25 February 2012

RSA Conference: CSO Insomnia Over Insider Risk...

Next week in the U.S. there will be thousands of risk management and security professionals invading the RSA Conference in San Francisco. The myriad of topics, education and case studies are worth examining to see what is on the mind of these thought leaders and practitioners who are also designated speakers. You can even look to the popular press to see what the vibe is on what this years biggest worries will be:

  1. Mobile Devices
  2. Advanced Persistent Threat
  3. Big Data Privacy
  4. Hacktavists

However, if you spend some time to drill down on each of these topic areas and really look at the actual presentations of the presenters, some are based upon real cases and research and others are not. The one presentation that caught our eye and continues to be what some savvy CSOs would say keeps them sleeping with one eye open each night, is their insomnia over the "Insider Threat." That person or organized group of unidentified subjects that are there to recruit vulnerable people into initiating or perpetuating crimes against the organization.

Dawn Cappelli runs the Insider Threat Center at the Software Engineering Institute and highlights these areas of concern from their research and analysis of real cases:

The CERT Top 10 List for Winning the Battle Against Insider Threats

Dawn M. Cappelli Director, CERT Insider Threat Center CERT Program, Software Engineering Institute Carnegie Mellon University

  • 10. Learn from past incidents
  • 9. Focus on protecting the crown jewels
  • 8. Use your current technologies differently
  • 7. Mitigate threats from trusted business partners
  • 6. Recognize concerning behaviors as a potential indicator
  • 5. Educate employees regarding potential recruitment
  • 4. Pay close attention at resignation / termination!
  • 3. Address employee privacy issues with General Counsel
  • 2. Work together across the organization
  • 1. Create an insider threat program NOW!


Number Three on the list is certainly on the top third and for good reason. Employees and the policy decisions on what data is owned by the company and owned by the employee is of grave concern these days in the United States. Now after so many years it looks as if this issue is going to get more heated and see the light of day from a congressional point of view. Yet the CSO must feel that the ability for the safeguards necessary to keep the organization safe and secure are not in place yet. Catherine Dunn of ALMs Corporate Counsel sheds more light on this:

According to a new White House report on consumer data privacy protection, trust is worth a lot of money to U.S. businesses—users have to know their data will be protected if the economic engine of digital innovation is to keep roaring. Ergo, the U.S. needs a privacy framework that’s “flexible” enough to accommodate industry innovation, and comprehensive enough that consumers will feel safe—and keep clicking.

But trust between consumers and companies in the U.S. is only part of the equation. There’s another important element, too: how compatible U.S. safeguards are with those of the rest of the world, and particularly Europe. This new proposal arrives a month ahead of a conference on data protection between E.U. and U.S. officials in Washington, D.C., leading to questions about whether Europe and the U.S. are any closer to getting on the same page when it comes to data privacy.

The answer not only depends on who you ask, but also what section of the White House’s report you’re looking at. The white paper lists seven principles and stresses that these principles should form the basis of voluntary codes of conduct adopted by industry. Once adopted, the Federal Trade Commission would have the power to enforce compliance to those codes. The paper also includes a call for Congress to pass legislation based on these principles, and devotes a section to “international interoperability”—which considers how data can be sent across international borders without violating laws on either side of the transaction.

This is where we need to make sure we understand the difference between what privacy issues have to do with a company employee and the privacy associated with just a U.S. consumer, who is not an employee but perhaps a member, client or customer of the organization.

If we go back to the big worries at RSA and combine this with the employees who are operating at the "Speed of Business" in your enterprise, you begin to see the difference. Actually, if you think about it some more, every employee of the organization has a duty to care for the information inside the organization, in order to better protect the assets of the enterprise but simultaneously the assets of the consumer.

The consumer assets are their "Personal Identifiable Information" (PII) and this represents in many cases what the organized criminals are after in the first place. This is where the outside recruitment threat starts to have its nexus. However, even the highly trained and state sponsored agents who are inside the enterprise to steal corporate or national security secrets are far and few these days. That may be surprising to some, but if you look at how the exfiltration of data is taking place it's almost all automated. No human intervention is required.

If that is the case, then what is Dawn Cappelli and the Insider Threat Team at CERT so concerned about from their research insights:

Criminal enterprises mask their fraud by involving multiple insiders who often work in different areas of the organization and who know how to bypass critical processes and remain undetected. In several cases, management is involved in the fraud. Those insiders affiliated with organized crime are either selling information to these groups for further exploitation or are directly employed by them. Ties to organized crime appear in only 24 cases in the CERT insider threat database and are characterized by multiple insiders and/or outsiders committing long-term fraud.
All of the insiders involved with organized crime attacked the organization for financial gain. The insiders usually were employed in lower level positions in the organization, were motivated by financial gain, and were recruited by outsiders to commit their crimes. The average damages in these cases exceed $3M, with some cases resulting in $50M in losses.


Now you know why your CSO is headed to the RSA Conference this week and why they are sleeping with one eye open these days.