The Insider Threat To Business - Organisational Resilience


THE INSIDER THREAT TO BUSINESS
A personnel security handbook

MINISTERIAL FOREWORD

Business plays a crucial role in Australia’s social and economic wellbeing. But what if a business was disabled for a length of time? What would be the impact on its profitability, service delivery, employees, and the flow-on effects to the broader community? What would be the key to the business returning to normal operations quickly?

There are a range of threats or hazards, such as natural disasters and equipment failure, that can disrupt or disable business operations.

This booklet deals with one particular threat – the ‘insider’ – a person committing a malicious act or causing harm.

While malicious acts by insiders are rare, the potential level of threat warrants alertness by business.

In Australia, insider actions have historically been for personal gain or corporate or state-sponsored espionage. Internationally, however, there have been incidents of insider activity for radical and ideological purposes, sometimes furthered by terrorist means. To help illustrate insider activity, this booklet contains some case studies that are based on true stories from around the world.

Whatever an insider’s motivations, their activity can be harmful, expensive, embarrassing and disruptive. It can also have long-term detrimental effects on business operations, profitability, reputation and culture.

While most insider activity is likely to be for personal gain, it is wise and sensible to protect your business against the full range of insider threats.

This is part of building the resilience of your business – managing both foreseeable and unforeseen or unexpected risks.

This booklet outlines how you can make your business more resilient to insiders by understanding the threat and evaluating the risks, so you can develop a personnel security framework.

Good personnel security is good business – it’s also smart business.

I encourage all business owners to read this booklet – not only to help maintain your competitive edge and profitability – but also to help protect the broader community from the threat of insiders.

The Hon Nicola Roxon MP
Attorney-General

THE INSIDER THREAT TO BUSINESS PAGE 1

UNDERSTANDING THE INSIDER THREAT – Who, what, why, how and when

Definition

The insider threat can be defined as:

one or more individuals with the access and/or inside knowledge of a company, organisation, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.1

Who

An insider is someone who is a current or previous worker of an organisation or has legitimate access to its resources and uses or attempts to use that access to cause harm. This includes past and present employees and contractors.

The insider may be someone who:
- deliberately seeks employment with an organisation with intent to cause harm
- causes harm once employed but who had no intention of doing so when first employed, or
- is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider.

What

Insider activities can range from active betrayal to passive, unwitting or unwilling involvement in causing harm. They may include such things as:
- unauthorised disclosure of information
- physical or electronic sabotage
- facilitating third party access
- financial or process corruption, and
- theft.

Why

There are complex reasons why an employee would deliberately seek to cause harm.

An insider will usually be motivated by one or a combination of reasons. A useful acronym to understand the motivations underlying the willing behaviour is CRIME:
- coercion – being forced or intimidated
- revenge – for a real or perceived wrong
- ideology – radicalisation or advancement of an ideological or religious objective
- money – for illicit financial gain, and/or
- exhilaration – for the thrill of doing something wrong

It is important to note that many employees with motivation and malicious intent never commit an act of betrayal.

How and when

Insiders will identify and understand the business’ vulnerabilities and know how and when they can be exploited. They will use the trust invested in them, and their subsequent access to resources and facilities, to harm the business. They may either abuse legitimate access or take advantage of poor access controls to gain unauthorised access.

These activities may take place after considerable planning or on the spur of the moment when an opportunity arises.

SCENARIO 1

Melissa, 36, had worked for a small pharmaceutical laboratory for 12 years, almost since its inception. She was well known and well liked, mostly because she was good fun. Everyone knew she liked the local clubs for a drink and a dabble on the pokies.

In January, Melissa came back to work from Christmas holidays less lively than normal. Word got out that she had separated from her husband. Over the next few months Melissa’s demeanour and behaviour changed; she often arrived late and left early, she was distracted and took a lot of calls outside on her mobile phone. Everyone put this down to the separation.

One weekend the laboratory was burgled and a large volume of a chemical used to produce methamphetamines was stolen. There appeared to be no sign of forced entry. Melissa called in sick that week, but no-one took too much notice.

The following week, Melissa was arrested. The CEO of the company called a staff meeting to explain that Melissa had amassed a serious gambling debt and in the process dealt with a well known criminal network. She wasn’t able to repay some of her debt and, with her and her family’s safety under threat, had provided access to the thieves.

The CEO told staff that Melissa was very apologetic and upset when interviewed by police. She also said she had tried to send signs to a few colleagues that she was in trouble as she was too scared to tell anyone directly. She pleaded guilty and was sentenced to six months in prison. Her husband took custody of their three children and their house was sold to repay some of the debt. The chemicals were not recovered, although police had three suspects and were continuing their investigation.

- note significant changes in an employee’s personal circumstances
- note when an employee seems under considerable stress
- check whether all employees need after hours access

1 Noonan, T. and Archuleta, E. (2008) ‘The National Infrastructure Advisory Council’s Final Report and Recommendations on the Insider Threat to Critical Infrastructures’

PERSONNEL SECURITY – What it is and why do you need it?

Personnel security is a security framework or a set of measures to manage the risk of an employee exploiting their legitimate access to an organisation’s facilities, assets, systems, or people for illicit gain, or to cause harm.

Organisational personnel security

Implementing a personnel security framework will help you build an understanding of any insider threats facing your business and give you the tools to manage any associated risks. It will also allow you to place a level of trust in your employees so that you can confidently give them access to your business.

A Personnel Security Framework

PERSONNEL SECURITY PLAN (Page No.)

Organisational personnel security
- Know your business (page 5)
- A good security culture (page 5)
- A personnel security risk assessment (page 6)
- Understanding the legal framework (page 6)
- Communicating personnel security to your employees (page 6)

Pre-employment personnel security
- Identity checks (page 6)
- Overseas applicants or applicants who have spent time overseas (page 7)
- Qualification and employment checks (page 7)
- National criminal history check (page 8)
- Financial background checks (page 8)
- Document security (page 8)

Ongoing personnel security
- Access controls (page 8)
- Protective monitoring (page 8)
- Security culture (page 8)
- Countering manipulation (page 8)
- Reporting and investigation (page 9)
- Ongoing checks (page 11)
- Contractors (page 11)

Information and communications technologies
- Access controls (page 12)
- Shared administrative accounts (page 12)
- Account management policies and procedures (page 12)
- Standard operating environment (page 12)
- Logging and monitoring (page 12)
- Employee understanding of the consequences (page 12)

Know your business

You know your business best; its key roles and key people, its strengths and its weaknesses, its environment and its operations.

When developing your personnel security framework take into account:
- the broad operational environment
- your risk management framework
- the key positions of trust in your organisation
- the reliability and integrity of your recruitment processes
- your human resource structure and processes
- the interaction between your human resource and protective and electronic security areas, and
- implications of incidents which result from a breach of personnel security.

A good security culture

A good security culture is vital. It will include most, if not all, of the following characteristics:
- awareness: the security risks for the organisation are understood and accepted by employees
- ownership: security is viewed as an integral part of the organisation’s business
- reporting: security breaches are reported and reporting is accepted as normal by employees
- compliance: there is a high level of compliance with security policies and procedures
- discipline: sensitive access or information is not provided unless there is a clear requirement
- challenge: employees are confident to challenge others if they are not complying with security requirements
- communication: the rationale for security measures is clearly communicated to all employees
- senior sponsorship: senior managers place, and are seen to place, a high value on security
- enforced disciplinary procedures: security breaches are dealt with consistently and rigorously, according to well established guidelines, and
- offering incentives: the generation of ideas for improving security and reporting security breaches is rewarded appropriately.2

2 Personnel Security: Threats, Challenges and Measures (2007) Centre for the Protection of National Infrastructure www.cpni.gov.uk

A personnel security risk assessment

Most businesses have implemented basic risk management principles. These same principles apply when developing your personnel security framework. Based on your risk assessment you will be able to:
- prioritise risks to your business
- develop a personnel security plan, identifying security measures to mitigate the risks
- allocate resources cost effectively and commensurate with the risk, and
- communicate insider risks to managers and employees and secure their engagement in your personnel security framework.

Understanding the legal framework

Understanding the legal framework is vital. When developing your personnel security plan, you will need to be aware of a wide range of legal issues. If you have any concerns or questions, it is wise to seek legal advice to make sure your framework and processes comply.

Relevant legal issues include:
- general discrimination, including race, gender, religion, sexual orientation, age and disability
- criminal history
- immigration status
- handling personal information
- privacy, and
- occupational health and safety.

Communicating personnel security to your employees

Background checking is designed to give you confidence that prospective employees are who they say they are and have the skills and experience they say they do.

In turn, this will provide you with the requisite level of trust in a prospective employee to offer them a job and give them access to your business and its resources.

As early as possible in your recruitment process advise all applicants about:
- your business’ requirements for pre-employment checking
- why those checks are conducted
- to whom the information might be disclosed
- what your business will do with the information collected, and
- what subsequent decisions will be made about the applicants’ suitability for work.

The more sensitive the position, the more checks you will probably want to make.

Pre-employment personnel security

Identity checks

Verifying the identity of applicants during recruitment is fundamental. It will give you a level of assurance about your prospective employee.

With all pre-employment background checks, be sure of the criteria for checking before you start. Identify the requisite level of checking for each position.

Details on how to verify the identity of potential employees can be found in Australian Standard AS 4811‑2006 Employment Screening and HB 323‑2007 Employment Screening Handbook. These publications can be found at www.saiglobal.com

Overseas applicants or applicants who have spent time overseas

Many prospective employees will have lived and worked outside Australia. For Australian citizens who have lived and worked overseas you should try, to the extent possible, to conduct the same checks you would if the applicant had worked only in Australia.

For non-Australian citizens, in addition to the checks you would conduct for an Australian citizen you should also check whether the applicant has the right to work in Australia, in what positions and for how long.

Qualification and employment checks

You should check the details in an applicant’s curriculum vitae to ensure there are no unexplained gaps or anomalies. Where possible you might also like to contact previous employers to confirm past employment and ensure that the details match those in the applicant’s CV.

You may also wish to contact previous employers for a character reference.

When confirming an applicant’s qualifications you should:
- request original certificates or certified copies
- compare details with those provided by the applicant, and
- confirm the existence of the institution and confirm the details provided by the applicant.

SCENARIO 2

Peter, 49, had worked as an accountant in a medium sized company in the telecommunications sector for two years. He was known to be competent, quiet and unassuming and fitted neatly into most people’s stereotype of the quiet accountant.

Peter’s boss, the Chief Financial Officer, was head hunted to a larger firm and Peter was promoted to his job. It was a young company and had made a lot of money quickly. The CEO was an ideas man and he trusted Peter to look after the money side of things.

Ten months after Peter took over as CFO regulations changed and five new businesses entered the market. Peter informed the CEO and executive that, although still profitable, the company’s profits were likely to be under the forecast. Some people noticed that Peter was driving an expensive new car.

Four months later, Peter left the company suddenly. Within days, the CEO was told that the company was in deep financial trouble. Twenty staff were made redundant that day, with the remaining 110 told their future was shaky. A consulting accountant quickly found that Peter had stolen nearly two million dollars from the company and had hung on to the very last minute before it all came crashing down. The matter was referred to the police.

Peter could not be tracked down, but police soon found that he had given a false name to the company when he was recruited and most of the details on his CV were either misleading or false. Police discovered his true identity but unfortunately Peter had left the country.

- check identity
- check qualifications
- notice significant unexplained changes in an employee’s circumstance

National criminal history check

If you conduct a criminal history check you should be clear about what convictions would preclude a person from employment.

You should be aware of the provisions of the relevant jurisdictional spent conviction scheme. You should also bear in mind that just as a criminal conviction is not necessarily a bar to employment, neither does a clean record guarantee that a person will not present an insider threat to your business.

If you choose to do a criminal history check, it should be undertaken by either the relevant police service or an authorised agency. You will need the applicant to complete a consent form to have the check undertaken.

Financial background checks

You may consider conducting a financial background check or request details of an applicant’s financial position. As with all pre-employment checks, the applicant should be advised of the reason for the check.

Financial background checks can be conducted by a credit checking agency. Again, you will need the applicant to complete a consent form to have the check undertaken.

Document security

In the case of any pre-employment check, you should ensure that all documentation is securely held and made available only to those who can demonstrate a need to access the information.

If an applicant fails to meet the standards that your business (and/or legislation) has set and their application is rejected, they should be advised of the grounds for rejection and informed of any available avenues of appeal.

Ongoing personnel security

Access controls

Access controls, manual or automated, protect your business from unauthorised access to its physical, human or electronic assets. Giving appropriate access to those you trust is an important element of your personnel security framework.

Security passes are the most common form of physical access control. Most passes today contain a photograph and could also include information about the level of access and security clearance held by the bearer. This could be colour coded to help other staff determine whether a person is authorised to be in a certain area or access certain material.

You should issue passes from one single location or department to reduce the possibility of duplication or confusion.

Protective monitoring

Your physical access controls should have a system that enables you to monitor any breaches or attempted breaches. For particularly sensitive areas you may choose to use a system that provides real-time alerts about unauthorised access. You may choose to install more intensive monitoring, such as security staff or closed circuit television (CCTV) at certain access points.

The more layers of security you add the more likely you will identify unusual behaviour.

Security culture

There may be signs that an employee is vulnerable to becoming an insider. It is important to note that these signs are of general stress and do not necessarily indicate a propensity to become an insider:
- appearing intoxicated or affected by a substance at work
- increased nervousness or anxiety
- decline in work performance
- extreme and persistent interpersonal difficulties
- extreme or recurring statements demonstrating a level of bitterness, resentment or vengeance
- creditors calling at work
- sudden and unexplained wealth, and/or
- inappropriate interest in sensitive or classified information.

Countering manipulation

Your employees should be educated in recognising the signs of insider behaviour. They also need to be made aware of the potential that they could be recruited by someone from outside the business who may:
- ask seemingly innocent questions about the organisation in a piecemeal way, or
- ask colleagues to overlook small security breaches, such as being in an unauthorised area or not wearing a security pass.

Although each activity may seem insignificant, they may be highly valuable to an adversary when put together.

Reporting and investigation

Suspected breaches of any personnel security measures could be reported in a number of ways.

You may choose to use existing lines of reporting, or you may consider establishing an alternative mechanism such as an informal network or a reporting hotline. In either case reports should be investigated quickly to ensure confidence in your personnel security measures is maintained.

If you conduct an in-house investigation you should follow some general principles:
- guidelines: establish guidelines (if they do not already exist) about how an investigation will run, how evidence will be gathered, how witnesses will be approached and who will run the investigation
- benefit of the doubt: in many cases there may be a simple explanation for a security breach, so where possible give the employee the opportunity to explain. Where this is not possible, you should consider when to inform the employee they are the subject of an investigation
- criminality: report any suspected criminal activity to the police as soon as possible
- legality: handle all internal investigations legally, and
- morale: be aware that an investigation, even one handled well, can have an adverse impact on employees.

Ongoing checks

Employers might also want to think about whether they would like to repeat any of the pre-employment checking stages when an employee applies for a promotion or at regular intervals while in their employment.

Contractors

Contractors pose additional challenges, however they should be included in your personnel security framework to the extent possible.

Where you are unable to carry out background checks to the same level as employees because of time constraints, or lack of full information, you should be aware of the associated risks and know what you need to do to manage these risks.

If you have identity and/or access control passes it is a good idea to have an identifier to indicate a contractor. It will be very important to ensure that once the contract has finished the contractor returns all access cards.

SCENARIO 3

George, 24, worked for a large company in the resources sector. He had been in Australia for six months, from Europe. Although quiet initially, he soon started talking about starving people and weather changes that would cause massive tsunamis that would drown half the world. George’s workmates wondered why he worked for the company; he didn’t seem interested in the good wages and he didn’t seem to approve of digging into the ground for valuable resources. This wasn’t something they thought much about, but they did notice their supervisor treated George’s talk with derision.

One morning George’s colleagues arrived to find the company’s equipment spray painted, its tyres slashed and engines clogged with sand. They also found George and two friends chained to a mine entrance, with what they said were bombs in their backpacks. George demanded the company cease operations immediately and give 80 per cent of last year’s profits to charity. He said the company was committing environmental terrorism.

After hours of negotiation the police removed George and his friends. While they discovered the bombs were crude hoaxes, the company lost over 4 million in damaged equipment and lost operating time. The company then spent 1.25 million on an immediate upgrade to its security and lost 4 per cent of its share value as investors lost confidence in management. George and his friends were each tried, convicted and sentenced. During the course of the trial it was revealed that George was a well-known environmental activist in his homeland and had sought to work at the company with the intention of sabotaging its operations.

- check identity
- note strongly held views that seem to contradict the purpose of the business
- managers should demonstrate respect for their employees’ views (unless they are discriminatory) even if at the same time holding and expressing concerns to other managers
- check whether all employees need after hours access

SCENARIO 4

Jane had been working as a system administrator for a large company for several months. She was competent and considered a hard worker.

During a corporate restructure, Jane’s roles were changed. Jane started to voice her objections to the changes, and the quality of her work started to deteriorate. During office relocations, Jane was moved from a desk within the centre of her work area to the edge. Shortly afterwards Jane resigned from the company with little notice, preventing a proper handover of her duties.

Four weeks later staff arrived at work to find that all the staff records had been deleted. When the IT staff checked the backup tapes, they found the data had been encrypted and was unusable. The total cost to the company in restoring the damaged data was 1.2 million which did not include the cost of lost business.

Forensic analysis of the network found evidence that Jane had inserted malicious software into the network to encrypt the backups and delete the data after a set period of time. Further examination showed that Jane’s access had not been properly removed and she had been able to remotely access the network since her departure and prevent earlier detection of her actions.

- monitor staff morale
- ensure that staff access is removed quickly after they leave, and
- monitor and log any changes to the system and review those logs regularly

INFORMATION AND COMMUNICATIONS TECHNOLOGIES

As businesses become increasingly dependent on information and communications technologies (ICT), the consequences of denial of these technologies increase. An insider’s access and knowledge of the vulnerabilities and procedures of a business’ ICT may be used to cause significant damage to the business’ reputation, productivity or finances.

Access controls

Formal policies to disable access when a staff member or contractor is dismissed or leaves may reduce their ability to cause harm to an organisation. This policy should also include any remote access that they may have as well as changing the passwords of any shared accounts that they may have used. Certificates and tokens used to access the network should be immediately revoked to prevent misuse.

Shared administrative accounts

Shared administrative accounts should be avoided as they create a significant vulnerability to organisations. These vulnerabilities include:
- rarely having changed passwords
- having a high level of privilege on the network, and
- causing a level of ambiguity in forensic analysis.

If a shared administrative account is required, its use should be logged, and when a staff member’s role changes or they leave, the account’s password should be changed to prevent misuse.

Account management policies and procedures

In a majority of insider attacks the attacker attempts to conceal their identity. Auditing new accounts, especially those with administrative or remote access, will aid in detecting accounts used by an insider. This auditing should include verification by the account owners.

Delineating ICT roles between administrators and security personnel will increase the monitoring of systems and minimise the possibility that a malicious change will go undetected.

Standard operating environment

The use of malicious software and scripts to delete or corrupt an organisation’s data can be difficult to detect. The use of a standard operating environment (SOE) can aid in the detection of malicious software through periodically checking the current configuration of a user’s environment with the SOE, and querying any changes.

Logging and monitoring

Monitoring of system logs may allow early detection of malicious changes to the network.

System logs need to be protected to preserve their integrity, should be accessible only by security staff, and should be backed up to allow forensic analysis if there is an incident.

Employee understanding of the consequences

The majority of insiders do not consider the consequences of their actions when undertaking an attack. Educating employees on the consequences of such attacks from both the business and perpetrator’s perspective may act as a deterrent to such attacks. This includes the risk of financial losses causing retrenchments to other staff as well as criminal prosecution and jail sentences.
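As an added illustration of the access-control, shared-account and account-management practices described above (example code written for this page, not from the booklet), the following Python audit reconciles a constructed directory snapshot against an HR leaver list and the account list from the previous audit; every name, date and the 90-day shared-password age limit is an assumption.

```python
"""Account lifecycle audit reconciling a directory snapshot with HR records.

Example code written for this page; the accounts, people, dates and the
90-day shared-password age limit are constructed, not from the booklet.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    owner: str              # person responsible; "shared" for a shared account
    enabled: bool
    admin: bool             # administrative privilege on the network
    remote: bool            # can log in from outside the business
    created: date
    password_changed: date
    shared: bool = False
    used_by: tuple = ()     # for shared accounts: staff who know the password


# Constructed directory snapshot (hypothetical names and dates).
ACCOUNTS = [
    Account("jsmith", "J. Smith", True, False, False, date(2009, 3, 1), date(2010, 9, 1)),
    Account("sysadmin-jane", "Jane Doe", True, True, True, date(2010, 2, 1), date(2010, 5, 1)),
    Account("svc-backup", "shared", True, True, False, date(2008, 1, 1), date(2009, 1, 1),
            shared=True, used_by=("Jane Doe", "A. Lee")),
    Account("contractor-x1", "X. Contractor", True, False, True, date(2010, 10, 20), date(2010, 10, 20)),
    Account("alee", "A. Lee", True, False, False, date(2009, 6, 1), date(2010, 8, 1)),
]

# Constructed HR leaver list: person -> last day of employment.
LEAVERS = {"Jane Doe": date(2010, 9, 30)}

# Account names recorded at the previous audit; anything else is new.
PREVIOUS_AUDIT = {"jsmith", "sysadmin-jane", "svc-backup", "alee"}


def audit(accounts, leavers, previous_audit, today, max_password_age_days=90):
    """Return (finding_code, account_name, detail) tuples.

    Checks, in the order the page discusses them:
      ACCESS_NOT_REMOVED            - a leaver's personal account is still enabled
      SHARED_PASSWORD_NOT_ROTATED   - a shared account's password predates the
                                      departure of someone who knew it
      SHARED_PASSWORD_STALE         - a shared account's password is older than policy
      VERIFY_NEW_PRIVILEGED_ACCOUNT - an admin or remote account created since the
                                      last audit; confirm it with its owner
    """
    findings = []
    for a in accounts:
        # Access controls: leavers' accounts must be disabled, remote access included.
        if not a.shared and a.enabled and a.owner in leavers:
            findings.append(("ACCESS_NOT_REMOVED", a.name,
                             f"{a.owner} left on {leavers[a.owner]}"))
        # Shared administrative accounts: rotate on departure and on a fixed schedule.
        if a.shared:
            for person in a.used_by:
                left = leavers.get(person)
                if left is not None and a.password_changed <= left:
                    findings.append(("SHARED_PASSWORD_NOT_ROTATED", a.name,
                                     f"{person} left on {left}; password unchanged since "
                                     f"{a.password_changed}"))
            age = (today - a.password_changed).days
            if age > max_password_age_days:
                findings.append(("SHARED_PASSWORD_STALE", a.name, f"password is {age} days old"))
        # Account management: new privileged or remote accounts need owner verification.
        if a.name not in previous_audit and (a.admin or a.remote):
            findings.append(("VERIFY_NEW_PRIVILEGED_ACCOUNT", a.name,
                             f"created {a.created}; admin={a.admin} remote={a.remote}"))
    return findings


def audit_sample(today=date(2010, 11, 1)):
    """Run the audit over the constructed snapshot as at a given date."""
    return audit(ACCOUNTS, LEAVERS, PREVIOUS_AUDIT, today)


if __name__ == "__main__":
    for code, name, detail in audit_sample():
        print(f"{code:30} {name:15} {detail}")
```

Run against the sample data it flags the still-enabled account of the departed administrator, the shared backup account whose password she still knows, and the new remote contractor account awaiting owner verification.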

MORE INFORMATION

Reporting Events

In the event of an emergency – dial 000

To report possible signs of terrorism phone the National Security Hotline on 1800 123 400

Further Information

National Security website – www.nationalsecurity.gov.au

The Trusted Information Sharing Network for Critical Infrastructure Resilience website – www.tisn.gov.au

Risk Management and Business Continuity Standards
Standards Australia website – www.standards.org.au

© Commonwealth of Australia 2010
5043 Nov 2010
ISBN: 978-1-921725-37-1
