Organizations must know where their sensitive data lives before mitigation strategies can be used to protect it. Data may reside on servers, workstations, laptops, and mobile devices. Each of these devices is a potential exit point for sensitive data and must be included in the organization’s overall risk assessment. Once an organization understands where its data lives, who has authorized access to it, and the possible exit points, mitigation strategies can then be implemented to mitigate the risk of the unauthorized data exfiltration.

In this report, we explore how Microsoft Windows operating system controls can be used to control and audit the use of USB removable media. We also look at an open-source tool for identifying where sensitive data lives. Finally, we discuss the importance of a security information and event management system for analyzing and correlating events to help paint a bigger picture of what is happening in the organization’s information systems.

We are interested in hearing your feedback on this control. If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Most recently, I have transferred that vocabulary to a machine-processable ontology language, specifically, the W3C's OWL, or Web Ontology Language. That transfer made it possible to combine the vocabulary with a competency model that maps semantic clusters from the vocabulary onto specific job competencies. So-called Ontology-Based Competency Models have been quite popular recently, because combining rigorous models of domain knowledge with rigorous models of competencies provides a solid basis for building training programs, performance assessments, and hiring plans. Two examples are An Ontological Approach to Competency Management and Ontology-Based Competency Management.

Although still in its infancy, we think our combination of the malware analysis vocabulary and the competency model holds a lot of promise, and hope to present it at this year's SecOnt workshop. The following screen shot shows the top level of the ontology being edited in Stanford's Protégé tool.

If you have questions or want more information about our work on a malware ontology, send email to insider-threat-feedback@cert.org.

Here is a summary of CERT Insider Threat events at RSA:

Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector
Monday, Feb 25, 2013
Presented by Randy Trzeciak of the CERT Insider Threat Center and Ed Cabera of the USSS
This work, sponsored by DHS Science & Technology, will be part of the RSA Conference eFraud Global Forum. Because of the expected high interest in the topic, the presentation will be held twice during the forum: 11:30 AM and 3:15 PM.

HT-R32: Intriguing Insider Threat Cases - Make Sure This Doesn’t Happen to You!
Thursday, Feb 28, 2013 @ 9:20 AM in Room 135
Presented by Dawn Cappelli, Technical Manager of the CERT Insider Threat Center
Abstract: Chances are your employees, contractors or business partners could misuse your systems with criminal intent. We collected over 800 insider threat cases for the past 12 years. This session details the most intriguing cases—some present unique mitigation challenges; others had serious results and can provide lessons learned. There will also be recommendations for mitigating these threats.

STU-R37A: Studio: Intriguing Insider Threat Cases - Make Sure This Doesn’t Happen to You!
Thursday, Feb 28, 2013 @ 3:40 PM in Room 300
Presented by Dawn Cappelli, Technical Manager of the CERT Insider Threat Center
Abstract: Chances are your employees, contractors, or business partners could misuse your systems with criminal intent. We collected over 800 insider threat cases for the past 12 years. This session details the most intriguing cases—some present unique mitigation challenges; others had serious results and can provide lessons learned. There will also be recommendations for mitigating these threats.

Other CERT presentations include the following:

SEM-004: Advancing Information Risk Practices Seminar (Half Day - Delegates only)
Monday, Feb 25, 2013 @ 1:00 PM in Room 302

GRC-F42: Cybersecurity SLAs: Managing Requirements at Arm’s Length
Friday, Mar 1, 2013 @ 10:20 AM in Room 133

Don’t forget to email us at insider-threat-feedback@cert.org this week arrange to meet with us.

Practice 19: Close the doors to unauthorized data exfiltration.

This practice deals with raising awareness of the myriad methods of exfiltrating sensitive organizational data and recommending solutions to combat those methods. The following items represent three high-level categories of data-egress points (an expanded list can be found in the Common Sense Guide to Mitigating Insider Threats):

• Removable media (e.g., USB flash drives, DVD-RW, smartphones)
• Network (e.g., cloud storage, webmail, social media, SSH)
• Physical (e.g., printers, copiers, fax machines)

Removable media is a significant risk due to the prevalence of data transfer volumes, including audio/visual peripherals. Solutions range from physical or software-based disabling of these devices, to monitoring, to organizational required approval of data transfer. Choosing the method used to secure devices is a delicate balance between security and productivity.

The most direct disabling of USB devices, for example, would be to use active directory group policies to completely disable copying to flash drives. Commercial tools can apply finer grained controls, such as allowing file copies but snapshotting a copy of the files for further review. Another method of controlling file copies is to require that a trusted employee perform the actual copy operation after it has been approved.

Network exfiltration can be prevented by storing sensitive information, such as source code, in an air-gapped or heavily restricted and firewalled enclave network that users can only access while physically at the organization or via thoroughly hardened workstations. Connections to trusted business partners should be monitored via full-packet capture or network-flow data, and be scrutinized as much as or even more than the organization’s internet service provider (ISP) uplink.

Secure sockets layer (SSL) encrypted traffic poses some of the highest risk because most organizations are unable to collect detailed information about the transmission. Consider proxy solutions that decrypt, inspect, and re-encrypt SSL sessions to allow full evaluation of the traffic for sensitive data or other disguised, malicious action. Cloud-based services have become commonplace and should be restricted or monitored via the aforementioned proxy recommendation. File transfer protocols should also be restricted or monitored.

Finally, the most basic physical exfiltration methods are still commonplace. Organizations should heavily monitor printers, scanners, copiers, and fax machines to ensure that employees are not taking advantage of the ease with which these devices can exfiltrate data. Consider solutions that maintain redundant copies of all jobs submitted and periodically review these copies.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 18: Be especially vigilant regarding social media.

Insiders using social media sites or applications can intentionally or unintentionally pose a threat to an organization’s information systems and data. It is essential that organizations develop policies that clearly state what is considered acceptable use of social media and that clearly describe the responsibilities the employee has to protect the organization’s critical assets.

These policies must not only be created, but must also be clearly communicated and consistently enforced across the organization to ensure compliance. Finally, training should be provided to educate employees, business partners, and contractors on the risks inherent in the use of social media. They should also be trained on how to protect themselves and the organization while at work and at home.

Social media allows people to easily share information about themselves and their organizations. Information about everything from birthdays and family members to business affiliations and hobbies can all be obtained from a user’s social media profile. This information makes employees who use social media vulnerable to possible social engineering. Malicious individuals can use this information to develop spear phishing email attacks against an organization by crafting narrowly targeted, malicious emails that seem authentic.

In addition, there are cases in which employees have intentionally posted information about the company or their customers. While employers must remain vigilant of such activity, they must also be aware of current and upcoming laws and regulations addressing social media. Some states have laws prohibiting employers from requiring candidates or employees to divulge social media user IDs and passwords.

For organizations under the jurisdiction of the National Labor Relations Board, reports have been issued, providing examples of both good and unenforceable organizational social media policies.

Finally, organizations should ensure that they make ownership of organizational social media accounts clear, as there has been litigation of this issue.

Challenges to addressing the use of social media in organizations include the following:

1. Organizations may find it difficult to control and monitor what employees post on social media sites.
2. Organizations should have a data classification policy that establishes the protections that must be afforded to data of different sensitivity levels.
3. Organizations must involve legal counsel while developing and enforcing the social media usage policy.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 19, Close the doors to unauthorized data exfiltration, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 17: Establish a baseline of normal network device behavior.

Anomalous network activity can be a key indicator of security incidents, including insider threats. To detect anomalous activity requires that you first create a baseline of normal network activity. Establishing a trusted baseline involves identifying the following:

• network data points of interest
• length of the baseline data collection period
• methods and tools used to collect and store data

Suggested network data points of interest include the following:

• a list of predetermined devices a given workstation or server should communicate with
• VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information
• the known set of ports and protocols in use by the network
• firewall and intrusion detection system logs

The longer the period of data collection is, the higher the quality of the baseline  because longer baseline data collection periods provide data that accounts for a wider range of the organization’s normal behaviors and trends for an organization’s network and users. By monitoring network and user activity and comparing current activity against the established baseline, you can identify anomalous behavior and take appropriate steps to further investigate it.

The investigation of anomalous activity can lead to the detection of malicious insider activity. For example, the CERT Insider Threat Center’s collection of insider threat cases includes instances in which insiders stole an organization’s intellectual property by accessing and downloading large volumes of information that were well beyond normal use by an average user. With an established baseline of normal network and user activity and vigilant monitoring of current activity, you can more effectively detect and respond to similar situations.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 18, Be especially vigilant regarding social media, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 16: Develop a formalized insider threat program.

One of the key elements to mitigating the insider threat is to have an insider threat program. It should have an enterprise-wide scope with an established vision and defined roles and responsibilities for preventing, detecting, and responding to insider incidents. An insider threat program develops clear criteria for identifying insider threats, a consistent procedure for implementing technical and nontechnical controls to prevent and/or detect malicious insider behavior, and a response plan in the event an insider does harm to the organization.

As shown in the figure below, which represents the information flow within a generic insider threat program, relevant information is gathered from many parts of the organization, but received and analyzed only by the insider threat program’s core team and manager. Organizations in the U.S. generally use functional groups and position names shown in the figure. The insider threat program’s core team usually consists of a representative from each of the following departments:

• Information Technology
• Information Assurance
• Human Resources
• Physical Security
• Legal Counsel

A C-level manager (or equivalent) should act as the program manager or chairperson of the insider threat program so that its members have the authority to perform the program’s duties. While the five department representatives are key members of the program, they must work with other team members from across the organization to receive information they need to be effective.

A formal insider threat program includes members of different teams from across the enterprise on an as-needed basis. People from across the organization can fill many of the program’s roles; however, it is important to identify these individuals and roles before an insider incident occurs. The insider threat core team’s response plan must include a method that can be used to communicate privately in case standard communication channels are compromised.

Legal counsel participation is required for information-gathering processes to ensure that all evidence is gathered and maintained according to legal standards. Legal counsel should also ensure that information is shared properly among insider threat project members, working within the confines of the law while maintaining privacy and confidentiality. Maintaining confidentiality is important to protecting the integrity of inquiries and the reputation of innocent inquiry subjects.

These are just a few things to consider when developing an insider threat program. For a more detailed discussion, we encourage you to review best practice 16 in the Common Sense Guide to Mitigating Insider Threats.

Check back in a few days to read about best practice 17, Establish a baseline of normal network device behavior, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 15: Implement secure backup and recovery processes.

Insiders pose a substantial threat to an organization’s critical assets by virtue of their knowledge and access to facilities, information, and technology. Trusted insiders can bypass existing physical and electronic security measures through legitimate measures and in many instances know what controls are in place to prevent or detect suspicious activity. Despite all of the protections applied throughout the organization, it is possible that a determined insider may still cause harm. It is essential that organizations recognize the threat posed by insiders and take the necessary steps to ensure organizational resilience by implementing and regularly testing backup and recovery processes.

The backup, logging, and recovery processes should all be secure, both in terms of what is being backed up as well as where and how the backups and logs are stored. Consider implementing dual control in backup generation, logging, and recovery processes. In a number of cases in the CERT Insider Threat Database, a disgruntled IT employee was able to disrupt the backup process, steal the backup media, modify various systems logs to frame another employee for malicious activity or wipeout all evidence of the incident, hindering the organization’s ability to recover or investigate the incident.

Backup and recovery strategies should include

• controlled access to the backup storage facility
• controlled access to the physical media
• separation of duties and the two-person rule when changes are made to the backup process
• separate backup and recovery administrators

Ask yourself the following questions when assessing your backup and recovery processes:

• Are you confident you can recover from a disruption of service to the levels specified in your service level agreements, including disruptions perpetrated by trusted insiders?
• When was the last time you tested your complete recovery process for all systems and services throughout your organization?
• Does your disaster recovery process include recovery from an incident committed by an insider working for a trusted business partner responsible for implementing your backup and recovery strategy?

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 16, Develop a formalized insider threat program, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 14: Develop a comprehensive employee termination procedure.

Organizations need to have procedures in place to reduce possible insider threat risk when an employee departs from the organization. These procedures are protective measures that must encompass all aspects of the termination process. A good way to guarantee that these measures protect the organization is to make sure that there is a termination checklist. Employee accounts are closed; access is terminated; equipment is collected; and remaining employees are notified.

To revoke all organizational access to departing employees, cooperation from many departments may be required. Managers must ensure an exit interview is completed, provide final performance feedback, and determine payment disbursement for the final weeks of employment. The Finance department must ensure employees return company credit cards and close accounts. IT must terminate all accounts and points of access to the former employee’s computer, such as email, VPN, and cloud services. All equipment belonging to the organization must also be collected and verified against inventory records. Cooperation from HR and Security departments provides the necessary paperwork for termination, reviews agreements about intellectual property and nondisclosure of information, conducts a security debriefing, and collects all issued access badges and keys from the former employee.

The CERT Insider Threat Database includes several cases that involved damage caused by former employees that were terminated but retained their company’s physical property, including but not limited to badges, laptops, access cards, and mobile devices. This property allowed the former employee continued access to information and thus the ability to wreak havoc on company servers. A physical inventory system that tracks all equipment issued to employees is an indispensable mechanism that can be used to track the distribution of and assist in the recovery of company-owned property.

Organizations should also conduct a review of the departing employee’s online actions during the final 30 days of employment. The review should include (1) reviewing email activity to ensure confidential information wasn’t passed outside the organization and (2) reviewing system logs to determine if any of the organization’s information was downloaded to removable media. If a former employee used cloud-based storage, the organization should also ensure that sensitive company information is not stored on an external server.

If remaining employees are unaware of recent terminations, they may unintentionally disclose information to former coworkers. Thus, the organization should notify all remaining employees that the terminated employee is no longer with the company. No further information needs to be disclosed. 

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 15, Implement secure backup and recovery processes, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 13: Monitor and control remote access from all end points, including mobile devices.

As information plays an essential role in our daily business, there is an increasing need for employees to be connected to their company network from anywhere to accomplish business tasks from home or in the field. When companies cannot move quickly enough to set up remote access to their company network, they frequently do not adequately address the security of this access.

An inherent vulnerability unique to employees accessing a company network remotely is the absence of the environmental constraints that may be a deterrent against IT crimes. Without being physically present at the workplace, a disgruntled employee may be more emboldened to sabotage the company network infrastructure or exfiltrate critical data in an environment because there are no coworkers available to observe any suspicious activity.

From a remote location, an insider may be able to exfiltrate data without fear of detection and without fear of having to physically escape from the crime scene. By using a public network IP address, a device that is not owned by the insider, and only remote access credentials, it may be difficult to prove whether the crime was committed by the owner of the credential without an in-depth forensic investigation. These confounding variables may give the malicious insider the illusion that his or her identity is hidden.

A type of remote access that has recently emerged is having employees bring their own devices to work, a practice that increases the vulnerability of the organization. As a result, multiple types of devices now provide avenues to remote access through unprotected network connections. For example, smart phones connected to cellular networks can access a company network by bypassing a company’s IT security control procedures, such as intrusion detection systems, intrusion prevention systems, network logs, and firewalls. Not only is there a risk of connecting through an untrusted cellular network, there is the risk that the access can allow the insider to exfiltrate data from anywhere.

Since business operations will require employees to have remote access to the company network, it is important for companies to recognize the different vulnerabilities that accompany that access. Companies should investigate the technical controls that can be implemented to reduce the risk of an incident and to provide valuable evidence for forensic analysis when a crime is committed.

The following is a list of best practices an organization should consider:

• Implement end-point logging.
• Audit remote transactions regularly.
• Allow remote access only via company-managed devices.
• Record all remote login information, including for successful and failed login attempts.
• Require authorization for remote access of critical data.
• Immediately disable remote access credentials of terminating employees.
• Allow remote access permission via non-organization owned devices with caution.

From a security viewpoint, organizations should use the following procedures as part of the termination of an employee with remote access:

• Close all open connections.
• Require the return of all company-owned devices.
• Disable all network access credentials, including remote and local access to the firewall.
• Change the passwords for all shared accounts, such as system or database administrator accounts.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 14, Develop a comprehensive employee termination procedure, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 12: Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.

Security and logging capabilities have reached the point where data overload is as challenging a problem as data collection. So simply logging all online events is not sufficient to protect an organization’s infrastructure from malicious activity. Organizations have reacted by placing new emphasis on the ability to spot important connections across seemingly different but related events.

Our analysis of insider crimes in the CERT Insider Threat Database revealed that correlation of events from the following infrastructure areas would, in many cases, provide useful information to use against insiders:

• firewall logs
• authentication attempts (successful and unsuccessful)
• intrusion detection system (IDS) and intrusion prevention system (IPS) logs
• web proxy logs
• antivirus alerts
• change management logs
• physical security events (such as badging in/out logs)

Organizations should implement policies and procedures for auditing, logging, and monitoring these infrastructure areas and combine them with knowledge of the organization’s assets (see Practice 6, Know your assets) to create an effective collection and analysis capability.

Before an organization begins monitoring, it should first inform employees that their use of organizational assets, including information systems, is restricted by policy and is subject to monitoring. It should also consult with legal counsel to ensure that its procedures meet legal requirements and disclosures and do not violate employee rights.

In the fourth edition of the Common Sense Guide to Mitigating Insider Threats, we include

• protective measures that organizations can take to implement a correlation capability
• expected challenges
• quick wins and high impact solutions
• a mapping to common standards that also mentions the use of event correlation to improve security

We also describe two specific incidents where insiders made changes to the IT infrastructure that would have been observable had the victims implemented monitoring that included log correlation or security information and event management tools.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 13, Monitor and control remote access from all end points, including mobile devices; or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

This best practice is one that could have prevented a substantial number of insider attacks that we’ve researched. While these controls are most often thought to prevent cases of IT sabotage, there are many cases of insider fraud that could have been detected and prevented if change control systems were in place. For example, let’s look at a case from our recent Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector:

The insider was employed as a lead software developer at a prominent credit card company. This credit card company had a rewards points program where customers could earn points based on the volume and frequency of their credit card usage. These points could later be "cashed in" for gift cards, services, and other items of monetary value. Due to the high transaction volume of corporate accounts, a typical corporate account would hypothetically accumulate an immense number of rewards points. Therefore, the rewards points program was set up in such a way that the back-end software would not allow corporate accounts to earn points. At an unknown date, the insider devised a scheme by which he could earn fraudulent rewards points by bypassing the back-end checks in the software and linking his personal accounts to corporate business credit card accounts of third-party companies. After compromising a coworker's domain account by guessing the password, he was able to temporarily change the database security configuration to enable him to successfully link his personal accounts to several corporate accounts. The insider would cash in the rewards points for items of value, such as gift cards to popular chain stores, and then sell them in online auctions for cash. In all, the insider was able to accumulate approximately 46 million rewards points, $300,000 of which he was able to turn into cash before being caught by internal fraud investigators. The insider admitted to the scheme and bargained with investigators to reduce his sentence if he agreed to give them information on how he changed the security configuration and how to prevent a similar occurrence from happening in the future.

As you can see, a change control system could have easily and effectively detected the insider temporarily changing the security controls in the database. Had the organization audited the changes to critical configurations, the insider could have been caught well before 46 million rewards points had accumulated in his personal account.

So what type of system would be considered a “change control system”? Homebrew solutions are in place in many organizations, but the most prominent classification that comes to mind is Host-Based Intrusion Detection Systems (HIDS). Whereas the more commonly known Network Intrusion Detection System (NIDS) analyzes networks for suspicious traffic, a HIDS analyzes suspicious activity on any host with an ‘agent’, whether the host is a workstation, server, network appliance, or something else.

A simple and common feature of HIDS is the ability to constantly monitor a file’s integrity, usually done through cryptographic hash algorithms. If a file’s cryptographic hash changes, it must be because its data changed. There are many configuration files on systems that should rarely (if ever) change, so having a HIDS agent monitor these files for modification is an effective way to ensure the integrity (and therefore security) of a system.

If there are systems or applications with configurations that change regularly, such as antivirus signature databases, implementing a change control system for monitoring these data will create too much “noise” to effectively filter out suspicious change events. However, for critical systems with concrete configurations, change control systems are ideal.

For example, have your change control system monitor for critical network appliance changes, such as firewall and router configurations. These configurations likely don’t change all that often, and if they do, the impact can be high. Therefore, have a HIDS or other change control system generate an alert each time a modification is made to a critical configuration. These alerts are an effective way to detect abnormal or irregular changes that have a direct impact on your organization’s security posture.

Insider threats can severely damage an organization’s reputation, competitive advantage, and bottom line, so be sure to take proactive measures to mitigate these costly events from occurring. Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats  for a comprehensive understanding of the issues and recommendations mentioned and see how change control systems can effectively assist you in your battle against insider threats.

Check back in a few days to read about best practice 12, Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions; or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 10: Institute stringent access controls and monitoring policies on privileged users.

This best practice focuses on system administrators and technical or privileged users. These individuals often have the technical ability, access, and oversight-related capabilities necessary to commit and conceal malicious activity. System administrators and privileged users have greater access to systems, networks, or applications than other users, thus posing an increased risk.

According to our research, a majority of insiders who commit sabotage and more than half of those who steal confidential or proprietary information hold technical positions at the victim organizations. Examples of technically sophisticated methods of carrying out and concealing malicious activity have included:

• creating backdoor accounts
• installing remote system administration tools
• modifying system logs

Separating duties and requiring actions by multiple users address the need for stringent access controls and monitoring policies on privileged users. An organization must employ at least two system administrators to enforce separation of duties, which may be difficult for small organizations. A privileged user can be prevented from maliciously altering the system if he or she is not permitted or technically able to release changes to the production environment without action by at least one other user.

Organizations should consider having privileged users sign a privileged user agreement or rules of behavior that outlines what is required of them. In addition, organizations must be especially careful to disable system access to former system administrators and technical or privileged users. Many of the malicious insiders documented in the CERT insider threat database were former employees of the victim organizations.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threat for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 11, Institutionalize system change controls, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

Practice 9: Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.

It is important that organizations and their cloud providers have explicit agreements in place that address security services related to cloud environments. These agreements help to ensure that the organization can extend current security policies in its own infrastructure to the cloud infrastructure, which may be under the control of trusted third parties. In addition to understanding what the cloud provider will be doing, organizations must understand potential vulnerabilities associated with using a cloud environment.

The GAO identifies four types of cloud providers that are currently available to organizations:

1. Private cloud—operated solely for one organization
    
2. Community cloud—shared by several organizations
    
3. Public cloud—available to any customer
    
4. Hybrid cloud—two or more clouds (private, community, or public) that are connected

In the community and public cloud models, organizations must trust outside employees with access to their infrastructure. The same protections that the organization uses to secure its data and infrastructure should extend to the service provider. Regular audits and monitoring are recommended to ensure that agreements are being honored, to ensure that attacks are detected, and to help the organization fully understand the cloud infrastructure being used.

In a cloud environment, new access paths to an organization’s critical assets are created that can be exploited by attackers. In particular, malicious insiders employed by the cloud provider can have significant access to the systems and the information stored within. To effectively assess threats, a thorough understanding of what type of control is afforded to administrators who have access to the underlying hardware, hypervisors, administrative interfaces, and management tools that are used to run the cloud itself is required. This level of understanding highlights the importance of also understanding the vetting process for employees of the service provider. In addition to threats from privileged users, vulnerabilities associated with the cloud infrastructure itself should be considered.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 10, Institute stringent access controls and monitoring policies on privileged users, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.

This practice is relevant to HR, Legal, Physical Security, and IT departments as well as data owners and software engineers in an organization. The goal of this practice is to limit the damage that malicious insiders can inflict by implementing separation of duties and least privilege in business processes, including Information Technology, by making technical modifications to critical systems and information.

Separation of duties requires dividing functions among multiple people to limit the possibility that one employee could harm an organization without the cooperation of others. In general, employees are less likely to engage in malicious acts if they must collaborate with other employees. Ideally, organizations should include separation of duties in the design of their business processes and enforce these processes through technical and nontechnical means.

Effective separation of duties also requires implementation of least privilege, which means authorizing people to use only the resources needed to do their job. Organizations must manage least privilege as an ongoing process, particularly when employees move through the organization as a result of promotions, transfers, relocations, and demotions.

These privileges can be controlled using physical, administrative, and technical means. Access control based on separation of duties and least privilege is crucial to mitigating the threat of an insider attack. These principles apply in both the physical and virtual worlds where organizations need to prevent employees from gaining physical or online access to resources not required by their work roles.

There are challenges to implementing separation of duties and least privileges.  Small organizations find it more difficult to implement separation of duties and least privilege security models because they may not be staffed to accommodate these practices. Implementing these practices at a granular level may also interfere with business processes. Most organizations find it challenging to strike a balance between implementing these recommendations and accomplishing the organization’s mission. Despite these hurdles, some quick wins and high-impact solutions are not only possible, but highly recommended.

Quick Wins and High-Impact Solutions

• Carefully audit user access permissions when an employee changes roles in the organization to avoid privilege creep. In addition, audit user access permissions at least annually, to remove permissions that are no longer needed.
• Establish account management policies and procedures and regularly audit account activity to ensure it reconciles with the documentation.
• Require privileged users to have both an administrative account with the minimum necessary privileges to perform their duties and a standard account that is used for every day, non-privileged activity.

Large organizations can also review positions in the organization that include responsibility for handling sensitive information or performing critical functions. Ensure that employees in these positions cannot perform these critical functions without oversight and approval. For example, backup and restore tasks are often overlooked. One person should not be permitted to perform both backup and restore functions. The organization should separate these roles and regularly test backup and recovery processes (including the media and equipment). In addition, someone other than the backup and restore employees should transport backup tapes off site.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 9, Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.