Creating an Insider Threat Program
NCMS June 2015
Agenda
• Introduction
• History 101
• Recent Events
• What is Insider Threat and Why We Need A Program?
• The National Archives Program
• NISPOM Requirements
• What is a Program?
• Sources of Data and the HUB
• Scope and Assets
• Base Line (What is Normal?)
• Implementation
• Case Studies (Data Use)
• Q & A
• Resources…
Samuel Slater (June 9, 1768 – April 21, 1835)
In the UK he was called "Slater the Traitor"
What about these?
• Wen Chyu Liu
• Kexue Huang
• Yuan Li
• Elliot Doxer
• Sergey Aleynikov
• Michael Mitchell
• Shalin Jhaveri
• Hanjuan Jin
• Greg Chung
• Chi Mak
• Conspired with internal employees
• Foreign Travel
• Foreign Contacts
  • Business
  • Government
• Downloaded and copied
  • MBs of data
  • Thousands of documents and files
Recent Events…..
• Many of the documents leaked by Manning to WikiLeaks and by Snowden have shown us a new wave of threats from personnel whose access and training allow them to damage national security.
What is an Insider Threat and Why do We Need A Program?
What is an insider threat?
• It is a threat posed to U.S. national security by someone who has authorized access to classified information but who misuses or betrays that access to provide classified information to another entity not authorized to possess it. That entity could be another government, another individual, or even the media.
Why does the United States need an Insider Threat Program?
• The exposure of hundreds of thousands of classified and sensitive USG documents by the WikiLeaks internet site demonstrated to the government and the public that current sharing and safeguarding procedures for classified information were inadequate and put our nation’s security at risk.
• In November 2012, after an interagency review of the NITTF’s work products, the President issued the National Insider Threat Policy and the Minimum Standards for Executive Branch Insider Threat Programs via a Presidential Memorandum.
National Archives and Records Administration
Why does the National Archives need an Insider Threat Program?
• NARA is responsible for the safety and protection of holdings which include information classified by every department and agency authorized to do so, as well as electronic systems used as part of our work with those holdings or to otherwise support NARA operations. Hundreds of NARA staff, other agencies' employees, and Federal government contractors have access to this information and these systems every day in the course of their work. It is our responsibility, as directed by the President, to prevent individuals with access to NARA's classified holdings and systems from giving classified information to individuals or organizations not authorized to possess it.
Background NARA
• We have 600-plus employees and contractors who have access to National Security Information
• We have the most mosaic collection of classified information in the US government.
  • Presidential Libraries
  • Intelligence Community Records
  • Department of Defense (Armed Services and Combatant Commands)
  • Departments of State, Energy, Commerce, Treasury, etc.
• We have generational media types (disks, tapes, textual, maps, photos, etc.) of highly sensitive national security information.
ITP is within the Chief Operating Officer's Office
NARA ITP
• Developed Policy NARA 242
  • Ongoing development of Implementation Guide
• Developed Training
• Hired Staff (1 IT Security Specialist and 1 Program Analyst)
• Currently Baselining our Agency
  • Gather Data
  • Developing Priorities
  • Reviewing Policies and Process
The Challenge
• Educating Leadership and Staff on what the Program is and is not…
• 46 Locations across the United States plus affiliated Archives and Records Facilities.
• We own the records but NOT the classified information, and the records are PERMANENT!
• We do not classify records and most of our classified electronic systems are standalones and LANs.
• Plus we have hundreds of other Federal Employees and Contractors assisting in the review of classified information for declassification.
Economic Impact of the Insider Threat…
“In the last fiscal year alone, economic espionage and theft of trade secrets cost the American economy more than $19 billion…economic espionage and theft of trade secrets are increasingly linked to the insider threat…”
-Christopher Munsey, FBI Counterintelligence Division (2013)
“The average cost per Insider Threat incident is $412,000. Average loss per industry is $14 million/year. Multiple incidents have exceeded $1 billion.”
-Patrick Reidy, FBI CISO, Black Hat Conference (2013)
Source: Global Skills Exchange, Corp.
NISPOM Requirements
What is your Challenge!?
• Establish a program that:
  • Has a designated Senior Official and Insider Threat Official who will
    • Gather, integrate, and report potential or actual insider threat
    • Maintain records pertinent to insider threat, provide them when requested, and render assistance if necessary
    • Report events that may indicate the employee poses an insider threat or affect proper safeguarding of classified information
• Training Requirement
Requirements
• Senior Official
• Establish a Program
• Train Staff
• Maintain Necessary Records and Documentation
• Report
What is the Program?
• Proactive
• Behavioral
• Risk Management
• Overlaid onto Existing Programs
• Integrates Data from MULTIPLE sources
• Discrete
Sources of Information
• Information flowing into the HUB can be passive or active. Active information is information requested when it is believed that a staff member is engaged in malicious behavior. Passive information feeds into the HUB through electronic feeds with no human action.
4/3/2015 DRAFT DRAFT DRAFT 20
[Diagram: Insider Threat Hub. Labels: Insider Inquiries; Data Sources; Manual or Automated Processing; Metrics, Leads, Reports; Analyst. Data sources shown: Financial Disclosure, Physical Security, Foreign Contacts, Foreign Travel, EAM Data, Human Resources, Personnel Security, Behavioral Assessments, UAM Data.]
Office Stakeholders
• Office of Human Capital
  • Labor/Employee Relations and Benefits
  • Staffing and Recruitment
• Business Support Services
  • Facilities and Property
  • Security Management
• Information Services
  • IT Security
• External Owners of Classified Networks
  • May need an MOU
Labor/Employee Relations and Benefits, Staffing and Recruitment DATA
• Name (First and Last)
• Organization Code, Office Symbol, and Description
• Pay Plan, Occupational Series, Position Title and Grade
• Supervisory Status
• Employee's Supervisor
• Location (Physical)
• Employment Status
• Start Date
Other needed Information
• Anniversary Dates
• Termination Date
• Performance Ratings
• Transfers, Promotions, and Details to other Offices that require different access
• Administrative Leave or other Disciplinary Action
• Work Hours, Flex Time, 4/10s etc
• Date in Current Position
Security Management
Information Via Forms
• Foreign Travel, Contacts (name and nationality), official or personal.
• Dates, Destination, and Unusual changes in itinerary
• Clearance Level and Access
• Security Infractions and Violations
• Statement of Personal History SF 86
• Classified Room Access Logs
• Employee financial disclosure reports as appropriate
• Government Official Passport holders
• Requests for Access or Keys to Areas not within Staff Scope of Work
• Staff needing temporary pass
Notifications via E-mail
• Changes in relationship status (divorced, widow, marriage) or cohabitation
• Financial Problems (bankruptcy, garnished wages, or liens)
• Arrests (for any reason), or other involvement with the legal system
• Psychological or Substance abuse counseling does not need reporting if sought on your own initiative.
• Outside Activities or Employment that could create an apparent conflict of interest
• Notification of pending termination or under special watch by Security
• Incident while attempting to leave through baggage checks
IT Security
• Websites visited or repeated attempts
• Downloads from websites or
• Access to E-mail after work areas? Weekend? Holidays?
• Accessing shared drives after hours.
• Downloading off
• Attempting to access unauthorized drives during or after hours
• Attempts to bypass security protocols
• Attempts to encrypt data on drives
• Requests for new user accounts
• Remotely accessing the system and performing tasks atypical of the individual's responsibilities
• Elevating or assigning administrator roles to unauthorized users or accounts
• Accessing another user's computer when left unattended
• Failing to follow policies and controls
• Accessing user and administrator accounts after termination of employment.
• Using computer resources to conduct a side business
• Any staff member having been recently terminated, disciplined, demoted, or given changed duties and roles.
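An added example, not part of the original slides: one way a HUB feed could join the HR data listed earlier (work hours, termination date) with the IT Security events listed above and turn them into per-account leads for the analyst. The account names, event format, and indicator labels are constructed for illustration; the "no HR record" check is an added assumption to cover accounts the HR feed cannot explain.

```python
from collections import defaultdict
from datetime import date, datetime, time

# Constructed HR feed (hypothetical accounts). Fields follow the HR data
# slide: work hours and termination date.
HR_FEED = {
    "asmith": {"start": time(7, 0), "end": time(17, 30), "terminated": None},
    "bjones": {"start": time(8, 0), "end": time(16, 30),
               "terminated": date(2015, 3, 20)},
}

# Constructed IT Security feed: (timestamp, account, action, target).
IT_EVENTS = [
    ("2015-03-17 10:12", "asmith", "share_access", "//fs1/projects"),
    ("2015-03-18 22:41", "asmith", "share_access", "//fs1/holdings"),
    ("2015-03-21 09:05", "asmith", "share_access", "//fs1/holdings"),  # Saturday
    ("2015-03-19 15:30", "bjones", "login", "ws-114"),
    ("2015-03-23 08:15", "bjones", "login", "ws-114"),   # after termination
    ("2015-03-23 11:00", "svc-tmp", "login", "ws-200"),  # no HR record
]


def classify(event, hr_feed):
    """Return the indicator labels that one IT event matches (may be empty)."""
    stamp, account, action, _target = event
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
    record = hr_feed.get(account)
    if record is None:
        # The join failed: nobody in HR owns this account.
        return ["account_without_hr_record"]
    if record["terminated"] and when.date() > record["terminated"]:
        # Any activity at all after the termination date is a lead.
        return ["access_after_termination"]
    hits = []
    if action == "share_access":
        if when.weekday() >= 5:  # Saturday or Sunday
            hits.append("shared_drive_weekend")
        elif not (record["start"] <= when.time() <= record["end"]):
            hits.append("shared_drive_after_hours")
    return hits


def build_leads(events, hr_feed):
    """Group matched indicators per account: leads, not raw events."""
    leads = defaultdict(lambda: defaultdict(list))
    for event in events:
        for indicator in classify(event, hr_feed):
            leads[event[1]][indicator].append(event[0])
    return {account: dict(found) for account, found in leads.items()}


if __name__ == "__main__":
    for account, found in sorted(build_leads(IT_EVENTS, HR_FEED).items()):
        print(account, found)
```

A match here is a lead for analyst review against the baseline, not a finding: an employee on an approved flex schedule would show up as after-hours until the HR feed carries the updated work hours.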
SCOPE and Your Assets….
What is the scope of your Insider Threat Program?
• Will you only monitor staff that have direct access to classified national security information?
• Will you monitor “trusted business partners”?
• Will you monitor all system administrators? Unclassified networks?
• Where is your DATA?
• Who has access?
• How soon do new hires get access?
HUB Priorities
[Diagram: HUB Priorities. Labels: Highly Sensitive Information Offices and Staff; Other Agency Staff and Contractors; Low Risk Offices and Staff; All New Employees and Contractors; Special Studies and Audits; Moderate Risk Offices and Staff; High Risk Offices or Staff; Problem Employees or Watch List; HUB IT Program Staff.]
[Diagram labels: User; User Activity Monitoring (UAM); Analyst Workbench; Analytic HUB (Private Enclave); Analyst.]
Baseline
• What is your “normal”?
[Chart: Foreign Travel. Legend: Base Travel, 2014, 2015.]
Implementation
• Have a written Policy
  • And Implementing Guide
• Engage the C Suite
  • Educate and Inform
• Internal Communication on the Program
  • ICN
  • Web
• Be Transparent
• Train, Train, and Train staff
• Set Reasonable Goals when beginning
• Document and Record your internal activities
• Stay Current with your organization
Turning on the Switch……
Case Studies
Resources
• FBI
  • http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
• CERT
  • https://www.cert.org/insider-threat/
• NCIX
  • www.ncix.gov/issues/ithreat/
• DSS
  • http://www.dss.mil/documents/ci/Insider-Threats.pdf
My Contact Information
Neil C. Carmichael, Jr.
Program Manager
Insider Threat Program
National Archives and Records Administration
301-837-3169 (office)
301-502-3704 (bb)
Member NCMS Chesapeake Bay Chapter