Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/13/2014
10:00 AM
Adam Firestone
Adam Firestone
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

The Enemy Who Is Us: DoD Puts Contractors On Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks.

In June 1953, American cartoonist Walt Kelly wrote about human frailty in the introduction to The Pogo Papers, a compilation of his cartoon strip, Pogo:

There is no need to sally forth, for it remains true that those things which make us human are, curiously enough, always close at hand. Resolve then, that on this very ground, with small flags waving and tinny blasts on tiny trumpets, we shall meet the enemy, and not only may he be ours, he may be us.

Kelly’s words ring especially true today with respect to the murky underworld of cybercrime and insider threats. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. More frightening still is the fact that over a third of insider attacks target the personally identifiable information (PII) of either employees or customers.

Those facts alone are cause for concern. But it gets worse. The statistics cited above apply only to malicious insiders. Mounting evidence indicates the magnitude of risks realized due to unwitting insider threat actors. Unwitting insider threats are trusted persons who fail to exercise good cyber hygiene. This can range from failing to follow good patch management practices to opening email attachments and clicking on links found in communications from untrusted sources.

The impact of the unwitting insider threat is large. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing or spear phishing attacks. Put another way, half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors.

It’s worth noting that these are just the costs that can be quantified economically. The impact to national security of cyber attacks occasioned through the actions of either malicious or unwitting insiders is impossible to fully quantify. Perhaps the words of Executive Order 13526, which describes certain information as being so sensitive that its unauthorized disclosure can reasonably be expected to “cause exceptionally grave damage to the national security,” best illustrates the point.

Despite the prevalence and potential consequences of cyber attacks originating from insider threats, there have been few, if any, regulatory attempts to mitigate the problem within the national security space. Thankfully, that state of affairs is about to change with the upcoming issuance of Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense through the Defense Security Service (DSS). The NISPOM establishes standards, procedures, and requirements for all government contractors who have access to or manage classified information.

Specifically, Conforming Change 2 will require all cleared US government contractors to establish an insider threat program that gathers, integrates, and reports relevant information on insider threat activity in accordance with Executive Order 13587. Additionally, contractors will be required to designate a senior official to manage the insider threat program to ensure that it has the necessary levels of executive authority within the organization.

Conforming Change 2 requires contractors to maintain, and be prepared to provide, records pertinent to insider threat information, including:

  • Counterintelligence and security records
  • Network data
  • Personnel records

Importantly, Conforming Change 2 also requires that contractor personnel be properly trained with respect to insider threats within 30 days of hiring or before being granted access to classified information. The training must cover:

  • Counterintelligence and security fundamentals including applicable legal issues
  • Procedures for conducting insider threat response actions
  • Laws and regulations on gathering, integrating, retaining, safeguarding, and using records and data and on the consequences of misuse of such information
  • Legal, civil liberties, and privacy policies
  • Detecting and reporting insider threats

Perhaps the most effective component of the change is that contractors will now be required to monitor activity on classified networks to detect insider threat indicators. While implementation details are not specified, monitoring mechanisms must adhere to guidance issued by the Cognizant Security Agency (CSA) and federal systems requirements as specified by FISMA, NIST, CNSS, and others.

Is Conforming Change 2 a silver bullet with respect to the insider threats? No. But it does provide sorely needed regulatory teeth to address a problem that has long plagued both industry and government. And DSS taking steps toward that end is indisputably a good thing.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 10:27:06 AM
A good start or too little too late?
Good article, Adam. But I[m curious. Do you think having insider threat rules in place pre-Snowden could have prevented his leaking of classified NSA docs? 
firestonea
50%
50%
firestonea,
User Rank: Author
11/18/2014 | 8:55:15 AM
Re: A good start or too little too late?
Hi Marilyn,


I think such rules would have been a good start.  However, like most rules of that sort, they are deliberately vague as to implementation details in order to give organizations the maximum amount of flexibility.  I think that prevention of such a data loss would have required very specific technical safeguards to have been in place.  That being said, this rulemaking provides important impetus (and is a great step in overcoming organizational inertia) toward that goal.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:06:10 AM
Re: A good start or too little too late?
I'm actually surprised that in all the hand-wringing and finter-pointing in the wake of the  Edward Snowden leaks, the goverment didn't try to put in place more stringent technical safegards.. I guess that is the nature of bureaucracy..
firestonea
50%
50%
firestonea,
User Rank: Author
11/18/2014 | 9:07:58 AM
Re: A good start or too little too late?
So as not to conflate POST Snowden with PRE Snowden, it's worth noting that at the very least, internal government networks are being significantly fortified with respect to security in the POST Snowden era.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:09:29 AM
Re: A good start or too little too late?
Good point. That is at least something....Thx!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9079
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.