Insider Threat Programs for the Critical Manufacturing Sector - CISA

Transcription

CYBER INFRASTRUCTURE
Insider Threat Programs for the Critical Manufacturing Sector
Implementation Guide
August 2019


Letter from the Assistant Director and the Director

Threats from trusted insiders with authorized access to an organization can wittingly or unwittingly harm that organization, its resources, and disrupt operations. Unmitigated insider risk can increase the danger of attack on an organization.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) works closely with the Critical Manufacturing Sector to improve the sector's security and resilience. The Department of Defense's Defense Counterintelligence and Security Agency supports cleared facilities' efforts to protect classified information. Both agencies' missions involve creating resources to help organizations protect against insider threats.

The Insider Threat Programs for the Critical Manufacturing Sector Implementation Guide was developed to provide guidance and information for critical manufacturing organizations to establish insider threat programs. These programs serve to gather, monitor, and assess information for insider threat detection and mitigation strategies. Insider threat programs are designed to detect, deter, and mitigate the risks associated with trusted insiders and protect the privacy of the workforce while reducing potential harm to the organization. Effective insider threat programs deploy risk management strategies that identify the assets or resources to be protected, identify potential threats, determine vulnerabilities, assess risk, and deploy countermeasures.

CISA and DCSA appreciate the participation and dedication in developing this guide of Government Coordinating Council (GCC) and Sector Coordinating Council (SCC) members along with members of our private sector. A more protected Critical Manufacturing Sector from insider threats is a stronger sector.

As CISA's Assistant Director for Infrastructure Security and DCSA's Director of the Center for Development of Security Excellence, we encourage you to use and reference this Guide. Thank you for your partnership and commitment to securing our nation.

Sincerely,

Brian Harrell
Assistant Director for Infrastructure Security

Kevin Jones
Director of the Center for Development of Security Excellence


Trusted insiders, both witting and unwitting, can cause grave harm to your organizations, facilities, resources, and personnel. Insider incidents account for billions of dollars annually in "actual" and "potential" lost revenue related to trade secret theft, fraud, sabotage, damage to an organization's reputation, acts of workplace violence, and more. Insider threat programs can mitigate risks associated with trusted insiders. The sections that follow explain how to establish an insider threat program at your organization and develop a risk management strategy that addresses areas critical to manufacturing.

- Understanding the Insider Threat (page 3)
- Establishing an Insider Threat Program (page 5)
- Insider Risk Management Strategy (page 9)
- Insider Threat Program Resources (page 13)


1 Understanding the Insider Threat

What is an Insider Threat?
Anyone with authorized access who uses that access to wittingly or unwittingly harm the organization and its resources. Insiders can include employees, vendors, partners, suppliers, and others to whom you provide access to your facilities and/or information. Most insider threats exhibit risky behavior prior to committing negative workplace events. If identified early, many risks can be mitigated before harm to the organization occurs. Learn more about insider threat indicators and find free training and awareness materials at

What Risks Do Insider Threats Pose to Critical Manufacturing?
Numerous threats have the potential to cause major disruption in manufacturing operations. These include malicious acts committed by insiders such as fraud, theft, sabotage, workplace violence, and more. Unwitting insiders may inadvertently disclose proprietary or other sensitive information, unknowingly download malware, or facilitate other cybersecurity events. The critical manufacturing sector reports the highest number of attacks on industrial control systems of any critical infrastructure sector. Unmitigated insider risk is likely to increase the risk of attack. See the case study below or visit https://www.cdse.edu/resources/casestudies.html for more real-world events.

What Can My Organization Do to Reduce the Risk Associated with Trusted Insiders?
Effective insider threat programs deploy risk management strategies that identify the assets or resources to be protected, identify potential threats, determine vulnerabilities, assess risk, and deploy countermeasures. Many countermeasures are no or low cost to the organization and include training and awareness, clear reporting policies, managing organizational trust, and enhanced security procedures. Review the Insider Risk Management Strategy on page 9 to learn more.

What Resources are Available to Me?
The Department of Homeland Security, Department of Defense, National Insider Threat Task Force, Federal Bureau of Investigation, and National Counterintelligence and Security Center have numerous free resources available to your organization. Review the Resources section on page 13 to learn more.

Why Establish an Insider Threat Program?
Insider threat programs are designed to detect, deter, and mitigate the risks associated with trusted insiders. Multidisciplinary teams comprised of security, human resources, cyber/information technology (IT), legal, and other professionals from throughout your organization gather, integrate, and assess information indicative of potential risk and determine appropriate mitigation response options on a case-by-case basis. Insider threat programs protect the privacy of the workforce while reducing potential harm to the organization. See the Establishing an Insider Threat Program section on page 5 to learn more.

Case Study: Wen Chyu Liu
While employed at a major manufacturing company, Liu worked as a research scientist on various elastomer products. Liu conspired with at least four current and former employees to steal elastomer trade secrets and sell them in China. The company lost valuable research that impacted numerous projects. Long-held trade secrets were disclosed to competitors and the public, and profits from current and future projects were compromised. Numerous employees were fired and several prosecuted. Read the full case study at df.


2 Establishing an Insider Threat Program

Setting Up Your Program
An insider threat program is a multidisciplinary activity established by an organization to gather, monitor, and assess information for insider threat detection and mitigation. Program personnel analyze information and activity indicative of an insider risk and determine appropriate mitigation response options, up to and including referral to the appropriate officials for investigation and/or resolution. Best practices encourage the insider threat program to include a multidisciplinary team consisting of Legal Counsel, Security, Counterintelligence, Cybersecurity, Mental Health and Behavioral Science, and Human Resources or Human Capital disciplines to effectively counter insider threats to your organization. The exact makeup of your insider threat program will depend on the size and complexity of your organization.

Insider threat programs take proactive measures to deter, detect, mitigate, and report the threats associated with trusted insiders. The program identifies anomalous behaviors that may indicate an individual poses a risk. Early identification allows insider threat program personnel to focus on an individual's issues of concern or stressors and deploy appropriate mitigation responses. When necessary, the team shares relevant information from each discipline with organizational leadership to facilitate timely, informed decision-making and reports information outside the organization as required.

The first step in establishing your program is to identify the program office and leadership. You must determine how the team will be structured and where it will be located. Does your organization have the ability to house the team in a single location? Or are the team members geographically separated and must rely on virtual communications to conduct operations? Your organization should select an insider threat program senior leader or program manager who oversees day-to-day operations. They will work with the organization's senior leadership to determine resource and staffing needs.

You should establish rules for how the insider threat program will operate within your organization. As part of rule and policy development, the insider threat program should also identify practices for safeguarding sensitive personnel information along with consequences for violations of internal rules committed by insider threat program team members. Insider threat team members must maintain standards of professional conduct like any other personnel. However, because you're dealing with extremely sensitive information, it's important that you clarify these responsibilities up front. A sample insider threat program plan is included in the Resources section.

You should also ensure that insider threat program personnel are properly trained to conduct their duties. Insider threat program personnel must be able to appropriately respond to incident reporting, protect privacy and civil liberties, support mitigation options, and refer matters as required. Many free training options exist. Consult the Resources section on page 13 for more information.

Detecting and Deterring Insider Threats
The purpose of an insider threat program is to proactively deter, detect, mitigate, and report threats associated with trusted insiders. These actions make up your daily operations. Insider threat programs detect individuals at risk of becoming insider threats by identifying potential risk indicators. These observable and reportable behaviors or activities may indicate an individual is at greater risk of becoming a threat. Insider threat hubs deter potential insider threats by instituting appropriate security countermeasures, including awareness programs.

Training and Awareness Programs. You must train and exercise your workforce to recognize and report potential risk indicators. It is a best practice to require personnel to complete initial and annual insider threat awareness training. You can also maintain workforce awareness of insider threats and employee reporting responsibilities year-round by instituting a vigilance campaign. Insider threat programs can also conduct internal evaluations. These are small exercises used to test your workforce's knowledge of insider threat indicators and reporting requirements. These exercises do not have to be elaborate but should help you gauge the effectiveness of your program. You may use information from these evaluations to adjust your training and awareness program to ensure effectiveness. See the Resources section on page 13 for access to free training and awareness materials.

Reporting Procedures. Your insider threat program must establish reporting procedures for the general workforce. Those who witness potential indicators should know exactly when, where, and how they can report the information. Prepare procedures for "walk-ins," those who may want to report their information face to face. Procedures should also include hotlines or dedicated email addresses. Individuals should be encouraged to self-report any issues they may be experiencing. One of the goals of an insider threat program is to deter adverse actions by pointing those asking for assistance to resources that can help them. The challenge is to have people see the insider threat program as a resource rather than a punitive element. You can build this rapport by informing the workforce of your program, its mission, and its goals; by respecting privacy and civil liberties; and by deploying appropriate insider threat mitigation responses.

Organizational Justice. As a best practice, insider threat programs should consider the concept of organizational justice. Organizational justice refers to employee perceptions of fairness in the workplace. Labor relations can have an overall effect on the number of insider threat incidents you see. The worse the labor relations are, the more incidents you may encounter. Counterproductive workplace environments have consequences that can lead to disgruntlement. Organizational leadership that develops a positive workplace environment keeps the workforce engaged and productive. This same concept applies to the insider threat program. Ensuring appropriate mitigation response options and the protection of privacy and civil liberties in the conduct of your duties will minimize negative outcomes from maladaptive responses. Being responsive to workforce concerns is a great way to build rapport with personnel, encourage future reporting, and ultimately mitigate risk.

Instituting User Activity Monitoring
User Activity Monitoring (UAM) is the technical capability to observe and record the actions and activities of an individual operating on your computer networks to detect potential risk indicators and to support mitigation responses. Logging, monitoring, and auditing of information system activities can lead to early discovery and mitigation of behavior indicative of insider threat. UAM also plays a key role in prevention, assistance, and response to acts of violence. As such, UAM development should include consideration of potential acts of violence against organizational resources, including suicidal ideation.

Implementation will be specific to your location, but as a best practice your organization should:
- Define what will be monitored
- Indicate how monitoring will be instituted
- Inform users of monitoring actions via banners
- Identify indicators that require review (e.g., trigger words, activities)
- Protect user activity monitoring methods and results
- Develop a process for verification and review of potential issues
- Establish referral and reporting procedures

Establishing baseline user behaviors will make deviations or anomalies stand out from normal activities. It will also help determine what your user activity monitoring triggers, also known as internal security controls, should be. Once a "Normal Activity" baseline is established, internal security controls help identify deviations. For example, user activity monitoring could help identify a rash of IT system misuses that suggest an employee needs some re-training. Another example would be access control logs indicating an employee is working irregular hours or has unexplained absences from work. UAM can help identify potential risk indicators that can be evaluated during your risk management and mitigation process. For more information, access the Insider Threat Indicators in User Activity Monitoring job aid t-Indicators-in-UAM.pdf.

Now that you've established an insider threat program, it's time to employ risk management and mitigation strategies. Your insider threat program should be able to identify and mitigate many issues before they escalate into negative behavior and respond appropriately when preventative actions are not feasible. Access the Insider Risk Management Strategy section on page 9 to learn more.
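The baseline-and-deviation approach described in the User Activity Monitoring section above, as an added example that is not part of the CISA guide: the script learns each user's normal working hours and daily transfer volume from a week of constructed badge and host log lines, then flags off-hours activity, configured trigger words in file names, unexplained data volume, and users for whom no baseline exists. The log format, user names, trigger words, and thresholds are assumptions for illustration; a real deployment would draw them from the organization's own access-control and endpoint telemetry and from the indicators in the UAM job aid.

```python
"""Added example: a small user activity monitoring (UAM) pass that learns a
per-user "normal activity" baseline from a training window, then flags the
deviations an insider threat program would route to review."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log shape (constructed): <ISO ts> <source> user=<id> action=<verb> [k=v ...]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+) user=(?P<user>\S+) "
                     r"action=(?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical trigger words; a real program draws them from its critical-asset list.
TRIGGER_WORDS = ("schematic", "formulation", "process_spec")

SAMPLE_LOGS = [  # constructed: one baseline week, then a detection window
    "2019-08-05T08:02:10 badge user=jdoe action=entry door=RD-1",
    "2019-08-05T09:15:00 host user=jdoe action=copy file=weekly_report.xlsx bytes=2400000",
    "2019-08-05T17:10:42 badge user=jdoe action=exit door=RD-1",
    "2019-08-06T08:05:33 badge user=jdoe action=entry door=RD-1",
    "2019-08-06T14:20:11 host user=jdoe action=copy file=test_results.csv bytes=3100000",
    "2019-08-07T08:11:27 badge user=asmith action=entry door=RD-1",
    "garbage line that the parser must skip rather than crash on",
    "2019-08-13T09:00:05 badge user=asmith action=entry door=RD-1",
    "2019-08-13T23:41:10 badge user=jdoe action=entry door=RD-1",
    "2019-08-13T23:52:48 host user=jdoe action=usb_copy file=Elastomer_Formulation_v7.docx bytes=41000000",
    "2019-08-14T02:05:44 badge user=jdoe action=exit door=RD-1",
    "2019-08-14T10:30:00 host user=contractor9 action=login host=ws-114",
]


def parse(lines):
    """Parse lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
               "user": m["user"], "action": m["action"]}
        rec.update(dict(KV_RE.findall(m["rest"])))
        records.append(rec)
    return records


def build_baseline(records, baseline_end):
    """Per user: hours of day seen active and bytes moved per day, learned only
    from records before baseline_end so later activity cannot pollute it."""
    hours = defaultdict(set)
    daily_bytes = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["ts"] >= baseline_end:
            continue
        hours[r["user"]].add(r["ts"].hour)
        if "bytes" in r:
            daily_bytes[r["user"]][r["ts"].date()] += int(r["bytes"])
    return {u: {"hours": h, "bytes_max": max(daily_bytes[u].values(), default=0)}
            for u, h in hours.items()}


def in_normal_hours(hour, seen):
    """One hour of slack each side, so 07:55 is not an alert for an 08:00 user."""
    return any((hour + d) % 24 in seen for d in (-1, 0, 1))


def detect(records, baseline, baseline_end, volume_factor=3):
    """Return (user, when, indicator, detail) tuples for the review queue."""
    alerts = []
    day_bytes = defaultdict(int)  # (user, date) -> bytes moved that day
    for r in records:
        if r["ts"] < baseline_end:
            continue
        user, when, what = r["user"], r["ts"].isoformat(), f"{r['src']}:{r['action']}"
        b = baseline.get(user)
        if b is None:  # never seen in training: cannot judge, so surface it
            alerts.append((user, when, "no_baseline", what))
            continue
        if not in_normal_hours(r["ts"].hour, b["hours"]):
            alerts.append((user, when, "off_hours", what))
        fname = r.get("file", "").lower()
        if any(w in fname for w in TRIGGER_WORDS):
            alerts.append((user, when, "trigger_word", fname))
        if "bytes" in r:
            day_bytes[(user, r["ts"].date())] += int(r["bytes"])
    # Volume is judged once per user-day against a multiple of the busiest
    # baseline day; the floor of 1 byte keeps an all-zero baseline from muting it.
    for (user, day), total in day_bytes.items():
        limit = volume_factor * max(baseline[user]["bytes_max"], 1)
        if total > limit:
            alerts.append((user, day.isoformat(), "volume", f"{total} > {limit}"))
    return alerts


def run_example(baseline_end="2019-08-12T00:00:00"):
    """Run the pipeline over SAMPLE_LOGS; returns (baseline, alerts)."""
    end = datetime.fromisoformat(baseline_end)
    records = parse(SAMPLE_LOGS)
    baseline = build_baseline(records, end)
    return baseline, detect(records, baseline, end)


if __name__ == "__main__":
    print(*run_example()[1], sep="\n")
```

The split between training and detection windows matters: a baseline learned from the same days it judges will absorb the anomaly. A one-week baseline is thin, so the output is a queue for the multidisciplinary team to verify, not a verdict, which is the "process for verification and review" item in the list above. The sample contractor9 record shows why users with no baseline should surface rather than be silently ignored.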


3 Insider Risk Management Strategy

Risk Analysis
Risk-based analysis allows the insider threat program to manage risk in a complex threat environment. The process of identifying assets, assessing threats and vulnerabilities, evaluating risk, and identifying countermeasures can help determine the risks most closely associated with trusted insiders in the critical manufacturing sector and the best methods to deter and mitigate them. It also allows your organization to differentiate between exigent threats to your enterprise and less pressing matters.

Identify Critical Assets
The most basic function of an insider threat program is to protect the assets that provide your organization with a competitive advantage. According to ISO 55000, an asset is something with potential value to an organization and for which the organization has a responsibility (Riso 2012). We further elaborate on this definition by stating that a critical asset can be thought of as something of value that, if destroyed, altered, or otherwise degraded, would impact the confidentiality, integrity, or availability and have a severe negative effect on the ability of the organization to support essential missions and business functions.

Critical assets can be both physical and logical and can include facilities, systems, equipment, and technology. An often overlooked aspect of critical assets is intellectual property. This may include proprietary software, customer data for vendors, schematics, and internal manufacturing processes. The organization must keep a close watch on where data is at rest and in transport. Current technology allows more seamless collaboration than ever, but also allows the organization's sensitive information to be easily removed from the organization.

A complete understanding of critical assets (both physical and logical) is invaluable in defending against attackers who will often target the organization's critical assets. The following questions help the organization to identify and prioritize the protection of its critical assets:
- What critical assets do we have?
- Do we know the current state of each critical asset?
- Do we understand the importance of each critical asset, and can we explain why it is critical to our organization?
- Can we prioritize our list of critical assets?
- Do we have the authority, money, and resources to effectively monitor our critical assets?

The role of the program manager is to work with all of those across all areas of the organization to answer the questions above. Once those questions are answered within each division, input from senior-level management should be obtained to prioritize protection across the organization. Once critical assets are identified and prioritized, the organization must identify those high-risk users who most often interact with the critical systems or data. This will help the organization to identify the best approaches to successfully identify potential insider threats.

One of the major difficulties facing organizations is being able to rank and score accurately the different critical assets provided to the decision-makers. Our experience shows us that many stakeholders within an organization will often state that "the asset they know about and control" is, in their opinion, the most critical. Instead of providing subjective and biased rankings of critical assets, we suggest using various metrics and discussing them internally with various employees of the organization. When attempting to rank and score the potential pool of critical assets, we suggest leveraging a statistical tool known as Pairwise Rankings. This approach will essentially allow a group to perform the ranking by comparing two critical assets at a time and giving each a numerical rating. The numerical ratings are then added up and sorted so that the asset with the highest total stands out as the most critical.

Conducting a Risk Assessment

The Risk Management Process
Risk management is an eight step process that provides a framework for collecting and evaluating information to:
- Identify assets (identify value of asset)
- Assess threats (intent and capability of adversaries)
- Assess vulnerabilities (identification and extent of vulnerabilities)
- Assess risk (determine the likelihood that a threat will exploit your vulnerabilities)
- Determine impact of loss, damage, or compromise of asset
- Develop countermeasures (security countermeasure options that can reduce or mitigate risks cost effectively)
- Apply countermeasures
- Monitor and re-evaluate

For more information on risk management, html. You may also consider implementing the Risk Management Framework (RMF) for information systems. More information on RMF is available from the National Institute of Standards and Technology at -Management-Framework(RMF)-Overview. You can also access free training on the topic at

Risk Mitigation
To be effective, insider threat programs must be on the lookout for potential issues before they pose a threat. In most cases, proactive mitigation responses provide positive outcomes for both the organization and the individual. This allows you to protect information, facilities, and personnel and retain valuable employees, and it offers intervention to help alleviate the individual's stressors. Your insider threat program's responses are situationally dependent, but may include recommendations such as:
- Suspending access to information
- Taking personnel actions such as counseling, referral, or termination
- Organizational responses that may require changes to policy or procedures
- Increased or additional training

Human Resources insider threat program team members can assist with counseling referrals or prescribed human resource interventions that may be corrective in nature. They deal with Employee Assistance Programs for resources in financial counseling, lending programs, mental health, and other well-being programs.

Insider threat program team members from the various security disciplines, whether cyber/IT, personnel, information, or physical, can assist with mitigation response options such as updating security protocols, adjusting UAM or other inspections, and providing basic security training and awareness to the workforce. Some insider threat incidents may warrant external referrals to counterintelligence or law enforcement authorities. Have a plan in place for referring these actions and consult with your legal counsel to ensure that proper protocols are followed.

Your program should create a record of the incident outcome. You may also create or coordinate with other elements within your organization to develop a "Damage Assessment" or "After Action" Report that explains the damage to the organization, personnel, facilities, or other resources. You may need to work with the legal team and any other contributing elements to ensure the report is stored and retained appropriately. A sample Memorandum of Activity Report is included in the Resources section on page 19.
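The Pairwise Rankings approach suggested in the critical-assets discussion above, as an added example that is not from the guide: each rater compares every pair of candidate assets, the more critical member of each pair earns a point, the points are summed and sorted high to low so the most critical asset heads the list, and any rater whose judgements are intransitive (A over B, B over C, C over A) is flagged so the group can discuss the disagreement before the ranking is used. The asset names, rater names, and ballots are constructed for illustration.

```python
"""Added example: pairwise ranking of candidate critical assets. Every pair is
compared, the more critical member of each pair earns a point, totals are
summed and sorted high to low, and intransitive (cyclic) judgements are
surfaced so the group can talk them through before the list is used."""
from collections import defaultdict
from itertools import combinations

# Constructed asset names for a notional manufacturing site.
ASSETS = ["PLC logic", "Formulation records", "Order database", "Badge system"]

# Constructed ballots from three raters; each maps an (a, b) pair to the asset
# that rater considered more critical. The "security" ballot is deliberately
# inconsistent: PLC over Formulation, Formulation over Order, Order over PLC.
BALLOTS = {
    "engineering": {("PLC logic", "Formulation records"): "PLC logic",
                    ("PLC logic", "Order database"): "PLC logic",
                    ("PLC logic", "Badge system"): "PLC logic",
                    ("Formulation records", "Order database"): "Formulation records",
                    ("Formulation records", "Badge system"): "Formulation records",
                    ("Order database", "Badge system"): "Order database"},
    "it": {("PLC logic", "Formulation records"): "Formulation records",
           ("PLC logic", "Order database"): "PLC logic",
           ("PLC logic", "Badge system"): "PLC logic",
           ("Formulation records", "Order database"): "Formulation records",
           ("Formulation records", "Badge system"): "Formulation records",
           ("Order database", "Badge system"): "Badge system"},
    "security": {("PLC logic", "Formulation records"): "PLC logic",
                 ("PLC logic", "Order database"): "Order database",
                 ("PLC logic", "Badge system"): "PLC logic",
                 ("Formulation records", "Order database"): "Formulation records",
                 ("Formulation records", "Badge system"): "Formulation records",
                 ("Order database", "Badge system"): "Order database"},
}


def ballot_judge(ballot):
    """Turn one rater's ballot into a judge(a, b) -> winner callable."""
    def judge(a, b):
        return ballot[(a, b)] if (a, b) in ballot else ballot[(b, a)]
    return judge


def majority_judge(ballots):
    """Combine raters: the asset most raters preferred wins the pair; an exact
    tie falls to the alphabetically first name so ties are deterministic."""
    judges = [ballot_judge(b) for b in ballots.values()]
    def judge(a, b):
        votes = [j(a, b) for j in judges]
        return max(sorted((a, b)), key=votes.count)
    return judge


def pairwise_rank(assets, judge):
    """Score every pair; return ([(asset, points)] high to low, preferences)."""
    points = defaultdict(int)
    prefs = {}
    for a, b in combinations(assets, 2):
        winner = judge(a, b)
        if winner not in (a, b):
            raise ValueError(f"judge returned {winner!r} for pair {(a, b)!r}")
        points[winner] += 1
        prefs[(a, b)] = winner
    ranked = sorted(assets, key=lambda x: (-points[x], x))
    return [(x, points[x]) for x in ranked], prefs


def find_cycles(prefs):
    """Return 3-cycles (A>B, B>C, C>A), each reported once, lowest name first."""
    beats = defaultdict(set)
    for (a, b), w in prefs.items():
        beats[w].add(b if w == a else a)
    cycles = set()
    for a, losers in beats.items():
        for b in losers:
            for c in beats.get(b, ()):
                if a in beats.get(c, ()):
                    cycles.add(min((a, b, c), (b, c, a), (c, a, b)))
    return sorted(cycles)


def run_example():
    """Rank ASSETS by majority and check each rater's own ballot for cycles."""
    ranking, prefs = pairwise_rank(ASSETS, majority_judge(BALLOTS))
    inconsistent = {name: find_cycles(pairwise_rank(ASSETS, ballot_judge(b))[1])
                    for name, b in BALLOTS.items()}
    return ranking, find_cycles(prefs), inconsistent


if __name__ == "__main__":
    print(*run_example(), sep="\n")
```

The cycle check is the safeguard behind the guide's advice to discuss the ratings internally: a summed score hides the fact that one stakeholder's preferences contradicted each other, and the majority ranking can look clean while an individual ballot is not, which the constructed "security" ballot shows. With n assets each rater answers n(n-1)/2 questions, so keep the candidate pool short before running the exercise.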


4 Insider Threat Resources

Sample Forms
- Insider Threat Program Plan (Page 18)
- Insider Threat Program Memorandum of Activity (Page 19)

Training for Insider Threat Programs
- CDSE - https://www.cdse.edu/catalog/insider-threat.html
- DHS - https://www.dhs.gov/training-awareness

Awareness Materials
ml

Case Studies

Policies and Best Practices

Supporting Organizations
- Department of Homeland gation
- National Insider Threat Task work/ncsc-nittf
- Defense Counterintelligence and Security Agency—http://www.dss.mil/
- Center for Development of Security Excellence—CDSE
- Federal Bureau of y/insider threat brochure.pdf/view

Critical Manufacturing Sector-Specific Agency Contacts
- Email: criticalmanufacturing@cisa.dhs.gov
- Website: ctor


Insider Threat Case Studies

CASE STUDY: DDoS attack at a medical facility via HVAC
A hospital facility employed the insider, a contractor, as a security guard. The insider was extensively involved with the Internet underground and was the leader of a hacking group. The insider worked for the victim organization only at night and was unsupervised. The majority of the insider's unauthorized activities involved a heating, ventilation, and air conditioning (HVAC) computer. This HVAC computer was located in a locked room, but the insider used his security key to obtain physical access to the computer. The insider remotely accessed the HVAC computer five times over a two-day period. In addition, the insider accessed a nurses' station computer, which was connected to all of the victim organization's computers and stored medical records and patient billing information.

The insider used various methods to attack the organization, including password-cracking programs and a botnet. The insider's malicious activities caused the HVAC system to become unstable, which eventually led to a one-hour outage. The insider and elements of the Internet underground were planning to use the organization's computer systems to conduct a distributed-denial-of-service (DDoS) attack against an unknown target. A security researcher discovered the insider's online activities. The insider was convicted, ordered to pay $31,000 in restitution, and sentenced to nine years and two months of imprisonment followed by three years of supervised release.

This case illustrates how a single computer system can cause a great amount of damage to an organization. In this case, the damage could have been life threatening because the attack took place at a hospital facility. Modifying the HVAC system controls and altering the organization's environment could have affected temperature-sensitive drugs and supplies and patients who were susceptible to temperature changes. With additional steps to bypass security, the insider could have potentially modified and impaired patient records, affecting treatment, diagnoses, and care. It is critical that management and information security teams work with other departments within an organization to identify critical systems. In this case, the HVAC computer was located in a locked room, not a data center or server room, which would have afforded the system additional protections and may have prevented the insider from manipulating the system. In addition, the insider was able to access a nurses' station computer, which had access to other critical organizational systems. If the organization had fully understood the potential impact a compromised workstation could have on other parts of the organization, it could have implemented additional layers of protection that would have prevented this type of attack.

CASE STUDY: Insider Intellectual Property Theft
A chemical manufacturing company employed a senior research scientist working on a multimillion-dollar project related to chemicals used in the production of a new electronic technology. During the month after this insider announced his resignation, he emailed a document detailing the proprietary chemical procedure to his account at the beneficiary organization. After the victim organization examined his company laptop and returned it, he downloaded more than 500 documents from the laptop to an external storage device. Even though the organization consistently responded to requests to transfer data (indicating that the transfer required approval), the insider asked the IT department how to perform the transfer and falsely stated that it had been approved.

In addition to observing the insider's behavioral indicators and suspicious activities, the victim organization had procedures in place to review and approve any transfer of information from company computers. The victim organization also tracked download activity on a regular basis and performed a forensic examination on the insider's computer, a standard practice for transferring employees.

The victim organization's mitigation actions in place, such as approval requirements prior to transferring data, illuminated the insider's suspicious behavior in repeatedly inquiring about transferring data to the victim organization's foreign branch. The reporting and investigating mechanisms enabled the company to identify the suspicious activity and confront the insider about downloading confidential documents and his connection to the beneficiary organization. Further investigation discovered that he copied the documents to his personal computer, with evidence that he transferred information to his personal online email account. The victim organization was able to detect and investigate the incident before the information could be shared with the beneficiary organization.

CASE STUDY: Awareness in Action
Wen Chyu Liu, Research Scientist, 1965-1992
Espionage indicators: Unexplained Affluence; Age at Convi
