Insider Threat Publications

Common Sense Guide to Mitigating Insider Threats, Fifth Edition
In this report, the authors present recommendations for mitigating insider threat based on CERT's continued research and analysis of over 1,000 cases.

Special Issue on Insider Threat Modeling and Simulation
This special issue of an online Springer publication demonstrates the potential for modeling and simulation to help understand the insider threat problem and help test the mitigation controls.

An Insider Threat Indicator Ontology
This report presents an ontology for insider threat indicators, describes how the ontology was developed, and outlines the process by which it was validated.

Analytic Approaches to Detect Insider Threats
This paper identifies steps that organizations can use to enhance their security posture to detect potential insider threats.

An Ontology for Insider Threat Indicators
In this conference paper, selected for the Michael Dean Best Paper Award at the STIDS (Semantic Technology for Intelligence, Defense, and Security) Conference, the authors describe their ongoing development of an insider threat indicator ontology.

Unintentional Insider Threat and Social Engineering
In this blog post, David Mundie highlights recent research that aims to add to the body of knowledge about the factors that lead to unintentional insider threat (UIT) and about how organizations in industry and government can protect themselves.

The CERT Guide to Insider Threats
This book is recommended by Rick Howard, CSO of Palo Alto Networks, as part of what he calls his Cybersecurity Canon, a list of must-read books that "genuinely represent an aspect of the community that is true and precise and that, if not read, will leave a hole in the cybersecurity professional's education that will make the practitioner incomplete." In this book, the authors present best practices for managing the security and survivability of people, information, technology, and facilities.

Make Sure this Doesn't Happen to You!
In this YouTube video, Dawn Cappelli describes a number of insider threat cases and identifies critical issues you need to consider regarding insider threats.

The CERT Top 10 List for Winning the Battle Against Insider Threats
In this presentation, Dawn Cappelli provides real-case examples to reinforce best practices in mitigating insider threat.

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures
In this report, the authors describe seven observations about insider IT sabotage based on their empirical data and study findings.

General

Insider Threats: Actual Attacks by Current and Former Software Engineers
In this presentation, Dawn Cappelli describes the CERT Insider Threat Crime Profiles and strategies for mitigating insider threat.

Spotlight On: Programming Techniques Used as an Insider Attack Tool
In this report, the authors focus on persons who use programming techniques to commit malicious acts against their organizations.

Insider Threat and the Software Development Lifecycle
In this podcast, Dawn Cappelli explains how insider threat vulnerabilities can be introduced during all phases of the software development lifecycle.

Controls and Indicators

Combating the Insider Cyber Threat
In this article, the authors explain why organizations must implement effective training to raise staff awareness of insider threats, and why they need a more effective approach to identifying potential risks and then taking proactive steps to mitigate them.

Indicators and Controls for Mitigating Insider Threat
In this podcast, Michael Hanley explains how technical controls can be effective in helping to prevent, detect, and respond to insider crimes.

The CERT Top 10 List for Winning the Battle Against Insider Threats
In this presentation, Dawn Cappelli provides real-case examples to reinforce best practices in mitigating insider threat.

Combat IT Sabotage: Technical Solutions From The CERT Insider Threat Lab
In this presentation, the authors discuss crime profiles and countermeasures related to insider IT sabotage.

The Key to Successful Monitoring for Detection of Insider Attacks
In this presentation, Software Engineering Institute researchers show how to detect insider threats successfully by monitoring and auditing network activity.

Mitigating Insider Threat—New and Improved Practices Fourth Edition
In this podcast, participants explain how 371 cases of insider attacks led to 4 new and 15 updated best practices for mitigating insider threats.

Protecting Against Insider Threat
In this podcast, Dawn Cappelli describes the real and substantial threat of attack from insiders.

Detecting and Preventing Data Exfiltration Through Encrypted Web Sessions via Traffic Inspection
In this report, the authors present methods for detecting and preventing data exfiltration using a Linux-based proxy server in a Microsoft Windows environment.

Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
In this report, the authors present an insider threat pattern describing how organizations can combat insider theft of intellectual property.

Case Analysis

Common Sense Guide to Mitigating Insider Threats, 4th Edition
In this report, the authors define insider threats and outline current insider threat patterns and trends.

Intriguing Insider Threat Cases – Make Sure this Doesn't Happen to You!
In this YouTube video, Dawn Cappelli describes a number of insider threat cases and identifies critical issues you need to consider regarding insider threats.

Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector
In this report, the authors describe insights and risk indicators of malicious insider activity in the banking and finance sector.

Insider Fraud in Financial Services
This brochure presents the findings of a study that analyzed computer criminal activity in the financial services sector.

Insider Threats to Cloud Computing: Directions for New Research Challenges
In this paper, the authors explain why insider threats related to cloud computing are a serious concern that has not yet been thoroughly explored.

An Analysis of Technical Observations in Insider Theft of Intellectual Property
In this report, the authors provide an overview of techniques used by malicious insiders to steal intellectual property.

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
In this 2005 report, the authors outline the Insider Threat Study (ITS), a study of insider incidents identified through public reporting or in fraud cases from the Secret Service.

Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors
In this report, the authors seek to close the gaps in the literature that make it difficult for organizations to fully understand the insider threat.

Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector
In this paper, the authors present the findings of research examining reported insider incidents in the information technology and telecommunications sectors.

Chronological Examination of Insider Threat Sabotage: Preliminary Observations
In this paper, the authors examine 15 cases of insider threat sabotage of IT systems to identify key points in the attack timeline.

Executive Summary of Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector
In this paper, the authors present the findings of research examining reported insider incidents in information technology and telecommunications sectors.

Insider Threat Study: Illicit Cyber Activity in the Government Sector
In this paper, the authors present the findings of a research effort to examine reported insider incidents in the government sector.

Executive Summary of Insider Threat Study: Illicit Cyber Activity in the Government Sector
In this paper, the authors present the findings of a research effort to examine reported insider incidents within the government sector.

Modeling and Simulation

Effective Insider Threat Programs: Understanding and Avoiding Potential Pitfalls
In this paper, the authors describe the potential ways an insider threat program (InTP) could go wrong and engage the community in a discussion of these concerns.

A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders
In this report, the authors present techniques for helping organizations plan, prepare, and implement means to mitigate insider theft of intellectual property.

Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis
In this report, the authors examine the psychological, technical, organizational, and contextual factors that contribute to espionage and insider sabotage.

Justification of a Pattern for Detecting Intellectual Property Theft by Departing Insiders
In this report, the authors justify applying the pattern "Increased Review for Intellectual Property (IP) Theft by Departing Insiders."

The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures
In this report, the authors describe seven observations about insider IT sabotage based on their empirical data and study findings.

Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage
In this paper, the authors describe the MERIT insider threat model and simulation results.

Preliminary System Dynamics Maps of the Insider Cyber-threat Problem
In this paper, Georgia Killcrece describes a Computer Security Incident Response Team (CSIRT) and its challenges and benefits.

A Preliminary Model of Insider Theft of Intellectual Property
In this report, the authors describe general observations about, and a preliminary system dynamics model of, insider crime based on their empirical data.

Simulating Insider Cyber-Threat Risks: A Model-Based Case and a Case-Based Model
In this paper, the authors identify actions that may inadvertently lead to increased vulnerability to threats from employees, contractors, and clients.

Combating the Insider Cyber Threat
In this IEEE paper, the authors mention the E-Crime Watch Survey and CERT Division work related to insider threats.

Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
In this paper, the authors describe general observations about, and a preliminary system dynamics model of, insider crime based on their empirical data.

Cybersecurity Watch Survey

2014 U.S. State of Cybercrime Survey
In this presentation, CSO Magazine, the USSS, the CERT Division of the SEI, and PwC provide results of the 2014 U.S. State of Cybercrime Survey.

2013 U.S. State of Cybercrime Survey: How Bad Is the Insider Threat?
This presentation shows the results of the 2013 Cybercrime Survey.

As Cybercrime Threats Continue to Escalate, 2013 State of Cybercrime Survey from PwC and CSO Finds Companies Aren't Doing Enough to Defend Themselves
This press release about the 2013 Cybercrime Survey reveals findings that there is more to be done to combat cybercrime.

2012 Cybersecurity Watch Survey: How Bad Is the Insider Threat?
This presentation describes the results of the 2012 Cybersecurity Watch Survey.

2011 Cybersecurity Watch Survey: Organizations Need More Skilled Cyber Professionals to Stay Secure
This press release about the 2011 Cybersecurity Watch Survey reveals that more attacks are committed by outsiders, but attacks by insiders are viewed as the most costly to organizations.

2011 Cybersecurity Watch Survey: How Bad Is the Insider Threat?
This presentation shows the results of the 2011 Cybersecurity Watch Survey, which was conducted to identify electronic crime fighting trends and techniques, including best practices and emerging trends.

2010 Cybersecurity Watch Survey: Cybercrime Increasing Faster than Some Company Defenses
This press release describes how the cybercrime threats posed to targeted organizations are increasing faster than many organizations can combat them, according to the 2010 Cybersecurity Watch Survey.

2005 E-Crime Watch Survey: Survey Results
This press release summarizes the findings of the 2005 E-Crime Watch Survey. The survey was conducted online and designed to skip questions that were not relevant or to ask follow-up questions based on previous responses.

2005 E-Crime Watch Survey: Summary of Findings
This report summarizes the findings of the 2005 E-Crime Watch Survey, which was conducted to unearth electronic crime fighting trends and techniques, including best practices and emerging trends. Respondents' answers are based on the 2004 calendar year.

2005 E-Crime Watch Survey Shows E-Crime Fighters Making Headway
This press release describes the results of the 2005 E-Crime Watch Survey, which was conducted among security executives and law enforcement personnel. The survey reveals that the fight against electronic crimes (e-crimes) may be paying off.

2004 E-Crime Watch Survey
This report details the results of the 2004 E-Crime Watch Survey, which was conducted to unearth e-crime fighting trends and techniques, including best practices and emerging trends.

  • 01/19/2017 2016 U.S. State of Cybercrime Highlights Each year, the CERT Division of the SEI collaborates with CSO Magazine to develop a State of Cybercrime report. These reports are based on surveys of approximately 400 organizations across the country, ranging in size from less than 100 employees...
  • 12/16/2016 Defending Against Phishing When IT and security professionals discuss phishing, the need for improved user education is often the main focus. While user education is vital and can lead to faster discovery of attacks through increased reporting of phishing attempts, it's important to...
  • 12/14/2016 Sentiment Analysis in the Context of Insider Threat In this blog post, I describe sentiment analysis and discuss its use in the area of insider threat. Sentiment analysis, often referred to as opinion mining, refers to the application of natural language processing (NLP), computational linguistics, and text analytics...
  • 09/14/2016 Insider Threat Deep Dive on IT Sabotage: Lessons for Organizations (Part 2 of 2) In my previous blog post, I began to update sabotage statistics provided in 2010. In this second post, I explore how organizations can begin to protect themselves from IT sabotage by learning to identify and appropriately respond to its precursors....
  • 09/07/2016 Insider Threat Deep Dive on IT Sabotage: Updated Statistics (Part 1 of 2) IT sabotage has been an area of increasing interest and concern across government, research, industry, and the public sector. IT sabotage is defined as incidents wherein malicious insiders intentionally use technical methods to disrupt or cease normal business operations of...
  • 08/18/2016 Malicious Insiders in the Workplace Series: Malicious Insiders' Salaries and the Financial Impact of Insider Incidents (Part 4 of 4) In parts one, two, and three of this series, the roles held by malicious insiders and their estimated salary were reviewed. In this final post, we see if there is a relationship between an insider's salary and the financial impact...
  • 08/11/2016 Malicious Insiders in the Workplace Series: What Do Malicious Insiders Get Paid? (Part 3 of 4) In parts one and two of this series, I analyzed the gender and organizational roles of malicious insiders. In this third part of the series, I analyze the CERT Insider Threat Incident Corpus for insights into the salaries of the...
  • 08/02/2016 Malicious Insiders in the Workplace Series: What Positions Do Malicious Insiders Hold? (Part 2 of 4) In the first part of this series, we analyzed the gender of malicious insiders as it relates to the categories of insider threat incidents. In this post, understanding the roles that insiders play within their victim organizations further contextualizes the...
  • 07/27/2016 Building an Insider Threat Program: Some Low-Cost Tools (Part 2 of 2) This is the second part of a two-part series about considering low-cost tools for starting your insider threat program. In the first part of this series, I discussed the five categories of tools available to insider threat programs to use,...
  • 07/26/2016 Building an Insider Threat Program: Five Important Categories of Tools (Part 1 of 2) This is the first part of a two-part series that explores open source, free, or low-cost solutions to help you get the technical portion of your insider threat program started. As defined by opensource.com, open source software is "software with...
  • 07/21/2016 Malicious Insiders in the Workplace Series: How Does an Insider's Gender Relate to the Type of Incident? (Part 1 of 4) Much attention has been paid to understanding the impacts of an insider threat incident. In examining recorded cases, trends begin to emerge over time just as with any other data set. However, despite these malicious insiders using technical means to...
  • 06/23/2016 Responding to New Federal Requirements for Contractors On May 18, 2016, the DOD published Change 2 to DoD 5220.22-M, "National Industrial Security Operating Manual (NISPOM)," which requires contractors to establish and maintain an insider threat program to detect, deter, and mitigate insider threats. The intent of this...
  • 06/22/2016 The Frequency and Impact of Insider Collusion Collusion among malicious insiders can produce a larger attack surface in terms of access to organizational assets. In theory, multiple actors could perform reconnaissance from within the "need-to-know" aspect of their job responsibilities to commit fraud or theft of intellectual...
  • 06/14/2016 Mitigating Insider Incidents with Threat Indicator Standardization Effective cross-department collaboration usually requires a common standard language for communication. Until recently, the insider threat community has suffered from a lack of standardization when expressing potential insider threat risk indicators. The CERT Division's research into insider threat detection, prevention,...
  • 07/15/2015 Handling Threats from Disgruntled Employees Disgruntled employees can be a significant risk to any organization because they can have administrative privileges and access to systems that are necessary for the daily operation of the organization. These disgruntled employees can be identified and monitored, but without...
  • 07/08/2015 InTP Series: Conclusion and Resources (Part 18 of 18) The intent of this blog series was to describe a framework that you could use as you build an insider threat program (InTP) in your organization. We hope you found it a useful resource and recommend that you refer back...
  • 07/01/2015 InTP Series: Implementation Planning (Part 17 of 18) Implementation plans are an essential component of developing an Insider Threat Program (InTP). It is important to look at the development of an implementation plan from a strategic long-term perspective. Hello, this is Tracy Cassidy, Insider Threat Researcher at the...
  • 06/24/2015 InTP Series: The Insider Threat Framework (Part 16 of 18) The single most important aspect of developing a successful insider threat program (InTP) framework is a clear vision. Therefore, it is imperative that you define your vision in a concept of operations document or charter. Hi, this is Jason W....
  • 06/17/2015 InTP Series: Protection of Employee Civil Liberties and Privacy Rights (Part 15 of 18) The news today is buzzing with discussions regarding civil liberties and privacy rights. Insider threat program (InTP) development deals directly with these issues, specifically the protection of employees. It is essential that management familiarize itself with existing mandates, statutes,...
  • 06/03/2015 InTP Series: Policies, Procedures, and Practices (Part 14 of 18) An InTP requires two sets of policies, procedures, and practices: one set describing the operation and components of the program and the other set describing insider threat program (InTP) activities. Hi, I'm Cindy Nesta of the CERT Insider Threat Center....
  • 05/28/2015 InTP Series: Communicating Insider Threat Events (Part 13 of 18) When building your organization's Insider Threat Program (InTP), be sure to clearly identify defined processes for communicating insider threat events and incidents. It is important to ensure that all affected parties are made aware of the situation. As we all...
  • 05/20/2015 InTP Series: Incident Response Planning (Part 12 of 18) Your incident response plan should cover the entire incident lifecycle, including processes for how incidents are detected, reported, contained, remediated, documented, and prosecuted (if applicable). Hello, this is Mark Zajicek at the CERT Insider Threat Center. In this week's blog...
  • 05/13/2015 InTP Series: Data Collection and Analysis (Part 11 of 18) A core capability of any insider threat program (InTP) involves collecting data from multiple sources and analyzing that data to identify indicators of insider anomalous activity or an increase in the probability of future insider activity. This is Dan Costa,...
  • 05/06/2015 InTP Series: Trusted Business Partners (Part 10 of 18) In today's business environment, few organizations are able to operate without contractors, subcontractors, temporary employees, contract employees, or other trusted business partners. Understanding how they fit into your insider threat program (InTP) and how to manage your organization's relationships with...
  • 04/29/2015 InTP Series: Confidential Reporting (Part 9 of 18) "If you see something, say something." That phrase has been a popular security slogan for some time, and it applies to insider threat as well as other security arenas. Organizations need to develop a robust reporting capability that their employees...
  • 04/22/2015 InTP Series: Training and Awareness (Part 8 of 18) The cornerstones of any insider threat program (InTP) are a formal training and awareness curriculum and a defined set of educational activities. A successful InTP requires multiple levels of training for different parts of the organization and different types of...
  • 04/15/2015 InTP Series: Prevention, Detection, and Response (Part 7 of 18) The underlying network infrastructure is a critical component of any insider threat program. In this seventh in a series of 18 posts, I will introduce a few concepts of how to use your enterprise infrastructure to prevent, detect, and respond...
  • 04/08/2015 InTP Series: Integration with Enterprise Risk Management (6 of 18) Like any other threat to the enterprise, risk must be considered when managing the insider threat. This management cannot be done without first acknowledging the risk and implementing it with other risk management processes the organization should already be doing....
  • 04/01/2015 InTP Series: Oversight of Program Compliance and Effectiveness (Part 5 of 18) Why should anyone care about program compliance and effectiveness? The CERT Division's answer to this question is simple: If you're going to have an Insider Threat Program (InTP), you want it to work well and within the limits of the...
  • 03/25/2015 InTP Series: Participation of Business Areas (Part 4 of 18) An effective Insider Threat Program includes participation from the essential business areas of an organization. The National Insider Threat Task Force (NITTF) Minimum Standards identify the particular groups that should be represented in an insider threat program. Hi, this is...
  • 03/18/2015 InTP Series: The Formalized Program (Part 3 of 18) Hi, I'm Matt Collins, an Insider Threat Researcher at the CERT Insider Threat Center. This week in the third installment of our series, we'll take a look at the first component of an insider threat program: the formalized program itself....
  • 03/11/2015 InTP Series: Key Elements of an Insider Threat Program (Part 2 of 18) Before establishing an insider threat program in your organization, you first must understand the required components of such a program. In this second of a series of 18 posts, I will introduce you to the elements of an effective insider...
  • 03/04/2015 InTP Series: Establishing an Insider Threat Program (Part 1 of 18) Are you planning on establishing an insider threat program in your organization? If so, you'll find this series of 18 blog posts helpful. In this post, the first in the series, I explain why having an insider threat program is...
  • 07/22/2014 Unintentional Insider Threats by Economic Sector Hello, I'm Tracy Cassidy, a CERT cybersecurity researcher. This post is about the research the CERT Division is doing on unintentional insider threat (UIT) with a particular emphasis on phishing and malware incidents. For the past year, the CERT Insider...
  • 05/14/2014 "Four Insider IT Sabotage Mitigation Patterns and an Initial Effectiveness Analysis" Paper Released Hello, this is Matt Collins of the CERT Insider Threat Center. We are pleased to announce the publication of our paper "Four Insider IT Sabotage Patterns and an Initial Effectiveness Analysis." The paper describes four mitigation patterns of insider IT...
  • 12/18/2013 Theft of Intellectual Property by Insiders This is Matt Collins, Insider Threat Researcher at the CERT Insider Threat Center. In this post, I cover statistics related to a group of cases in the CERT Division's insider threat database related to the theft of intellectual property (IP)....
  • 10/17/2013 Analyzing Insider Threat Data in the MERIT Database Greetings! This is Matt Collins, an insider threat researcher with the CERT Insider Threat Center. In this post I describe some of the types of insider incident data we record in our Management and Education of the Risk of Insider...
  • 09/30/2013 The Latest CERT Research of Unintentional Insider Threats: Social Engineering Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on unintentional insider threats, in particular social engineering. Earlier this year, the CERT Division's Insider Threat Team published the report Unintentional Insider Threats:...
  • 09/03/2013 International Considerations for Cybersecurity Best Practices Hi! We are Lori Flynn and Carly Huth, CERT cybersecurity researchers. This post is about our recently published paper that describes how strategies for implementing international cybersecurity best practice should account for five factors: technology profile, laws and regulations, law...
  • 08/23/2013 Seven Ways Insider Threat Products Can Protect Your Organization Hi, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division. Organizations may be searching for products that address insider threats but have no real way of knowing if a product will meet their needs. In...
  • 08/20/2013 A Multi-Dimensional Approach to Insider Threat This is Dave Mundie, senior member of the technical staff in the CERT Division. Previous SEI blog posts ("Protecting Against Insider Threats with Enterprise Architecture Patterns" and "Effectiveness of a Pattern for Preventing Theft by Insiders") have described the...
  • 08/07/2013 Unintentional Insider Threats: The Non-Malicious Within Hello, I'm David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on the unintentional insider threat. Organizations often suffer from individuals who have no ill will or malicious motivation, but whose actions cause harm....
  • 08/01/2013 Attend Our Insider Threat Webinar Hi, this is Randy Trzeciak, Technical Manager of the Enterprise Threat and Vulnerability Management team in the CERT Division. On Thursday, August 8, the SEI is hosting the webinar Managing the Insider Threat: What Every Organization Should Know. Join me...
  • 05/06/2013 Controlling the Malicious Use of USB Media Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division of the Software Engineering Institute. Earlier this year, we released the report Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events...
  • 03/12/2013 How Ontologies Can Help Build a Science of Cybersecurity Hello, this is David Mundie, a Senior Member of the Technical Staff in the CERT Program. The term "science of cybersecurity" is a popular one in our community these days. For some time now I have advocated ontologies and controlled...
  • 02/19/2013 CERT Insider Threat Events at the RSA Conference Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. The RSA Conference is rapidly approaching, and since many of you will likely be there, I thought I'd let you know how to find us there. Also, if...
  • 02/13/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 19 (of 19) Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the last of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats....
  • 02/11/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 18 (of 19) Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the eighteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to...
  • 02/08/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 17 (of 19) Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the seventeenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats....
  • 02/06/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 16 (of 19) Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst and Lori Flynn, Insider Threat Researcher for the CERT Program, with the sixteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of...
  • 02/04/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 15 (of 19) Hello, this is Randy Trzeciak, Technical Team Lead of Research in the CERT Insider Threat Center, with the fifteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to...
  • 02/01/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 14 (of 19) Hello, this is Eleni Tsamitis, Insider Threat Administrator for the CERT Program, with the fourteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The...
  • 01/30/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 13 (of 19) Hello, this is Ying Han, Graduate Research Assistant of the CERT Enterprise Threat and Vulnerability Management team, with the thirteenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide...
  • 01/28/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 12 (of 19) Hello, this is Sam Perl, Cybersecurity Analyst for the CERT Program, with the twelfth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The CERT...
  • 01/25/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 11 (of 19) Hello, this is Todd Lewellen, Cybersecurity Threat and Incident Analyst for the CERT Program, with the eleventh of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider...
  • 01/23/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 10 (of 19) Hello, this is Marcus Smith, a graduate assistant for the CERT Program, with the tenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The...
  • 01/21/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 9 (of 19) Hello, this is Mike Albrethsen, Information Systems Security Analyst for the CERT Program, with the ninth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats....
  • 01/18/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 8 (of 19) Hello, this is Jeremy Strozer, Senior Cyber Security Specialist for the CERT Program, with the eighth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats....
  • 01/16/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 7 (of 19) Hi, this is Chris King, Member of the Technical Staff for the CERT Program, with the seventh of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider...
  • 01/14/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 6 (of 19) Hello, this is Jason Clark, Insider Threat Researcher for the CERT Program, with the sixth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The...
  • 01/11/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 5 (of 19) Hello, this is Derrick Spooner, Cyber Threat Solutions Engineer for the CERT Program, with the fifth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats....
  • 01/09/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 4 (of 19) Hello, this is Carly Huth, Insider Threat Researcher for the CERT Program, with the fourth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. The...
  • 01/08/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 3 (of 19) Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the third of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats....
  • 01/03/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 2 (of 19) Hello, this is Randy Trzeciak, Technical Team Lead of Insider Threat Research for the CERT Program, with the second of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to...
  • 01/03/2013 Common Sense Guide to Mitigating Insider Threats - Best Practice 1 (of 19) Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Program, with the first of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating...
  • 12/14/2012 The Common Sense Guide to Mitigating Insider Threats Expanded Hi, this is George Silowash of the CERT Insider Threat Center. I am happy to announce the release of the Common Sense Guide to Mitigating Insider Threats, 4th Edition. This edition introduces four new best practices for preventing and detecting...
  • 12/13/2012 Fourth Edition of the Common Sense Guide to Mitigating Insider Threats Is Released Hello, this is Lori Flynn, insider threat researcher for the CERT Program. We are proud to announce the release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats. We are grateful to the U.S. Department of...
  • 11/14/2012 Insider Threats in State and Local Government Hello, this is Matt Collins, a graduate assistant at the CERT Insider Threat Center. While the center's research has found that insider threats impact all industry sectors, this post narrows the focus to insider threats in the state and local...
  • 11/02/2012 "Spotlight On: Insider Threat from Trusted Business Partners" Article Revised and Released Hello, this is Todd Lewellen of the CERT Insider Threat Center. We are excited to announce that a revised version of our Spotlight On: Insider Threat from Trusted Business Partners article has been released. It has been almost three years...
  • 10/05/2012 External Threat Analysis Hi, this is Dan Klinedinst of the CERT Enterprise Threat and Vulnerability Management team. Recently we've been looking to extend the methodologies from our insider threat research to other sorts of threats. Personally, I'm interested in applying well-known analysis techniques...
  • 10/01/2012 Insider Threats Related to Cloud Computing--Installment 10: Conclusion Hi, this is Bill Claycomb and Alex Nicoll with the final installment of a series on cloud-related insider threats. In this post, we present our conclusion on the current state of cloud-related insider threats and our vision for the future....
  • 09/25/2012 The Insider Threat Awareness Virtual Roundtable Webinar Hi, this is Dawn Cappelli, Director of the CERT Insider Threat Center. Last week I had the pleasure of participating in The Insider Threat Awareness Virtual Roundtable webinar, which was sponsored by the DHS Office of Infrastructure Protection. The webinar...
  • 09/24/2012 Insider Threats Related to Cloud Computing--Installment 9: Two More Proposed Directions for Future Research Hi, this is Bill Claycomb and Alex Nicoll with installment 9 of a 10-part series on cloud-related insider threats. In this post, we discuss in detail two final areas of future research for cloud-related insider threats: normal user behavior analysis...
  • 09/17/2012 Insider Threats Related to Cloud Computing--Installment 8: Three More Proposed Directions for Future Research in Detail Hi, this is Bill Claycomb and Alex Nicoll with installment 8 of a 10-part series on cloud-related insider threats. In this post, we discuss three more areas of future research for cloud-related insider threats: identifying cloud-based indicators of insider threats,...
  • 09/12/2012 Insider Threats Related to Cloud Computing--Installment 7: Seven Proposed Directions for Research and Two in Detail Hi, this is Bill Claycomb and Alex Nicoll with installment 7 of a 10-part series on cloud-related insider threats. In this post, we introduce seven proposed directions for cloud-related insider threat research and discuss two of them in detail: socio-technical...
  • 09/10/2012 CERT Insider Threat Center in the News Hi, this is Dawn Cappelli of the CERT Insider Threat Center. We always feel proud when we see others recognize our hard work and, better yet, communicate the results of our work to others. SC Magazine, FedTech, Information Week, eWeek,...
  • 09/07/2012 Insider Threats Evident in All Industry Sectors Hello, this is Todd Lewellen, information systems security analyst for the CERT Insider Threat Center. We recently conducted a cursory search through our MERIT database for case examples across different industry sectors. This search reminded us just how indiscriminately insider...
  • 09/06/2012 Study on Insider Cyber Fraud in Financial Services Released Hi, this is Randy Trzeciak of the CERT Insider Threat Center. Recently, we completed a study that revealed insights into the type of insiders who commit insider financial cyber fraud, how they do it, and what they steal. The study,...
  • 09/04/2012 Insider Threats Related to Cloud Computing--Installment 6: Securing Against Other Cloud-Related Insiders Hi, this is Bill Claycomb and Alex Nicoll with installment 6 of a 10-part series on cloud-related insider threats. In this post, we discuss how to secure against two other types of cloud-related insider threats: cloud exploits and those using...
  • 08/30/2012 Upcoming Appearances by CERT Insider Threat Experts Hi, this is the Insider Threat Team letting you know about where some of us will be appearing in the coming weeks. We will be addressing topics related to insider threats, risk, and cybersecurity at events in both the U.S....
  • 08/27/2012 Insider Threats Related to Cloud Computing--Installment 5: Securing Against Cloud-Related Insiders Hi, this is Bill Claycomb and Alex Nicoll with installment 5 of a 10-part series on cloud-related insider threats. In this post, we discuss how to secure against one type of cloud-related insider threat: rogue administrators....
  • 08/20/2012 Insider Threats Related to Cloud Computing--Installment 4: Using the Cloud to Conduct Nefarious Activity A third type of cloud-related insider is one who uses cloud services to carry out an attack on his own employer. This type of insider is similar to the previous type who targets systems or data in the cloud. In...
  • 08/13/2012 Insider Threats Related to Cloud Computing--Installment 3: Insiders Who Exploit Cloud Vulnerabilities Hi, this is Bill Claycomb and Alex Nicoll with installment 3 of a 10-part series on cloud-related insider threats. In this post, we discuss a second type of cloud-related insider threat: those that exploit weaknesses introduced by use of the...
  • 08/06/2012 Insider Threats Related to Cloud Computing--Installment 2: The Rogue Administrator Hi, this is Bill Claycomb and Alex Nicoll with installment 2 of a 10-part series on cloud-related insider threats. In this post, we present three types of cloud-related insiders and discuss one in detail--the "rogue administrator." This insider typically steals...
  • 07/31/2012 Insider Threats Related to Cloud Computing--Installment 1: Introduction Hi, this is Bill Claycomb, lead research scientist for the CERT Insider Threat Center, and Alex Nicoll, technical team lead for Insider Threat Technical Solutions and Standards. Over the next few months, we will discuss, in a series of blog...
  • 07/02/2012 Pay Attention: Are Your Company Secrets at Risk from Insiders? For years the CERT Insider Threat Center has been studying organizations' current and former employees, contractors, and trusted business partners who steal intellectual property (IP) from their organizations. We have published reports that detail the problem: who does it, why,...
  • 05/31/2012 The CERT Insider Threat Center has been busy this spring. The CERT Insider Threat Center has been busy this spring developing publications, presenting podcasts, and attending conferences to extend the knowledge and research we've collected into the public domain. This blog post contains a few highlights of recent accomplishments and...
  • 03/23/2012 The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley's InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575....
  • 02/15/2012 Insiders and Organized Crime The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced, especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a...
  • 01/26/2012 Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage The Insider Threat Center at CERT recently released a new insider threat control that is specifically designed to detect the presence of a malicious insider based on key indicators to Information Technology (IT) sabotage activity. This blog post provides an...
  • 12/15/2011 Preparing for Negative Workplace Events - Managing Employee Expectations Hello, this is Randy Trzeciak, technical team lead for the Insider Threat Research Team at the CERT Insider Threat Center. This blog post is intended to serve as a reminder to organizations about the impact that an organization's actions can...
  • 11/16/2011 Insider Threat Controls The mission of the CERT Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our...
  • 10/17/2011 Data Exfiltration and Output Devices - An Overlooked Threat Hi, this is George Silowash, and recently I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise...paper. Yes, paper. In particular, printouts and devices that allow for extraction of...
  • 08/15/2011 The CERT Insider Threat Database Hi, this is Randy Trzeciak, technical team lead for the Insider Threat Outreach & Transition group at the Insider Threat Center at CERT. Since 2001, our team has been collecting information about malicious insider activity within U.S. organizations. In each...
  • 07/21/2011 Theft of Intellectual Property and Tips for Prevention One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In our recent publication, An Analysis of...
  • 06/27/2011 Insider Threat Deep Dive: Theft of Intellectual Property This entry is part of a series of "deep dives" into insider threat. The previous entry focused on IT sabotage. Hi, this is Chris King. From our research, we realized that malicious insiders do not all fit into a single...
  • 05/10/2011 Insider Threat and Physical Security of Organizations Physical access to an organization's secure areas, equipment, or materials containing sensitive data may make it easier for a malicious insider to commit a crime. Therefore, an organization's physical security controls are often just as important as its technical security...
  • 04/06/2011 Insider Threat Best Practices from Industry Hello, this is George Silowash from the Insider Threat Center at CERT. I had the opportunity to attend RSA Conference 2011 with two of my colleagues, Dawn Cappelli and Joji Montelibano. Insider threat was a popular topic at the conference...
  • 02/23/2011 Insider Threats in the Software Development Lifecycle Developers often have full access to the source code of critical systems to do their job. This same access can also be used to insert logic bombs, sabotage the system, or siphon money from an organization. We have seen numerous...
  • 01/26/2011 Insider Threat Case Trends of Technical and Non-Technical Employees This is the second of two blog entries that explore questions we were asked during a recent meeting with leaders from the U.S. financial services sector. In this entry, we focus on what role malicious insiders typically hold in an...
  • 12/21/2010 Insider Threat Case Trends for Employee Type and Employment Status We recently met with leaders from the U.S. financial services sector, and they asked a number of questions about recent trends in insider threat activities. We are often asked these types of questions, and we can answer many of them...
  • 12/06/2010 Upcoming Insider Threat Presentations Members of the Insider Threat Center will be giving numerous presentations during the next few months:...
  • 10/25/2010 Interesting Insider Threat Statistics Hello, my name is Joji Montelibano, and I work in the CERT Insider Threat Center. When members of our team give presentations, conduct assessments, or teach courses, one of the most common questions is, "Just how bad is the insider...
  • 10/11/2010 A Threat-Centric Approach to Detecting and Preventing Insider Threat Hi, this is Chris King. Any organization that stores data about individuals has a responsibility to protect that information. We regularly hear news stories about celebrities' personal information being stolen and released to the media. Some of these leaks are...
  • 09/22/2010 Insider Threat Deep Dive: IT Sabotage This entry is the first in a series of "deep dives" into insider threat. Hi, this is Chris King from the CERT Insider Threat Center. Through the course of our research, we noticed that insiders couldn't be lumped into a...
  • 09/08/2010 Welcome to the Insider Threat Blog Hi, this is Dawn Cappelli, technical manager of the Insider Threat Center at CERT. Thanks for taking the time to visit our new insider threat blog. As many of you know, we've been doing insider threat research since 2001. Our...