02:00 PM
Thomas Jones
Feds Call on Contractors to Play Ball in Mitigating Insider Threats

It's said that you're only as strong as your weakest player. That's as true in security as it is in sports.

Anyone who has ever played a team sport understands the importance of two key tenets when it comes to winning: practice makes perfect, and your team is only as strong as its weakest player.

The same can be said of mitigating the insider threat, one of the most pressing IT security and risk management challenges we face today.

Time and time again, we've seen attackers leverage compromised authorized network access, most often access granted to third-party contractors, to bypass otherwise effective security defenses. In other cases, unchecked activity by those contractors with access has resulted in cataclysmic security incidents.

High-profile commercial examples of this phenomenon include the massive Target data breach, in which attackers hacked the credentials of an authorized HVAC services provider to make off with millions of customer records. In the government sector, merely citing one name — contractor Edward Snowden — conveys the risk that pertains to malicious activities of a single unmonitored actor.

According to recent research published by security vendors TrendMicro and PhishMe, as much as 90% of all successful cyber attacks leverage some form of user manipulation or phishing. This is typically carried out by tricking someone into clicking on an infected URL link or opening an attachment that carries some form of malware.

To help address the insider threat in the federal government, a recent update to the National Industrial Security Program Operating Manual, or NISPOM — which governs private industry access to classified information — finds regulators communicating to their contractor partners that when it comes to security awareness, it's time to step up.


Under the NISPOM Change 2 Insider Threat Mandate, which went into effect on May 31, federal contractors will be forced to have a much tighter game plan in place; much of this revolves around renewed focus on end-user security training. While the federal government required all cleared personnel to go through insider training in the past, NISPOM 2 dictates that each company must retrain anyone who will handle sensitive data within the next year.

I can see you rolling your eyes, but security training does have a significant impact, even for experienced practitioners. This is where "practice makes perfect" comes in.

According to CyberSecurity Ventures, the CISO at Wells Fargo estimates that his company recently reduced exposure to phishing by 40% through a renewed training program. According to our own data collected from real-world business environments, when employees are called out by their employer, close to 80% make changes and become more security-conscious. This proves that training needs to be an ongoing process — one that's cyclical, not static.

In that sense, NISPOM 2 is a good step forward, although training should be mandated continuously: whenever a policy violation occurs and at least once a quarter, rather than annually, as required now.

In addition to mandated end-user training, NISPOM 2 also requires contractors to have a written insider threat plan in place, and to conduct more frequent self-assessment reviews, ensuring that related policies and practices are effective. In general, I think this approach works because it calls for greater accountability across the board from these contract holders.

In addition to these practical tactics of increased training and more frequent self-review, NISPOM 2 would appear to be an improved strategy for insider threat mitigation as it specifically calls for the involved contractors to increasingly do these three things:

  1. Be aware of the signs of insider threats
  2. Be cognizant of penalties for leaking sensitive information
  3. Know how and to whom to report any suspicious behavior

NISPOM 2 also goes one step further in requiring a minimal level of security around insider threats from other government partners, such as IT systems integrators. In general, the mandate is more thorough and prescriptive than previous efforts to address this range of potential risk factors.

So why is this happening now? This change comes as a direct result of high-profile insider cases such as those of Snowden and Harold Thomas Martin, who both were contractors. It's that simple.

At the same time, the Chinese army's alleged cyber spying unit, known as Unit 61398, actively targets contractors' home systems, in addition to their work systems, to gain access to U.S. government networks.

It would seem safe to assume that other state actors are employing similar tactics. At the end of the day, this is because the perception is that contractors are easier to subvert and therefore make better targets.

By pushing federal contractors to be more aware and focus on mitigating the insider threat, the federal government is taking a purposeful step toward protecting the core of its domain. As a result, this effort is likely to help build a more secure environment across the board.

If you want to win the game, you need to keep at the training and make sure everyone on your team is working together. If you do, you're almost certain to see better results on the playing field.


Thomas Jones is a Federal Systems Engineer at Bay Dynamics, an analytics company that enables enterprises and agencies to continuously quantify the financial impact of cyber-risk based on actual conditions detected dynamically in their environment. With more than 25 years of ...