Posted on by Insider Threatin
As part of an ongoing effort to keep you informed about our latest work, I'd like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in and systems engineering, resilience, and insider threat. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.
This report describes the data collection and analysis process used to support the assessment of project performance for the systems engineering effectiveness study being conducted by the SEI, the National Defense Industrial Association (NDIA) Systems Engineering Division, and the Institute of Electrical and Electronic Engineers (IEEE) Aerospace and Electronic Systems Society. This study seeks to identify relationships between the application of specific systems engineering practices on development projects and the performance of those projects, as measured by their satisfaction of budget, schedule, and technical requirements.
Analyzing Cases of Resilience Success and Failure--A Research Study
By Julia H. Allen, Pamela D. Curtis, Nader Mehravari (Executive VP at IT Cadre and SEI Affiliate), Andrew P. Moore, Kevin G. Partridge, Robert W. Stoddard, & Randall F. Trzeciak
Organizations that are using the CERT Resilience Management Model and organizations that are considering using it want information about the business value of implementing resilience processes and practices and how to determine which ones to implement. This report describes the SEI research study that begins to address this need. It includes a discussion of the completed phase-1 study and a proposed phase-2 project. Phase 1 included forming a hypothesis and set of research questions and using a variety of techniques to collect data and evaluate whether resilience practices have a discernible (measurable) effect on operational resilience--that is, an organization's ability to continue to carry out its mission (provide critical services) in the presence of operational stress and disruption. The outcomes of phase 1 provide the foundation for the proposed phase 2. The longer term goal includes developing a quantitative, validated business case for prioritizing and implementing specific resilience practices, including decision criteria for selecting and measuring investments in improved resilience.
Common Sense Guide to Mitigating Insider Threats, 4th Edition
By George Silowash, Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak, Timothy J. Shimeall, & Lori Flynn
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT Insider Threat Center, based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization--human resources, legal, physical security, data owners, information technology, and software engineering-and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.
Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources
By George Silowash & Christopher King
Removable media, such as universal serial bus (USB) flash drives, present unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property.
Organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them.
This report focuses on the theft of intellectual property using removable media, in particular, USB devices. We present methods to control removable media devices in a Microsoft Windows environment using Group Policy within an Active Directory environment. We also explore OpenDLP, an open source tool for identifying where sensitive data resides on organizational systems.
Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders
By George Silowash & Christopher King
Universal serial bus (USB) storage devices are useful for transferring information within an organization; however, they are a common threat vector through which data exfiltration can occur. Despite this, many organizations permit the use of USB devices on their systems. Implementing controls to track the use of these devices is necessary if organizations wish to retain situational awareness and auditing capabilities during a data theft incident.
This report presents methods to audit USB device use within a Microsoft Windows environment. Using various tools--the Windows Task Scheduler, batch scripts, Trend Micro's OSSEC host-based intrusion-detection system (HIDS), and the Splunk log analysis engine--we explore means by which information technology professionals can centrally log and monitor USB device use on Microsoft Windows hosts within an organization. In addition, we discuss how the central collection of audit logs can aid in determining whether sensitive data may have been copied from a system by a malicious insider.
For the latest SEI technical reports and papers, please visit