Cybersecurity and fighting the insider-threat

Cybersecurity Discussion Part 1: The Biggest Insider Threats

wfedstaff | June 3, 2015 9:21 am

Download audio

By Suzanne Kubota
Senior Internet Editor
FederalNewsRadio.com

When you think of protecting your computer systems, how often do you think of insiders — you know, like the person sitting in the office next to you? Or maybe that disgruntled worker you had to let go? And if there is a threat, what’s the best way to stop it?

We’re trying to answer those questions in a Federal News Radio Discussion: Meeting Mission Goals Through Technology.

Advertisement

Joining us for the discussion were Jerry Davis, the chief information security officer for NASA; Elaine Newton, Identity Management Systems Program Manager at the National Institute of Standards and Technology; and Bobbie Stempfley, Director, National Cybersecurity Division at Homeland Security.

Here are some of the topics, questions and excerpts from the responses of the panel:

Part 1: The Biggest Insider Threats

    Davis: At NASA, said Davis, the threats seem to have leveled off to “kind of 50/50″ between insider and outsider. He stressed the insider threat he sees most often is not a “malicious insider threat, but really a non-intentional type person” who clicks on things they shouldn’t, which he said “comes down to training.” Increased awareness should be focused on training “to alleviate or mitigate that risk”.

    Stempfley: Expanding on Davis’ point, Stempfley emphasized training should be a “multifaceted approach,” saying “it has to involve things like training of end users,” “technology components that will help offset any particular area”, and “procedures and mechanisms and overall user awareness.”

    Newton: Beyond training, Newton stressed the importance of authentication of identity and of privileges.

Part 2: Best Practices for Preventing Insider Threats

    Stempfley: DHS, said Stempfley, has expanded beyond online training to a more “experiential” mode. “So you have to give the users an example of what it might look like and how they might be able to recognize it in practice because the environment changes rapidly.” Best practices, said Stempfley include “monitoring your environment, managing your edge devices, managing your infrastructure, asset understanding and awareness. We talked about standards for configuration baselines – all of that, as well as perimeter defenses and other mechanisms as well.” With those in place, said Stempfley, “then, in any particular situation you can make a decision to either turn something on or turn something off.”

    Davis: “It comes down to a risk-based decision,” said Davis to determine the level of security. He suggests monitoring outbound data traffic in addition to inbound. “Somebody may be shipping something” out of the agency. Most importantly, said Davis, “at the end of the day there has to be some level of trust with your people because we’re not in a zero defect environment. You are going to lose data at some point.”

Part 3: Authentication Issues

    Newton: NIST Special Publication 800-63, said Newton, “lays out different levels of risk for doing authentication” requiring different levels of assurance “that somebody is who they claim to be.” Most users are familiar with usernames and passwords, but said Newton, “that’s not necessarily commensurate with the risk that you’re taking online.” People doing online banking would probably like to have more assurance that their personal information is secure. NIST, said Newton, would like to advance that kind of technology, especially in the private sector and consumer services.

    Stempfley: To accomplish that, Stempfley mentioned the “just completed interagency process for the National Strategy for Trusted Identities in Cyberspace” which includes focus on online transactions. “So how do we know people are who they say they are and that the transaction is occuring in the way that is supposed to be occuring to the end that we want.”

    Davis: To get implementation started, Davis said infrastructure and interoperability have to be considered. For example, if you’re going to use a PIV card to log onto a desktop, “you also want to be able to log in, at the same time” to multiple applications that you may have access to. So while the user is being authenticated, the system would also be determining the user’s level of access to everything, including timecards that may be on a legacy system.

    Newton: If you’d like to learn more about what “colleagues and other agencies are doing, there is an event that’s being sponsored through a subcommittee of the CIO council,” called ICAM Information Sharing Day. Register is required in advance by August 2nd.

Part 4: FISMA Issues

    Stempfley: Continuous monitoring is DHS is concentrating, said Stempfley. OMB has issued a memo that put DHS in the role of setting measures for what reporting will be. They’ll be looking at “assets, where are they, how are they configured as we go” forward.

    Davis: “The problem I’ve always had,” said Davis, “was the implementation of FISMA from agency to agency. Implementation, I always felt, was very poor.” Davis said that under FISMA, as far as certification and accreditation, “we weren’t managing our risks very well at all.” He said it didn’t make sense to check security controls every three years, or a third of them once a year. “It’s about knowing what our threats are,” said Davis, in real time. So he started to monitor in real time and produce a risk score card for each NASA center. “It just so happened that that’s where it looks like the trend is where the federal government is going.”

    Stempfley: Agreed that’s where the federal government is headed. “This really gives us, as a government, more levers to turn in a particular situation. If I have more understanding of where I am now, I also have the mechanism to say…I can turn this on, I can turn this off, I can change the environment.”

Part 5: Roadmap

    Newton: In order to bring interagency efforts together, Newton encouraged everyone to join ICAM so “people don’t have to keep trying to do the same thing, recreating the wheel in each department and agency.” More information can be found at idmanagement.gov about different workgroups available.

    Stempfley: The issue, and the future, said Stempfley, is “about recognizing your user base, what technologies you use to get your mission accomplished, and then what risk profile you have based on the mission that you have. Going and looking at the standards in that environment and bringing all of that together in a strategy for your organization that then can be supplemented by those capabilities that the federal government provides either through DHS or other organizations into that holistic multifaceted approach.”

Check out all of Federal News Radio’s coverage of cybersecurity issues here.