

• Insider Threat Blog
CERT Insider Threat Center

Hello, this is George Silowash from the Insider Threat Center at CERT. I had the opportunity to attend RSA Conference 2011 with two of my colleagues, Dawn Cappelli and Joji Montelibano. Insider threat was a popular topic at the conference this year--vendors discussed it in sales pitches, and security practitioner presentations focused on the problem. In addition to being speakers at the conference, staff members from the Insider Threat Center were there to gather ideas...

Insider Threats in the Software Development Lifecycle

• Insider Threat Blog
CERT Insider Threat Center

Developers often have full access to the source code of critical systems to do their job. This same access can also be used to insert logic bombs, sabotage the system, or siphon money from an organization. We have seen numerous cases of developers and system administrators exploiting parts of the software development lifecycle to commit their crimes. In this entry, we examine some recent cases involving developers who became malicious insiders....

Insider Threat Case Trends of Technical and Non-Technical Employees

• Insider Threat Blog
CERT Insider Threat Center

This is the second of two blog entries that explore questions we were asked during a recent meeting with leaders from the U.S. financial services sector. In this entry, we focus on what role malicious insiders typically hold in an organization: a non-technical position, a technical position, or both. "Non-technical" includes positions such as management, sales, and auditors. "Technical" includes positions such as system or database administrators, programmers, and helpdesk employees. "Both" includes overlapping jobs...

Insider Threat Case Trends for Employee Type and Employment Status

• Insider Threat Blog
CERT Insider Threat Center

We recently met with leaders from the U.S. financial services sector, and they asked a number of questions about recent trends in insider threat activities. We are often asked these types of questions, and we can answer many of them right away. Others require more extensive data mining in our case database. In this entry, we address the following question: Between current employees, former employees, and contractors, is one group most likely to commit these...

Interesting Insider Threat Statistics

• Insider Threat Blog
CERT Insider Threat Center

Hello, my name is Joji Montelibano, and I work in the CERT Insider Threat Center. When members of our team give presentations, conduct assessments, or teach courses, one of the most common questions is, "Just how bad is the insider threat?" According to the 2010 CyberSecurity Watch Survey, sponsored by CSO Magazine, the United States Secret Service (USSS), CERT, and Deloitte, the mean monetary value of losses due to cyber crime was $394,700 among the...

A Threat-Centric Approach to Detecting and Preventing Insider Threat

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Chris King. Any organization that stores data about individuals has a responsibility to protect that information. We regularly hear news stories about celebrities' personal information being stolen and released to the media. Some of these leaks are caused by unauthorized individuals at organizations who are entrusted with confidential data. Recently, the media reported on an incident in which the confidential records of a contestant on a popular reality television show were improperly...

Insider Threat Deep Dive: IT Sabotage

• Insider Threat Blog
CERT Insider Threat Center

This entry is the first in a series of "deep dives" into insider threat. Hi, this is Chris King from the CERT Insider Threat Center. Through the course of our research, we noticed that insiders couldn't be lumped into a single category. There are individuals who steal or commit fraud for profit, others who steal because of a sense of entitlement, and some who want to exact revenge against an organization simply because they are...

Welcome to the Insider Threat Blog

• Insider Threat Blog
CERT Insider Threat Center

Hi, this is Dawn Cappelli, technical manager of the Insider Threat Center at CERT. Thanks for taking the time to visit our new insider threat blog. As many of you know, we've been doing insider threat research since 2001. Our mission is to raise awareness of the risks of insider threat and to help identify the factors influencing an insider's decision to act, the indicators and precursors of malicious acts, and the countermeasures that will...
