
Operations | Commentary
11/13/2014 10:00 AM
Adam Firestone

The Enemy Who Is Us: DoD Puts Contractors On Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks.

In June 1953, American cartoonist Walt Kelly wrote about human frailty in the introduction to The Pogo Papers, a compilation of his cartoon strip, Pogo:

There is no need to sally forth, for it remains true that those things which make us human are, curiously enough, always close at hand. Resolve then, that on this very ground, with small flags waving and tinny blasts on tiny trumpets, we shall meet the enemy, and not only may he be ours, he may be us.

Kelly’s words ring especially true today with respect to the murky underworld of cybercrime and insider threats. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. More frightening still is the fact that over a third of insider attacks target the personally identifiable information (PII) of either employees or customers.

Those facts alone are cause for concern. But it gets worse. The statistics cited above apply only to malicious insiders. Mounting evidence points to a comparable magnitude of risk realized through unwitting insider threat actors: trusted persons who fail to exercise good cyber hygiene. Their lapses range from failing to follow good patch management practices to opening email attachments and clicking on links in communications from untrusted sources.

The impact of the unwitting insider threat is large. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing or spear phishing attacks. Put another way, half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors.

It’s worth noting that these are just the costs that can be quantified economically. The impact to national security of cyber attacks occasioned through the actions of either malicious or unwitting insiders is impossible to fully quantify. Perhaps the words of Executive Order 13526, which describes certain information as being so sensitive that its unauthorized disclosure can reasonably be expected to “cause exceptionally grave damage to the national security,” best illustrate the point.

Despite the prevalence and potential consequences of cyber attacks originating from insider threats, there have been few, if any, regulatory attempts to mitigate the problem within the national security space. Thankfully, that state of affairs is about to change with the upcoming issuance of Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense through the Defense Security Service (DSS). The NISPOM establishes standards, procedures, and requirements for all government contractors who have access to or manage classified information.

Specifically, Conforming Change 2 will require all cleared US government contractors to establish an insider threat program that gathers, integrates, and reports relevant information on insider threat activity in accordance with Executive Order 13587. Additionally, contractors will be required to designate a senior official to manage the insider threat program to ensure that it has the necessary levels of executive authority within the organization.

Conforming Change 2 requires contractors to maintain, and be prepared to provide, records pertinent to insider threat information, including:

  • Counterintelligence and security records
  • Network data
  • Personnel records

Importantly, Conforming Change 2 also requires that contractor personnel be properly trained with respect to insider threats within 30 days of hiring or before being granted access to classified information. The training must cover:

  • Counterintelligence and security fundamentals including applicable legal issues
  • Procedures for conducting insider threat response actions
  • Laws and regulations on gathering, integrating, retaining, safeguarding, and using records and data and on the consequences of misuse of such information
  • Legal, civil liberties, and privacy policies
  • Detecting and reporting insider threats

Perhaps the most effective component of the change is that contractors will now be required to monitor activity on classified networks to detect insider threat indicators. While implementation details are not specified, monitoring mechanisms must adhere to guidance issued by the Cognizant Security Agency (CSA) and federal systems requirements as specified by FISMA, NIST, CNSS, and others.

Is Conforming Change 2 a silver bullet with respect to insider threats? No. But it does provide sorely needed regulatory teeth to address a problem that has long plagued both industry and government. And DSS taking steps toward that end is indisputably a good thing.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ...

Comments
Marilyn Cohodas, User Rank: Strategist, 11/18/2014 | 9:09:29 AM
Re: A good start or too little too late?
Good point. That is at least something....Thx!
firestonea, User Rank: Author, 11/18/2014 | 9:07:58 AM
Re: A good start or too little too late?
So as not to conflate POST Snowden with PRE Snowden, it's worth noting that at the very least, internal government networks are being significantly fortified with respect to security in the POST Snowden era.
Marilyn Cohodas, User Rank: Strategist, 11/18/2014 | 9:06:10 AM
Re: A good start or too little too late?
I'm actually surprised that in all the hand-wringing and finger-pointing in the wake of the Edward Snowden leaks, the government didn't try to put in place more stringent technical safeguards. I guess that is the nature of bureaucracy.
firestonea, User Rank: Author, 11/18/2014 | 8:55:15 AM
Re: A good start or too little too late?
Hi Marilyn,

I think such rules would have been a good start. However, like most rules of that sort, they are deliberately vague as to implementation details in order to give organizations the maximum amount of flexibility. I think that prevention of such a data loss would have required very specific technical safeguards to have been in place. That being said, this rulemaking provides important impetus (and is a great step in overcoming organizational inertia) toward that goal.
Marilyn Cohodas, User Rank: Strategist, 11/17/2014 | 10:27:06 AM
A good start or too little too late?
Good article, Adam. But I'm curious. Do you think having insider threat rules in place pre-Snowden could have prevented his leaking of classified NSA docs?