Cybersecurity and fighting the insider-threat

Friday - 7/30/2010, 11:00am EDT

Cybersecurity Discussion Part 1: The Biggest Insider Threats

Cybersecurity Discussion Part 2: Best Practices for Preventing Insider Threats

Cybersecurity Discussion Part 3: Authentication Issues

Cybersecurity Discussion Part 4: FISMA Issues

Cybersecurity Discussion Part 5: Roadmap

By Suzanne Kubota
Senior Internet Editor

When you think of protecting your computer systems, how often do you think of insiders -- you know, like the person sitting in the office next to you? Or maybe that disgruntled worker you had to let go? And if there is a threat, what's the best way to stop it?

We're trying to answer those questions in a Federal News Radio Discussion: Meeting Mission Goals Through Technology.

Joining us for the discussion were Jerry Davis, the chief information security officer for NASA; Elaine Newton, Identity Management Systems Program Manager at the National Institute of Standards and Technology; and Bobbie Stempfley, Director, National Cybersecurity Division at Homeland Security.

Here are some of the topics, questions and excerpts from the responses of the panel:

Part 1: The Biggest Insider Threats

    Davis: At NASA, said Davis, the threats seem to have leveled off to "kind of 50/50" between insider and outsider. He stressed the insider threat he sees most often is not a "malicious insider threat, but really a non-intentional type person" who clicks on things they shouldn't, which he said "comes down to training." Increased awareness should be focused on training "to alleviate or mitigate that risk".

    Stempfley: Expanding on Davis' point, Stempfley emphasized training should be a "multifaceted approach," saying "it has to involve things like training of end users," "technology components that will help offset any particular area", and "procedures and mechanisms and overall user awareness."

    Newton: Beyond training, Newton stressed the importance of authentication of identity and of privileges.

Part 2: Best Practices for Preventing Insider Threats

    Stempfley: DHS, said Stempfley, has expanded beyond online training to a more "experiential" mode. "So you have to give the users an example of what it might look like and how they might be able to recognize it in practice because the environment changes rapidly." Best practices, said Stempfley, include "monitoring your environment, managing your edge devices, managing your infrastructure, asset understanding and awareness. We talked about standards for configuration baselines - all of that, as well as perimeter defenses and other mechanisms as well." With those in place, said Stempfley, "then, in any particular situation you can make a decision to either turn something on or turn something off."

    Davis: "It comes down to a risk-based decision," said Davis to determine the level of security. He suggests monitoring outbound data traffic in addition to inbound. "Somebody may be shipping something" out of the agency. Most importantly, said Davis, "at the end of the day there has to be some level of trust with your people because we're not in a zero defect environment. You are going to lose data at some point."

Part 3: Authentication Issues

    Newton: NIST Special Publication 800-63, said Newton, "lays out different levels of risk for doing authentication" requiring different levels of assurance "that somebody is who they claim to be." Most users are familiar with usernames and passwords, but said Newton, "that's not necessarily commensurate with the risk that you're taking online." People doing online banking would probably like to have more assurance that their personal information is secure. NIST, said Newton, would like to advance that kind of technology, especially in the private sector and consumer services.

    Stempfley: To accomplish that, Stempfley mentioned the "just completed interagency process for the National Strategy for Trusted Identities in Cyberspace," which includes a focus on online transactions. "So how do we know people are who they say they are and that the transaction is occurring in the way that is supposed to be occurring to the end that we want."

    Davis: To get implementation started, Davis said infrastructure and interoperability have to be considered. For example, if you're going to use a PIV card to log onto a desktop, "you also want to be able to log in, at the same time" to multiple applications that you may have access to. So while the user is being authenticated, the system would also be determining the user's level of access to everything, including timecards that may be on a legacy system.

    Newton: If you'd like to learn more about what "colleagues and other agencies are doing, there is an event that's being sponsored through a subcommittee of the CIO council," called ICAM Information Sharing Day. Registration is required in advance by August 2nd.

Part 4: FISMA Issues