© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center

© 2007-2011 Carnegie Mellon University

The CERT Insider Threat Center

Notices

© 2007-2011 Carnegie Mellon University

This material is distributed by the SEI  only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract.  Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.  

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

 THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

What is CERT?

Center of Internet security expertise

Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today

Part of the Software Engineering Institute (SEI)

• Federally Funded Research & Development Center (FFRDC)

• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

Who is a Malicious Insider?

Current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

CERT Insider Threat Center – Mission

Assist organizations in identifying indications and warnings of insider threat by

• performing vulnerability assessments

• assisting in the design and implementation of policies, practices, and technical solutions

based on our ongoing research of hundreds of actual cases of insider IT sabotage, theft of intellectual property, fraud, and espionage

2011 CyberSecurity Watch Survey -1

CSO Magazine, USSS, CERT & Deloitte

607 respondents

38% of organizations have more than 5000 employees

37% of organizations have less than 500 employees

Chart: Percentage of Participants Who Experienced an Insider Incident (2004: 41, 2005: 39, 2006: 55, 2007: 49, 2008: 51, 2010: 43)

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

2011 CyberSecurity Watch Survey -2

46% of respondents: Damage caused by insider attacks more damaging than outsider attacks

Most common insider e-crime

Unauthorized access to / use of corporate information (63%)

Unintentional exposure of private or sensitive data (57%)

Virus, worms, or other malicious code (37%)

Theft of intellectual property (32%)

Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.

CERT’s Insider Threat Case Database

Chart: U.S. Crimes by Category (Sabotage: 127, Fraud: 214, Theft of IP: 88, Misc: 43, Espionage: 120)

CERT’s Case Collection Approach

Ongoing collection: Cases from 1996 – present that occurred in the U.S. are coded in the CERT database

Sources: Court documents, interviews, media, investigators’ notes

Big picture approach: Examine technical, psychological, and organizational aspects of the problem

Objective: Analyze actual cases to develop information for prevention & early detection

Current Body of Work

Incident Response

Forensic Investigations (internal & external attacks)

Controls

Open source solutions

Optimized configurations for commercial technology

Risk scoring algorithms

New functional requirements

Standards

Cases

Models

Assessments

Lit Reviews

Research

Insider threat risk management process

Workshops

Senior Executive Workshops

Demos

VTE Modules

Exercises

Points of Contact

Insider Threat Technical Solutions Lead
Joji Montelibano
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-6946 – [email protected] – Email
http://www.cert.org/insider_threat/