
Operations

11/13/2014 10:00 AM
Adam Firestone
Commentary

The Enemy Who Is Us: DoD Puts Contractors On Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks.

In June 1953, American cartoonist Walt Kelly wrote about human frailty in the introduction to The Pogo Papers, a compilation of his cartoon strip, Pogo:

There is no need to sally forth, for it remains true that those things which make us human are, curiously enough, always close at hand. Resolve then, that on this very ground, with small flags waving and tinny blasts on tiny trumpets, we shall meet the enemy, and not only may he be ours, he may be us.

Kelly’s words ring especially true today with respect to the murky underworld of cybercrime and insider threats. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. More frightening still is the fact that over a third of insider attacks target the personally identifiable information (PII) of either employees or customers.

Those facts alone are cause for concern. But it gets worse. The statistics cited above apply only to malicious insiders. Mounting evidence points to the magnitude of risk realized through unwitting insider threat actors. Unwitting insider threats are trusted persons who fail to exercise good cyber hygiene. This can range from failing to follow good patch management practices to opening email attachments and clicking on links found in communications from untrusted sources.

The impact of the unwitting insider threat is large. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing or spear phishing attacks. Put another way, half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors.

It’s worth noting that these are just the costs that can be quantified economically. The impact to national security of cyber attacks occasioned through the actions of either malicious or unwitting insiders is impossible to fully quantify. Perhaps the words of Executive Order 13526, which describes certain information as being so sensitive that its unauthorized disclosure can reasonably be expected to “cause exceptionally grave damage to the national security,” best illustrate the point.

Despite the prevalence and potential consequences of cyber attacks originating from insider threats, there have been few, if any, regulatory attempts to mitigate the problem within the national security space. Thankfully, that state of affairs is about to change with the upcoming issuance of Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense through the Defense Security Service (DSS). The NISPOM establishes standards, procedures, and requirements for all government contractors who have access to or manage classified information.

Specifically, Conforming Change 2 will require all cleared US government contractors to establish an insider threat program that gathers, integrates, and reports relevant information on insider threat activity in accordance with Executive Order 13587. Additionally, contractors will be required to designate a senior official to manage the insider threat program to ensure that it has the necessary levels of executive authority within the organization.

Conforming Change 2 requires contractors to maintain, and be prepared to provide, records pertinent to insider threat information, including:

  • Counterintelligence and security records
  • Network data
  • Personnel records

Importantly, Conforming Change 2 also requires that contractor personnel be properly trained with respect to insider threats within 30 days of hiring or before being granted access to classified information. The training must cover:

  • Counterintelligence and security fundamentals including applicable legal issues
  • Procedures for conducting insider threat response actions
  • Laws and regulations on gathering, integrating, retaining, safeguarding, and using records and data and on the consequences of misuse of such information
  • Legal, civil liberties, and privacy policies
  • Detecting and reporting insider threats

Perhaps the most effective component of the change is that contractors will now be required to monitor activity on classified networks to detect insider threat indicators. While implementation details are not specified, monitoring mechanisms must adhere to guidance issued by the Cognizant Security Agency (CSA) and federal systems requirements as specified by FISMA, NIST, CNSS, and others.

Is Conforming Change 2 a silver bullet with respect to insider threats? No. But it does provide sorely needed regulatory teeth to address a problem that has long plagued both industry and government. And DSS taking steps toward that end is indisputably a good thing.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...

Comments
Marilyn Cohodas, User Rank: Strategist
11/17/2014 | 10:27:06 AM
A good start or too little too late?
Good article, Adam. But I'm curious. Do you think having insider threat rules in place pre-Snowden could have prevented his leaking of classified NSA docs?
firestonea, User Rank: Author
11/18/2014 | 8:55:15 AM
Re: A good start or too little too late?
Hi Marilyn,

I think such rules would have been a good start. However, like most rules of that sort, they are deliberately vague as to implementation details in order to give organizations the maximum amount of flexibility. I think that prevention of such a data loss would have required very specific technical safeguards to have been in place. That being said, this rulemaking provides important impetus (and is a great step in overcoming organizational inertia) toward that goal.
Marilyn Cohodas, User Rank: Strategist
11/18/2014 | 9:06:10 AM
Re: A good start or too little too late?
I'm actually surprised that in all the hand-wringing and finger-pointing in the wake of the Edward Snowden leaks, the government didn't try to put in place more stringent technical safeguards. I guess that is the nature of bureaucracy.
firestonea, User Rank: Author
11/18/2014 | 9:07:58 AM
Re: A good start or too little too late?
So as not to conflate POST Snowden with PRE Snowden, it's worth noting that at the very least, internal government networks are being significantly fortified with respect to security in the POST Snowden era.
Marilyn Cohodas, User Rank: Strategist
11/18/2014 | 9:09:29 AM
Re: A good start or too little too late?
Good point. That is at least something... Thx!