Insider Threats

6/20/2017 02:00 PM
Thomas Jones
Commentary

Feds Call on Contractors to Play Ball in Mitigating Insider Threats

It's said that you're only as strong as your weakest player. That's as true in security as it is in sports.

Anyone who has ever played a team sport understands the importance of two key tenets when it comes to winning: practice makes perfect, and your team is only as strong as its weakest player.

The same can be said of mitigating the insider threat, one of the most pressing IT security and risk management challenges we face today.

Time and time again, we've seen attackers compromise authorized network access, often access granted to third-party contractors, to bypass otherwise effective security defenses. In other cases, unchecked activity by those same contractors has resulted in catastrophic security incidents.

High-profile commercial examples of this phenomenon include the massive Target data breach, in which attackers stole the network credentials of an authorized HVAC services provider and used them to make off with millions of customer records. In the government sector, merely citing one name, contractor Edward Snowden, conveys the risk posed by the malicious activities of a single unmonitored actor.

According to recent research published by security vendors Trend Micro and PhishMe, as much as 90% of all successful cyber attacks leverage some form of user manipulation or phishing. This is typically carried out by tricking someone into clicking a malicious link or opening an attachment that carries some form of malware.

To help address the insider threat in the federal government, a recent update to the National Industrial Security Program Operating Manual, or NISPOM, which governs private industry access to classified information, sends a clear message from regulators to their cleared contractor partners: when it comes to security awareness, it's time to step up.

Under the NISPOM Change 2 Insider Threat Mandate, which went into effect on May 31, federal contractors will be forced to have a much tighter game plan in place, much of it revolving around a renewed focus on end-user security training. While the federal government has required all cleared personnel to go through insider threat training in the past, NISPOM 2 dictates that each company must retrain, within the next year, anyone who will handle sensitive data.

I can see you rolling your eyes, but security training does have a significant impact, even for experienced practitioners. This is where "practice makes perfect" comes in.

According to Cybersecurity Ventures, the CISO at Wells Fargo estimates that his company recently reduced its exposure to phishing by 40% through a renewed training program. According to our own data collected from real-world business environments, when employees are called out by their employer, close to 80% make changes and become more security-conscious. This supports the view that training needs to be an ongoing process, one that's cyclical, not static.

In that sense, NISPOM 2 is a good step forward, although training should be mandated on a continuous basis: at least once a quarter, and whenever a policy violation occurs, rather than annually as now required.

In addition to mandated end-user training, NISPOM 2 also requires contractors to have a written insider threat plan in place, and to conduct more frequent self-assessment reviews, ensuring that related policies and practices are effective. In general, I think this approach works because it calls for greater accountability across the board from these contract holders.

Beyond these practical tactics of increased training and more frequent self-review, NISPOM 2 appears to be an improved strategy for insider threat mitigation because it specifically calls for cleared contractors to ensure their personnel increasingly do three things:

  1. Be aware of the signs of insider threats
  2. Be cognizant of penalties for leaking sensitive information
  3. Know how and to whom to report any suspicious behavior

NISPOM 2 also goes a step further by requiring a minimum level of insider threat security from other government partners, such as IT systems integrators. In general, the mandate is more thorough and prescriptive than previous efforts to address this range of risk factors.

So why is this happening now? This change comes on the heels of high-profile insider cases such as those of Snowden and Harold Thomas Martin, both of whom were contractors. It's that simple.

At the same time, the Chinese army's alleged cyber-espionage unit, known as Unit 61398, is reported to target contractors' home systems as well as their work systems as a way into U.S. government networks.

It would seem safe to assume that other state actors are employing similar tactics. At the end of the day, this is because contractors are perceived as easier to subvert and therefore make better targets.

By pushing federal contractors to be more aware and focus on mitigating the insider threat, the federal government is taking a purposeful step toward protecting the core of its domain. As a result, this effort is likely to help build a more secure environment across the board.

If you want to win the game, you need to keep at the training and make sure everyone on your team is working together. If you do, you're almost certain to see better results on the playing field.

Thomas Jones is a Federal Systems Engineer at Bay Dynamics, an analytics company that enables enterprises and agencies to continuously quantify the financial impact of cyber-risk based on actual conditions detected dynamically in their environment. With more than 25 years of ...