
SEI Publishes The CERT Guide to Insider Threats Book

by Michael Stal on Mar 03, 2012

What do ACTA, SOPA, PIPA, Stuxnet and Google have in common? They have all been hot topics in the press in recent months, and they all relate to information security. What is commonly forgotten, however, are insider threats: espionage and the theft of company information by people inside the organization. The book authors Dawn Cappelli, Andrew Moore, and Randall Trzeciak from the CMU SEI (Carnegie Mellon University Software Engineering Institute) cover this issue in depth.

Their book, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), published by Addison-Wesley Professional, addresses common insider threats, the countermeasures against them, and guidelines for organizations.

According to the SEI, the book explains how to:

  • identify hidden signs of insider IT sabotage, theft of sensitive information, and fraud
  • recognize insider threats throughout the software development life cycle
  • use advanced threat controls to resist attacks by both technical and nontechnical insiders
  • increase the effectiveness of existing technical security tools by enhancing rules, configurations, and associated business processes
  • prepare for unusual insider attacks, including attacks linked to organized crime or the Internet underground

It is a common observation that software architects and developers seldom address this kind of security issue with the necessary depth.

According to Dawn Cappelli, one of the authors, there are ten tips for dealing with these risks. The tips were published in a news item on the BankInfoSecurity web site:

    1. Repeat Offenders and Offenses. Learn from past incidents. Most organizations get hit more than once because they fail to address their weaknesses.
    2. Focus on the Crown Jewels. You can't protect everything, so identify what information is most important and focus on protecting and securing that information first.
    3. Use Existing Technology. Don't rush out to buy new systems; just learn to use your existing technologies differently. The same fraud-detection systems used to detect and prevent external attacks can be used to monitor internal behavior.
    4. Mitigate Threats from Business Partners. Anyone with access to your systems and databases poses risk.
    5. Recognize Concerning Behavior or Patterns. Incidents don't happen in isolation. If you pay attention to the signs, you can often prevent a breach.
    6. Recruited Employees. Many internal threats are posed by employees who have either been planted or those who are disgruntled and have been recruited to commit fraud.
    7. Watch Behavior During Resignation or Termination. How much access and information does the individual have, and what can you do to secure it?
    8. Be Mindful of Employee Privacy Concerns. Bring your general counsel into the discussion. You want to monitor behavior, but you don't want to violate employee privacy policies and laws.
    9. Cross-Department Involvement. Make the fight against internal fraud an organizational initiative. "Create an insider threat program," Cappelli said. "It's a very complex issue. It involves management and HR, and even the janitor, who could plant malicious code on your network."
    10. Get Buy-In from the Top. Executives have to understand the threats, so then they can support your initiatives to mitigate the risks.

Needless to say, software engineers have a responsibility to address security threats thoroughly in their systems. It is not only a management concern. And it definitely is not a SEP (Somebody Else's Problem).


About published books by John S Wolter

Some of us will buy this Addison-Wesley Professional book. Most of us will not. The information in the book will be obsolete by the time it is widely read. This publishing business model is not viable. The security environment is so dynamic I do not see traditional publishing as being able to keep pace with the subject matter. An open book site combined with effective advertising will most likely generate greater net profits.

I remain concerned about published works being available in most engineering libraries. We need to find a way to have the immediacy of online open access & printed copies for the time being. Publish on demand? Publishers-Printers have not been the friends of libraries. I'm sure they will say "we give them books" but lately these are only in the form of the well worn phrase "[Electronic Resources]". These are only available if you are a registered student or faculty at a large university with an engineering department and large library.

InfoQ.com and all content copyright © 2006-2013 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.