Michael C. Theis Workplace Violence and IT Sabotage: Two Sides of the Same Coin? - PowerPoint Presentation

Uploaded On 2019-11-18


Presentation Transcript

Workplace Violence and IT Sabotage: Two Sides of the Same Coin?
HUM-W02F
Michael C. Theis, Assistant Director for Research, CERT Insider Threat Center, Software Engineering Institute, Carnegie Mellon University

Notices Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. DM-0004065

What is the CERT Insider Threat Center?
- Center for insider threat expertise
- Began working in this area in 2001 with the U.S. Secret Service
- Our Mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider threats.

Identify and Analyze Observable Artifacts

Project's Research Objective & Approach
- Objective: Determine if coherent, integrated, and validated indicators for Insider Workplace Violence (WPV) and Insider Cyber Sabotage (ICS) can be identified.
- Reason: If there are common indicators, organizations may be able to develop socio-technical controls that prevent, detect, and help respond to both threats without identifying which crime will eventually be committed.
- Approach: Collect, code, and analyze cases of WPV and compare them to cases of ICS in the CERT Insider Threat Center's corpus.

WPV & ICS Incident Pathway (CERT, 2006)
Stages of the pathway, each with one ICS example and one WPV example (color-keyed WPV / ICS on the original slide):
- Personal Predispositions: ICS - hacker; WPV - resolving conflict by physical means
- Stressors: ICS - lack of resources to do job well; WPV - perceived harassment by coworkers
- Concerning Behaviors: ICS - visiting internet underground; WPV - verbal threats to cause physical harm
- Problematic Organizational Responses: ICS - demotion without changing access; WPV - loss/suspension of rights and privileges
- Hostile Act: ICS - execution of malicious code; WPV - active shooter

Hypothesis: Common Path Before Divergence

Multiple Approaches for Coding and Analysis
- Measurement of Cyber and Physical Aggression: five-point scale vs. seven-point scale
- Used operational definitions from Buss & Parrot as foundation
- Coding of concerning behaviors by time periods
- Coding of observable stressors: originally categorized as either personal or professional; refined into six categories: Personal, Relationship, Financial, Mental Health, Work, and Work Relationships

Aggregation of Stressors

Stressors by ICS & WPV

Distinguishing the WPV and ICS Pathways

Next Steps for CERT
- Produce a causal loop diagram for workplace violence
- Compare the models for overlap
- Develop candidate controls that can apply to both WPV & ICS
- Develop training for the new controls
- Identify effective data points and the data sources for accurately measuring work stressors and work relationship stressors
- Update the mitigation best practices (future version of CERT's Common Sense Guide to Mitigating Insider Threats)

ICS Causal Loop Diagram

CERT Common Sense Guide to Mitigating Insider Threats, Edition 5 (http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=484738)
1 - Know and protect your critical assets.
2 - Develop a formalized insider threat program. *
3 - Clearly document and consistently enforce policies and controls.
4 - Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. *
5 - Anticipate and manage negative issues in the work environment. *
6 - Consider threats from insiders and business partners in enterprise-wide risk assessments.
7 - Be especially vigilant regarding social media.
8 - Structure management and tasks to minimize unintentional insider stress and mistakes.
9 - Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. *
10 - Implement strict password and account management policies and practices.
11 - Institute stringent access controls and monitoring policies on privileged users.
12 - Deploy solutions for monitoring employee actions and correlating information from multiple data sources. *
13 - Monitor and control remote access from all endpoints, including mobile devices.
14 - Establish a baseline of normal behavior for both networks and employees. *
15 - Enforce separation of duties and least privilege.
16 - Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
17 - Institutionalize system change controls.
18 - Implement secure backup and recovery processes.
19 - Close the doors to unauthorized data exfiltration.
20 - Develop a comprehensive employee termination procedure. *
* Best practices from edition 5 that can be equally applied to ICS and WPV

Quick Wins and High Impacts
30 Day Goals:
- Establish a formalized Insider Threat Program
- Look for the common predispositions during the hiring process
- Incorporate insider threat awareness into periodic security training
60 Day Goals:
- Identify data sources that can reveal workplace stress and work relationship stress
- Establish a baseline of normal behavior for both networks and employees
Long Term:
- Deploy solutions for monitoring employee actions and correlating information from multiple data sources
- Begin collection and analysis of workplace stress indicators and work relationship stress indicators, and then develop stress reduction strategies

The Three Pillars of a Robust Strategy Accurately Trust Right-Size Permissions Effective Monitoring

Point of Contact
Michael C. Theis, Assistant Director for Research, CERT Insider Threat Center
mctheis@cert.org
Software Engineering Institute (an FFRDC), Carnegie Mellon University
4500 Fifth Avenue, Pittsburgh, PA 15213-3890
http://www.cert.org/insider-threat/

Backup Slides

A Cyber-Physical Scale for Assessing Observables* * Note: combined cyber-physical observables may be broken down into their constituent components for measurement. See the Reality- Virtuality Continuum for a loosely related construct applied to virtual reality technologies. https://en.wikipedia.org/wiki/Reality%E2%80%93virtuality_continuum

Operational Definitions (from Buss and Parrot)
- Aggression - intentional behaviors that can cause significant harm to a victim (person or organization) who wishes to avoid the act. (Note: the definition excludes desired harm (sadomasochism, going to the dentist) and unintentional harm (stepping on a foot).)
- Direct Aggression - person-to-person interactions (but not necessarily face-to-face) in which the perpetrator is easily identifiable by the victim (e.g., Active: shooting, emailing a threat; Passive: intentionally not writing a letter of recommendation and harming the victim's application for a new job).
- Indirect Aggression - circuitous interactions in which the perpetrator may remain unidentified, possibly to avoid accusation, direct confrontation, and/or counterattack by the victim (e.g., Active: (anonymously) spreading false rumors; Passive (rare): (anonymously) not coming to the defense of someone being criticized).
- Active Aggression - an act of commission by the perpetrator, which involves active engagement in harming the victim (e.g., Direct: shooting; Indirect: (anonymously) spreading harmful rumors).
- Passive Aggression - an act of omission by the perpetrator, which involves a lack of active responding that causes harm to the victim (e.g., Direct: intentionally not writing a letter of recommendation and harming the victim's application for a new job; Indirect (rare): (anonymously) not coming to the defense of someone being criticized).
- Physical - intentional acts involving personal or interpersonal interaction that do not involve cyber.
- Cyber - intentional acts involving interaction with computers, computer networks, or electronic media.

Hasan, Fort Hood - 2009: Concerning Behaviors
Columns are positions on the 7-point scale: Direct-Active Cyber Aggression (-3), Indirect Active Cyber Aggression (-2), Passive Cyber, Indirect or Direct (-1), Passive Physical, Indirect or Direct (+1), Indirect Active Physical Aggression (+2), Direct Active Physical Aggression (+3). The Center of Scale (0) column carries no counts. The last column is the number of non-zero concerning behaviors coded for that period (sub-period or major period).

Major Period        | -3 | -2 | -1 | +1 | +2 | +3 | Non-zero
'92-97              |  0 |  0 |  0 |  1 |  2 |  0 |  3
'98-03              |  0 |  0 |  0 |  0 |  1 |  0 |  1
'04-09              |  2 |  3 |  0 |  1 |  5 |  3 | 14

Sub-Periods of Last Major Period
'04-05              |  0 |  0 |  0 |  0 |  2 |  0 |  2
'06-07              |  0 |  0 |  0 |  0 |  2 |  0 |  2
'08-09              |  2 |  3 |  0 |  1 |  1 |  3 | 10

Major Period Totals |  2 |  3 |  0 |  2 |  8 |  3 | 18

Alexis, WNY - 2013: Concerning Behaviors
Same column layout as the Hasan table: scale positions -3 (Direct-Active Cyber) through +3 (Direct Active Physical), with the Center of Scale (0) column unused, followed by the non-zero concerning behavior count for the period.

Major Period        | -3 | -2 | -1 | +1 | +2 | +3 | Non-zero
3/04-3/07           |  0 |  0 |  0 |  1 |  0 |  2 |  3
4/07-12/10          |  0 |  0 |  2 |  1 |  0 |  1 |  4
1/11-9/13           |  0 |  0 |  0 |  1 |  3 |  0 |  4

Sub-Periods of Last Major Period
2011                |  0 |  0 |  0 |  0 |  0 |  0 |  0
2012                |  0 |  0 |  0 |  0 |  0 |  0 |  0
2013                |  0 |  0 |  0 |  1 |  3 |  0 |  4

Major Period Totals |  0 |  0 |  2 |  3 |  3 |  3 | 11
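The two case tables above are produced by coding each concerning behavior on the cyber-physical scale and then counting behaviors per scale position, per sub-period, and rolled up into the major period. The following Python is an added example, not code from the slides or from the CERT Insider Threat Center: it encodes the scale positions exactly as the backup slide defines them (negative for cyber, positive for physical, magnitude growing from passive through indirect-active to direct-active), counts a constructed list of coded behaviors for a hypothetical subject, and emits rows in the same column order as the tables. The behavior list, the sub-period labels Y1 to Y3, and the function names are assumptions of this example, not data from any real case.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Scale positions from the slide's 7-point cyber-physical scale: negative
# values are cyber aggression, positive values are physical aggression, and
# magnitude grows from passive (1) through indirect-active (2) to
# direct-active (3). The center of scale (0) is never assigned to a behavior.
SCALE = {
    ("cyber", "active", "direct"): -3,
    ("cyber", "active", "indirect"): -2,
    ("cyber", "passive", "direct"): -1,
    ("cyber", "passive", "indirect"): -1,
    ("physical", "passive", "direct"): 1,
    ("physical", "passive", "indirect"): 1,
    ("physical", "active", "indirect"): 2,
    ("physical", "active", "direct"): 3,
}
COLUMNS = (-3, -2, -1, 1, 2, 3)  # column order used in the slide tables


@dataclass(frozen=True)
class CodedBehavior:
    """One concerning behavior, coded on the Buss & Parrot dimensions."""
    sub_period: str   # e.g. "Y3"; sub-periods roll up into one major period
    domain: str       # "cyber" or "physical"
    mode: str         # "active" (commission) or "passive" (omission)
    directness: str   # "direct" or "indirect"


def scale_value(b: CodedBehavior) -> int:
    """Map a coded behavior to its scale position, rejecting unknown codings."""
    key = (b.domain, b.mode, b.directness)
    if key not in SCALE:
        raise ValueError(f"not a valid cyber-physical coding: {key}")
    return SCALE[key]


def histogram(behaviors: Iterable[CodedBehavior],
              sub_period: Optional[str] = None) -> Counter:
    """Count behaviors per scale position; restrict to one sub-period if given."""
    return Counter(scale_value(b) for b in behaviors
                   if sub_period is None or b.sub_period == sub_period)


def to_row(hist: Counter) -> tuple:
    """Render a histogram in the slide's column order (-3, -2, -1, +1, +2, +3)."""
    return tuple(hist.get(c, 0) for c in COLUMNS)


def nonzero_total(hist: Counter) -> int:
    """The 'Concerning Behaviors (non-zero)' column: every coded behavior."""
    return sum(hist.values())


def split_counts(hist: Counter) -> tuple:
    """(cyber, physical) totals, the two axes of the slide's results plot."""
    cyber = sum(n for pos, n in hist.items() if pos < 0)
    physical = sum(n for pos, n in hist.items() if pos > 0)
    return cyber, physical


def period_table(behaviors, sub_periods) -> dict:
    """Rows like the slide tables: one per sub-period plus a major-period total."""
    rows = {}
    for sp in sub_periods:
        h = histogram(behaviors, sp)
        rows[sp] = to_row(h) + (nonzero_total(h),)
    total = histogram(behaviors)
    rows["Major Period Totals"] = to_row(total) + (nonzero_total(total),)
    return rows


# Constructed sample for a hypothetical subject (not data from any real case):
# three sub-periods Y1..Y3 that together form one major period.
SAMPLE = [
    CodedBehavior("Y1", "physical", "active", "indirect"),   # +2
    CodedBehavior("Y2", "physical", "passive", "direct"),    # +1
    CodedBehavior("Y2", "physical", "active", "indirect"),   # +2
    CodedBehavior("Y3", "cyber", "active", "direct"),        # -3
    CodedBehavior("Y3", "cyber", "active", "indirect"),      # -2
    CodedBehavior("Y3", "cyber", "active", "indirect"),      # -2
    CodedBehavior("Y3", "physical", "active", "direct"),     # +3
]

if __name__ == "__main__":
    for label, row in period_table(SAMPLE, ("Y1", "Y2", "Y3")).items():
        print(f"{label:20s}", *row)
```

Because each row is a plain count per scale position, the major-period row is the column-wise sum of its sub-period rows, which is the consistency check to apply when a hand-coded table such as the ones above is entered: in the Hasan table, '04-05, '06-07 and '08-09 sum to the '04-09 row. The cyber/physical split from `split_counts` is what the 7-point scale results chart plots for each case.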

7-Point Scale Analysis of Results
[Chart: Physical Aggression vs. Cyber Aggression, axes 0 to 30, plotting the WPV cases Hasan, Alexis, Wells, and Lopez and the ICS cases ICS1 through ICS5; key distinguishes WPV from ICS.]