SEI Publishes The CERT Guide to Insider Threats Book
What do ACTA, SEPA, PIPA, Stuxnet, Google have in common? They all have been hot topics in the press during the last months and they are dealing with information security. What, however, is commonly forgotten are internal threats related to espionage and stealing of company information. The book authors Dawn Cappelli, Andrew Moore, and Randall Trzeciak from the CMU SEI (Carnegie Mellon University Software Engineering Institute) are covering this issue in depth.
In their book, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional, common threats and countermeasures as well as guidelines are addressed.
According to the SEI the book explains how to
identify hidden signs of insider IT sabotage, theft of sensitive information, and fraud
recognize insider threats throughout the software development life cycle
use advanced threat controls to resist attacks by both technical and nontechnical insiders
increase the effectiveness of existing technical security tools by enhancing rules, configurations, and associated business processes
prepare for unusual insider attacks, including attacks linked to organized crime or the Internet underground
It is a common observation that software architects and developers seldom address this kind of security issue in the necessary depth.
According to Dawn Capelli, one of the writers, there are ten tips to deal with these risks. The tips were published in a news by the bankinfosecurity web site:
- Repeat Offenders and Offenses. Learn from past incidents. Most organizations get hit more than once because they fail to address their weaknesses.
- Focus on the Crown Jewels. You can't protect everything, so identify what information is most important and focus on protecting and securing that information first.
- Use Existing Technology. Don't rush out to buy new systems; just learn to use your existing technologies differently. The same fraud-detection systems used to detect and prevent external attacks can be used to monitor internal behavior.
- Mitigate Threats from Business Partners. Anyone with access to your systems and databases poses risk.
- Recognize Concerning Behavior or Patterns. Incidents don't happen in isolation. If you pay attention to the signs, you can often prevent a breach.
- Recruited Employees. Many internal threats are posed by employees who have either been planted or those who are disgruntled and have been recruited to commit fraud.
- Watch Behavior During Resignation or Termination. How much access and information does the individual have, and what can you do to secure it?
- Be Mindful of Employee Privacy Concerns. Bring your general counsel in to the discussion. You want to monitor behavior, but you don't want to violate employee privacy policies and laws.
- Cross-Department Involvement. Make the fight against internal fraud an organizational initiative. "Create an insider threat program," Capelli said. "It's a very complex issue. It involves management and HR, and even the janitor, who could plant malicious code on your network."
- Get Buy-In from the Top. Executives have to understand the threats, so then they can support your initiatives to mitigate the risks.
Needless to say that software engineers have the responsibility to address security threats thoroughly in their systems. It is not only about management. And it definitely is not a SEP (Somebody Else’s Problem).
About published books
John S Wolter
I remain concerned about published works being available in most engineering libraries. We need to find a way to have the immediacy of online open access & printed copies for the time being. Publish on demand? Publishers-Printers have not been the friends of libraries. I'm sure they will say "we give them books" but lately these are only in the form of the well worn phrase "[Electronic Resources]". These are only available as if you are a register student or faculty at a large university with a engineering department and large library.
Shane Hastie on Distributed Agile Teams, Product Ownership and the Agile Manifesto Translation Program
Shane Hastie Apr 17, 2015