
    A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes

    Insider threats are perhaps the most serious challenges that nuclear security systems face. All of the cases of theft of nuclear materials where the circumstances of the theft are known were perpetrated either by insiders or with the help of insiders; given that the other cases involve bulk material stolen covertly without anyone being aware the material was missing, there is every reason to believe that they were perpetrated by insiders as well. Similarly, disgruntled workers from inside nuclear facilities have perpetrated many of the known incidents of nuclear sabotage. The most recent example of which we are aware is the apparent insider sabotage of a diesel generator at the San Onofre nuclear plant in the United States in 2012; the most spectacular was an incident three decades ago in which an insider placed explosives directly on the steel pressure vessel head of a nuclear reactor and then detonated them. While many such incidents, including the two just mentioned, appear to have been intended to send a message to management, not to spread radioactivity, they highlight the immense dangers that could arise from insiders with more malevolent intent. As it turns out, insiders perpetrate a large fraction of thefts from heavily guarded non-nuclear facilities as well. Yet organizations often find it difficult to understand and protect against insider threats. Why is this the case? Part of the answer is that there are deep organizational and cognitive biases that lead managers to downplay the threats insiders pose to their nuclear facilities and operations. But another part of the answer is that those managing nuclear security often have limited information about incidents that have happened in other countries or in other industries, and the lessons that might be learned from them. The IAEA and the World Institute for Nuclear Security (WINS) produce "best practices" guides as a way of disseminating ideas and procedures that have been identified as leading to improved security. Both have produced guides on protecting against insider threats. But sometimes mistakes are even more instructive than successes. Here, we are presenting a kind of "worst practices" guide of serious mistakes made in the past regarding insider threats. While each situation is unique, and serious insider problems are relatively rare, the incidents we describe reflect issues that exist in many contexts and that every nuclear security manager should consider. Common organizational practices -- such as prioritizing production over security, failure to share information across subunits, inadequate rules or inappropriate waiving of rules, exaggerated faith in group loyalty, and excessive focus on external threats -- can be seen in many past failures to protect against insider threats.

    INSIDERS AND INSIDER INFORMATION: ESSENCE, THREATS, ACTIVITY AND LEGAL LIABILITY

    The constant development of information technologies and the growing role of human potential at the present stage create new internal threats to the information security of enterprises. The article investigates and analyzes the problems of information security associated with internal violators of companies and their insider activity. Economic reports and analytical materials made it possible to determine the relevance and importance of this work. Based on the scientific literature, a review of various approaches to the definition of "insider" and "insider information" was carried out. The main key indicators of an insider and the signs of insider information are described. A classification of data sources for the study of insider threats is presented, among which are real system log data and data from social networks; analytical information with synthetic anomalies; simulated data generated by stochastic models; and the game-theoretic approach. Insider threat detection algorithms are described depending on the intentions, behavior and capabilities of insiders and on how resources are used, as well as models involving several algorithms. The normative issues of protecting insider information from unauthorized disclosure, and of legal liability for the illegal use of insider information under Ukrainian legislation, are covered.

    Forensic Evidence Identification and Modeling for Attacks against a Simulated Online Business Information System

    Forensic readiness of business information systems can support future forensic investigation or auditing of external/internal attacks, internal sabotage and espionage, and business fraud. To establish forensic readiness, it is essential for an organization to identify which fingerprints are relevant and where they can be located, to determine whether they are logged in a forensically sound way, and to determine whether all the needed fingerprints are available to reconstruct the events successfully. Also, a fingerprint identification and locating mechanism should be provided to guide potential forensic investigation in the future. Furthermore, mechanisms should be established to automate the security incident tracking and reconstruction processes. In this research, external and internal attacks are first modeled as augmented attack trees based on the vulnerabilities of business information systems. Then, the modeled attacks are conducted against a honeynet that simulates an online business information system, and a forensic investigation follows each attack. Finally, an evidence tree, which is expected to provide the necessary contextual information to automate the attack tracking and reconstruction process in the future, is built for each attack based on the fingerprints identified and located within the system.

    Comprehensiveness of Response to Internal Cyber-Threat and Selection of Methods to Identify the Insider

    A range of international regulatory documents state the importance of counteracting insiders, especially cyber-insiders, in critical facilities, and of simultaneously providing complex protection that includes technical, administrative and information protection. Otherwise an insider who is familiar with the protection or information system will be able to find vulnerabilities and weak points in the protection of the information system or control system. One of the most important preventive measures against insiders is personnel checks using different techniques, including interviews, social network analysis, and local area network analysis. When financial resources are limited, it is necessary to choose a technique from a checklist rationally.

    Modeling Human Behavior to Anticipate Insider Attacks


    Identifying at-risk employees: A behavioral model for predicting potential insider threats


    A critical reflection on the threat from human insiders--its nature, industry perceptions, and detection approaches

    Organisations today operate in a world fraught with threats, including "script kiddies", hackers, hacktivists and advanced persistent threats. Although these threats can be harmful to an enterprise, a potentially more devastating and anecdotally more likely threat is that of the malicious insider. These trusted individuals have access to valuable company systems and data, and are well placed to undermine security measures and to attack their employers. In this paper, we engage in a critical reflection on the insider threat in order to better understand the nature of attacks, associated human factors, perceptions of threats, and detection approaches. We differentiate our work from other contributions by moving away from a purely academic perspective, and instead focus on distilling industrial reports (i.e., those that capture practitioners' experiences and feedback) and case studies in order to truly appreciate how insider attacks occur in practice and how viable preventative solutions may be developed.

    Mitigating Insider Sabotage and Espionage: A Review of the United States Air Force's Current Posture

    The security threat from malicious insiders affects all organizations. Mitigating this problem is quite difficult because (1) there is no definitive profile for malicious insiders, (2) organizations have placed trust in these individuals, and (3) insiders have a vast knowledge of their organization's personnel, security policies, and information systems. The purpose of this research is to analyze to what extent the United States Air Force (USAF) security policies address the insider threat problem. The policies are reviewed in terms of how well they align with best practices published by the Carnegie Mellon University Computer Emergency Readiness Team and with additional factors this research deems important, including motivations, organizational priorities, and social networks. Based on the findings of the policy review, this research offers actionable recommendations that the USAF could implement in order to better prevent, detect, and respond to malicious insider attacks. The most important course of action is to better utilize its workforce. All personnel should be trained on observable behaviors that can be precursors to malicious activity. Additionally, supervisors need to be empowered as the first line of defense, monitoring for stress, unmet expectations, and disgruntlement. In addition, this research proposes three new best practices regarding (1) screening for prior concerning behaviors, predispositions, and technical incidents, (2) issuing sanctions for inappropriate technical acts, and (3) requiring supervisors to take a proactive role.

    How Explanation Adequacy of Security Policy Changes Decreases Organizational Computer Abuse

    We use Fairness Theory to help explain why security policy changes sometimes backfire and increase security violations. Explanation adequacy, a key component of Fairness Theory, is expected to increase employees' trust in their organization. This trust should decrease internal computer abuse incidents following the implementation of security changes. The results of our analysis provide support for Fairness Theory as applied to our context of computer abuse. First, the simple act of giving employees advance notification of future information security changes positively influences employees' perceptions of organizational communication efforts. The adequacy of these explanations is also buoyed by SETA programs. Second, explanation adequacy and SETA programs work in unison to foster organizational trust. Finally, organizational trust significantly decreases internal computer abuse incidents. Our findings show how organizational communication can influence the overall effectiveness of information security changes among employees and how organizations can avoid becoming victims of their own efforts.