December 2005 - Best Computer Practices for Defending Against Insider Threats

CERT and the U.S. Secret Service’s National Threat Assessment Center (NTAC) joined efforts in 2002 to conduct a study of insider incidents, the Insider Threat Study (ITS). This effort was spearheaded by concern over the ability of insiders to exploit known system vulnerabilities and the effect of this activity on organizations, particularly those within critical infrastructures. Such infrastructures include telecommunications, banking and finance, energy, transportation, and essential government services.

The ITS was designed to analyze incidents from both a behavioral and a technical perspective. The cases examined were incidents perpetrated by insiders (i.e., current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organization's data, systems, or daily business operations.

CERT has published two reports on its analyses. The first report, Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, focused on cases within the Banking and Finance Sector and was published in August 2004. The study is available at www.cert.org/archive/pdf/bankfin040820.pdf. The second report, Insider Threat Study:Computer System Sabotage in Critical Infrastructure Sectors, which was published in May 2005, examined forty-nine insider incidents across critical infrastructure sectors in which the insider’s primary goal was to sabotage some aspect of the organization (e.g., business operations, information/data files, system/network, and/or reputation) or direct specific harm towards an individual. That study is available at www.cert.org/archive/pdf/insidercross051105.pdf.

At the Computer Security Institute Conference in Washington, DC on November 14, 2005, Dawn Cappelli, Senior Member of the Technical Staff, Carnegie Mellon University, presented Preventing Insider Sabotage:Lessons Learned from Actual Attacks, which provided a summary of the CERT studies, as well as a recommended list of “best practices” that can be used reduce insider threat vulnerabilities. These best practices were:

• Conduct background checks and consider results carefully.
• Institute periodic employee security awareness training for all employees.
• Enforce separation of duties and least privilege.
• Implement strict password and account management policies and practices.
• Log, monitor, and audit employee online actions.
• Use additional controls for system administrators and privileged users.
• Actively defend against malicious code.
• Use layered defense against remote attacks.
• Monitor and respond to suspicious or disruptive behavior.
• Deactivate access following termination.
• Collect and save data for use in investigations.
• Implement secure backup and recovery processes.
• Clearly document insider threat controls.

The text of the presentation is available at www.cert.org/archive/pdf/InsiderThreatCSI.pdf.

The CERT Coordination Center, which is located at Carnegie Mellon University's Software Engineering Institute, coordinates responses to security compromises, identifies trends in intruder activity, identifies solutions to security problems, and disseminates information to the broader community. CERT conducts research and development to create solutions to security problems and provides training to help individuals build skills in dealing with cyber security issues.

COPYRIGHT ©2005, ISO Services Properties, Inc.

The information contained in this publication was obtained from sources believed to be reliable. ISO Services Properties, Inc., its companies and employees make no guarantee of results and assume no liability in connection with either the information herein contained or the safety suggestions herein made. Moreover, it cannot be assumed that every acceptable safety procedure is contained herein or that abnormal or unusual circumstances may not warrant or require further or additional procedure.