
Running head: MINIMIZING INSIDER THREATS

Minimizing Insider Threats
Cues from Edward Snowden
Kevin Lindbeck
MSA 585 Emergency, Disaster, & Contingency Planning
December 16, 2013
Dr. Paul Baker
Southwestern College Professional Studies

Abstract

Recent revelations concerning the amount of data being collected on Americans, and the methods the National Security Agency (NSA) employed to harvest that colossal amount of data, touched off a firestorm of criticism from both opponents and proponents of national security. A short time later, the names and purposes of several highly classified NSA programs such as PRISM, XKeyscore, Tempora and Bullrun were also released to the public, only fanning the flames of public opinion higher. The leaked information did not come from some foreign spy or double agent like in the movies; it came from a 30-year-old American kid who had worked for several American government agencies in a short seven years. Edward Snowden was a self-proclaimed computer wizard who was hired by the Central Intelligence Agency to maintain computer network security in Switzerland, then left to work for Dell, which had an NSA contract in Japan. He eventually left Dell for a job with Booz Allen Hamilton in Hawaii, where he started his unauthorized downloading of Top Secret NSA documents. Over the next year, Snowden would download an estimated 1.7 million highly classified and highly sensitive NSA documents for the sole purpose of exposing the NSA's duplicity concerning the collection of data on Americans within the United States. Why was the NSA not aware of his nefarious actions earlier? Were there signs that something was not right at the NSA? How was a single person allowed so much unfettered access to a vast array of highly classified programs? This paper will examine ways a private sector company can protect itself from the other Edward Snowdens of the world.

Introduction

Edward Snowden's release of top secret National Security Agency (NSA) documents to the world has prompted renewed effort and emphasis on security management, security awareness, security protection and security training. Were there not measures already in place that would have eliminated, or at least alerted someone to, a possible impending security breach? Were audit trails not actively collected, reviewed and reported to the necessary authorities to stave off such a colossal violation? Were policies and procedures in place, were they followed as directed, and what was the policy for violating those policies and procedures? Who is being held accountable for such a catastrophe, and what did they know about this individual prior to his hiring and prior to his most recent assignment? It will take years to get any of these questions answered, if their answers are even releasable to the public. What will be the lessons learned from this tragic episode of reality? We, as a society and a nation, still do not know what the ramifications of such revelations will be for our enemies, allies and potential future allies. Information concerning the methods employed by the NSA, how it circumvented laws, bent other laws, withheld information or intent from the Foreign Intelligence Surveillance Act (FISA) courts and outright lied to Congress and the American public, is still being made public on an almost daily basis, with no end in sight. The latest guesstimates hint that Snowden had acquired about 1.7 million documents from the NSA, of which he has only released between 50,000 and 200,000 documents, according to NSA chief General Keith Alexander in an October interview (The Christian Science Monitor, 2013).

While many think of Edward Snowden as a patriot for releasing the documents to bear witness to the American public and the world about how our government truly operates, there are just as many who oppose what Snowden has done and label him a traitor, likening his acts to those of Benedict Arnold during the American Revolution. Whatever side of the fence one is on, no one can say that Edward Snowden is stupid by any means. He was able to dupe NSA personnel into divulging their passwords in order to gain access to sensitive programs he had not been read into or did not have a need to know. Snowden was also able to surreptitiously copy 1.7 million top-secret documents onto an encrypted device to take the documents out of the Sensitive Compartmented Information Facility (SCIF) where he worked for the NSA, after which he uploaded his cache to a secured email service. Edward Snowden has publicly stated that he has what is called a dead man's switch, which means that if anything were to happen to him the remaining 1.5 million documents would be automatically released to the general public. Snowden can be called many things; stupid is not one of them.

How, in this ever expanding digital age, do governments and the private sector protect themselves from future Edward Snowdens? Mitigating and eliminating future breaches can be achieved, but it takes smart policies and procedures, system and network surveillance and never-ending vigilance; these are just a few of the steps that will aid in reducing the chances of a rogue employee selling out his or her employer. The following steps are meant with the private sector in mind, but most could also be used by local, state and federal government agencies.

Smart Policies and Procedures

The first step to mitigating and eliminating future breaches is to have smart and effective policies and procedures in place. These policies and procedures dictate what is acceptable and what is not acceptable in the workplace, from entering the facility to logging on to company computers, from how documents are saved and stored to the separation of different programs. By thoroughly defining a company's policies and procedures, little wiggle room is left for non-compliant employees to claim ignorance, and a stronger message is sent to all employees concerning what is and what is not tolerated (Lim, 2005).

Policies and procedures need to be static for the most part rather than dynamic, as a continuously changing policy or procedure would simply confuse everyone who fell under it. Dynamic policies and procedures can also set personnel up for failure and frustration, as they could be following different parts of previous policies and procedures due to misperceptions and mix-ups. While policies and procedures should be reviewed periodically and revised when needed, revision should not be something that happens routinely. Designated individuals charged with reviewing and revising policy documents follow designated procedures for doing so, including placing the effective date visibly on the document. New or revised policies should be circulated organization-wide and be easily accessible to all who fall under them. Accurate employee documentation also needs to be addressed, as this is the company's evidence that its employees have been adequately apprised of the company's policies and procedures. This would also include the consequences the employee can expect for failing to adhere to such policies and procedures, such as warnings, admonishments, disciplinary actions and/or termination. When consequences are spelled out to employees, they are more apt to follow the rules given to them. At the same time, when a violation of a policy or procedure does happen, the appropriate response needs to be delivered quickly, thoroughly and consistently. Inconsistency sets bad policy, confuses employees and managers, and can lead to animosity between co-workers and leadership. When termination is warranted because of gross or habitual violations, the remaining employees need to know and understand why their co-worker no longer works for the company.

This can be done by having the department manager informally gather their workforce and explain what happened, how it was handled and why termination was warranted, and finally once again reinforce the company's policies and procedures to the workforce. Do not give out personal information or critical details, just enough information for the workforce to get the picture of what happened, especially in case there is an ongoing investigation because of the employee's actions.

Scrutinize Employees through Employment Screenings and Background Investigations

For an employer to truly know what they are getting by way of an applicant, they must judiciously scrutinize what the possible future employee has put to paper. Doing so ensures the employer is getting exactly what they are looking for and not someone who merely knows how to write a catchy resume or someone who has falsified their application. While local, state and federal laws control some of the background process, there are several avenues an employer can choose to verify that the applicant is not only who they say they are, but also has done everything that is on their application. Applicants with shady backgrounds are possible liabilities and/or can become litigation down the road, so the employer needs to make sure they have exhausted every means possible with these types of applicants, or not consider the applicant at all. Some of the avenues that employers have at their disposal are:

Federal Fair Credit Reporting Act: This enables employers to use third-party entities such as investigators and law firms to investigate potential employees without the need to notify them.

Employee Polygraph Protection Act: This opportunity is for companies that deal with government employees, security firms and drug companies; otherwise the law prohibits the use of the polygraph for pre-employment screening.

Criminal Arrest and Conviction Records: While there are certain regulations and laws that must be adhered to when utilizing arrest and conviction records, they can be used to determine employment when several requirements are met.

Employment Physical and Substance Abuse Screening: While there are a myriad of different laws and statutes that regulate how an employer can use this avenue, it is a useful tool to choose, especially when substance abuse can gravely affect not only the applicant but other employees, equipment and/or resources.

Some of the avenues that employers have at their disposal in the area of public records are:

Criminal Courts: These can provide a priceless source of information, from minor infractions to major felonies; these records are public and available to anyone.

Civil Courts: These records are separated by plaintiff and defendant; they include civil actions the applicant has been a party to, and any judgments, notices of default and unlawful detainers will be discovered.

Department of Motor Vehicles: This is a great avenue to discover substance abuse, as all convictions for driving under the influence are recorded here.

Secretary of State: This is where corporations and other legal entities such as LLCs and PLCs are registered. These records list the names of all officers and directors of said entities, which is especially useful for an applicant who is a corporate officer or suspected of being one. Licensing boards are available at the state level for doctors, nurses, contractors, teachers, hairstylists and private investigators.

Federal Bankruptcy Court: All bankruptcies are handled in federal court and contain valuable information about how someone handles their financial affairs.

While this is not a complete listing of places an employer can look to find or even verify information on a future employee, it is a starting point. I believe this to be a salient point because in this day and age of uncertainty, especially with a huge pool of educated and unemployed people to choose from, employers need to be more and more pernickety when it comes to selecting new employees (Springer, 2003). There is no law that says employers must hire people with criminal records, so why would an employer even entertain the possibility of hiring anyone convicted of a crime, no matter how small or big? Another avenue an employer can pursue is the applicant's Facebook page, as this can be a treasure trove of information right at the employer's fingertips! Does the applicant engage in work gossip on their Facebook page or speak ill or poorly of their employer and/or co-workers? Do they post pictures of their weekend binge drinking adventures? Do not expect anything productive from them on Mondays.

Eliminate the Bring-Your-Own-Device Mentality

Computer crime investigations are both expensive to pursue and costly in monetary losses, especially when compared against the same crime committed without computers. In fact, according to Ferraro (2010), the cost of embezzlement perpetrated by computer is 25-fold that of embezzlement perpetrated manually. We, as a population and as businesses, are highly reliant upon computers for almost all of our needs, from everyday communications to financial transactions, from production to quality control. Computers are present everywhere, and we must keep reminding ourselves that while they make our everyday lives easier, they can also be the bane of our existence, as identity theft, malware, viruses and Trojan horses are constantly on the rise. There are a plethora of ways, means and frauds by which to execute computer crimes against everyday cyber-citizens and businesses; email hoaxes, spear phishing scams, spam, copyright infringement, malware, denial of service attacks and cyber stalking are but a few. Spear phishing is a way of ascertaining personal information through nefarious activities such as posing as an individual's bank and attempting to verify personal information connected with their bank account. Once perpetrators have gathered enough personal data from a potential victim, they make their move to attempt to drain the victim's financial assets. Malware can perform a similar act by working in the background of a computer, collecting logins and passwords for the different websites an individual visits, which can include financial institutions. Malware can also perform functions such as turning unsuspecting computers into zombie computers in botnets that can perform denial of service attacks or be used for other illegal activities. Hackers use Trojan horses and viruses to spread malware and the like to millions of unsuspecting individuals, all for their personal greed and enjoyment.

Viruses, worms, and Trojan horses, oh my! These cyber villains are becoming more and more sophisticated as hackers attempt to refine their skills and methods in their relentless pursuit of not only financial gain but also greater notoriety among their peers. While we hear about most of these criminals being teenagers from countries like Romania, Russia, Hungary, China and Iran, some countries themselves have entered into the realm of cybercriminal activity. China is constantly attempting to breach vital infrastructures within the US via cyber means on a daily basis. In fact, a report written by Northrop Grumman and released last year said, "The U.S. telecommunications supply chain is particularly vulnerable to cyber-tampering and an attack could result in a 'catastrophic failure' of U.S. critical infrastructure" (Gorman, 2012). The same report also stated that if a conflict between the US and China happened, the Chinese would most certainly mount a cyber-attack against the US, and America's response would be uncertain due to the absence of a policy that states the appropriate response to any cyber-attack. China's cyber warfare seems to be state-sponsored and relentless in its pursuit of American technology and intellectual property.

Computer crime investigation is usually triggered by one of the following three events: 1) discovering data have been lost, stolen or corrupted, 2) employee, customer and/or vendor complaints, or 3) accounting, banking or business processing irregularities suggesting a computer crime or the use of computers to commit the crime (Ferraro, 2012, p. 425). Nevertheless, the impact can be disturbing and befuddling, and the first reaction to surface will most likely be an alarmed response to the situation. Clearer heads must prevail in instances where this happens, as determining how it happened is at the forefront of the situation, along with mitigating and/or eliminating the risk of it happening again. This is where the computer crime investigation is necessary to answer these crucial questions. Upon these discoveries, one must take care to ensure evidence is not lost, compromised or corrupted.

One way to mitigate and potentially eliminate these types of incidents is to eliminate the use of personal devices within your business, including the use of cellular and smart phones. Allowing personal devices to be plugged into corporate computers and infrastructure is asking for viruses, malware, stolen data or, worse, bringing down the entire infrastructure: from flash drives to external drives, from iPods and other MP3 players, to the seemingly non-intrusive plugging in of a cell phone or other device for the mere purpose of charging it. Juniper Networks surveyed more than 4,000 mobile-device users and professionals and found that 41% who use their own device for work do so without permission from the company (Rose, 2012). This can be accomplished via company policy and procedures. Designate that all cell and smart phone devices cannot be taken past the lobby by anyone, including management and leadership. This accomplishes two things at one time: first, it eliminates a potential avenue for stealing and storing data, and second, it eliminates the additional wasted man-hours from employees texting and performing personal actions on company time. Another avenue to shore up possible data leaks and viruses is to disable all USB ports on computers connected to the network and/or intranet. This can potentially hinder even the most surreptitious individual from attempting to download unauthorized data from the network or intranet. Limiting Virtual Private Network (VPN) activity is another way to reduce data theft within a company. VPN access should only be for those whose primary duties for the company involve traveling on behalf of the company or performing their duties away from the company more than fifty percent of the time. Their access should be limited to only that which they need to perform their duties. Any additional access should require authorization from the manager of that data, who can make the determination whether access can be granted. Again, this can be accomplished via company policy and procedures, but it must also be monitored through active system and network surveillance, which will be discussed in detail later in this paper.

Document Access Policies

In today's modern and high-tech world, a company's most important resource is often its intellectual property, and a company's success or failure can depend on the protection of its proprietary materials (DuBoff, 2003). All too often companies offer their employees unnecessarily privileged access to sensitive documents and data, and of course with greater access comes greater risk. This is where enforcing a need-to-know policy, in which employees are limited to the least number of documents required to satisfactorily do their job, can result in a great reduction in the risk of an insider breach. Determine which documents are in the most need of safeguarding, then limit access to them. All sensitive documents should be password protected at the very least.

This is where managers need to play an active role in determining who needs access, how much access and when access is no longer needed. This means limiting access to data that is read only, which cannot be altered or modified except by those who have been granted authority to do so. Data that is financial, budgetary, trade secret or proprietary in nature should always be restricted, password protected and heavily guarded. Control printing and actively enforce a machine limit; this kind of policy is imperative in preventing an internal data breach. Once employees are limited to the minimal number of documents required to do their job, enforce a need-to-print policy. Printing sensitive documents opens a business up to a world of vulnerabilities; if the printer does not also print the employee's unique identification number on all of the pages being printed, then unauthorized copies cannot be traced back to the employee who printed the documents. By applying watermarks, the company can ensure the traceability of sensitive documents by stamping key metadata, such as the username, date, time and location of printing, onto any printed copies. Restrict printer access to the employee's work center only; there is no need for unfettered access to all printers.

Trusting Employees with Too Much

All businesses want their employees to be as productive as possible, which is why the term multitasking came about: someone apt at juggling several tasks at one time. Does a company really want one or two people with the keys to the kingdom? I think not. Most employees are people pleasers by nature; they want to show those in management and authority that they are not only a good employee, but a valuable one at that. When this trait is displayed, management slowly gives them more and more responsibility to help and shape the individual for potential growth within the company or up the corporate ladder. As time goes by, the employee gains greater knowledge, responsibility and access to company files, departments and different programs.

Although this shows the individual has demonstrated the traits of a valuable and trusted employee for the company, it also highlights the enormous access one individual has across a potentially huge spectrum. Access control is concerned with determining the permissible activities of authenticated users, mediating every attempt by a user to access a resource in the system. Separation of duties is a safety mechanism whose theory is that no user should be given enough privileges to misuse the system. For example, the person authorizing a paycheck should not also be the one who can prepare it (Hu, 2006). Separation of duties can be prescribed either statically, by defining conflicting roles, or dynamically, by prescribing the control at access time. There are various types of separation of duties; an important one is history-based separation of duties, which regulates, for example, that the same subject (role) cannot access the same object more than a certain number of times (Hu, 2006). Enforcing a two-person rule for access to highly sensitive documents can further thwart rogue employees. The two-person rule specifies that 1) there must be two individuals who need to act in concert in order to perform some action, and 2) each individual should have comparable knowledge and skill in order to detect attempts at subversion initiated by the other (Oracle, 2005). This rule could also be applied to system administrators, as they have all of the keys to the kingdom by merely assuming superuser on the system. Most companies have more than one system administrator, so this can be a practical option, but the company needs to make that determination. Of course, before handing over the keys to the kingdom, a thorough background check should always be accomplished.

Hiring a Hacker

In today's global economic situation, business enterprises are heavily dependent on the Internet and Information Technology to showcase their expertise, products, and solutions.
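Before the discussion moves on, the access-control rules laid out in the preceding two sections (need-to-know document access, read-only data, static separation of duties through conflicting roles, history-based separation of duties, and the two-person rule) are worked through below as a small policy engine. This is an added example, not code from the paper or from any of the sources it cites; the roles, users, documents and the access limit are all constructed for the illustration.

```python
"""Added example (not from the paper): a minimal access-control policy
engine that enforces need-to-know document access, read-only data,
static separation of duties (conflicting roles), history-based
separation of duties (an access limit per subject and object) and the
two-person rule for highly sensitive documents.  All roles, users,
documents and limits below are constructed for the illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    # role -> document -> operations that role may perform (need-to-know)
    role_perms: dict
    # role pairs that no single person may hold (static separation of duties)
    conflicting_roles: set
    # accesses allowed per (user, document) before further access is refused
    history_limit: int
    # documents that require two individuals acting in concert
    two_person_docs: set
    user_roles: dict = field(default_factory=dict)
    access_count: dict = field(default_factory=lambda: defaultdict(int))

    def assign_role(self, user, role):
        """Refuse to give one person both halves of a conflicting role pair."""
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in self.conflicting_roles:
                raise PermissionError(f"{user}: {role} conflicts with {held}")
        self.user_roles.setdefault(user, set()).add(role)

    def permitted_ops(self, user, doc):
        """Union of the operations every role held by the user grants on doc."""
        ops = set()
        for role in self.user_roles.get(user, set()):
            ops |= self.role_perms.get(role, {}).get(doc, set())
        return ops

    def check(self, user, doc, op, cosigner=None):
        """Decide one access request; returns (allowed, reason)."""
        if op not in self.permitted_ops(user, doc):
            return False, "no need-to-know for this operation"
        if doc in self.two_person_docs:
            if cosigner is None or cosigner == user:
                return False, "two-person rule: a second individual must co-sign"
            if op not in self.permitted_ops(cosigner, doc):
                return False, "two-person rule: co-signer lacks comparable authorization"
        if self.access_count[(user, doc)] >= self.history_limit:
            return False, "history-based separation of duties: access limit reached"
        self.access_count[(user, doc)] += 1
        return True, "granted"


def build_demo_policy():
    """Constructed policy: payroll preparation and approval are conflicting
    roles, analysts have read-only access to the financial report, and the
    trade-secret formula needs two custodians acting together."""
    return AccessPolicy(
        role_perms={
            "payroll_clerk": {"payroll_batch": {"read", "write"}},
            "payroll_approver": {"payroll_batch": {"read", "approve"}},
            "analyst": {"financial_report": {"read"}},
            "custodian": {"formula_x": {"read"}},
        },
        conflicting_roles={frozenset({"payroll_clerk", "payroll_approver"})},
        history_limit=3,
        two_person_docs={"formula_x"},
    )


def run_demo():
    """Exercise each rule once and return the decisions as a dict."""
    p = build_demo_policy()
    results = {}
    p.assign_role("alice", "payroll_clerk")
    try:                                   # static SoD: a clerk may not also approve
        p.assign_role("alice", "payroll_approver")
        results["static_sod_blocked"] = False
    except PermissionError:
        results["static_sod_blocked"] = True
    p.assign_role("bob", "payroll_approver")
    results["clerk_prepares"] = p.check("alice", "payroll_batch", "write")[0]
    results["clerk_approves"] = p.check("alice", "payroll_batch", "approve")[0]
    results["approver_approves"] = p.check("bob", "payroll_batch", "approve")[0]

    p.assign_role("carol", "analyst")      # read-only data
    results["analyst_writes"] = p.check("carol", "financial_report", "write")[0]
    reads = [p.check("carol", "financial_report", "read")[0] for _ in range(4)]
    results["analyst_reads"] = reads       # the fourth read exceeds the history limit

    p.assign_role("dave", "custodian")     # two-person rule
    p.assign_role("erin", "custodian")
    results["solo_custodian"] = p.check("dave", "formula_x", "read")[0]
    results["two_custodians"] = p.check("dave", "formula_x", "read", cosigner="erin")[0]
    results["wrong_cosigner"] = p.check("dave", "formula_x", "read", cosigner="carol")[0]
    return results


if __name__ == "__main__":
    for rule, outcome in run_demo().items():
        print(f"{rule:20} {outcome}")
```

Two design points matter here. The conflicting-role check is applied at assignment time, so the payroll clerk is never in a position to approve, matching the paper's example of the person authorizing a paycheck not also preparing it; and the co-signer must hold comparable authorization on the same document, which is the second half of the two-person rule and is what prevents a custodian from satisfying the rule with any colleague who happens to be nearby.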

Technology is growing by leaps and bounds, which leaves many enterprises in a constant state of upgrading to faster servers that provide a smaller footprint than last year's model. Faster processing times, faster connection speeds, quadruple the connections a second, and more agile and robust software mean more customers can access a business's expertise, products, and solutions. A majority of small and medium businesses feel that Information Security is not a high priority in their business strategy, and therefore it takes a backseat to other priorities (Sangani, 2012). Proactive measures need to be taken before these businesses fail to secure their trade secrets, their financial data and/or their customers' data because they did not understand the technology, their network or their infrastructure. One way to determine whether your company's system and network infrastructure is secured from would-be hackers is actually to do penetration testing against it. Penetration testing allows for the discovery of vulnerabilities, exploits and risks to the company's system and network, and measures your network's ability to withstand an attack from cybercriminals. This type of testing helps to ensure the security of your assets. Not all system administrators (sysads) know how to properly perform penetration testing, and the ones that do may not perform penetration testing on a consistent basis and therefore may not know of new techniques, exploits or software. This is where hiring a hacker makes sense, since hackers are up to date on penetrating networks using the latest and greatest techniques, exploits or software available. Some of the advantages of employing a hacker are that they are out-of-the-box thinkers, forward thinkers, innovative, resourceful, and in touch with the latest trends. Their knowledge of exploiting network vulnerabilities and weaknesses also gives them the knowledge of how to defend against a company's network and system shortcomings.
Businesses can no longer work under the adage of "if it's not broke, don't fix it." Businesses need to operate in a constant proactive state, keeping abreast of the latest trends in both technology and cyber vulnerabilities (Sangani, 2012). Hackers think like hackers and other cybercriminals, so why not leverage their knowledge and expertise for the good of the company by looking for other vulnerabilities and risks that could potentially be exploited by others within the company? An insider is an employee of the company who has established trust with the organization and has been granted access to resources, data or assets. The inside threat can do more damage to a business than a hacker on the outside could possibly do, so it is imperative that this threat be eliminated or at least mitigated. While sysads can do just about everything the hacker can do as far as identifying and protecting the organization's assets, monitoring file sharing over the network, detecting physical access and limiting access to databases, they may not know some of the other tricks of the trade hackers or cybercriminals employ to gain access to an organization's assets. The hired hacker should be sitting side saddle with a competent sysad during the entire time they are on an organization's system. This is a dual-purpose requirement: first, it gives the organization's sysad greater insight into the hacker's world, their knowledge and how they think, and second, it guarantees the hacker does not have unsupervised access to the organization's systems and network and does not attempt to install a backdoor to be used by the hacker at a later time, off site.

Active System and Network Vigilance

Active system and network vigilance allows a business to breathe easier because it knows its sysads are constantly monitoring its assets and resources and doing everything within their power to rectify any situation they discover. Active system monitoring means the organization's sysads are aggressively reading bulletins put out by the makers of the software that resides on the organization's computers, and are actively patching vulnerabilities and eliminating exploits that could leave the organization susceptible to outside threats. A stagnant system is a vulnerable system, and this is what cybercriminals are depending on: a complacent business. Like active system monitoring, network vigilance is the constant monitoring of the business network for latency, broken routers and switches, network congestion and network vulnerabilities. Networking equipment manufacturers also put out new firmware versions for their equipment at any given time. These firmware updates usually address bug fixes, patch vulnerabilities, or present new features or a new interface. Some of the other measures that can be employed to keep both the company's systems and network secure are:

Intrusion Prevention & Intrusion Detection Systems (IPS/IDS): network security appliances that examine network and/or system activities for malicious activity. The main functions of an IPS/IDS are the protection of critical systems or functions and the mitigation of expected types of attacks as well as zero-day threats: identify malicious activity, log information about this activity, attempt to block or stop it, and report it to network administrators.

Security Event Management (SEM/SIEM): a computerized tool used on a network to consolidate logs generated by other software running on the network, so that it accurately detects and mitigates security threats in real time. The tool can be tailored to look for anomalies such as network access after work hours or to track when SuperUser is invoked on the system.

Web Application Firewall (WAF): an appliance that applies a set of rules to an HTTP conversation, such as rules that cover common attacks like Cross-site Scripting and SQL Injection. By customizing the rules to your application, many attacks can be identified and blocked; this is why it is vital that network administrators stay on top of the different types of exploits that are being used to gain illicit access to network systems.

Web Filtering & Proxy Solutions: solutions that protect users from downloading malicious files, control what websites workers can go to, eliminate online blind spots and allow for the monitoring of workers' online activities, thereby leading to greater overall productivity.

Eliminate access to outside email services such as Google Mail, Yahoo and others by forcing employees to use only the company's email for all correspondence. This allows the company to monitor all email and attachments that go in and out of the organization, mitigating corporate theft of company resources such as trade secrets and proprietary information.

Anti-Spam & Anti-Virus software: software that protects against the latest e-mail, web page, and attachment-based security threats, eliminating the needless drain on bandwidth and system resources by removing threats before they hit the network.

Active system and network vigilance has the potential to increase the profit and productivity of any organization. Eliminating avenues that waste resources and revenue guarantees the organization will have an infrastructure that is up and ready when it is needed the most.

Audits

Another opportunity for detecting malicious or surreptitious activity is the computer audit trail, which is something like a computer forensic tool for sysads to use. Audit trails maintain a record of system activity, both by system and application processes and by user activity on systems and applications, and can aid in detecting security violations, performance problems, and potential flaws in applications. To put it another way, an audit is a formal inspection and verification to check whether a Standard or set of Guidelines is being followed, that Records are accurate, or that Efficiency and Effectiveness targets are being met (Suduc, 2010). A computer system may have several audit trails, each dedicated to a specific type of activity.
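The SEM/SIEM anomalies named in the list above (network access after work hours, SuperUser being invoked) and the audit-trail review described in this section come down to the same kind of work: read consolidated records and flag what a user's job does not explain. The routine below is an added example, not code from the paper or any product it mentions; it parses a handful of constructed audit records and reports after-hours activity, privilege use, reads or writes outside the user's area of responsibility, and users who repeatedly hit access denials. The log layout, host and user names, paths, need-to-know table and the office-hours window are all assumptions made for the example.

```python
"""Added example (not from the paper): a small log-review routine of the
kind a SIEM rule set or a periodic audit-trail review would run.  It
parses constructed audit records and flags (1) activity outside working
hours, (2) invocations of superuser or role changes, (3) reads or writes
of data outside the user's area of responsibility, and (4) users who
repeatedly hit access denials.  Log format, hosts, users, paths and the
working-hours window are all assumptions made for the example."""
import re
from collections import Counter
from datetime import datetime, time

# Constructed audit records in a key=value syslog-like layout.
SAMPLE_LOG = """\
2013-12-16T09:05:12 host=fs01 user=alice action=read object=/finance/budget.xlsx result=ok
2013-12-16T09:07:40 host=fs01 user=alice action=read object=/hr/salaries.xlsx result=denied
2013-12-16T09:08:02 host=fs01 user=alice action=read object=/hr/salaries.xlsx result=denied
2013-12-16T23:41:19 host=fs01 user=bob action=login object=- result=ok
2013-12-16T23:42:03 host=fs01 user=bob action=sudo object=/bin/bash result=ok
2013-12-16T23:50:55 host=fs01 user=bob action=read object=/rnd/formula_x.doc result=ok
2013-12-16T14:12:00 host=db01 user=carol action=role_change object=dba result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+) result=(?P<result>\S+)$"
)
WORK_START, WORK_END = time(7, 0), time(19, 0)        # assumed office hours
PRIVILEGE_ACTIONS = {"sudo", "su", "role_change"}     # SuperUser / elevation events
# Assumed need-to-know: the path prefixes each user's job actually requires.
NEED_TO_KNOW = {"alice": ("/finance/",), "bob": ("/sales/",), "carol": ("/customers/",)}


def parse_log(text):
    """Turn raw lines into dicts; malformed lines are counted, not silently dropped."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, malformed


def review(events, denial_threshold=2):
    """Return a list of (finding, user, detail) tuples for a reviewer."""
    findings = []
    denials = Counter()
    for ev in events:
        if not WORK_START <= ev["ts"].time() < WORK_END:
            findings.append(("after_hours", ev["user"], f'{ev["action"]} at {ev["ts"].isoformat()}'))
        if ev["action"] in PRIVILEGE_ACTIONS:
            findings.append(("privilege_use", ev["user"], f'{ev["action"]} {ev["obj"]} on {ev["host"]}'))
        if ev["action"] in {"read", "write"}:
            # A successful out-of-scope access is worse than a refused attempt,
            # but both belong in front of the data owner.
            if not ev["obj"].startswith(NEED_TO_KNOW.get(ev["user"], ())):
                kind = "out_of_scope_access" if ev["result"] == "ok" else "out_of_scope_attempt"
                findings.append((kind, ev["user"], ev["obj"]))
        if ev["result"] == "denied":
            denials[ev["user"]] += 1
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append(("repeated_denials", user, f"{n} denied requests"))
    return findings


def summarize(text):
    """Counts per finding type, so the reviewer sees the shape at a glance."""
    events, _ = parse_log(text)
    return Counter(kind for kind, _, _ in review(events))


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    for finding in review(events):
        print(*finding)
    print("malformed lines:", bad)
```

On the constructed records, the routine separates alice's two refused attempts on the HR file (attempts, plus a repeated-denials finding) from bob's successful late-night read of a research document after invoking sudo, which is the combination the Audits section describes: a user outside their responsibility, after hours, with elevated privileges. The need-to-know table is the piece that has to come from the managers who decide who needs access, as the Document Access Policies section says; without it the reviewer can only see volume, not scope.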
Auditing is the review and examination of management, operational, and technical controls, and the audit trail gives the auditor valuable information about activity on a computer system. Audit trails are usually just saved off at regular intervals and then reviewed when needed, such as after a system outage or to confirm that the system or its resources have not been harmed by hackers, insiders, or technical problems (NIST, 2003). Some of the benefits that audit trails can provide are individual accountability, intrusion detection, reconstruction of events and problem analysis. To guarantee compliance with an organization's security policy and to determine the minimum set of controls required to mitigate the risks to an acceptable level, security audits should be conducted periodically. Because vulnerabilities and threats change with time and environment, security audits should be performed at regular intervals, at random intervals and during non-office hours. These audits may reveal users that have accessed or attempted to access data that is not part of their job or responsibility, or they may expose a user that has illicitly or maliciously elevated their account privileges in order to gain access to restricted data or information. An audit trail may uncover a user that has gained SuperUser access, which can potentially allow the fraudster unrestricted access to the organization's data, information and assets. Although audit trails are generally used to determine the cause of system crashes and core dumps after the fact, they can be used to discover other activity that might otherwise have gone undetected.

Conclusion

No company wants to lose its data or have its trade secrets or proprietary information released to the public, especially to its competitors. Employers have a plethora of highly effective tools at their disposal to mitigate and potentially eliminate any insider threat to the company. The effective use of company policies and procedures can simply eradicate non-compliant users without spending a dime on technology, but the key is to have clear and concise directives that spell out the do's and don'ts, and also spell out the consequences for failing to abide by them. Another key aspect of employing company policies and procedures is quick, concise and consistent execution of disciplinary actions when employees fail to adhere to standards.

Scrutinizing employees through employment screenings and background investigations is another opportunity employers have when determining who they want working for them. With high unemployment these last few years, employers now have a bigger pool of potential employees at their disposal. Coupled with the number of highly educated and highly experienced personnel in that same pool, employers can set the standards bar higher when it comes to selecting employees. Effective screenings and background investigations all but guarantee the employer will be getting the cream of the crop.

A common trend in just about all sectors of the workforce is the bring-your-own-device (BYOD) fad. While it might be innocuous to most businesses, it can be the bane of other businesses' existence. Having unfettered access to an employer's system, network and potentially its infrastructure is just bad business, period. The potential for data theft or for infecting the company's network with a virus or malware is just not worth the pain and suffering the company will feel once it happens.

Bestowing unlimited access to company documents is another avenue employers will want to curb. Instituting a need-to-know policy can eliminate the potential for sensitive documents and data to be seen and handled by employees who have no business with these documents in the first place. The same thing can be said about giving a select few access to everything because they do so much for the company or they are great multi-taskers. All it takes is for an employee who holds all of the keys to the kingdom to become disgruntled, and they have the power to bring the organization to its knees through unregulated access to the company's core assets, resources and data.

Although the hiring of a hacker can be a scary thought, and perhaps carries some kind of negative connotation, it is by no means a stupid thought for an organization that feels it has security issues that are beyond its sysads' abilities. If an organization is wholeheartedly considering this option, it needs to do a lot of research and have discussions between leadership and its sysads to make sure it has a good idea where, perhaps, the problem(s) lie. Without due diligence, it may make matters worse.

Active system and network vigilance should be one of the primary tasks of any organization's infrastructure, because it is the primary way most tasks are completed: via a computer attached to a network. Most organizations' core assets, resources and financial data are also available through this conveyance, so it is wise to make sure it is always secure, both inside the organization and from outside the organization.

And finally, audits. These digital paper trails are available on every computer and server within any organization. While primarily used by sysads to determine why a system or server crashed, they hold a treasure trove of data, from the names of the users on the different systems to the times they modified, copied or deleted a file or program. They can also reveal whether a user is accessing files during off-duty hours.

Although most enterprises or organizations will not have an Edward Snowden hiding amongst their workforce, attempting to steal trade secrets or crucial data, there is no reason for an enterprise or organization to be complacent with its assets or security measures. No matter what side of the fence you stand on with regard to what Snowden did with his colossal cache of top secret NSA data, you have to wonder how someone was able to acquire so much data so easily without raising any alarms. Whether a company makes wrapping paper or houses the secret formula for Coca-Cola, they all have something to lose, and most of the time it is financial. Utilizing a few of the steps listed within this paper can greatly mitigate the chances of a potentially disgruntled employee turning rogue and presenting an imminent insider threat to an enterprise or organization.

References

DuBoff, L. D. (2003). Copyright and You: Protecting Your Intellectual Property. TechTrends, 12-14.
Ferraro, E. F. (2012). Investigations in the workplace. Boca Raton: CRC Press.
Gorman, S. (2012, March 8). US report to warn on cyberattack threat from China. Retrieved from Wall Street Journal: http://online.wsj.com/article/SB10001424052970203961204577267923890777392.html
Hu, V. C. (2006). Assessment of Access Control Systems. Gaithersburg: National Institute of Standards and Technology.
Lim, E. T. (2005). Managing user acceptance towards enterprise resource planning (ERP) systems - understanding the dissonance between user expectations and managerial policies. European Journal of Information Systems, 135-149.
NIST. (2003). NIST Special Publication 800-12, Introduction to Computer Security. Gaithersburg: National Institute of Standards and Technology.
Oracle. (2005). Enforcing the two-person rule via role-based access control in the Oracle Solaris 10 operating system. Palo Alto: Sun Microsystems, Inc.
Rose, C. (2012). BYOD: An Examination Of Bring Your Own Device In The Enterprise. Las Vegas International Academic Conference (p. 5). Las Vegas: The Clute Institute.
Sangani, N. K. (2012, February). Cyber Security Scenarios and Control for Small and Medium Enterprises. Informatica Economica, 58-71.
Springer, A. D. (2003). Background checks: When the past isn't past. American Association of University Professors, 110.
Suduc, A.-M. B. (2010). Audit for Information Systems Security. Informatica Economica, 43-48.
The Christian Science Monitor. (2013, December 17). Amnesty for Edward Snowden? Might depend on what secrets he's got left. Retrieved 2013, from The Christian Science Monitor: http://www.csmonitor.com/World/Security-Watch/2013/1217/Amnesty-for-Edward-Snowden-Might-depend-on-what-secrets-he-s-got-left
