solved The professor has returned this assignment to me wants to

The professor has returned this assignment to me and wants me to fix it; if I don't, she will give me a bad grade. I need it to be fixed, or another one written. The previous tutor did not do well. Do anything to fix it. Word doc is attached.

DUE DATE FOR ENTERPRISE/EMPLOYER RISK MANAGEMENT THREAT ANALYSIS- 11 OCT. 20. (A prototype is posted under Course Documents.) Please note this is NOT a template or a format, simply a sample as to how to approach this paper. More guidance will follow. 6-8 pages range, double-spaced typed, exclusive of charts or references, to be posted in your assignment folder.

(professor email) There is a major assignment due shortly per the syllabus, your risk management analysis. 6-8 pgs double spaced, plus sources. Legal focus as well as a threat assessment applicable to your workplace or critical infrastructure, e.g. hospital, bank. Don't be late!

(prototype) Cyber Policy, Law, & Criminal Investigation

Insider Threat Risk Management PROTOTYPE AND SAMPLE ONLY

Memorandum

Date:
To: Chief Operating Officer | EC |
Thru: Chief Information Officer | ISTS |

General Counsel | OGC |
From: Senior IT Analyst | IT |
Subject: Insider Threat Risk Management and Recommendations

In light of the Executive Announcement issued on September 21st, 2018 and concern
expressed by General Gene , I was tasked by the executive committee to
propose a risk management strategy to address insider threats to the agency. For your
consideration, this proposal includes recommendations to the Executive Committee and
General Counsel concerning the current risk management program as well as the possible legal
ramifications and executive actions needed in the wake of recent events.

We are known for independent nonpartisan values and its reputation ,
among the American people, and throughout the globe. It is imperative to combat any forces
attempting to damage or discredit the organization through leaking sensitive information,
maliciously manipulating reports , and/or placing our clients and
fellow agencies at risk of compromise.

The Office of the Director of National Intelligence’s National Insider Threat Task Force,
under joint leadership of the Attorney General and the Director of National Intelligence, defines
insider threat as “a threat posed to U.S. national security by someone who misuses or betrays,
wittingly or unwittingly, their authorized access to any U.S. Government resource. This threat
can include damage through espionage, terrorism, unauthorized disclosure of national security
information, or through the loss or degradation of departmental resources or capabilities.”1

In 2017, insider threat events made up one in five incidents and are deemed more costly
than those committed by outsiders.2 While industry statistics for insider threat
events, the organization has personally seen an influx of insider threat incidents in recent years
with 3 notable cases:

Event: 2013 Healthcare.gov Security Controls Assessment Leak

More specifically, we experienced a leak of a Confidential Security Controls
Assessment obtained, stored, and maintained by us for a review on the Department of Health
and Human Services’ (HHS) healthcare exchange known as Healthcare.gov in support of the
Affordable Care Act passed in 2010.3 Protocols policy states, “we will
grant clients, upon their written request, access to its audit documentation .”
However, to accommodate more than 15 signatories, we hosted an event on the Hill to allow
members to review the requested SCA. According to congressional staff, a member of
congress leaked the results of the SCA to the media in an effort to allegedly advance a political
agenda to discredit the federal healthcare exchange effort and the passing of ACA. It was
confirmed in the November 2013 hearing by multiple congressional staff as well as the head of
.4 The investigation concluded on November with no identified
source and no policy changes .

1 Office of the Director of National Intelligence. National Insider Threat Task Force Mission Fact Sheet. Retrieved
from https://www.dni.gov/files/NCSC/documents/products/National_Insider_Threat_Task_Force_Fact_Sheet.pdf

2 Forcepoint, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon
University. The 2017 U.S. State of Cybercrime Survey.

3 U.S. Congress “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on
HealthCare.gov Security.” Congressional Transcript . November 19, 2013. pp. 218, 22–23, 270.

The unauthorized disclosure of the SCA violates Executive Order 13526 sections 4.1
and 5.4, which call for organizations to ensure safeguards and restrictions on access to
prevent unauthorized disclosure of information within the federal classification schema. The
lapse in document control could lead to a compromise in HHS systems as the report detailed
the specific vulnerabilities in the Healthcare.gov system. This places HHS at risk of violating the
Federal Information Security Modernization Act; The Privacy Act of 1974, as amended at 5
U.S.C. 552a; the HHS Privacy Act regulations, as well as the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). While a congressional staff member leaked the document
to the media, we face risks to one of our core values, reliability. If government agencies are
unable to trust the document control measures we have in place when interacting with
congressional committees, then a longstanding issue of obtaining documentation will
become a major roadblock for the organization. While we must prevent insiders within the
organization, we must also help limit insider threats within our clients as it impacts our
operations and values.

Event: Malicious Insider Project Veritas

Additionally, in September 2018, Project Veritas, deemed a conservative activist group,
released a 14-minute video on Google’s platform YouTube depicting a current GAO employee
contributing to the Democratic Socialists of America (DSA) during work hours with the intent to
influence GAO work products provided to the U.S. Congress.5 The individual submitted a federal
independence form; however, he did not provide specifics on his extracurricular activism work.
This not only violates our conflict of interest policies, but he also intentionally misled the
federal government and defrauded the U.S. taxpayers.

4 U.S. Congress “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on
HealthCare.gov Security.” Congressional Transcript . November 19, 2013. pp. 218, 22–23, 270.

5 Project Veritas. “Deep State Unmasked, U.S. GAO Auditor Admits ‘I Break Rules Every Day.’” Project Veritas Deep
State Unmasked, 20 Sept. 2018, www.projectveritas.com/2018/09/20/breaking-deep-state-unmasked-u-s-gaoemployee-admits-i-break-rules-every-day/.

Event: Disgruntled Employee

Most notably, in October 2018 preliminary reports from the Office of the Inspector
General indicate that an analyst leaked a preliminary report and extracted
more than 2.3 terabytes of classified documents from our internal document management
system for monetary gain, including materials concerning Department of Defense weapons
systems, National Reconnaissance Office satellite protection systems, vulnerabilities on the
U.S. electric grid, the Department of Energy’s National Nuclear Security Agency security
protocols, and HHS’s infectious disease lab security results from NIH. This is a direct violation of
policy, the Computer Fraud and Abuse Act as well as the Espionage Act.

Insider Threat Risk Management Analysis

As tasked by the executive committee, the details below address each insider threat
event through a risk management perspective. This will form the basis of an insider threat
program for your consideration. The NIST Risk Management framework is an effort to
implement the provisions outlined in the Federal Information Security Modernization Act. The
insider threat risk management approach captured below takes into account the results of the
completed 2018 risk assessment report executed to fulfill Phase 4 of the NIST Risk
Management Framework model. A detailed analysis on insider threat is attached in Appendix I.
NIST notes that the risk assessment identifies “risks to organizational operations (including
mission, functions, image, reputation), organizational assets, individuals, other organizations,
and the Nation, resulting from the operation of an information system.”6 This includes the threat
vulnerability analysis associated with the system.

Additionally, Executive Order 13587 and the National Policy on Insider Threat call for
agencies to establish an insider threat program for handling classified information, which can be
extended to ensure additional security for all our work products. Additionally, OMB memo M-17-25
calls for agencies to establish an Insider Threat Program to protect the federal network
and its data. This effort is based on implementing PM-12 of NIST’s 800-53 Revision 4 standard
and in alignment with the Risk Management Framework and best practices from Carnegie
Mellon’s Software Engineering Institute. Detailed below are the top 3 risk management steps to
safeguard against the insider threat based on the organization’s current posture: Learn,
Detect/Prevent, and Respond.

Learn

GAO’s insider threat program must be able to identify potential indicators of insider threats
based on previous events, list known characteristics as identified in the risk assessment
attached in Appendix I, identify the target assets within the organization and possible mens rea.
The identified characteristics from Appendix I are a combination of identified elements with
those identified by the Department of Homeland Security’s National Cybersecurity and
Communications Integration Center.7 Based on the insider events captured above, I identified
four main actors with the associated characteristics to create an insider threat profile with the
targeted organizational asset and intent. These profiles include:

• Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure
• Internal Staff | Human Error | N/A
• Malicious Insider | Activism | Manipulation of Report
• Disgruntled Employee | Financial Gain | Data Exfiltration

While this is not inclusive of all potential combinations, the four profiles captured above adhere
to the first of three critical elements of an insider threat program.

6 NIST Risk Management Framework
7 https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat.pdf

Further, the risk assessment captured in Appendix I revealed
that the insider threat places us at a moderate risk level. Under a moderate risk level,
exploitation of vulnerabilities within the organization (1) may result in the costly loss of tangible
assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or
interest; or (3) may result in human injury. This aligns with the NIST Risk Management
Framework, as organizations must first understand the threats and risks facing the organization
prior to selecting controls. This step was adapted for the insider threat program in Appendix I.

Detect & Prevent

Given the three insider events we faced, there are several best practices that
could have been instrumental to detecting and preventing insider threats. These include
activities associated with stakeholders at all levels throughout the organization such as HR,
Infrastructure, Public Affairs, and within our mission teams.

Human Resources

Software Engineering Institute’s best practices include: monitor and respond to
suspicious or disruptive behavior, develop a comprehensive employee termination
procedure, and anticipate and manage negative issues in the work environment. These
best practices would directly address the following insider threat actors: Disgruntled
Employee and Malicious Insider. While our current policies call for automatic
removal of access rights in the event of employee termination, our procedures do not
link employee satisfaction with insider threat notification. Our employee feedback survey
within the IT mission team indicates that Band 2Bs are the most unsatisfied among the
staff due to promotion availability. Given this, HR should work with IT to deploy adaptive
analytics on access rights and user activity among groups with a certain level of
authorization. Threat actor: Disgruntled Employee was a Band 2B seeking financial
gain.

Public Affairs

With regard to the Malicious Insider, our annual independence review process
failed to identify an employee associated with the DSA. This is where social media
monitoring capabilities within our Office of Public Affairs can make a direct impact. The
privacy concerns associated with this effort are moderate as it must remain within the
public domain. The individual was engaged in political activity during work through
social media. This effort by OPA would extend the reach of the independence policy
and actively engage in identifying conflicts of interest beyond a federal document.

Infrastructure

Lastly, detection falls on the Infrastructure department’s security control mechanisms
captured in NIST’s 800-53 Revision 4. The organization must raise its Integrity baseline
and implement high integrity security controls identified by NIST to ensure that the
integrity of the data is not compromised from an insider. Additionally, intrusion detection
capabilities must be expanded in order to baseline normal behavior on the network and
then detect anomalous behavior such as accessing social media, emailing multiple
documents outside of the organization, and saving files on an external drive. Given
these best practices, the three threat events identified can be addressed through the
following mechanisms:

• Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure
  o Action: Prohibit mobile phones during closed sessions with sensitive documents
  o Action: Intentionally insert typos in each version of the document to identify a
    source of a leak
  o Action: Invite agency representatives to administer and collect sensitive
    documents at the conclusion of the session to redirect the risk
  o Benefit: Limits mode of exfiltration, detects source of the leak, and shifts liability
    to data owner (HHS)
• Internal Staff | Human Error | N/A
  o Action: Apply additional document control requirements when handling files
    outside of the document management system
  o Action: Limit the number of files a single person is responsible for and assign an
    accountability officer for each set of files
  o Benefits: Adds oversight to reduce likelihood of human error
• Malicious Insider | Activism | Manipulation of Report
  o Action: Increase Integrity security controls to NIST 800-53 standards
  o Action: Increase social media monitoring efforts and align with annual
    independence attestation
  o Action: Re-baseline intrusion detection system to include insider threat detection
  o Benefits: Improves security posture, proactively detects conflicts of interest, and
    increases technical capabilities for anomalous employee behavior.
• Disgruntled Employee | Financial Gain | Data Exfiltration
  o Action: Share employee satisfaction results with IT for adaptive analytics
  o Action: Re-baseline intrusion detection system to include insider threat detection
  o Action: Implement new policies regarding external media, email attachments, and
    remote access after work hours
  o Benefits: Improves security posture, proactively detects conflicts of interest, and
    increases technical capabilities for anomalous employee behavior.
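
The baselining step described under Infrastructure, sketched as an added example that is not part of the original memo: each user's own history sets the threshold for the three behaviors named above, and remote sessions outside working hours are listed separately. The user names, counts, working hours, and the median/MAD threshold are assumptions made for illustration.

```python
from datetime import datetime
from statistics import median

MIN_HISTORY = 5            # days of history needed before a baseline is trusted
WORK_HOURS = range(7, 19)  # assumed working hours, 07:00-18:59 local time

# Constructed daily counts per (user, activity), oldest first. The activities
# are the three the memo names; user names and numbers are made up.
HISTORY = {
    ("analyst_a", "external_email_docs"): [1, 0, 2, 1, 1, 0, 2, 1, 1, 2],
    ("analyst_a", "usb_file_writes"):     [0, 0, 0, 1, 0, 0, 0, 0, 0, 0],
    ("analyst_a", "social_media_hits"):   [3, 5, 4, 2, 6, 3, 4, 5, 3, 4],
    ("analyst_b", "external_email_docs"): [4, 6, 5, 7, 5, 4, 6, 5, 6, 5],
    ("analyst_c", "usb_file_writes"):     [0, 1],  # new hire, short history
}

# Constructed counts for the day under review.
TODAY = {
    ("analyst_a", "external_email_docs"): 9,
    ("analyst_a", "usb_file_writes"): 40,
    ("analyst_a", "social_media_hits"): 5,
    ("analyst_b", "external_email_docs"): 8,
    ("analyst_c", "usb_file_writes"): 2,
}

# Constructed remote-access sessions: (user, local start time, ISO 8601).
SESSIONS = [
    ("analyst_a", "2018-10-03T09:15:00"),
    ("analyst_a", "2018-10-03T23:42:00"),
    ("analyst_b", "2018-10-03T17:05:00"),
]


def threshold(history, k=5.0, floor=3.0):
    """Median plus k scaled MADs. The floor stops a flat history (MAD of 0)
    from alerting on a single extra event."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med + max(k * 1.4826 * mad, floor)


def volume_alerts(history, today):
    """Compare today's count with each user's own baseline."""
    alerts = []
    for key, observed in sorted(today.items()):
        past = history.get(key, [])
        if len(past) < MIN_HISTORY:
            # Too little data to call anything normal: route to manual review.
            alerts.append((*key, observed, None, "insufficient_baseline"))
            continue
        limit = threshold(past)
        if observed > limit:
            alerts.append((*key, observed, round(limit, 2), "above_baseline"))
    return alerts


def after_hours(sessions):
    """Remote sessions that start outside the assumed working hours."""
    return [(user, ts) for user, ts in sessions
            if datetime.fromisoformat(ts).hour not in WORK_HOURS]


if __name__ == "__main__":
    for alert in volume_alerts(HISTORY, TODAY):
        print(alert)
    for hit in after_hours(SESSIONS):
        print(hit)
```

Nine outbound documents is flagged for analyst_a, whose baseline is about one a day, while eight is within the normal range for analyst_b; a single organization-wide threshold would miss that difference.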

Respond

CMU’s 2017 study on U.S. Cybercrime surveyed more than 500 organizations across the
country regarding insider intrusions. According to the study, the number of events handled
internally without legal action or law enforcement stayed the same from 2016 to 2017 at 76%.8
Additionally, the top 3 reasons included:

• Could not identify the individual(s) responsible
• Damage level insufficient to warrant prosecution
• Lack of evidence/not enough information to prosecute

8 Forcepoint, CSO, U.S. Secret Service, and CERT Division of Software Engineering Institute at Carnegie Mellon
University. The 2017 U.S. State of Cybercrime Survey.

All three justifications could be addressed through applying additional logging and auditing
controls as recommended by NIST-800-53 Rev 4, which I prescribe for our internal systems
through its high Integrity categorization. While unauthorized disclosures could call for legal
action depending on its nature, the availability of evidence is essential to respond with any legal
action. With regard to the 3 insider events:

• Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure
  o Response Reported: None
  o Reason: Lack of evidence; Could not identify individual
  o Potential Legal Response: Violation of congressional policies; If compromised:
    Computer Fraud and Abuse Act, Privacy Act violation
• Internal Staff | Human Error | N/A
  o Response Reported: None
  o Reason: Damage level insufficient; No malicious intent
  o Potential Legal Response: None; internal policy violation
• Malicious Insider | Activism | Manipulation of Report
  o Response Reported: System access rights terminated; Suspension pending
    investigation from the OIG.
  o Reason: Damage level insufficient due to quality control processes
  o Potential Legal Response: Internal policy violation; Making false statements
    (18 U.S.C. § 1001), Fraud
• Disgruntled Employee | Financial Gain | Data Exfiltration
  o Response Reported: System access rights removed; Employee terminated and
    incident handled with legal action
  o Reason: Involved Classified information posing threat to national security
  o Potential Legal Response: Computer Fraud and Abuse Act, Espionage Act
    Section 793

Next Steps

We are the first line of defense when it comes to insider threat. This includes all departments
within the organization and each individual analyst. Take action by implementing the short-term
measures outlined in the memo followed by a comprehensive insider threat program in FY19 in
accordance with OMB M-17-25.

APPENDIX I: INSIDER THREAT RISK ASSESSMENT REPORT (RAR)

Document Management

October 2018

Record of Changes:

Version Date Sections Modified Description of Changes
1.0 October 2018 Initial RAR

Scope

The risk management process is based on the general concepts presented in National Institute
of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for
Conducting Risk Assessments, along with the principles and practices in NIST SP 800-18,
Guide for Developing Security Plans for Information Technology Systems and is consistent with
the policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III,
Security of Federal Automated Information Resources.

The scope of this risk assessment is focused on the system’s use of resources and controls to
mitigate vulnerabilities exploitable by threat agents (internal and external) identified during the
RMF control selection process, based on the system’s categorization. This initial assessment
will be a Tier 3 or “information system level” risk assessment.

Assumptions:

• A preliminary analysis informed the identified insider threat agents
• This assessment is based on a FY17 security controls assessment and agency-wide
  external threat analysis.

Purpose

This risk assessment is being conducted in order to determine the impact of an insider threat on
the organization and its business processes to form the basis of a managed insider threat
program maturity. Identifying the impact is a preliminary step in building a robust insider threat
program to safeguard GAO and its materials from unauthorized disclosure. This document is to
supplement existing risk assessments performed on the organization and update the existing
risk profile of the organization and information system.

Risk Assessment Approach

This initial risk assessment was conducted using the guidelines outlined in the NIST SP 800-30,
Guide for Conducting Risk Assessments. A quantitative and qualitative approach will be utilized
for this assessment. Risk will be determined based on a threat event, the likelihood of that threat
event occurring, known system vulnerabilities, mitigating factors, and consequences/impact to
mission.

The following table is provided as a list of insider threat characteristics as identified by the
Department of Homeland Security.

Table 1: Insider Threat Characteristics

Characteristics of Insiders at Risk of Becoming a Threat
Financial Need | Motive for Political Gain
Activism | Workplace Grievance
Behavioral Limitations: Compulsive and Destructive Behavior | Entitlement
Ethical “flexibility” | Minimizing their mistakes or faults
Reduced loyalty | Self-perceived value exceeds performance
Pattern of frustration and disappointment | Lack of empathy
No Accountability or Integrity | Intolerance of criticism

Potential Threat Actions:

• Assault on an employee
• Blackmail
• Browsing of proprietary information
• Computer abuse
• Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
• Malicious code (e.g., virus, logic bomb, Trojan horse)
• Sale of personal information
• System bugs
• System intrusion
• System sabotage
• Unauthorized system access

The following tables from the NIST SP 800-30 were used to assign values to likelihood, impact,
and risk:

Risk Level Matrix:

The final determination of mission risk is derived by multiplying the ratings assigned for threat
likelihood (e.g., probability) and impact of an exploited vulnerability after consideration of in
place controls. Table 2 below shows how the overall risk ratings might be determined based on
inputs from the threat likelihood and threat impact categories. The determination of these risk
levels or ratings may be subjective. The rationale for this justification can be explained in terms
of the probability assigned for each threat likelihood level and a value assigned for each impact
level. For example:

• The probability assigned for each threat likelihood level is 5 for High, 3 for Moderate,
  1 for Low.
• The value assigned for each impact level is 5 for High, 3 for Moderate, 1 for Low.
• The matrix below is a 3 x 3 matrix of threat likelihood (High, Moderate, and Low) and
  threat impact (High, Moderate, and Low).

Table 2: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)

Threat Likelihood | Impact: LOW (1) | Impact: MODERATE (3) | Impact: HIGH (5)
HIGH (5) | LOW, 5 x 1 = 5 | MODERATE, 5 x 3 = 15 | HIGH, 5 x 5 = 25
MODERATE (3) | LOW, 3 x 1 = 3 | MODERATE, 3 x 3 = 9 | MODERATE, 3 x 5 = 15
LOW (1) | LOW, 1 x 1 = 1 | LOW, 1 x 3 = 3 | LOW, 1 x 5 = 5

Magnitude of Impact | Impact Definition
High | Exploitation of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Moderate | Exploitation of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low | Exploitation of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

Risk Assessment Results:
Disgruntled Employee / Insider Penetration / Unauthorized Use

Vulnerabilities / Predisposing Characteristics | Likelihood | Impact | Risk
Inadequate Security policy | High | Moderate | Moderate
Inadequate System Administration | High | Moderate | Moderate
Inadequate User Account Management | High | Moderate | Moderate
Inadequate Personnel Management | High | Low | Low
Inadequate Warning Banners | High | Moderate | Moderate
Use of Replayable I&A | High | Moderate | Moderate
Sharing of ID or Passwords | High | Moderate | Moderate
Inadequate Audit Log | High | Moderate | Moderate
Inadequate Audit Analysis | High | Moderate | Moderate
Inconsistent Physical Perimeter Definition | High | Moderate | Moderate
Inadequate Facilities | High | Low | Low
Data Unavailability | High | Low | Low
Weak Rules of Behavior | High | Moderate | Moderate
Untrained Users | High | Moderate | Moderate
No Individual Accountability | High | High | High
No System Change Control | High | Moderate | Moderate
No Software Change Control | High | Moderate | Moderate
No Separation of Duties | High | Moderate | Moderate
Unlimited User Privileges | High | High | High
Poor Patch Management | High | Moderate | Moderate
Interconnection Weaknesses | High | Moderate | Moderate
Copyright Protection Violations | High | Moderate | Moderate
Poor Logical Access Controls | High | Moderate | Moderate
Weak Passwords/No Passwords | High | High | High
Unprotected Networks | High | Moderate | Moderate
Weak Integrity Verification | High | Moderate | Moderate
Unknown Vulnerabilities | High | High | High

Risk Score: The insider threat agent poses a MODERATE risk to the organization.
