Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/13/2014
10:00 AM
Adam Firestone
Adam Firestone
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

The Enemy Who Is Us: DoD Puts Contractors On Notice For Insider Threats

New rule requires US government contractors to gather and report information on insider threat activity on classified networks.

In June 1953, American cartoonist Walt Kelly wrote about human frailty in the introduction to The Pogo Papers, a compilation of his cartoon strip, Pogo:

There is no need to sally forth, for it remains true that those things which make us human are, curiously enough, always close at hand. Resolve then, that on this very ground, with small flags waving and tinny blasts on tiny trumpets, we shall meet the enemy, and not only may he be ours, he may be us.

Kelly’s words ring especially true today with respect to the murky underworld of cybercrime and insider threats. According to a 2012 financial services sector study by the Software Engineering Institute (SEI), the impact of insider attacks is considerable. Each attack, which, on average, remains undetected for 32 months, costs the victim between $382,750 and $479,000. More frightening still is the fact that over a third of insider attacks target the personally identifiable information (PII) of either employees or customers.

Those facts alone are cause for concern. But it gets worse. The statistics cited above apply only to malicious insiders. Mounting evidence indicates the magnitude of risks realized due to unwitting insider threat actors. Unwitting insider threats are trusted persons who fail to exercise good cyber hygiene. This can range from failing to follow good patch management practices to opening email attachments and clicking on links found in communications from untrusted sources.

The impact of the unwitting insider threat is large. According to a report published by the Ponemon Institute in December 2013, the costs to remediate damage caused by an advanced persistent threat (APT) attack run as high as $18 million ($9.4 million in reputational damage, $3.1 million in lost user productivity, $3 million in lost revenue and business disruption, and $2.5 million in technical support costs). Approximately 50% of known APT attacks are initiated through phishing or spear phishing attacks. Put another way, half of successful APT attacks succeed because of users with poor cyber hygiene habits, or unwitting insider threat actors.

It’s worth noting that these are just the costs that can be quantified economically. The impact to national security of cyber attacks occasioned through the actions of either malicious or unwitting insiders is impossible to fully quantify. Perhaps the words of Executive Order 13526, which describes certain information as being so sensitive that its unauthorized disclosure can reasonably be expected to “cause exceptionally grave damage to the national security,” best illustrates the point.

Despite the prevalence and potential consequences of cyber attacks originating from insider threats, there have been few, if any, regulatory attempts to mitigate the problem within the national security space. Thankfully, that state of affairs is about to change with the upcoming issuance of Conforming Change 2 of the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense through the Defense Security Service (DSS). The NISPOM establishes standards, procedures, and requirements for all government contractors who have access to or manage classified information.

Specifically, Conforming Change 2 will require all cleared US government contractors to establish an insider threat program that gathers, integrates, and reports relevant information on insider threat activity in accordance with Executive Order 13587. Additionally, contractors will be required to designate a senior official to manage the insider threat program to ensure that it has the necessary levels of executive authority within the organization.

Conforming Change 2 requires contractors to maintain, and be prepared to provide, records pertinent to insider threat information, including:

  • Counterintelligence and security records
  • Network data
  • Personnel records

Importantly, Conforming Change 2 also requires that contractor personnel be properly trained with respect to insider threats within 30 days of hiring or before being granted access to classified information. The training must cover:

  • Counterintelligence and security fundamentals including applicable legal issues
  • Procedures for conducting insider threat response actions
  • Laws and regulations on gathering, integrating, retaining, safeguarding, and using records and data and on the consequences of misuse of such information
  • Legal, civil liberties, and privacy policies
  • Detecting and reporting insider threats

Perhaps the most effective component of the change is that contractors will now be required to monitor activity on classified networks to detect insider threat indicators. While implementation details are not specified, monitoring mechanisms must adhere to guidance issued by the Cognizant Security Agency (CSA) and federal systems requirements as specified by FISMA, NIST, CNSS, and others.

Is Conforming Change 2 a silver bullet with respect to the insider threats? No. But it does provide sorely needed regulatory teeth to address a problem that has long plagued both industry and government. And DSS taking steps toward that end is indisputably a good thing.

Adam Firestone is President and General Manager of Kaspersky Government Security Solutions Inc. He is responsible for providing world-class cybersecurity intelligence and systems engineering services as well as innovative product solutions to meet the needs of government, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:09:29 AM
Re: A good start or too little too late?
Good point. That is at least something....Thx!
firestonea
50%
50%
firestonea,
User Rank: Author
11/18/2014 | 9:07:58 AM
Re: A good start or too little too late?
So as not to conflate POST Snowden with PRE Snowden, it's worth noting that at the very least, internal government networks are being significantly fortified with respect to security in the POST Snowden era.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/18/2014 | 9:06:10 AM
Re: A good start or too little too late?
I'm actually surprised that in all the hand-wringing and finter-pointing in the wake of the  Edward Snowden leaks, the goverment didn't try to put in place more stringent technical safegards.. I guess that is the nature of bureaucracy..
firestonea
50%
50%
firestonea,
User Rank: Author
11/18/2014 | 8:55:15 AM
Re: A good start or too little too late?
Hi Marilyn,


I think such rules would have been a good start.  However, like most rules of that sort, they are deliberately vague as to implementation details in order to give organizations the maximum amount of flexibility.  I think that prevention of such a data loss would have required very specific technical safeguards to have been in place.  That being said, this rulemaking provides important impetus (and is a great step in overcoming organizational inertia) toward that goal.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 10:27:06 AM
A good start or too little too late?
Good article, Adam. But I[m curious. Do you think having insider threat rules in place pre-Snowden could have prevented his leaking of classified NSA docs? 
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...