New Tool Helps Prevent Threats from Within

The Federal Bureau of Investigation (FBI) in 2008 arrested a former loan officer suspected of downloading nearly 20,000 customers’ personal data and selling that information to third parties for approximately $70,000. In 2009, news media reported that a former product engineer with an automobile manufacturer in the United Kingdom was arrested for stealing proprietary design documents worth millions of dollars.

More frequently, media outlets are reporting the loss of proprietary information, customer personal identification, and financial information at the hands of current or former employees, contractors, or business partners who have or had authorized access to their organizations’ systems and networks. These individuals are most familiar with internal policies, procedures, and technology, and can exploit that knowledge to bring down an organization.

Northrop Grumman Corporation (NGC) is a global security company with 126,000 employees. As a system integrator of global security solutions, NGC takes security seriously. Responding to the question of how he perceives the risk of insider threats, Tim McKnight, NGC’s chief information security officer, notes, “We know it’s important. It’s a significant threat to the nation and our industry. The nation is bleeding intellectual property; the U.S. dollar is suffering. We must avoid the short-term mindset in evaluating these threats and the risks they present. The cumulative impact to our economy will not fully materialize for years; therefore, we don’t recognize it in quarterly market reports.”

When NGC wanted to benchmark where the information security business unit was in the prevention of insider threat, the company turned to CERT and its Insider Threat team for guidance. Christopher Barnett, cyber threat manager in NGC’s information security business unit and the company’s technical liaison, says that NGC wanted to understand short-term risks, address those risks, and develop a long-term strategy: “NGC wanted to take advantage of CERT’s expertise and its insider threat vulnerability assessment tool to help us safeguard our critical infrastructure and data.”

“We need to detect the release of proprietary information as it happens so that it can be recovered, and we need to detect malicious code as it is planted on our network, not after,” says Barnett. “CERT’s assessment enabled us to configure tools and address organizational policy measures to better mitigate those risks.”

Dawn Cappelli, technical lead for insider threat at CERT, says the assessment tool was created because organizations were looking for a quick solution—a checklist—on what to do to prevent insider threat. “But insider threat is a much more complex issue. There is no equivalent to a vulnerability scanner for insider threats. We needed to provide something that would help organizations take a comprehensive look at the tools, policies, and practices they are using to determine how they could best prevent and detect threats,” she says.

CERT has researched hundreds of insider threat cases since 2002. The team has worked with the U.S. Secret Service, the U.S. Department of Defense, and corporations on activities that include interviewing white-collar criminals and victim organizations. The culmination of their work to date is an insider threat vulnerability assessment tool. The tool comprises six workbooks developed and organized based on hundreds of cases. Using the workbooks, CERT conducted confidential, scenario-based interviews over three days with NGC staff and management exploring six areas of concern: physical security, software engineering, IT/information security, data management, human resources, and legal.

Barnett says the assessment provided NGC with the areas of concern, responsible personnel, policy and security measures, policy-practice gaps, and suggested countermeasures. The report also mapped the risk areas to actual cases in terms of scale of damage and scope of threat. Based on the findings, NGC is taking a range of important steps from developing a more comprehensive insider threat strategy to augmenting its defenses by leveraging existing technology with very little investment. “CERT provided us with realistic and achievable security goals to protect those assets deemed critical to our mission from both external and internal threats,” says Barnett.

Barnett says that NGC’s highly skilled information security staff, which uses the latest enterprise security management tools, is only one piece of the puzzle. He says the company learned that while information security in NGC is efficient and proactive, effective information sharing among the various components of a large enterprise is critical to identify and prevent illicit or illegal activity within a company.

Cappelli also learned from the assessment, and she plans to incorporate those lessons into future research. “Gaps in existing technology are better understood by our team now,” says Cappelli. “That knowledge will enable us to work with other organizations and solutions providers to improve the state of the practice of insider threat mitigation.”
