
Common Sense Guide to Mitigating Insider Threats, Sixth Edition

CERT National Insider Threat Center
December 2018

TECHNICAL REPORT
CMU/SEI-2018-TR-010

CERT Division

[Distribution Statement A] Approved for Public Release; Distribution Is Unlimited

REV-04.06.2018.0

Copyright 2018 Carnegie Mellon University. All Rights Reserved.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

This report was prepared for the SEI Administrative Agent, AFLCMC/AZS, 5 Eglin Street, Hanscom AFB, MA 01731-2100.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM18-1336

CMU/SEI-2018-TR-010 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY Distribution Statement A: Approved for Public Release; Distribution Is Unlimited

Table of Contents

Acknowledgments  vii
Executive Summary  ix
Abstract  xii
The History of the Common Sense Guide  1
Introduction  3

1 Know and protect your critical assets.  11
    1.1 Protective Measure - Conducting a Risk Assessment  11
    1.2 Protective Measure - Asset Tracking  13
    1.3 Protective Measure - Conducting a Privacy Impact Assessment  14
    1.4 Metrics  15
    1.5 Challenges to Asset Identification  15
    1.6 Case Studies  16
    1.7 Quick Wins and High-Impact Solutions  16
        1.7.1 All Organizations  16

2 Develop a formalized insider threat program.  18
    2.1 Protective Measures  18
    2.2 Understanding and Avoiding Potential Pitfalls  27
    2.3 Challenges  28
    2.4 Governance of an Insider Threat Program  29
    2.5 Case Studies  29
    2.6 Quick Wins and High-Impact Solutions  31
        2.6.1 All Organizations  31
        2.6.2 Large Organizations  31

3 Clearly document and consistently enforce policies and controls.  32
    3.1 Protective Measures  32
    3.2 Challenges  33
    3.3 Case Studies  33
    3.4 Quick Wins and High-Impact Solutions  35
        3.4.1 All Organizations  35

4 Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.  36
    4.1 Protective Measures  36
    4.2 Challenges  37
    4.3 Case Studies  38
    4.4 Quick Wins and High-Impact Solutions  40
        4.4.1 All Organizations  40

5 Anticipate and manage negative issues in the work environment.  41
    5.1 Protective Measures  41
    5.2 Challenges  42
    5.3 Case Studies  42
    5.4 Quick Wins and High-Impact Solutions  43
        5.4.1 All Organizations  43


6 Consider threats from insiders and business partners in enterprise-wide risk assessments.  44
    6.1 Protective Measures  44
    6.2 Challenges  46
    6.3 Case Studies  46
    6.4 Quick Wins and High-Impact Solutions  47
        6.4.1 All Organizations  47
        6.4.2 Large Organizations  47

7 Be especially vigilant regarding social media.  49
    7.1 Protective Measures  49
    7.2 Challenges  51
    7.3 Case Studies  51
    7.4 Quick Wins and High-Impact Solutions  52
        7.4.1 All Organizations  52
        7.4.2 Large Organizations  52

8 Structure management and tasks to minimize insider stress and mistakes.  53
    8.1 Protective Measures  53
    8.2 Challenges  53
    8.3 Case Studies  54
    8.4 Quick Wins and High-Impact Solutions  55
        8.4.1 All Organizations  55
        8.4.2 Large Organizations  55

9 Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees.  56
    9.1 Protective Measures  56
    9.2 Challenges  59
    9.3 Case Studies  60
    9.4 Quick Wins and High-Impact Solutions  60
        9.4.1 All Organizations  60
        9.4.2 Large Organizations  61

10 Implement strict password and account management policies and practices.  62
    10.1 Protective Measures  62
    10.2 Challenges  64
    10.3 Case Studies  64
    10.4 Quick Wins and High-Impact Solutions  65
        10.4.1 All Organizations  65
        10.4.2 Large Organizations  65

11 Institute stringent access controls and monitoring policies on privileged users.  66
    11.1 Protective Measures  66
    11.2 Challenges  68
    11.3 Case Studies  68
    11.4 Quick Wins and High-Impact Solutions  69
        11.4.1 All Organizations  69
        11.4.2 Large Organizations  69

12 Deploy solutions for monitoring employee actions and correlating information from multiple data sources.  70
    12.1 Protective Measures  70
    12.2 Challenges  74
    12.3 Case Studies  75
    12.4 Quick Wins and High-Impact Solutions  75


        12.4.1 All Organizations  75
        12.4.2 Large Organizations  76

13 Monitor and control remote access from all end points, including mobile devices.  77
    13.1 Protective Measures  77
    13.2 Challenges  80
    13.3 Case Studies  80
    13.4 Quick Wins and High-Impact Solutions  81
        13.4.1 All Organizations  81
        13.4.2 Large Organizations  81

14 Establish a baseline of normal behavior for both networks and employees.  83
    14.1 Protective Measures  83
    14.2 Challenges  84
    14.3 Case Studies  85
    14.4 Quick Wins and High-Impact Solutions  85
        14.4.1 All Organizations  85
        14.4.2 Large Organizations  86

15 Enforce separation of duties and least privilege.  87
    15.1 Protective Measures  87
    15.2 Challenges  88
    15.3 Case Studies  88
    15.4 Quick Wins and High-Impact Solutions  89
        15.4.1 All Organizations  89
        15.4.2 Large Organizations  89

16 Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.  90
    16.1 Protective Measures  90
    16.2 Challenges  92
    16.3 Case Studies  93
    16.4 Quick Wins and High-Impact Solutions  93
        16.4.1 All Organizations  93

17 Institutionalize system change controls.  95
    17.1 Protective Measures  95
    17.2 Challenges  96
    17.3 Case Studies  97
    17.4 Quick Wins and High-Impact Solutions  97
        17.4.1 All Organizations  97
        17.4.2 Large Organizations  97

18 Implement secure backup and recovery processes.  99
    18.1 Protective Measures  99
    18.2 Challenges  101
    18.3 Case Studies  101
    18.4 Quick Wins and High-Impact Solutions  102
        18.4.1 All Organizations  102
        18.4.2 Large Organizations  102

19 Close the doors to unauthorized data exfiltration.  103
    19.1 Protective Measures  103
    19.2 Challenges  106
    19.3 Case Studies  106
    19.4 Quick Wins and High-Impact Solutions  107
