
#RSAC

SESSION ID: HUM-W02F

Workplace Violence and IT : Two Sides of the Same Coin?

Michael C. Theis
Assistant Director for Research
CERT Insider Threat Center
Software Engineering Institute
Carnegie Mellon University

Notices

Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0004065

What is the CERT Insider Threat Center?

Center for insider threat expertise

Began working in this area in 2001 with the U.S. Secret Service

Our Mission: The CERT Insider Threat Center conducts empirical research and analysis to develop & transition socio-technical solutions to combat insider threats.

Identify and Analyze Observable Artifacts

Project’s Research Objective & Approach

Objective: Determine if coherent, integrated, and validated indicators for Insider Violence (WPV) and Insider Cyber Sabotage (ICS) can be identified.

Reason: If there are common indicators, it may be possible to develop socio-technical controls that prevent, detect, and help respond to both threats without first identifying which crime will eventually be committed.

Approach: Collect, code, and analyze cases of WPV and compare them to cases of ICS in the CERT Insider Threat Center’s corpus.

WPV & ICS Incident Pathway

Key: WPV, ICS

[Figure: WPV & ICS incident pathway. One layer per stage, from predisposition to hostile act, each with a WPV example and an ICS example]
- Personal Predispositions: Resolving conflict by physical means; Hacker
- Stressors: Perceived harassment by coworkers; Lack of resources to do well
- Concerning Behaviors: Verbal threats to cause physical harm; Visiting internet underground
- Problematic Organizational Responses: Loss/Suspension of Rights and Privileges; Demotion without changing access
- Hostile Act: Active shooter; Execution of malicious code

CERT, 2006

Hypothesis: Common Path Before Divergence

Multiple Approaches for Coding and Analysis

- Measurement of Cyber and Physical Aggression
  - Five point scale vs seven point scale
  - Used operational definitions from Buss & Parrot as foundation
- Coding of concerning behaviors by time periods
- Coding of observable stressors
  - Originally categorized as either personal or professional
  - Refined into six categories: Personal, Relationship, Financial, Mental Health, Work, and Work Relationships

Aggregation of Stressors

[Pie chart: Stressors across all cases, by category (Personal, Work, Financial, Relationship, Mental Health, Work Relationship); slice values as extracted: 16%, 19%, 10%, 7%, 9%, 39%; the slice-to-category assignment is not recoverable from the extracted text]

Stressors by ICS & WPV

[Two pie charts: Stressors for ICS and Stressors for WPV, each by category (Personal, Work, Financial, Relationship, Mental Health, Work Relationship); slice values as extracted: 12%, 12%, 21%, 31%, 13%, 8%, 0%, 1%, 5%, 51%, 10%, 36%; the assignment of slices to chart and category is not recoverable from the extracted text]

Distinguishing the WPV and ICS Pathways

Next Steps for CERT

- Produce a causal loop diagram for workplace violence
- Compare the models for overlap
- Develop candidate controls that can apply to both WPV & ICS
- Develop training for the new controls
- Identify effective data points and the data sources for accurately measuring work stressors and work relationship stressors
- Update the mitigation best practices (future version of CERT’s Common Sense Guide to Mitigating Insider Threats)

ICS Causal Loop Diagram

CERT Common Sense Guide Edition 5
http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=484738

1 - Know and protect your critical assets.
2 - Develop a formalized insider threat program. *
3 - Clearly document and consistently enforce policies and controls.
4 - Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. *
5 - Anticipate and manage negative issues in the work environment. *
6 - Consider threats from insiders and business partners in enterprise-wide risk assessments.
7 - Be especially vigilant regarding social media.
8 - Structure management and tasks to minimize unintentional insider stress and mistakes.
9 - Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. *
10 - Implement strict password and account management policies and practices.
11 - Institute stringent access controls and monitoring policies on privileged users.
12 - Deploy solutions for monitoring employee actions and correlating information from multiple data sources. *
13 - Monitor and control remote access from all endpoints, including mobile devices.
14 - Establish a baseline of normal behavior for both networks and employees. *
15 - Enforce separation of duties and least privilege.
16 - Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
17 - Institutionalize system change controls.
18 - Implement secure backup and recovery processes.
19 - Close the doors to unauthorized data exfiltration.
20 - Develop a comprehensive employee termination procedure. *

* Best practices from edition 5 that can be equally applied to ICS and WPV

Quick Wins and High Impacts

30 Day Goals
- Establish a formalized Insider Threat Program
- Look for the common predispositions during the hiring process
- Incorporate insider threat awareness into periodic security training

60 Day Goals
- Identify data sources that can reveal workplace stress and work relationship stress
- Establish a baseline of normal behavior for both networks and employees

Long Term
- Deploy solutions for monitoring employee actions and correlating information from multiple data sources
- Begin collection and analysis of workplace stress indicators and work relationship stress indicators, and then develop stress reduction strategies

The Three Pillars of a Robust Strategy

Accurately Trust

Right-Size Permissions

Effective Monitoring

Point of Contact

Michael C. Theis Assistant Director for Research CERT Insider Threat Center [email protected]

Software Engineering Institute (an FFRDC)
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
http://www.cert.org/insider-threat/

Backup Slides

A Cyber-Physical Scale for Assessing Observables*

* Note: combined cyber-physical observables may be broken down into their constituent components for measurement. See the Reality-Virtuality Continuum for a loosely related construct applied to virtual reality technologies. https://en.wikipedia.org/wiki/Reality%E2%80%93virtuality_continuum

Operational Definitions (from Buss and Parrot)

Aggression – intentional behaviors that can cause significant harm to a victim (person or ) who wishes to avoid the act. (Note: the definition excludes desired harm (sadomasochism, going to the dentist) and unintentional harm (stepping on a foot).)

Direct Aggression – person-to-person interactions (but not necessarily face-to-face) in which the perpetrator is easily identifiable by the victim (e.g., Active: shooting, emailing a threat; Passive: intentionally not writing a letter of recommendation and thereby harming the victim’s application for a new job).

Indirect Aggression – circuitous interactions in which the perpetrator may remain unidentified, possibly to avoid accusation, direct confrontation, and/or counterattack by the victim (e.g., Active: (anonymously) spreading false rumors; Passive (rare): (anonymously) not coming to the defense of someone being criticized).

Active Aggression – an act of commission by the perpetrator, which involves active engagement in harming the victim (e.g., Direct: shooting; Indirect: (anonymously) spreading harmful rumors).

Passive Aggression – an act of omission by the perpetrator, which involves a lack of active responding that causes harm to the victim (e.g., Direct: intentionally not writing a letter of recommendation and thereby harming the victim’s application for a new job; Indirect (rare): (anonymously) not coming to the defense of someone being criticized).

Physical – intentional acts involving personal or interpersonal interaction that does not involve cyber.

Cyber – intentional acts involving interaction with computers, computer networks, or electronic media.

Hasan, – 2009: Concerning Behaviors

Scale columns: -3 = Direct Active Cyber Aggression; -2 = Indirect Active Cyber Aggression; -1 = Passive Cyber (Indirect or Direct); 0 = Center of Scale; +1 = Passive Physical (Indirect or Direct); +2 = Indirect Active Physical Aggression; +3 = Direct Active Physical Aggression. Non-zero = Concerning Behaviors (non-zero), i.e. the count of behaviors coded anywhere other than the center of the scale. Sub-periods break down the last major period.

Major Period   Sub-Period    -3   -2   -1   +1   +2   +3   Non-zero
'92-97                        0    0    0    1    2    0      3
'98-03                        0    0    0    0    1    0      1
'04-09                        2    3    0    1    5    3     14
               '04-05         0    0    0    0    2    0      2
               '06-07         0    0    0    0    2    0      2
               '08-09         2    3    0    1    1    3     10
Major Period Totals           2    3    0    2    8    3     18

Alexis, WNY – 2013: Concerning Behaviors

Same columns as the Hasan table above (-3 to +3 on the cyber-physical scale; Non-zero = Concerning Behaviors (non-zero)); sub-periods break down the last major period.

Major Period   Sub-Period    -3   -2   -1   +1   +2   +3   Non-zero
3/04-3/07                     0    0    0    1    0    2      3
4/07-12/10                    0    0    2    1    0    1      4
1/11-9/13                     0    0    0    1    3    0      4
               2011           0    0    0    0    0    0
               2012           0    0    0    0    0    0
               2013           0    0    0    1    3    0      4
Major Period Totals           0    0    2    3    3    3     11

7-Point Scale Analysis of Results

[Scatter plot: Cyber Aggression (x-axis) vs Physical Aggression (y-axis, 0 to 30) on the 7-point scale, one point per case; key distinguishes WPV and ICS cases; points labeled Hasan, Alexis, Wells, Lopez, ICS1, ICS2, ICS3, ICS4, ICS5]