
Michael C. Theis, CERT Insider Threat Center

Expert Reactions: Thomas Chandler, Principal
Michael addresses a couple of issues that are critical to our ability to detect and mitigate threats from insiders. The first is the importance of education and awareness, particularly related to accidental insiders. All the awareness training in the world is not going to stop a malicious insider, but it will contribute to decreasing the number of accidental events simply because people will be more aware of incidents that can cause problems on networks. The second is the importance of modeling behavior in order to identify when someone does something outside the expected norms. No doubt, modeling expected behaviors will help reduce the number of false positives in our quest to identify insider threats. However, I would expect modeling behavior to be more significant in detecting malicious insiders because “accidental” events are normally a violation of a security policy.

Expert Reactions: Anuj Soni, Lead Associate
Tom hits on one of the key issues when considering the accidental insider: the most important exploit in compromises, such as the one he mentions, is not the technical attack against a user’s browser or other client software, but the exploitation of a user’s trust. Those who would do us harm will continue to discover zero-day exploits that take advantage of previously unknown vulnerabilities, and this motivates technology companies to create more secure software and better systems to detect and respond to threats. At the same time, organizations must be motivated to develop more creative and effective approaches to educate their users about the risks they take each time they interact with e-mails and other network resources. Individuals often think twice about walking down a dark alleyway alone, but for many people, clicking on a link in a potential phishing e-mail still doesn’t justify a moment’s pause. Efforts to address a problem where people play a critical role cannot be solved without a solution that helps those people.

Expert Reactions: Timothy Tinker, Senior Associate
Angela McKay’s four-part approach of prevention, detection, containment, and response provides a useful corollary for examining the interactive effects of an organization’s operational response with their communications response. It also provides a flexible framework for improving current approaches to urgent and emergent communication during all phases of cyber incidents. When optimally combined, the operations-communications dyad can increase situational awareness and create a common operating picture that reflects the demands of a cyber incident as the event unfolds, media coverage intensifies, and public trust and reaction fluctuate depending on the effectiveness of the organization’s response. As an integral component to the broader operations response, the role of communications is to ensure that:
The government and industry spend billions of dollars a year protecting networks from outside penetrations and exploitation, yet leave the back door wide open to insider threats. While recent efforts are focused on the malicious insider, recent studies have concluded that a majority of security leaks occur due to “accidental” security breaches, inadequate access, and misuse of information by employees. Since network security is only as good as its weakest link, a “defense in depth” or “holistic” argument demands attention when it comes to security countermeasures that include the accidental insider.
Preventing insider threats is not a “one size fits all” proposition. Government agencies and industry have different challenges and requirements. Insider threat detection should be tailored to the organization; however, the overall framework for insider threat detection is no different for malicious or accidental insiders. Triggers may vary, but the key difference between the two types of insiders is “intent.” The following steps are critical in establishing a framework to identify insider threat activity and then distinguish between the two.
