CERT Insider Threat Center Releases Top Ten Strategies for Fighting Insider Threat
April 18, 2012 • Article
To complement its detailed research on insider threat and provide organizations a quick reference to what they could be doing now to mitigate the problem, the CERT Insider Threat Center has published The CERT Top 10 List for Winning the Battle Against Insider Threats. Since 2001, SEI’s CERT® Program has conducted empirical research and analysis to develop and transition socio-technical solutions to combat insider threats. These solutions explore not only technical approaches to the problem, but approaches based on close examination of human resources and management practices and policies, legal policies, physical security, and other non-technical indicators. The goal of this work is to help organizations prevent, detect, and respond to malicious insider activity.
“We developed the Top 10 list because we frequently are asked for the top things an organization should do to mitigate insider threat risk,” said Dawn Cappelli, technical manager of the CERT Enterprise Threat and Vulnerability Management Team. Cappelli and fellow researchers Andrew P. Moore, CERT Insider Threat Center lead researcher, and Randall F. Trzeciak, technical lead of insider threat research, recently authored the book The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (Addison-Wesley Professional, 2012). The team derived the top 10 mitigation strategies from the research summarized in their book. The list presents each of the 10 strategies, provides a thumbnail sketch of what some organizations have done to implement the strategy, and notes important details organizations should consider.
“It seemed like the appropriate time to publish this list,” said Trzeciak. “It serves to mark the 10th year of our work in insider threat and provides organizations a quick and useful doorway into our research.” Moore added that the list “applies across the organization. It consists of socio-technical solutions—a holistic approach based on both technical and non-technical (social) behaviors.”
Among the mitigation strategies recommended by the CERT team are the following:
- Number 10: Learn from past incidents. Past incidents suggest areas of vulnerability likely to be exploited again.
- Number 9: Focus on protecting the crown jewels. Organizations should dedicate the most effort to securing the most valuable organizational assets and intellectual property against insider threat.
- Number 8: Use your current technologies differently. Most organizations have implemented technologies to detect network intrusions and other threats originating outside the network perimeter. These same technologies can be used to detect potential indicators of malicious insider behavior inside the network.
- Number 7: Mitigate threats from trusted business partners. Contractors and outsourced organizations should be subject to the same security controls, policies, and procedures as your own employees.
The CERT Top 10 List for Winning the Battle Against Insider Threats includes six additional strategies, which build to the most important. In addition to the top ten mitigation strategies, the list provides pointers to a number of useful resources organizations can tap to gain a better understanding of the insider threat problem and measures they can begin taking to develop a comprehensive mitigation strategy.
To download a copy of the full Top 10 List presentation, visit http://www.cert.org/archive/pdf/CERT-InsiderThreat-RSA2012.pdf.
For more information about the CERT Program’s research on insider threat, visit http://www.cert.org/insider_threat/.