The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes
While Julius Caesar likely never said “Et tu, Brute?” the saying associated with his final minutes has come to symbolize the ultimate insider betrayal.
In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats.
There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them.
The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade. The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic.
The threat center has investigated nearly 1,000 incidents and their data sets on the topic are unrivaled. With that, the book truly needs to be on the desktop of everyone tasked with data security and intellectual property protection.
The book provides a unique perspective on insider threats as the CERT Insider Threat Center pioneered the study of the topic, and has exceptional and empirical data to back up their findings.
While there are many books on important security topics such as firewalls, encryption, identity management and more; The CERT Guide to Insider Threats is the one of the first to formally and effectively tackle the extraordinary devastating problem of trusted insiders who misappropriate data.
In the introduction, the authors write that a common misconception is that insider threat risk management is the responsibility of IT and information security staff members exclusively. The reality is that it is the responsibility of senior management to ensure that there is an overarching program to deal with insider threats at the enterprise level.
Surpassingly and shockingly, far too few organizations have insider threat programs in place, and the book has scores of stories and case studies on those organizations that have become victims. While senior management created information security solutions to secure the perimeter; they were oblivious to the data leakage emanating from the interior network.
The authors reiterate that it is critical that all levels of management recognize and acknowledge the threat posed by insiders and take appropriate steps to mitigate malicious insiders. While it is impossible to stop every attack, what management can certainly do is build resiliency into their organizations infrastructure and business processes.
This enables the organization to detect the attacks earlier and minimize the financial and operational impact. The book provides the specific details on how an organization can precisely do that.
In 9 detailed chapters and 6 appendices, the book provides a comprehensive and exhaustive analysis of the problem and menace of insider threats. After completing the book, one is well-prepared to initiate an insider threat program.
The book provides examples of insider crimes from nearly every industry segment and ample data to share with management to convince them that the threats, both to their intellectual property and corporate profits, are very real.
After a high-level overview of the topic in chapter 1, the next chapter gets into the details of insider IT sabotage. While some think that stopping IT sabotage is next to impossible, the authors detail and have identified distinct patterns in nearly every IT sabotage case. The book details those patterns and also presents mitigation strategies, both technical and non-technical, to deal with those threats.
The chapter provides fascinating insights into how these crimes are carried out. The authors note that by their very nature, these attacks require technical sophistication and privileged access and are usually carried out by sysadmins, DBA’s and programmers.
A surprising CERT finding is that the majority of the attacks occur after the insider has been terminated or quit the organization. Part of the problem is that many organizations don’t have a process in place to immediate terminate access when a worker resigns or is fired. In addition, 25% of the cases were carried out by full-time contractors.
Chapter 3 provides an intriguing look at the issue of insider theft of intellectual property (IP). Any firm that has a sizable amount invested in their IP (i.e., anything you can put on a USB stick) needs to take this chapter to heart. One of the many misconceptions CERT research has uncovered on this topic is that sysadmins are indeed not the biggest threat to IP, even though they have complete access to networks, systems and data.
According to the CERT data, they have not found a single case in which a sysadmin stole IP. Rather the biggest threat to IP is insider theft by scientists, engineers, programmers or salespeople. Also, CERT found that about a third of the IP cases were carried out for the benefit of a foreign government of organization, with China having more cases of IP theft than the other 9 countries combined.
Given the nature of China and its appetite for data theft, the book is surprisingly silent on specific suggestions in which to deal with threats from China. I would have liked to have seen at least a chapter dedicated to this topic.
The chapter continues and provides detailed lists of issues leading to job dissatisfaction that can lead a trusted employee or contractor to commit IP theft, and provides detailed steps on what companies can do to stop it.
Chapter 4 details everything you need to know about insider fraud. A fascinating statistic detailed is that the average insider fraud crime spans about 15 months, with half of the crimes lasting 5 months or more. The authors write that insider fraud is typically a long and ongoing crime. All of this is happening, over the course of months and years, and the organizations being pilfered are oblivious to it.
The book is worth reading for chapter 6 alone, which details best practices for the prevention and detection of insider threats. The best practices in chapter 6 give the reader a framework for establishing an insider threat program.
Many of the best practices detailed are elements of a good security program, so they should not be news to anyone. Some of the best practices include: security awareness training, physical security controls, separation of duties, and perhaps the most blatantly obvious suggestion of them all: deactivate access following termination.
Another fascinating fact detailed in the book is that almost all insiders involved in acts of IT sabotage displayed behavioral indicators prior to committing their crimes. Some of those indicators include: conflicts with coworkers or supervisors, improper use of data assets, sanctions and rule violations. Organizations that act on these precursors can prevent the insider crimes from taking place.
Aside from its lack of coverage on how to specifically deal with the China threat, the only other lacking in the book is that in all of the examples and case studies, even those whose breaches are publicly known, organizations are not mentioned by name.
According to author Dawn Cappelli, Technical Manager at the CERT Insider Threat Center, they took that approach based on interviews for approximately 230 of their cases, with prosecutors, investigators, victim organization, or convicted insiders. In those interviews they guaranteed confidentiality of the information they obtained.
Therefore, CERT considers the success of their research directly related to their reputation in the community for being trustworthy for maintaining confidentiality. While there reasoning makes sense, anonymous case studies are often unsatisfying
Insider threats are pervasive and undisputable. Organizations such as the CERT Insider Threat Center and individuals like provide vital services evangelizing about this critical topic. This entertaining from DEFCON 17 is a great primer on the topic.
Most of the firms who fall victim to insider threats are oblivious to them as they occur. The book details effective and operational security practices which can help every organization create an insider threat program to counterattack the majority of insider attacks.
When it comes to insider threats, the only way to avert them is to have a prevention program in place. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, the authors have created an invaluable guidebook, with myriad details in which to enable the reader do that. The facts around insider threats speak for themselves.
Anyone charged with protection of corporate data should ensure this book is on their required reading list. If not, and they fall victim to an insider attack, they have no one to blame but themselves.
Cross-posted from RSA