Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Insider Threats

02:00 PM
Thomas Jones
Thomas Jones
Connect Directly
E-Mail vvv

Feds Call on Contractors to Play Ball in Mitigating Insider Threats

It's said that you're only as strong as your weakest player. That's as true in security as it is in sports.

Anyone who has ever played a team sport understands the importance of two key tenets when it comes to winning: practice makes perfect, and your team is only as strong as its weakest player.

The same can be said as they relate to mitigating the insider threat, one of the most pressing IT security and risk management challenges we face today.

Time and time again, we've seen attackers leverage compromise of authorized access to networks, most often granted to third-party contractors, to bypass otherwise effective security defenses. In other cases, unchecked activity on the part of those contractors with access has resulted in cataclysmic security incidents.

High-profile commercial examples of this phenomenon include the massive Target data breach, in which attackers hacked the credentials of an authorized HVAC services provider to make off with millions of customer records. In the government sector, merely citing one name — contractor Edward Snowden — conveys the risk that pertains to malicious activities of a single unmonitored actor.

According to recent research published by security vendors TrendMicro and PhishMe, as much as 90% of all successful cyber attacks leverage some form of user manipulation or phishing. This is typically carried out in the form of tricking someone to click on an infected URL link or open an attachment that carries some form of malware.

To help address the insider threat in the federal government, a recent update to the National Industrial Security Program Operating Manual, or NISPOM — which governs private industry access to classified information — finds regulators communicating to their contractor partners that when it comes to security awareness, it's time to step up.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Under the NISPOM Change 2 Insider Threat Mandate, which went into effect on May 31, federal contractors will be forced to have a much tighter game plan in place; much of this revolves around renewed focus on end-user security training. While the federal government required all cleared personnel to go through insider training in the past, NISPOM 2 dictates that each company must retrain anyone who will handle sensitive data within the next year.

I can see you rolling your eyes, but security training does have a significant impact, even for experienced practitioners. This is where "practice makes perfect" comes in.

According to CyberSecurity Ventures, the CISO at Wells Fargo estimates that his company recently reduced exposure to phishing by 40% through a renewed training program. According to our own data collected from real-world business environments, when employees are called out by their employer, close to 80% make changes and become more security-conscious. This proves that training needs to be an ongoing process — one that's cyclical, not static.

In that sense, NISPOM 2 is a good step forward, although training should be mandated continuously, on an as-policy-violations-happen and at-least-once-a-quarter basis vs. annually, as required now.

In addition to mandated end-user training, NISPOM 2 also requires contractors to have a written insider threat plan in place, and to conduct more frequent self-assessment reviews, ensuring that related policies and practices are effective. In general, I think this approach works because it calls for greater accountability across the board from these contract holders.

In addition to these practical tactics of increased training and more frequent self-review, NISPOM 2 would appear to be an improved strategy for insider threat mitigation as it specifically calls for the involved contractors to increasingly do these three things:

  1. Be aware of the signs of insider threats
  2. Be cognizant of penalties for leaking sensitive information
  3. Know how and to whom to report any suspicious behavior

NISPOM 2 also goes one step further in requiring a minimal level of security around insider threats from other government partners, such as IT systems integrators. In general, the mandate is more thorough and prescriptive than previous efforts to address this range of potential risk factors.

So why is this happening now? This change comes as a direct result of high-profile insider cases such as those of Snowden and Harold Thomas Martin, who both were contractors. It's that simple.

At the same time, the Chinese army's alleged cyber spying unit, known as Unit 61398, actively targets contractors' home systems, in addition to their work systems, to gain access to U.S. government networks.

It would seem safe to assume the other state actors are employing similar tactics. At the end of the day, this is because the perception is that contractors are easier to subvert and therefore make better targets.

By pushing federal contractors to be more aware and focus on mitigating the insider threat, the federal government is taking a purposeful step toward protecting the core of its domain. As a result, this effort is likely to help build a more secure environment across the board.

If you want to win the game, you need to keep at the training and make sure everyone on your team is working together. If you do, you're almost certain to see better results on the playing field.

Related Content:

Thomas Jones is a Federal Systems Engineer at Bay Dynamics, an analytics company that enables enterprises and agencies to continuously quantify the financial impact of cyber-risk based on actual conditions detected dynamically in their environment. With more than 25 years of ... View Full Bio
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.