Common Sense Guide to Prevention and Detection of Insider Threats - CERT (88 pages)
This report is written for a diverse audience, outlining practices that should be implemented by
organizations to prevent insider threats. Each practice is described briefly in terms of why it should
be implemented and one or more case studies illustrate what could happen if it is not implemented, and
how the practice could have prevented an attack or facilitated early detection.
Insider Risk Management Guide
- Gideon T. Rasmussen
The threat posed by authorized personnel is well documented by research and court cases. According to ACFE,
U.S. organizations lose an estimated $652 billion to fraud annually. Unfortunately, insider threat is not
limited to fraud. There is also sabotage, negligence, human error and exploitation by outsiders to consider.
If you have not taken a hard look at insider threat controls in your organization, now is the time.
DoD Insider Threat Mitigation (67 pages)
This report provides an explicit set of recommendations for action to mitigate the insider threat to DoD
information systems. The report results from the actions of an Insider Threat Integrated Process Team
(IPT). The Team's charter was "to foster the effective development of interdependent technical and
procedural safeguards" to reduce malicious behavior by insiders.
ISACA Segregation of Duties Matrix
The segregation of duties control matrix is not an industry standard, but a guideline indicating
which positions should be separated and which require compensating controls when combined. The
matrix is illustrative of potential segregation of duties issues and should not be viewed or used
as an absolute; rather, it should be used to help identify potential conflicts so proper questions
may be asked to identify compensating controls.
The Insider Threat to U.S. Government Information Systems - NSTISSC (47 pages)
This NSTISSAM focuses on the insider and the potential damage that such an individual could cause when
targeting today's IS. It points out the various weaknesses (vulnerabilities) in today's IS an insider
might exploit and highlights approaches to solving these problems. In taking corrective action, it is
necessary to consider technical and procedural steps in deterring the insider. Finally, we propose, in
priority order, recommendations that mitigate the threat posed by the insider. Our approach is not to
provide an exhaustive list, but rather offer recommendations that could have the greatest immediate
return against this serious threat.
Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors - CERT & U.S. Secret Service (45 pages)
Research for this report found that the majority of the insiders who committed acts of sabotage were
former employees who had held technical positions with the targeted organizations. As a result of
their involvement in the incidents reviewed for this study, almost all of the insiders were charged
with criminal offenses. The majority of these charges were based on violations of federal law.
Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector - CERT & U.S. Secret Service (25 pages)
This report reviewed 23 incidents of insider threat in the banking and finance sector. It examines
insider incidents across critical infrastructure sectors in which the insider's primary goal was to
sabotage some aspect of the organization (for example, business operations, information/data files,
system/network, and/or reputation) or direct specific harm toward an individual.
System Dynamics Maps of the Insider Cyber-threat Problem - CERT (36 pages)
This paper discusses the preliminary system dynamic maps of the insider cyber-threat.
Trustworthy Refinement Through Intrusion-Aware Design (TRIAD) - CERT (97 pages)
This report proposes an intrusion-aware design model called trustworthy refinement through intrusion-aware
design (TRIAD). TRIAD helps information system decision-makers formulate and maintain a coherent,
justifiable, and affordable survivability strategy that addresses mission-compromising threats for
their organization. The goals of a survivability strategy are to provide a documented response to the
primary threats to the mission; to provide a justification for and the limitations of the system design;
to support the design and implementation of the desired system behavior across multiple systems and
multiple development teams; and to support maintenance and evolution as the system operations and threat
environment evolve over time.
Research on Mitigating the Insider Threat to Information Systems - Rand (126 pages)
This report details R&D initiatives to mitigate and thwart the insider threat to critical U.S. defense and
infrastructure information systems. The three main focus areas were long-term (2-5 year) research
challenges and goals toward mitigating the insider threat; developing insider threat models; and
developing near-term solutions using commercial off-the-shelf (COTS) and government off-the-shelf (GOTS)
products. The long-term research recommendations stressed the need to develop an underlying system
architecture designed explicitly with security and survivability in mind (unlike essentially all operating
systems and network architectures in use today). Other topics included R&D needed on differential access
controls, means of recording and saving the provenance of a digital document, and dealing with the
increasing use of mobile code (e.g., in the form of applets, viruses, worms, or macros) in complex
information systems. The report also contains a number of recommendations regarding the purposes and
design of models of insider behavior, and near-term recommendations for helping to prevent, discover,
and mitigate the threat of insider misuse of information systems.
Insider Threat - Rand (137 pages)
The format of this document included four groups: (1) Intelligence Community (IC) System Models, (2)
Vulnerabilities and Exploits, (3) Attacker Models and (4) Event Characterization. It brought together
members of the IC with specific knowledge of IC document management systems and IC business practices;
persons with knowledge of insider attackers, both within and outside the IC; and researchers involved
in developing technology to counter insider threats.
A Target-Centric Formal Model For Insider Threat and More - University at Buffalo (17 pages)
In this paper, we propose a target-centric modeling methodology motivated by the fact that insiders
typically pursue lucrative targets to cause damage or gain leverage. It is based on a higher level
description of an organization's infrastructure and less detail-intensive as compared to the attack
Analysis and Detection of Malicious Insiders - MITRE (6 pages)
This paper summarizes a collaborative, six month ARDA NRRC challenge workshop to characterize and create
analysis methods to counter sophisticated malicious insiders in the United States Intelligence
Community. Based upon a careful study of past and projected cases, we report a generic model of
malicious insider behaviors, distinguishing motives, (cyber and physical) actions, and associated
Insider Threat Group - Yahoo
The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed
by authorized personnel. Those interested in learning more about insider threat will benefit from
the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic.