240 Security Strategy: From Requirements to Reality
reduce the likelihood of collusion and to highlight suspicious activities. Collusion between insiders is extremely high in attacks motivated by financial or business advantage. Moving people into different work environments helps break up opportunities for collusion and may provide other benefits, including better coverage from cross training and improvement in morale and performance for employees with tedious or boring jobs. In addition, rotating people facilitates the detection and correction of misbehaviors because the acts either cease once the person is gone or they follow the person to his or her next assignment. Rotation is a process-based control objective suitable for medium to large organizations where sufficient staff is present to make the practice effective or beneficial. Supervisors can plan the practice around skills management and security monitoring requirements and then use regular monitoring to correlate suspicious or unauthorized activities.
Rescreened
The “rescreened” control objective ensures that personnel with highly privileged access or access to sensitive information continue to have the trustworthiness commensurate with their job position. It also ensures that the internal resources for moving someone into a position of trust meet all applicable hiring standards. Management oversight is not limited to internal (job-specific) performance. Good supervision means involvement in the social aspects of people’s lives, including events that are external to the workplace. The vast majority of insider attacks we have examined were associated with “stressor” events, some of which were internal but many others were external, including divorce, debt, addiction, and illness. Periodic rescreening provides supervisors with an opportunity to observe shifts in circumstances, attitudes, or behaviors that may affect a person’s trustworthiness.
Forced Leave
The “forced leave” control objective requires that personnel with highly privileged access or access to sensitive information take leave for a specified duration each year to facilitate the detection of illicit behavior. Forced leave and rotation have similar control objectives. Forced leave can be used to facilitate the detection and correction of misbehaviors because the acts cease once the person is gone and return when they resume their duties. Forced leave is a process-based control objective suitable for organizations in which staffing limitations make rotation impractical. Supervisors may plan the practice around cross-training and security monitoring goals and then monitor actions to correlate suspicious or unauthorized activities. The following actions are recommended for competent supervisor control objectives:
1. Improve supervisory skills so that managers are cognizant of issues leading up to insider malfeasance and are equipped to take appropriate action before issues result in malicious activities.
2. Incorporate insider malfeasance into employee awareness training.
3. Update employee screening practices to include additional measures for sensitive or high-privileged positions, including a means to positively identify the applicant and get a complete criminal history. Improve hiring practices, including the addition of interview questions or questionnaires to evaluate ethical or moral attitudes. Create specific disqualification criteria when hiring for sensitive and high-privilege positions.
4. Improve the process and scope of account deactivation procedures to ensure a quick, comprehensive account deactivation upon termination.
5. Improve HR management policies and procedures to reflect changes in the hiring and termination processes.
TAF-K11348-10-0301-C012.indd 240 8/18/10 3:11:57 PM
Keep Your Enemies Closer 241
6. Update the incident response plan to include procedures for malicious insider activities, such as procedures for the preservation of evidence on live systems (i.e., step away from your computer procedures).
7. Improve or initiate supervisory processes to mitigate insider threats, including supervisor monitoring, consistent policy enforcement, separation of duties, mandatory approvals, mandatory change control, job rotation, and forced leave.
8. Add insider threat to all audit and assessment criteria.
9. Improve or enable strong accountability controls, including stringent identity management and evidentiary-based audit trails for systems and applications. Use technologies to enforce isolation to preserve the content and integrity of log and audit data. Consider outsourcing log management and analysis to ensure isolation and improve detection and response to malicious activity.
10. Improve physical security controls and tracking (audit) mechanisms and collate physical and logical access records to detect suspicious or anomalous activities.
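As an added example that is not from the book, the following Python sketch shows one way to implement the correlation recommended in item 10 together with the forced-leave monitoring described above: logical logon records are matched against physical badge records and a forced-leave roster, and any logon during a leave window, or any on-site logon with no badge entry that day, is raised for supervisor review. All employee names, hosts, dates and record formats are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed forced-leave roster (hypothetical): employee -> (first day, last day).
FORCED_LEAVE = {"jdoe": (date(2010, 8, 16), date(2010, 8, 27))}

# Constructed physical access records: (employee, day, door event).
BADGE_LOG = [
    ("asmith", date(2010, 8, 18), "entry"),
    ("jdoe",   date(2010, 8, 18), "entry"),
    ("bkumar", date(2010, 8, 19), "entry"),
]

# Constructed logical access records: (employee, day, host, access type).
# "console" is an interactive logon at an on-site workstation or server;
# "remote" is VPN or other off-site access.
LOGON_LOG = [
    ("asmith", date(2010, 8, 18), "fin-db01", "console"),
    ("jdoe",   date(2010, 8, 18), "fin-db01", "console"),  # on leave but badged in
    ("jdoe",   date(2010, 8, 20), "fin-db01", "remote"),   # on leave, from off site
    ("bkumar", date(2010, 8, 20), "eng-ws07", "console"),  # no badge entry that day
    ("bkumar", date(2010, 8, 19), "eng-ws07", "console"),  # badged in, unremarkable
]

def on_forced_leave(employee, day):
    """True if the employee's forced-leave window covers the given day."""
    window = FORCED_LEAVE.get(employee)
    return window is not None and window[0] <= day <= window[1]

def correlate(badge_log, logon_log):
    """Return (employee, day, reason) findings for supervisor review."""
    badged_days = defaultdict(set)
    for employee, day, event in badge_log:
        if event == "entry":
            badged_days[employee].add(day)
    findings = []
    for employee, day, host, access in logon_log:
        # Activity that should have ceased while the person is away.
        if on_forced_leave(employee, day):
            findings.append((employee, day, f"{access} logon to {host} during forced leave"))
        # An on-site logon with no physical entry record for that day.
        if access == "console" and day not in badged_days[employee]:
            findings.append((employee, day, f"console logon to {host} with no badge entry"))
    return findings

if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, LOGON_LOG):
        print(finding)
```

In practice the badge and logon records would come from separate, isolated log stores (item 9), and the output feeds the supervisor review rather than an automatic action.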
Employee Screening
The previous section touched on employee screening in the hiring process and for ongoing monitoring efforts; this section covers those attributes in greater detail. Employee screening is used for three basic scenarios: new hire, internal transfer or promotion, and periodic rescreening. Screening criteria will vary depending on the access privileges and the sensitivity or value of the data being accessed. The matrix presented in Table 12.2 is an example of how employee screening might be applied to various internal positions. Table 12.3 maps employee screening attributes to specific baselines.
In this example, all positions are subject to a baseline set of screening criteria; positions with privileged access or access to sensitive or high-value information are subject to an additional (superset) set of screening criteria.
Baseline screening for all employees must be completed before they are granted access to company information systems and assets. Superset screenings should be completed before privileged or high-value access is granted, although granting access while the screening is completed may be acceptable for internal promotions.
Background Checks
Although listed as separate attributes, criminal, driving, and credit checks are common components of a standard employee background check, which typically includes employment, education,
Table 12.2 Screening Matrix

Scenario                                   | Standard Access | Privileged Access | High Value Access
-------------------------------------------|-----------------|-------------------|------------------
New hire                                   | Baseline        | All               | All
Internal transfer or promotion             |                 | Super set         | Super set
Temporary to permanent employee transition | Baseline        | All               | All
Periodic rescreening                       |                 | All               | All
Table 12.3 Control Objectives for Employee Screening

Attribute/Control       | Type | Risk and Requirements
------------------------|------|----------------------
Baseline Screening      |      |
Completeness            | Soft | Baseline screening shall be conducted for all new hires, including temporary employees transitioning to a permanent position.
Criminal history check  | Soft | A criminal history check shall be conducted using local and regional (state, province, etc.) police records to verify full disclosure of criminal history and to identify patterns of conduct impacting trustworthiness.
Driving history check   | Soft | A driving history check shall be conducted using local and regional (state, province, etc.) records to identify patterns of conduct (e.g., recklessness, habitual offense) impacting trustworthiness.
Credit history check    | Soft | A credit history check shall be conducted using a reliable credit-reporting source to identify patterns of conduct or financial impropriety impacting trustworthiness.
Employment verification | Soft | Employment history shall be verified, including employment dates and compensation claims, to identify falsifications, omissions, or other facts impacting trustworthiness and to ensure that the applicant meets the minimum work experience requirements of the position.
Education verification  | Soft | Postsecondary education claims, including degrees and professional certifications, shall be verified to identify falsifications or other facts impacting trustworthiness and to ensure that the applicant meets the minimum education requirements of the position.
Eligibility checks      | Soft | Eligibility claims for preferential hiring such as veteran, disabled, displaced worker, and security clearance shall be verified to identify falsifications or other facts impacting trustworthiness.
Superset Screening      |      |
Completeness            | Soft | Superset screening shall be conducted for all new hires, internal transfers, promotions, and temporary to permanent employee transitions to positions with privileged access or access to sensitive or high-value information such as financials, intellectual property, and source code.
Disqualification        | Soft | Disqualification criteria shall be developed to assist with the evaluation of superset screening results.
Identity check          | Soft | The identity of the applicant shall be verified using the best possible means to ensure information pertaining to the trustworthiness of the applicant is not being concealed behind an alias.
and eligibility verifications too. Most companies have screening practices that are sufficient for positions requiring ordinary user access to company resources. However, these screening standards are not usually applied to temporary (contracted) staff, vendor, or partner personnel. It is assumed that the agency or organization supplying the resource has screened them appropriately. This is a bad assumption; temporary staffing agencies do cursory checks at best and no checks at worst. Vendors supplying services with high turnover rates (e.g., cleaning and moving) are not incentivized to conduct background checks. Partner organizations’ screening practices may be subpar. It is in your organization’s best interest to make sure that all parties requiring access to your assets meet your minimum screening criteria.
Secondary screening procedures for positions with high-privilege or high-value access are unusual in most business environments. This situation must be improved upon. Postmortem reviews of insider malfeasance often reveal criminal histories that were undisclosed and undiscovered during the hiring process. An additional area of concern is the failure to apply secondary screening when transferring or promoting internal employees. Behaviors exhibited in the current position may point to trust issues that are not acceptable for the new position. Failing to do secondary screening may promote someone into a position with a greater opportunity to do harm.
Identity Check
Nearly 12% of all fingerprint checks conducted by the FBI for employment and licensing purposes return names different from the ones provided. People wishing to hide their criminal history, illegal status, or nefarious trade (i.e., terrorist, spy, etc.) often use assumed names or stolen identities. When hiring to positions requiring high trust, a positive identification is essential. A skilled social engineer with privileged access can rob a company blind in a matter of days.
Table 12.3 Control Objectives for Employee Screening (continued)

Attribute/Control      | Type | Risk and Requirements
-----------------------|------|----------------------
Criminal history check | Soft | A fingerprint-based criminal history check shall be conducted to verify full disclosure of criminal history and identify patterns of conduct impacting trustworthiness.
Preemployment testing  | Soft | Testing, including lie detection and psychological assessments, may be conducted to supplement or verify applicant claims and trustworthiness.
Rescreening            |      |
Completeness           | Soft | Rescreening shall be conducted at prescribed intervals for all positions with privileged access, or access to sensitive or high-value information.
Review                 | Soft | Rescreening results shall be evaluated in accordance with established superset disqualification criteria to confirm that the employee meets the trustworthiness standard for the position he or she holds.
SIDEBAR: HOW I STOLE $30 MILLION
A number of years ago we read a story recounting the assessment of a computer chip manufacturer’s security controls by a penetration testing team. The engagement included “hiring” one of the consultants as a temporary clerk in the IT department. Within hours of arriving for work, he had set up a number of interviews with department heads to discuss their security concerns. Posing as a senior security analyst, he charmed his way onto three departmental servers to “assess” their security controls. He then applied (online) for remote access privileges, which he received the following day. Using this access and the credentials he had on the departmental servers, a team of penetration testers went to work compromising a slew of internal systems. Meanwhile, the “temporary clerk” remained late one evening to walk the building with the CSO and see what he could “discover.” It didn’t take long; entering the office of one of the senior design engineers, he accessed an engineering workstation that was left logged on. Using a portable storage device, he then proceeded to download an entire set of engineering plans, at which point the CSO put an end to the exercise. In a span of three days, someone hired as a temporary clerk had orchestrated the root compromise of 24 computer systems and the theft of data valued at over $33 million!
Positive identification and full disclosure are essential components of trust and should not be bypassed or compromised for a position requiring a high level of trustworthiness.
Preemployment Testing
Preemployment testing can be used to supplement or verify applicant claims and trustworthiness. Drug screening tests are common, lie detectors less so. In between, there are a number of psychological tests, including tests designed to assess reasoning abilities, personality, and moral sense (ethics). Most are designed to be administered by professionals who can accurately assess the results, but this is a pretty expensive proposition. The alternative is self-assessment tests. The results for these tests tend to be broader and less reliable. Results are mapped against information collected from thousands of other test takers, and conclusions are generally accurate but not specific. We do not oppose the use of psychological testing as a supplemental factor in your trust evaluation; we only suggest that tests not administered by professionals be weighted appropriately.
Disqualification
Multiple people can look at the same data and come to very different conclusions. This isn’t a particularly good scenario when you are trying to make hiring decisions for positions of high trust. A consistent means of evaluation is key to the success of the process. Not only do organizations need to establish good screening criteria, but they also need to define the metrics associated with those criteria. Since the process assumes trustworthiness and looks for patterns of conduct impacting that trust, these are, for all practical purposes, disqualification metrics. These metrics will be different depending on the organization and business sector. In general, candidates for positions of high trust who falsify, omit, or misrepresent facts on their application form or résumé would be disqualified. Egregious criminal or vehicular offenses or a pattern of fiscal irresponsibility are other disqualifiers. Defining your disqualification criteria assures a consistent screening result and may help guard against claims of favoritism or prejudice.
Rescreening
Rescreening, as already noted, is a periodic reaffirmation of an employee’s trustworthiness. It is usually carried out in the background; that is, it does not require the employee’s participation, but it is wise to inform the employee that rescreening is taking place. Getting notification that your company just pulled your credit history can be a little disconcerting if you weren’t expecting it. Rescreening follows the same processes used above to collect and evaluate data except