Dark Reading is part of the Informa Tech Division of Informa PLC
Operations

11/13/2014
10:00 AM
Adam Firestone
Commentary

The Enemy Who Is Us: DoD Puts Contractors On Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks.

In June 1953, American cartoonist Walt Kelly wrote about human frailty in the introduction to The Pogo Papers, a compilation of his cartoon strip, Pogo:

There is no need to sally forth, for it remains true that those things which make us human are, curiously enough, always close at hand. Resolve then, that on this very ground, with small flags waving and tinny blasts on tiny trumpets, we shall meet the enemy, and not only may he be ours, he may be us.

Kelly’s words ring especially true today with respect to the murky underworld of cybercrime and insider threats. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. More frightening still is the fact that over a third of insider attacks target the personally identifiable information (PII) of either employees or customers.

Those facts alone are cause for concern. But it gets worse. The statistics cited above apply only to malicious insiders. Mounting evidence shows that unwitting insider threat actors create risks of comparable magnitude. Unwitting insider threats are trusted persons who fail to exercise good cyber hygiene. This can range from failing to follow good patch management practices to opening email attachments and clicking on links found in communications from untrusted sources.

The impact of the unwitting insider threat is large. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing or spear phishing. Put another way, roughly half of successful APT attacks gain their initial foothold through a user who acted on a message from an untrusted source: an unwitting insider threat actor with poor cyber hygiene habits.

It’s worth noting that these are just the costs that can be quantified economically. The impact to national security of cyber attacks occasioned by the actions of either malicious or unwitting insiders is impossible to fully quantify. Perhaps the words of Executive Order 13526, which describes certain information as being so sensitive that its unauthorized disclosure can reasonably be expected to “cause exceptionally grave damage to the national security,” best illustrate the point.

Despite the prevalence and potential consequences of cyber attacks originating from insider threats, there have been few, if any, regulatory attempts to mitigate the problem within the national security space. Thankfully, that state of affairs is about to change with the upcoming issuance of Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense through the Defense Security Service (DSS). The NISPOM establishes standards, procedures, and requirements for all government contractors who have access to or manage classified information.

Specifically, Conforming Change 2 will require all cleared US government contractors to establish an insider threat program that gathers, integrates, and reports relevant information on insider threat activity in accordance with Executive Order 13587. Additionally, contractors will be required to designate a senior official to manage the insider threat program to ensure that it has the necessary levels of executive authority within the organization.

Conforming Change 2 requires contractors to maintain, and be prepared to provide, records pertinent to insider threat information, including:

  • Counterintelligence and security records
  • Network data
  • Personnel records

Importantly, Conforming Change 2 also requires that contractor personnel be properly trained with respect to insider threats within 30 days of hiring or before being granted access to classified information. The training must cover:

  • Counterintelligence and security fundamentals including applicable legal issues
  • Procedures for conducting insider threat response actions
  • Laws and regulations on gathering, integrating, retaining, safeguarding, and using records and data and on the consequences of misuse of such information
  • Legal, civil liberties, and privacy policies
  • Detecting and reporting insider threats

Perhaps the most effective component of the change is that contractors will now be required to monitor activity on classified networks to detect insider threat indicators. While implementation details are not specified, monitoring mechanisms must adhere to guidance issued by the Cognizant Security Agency (CSA) and federal systems requirements as specified by FISMA, NIST, CNSS, and others.
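To make the "gathers, integrates, and reports" requirement concrete, the following is an added illustration, not code from the article and not DSS or CSA guidance: a small correlation routine that joins constructed network audit events against constructed personnel records and flags a handful of commonly cited insider threat indicators. Every field name, threshold, indicator and sample record here is an assumption chosen for the example; a real program would take its indicator set from CSA guidance and its schemas from the contractor's own systems.

```python
"""Toy insider-threat indicator correlation over constructed audit data.

Added example: not DSS/CSA guidance and not the article's own code. The
schemas, indicators, thresholds and sample records are all assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Assumed ordering of classification levels (higher number = more sensitive).
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Constructed personnel records (assumed schema): clearance held, and the
# date the employee gave notice of resignation, if any.
PERSONNEL = {
    "alice": {"clearance": "SECRET", "notice_date": None},
    "bob":   {"clearance": "SECRET", "notice_date": "2014-11-03"},
    "carol": {"clearance": "TOP SECRET", "notice_date": None},
}

# Constructed network audit events (assumed schema):
# (timestamp, user, action, classification of object, bytes, host)
EVENTS = [
    ("2014-11-10T09:12:00", "alice", "read", "SECRET", 20_000, "ws-12"),
    ("2014-11-10T23:40:00", "alice", "read", "SECRET", 600_000_000, "ws-12"),
    ("2014-11-10T10:05:00", "alice", "read", "TOP SECRET", 4_000, "ws-12"),
    ("2014-11-11T14:30:00", "bob", "copy_removable", "SECRET", 80_000_000, "ws-07"),
    ("2014-11-11T15:00:00", "carol", "read", "TOP SECRET", 1_000, "ws-03"),
]

OFF_HOURS = (22, 6)        # assumed: 22:00 to 06:00 local time
BULK_BYTES = 500_000_000   # assumed: half a gigabyte in one event


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def is_off_hours(dt):
    start, end = OFF_HOURS
    return dt.hour >= start or dt.hour < end


def evaluate(events=EVENTS, personnel=PERSONNEL):
    """Return a list of (user, indicator, timestamp) findings.

    Each event is checked against the personnel record for its user, so
    indicators that depend on integrating both data sources (access above
    clearance, activity after notice) can fire alongside purely
    network-derived ones (removable media, off-hours bulk access).
    """
    findings = []
    for ts, user, action, classification, nbytes, host in events:
        dt = parse_ts(ts)
        record = personnel.get(user)
        if record is None:
            # An account with no matching personnel record is itself a finding.
            findings.append((user, "no_personnel_record", ts))
            continue
        if CLEARANCE_RANK[classification] > CLEARANCE_RANK[record["clearance"]]:
            findings.append((user, "access_above_clearance", ts))
        if action == "copy_removable":
            findings.append((user, "removable_media_copy", ts))
        if is_off_hours(dt) and nbytes >= BULK_BYTES:
            findings.append((user, "off_hours_bulk_access", ts))
        notice = record["notice_date"]
        if notice and dt.date() >= datetime.strptime(notice, "%Y-%m-%d").date():
            findings.append((user, "activity_after_notice", ts))
    return findings


def summarize(findings):
    """Group indicators per user so that repeated signals surface for review."""
    per_user = defaultdict(list)
    for user, indicator, _ts in findings:
        per_user[user].append(indicator)
    return dict(per_user)


if __name__ == "__main__":
    results = evaluate()
    for finding in results:
        print(finding)
    print(summarize(results))
```

The output is a triage list, not an adjudication: each indicator is a reason for a human in the insider threat program to look, and the privacy, civil liberties and records-handling rules the training covers govern what happens to that list next.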

Is Conforming Change 2 a silver bullet with respect to insider threats? No. But it does provide sorely needed regulatory teeth to address a problem that has long plagued both industry and government. And DSS taking steps toward that end is indisputably a good thing.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...
Comments
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:09:29 AM
Re: A good start or too little too late?
Good point. That is at least something....Thx!
firestonea,
User Rank: Author
11/18/2014 | 9:07:58 AM
Re: A good start or too little too late?
So as not to conflate POST Snowden with PRE Snowden, it's worth noting that at the very least, internal government networks are being significantly fortified with respect to security in the POST Snowden era.
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:06:10 AM
Re: A good start or too little too late?
I'm actually surprised that in all the hand-wringing and finger-pointing in the wake of the Edward Snowden leaks, the government didn't try to put in place more stringent technical safeguards. I guess that is the nature of bureaucracy.
firestonea,
User Rank: Author
11/18/2014 | 8:55:15 AM
Re: A good start or too little too late?
Hi Marilyn,
I think such rules would have been a good start.  However, like most rules of that sort, they are deliberately vague as to implementation details in order to give organizations the maximum amount of flexibility.  I think that prevention of such a data loss would have required very specific technical safeguards to have been in place.  That being said, this rulemaking provides important impetus (and is a great step in overcoming organizational inertia) toward that goal.
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 10:27:06 AM
A good start or too little too late?
Good article, Adam. But I'm curious. Do you think having insider threat rules in place pre-Snowden could have prevented his leaking of classified NSA docs?