Published by Addison-Wesley (January 20, 2012) © 2012

Dawn Cappelli | Andrew Moore | Randall Trzeciak
    VitalSource eTextbook (Lifetime access)
    €31,99
    ISBN-13: 9780132906043

    The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), 1st edition

    Language: English

    Since 2001, the CERT® Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute (SEI) has collected and analyzed information about more than seven hundred insider cyber crimes, ranging from national security espionage to theft of trade secrets. The CERT® Guide to Insider Threats describes CERT’s findings in practical terms, offering specific guidance and countermeasures that can be immediately applied by executives, managers, security officers, and operational staff within any private, government, or military organization.

     

    The authors systematically address attacks by all types of malicious insiders, including current and former employees, contractors, business partners, outsourcers, and even cloud-computing vendors. They cover all major types of insider cyber crime: IT sabotage, intellectual property theft, and fraud. For each, they present a crime profile describing how the crime tends to evolve over time, as well as motivations, attack methods, organizational issues, and precursor warnings that could have helped the organization prevent the incident or detect it earlier. Beyond identifying crucial patterns of suspicious behavior, the authors present concrete defensive measures for protecting both systems and data.

     

    This book also conveys the big picture of the insider threat problem over time: the complex interactions and unintended consequences of existing policies, practices, technology, insider mindsets, and organizational culture. Most important, it offers actionable recommendations for the entire organization, from executive management and board members to IT, data owners, HR, and legal departments.

     

    With this book, you will find out how to

    • Identify hidden signs of insider IT sabotage, theft of sensitive information, and fraud
    • Recognize insider threats throughout the software development life cycle
    • Use advanced threat controls to resist attacks by both technical and nontechnical insiders
    • Increase the effectiveness of existing technical security tools by enhancing rules, configurations, and associated business processes
    • Prepare for unusual insider attacks, including attacks linked to organized crime or the Internet underground

    By implementing this book’s security practices, you will be incorporating protection mechanisms designed to resist the vast majority of malicious insider attacks.

    Preface xvii

    Acknowledgments xxxi

     

    Chapter 1: Overview 1

    True Stories of Insider Attacks 3

    The Expanding Complexity of Insider Threats 6

    Breakdown of Cases in the Insider Threat Database 7

    CERT’s MERIT Models of Insider Threats 9

    Overview of the CERT Insider Threat Center 13

    Timeline of the CERT Program’s Insider Threat Work 16

    Caveats about Our Work 20

    Summary 20

     

    Chapter 2: Insider IT Sabotage 23

    General Patterns in Insider IT Sabotage Crimes 28

    Mitigation Strategies 46

    Summary 59

     

    Chapter 3: Insider Theft of Intellectual Property 61

    Impacts 66

    General Patterns in Insider Theft of Intellectual Property Crimes 68

    The Entitled Independent 69

    The Ambitious Leader 78

    Theft of IP inside the United States Involving Foreign Governments or Organizations 83

    Mitigation Strategies for All Theft of Intellectual Property Cases 88

    Mitigation Strategies: Final Thoughts 97

    Summary 98

     

    Chapter 4: Insider Fraud 101

    General Patterns in Insider Fraud Crimes 106

    Insider Fraud Involving Organized Crime 115

    Organizational Issues of Concern and Potential Countermeasures 120

    Mitigation Strategies: Final Thoughts 126

    Summary 127

     

    Chapter 5: Insider Threat Issues in the Software Development Life Cycle 129

    Requirements and System Design Oversights 131

    System Implementation, Deployment, and Maintenance Issues 136

    Programming Techniques Used As an Insider Attack Tool 139

    Mitigation Strategies 142

    Summary 143

     

    Chapter 6: Best Practices for the Prevention and Detection of Insider Threats 145

    Summary of Practices 146

    Practice 1: Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments 151

    Practice 2: Clearly Document and Consistently Enforce Policies and Controls 155

    Practice 3: Institute Periodic Security Awareness Training for All Employees 159

    Practice 4: Monitor and Respond to Suspicious or Disruptive Behavior, Beginning with the Hiring Process 164

    Practice 5: Anticipate and Manage Negative Workplace Issues 168

    Practice 6: Track and Secure the Physical Environment 171

    Practice 7: Implement Strict Password- and Account-Management Policies and Practices 174

    Practice 8: Enforce Separation of Duties and Least Privilege 178

    Practice 9: Consider Insider Threats in the Software Development Life Cycle 182

    Practice 10: Use Extra Caution with System Administrators and Technical or Privileged Users 187

    Practice 11: Implement System Change Controls 191

    Practice 12: Log, Monitor, and Audit Employee Online Actions 195

    Practice 13: Use Layered Defense against Remote Attacks 200

    Practice 14: Deactivate Computer Access Following Termination 203

    Practice 15: Implement Secure Backup and Recovery Processes 207

    Practice 16: Develop an Insider Incident Response Plan 211

    Summary 213

    References/Sources of Best Practices 214

     

    Chapter 7: Technical Insider Threat Controls 215

    Infrastructure of the Lab 217

    Demonstrational Videos 218

    High-Priority Mitigation Strategies 219

    Control 1: Use of Snort to Detect Exfiltration of Credentials Using IRC 220

    Control 2: Use of SiLK to Detect Exfiltration of Data Using VPN 221

    Control 3: Use of a SIEM Signature to Detect Potential Precursors to Insider IT Sabotage 223

    Control 4: Use of Centralized Logging to Detect Data Exfiltration during an Insider’s Last Days of Employment 231

    Insider Threat Exercises 239

    Summary 239

     

    Chapter 8: Case Examples 241

    Sabotage Cases 241

    Sabotage/Fraud Cases 256

    Theft of IP Cases 258

    Fraud Cases 262

    Miscellaneous Cases 269

    Summary 273

     

    Chapter 9: Conclusion and Miscellaneous Issues 275

    Insider Threat from Trusted Business Partners 275

    Malicious Insiders with Ties to the Internet Underground 286

    Final Summary 293

     

    Appendix A: Insider Threat Center Products and Services 299

    Appendix B: Deeper Dive into the Data 307

    Appendix C: CyberSecurity Watch Survey 319

    Appendix D: Insider Threat Database Structure 325

    Appendix E: Insider Threat Training Simulation: MERIT InterActive 333

    Appendix F: System Dynamics Background 345

     

    Glossary of Terms 351

    References 359

    About the Authors 365

    Index 369