1. Session ID:
Session Classification:
Dawn M. Cappelli
CERT Insider Threat Center - Software Engineering Institute
Carnegie Mellon University
STU-R37A
Intermediate
INTRIGUING INSIDER
THREAT CASES –
MAKE SURE THIS DOESN’T
HAPPEN TO YOU!

2. © 2013 Carnegie Mellon University
Except for the U.S. government purposes described below, this material SHALL NOT be
reproduced or used in any other manner without requesting formal permission from the Software
Engineering Institute at permission@sei.cmu.edu.
This material was created in the performance of Federal Government Contract Number FA8721-
05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute,
a federally funded research and development center. The U.S. government's rights to use, modify,
reproduce, release, perform, display, or disclose this material are restricted by the Rights in
Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013
Alternate I) contained in the above identified contract. Any reproduction of this material or portions
thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for
U.S. government purposes, the SEI recommends attendance to ensure proper understanding.
THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS
ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO,
WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE
OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT ® is a registered mark owned by Carnegie Mellon University.
Notices

3. ► Traffic nightmare for 4 days in major U.S. city…
► System controlling traffic lights sabotaged by 2
employees in the middle of a labor dispute even though
access had been removed for both employees…
Actual Case

4. ► Raise awareness – it CAN happen to you!
► Use actual cases to highlight critical insider threat issues
► Point out unique attack vectors that would be difficult, but not
impossible to prevent / detect
► Alert you to threats that could have serious impacts in many
organizations
► When you leave this presentation you will better
understand the threat posed by insiders, and will be
armed with considerations for a risk management
strategy for mitigating those threats.
Purpose of this Presentation

5. ► Center of Internet security expertise
► Established in 1988 by the
US Department of Defense
► Part of the Software Engineering Institute (SEI)
► Federally Funded Research & Development Center
(FFRDC)
► Operated by Carnegie Mellon University (Pittsburgh,
Pennsylvania)
What is CERT?

6. ► Center of insider threat expertise
► Began working in this area in 2001 with the U.S. Secret
Service
► Our mission: The CERT Insider Threat Center
conducts empirical research and analysis to develop
& transition socio-technical solutions to combat
insider cyber threats.
What is the CERT Insider Threat
Center?

7. ► Meet Alex Nicoll, Lead of the Technical Solutions Team
► All highly technical questions will be answered by him….
My Right Hand Technical Expert

8. Critical Insider
Threat Issues:
Actual Case
Studies

9. ► Company’s trade secrets are lost to their competitor
► Employee of the company’s trusted business partner stole the
information before accepting a job with the competitor.
A Trusted Business Partner that
Should not be Trusted

10. ► Nearly 80,000 encrypted files stolen after three
employees abruptly quit their jobs…
► Files continued to be automatically transmitted to the cloud;
former employees retained cloud access.
Secure File Sharing Utilities not so Secure

11. ► Closely guarded computer trading code exfiltrated from
hedge fund…
► Programmer used virtual machines to evade host based
monitoring.
Virtual Machines Evade Detection of Data
Exfiltration

12. ► Terrorist Watch List was tampered with by employee in
government agency outside the U.S.
► Wife’s name was added to the list three years earlier so she
could not return after leaving the country to visit family.
National Security at Risk by Insiders

13. ► Malware embedded in product forces shutdown after
random number of power cycles
► Contract programmer of 30 years devised the scheme so he
could start a side repair business.
Products Shipped with Embedded Malware

14. ► Company’s trade secrets photographed and emailed
outside the U.S.
► Two engineers servicing the company’s equipment used mobile
phone to take pictures for use in their own contract with Chinese
firm.
A Picture is Worth a Thousand Words…

15. ► Implement mitigation strategies for each of the 3 types of
insider threats: IT sabotage, theft of IP, and fraud
► IT Sabotage: Develop a strategy for handling privileged technical
employees and contractors who are “on the HR radar”.
► Theft of IP: Check for stolen information when employees and
contractors with access to critical information leave.
► Fraud: Seriously consider how your employees could misuse
your systems for financial gain.
What to Do – Foundation of an Insider
Threat Program

16. ► Contractually require protection of your IP by trusted
business partners
► Prohibit mobile devices in secure areas
► Implement physical controls for organization’s devices
What to Do – Low Hanging Fruit

17. ► Increase controls / monitoring of critical systems at times
of organizational duress
► Carefully control use of secure file sharing or cloud
services
► Beware of implications of virtual machines for host based
monitoring
► Monitor and alert on changes to critical files and systems
► Perform code reviews and product inspections prior to
product launch
► Implement strict account controls and audits
What to Do Next

18. ► Insider Threat Center website
(http://www.cert.org/insider_threat/)
► Common Sense Guide to Mitigating Insider Threats, 4th
Edition
(http://www.sei.cmu.edu/library/abstracts/reports/12tr012
.cfm)
► Insider threat workshops
► Insider threat assessments
► New controls from CERT Insider Threat Lab
► Insider threat exercises
CERT Resources

19. ► The CERT® Guide to Insider Threats:
How to Prevent, Detect, and Respond
to Information Technology Crimes
(Theft, Sabotage, Fraud) (SEI Series in
Software Engineering) by Dawn M.
Cappelli, Andrew P. Moore and Randall
F. Trzeciak
CERT Insider Threat Book

20. Best Practices for Insider Threat
Consider threats from insiders and business partners in
enterprise-wide risk assessments.
Clearly document and consistently enforce policies and
controls.
Incorporate insider threat awareness into periodic security
training for all employees.
Beginning with the hiring process, monitor and respond to
suspicious or disruptive behavior.
Anticipate and manage negative issues in the work
environment.
Know your assets.
Implement strict password and account management
policies and practices.
Enforce separation of duties and least privilege.
Define explicit security agreements for any cloud services,
especially access restrictions and monitoring capabilities.
Institute stringent access controls and monitoring policies
on privileged users.
Taken from: Common Sense Guide to Mitigating Insider Threats, 4th
Edition
(http://www.sei.cmu.edu/library/abstracts/reports/12tr012.cfm)

21. Dawn M. Cappelli
Director, CERT Insider Threat
Center
CERT Program, Software
Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9136 – Phone
dmc@cert.org – Email
Points of Contact
http://www.cert.org/insider_threat/
Alex Nicoll
Lead, Technical Solutions Team
CERT Program, Software
Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9205 – Phone
anicoll@cert.org – Email