Government Targets Insider Threat

Defense, Justice, and HUD developing new strategies for stopping internal security leaks

ARLINGTON, Va. -- Black Hat DC -- Major U.S. government agencies are developing new strategies to detect and respond to insider computer security attacks, officials said at a conference here today.

Security officials working with the U.S. Departments of Defense, Justice, and Housing and Urban Development today gave insights on their directions at a small conference focused on best practices for defending against insider threats.

The Department of Defense, for example, is close to completing an RFP for a new technology that will help detect, monitor, and stop policy-breaking behavior across at least 22 defense-related services and agencies.

"We're close," said Bruce Gabrielson, chairman of the DOD's Enterprise-wide Solutions Steering Group's Insider Threat Technology Advisory Group. The RFP is the culmination of four years of study on the insider threat at many of the major military and intelligence agencies, including the National Security Agency.

The Insider Threat TAG has defined a plan for using technology to collect and analyze risky behavior among employees and other trusted insiders in the major defense-related departments, Gabrielson said. The plan involves the deployment of lightweight agents to all trusted insiders to detect policy-breaking behavior, combined with sophisticated security event management, correlation, and analysis tools that will eventually let the DOD analyze user activity down to the workstation level.

The new system will include simple, off-the-shelf tools to let agencies identify everyday mistakes and violations of system usage policies, but it will also allow them to track data that's being read on classified systems and re-typed on non-classified systems, Gabrielson said. It will combine centralized security analysis applications with end-point agents that are deployed and updated regularly, just as antivirus apps are today.

The new system will ask vendors to fill some functional gaps in currently available applications for monitoring and analyzing insider behavior, Gabrielson said. "One of the difficult parts for us is that the most plentiful tools are for lowest-risk threats, from our perspective," he said. "The greatest threat for us is passive malicious behavior, the kind of activity that wouldn't show up on most of the security applications out there right now."

For example, the ESSG will ask vendors to deliver better technology for profiling user behavior and correlating data across end-user monitoring applications, Gabrielson said. Current systems also need better methods for reducing the overabundance of security event data and for improving investigations and audits of end-user behavior, he said.

Gabrielson did not give a date for the expected issue of the RFP, but he said that ESSG's members have already agreed to fund the purchase of the insider threat protection system once it has been selected. He did not reveal the group's budget for the purchase.

Meanwhile, other U.S. government agencies are fleshing out their efforts to counter the insider threat. Dennis Heretick, deputy CIO for IT security at the Department of Justice, said the agency is weaving a number of insider-oriented capabilities into its Cyber Security Assessment and Management (CSAM) system, which tracks and monitors security issues across the DOJ and related agencies.

"For us, the insider threat is the least likely to happen, but it's potentially the most damaging if it did happen," Heretick said. The most likely "insider" problems at DOJ are accidental breaches by employees or trusted parties involving simple user commands, he said.

The DOJ has enhanced its CSAM system to include a number of insider-oriented capabilities, such as end user monitoring, data flow analysis, and real-time monitoring of IDS data and remote devices, Heretick said. The agency is also doing "intelligent encryption," adding encryption to a variety of systems while stopping short of encrypting all data inside the organization, he said.

The DOJ has suffered one public incident of insider attack, in which a user took his administrative ID and password with him after being terminated, Heretick said. "We had to take everybody off of that system and shut it off, and that put a lot of strain on another one of our systems, because it had to do the work of two. The insider threat is very real."

HUD is also moving to protect its systems against the insider threat, adding encryption to some systems while restricting the use of portable devices such as iPods and thumb drives that could be used to carry data out, according to Kelvin Taylor, an information security specialist at the agency.

"Today's biggest threat to computer security is the users," Taylor said. He cited recent numbers from Gartner, which state that 70 percent of unauthorized access to systems is committed by insiders.

HUD is moving toward more substantial safeguards, such as encryption, but it is trying to use common sense, Taylor said. "We had a request to encrypt some 'inside' data, including the number of times the toilets were flushed in the building," he recalled. "Our question was, why? You've got to ask questions like that. We don't encrypt everything."

Several experts at the conference spoke about trends in insider threats, including ArcSight CSO Brian Contos, who presented data from a joint study his company conducted with the Ponemon Institute. "Seventy-eight percent of the companies surveyed said they have had an insider incident in the last year that wasn't disclosed publicly," he said. "Eighty-nine percent said insider threats are a top three issue, along with malware and patch management."

Efforts such as the ESSG TAG's insider threat system are a reflection that government agencies, like corporations, are recognizing the gravity of the insider threat, Contos said. "What ESSG is doing shows they are very serious, not just about talking about it, but about really doing something."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
