The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012)
Page Count: 430
- Contents
- Preface
- Acknowledgments
- Chapter 1. Overview
  - True Stories of Insider Attacks
  - The Expanding Complexity of Insider Threats
  - Breakdown of Cases in the Insider Threat Database
  - CERT’s MERIT Models of Insider Threats
  - Overview of the CERT Insider Threat Center
  - Timeline of the CERT Program’s Insider Threat Work
    - 2000 Initial Research
    - 2001 Insider Threat Study
    - 2001 Insider Threat Database
    - 2005 Best Practices
    - 2005 System Dynamics Models
    - 2006 Workshops
    - 2006 Interactive Virtual Simulation Tool
    - 2007 Insider Threat Assessment
    - 2009 Insider Threat Lab
    - 2010 Insider Threat Exercises
    - 2010 Insider Threat Study—Banking and Finance Sector
  - Caveats about Our Work
  - Summary
- Chapter 2. Insider IT Sabotage
  - General Patterns in Insider IT Sabotage Crimes
  - Mitigation Strategies
  - Early Mitigation through Setting of Expectations
  - Handling Disgruntlement through Positive Intervention
  - Eliminating Unknown Access Paths
  - More Complex Monitoring Strategies
  - A Risk-Based Approach to Prioritizing Alerts
  - Targeted Monitoring
  - Measures upon Demotion or Termination
  - Secure the Logs
  - Test Backup and Recovery Process
  - One Final Note of Caution
  - Summary
- Chapter 3. Insider Theft of Intellectual Property
  - Impacts
  - General Patterns in Insider Theft of Intellectual Property Crimes
  - The Entitled Independent
  - The Ambitious Leader
  - Theft of IP inside the United States Involving Foreign Governments or Organizations
  - Mitigation Strategies for All Theft of Intellectual Property Cases
  - Mitigation Strategies: Final Thoughts
  - Summary
- Chapter 4. Insider Fraud
- Chapter 5. Insider Threat Issues in the Software Development Life Cycle
- Chapter 6. Best Practices for the Prevention and Detection of Insider Threats
  - Summary of Practices
  - Practice 1: Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments
  - Practice 2: Clearly Document and Consistently Enforce Policies and Controls
  - Practice 3: Institute Periodic Security Awareness Training for All Employees
  - Practice 4: Monitor and Respond to Suspicious or Disruptive Behavior, Beginning with the Hiring Process
  - Practice 5: Anticipate and Manage Negative Workplace Issues
  - Practice 6: Track and Secure the Physical Environment
  - Practice 7: Implement Strict Password- and Account-Management Policies and Practices
  - Practice 8: Enforce Separation of Duties and Least Privilege
  - Practice 9: Consider Insider Threats in the Software Development Life Cycle
  - Practice 10: Use Extra Caution with System Administrators and Technical or Privileged Users
  - Practice 11: Implement System Change Controls
  - Practice 12: Log, Monitor, and Audit Employee Online Actions
  - Practice 13: Use Layered Defense against Remote Attacks
  - Practice 14: Deactivate Computer Access Following Termination
  - Practice 15: Implement Secure Backup and Recovery Processes
  - Practice 16: Develop an Insider Incident Response Plan
  - Summary
  - References/Sources of Best Practices
- Chapter 7. Technical Insider Threat Controls
  - Infrastructure of the Lab
  - Demonstrational Videos
  - High-Priority Mitigation Strategies
    - Control 1: Use of Snort to Detect Exfiltration of Credentials Using IRC
    - Control 2: Use of SiLK to Detect Exfiltration of Data Using VPN
    - Control 3: Use of a SIEM Signature to Detect Potential Precursors to Insider IT Sabotage
    - Control 4: Use of Centralized Logging to Detect Data Exfiltration during an Insider’s Last Days of Employment
  - Insider Threat Exercises
  - Summary
- Chapter 8. Case Examples
  - Sabotage Cases
    - Sabotage Case 1
    - Sabotage Case 2
    - Sabotage Case 3
    - Sabotage Case 4
    - Sabotage Case 5
    - Sabotage Case 6
    - Sabotage Case 7
    - Sabotage Case 8
    - Sabotage Case 9
    - Sabotage Case 10
    - Sabotage Case 11
    - Sabotage Case 12
    - Sabotage Case 13
    - Sabotage Case 14
    - Sabotage Case 15
    - Sabotage Case 16
    - Sabotage Case 17
    - Sabotage Case 18
    - Sabotage Case 19
    - Sabotage Case 20
    - Sabotage Case 21
    - Sabotage Case 22
    - Sabotage Case 23
    - Sabotage Case 24
  - Sabotage/Fraud Cases
  - Theft of IP Cases
  - Fraud Cases
  - Miscellaneous Cases
  - Summary
- Chapter 9. Conclusion and Miscellaneous Issues
  - Insider Threat from Trusted Business Partners
    - Overview of Insider Threats from Trusted Business Partners
    - Fraud Committed by Trusted Business Partners
    - IT Sabotage Committed by Trusted Business Partners
    - Theft of Intellectual Property Committed by Trusted Business Partners
    - Open Your Mind: Who Are Your Trusted Business Partners?
    - Recommendations for Mitigation and Detection
  - Malicious Insiders with Ties to the Internet Underground
  - Final Summary
- Appendix A. Insider Threat Center Products and Services
- Appendix B. Deeper Dive into the Data
- Appendix C. CyberSecurity Watch Survey
- Appendix D. Insider Threat Database Structure
- Appendix E. Insider Threat Training Simulation: MERIT InterActive
- Appendix F. System Dynamics Background
- Glossary of Terms
- References
- About the Authors
- Index