IS‐0915: Protecting Critical Infrastructure Against Insider Threats FEMA Training - liabilityissue/Information-Assurance GitHub Wiki
DISCLAIMER THIS INFORMATION CAME DIRECTLY FROM THE FEMA WEBSITE FOR THE CONTINUITY TRAINING. IT HAS BEEN EDITED TO AN EXTENT
Insider Threat Definition
- “The insider threat to critical infrastructure is one or more individuals with the access or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
- A person who takes advantage of access or inside knowledge in such a manner commonly is referred to as a “malicious insider.”
The Scope of Insider Threats
- Physical or information-technology sabotage: Modification or damage to an organization’s facilities, property, assets, inventory, or systems with the purpose of harming or threatening harm to an individual, the organization, or the organization’s operations
- Theft of intellectual property: Removal or transfer of an organization’s intellectual property outside the organization through physical or electronic means (also known as economic espionage)
- Theft or economic fraud: Acquisition of an organization’s financial or other assets through theft or fraud
- National security espionage: Obtaining information or assets with a potential impact on national security through clandestine activities
Threats to Critical Infrastructure Sectors
- Insider threats to critical infrastructure can occur over many years and have devastating consequences.
- Malicious insider incidents have occurred throughout the critical infrastructure sectors.
Protecting Your Intellectual Property
- The theft of intellectual property is an increasing threat to organizations, and can go unnoticed for months or even years.
- Intellectual property theft can seriously compromise our ability to protect ourselves from outside attack, as shown in the examples that follow.
Common Characteristics and Traits
- Obviously unhappy or extremely resentful.
- Having financial, performance, or behavioral problems.
- At risk (or perceived to be) for layoff or termination.
- Not all malicious insiders fit this characterization. Insiders involved in national security espionage, for example, may exhibit few outward signs. In the majority of cases, however, management and/or human resources personnel were well aware of the employees and their issues prior to an incident.
Insider Activities and Behavior
- Insider threats may be detected through particular activities and behavior on the part of the insider. This portion of the course identifies those indicators. These activities and behaviors often will appear unusual or suspicious.
- Keep in mind there may be several explanations for a particular activity or behavior identified here, but when combined with other factors, certain activity or behavior points toward a possible insider threat. A combination or confluence of indicators should not be ignored.
What Managers Can Do: Employee Actions
- Using appropriate screening processes to select new employees.
- Educating employees about security or other protocols.
- Encouraging and providing non-threatening, convenient ways for employees to report suspicions in a confidential manner.
- Becoming familiar with behavior and activities associated with malicious insiders.
- Documenting and evaluating incidents of suspicious or disruptive behavior.
- Ensuring that both physical and cyber access is immediately shut down for employees who leave the organization.
- Clearly communicating and consistently enforcing security policies and controls.
- Ensuring that proprietary information and materials are adequately, if not robustly, protected.
- Routinely monitoring computer networks for suspicious activity.
- Ensuring security (to include computer network security) personnel have the tools they need.
- Consulting with legal and law enforcement experts as needed to ensure compliance with the law.
Security and Vigilance
- Be familiar with and follow your organization’s security policies and procedures, including those related to information security.
- Protect information and resources entrusted to you by your organization.
- Be vigilant for anything unusual at the workplace that could threaten the organization.
- Refrain from confronting a potential malicious insider directly unless you are a trained security professional.
Reporting
- Be aware of the options available within the organization for reporting suspicious behaviors and activities, such as reporting confidentially and/or anonymously.
- Report the activities and behaviors that might indicate a possible insider threat to the appropriate personnel, such as supervisors, security, or human resources/capital personnel.
- Focus on reporting evidence of possible insider threats and avoid speculation about the guilt of the possible insider.
- When feasible, and where personal risk is not a factor, provide contact information to allow the appropriate personnel to follow up on your report.
Unauthorized Access
- Unauthorized access to locations, materials, or information may include the following:
  - Without need or authorization, taking proprietary or other material home.
  - Inappropriately seeking or obtaining:
    - Access to unauthorized locations or restricted areas. These locations can be both physical locations and cyber locations.
    - Proprietary or restricted information on subjects not related to work duties.
  - Unnecessarily copying material, especially if it is proprietary or restricted.
Examples of Unauthorized Access
- Asking to “borrow” or taking another employee’s badge.
- Trying to “piggyback” by following another individual through access doors.
- Logging on to a computer using a co-worker’s password or credentials.
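The manager actions above (shutting down cyber access immediately when an employee leaves, and routinely monitoring networks for suspicious activity) and the last example of unauthorized access (logging on with a co-worker's credentials) can both be checked from ordinary logon records. The following is an added example, not part of the FEMA course or this wiki: a small Python review script that flags two indicators over constructed logon lines. The log format, the account names, the host names, the separation date and the host-to-user assignment are all assumptions made up for the example.

```python
"""
Added example (not FEMA or wiki material): review constructed logon records for
two insider-threat indicators named in the course summary:
  1. a logon by an account whose owner has already separated from the
     organization (access that should have been shut down on departure), and
  2. an account logging on from a workstation assigned to a different employee
     (consistent with "logging on using a co-worker's credentials").
Every value below (names, hosts, dates, log format) is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    host: str


# Constructed HR roster: account -> date the employee left the organization.
SEPARATED = {"jdoe": date(2024, 3, 1)}

# Constructed asset assignment: workstation -> the employee it is issued to.
ASSIGNED_HOST = {"WS-101": "asmith", "WS-102": "bjones", "WS-103": "jdoe"}

# Constructed sample log; assumed line format is
# "<ISO timestamp> LOGON user=<account> host=<hostname>".
SAMPLE_LOG = [
    "2024-02-20T09:00:00 LOGON user=asmith host=WS-101",
    "2024-02-25T10:00:00 LOGON user=jdoe host=WS-103",
    "2024-03-04T08:02:11 LOGON user=jdoe host=WS-103",
    "2024-03-05T18:40:00 LOGON user=bjones host=WS-101",
]


def parse_logon(line):
    """Parse one constructed log line into a LogonEvent."""
    ts, _kind, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return LogonEvent(datetime.fromisoformat(ts), fields["user"], fields["host"])


def review(lines):
    """Return (indicator, user, host) tuples for every line that matches an indicator."""
    findings = []
    for line in lines:
        ev = parse_logon(line)

        # Indicator 1: the account belongs to someone who has left, and the logon
        # is on or after the separation date, so the account was not disabled in time.
        separated_on = SEPARATED.get(ev.user)
        if separated_on is not None and ev.when.date() >= separated_on:
            findings.append(("departed-account-logon", ev.user, ev.host))

        # Indicator 2: the account is used on a workstation issued to another
        # employee. This has benign explanations (hot-desking, helpdesk work), so
        # as the course notes it is a lead to follow up, not proof of anything.
        owner = ASSIGNED_HOST.get(ev.host)
        if owner is not None and owner != ev.user:
            findings.append(("logon-from-anothers-host", ev.user, ev.host))
    return findings


def sample_findings():
    """Run the review over the constructed sample log."""
    return review(SAMPLE_LOG)


if __name__ == "__main__":
    for indicator, user, host in sample_findings():
        print(f"{indicator}: user={user} host={host}")
```

Run as a script, it reports the departed account `jdoe` still logging on after its separation date and `bjones` logging on from the workstation issued to `asmith`; the earlier, pre-separation `jdoe` logon and the normal `asmith` logon produce nothing. In a real environment the roster and asset assignment would come from HR and asset-management systems rather than inline dictionaries, and each finding would go to the reporting channel the course describes rather than to a direct confrontation.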