
SEI Publishes The CERT Guide to Insider Threats Book


What do ACTA, SEPA, PIPA, Stuxnet and Google have in common? They have all been hot topics in the press in recent months, and they all involve information security. What is commonly forgotten, however, is the internal threat: espionage and theft of company information by insiders. The book authors Dawn Cappelli, Andrew Moore, and Randall Trzeciak from the CMU SEI (Carnegie Mellon University Software Engineering Institute) cover this issue in depth.

Their book, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), published by Addison-Wesley Professional, addresses common insider threats and their countermeasures, together with guidelines for organizations.

According to the SEI, the book explains how to

  • identify hidden signs of insider IT sabotage, theft of sensitive information, and fraud

  • recognize insider threats throughout the software development life cycle

  • use advanced threat controls to resist attacks by both technical and nontechnical insiders

  • increase the effectiveness of existing technical security tools by enhancing rules, configurations, and associated business processes

  • prepare for unusual insider attacks, including attacks linked to organized crime or the Internet underground

It is a common observation that software architects and developers seldom address this kind of security issue with the necessary depth.

According to Dawn Cappelli, one of the authors, there are ten tips for dealing with these risks. The tips were published in a news item on the bankinfosecurity website:

    1. Repeat Offenders and Offenses. Learn from past incidents. Most organizations get hit more than once because they fail to address their weaknesses.
    2. Focus on the Crown Jewels. You can't protect everything, so identify what information is most important and focus on protecting and securing that information first.
    3. Use Existing Technology. Don't rush out to buy new systems; just learn to use your existing technologies differently. The same fraud-detection systems used to detect and prevent external attacks can be used to monitor internal behavior.
    4. Mitigate Threats from Business Partners. Anyone with access to your systems and databases poses risk.
    5. Recognize Concerning Behavior or Patterns. Incidents don't happen in isolation. If you pay attention to the signs, you can often prevent a breach.
    6. Recruited Employees. Many internal threats are posed by employees who have either been planted or those who are disgruntled and have been recruited to commit fraud.
    7. Watch Behavior During Resignation or Termination. How much access and information does the individual have, and what can you do to secure it?
    8. Be Mindful of Employee Privacy Concerns. Bring your general counsel in to the discussion. You want to monitor behavior, but you don't want to violate employee privacy policies and laws.
    9. Cross-Department Involvement. Make the fight against internal fraud an organizational initiative. "Create an insider threat program," Cappelli said. "It's a very complex issue. It involves management and HR, and even the janitor, who could plant malicious code on your network."
    10. Get Buy-In from the Top. Executives have to understand the threats, so then they can support your initiatives to mitigate the risks.

Needless to say, software engineers have the responsibility to address security threats thoroughly in their systems. It is not only a management concern. And it definitely is not a SEP (Somebody Else's Problem).
