Redefining the Insider Threat
Taking a Holistic Approach to Security
What is an insider threat?
Randy Trzeciak has an answer, but he and his colleagues at Carnegie Mellon University's CERT Insider Threat Center are working to broaden the definition of the insider threat to incorporate not just the risk to information and technology but to facilities and people, too.
The CERT Insider Threat Center, part of CMU's Software Engineering Institute, defines insiders as those who pose a substantial threat by virtue of their knowledge of, and access to, their employers' systems and databases. Insiders - current and former employees, contractors and trusted business partners - can bypass existing physical and electronic security measures through legitimate means.
But as processes and tools used to safeguard the physical and logical world converge, a common lexicon needs to be developed so organizations can take a holistic approach to the insider threat.
"Right now, we're not to the point across many organizations where we have a common way to describe the insider threat," says Trzeciak, technical manager of the CERT enterprise threat and vulnerability management team. "If we can describe the threat consistently, hopefully, we'll have a better chance of addressing or mitigating the threat across organizations. ... Without a consistent way to define those threats, it would be hard to focus on what you're trying to protect and from whom."
What needs to be defined in the insider-threat ontology? The threat, vulnerabilities, impacts and a common approach to mitigate the risk in the physical and virtual arenas.
"Assuring that organizations are secure and resilient, and that they will continue operations in the face of adversity, you do need to protect the people, the facilities as well as your information and technology," he says. "Many organizations would not be able to operate if one of those four key critical assets were compromised or unavailable."
The idea of combining physical and virtual security isn't new. Sony Chief Information Security Officer Phil Reitinger championed the synergy between the two when he served as the top cybersecurity official at the Department of Homeland Security a few years back.
Speaking the Same Language
"The private sector speaks the language of all hazards, they worry about risk ... whether it's from a cyber-attack or a backhoe," Reitinger testified at a congressional hearing. "We, in government, need to step to that, and speak their same language if we want to influence how they behave in an all-hazards way, in a risk-based way, and if something bad happens, physical or cyber, to be able to address it seamlessly."
The Center for Internet Security, the not-for-profit group that runs the Multistate Information Sharing and Analysis Center, recently created a new unit - the Integrated Intelligence Center - to help local and state governments jointly address physical and cyber threats (see Formalizing Cyber-Physical Security).
Physical security and cybersecurity can no longer be looked at separately because an attack on an organization's systems can cause physical infrastructure to fail, says the new unit's executive director, Richard Licht. "Those two domains really are integrated in a way that you need to understand the threat complexities that each face in order to be as secure as you can be."
It's a theme picked up by Kshemendra Paul, who manages the federal government's National Strategy for Information Sharing and Safeguarding (see Linking Cyber, Physical Threat Data). "Something that goes on in the physical world may give you clues on what's going on in the cyberworld and vice versa," Paul says. "There is a nexus there, so that is why people want to look at it in an integrated way."
Such moves demonstrate a critical need for the insider threat ontology CERT is creating. Trzeciak says a draft of the document should be available in the coming months.