Category: Mission Assurance

The CERT National Insider Threat Center (NITC) Insider Threat Incident Corpus contains over 2,000 incidents, which, as Director Randy Trzeciak writes, acts as the "foundation for our empirical research and analysis." This vast data set shows us that insider incidents impact both the public and private sector, with federal government organizations being no exception. As Carrie Gardner introduced in the previous blog post in this series, federal government organizations fall under the NAICS Codes for the public administration category. Public administration, in this context, refers to a collection of organizations working primarily for the public benefit, including within national security. This blog post will cover insider incidents within federal government, specifically malicious, non-espionage incidents.

As Randy Trzeciak mentioned in the first blog in this series, we are often asked about the commonalities of insider incidents for a particular sector. These questions invariably begin conversations about which sector-specific best practices and controls are best suited to address the common incident patterns faced by these organizations. To better address this question, we decided to update our model for coding industry sectors1, or what classification system we use to organize the organizations in our insider threat database.

Individual organizations spend millions per year complying with information security mandates, which tend to be either too general or too specific. However, organizations focusing solely on compliance miss the opportunity to strengthen their information security culture. This blog post will explain the benefits of information security culture and demonstrate how compliance with information security mandates may prevent organizations from achieving their full information security culture potential.

Hello, I am Randy Trzeciak, Director of the CERT National Insider Threat Center (NITC). I would like to welcome you to the NITC blog series on insider threat incidents within various sectors. In this first post, I (1) describe the purpose of the series and highlight what you can expect to see during the series, and (2) review the NITC insider threat corpus, which is the foundation for our empirical research and analysis. Join us over this nine-part series as we explore in-depth specific issues pertaining to insider threat. We hope you will follow along, and we encourage you to provide feedback about other sectors that we should analyze.

The costs of the steady stream of data breaches and attacks on sensitive and confidential data continue to rise. Organizations are responding by making data protection a critical component of their leadership and governance strategies. The European Union's recent General Data Protection Regulation (GDPR) adds layers of complexity to protecting the data of individuals in the EU and European Economic Area. Organizations are struggling to understand GDPR's requirements, much less become compliant. In this series of blog posts, I'll describe how to use the CERT Resilience Management Model (CERT-RMM) to approach GDPR compliance and, more fundamentally, data privacy.

In the first post in this two-part series, we covered five unique challenges that impact insider threat programs and hub analysts. The challenges included lack of adequate training, competing interests, acquiring data, analyzing data, and handling false positives.

As you read the new challenges introduced in this post, ask yourself the same questions: 1) How many of these challenges are ones you are facing today? 2) Are there challenges in this list that lead to an "aha" moment? 3) Are there challenges you are facing that did not make the list? 4) Do you need assistance with combating any of these challenges? Let us know your answers and thoughts via email at insider-threat-feedback@cert.org.

The purpose of this two-part blog series is to discuss five challenges that often plague insider threat programs and more specifically the analysts that are working in insider threat hubs. I am in a unique position to discuss this area because I have many years of experience working directly with operational insider threat programs of varying maturity levels. Thus I have a front-row vantage point to understand the challenges that analysts face on a daily basis. In this blog post, I will discuss some of the key challenges and associated recommendations (e.g., quick wins) facing many organizations.

The National Institute for Science and Technology (NIST) recently released version 1.1 of its Cybersecurity Framework (CSF). Organizations around the world--including the federal civilian government, by mandate--use the CSF to guide key cybersecurity activities. However, the framework's 108 subcategories can feel daunting. This blog post describes the Software Engineering Institute's recent efforts to group the 108 subcategories into 15 clusters of related activities, making the CSF more approachable for typical organizations. The post also gives example scenarios of how organizations might use the CSF Activity Clusters to facilitate more effective cybersecurity decision making.

Mitigating insider threats is a multifaceted challenge that involves the collection and analysis of data to identify threat posed by many different employee types (such as full-time, part-time, or contractors) with authorized access to assets such as people, information, technology, and facilities. The landscape of software and tools designed to aid in this process is almost as wide and varied as the problem itself, which leaves organizations with the challenge of understanding not only the complexities of insider threats, but also the wide array of tools and techniques that can assist with threat mitigation. This post explores some of the recommended tool features and functionality available through use of a combination of tools, as well as a proposed process to implement and operate controls at an organization.

The European Union's General Data Protection Regulation (GDPR) is a directive that concerns the processing of personal data by private organizations operating in the European Union, whether as employers or as service providers. While many organizations have focused their GDPR readiness efforts on managing data subjects' personal information on customers, employees are also considered data subjects. This post will focus on an organization's obligations to its EU employees (inclusive of contractors and trusted business partners, regardless of a formal contract) under GDPR.

This blog post outlines best practices for establishing an appropriate level of control to mitigate the risks involved in working with outside entities that support your organization's mission. In today's business landscape, organizations often rely on suppliers such as technology vendors, suppliers of raw materials, shared public infrastructure, and other public services. These outside entities are all examples of the supply chain, which is a type of trusted business partner (TBP). However, these outside entities can pose significant security risks.

Insiders have been known to collude with others, both with coworkers (i.e., other insiders) and outsiders. In our previous post on insider collusion and its impact, we explored 395 insider incidents of collusion and found that insiders working with outsider-accomplices had greater financial impact to their organization than those working with other insiders. When an insider works alone, or when an insider works with others within their organization, User Activity Monitoring (UAM) / User and Entity Behavior Analytics (UEBA) tools have the ability to identify one or multiple insiders as engaging in anomalous or suspicious activity. When insiders are working together, further analysis can correlate that suspicious activity and provide insight into where data may have moved. But what insight do organizations have when an insider reaches out to others to commit a malicious act? In this post, we explore a subset of these insider-outsider collusion incidents that involve an insider's significant other (i.e., current or former partners or spouses).

In this blog post, I will discuss substance abuse as a potential precursor to increased insider threat and share statistics from the CERT National Insider Threat Center's (NITC) Insider Incident Corpus on incidents that involved some type of substance use or abuse by the insider. In relation to insider threats, I will discuss the prevalence of substance abuse and discuss some of its impacts on organizations. Finally, I will outline some technical means of detecting employee substance abuse and share some best practices from the CERT Common Sense Guide for Mitigating Insider Threats.

Increasingly, organizations, including the federal government and industry, are recognizing the need to counter insider threats and are doing it through specially focused teams. The CERT Division National Insider Threat Center (NITC) offers an Insider Threat Program Manager certificate to help organizations build such teams and supports programs that are flexible, based on best practices, and tailored to the unique circumstances of individual organizations.

The transition from on-premises information systems to cloud services represents a significant, and sometimes uncomfortable, new way of working for organizations. Establishing meaningful Service Level Agreements (SLAs) and monitoring the security performance of cloud service providers are two significant challenges. This post proposes that a process- and data-driven approach would alleviate these concerns and produce high-quality SLAs that reduce risk and increase transparency.

Each year brings new cybersecurity threats, breaches, and previously unknown vulnerabilities in established systems. Even with unprecedented vulnerabilities such as Spectre and Meltdown, the approach to dealing with the risks they pose is the same as ever: sound risk management with systematic processes to assess and respond to risks. This post offers seven considerations for cyber risk management.