6/20/2017 02:00 PM
Thomas Jones
Commentary

Feds Call on Contractors to Play Ball in Mitigating Insider Threats

It's said that you're only as strong as your weakest player. That's as true in security as it is in sports.

Anyone who has ever played a team sport understands the importance of two key tenets when it comes to winning: practice makes perfect, and your team is only as strong as its weakest player.

The same two tenets apply to mitigating the insider threat, one of the most pressing IT security and risk-management challenges we face today.

Time and again, we've seen attackers compromise authorized network access, most often the access granted to third-party contractors, to bypass otherwise effective security defenses. In other cases, unchecked activity by those contractors with access has resulted in cataclysmic security incidents.

High-profile commercial examples of this phenomenon include the massive Target data breach, in which attackers hacked the credentials of an authorized HVAC services provider to make off with millions of customer records. In the government sector, merely citing one name — contractor Edward Snowden — conveys the risk that pertains to malicious activities of a single unmonitored actor.

According to recent research published by security vendors TrendMicro and PhishMe, as much as 90% of all successful cyber attacks leverage some form of user manipulation or phishing. This is typically carried out by tricking someone into clicking a malicious link or opening an attachment that carries some form of malware.

To help address the insider threat in the federal government, a recent update to the National Industrial Security Program Operating Manual, or NISPOM — which governs private industry access to classified information — finds regulators communicating to their contractor partners that when it comes to security awareness, it's time to step up.


Under the NISPOM Change 2 Insider Threat Mandate, which went into effect on May 31, federal contractors will be forced to have a much tighter game plan in place; much of this revolves around renewed focus on end-user security training. While the federal government required all cleared personnel to go through insider training in the past, NISPOM 2 dictates that each company must retrain anyone who will handle sensitive data within the next year.

I can see you rolling your eyes, but security training does have a significant impact, even for experienced practitioners. This is where "practice makes perfect" comes in.

According to CyberSecurity Ventures, the CISO at Wells Fargo estimates that his company recently reduced exposure to phishing by 40% through a renewed training program. According to our own data collected from real-world business environments, when employees are called out by their employer, close to 80% make changes and become more security-conscious. This proves that training needs to be an ongoing process — one that's cyclical, not static.

In that sense, NISPOM 2 is a good step forward, although training should be mandated continuously: whenever a policy violation occurs, and at least once a quarter, rather than annually as required now.

In addition to mandated end-user training, NISPOM 2 also requires contractors to have a written insider threat plan in place, and to conduct more frequent self-assessment reviews, ensuring that related policies and practices are effective. In general, I think this approach works because it calls for greater accountability across the board from these contract holders.

In addition to these practical tactics of increased training and more frequent self-review, NISPOM 2 appears to be an improved insider threat mitigation strategy because it specifically calls for the contractors involved to do three things:

  1. Be aware of the signs of insider threats
  2. Be cognizant of penalties for leaking sensitive information
  3. Know how and to whom to report any suspicious behavior

NISPOM 2 also goes one step further in requiring a minimal level of security around insider threats from other government partners, such as IT systems integrators. In general, the mandate is more thorough and prescriptive than previous efforts to address this range of potential risk factors.

So why is this happening now? This change comes as a direct result of high-profile insider cases such as those of Snowden and Harold Thomas Martin, who both were contractors. It's that simple.

At the same time, the Chinese army's alleged cyber spying unit, known as Unit 61398, actively targets contractors' home systems, in addition to their work systems, to gain access to U.S. government networks.

It seems safe to assume that other state actors are employing similar tactics. At the end of the day, this is because contractors are perceived as easier to subvert and therefore as better targets.

By pushing federal contractors to be more aware and focus on mitigating the insider threat, the federal government is taking a purposeful step toward protecting the core of its domain. As a result, this effort is likely to help build a more secure environment across the board.

If you want to win the game, you need to keep at the training and make sure everyone on your team is working together. If you do, you're almost certain to see better results on the playing field.

Thomas Jones is a Federal Systems Engineer at Bay Dynamics, an analytics company that enables enterprises and agencies to continuously quantify the financial impact of cyber-risk based on actual conditions detected dynamically in their environment. With more than 25 years of ...