<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insider Fraud Spotlight &#187; Insider Threat</title>
	<atom:link href="http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/category/insider-threat/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.attachmate.com/blogs/insider-fraud-spotlight</link>
	<description>Attachmate Luminet</description>
	<lastBuildDate>Mon, 05 Aug 2013 19:58:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Presidential Memo on Insider Threat: Big Brother or Sound Policy?</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/presidential-memo-on-insider-threat-big-brother-or-sound-policy/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/presidential-memo-on-insider-threat-big-brother-or-sound-policy/#comments</comments>
		<pubDate>Wed, 05 Dec 2012 04:00:07 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Government Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=215</guid>
		<description><![CDATA[Recently, an Executive Memo was released addressing the vexing issue of insider threat within departments and agencies of the federal government. This presidential memorandum, “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs,&#8221; was issued on Nov. 21, 2012. The text of the memo is captured below: This Presidential Memorandum transmits the [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Recently, an Executive Memo was released addressing the vexing issue of insider threat within departments and agencies of the federal government. This presidential memorandum, “National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs,&#8221; was issued on Nov. 21, 2012. The text of the memo is captured below:</p>
<p>This Presidential Memorandum transmits the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs (Minimum Standards) to provide direction and guidance to promote the development of effective insider threat programs within departments and agencies to deter, detect, and mitigate actions by employees who may represent a threat to national security. These threats encompass potential espionage, violent acts against the Government or the Nation, and unauthorized disclosure of classified information, including the vast amounts of classified data available on interconnected United States Government computer networks and systems.</p>
<p>The Minimum Standards provide departments and agencies with the minimum elements necessary to establish effective insider threat programs. These elements include the capability to gather, integrate, and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of all personnel.</p>
<p>The resulting insider threat capabilities will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security.</p>
<p>SIGNED: BARACK OBAMA<br />
<a href="http://www.whitehouse.gov/the-press-office/2012/11/21/presidential-memorandum-national-insider-threat-policy-and-minimum-stand" title="Read the official memo here.">Read the official memo here.</a></p>
<p>For such a brief memo, it has not been without controversy. Some pundits have stated that it will put a chill on whistleblowers while others have argued that such a statement indicates that &#8220;Big Brother&#8221; has landed. I just don&#8217;t see it that way. </p>
<p>The ability to monitor employee interactions with company data has long been available in the private sector. Organizations regularly monitor access to critical or protected information&#8211;and if they aren&#8217;t, they should be. Insider threats, abuse and misuse of data, and malfeasance are common in companies all around the globe. Why should we expect the same is not true in our federal, state, and local governments? I, for one, feel safer with a &#8220;trust but verify&#8221; approach for the data we all share with federal agencies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/presidential-memo-on-insider-threat-big-brother-or-sound-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3 Ways Leading Companies Reduce Risk</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/3-ways-leading-companies-reduce-risk/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/3-ways-leading-companies-reduce-risk/#comments</comments>
		<pubDate>Tue, 09 Oct 2012 22:26:47 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=197</guid>
		<description><![CDATA[The business risks—financial loss, failed audits, regulatory fines, and brand damage—of insider threats to your corporate data are too devastating to ignore. Here’s how learning from industry best practices can help you prevent these threats, including fraud and information leakage, and protect your business: Demand 100% visibility so nothing gets missed Capturing data in logs [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The business risks—financial loss, failed audits, regulatory fines, and brand damage—of insider threats  to your corporate data are too devastating to ignore. Here’s how learning from industry best practices can help you prevent these threats, including fraud and information leakage, and protect your business:</p>
<p><strong>Demand 100% visibility so nothing gets missed</strong><br />
Capturing data in logs is a traditional method of understanding system activity but it doesn&#8217;t go far enough. Modern business intelligence tools tap into a hidden, information-rich data layer by capturing a complete, real-time, over-the-shoulder view of user activity across multiple data channels. This data should include queries and other read-only transactions that typically do not leave any traces in corporate databases or logs. This way, internal auditors, investigators and line of business managers can visually replay user actions screen by screen, keystroke by keystroke, just as if they were looking over the user’s shoulder. Not only can they see everything, but they can also place it into context. </p>
<p>Leading organizations use this data in a number of ways. Let&#8217;s explore a few of them:</p>
<p><strong>Take a pre-emptive approach to eradicate risk </strong><br />
Most solutions address insider threats after the user has already gained access to the target information and is trying to transfer it out of the organization. Network-level solutions work by looking for sensitive data created in outbound messages (e.g., emails and instant messages). Desktop-level solutions look in media created at the desktop (e.g., via printing, writing to USB flash disks, or writing to CDs). </p>
<p>These approaches are highly problematic. Once sensitive data is displayed on a user’s screen, it can be transferred in undetectable ways—e.g., copied down on paper or photographed with a cell phone camera. At this point, it’s already too late.</p>
<p>Leading next-generation detection technologies take a different approach, working at the application level to address threats before they occur. More specifically, these solutions monitor application usage so that you know exactly when sensitive information is being displayed on the user screen. When applications are monitored proactively, the fraudulent behavior that occurs prior to a leak can be detected. The leak can then be prevented at the point of data access—regardless of the strategy for leaking the data. </p>
<p><strong>Use real-time alerts to trigger fast action </strong><br />
The powerful analytical engines in modern detection solutions track user behavior in real time, detecting cross-channel patterns and activities. In this way, they can pinpoint suspicious actions—based on business rules and weighted scores that you’ve defined—and generate real-time alerts related to questionable behavior. For example, here&#8217;s how Luminet does it:</p>
<p>A bank clerk who excessively searches for high-profile customer information, by customer name, much more than other clerks.<br />
A user who displays 500 customer accounts on a specific day, spending only a few seconds with each account, while on average he accesses only 100 customer accounts per day.</p>
<p>Alerts can be sent to internal auditors, who can use them to zero in on anomalies, eliminate false positives, and facilitate after-the-fact investigations. When these solutions are integrated with an operational system, the alerts can also trigger automatic actions—for example, the initiation of a “suspend user” process in the operational system. </p>
<p><strong>Faster, Easier Audit Prep </strong><br />
Your auditors expect precise and detailed information about how the thousands of people across your enterprise are accessing sensitive information on hundreds of applications each day. This often amounts to tens of thousands of screens of data and log entries. They also expect to see this information presented in a format that aligns with their unique regulatory requirements. With the next generation of business insight and compliance software, this information can be easily indexed, analyzed and distilled into meaningful reports&#8211;often at the click of a button.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>Real life examples. Real results.</strong></p>
<p><strong>Tax Collection Agency Cuts Investigation Time by 76%</strong> A large tax collection agency, which manages tax collection for more than 110 million citizens, wanted to gain visibility into the nonlogged activities of trusted insiders and respond to new scrutiny around data protection. With Luminet, the agency has reduced fraud and prosecuted violators while cutting investigation time by 76%.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>Nonprofit Mutual Insurance Firm Demonstrates Compliance with HIPAA and PCI DSS</strong> A nonprofit mutual insurance firm, part of a large consortium of health insurance providers, needed a fraud prevention and compliance solution that would help them uncover privacy violations and demonstrate compliance with HIPAA and PCI DSS. </p>
<p>The firm, which serves well over a million members, chose Luminet because of its comprehensive approach to data collection, reporting, and analysis. Luminet provides 100 percent visibility into user activity across all applications. It also triggers real-time alerts for exceptions. And its interactive tools detect the cross-channel patterns and trends of users across diverse departments and applications. </p>
<p>Armed with Luminet, the firm can help catch privacy violations, facilitate regulatory compliance, and reduce expenses related to audits, compliance reporting, and HIPAA-associated fines. </p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>Credit Card Company Immediately Detects Employee Misuse</strong> A credit card company employed the Luminet technology for its ability to see, record, and analyze user activity across internal enterprise applications—thereby providing the intelligence needed to take informed action. Corporate IT used business rules available in Luminet to track user behavior patterns and generate real-time alerts on suspicious activity. And their work paid off. Just weeks after installation, the company identified an employee who was misusing his authorized access. </p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>Government Agency Deters Fraud and Prevents Info Leak</strong> A government agency with more than 11,000 employees deployed the Luminet technology to view and record all user interactions with internal business applications. Employees and contractors were given fair warning: From now on their application activity would be recorded in real time—screen by screen, keystroke by keystroke—creating a complete audit trail directly from the network. </p>
<p>By capturing a complete over-the-shoulder view of user activity, the agency was able to deter fraud and prevent sensitive info from leaking into the wrong hands. </p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>International European Insurance Company Tracks Privileged Users</strong> A European insurance company deployed the Luminet technology to help detect internal fraud. More specifically, one of the company’s objectives was to track the activity of privileged IT users, including database administrators, system administrators, and programmers. Trusted users, with their technical knowledge and authorized access to internal systems and resources, have the potential to devastate an institution.  </p>
<p>Using the Luminet technology, the company implemented business rules that generated real-time alerts on questionable activity patterns; e.g., a privileged user’s attempt to update information in a production database using a utility that could not otherwise be traced.   </p>
<p><a href="http://www.attachmate.com/solutions/managing-enterprise-fraud/industry/insider-threat-mitigation.htm" title="Learn more about how Luminet helps customers.">Learn more about how Luminet helps customers.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/3-ways-leading-companies-reduce-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>3 Types of Insider Threat and How to Spot Them</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/3-types-of-insider-threat-and-how-to-spot-them/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/3-types-of-insider-threat-and-how-to-spot-them/#comments</comments>
		<pubDate>Wed, 12 Sep 2012 21:34:28 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=193</guid>
		<description><![CDATA[Insider threats—the most challenging for organizations to address—are often difficult to spot and pose huge risks for your organization. While many of the motivations are the same, there are three distinct types of fraudulent insiders. Read part one of our series to understand who commits fraud. Part two will focus on what to look for [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>Insider threats—the most challenging for organizations to address—are often difficult to spot and pose huge risks for your organization. While many of the motivations are the same, there are three distinct types of fraudulent insiders. Read part one of our series to understand who commits fraud. Part two will focus on what to look for and how to spot trouble before it starts.</strong></p>
<p>You’re probably familiar with this classic bad-guy image:  A disgruntled employee enters a building in secret under cloak of night and begins to steal trusted information from a business. This image may even have kept you awake at night. In this scenario, the individual in question has privileged access to proprietary data and enough knowledge and intent to defraud the organization.<br />
As widespread as this image is, the true risks from insiders come from a few different areas and are often far less dramatic.</p>
<p><strong>The policy violator</strong><br />
Despite the commonly accepted vision we all have of  nefarious actors within our systems, individuals misusing company resources are, for the most part, not doing so with the intent to harm. Frequently, they are motivated to “just get the job done.” In this way, good employees may be breaking policies and creating risk without ever meaning to.<br />
Consider, for example, the well-meaning employees who exploit a back door in a legacy system in an effort to move through their workflow more efficiently. Surely they mean no harm, but without visibility to those actions, these employees may be introducing risk that not only threatens data integrity but also leaves no trace. That activity could go undiscovered until the day something goes dramatically wrong.<br />
Making internal actors aware of these risks is an important part of mitigating insider misuse. Gaining visibility into such activity, especially at the application layer, is essential. Taking steps to reduce misuse and error has the added benefit of protecting against more harmful insider threats as well.</p>
<p><strong>The low and slow fraudster</strong><br />
The most common type of fraud today is not the headline-grabbing theft of millions of credit card records. It’s the small crimes of opportunity that occur quietly, steadily, and repeatedly at the hands of your most trusted insiders—your employees, vendors, consultants, and contractors. This type of fraud occurs daily, and often goes undetected for weeks or months at a time.<br />
When it comes to actual fraud inside an organization, businesses might be surprised at the profile of the typical fraudster. According to research conducted by the CERT Insider Threat Center of Carnegie Mellon University&#8217;s Software Engineering Institute, on average, insiders are on the job for more than five years before they start committing fraud, and it takes nearly three years for their employers to detect their crimes. They are often trusted employees or managers who experience a life-changing event.</p>
<p>This study, funded by the Department of Homeland Security Science and Technology Directorate, examined 80 fraud cases that occurred between 2005 and 2012 to identify technical and behavioral patterns. The result? The study found that those individuals that operated “under the radar” escaped detection for longer periods of time and cost the target organization an average of $382,000 or more depending on how long they were able to operate without detection.</p>
<p>Commenting on the study, Randy Trzeciak, the technical lead of the Insider Threat Research Team, stated, &#8220;We also found that nearly 93% of fraud incidents were carried out by someone who did not hold a technical position within the organization or have privileged access to organizational systems.&#8221; In short, anyone in the organization has the potential to do harm.<br />
So, how do you address the issue of good employees gone bad? Again, visibility is the key. By being able to baseline an employee’s behavior over time and identify changes or spikes in activity that differ from that baseline, you can spot this type of fraudster. Correlating this data over time and across multiple data channels can be difficult for humans. In these cases, where you need to manipulate “big data,” technology purpose-built for fraud and anomaly detection can give you an edge.</p>
<p><strong>The imposter</strong><br />
Insider threat committed by imposters is a reality. Every organization has a mix of employees, consultants, management, partners, and complex infrastructure and that makes finding and handling insider threats a challenge. Motivated by money or revenge, these insiders do commit fraud and steal valuable information. To make matters worse, these individuals do not want to be found. In an effort to operate undetected, they will often steal credentials and operate as if they were someone else. In short, you’ve just met the imposter. The problem is, you might not recognize her.<br />
An individual using someone else’s credentials can be very difficult to discover, track, and ultimately shut down. Their activity can remain hidden or even besmirch the reputation of a valued and honest employee. With all the machine data rattling around in the system, you may find the wolf. But could you tell if it was cloaked in sheep’s clothing?<br />
What if you could correlate data from multiple sources and compare the results to create a more comprehensive user profile? In an instant you could correlate access data with other sources. Imagine using technology to draw out these answers. Why is Janie at work? She didn’t scan her badge and her payroll record has her marked as taking a sick day, for example. Or, why is Bob accessing unusual data after hours from a machine or IP address that isn’t one he normally uses? Doesn’t that strike you as odd? It might be explainable behavior, but it’s probably worth investigating.</p>
<p><strong>Your reality</strong><br />
Insider threats are hard to detect. The traditional methods of identifying and alerting on outside attacks, such as network perimeter security, are useless when you are dealing with a privileged user or stolen credentials that permit an attacker to masquerade as something they are not. Even a good layered defense can be vulnerable to insiders if you’re not taking the time to examine the risks from an inside attack.<br />
Think about the levels of control you have in place today. You’ve probably done a good job hardening your defense from the outside in. You likely have policies, procedures, and technical controls to help keep your core assets safe. But without visibility—the ability to see beyond logs and really understand what your machines are telling you—can you really tell the good guys from the bad guys? Can you see the difference between accidental policy violations and persistent fraud? Probably not. </p>
<p><strong>Next time, we’ll show you how some of the world’s leading institutions do it.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/3-types-of-insider-threat-and-how-to-spot-them/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Most Common HIPAA Violation? Small-Scale Snooping</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/most-common-hipaa-violation-small-scale-snooping/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/most-common-hipaa-violation-small-scale-snooping/#comments</comments>
		<pubDate>Tue, 14 Aug 2012 20:04:49 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=184</guid>
		<description><![CDATA[Health privacy violations are lethal. They can create reputation management nightmares and generate stiff fines. Even a single HIPAA violation has serious financial consequences. The minimum fine now stands at $50,000, with a maximum penalty per year of up to $1.5 million per each provision of the rules. Since many healthcare privacy breaches involve multiple [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Health privacy violations are lethal. They can create reputation management nightmares and generate stiff fines. Even a single HIPAA violation has serious financial consequences. The minimum fine now stands at $50,000, with a maximum penalty per year of up to $1.5 million per each provision of the rules. Since many healthcare privacy breaches involve multiple violations, the cost of not protecting patient privacy can grow very quickly. We’ve even begun to see this demonstrated in the more recent HIPAA compliance enforcement actions. Care providers large and small are feeling the pressure. Even government agencies are not immune. </p>
<p>While headline-grabbing events like the HIPAA fine levied at the State of Alaska are being widely covered, there is another, hidden reality that is far more pervasive: Small-scale snooping is actually far more common than large-scale theft or dramatic losses of equipment containing PHI. In fact, in the 2011 Survey of Patient Privacy Breaches*, about 70% of the survey respondents reported that they had experienced a HIPAA breach of some level—with the majority of those violations occurring as a result of snooping activity. Insiders were responsible for the majority of breaches, with 35 percent snooping into medical records of fellow employees and 27 percent accessing records of friends and relatives. More than half of the respondents stated that they lacked the appropriate tools for monitoring inappropriate access to PHI.</p>
<p>Organizations will continue to be held accountable for responding to audit and information requests. Tools like Attachmate Luminet that support HIPAA compliance reporting requirements and Accounting of Disclosure requests are available today. These leading solutions exist to help stop misuse and curtail privacy violations by seeing, recording, and analyzing user activity across all applications. In this way, these solutions can help you address a wide variety of PHI access and policy scenarios. When examining technology of this kind, make sure it can help you answer the following questions: </p>
<p>•	Is an employee logged in at multiple locations or accessing systems after hours while on vacation or absent from work?<br />
•	Is an employee accessing areas not appropriate for their job or function?<br />
•	Are physicians accessing records outside their specialty?<br />
•	Are employees accessing high profile or VIP accounts inappropriately?<br />
•	Are employees inappropriately accessing PHI within the institution?<br />
•	Are employees accessing accounts more than 30 days after the date of service? Has key account information—e.g., address or services rendered—changed?</p>
<p>When evaluating a solution provider, look for the ability to see beyond logs—to capture the query-only activity that happens when staff and care providers only want a “quick peek.” It may seem like harmless curiosity, but it represents a privacy violation that can land an institution in very hot water. </p>
<p>*The 2011 Survey of Patient Privacy Breaches was conducted by Veriphyr.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/most-common-hipaa-violation-small-scale-snooping/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fraud in Government: New PWC Study Says It&#8217;s Getting Worse</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/fraud-in-government-new-pwc-study-says-its-getting-worse/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/fraud-in-government-new-pwc-study-says-its-getting-worse/#comments</comments>
		<pubDate>Thu, 17 May 2012 16:24:14 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Government Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[challenges]]></category>
		<category><![CDATA[Continuous Monitoring]]></category>
		<category><![CDATA[insider fraud]]></category>
		<category><![CDATA[threats]]></category>
		<category><![CDATA[US Government]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=155</guid>
		<description><![CDATA[Government agencies around the globe are at risk from within. Just as in the private sector, more error and misuse comes from internal employees, partners, and suppliers than from anyone else. A recent study from PricewaterhouseCoopers indicates that the problem may be getting worse. According to the consultancy’s latest Global Economic Crime [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Government agencies around the globe are at risk from within. Just as in the private sector, more error and misuse comes from internal employees, partners, and suppliers than from anyone else. A recent study from PricewaterhouseCoopers indicates that the problem may be getting worse. According to the consultancy’s latest Global Economic Crime Survey, nearly half of organizations in the public sector have been hit by economic crime in the past 12 months. Cyber crime and employee and supplier fraud, in particular, are on the rise. The survey also found 46 per cent of respondents had experienced one or more incidents of such crime in the past year. That’s quite a jump from 37 percent in 2009 and considerably higher than the average of 34 per cent across all sectors.<br />
Some of the other key findings from the survey are equally alarming:<br />
•	More than two-thirds of the crimes experienced in the past 12 months were committed by public sector employees, compared with just over half in 2009.<br />
•	Supplier fraud jumped from 13 per cent to 32 per cent over the same period.<br />
•	Over 50% of those surveyed said they had the resources to detect cyber crime, but most lack the forensic capabilities needed to investigate such incidents.<br />
Source: 2011 Global Economic Crime Survey, PWC: http://www.pwc.com/en_GX/gx/economic-crime-survey/assets/GECS_GLOBAL_REPORT.pdf<br />
Further, the study links this rise in activity to the cuts in public sector spending—a trend that is likely to continue and deepen if the current economic reality remains unchanged.<br />
Government agencies are clearly struggling to address internal fraud. Their efforts are complicated by shifting compliance requirements, impaired visibility into user activity, legacy systems that house mission-critical processes, and the limited effectiveness of existing controls and traditional logging capabilities. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/fraud-in-government-new-pwc-study-says-its-getting-worse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber attacks hit gas pipelines</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/cyber-attacks-hit-gas-pipelines/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/cyber-attacks-hit-gas-pipelines/#comments</comments>
		<pubDate>Wed, 09 May 2012 00:01:35 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Government Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=151</guid>
		<description><![CDATA[Recent reports of sophisticated phishing attacks against natural gas pipeline operators in the United States are highly disturbing. There are approximately 200,000 miles of interstate natural gas pipelines, which supply 25% of the nation’s energy and all of these are potentially at risk. The US Department of Homeland Security has recently [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>
Recent reports of sophisticated phishing attacks against natural gas pipeline operators in the United States are highly disturbing. There are approximately 200,000 miles of interstate natural gas pipelines, which supply 25% of the nation’s energy, and all of these are potentially at risk. The US Department of Homeland Security has recently disclosed that it has been helping US firms with incidents since March 2012. Commenting on the incidents, DHS spokesman Peter Boogaard told CNET on Tuesday, “DHS’s Industrial Control Systems Cyber Emergency Response Team has been working since March 2012 with critical infrastructure owners and operators in the oil and natural gas sector to address a series of cyber intrusions targeting natural gas pipeline companies.” </p>
<p>Boogaard continued to share high-level details regarding the events stating, “The cyber intrusion involves sophisticated spear-phishing activities targeting personnel within the private companies. DHS is coordinating with the FBI and appropriate federal agencies, and ICS-CERT is working with affected organizations to prepare mitigation plans customized to their current network and security configurations to detect, mitigate and prevent such threats.” This active series of cyber intrusions targeting natural gas pipeline sector companies appears to have started in late December 2011 and remains active today. </p>
<p>While the origins of these attacks remain unknown and no negative consequences of the breaches have been disclosed to date, these alarming incidents underscore the importance of continuous monitoring and alerting on changes within the enterprise environment. The specter of malicious activity is real, the potential for damage is high, and the ability of an attacker or motivated insider to damage critical infrastructure is a risk that should be actively guarded against.</p>
<p>Organizations, governments, utilities and critical business sectors alike should seek out ways to monitor their vital systems from within, alert on change and move immediately to put continuous monitoring systems in place. By following strong security practices, baselining the current environment, and using predictive analytics to identify areas of vulnerability and change, we can all reduce risk across the organization. </p>
<p>These tools exist today. The time to deploy them is now.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/cyber-attacks-hit-gas-pipelines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Major security breaches hit healthcare</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/#comments</comments>
		<pubDate>Tue, 01 May 2012 23:28:38 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Healthcare Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Continuous Monitoring]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threats]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=143</guid>
		<description><![CDATA[The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost. And it was the work of insiders. According to an article entitled “Healthcare Unable to Keep Up [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The statistics are startling: In April 2012 alone, three major security breaches that hit the Utah Department of Health (UDH), Emory Healthcare and South Carolina’s Department of Health and Human Services accounted for nearly 1.1 million records lost.  </p>
<p>And it was the work of insiders.</p>
<p>According to an article entitled “Healthcare Unable to Keep Up with Insider Threats” by Ericka Chickowski on the Dark Reading website, the three incidents are typical of “the types of consequences healthcare organizations face when they fail to address insider threats through improved employee screening, monitoring, data controls, and security awareness training.”</p>
<p>These insider threats were and are potentially malicious and at the very least inept. In the case of the UDH, records were exposed due to the misconfiguration of a server containing the files. At Emory, human error accounted for the loss of a significant number of patient records when 10 backup disks went missing. In South Carolina, a DHHS employee (who has since been fired and arrested) sent thousands of Medicaid patient records to himself in an email.</p>
<p>The healthcare industry, by and large, “has been notoriously incapable of pinpointing risks in general, let alone those from insiders,” the article offers. Sourcing the problem is difficult because these security holes include loss or theft of portable devices such as laptops, smartphones, external drives and backup tapes; actual theft by data thieves; and simple staff ignorance in terms of security, protocol and training.</p>
<p>With solutions available today, those institutions could easily tell the difference between intentional and non-intentional privacy violations, achieve full regulatory compliance, and pass any audit with real-time user activity log files. As the “insider threat” continues to grow right along with the healthcare industry, major steps will need to be taken to stanch the flow of lost and misappropriated records that can and will lead to increased fraud and identity theft. The time to act is now. </p>
<p>To learn more about Attachmate’s Luminet enterprise fraud management software please visit http://www.attachmate.com/Products/efm/luminet/luminet.htm.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/healthcare/major-security-breaches-hit-healthcare/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Logs Never Tell the Whole Story</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/logs-never-tell-the-whole-story/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/logs-never-tell-the-whole-story/#comments</comments>
		<pubDate>Thu, 15 Mar 2012 13:12:10 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=139</guid>
		<description><![CDATA[Organizations seeking to understand insider activity often rely on logs to detect or trace back anomalous behavior. As enterprise applications become more distributed and encompass more complex functionality, however, the ability to force traditional logging to function as a modern fraud solution becomes untenable for three reasons: 1. Isolated log entries Like your business processes, [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Organizations seeking to understand insider activity often rely on logs to detect or trace back anomalous behavior. As enterprise applications become more distributed and encompass more complex functionality, however, the ability to force traditional logging to function as a modern fraud solution becomes untenable for three reasons: </p>
<p><strong>1. Isolated log entries</strong> Like your business processes, fraud is a multistep process that typically involves several applications. A transaction entered in one web application, a change to a department database through another, and a query through a mainframe system may all be part of a critical business process or a complex fraud scheme. </p>
<p>By contrast, traditional logging is typically focused on a single application component, such as a database, application server, or messaging subsystem. Each component creates a different log with different levels of information defined in different formats. Information remains siloed and difficult to access. </p>
<p>Isolated log entries are difficult to correlate with events recorded in other logs. Even a server with an out-of-sync clock can complicate the integration of data from two logs—and damage your audit trail. What’s more, logs do not share common data types or formats, so linking data depends on lucky guessing as much as sound logic. </p>
<p><strong>2. Incomplete information</strong> Only a fraction of the activity that occurs between employees and applications is captured by traditional logging—which means that a significant amount of potential evidence is missing from your investigations. For example, many logs fail to capture:<br />
•	Queries and read-only actions. Most existing logs track only updates and lack crucial access information such as queries and read-only actions.<br />
•	Comprehensive update information. Let’s say a database trigger logs an account update, recording an original monetary value and a new value. While useful for IT system administration, this update is missing information that is crucial to investigators:<br />
- The identity of the user performing the update.<br />
- The application module used to initiate the update.<br />
- Links to events that occurred prior to and following the update.</p>
<p>Even if application developers wanted to include some of this information, it’s often missing at the database level. </p>
<p><strong>3. Information is spread across disparate systems</strong> To create a complete audit trail, you must be able to audit access and usage of all your business systems. For example, let’s say you want to audit a single business process—the process of updating customer accounts. This might require you to gather and correlate separate log data from several applications, including a legacy mainframe app, an internally developed client-server app, and a web-based app. </p>
<p>But these applications were developed at different points in time using vastly different technologies. The logging data they produce is formatted differently, with varying levels of detail. Reconciling the differences and then constructing a cohesive and accurate audit trail is tedious, time-consuming, and sometimes impossible. The problem becomes exponentially more complex when you have to track multiple business processes, each dependent on a new set of applications.</p>
<p>Organizations seeking to understand insider activity must expand their view beyond logging to include user activity and unlogged queries if they want a more complete picture of their systems.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/insider-threat/logs-never-tell-the-whole-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NIST SP 800-53 Update: Privacy and Information Security Go Hand-in-Hand</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/nist-sp-800-53-update-privacy-and-information-security-go-hand-in-hand/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/nist-sp-800-53-update-privacy-and-information-security-go-hand-in-hand/#comments</comments>
		<pubDate>Tue, 28 Feb 2012 23:53:34 +0000</pubDate>
		<dc:creator>Christine Meyers</dc:creator>
				<category><![CDATA[Government Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=134</guid>
		<description><![CDATA[The National Institute of Standards and Technology (NIST) released its update to Special Publication 800-53 Revision 4 earlier today at the 2012 RSA Conference. The update included two new sections pertaining to insider threat and privacy. As NIST cited, it is a fundamental responsibility of federal agencies to secure information systems and safeguard against unauthorized [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>The National Institute of Standards and Technology (NIST) released its update to Special Publication 800-53 Revision 4 earlier today at the 2012 RSA Conference.  The update included two new sections pertaining to insider threat and privacy.</p>
<p>As NIST noted, it is a fundamental responsibility of federal agencies to secure information systems and safeguard against unauthorized access and use of private information. Without a solid foundation of information security, it is impossible to protect the privacy of personally identifiable information (PII). </p>
<p>This revision includes a number of privacy controls to provide transparency, accountability and risk management to mitigate the unauthorized access to PII by those inside and outside the organization. </p>
<p>There often is no way to enforce policies. However, with this update, NIST has demonstrated a maturity in thinking about the issues and provided guidance to make the protection of privacy actionable for government. The new guidance requires federal agencies to evaluate and report on the effectiveness of their information system privacy practices, and should enhance public confidence in the government’s ability to protect and ensure the integrity of PII.</p>
<p>To mitigate the risk of insider threat and potential privacy breaches, agencies should conduct a gap analysis to identify areas for improvement. Then, using technology – such as Attachmate Luminet – agencies should address weaknesses to ensure compliance.</p>
<p>Earlier this month, we noted three actions organizations can take to start securing their information systems. Attachmate makes it easy to mitigate insider threat and privacy issues while becoming compliant with information security policies. Learn more about our enterprise fraud management solution.</p>
<p>-Christine Meyers, senior product marketing manager, Attachmate Luminet</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/government/nist-sp-800-53-update-privacy-and-information-security-go-hand-in-hand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous shreds intelligence firm Stratfor in latest hack</title>
		<link>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/banking/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/</link>
		<comments>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/banking/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/#comments</comments>
		<pubDate>Thu, 29 Dec 2011 00:26:58 +0000</pubDate>
		<dc:creator>Larry Meeusen</dc:creator>
				<category><![CDATA[Banking Fraud]]></category>
		<category><![CDATA[Enterprise Fraud]]></category>
		<category><![CDATA[Insider Threat]]></category>
		<category><![CDATA[Retail Fraud]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Statfor]]></category>

		<guid isPermaLink="false">http://www.attachmate.com/blogs/insider-fraud-spotlight/?p=114</guid>
		<description><![CDATA[Stratfor specializes in &#8220;strategic intelligence on global business, economic, security and geopolitical affairs,&#8221; It appears Stratfor failed to encrypt any of its credit card information, despite promises &#8220;to maintain safeguards to protect the security of these servers and your personally identifiable information,&#8221; according to its privacy policy.” http://www.scmagazine.com/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/article/220781/?DCMP=EMC-SCUS_Newswire I just wonder when will corporations and [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Stratfor specializes in &#8220;strategic intelligence on global business, economic, security and geopolitical affairs,&#8221;</p>
<p>It appears Stratfor failed to encrypt any of its credit card information, despite promises &#8220;to maintain safeguards to protect the security of these servers and your personally identifiable information,&#8221; according to its <a title="privacy policy" href="http://www.databreaches.net/?p=22450">privacy policy</a>.”</p>
<p><a href="http://www.scmagazine.com/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/article/220781/?DCMP=EMC-SCUS_Newswire">http://www.scmagazine.com/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/article/220781/?DCMP=EMC-SCUS_Newswire</a></p>
<p>I just wonder when corporations and their executives will start being held criminally liable for such egregious security blunders. Until then, there is very little reason for many of them to change… just my two pennies. Sales point is that no one is safe and all should at least entertain a conversation with you about your security solutions, right?</p>
<p>Happy New Year.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.attachmate.com/blogs/insider-fraud-spotlight/index.php/banking/anonymous-shreds-intelligence-firm-stratfor-in-latest-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>