The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)
- By Dawn M. Cappelli, Andrew P. Moore, Randall F. Trzeciak
- Published Jan 24, 2012 by Addison-Wesley Professional. Part of the SEI Series in Software Engineering series.
- Copyright 2012
- Dimensions: 7" x 9-1/8"
- Pages: 432
- Edition: 1st
- ISBN-10: 0-321-81257-3
- ISBN-13: 978-0-321-81257-5
Register your product to gain access to bonus material or receive a coupon.
Product Author Bios
Dawn M. Cappelli, CISSP, is Technical Manager of the Insider Threat Center and CERT's Enterprise Threat and Vulnerability Management team at Carnegie Mellon's Software Engineering Institute (SEI). She is adjunct professor at Heinz College of Public Policy and Management, and Vice-Chair of CERT's Computer Security Incident Handler Certification Advisory Board. Andrew P. Moore, Sr. Member of Technical Staff at CERT, researched high assurance system development for Naval Research Laboratory. Randall F. Trzeciak, Sr. Member of Technical Staff for SEI's Networked Systems Survivability (NSS) program, serves on a CERT team studying insider threats with the US Secret Service, DOD, and CMU's CyLab.
Since 2001, the CERT® Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute (SEI) has collected and analyzed information about more than seven hundred insider cyber crimes, ranging from national security espionage to theft of trade secrets. The CERT® Guide to Insider Threats describes CERT’s findings in practical terms, offering specific guidance and countermeasures that can be immediately applied by executives, managers, security officers, and operational staff within any private, government, or military organization.
The authors systematically address attacks by all types of malicious insiders, including current and former employees, contractors, business partners, outsourcers, and even cloud-computing vendors. They cover all major types of insider cyber crime: IT sabotage, intellectual property theft, and fraud. For each, they present a crime profile describing how the crime tends to evolve over time, as well as motivations, attack methods, organizational issues, and precursor warnings that could have helped the organization prevent the incident or detect it earlier. Beyond identifying crucial patterns of suspicious behavior, the authors present concrete defensive measures for protecting both systems and data.
This book also conveys the big picture of the insider threat problem over time: the complex interactions and unintended consequences of existing policies, practices, technology, insider mindsets, and organizational culture. Most important, it offers actionable recommendations for the entire organization, from executive management and board members to IT, data owners, HR, and legal departments.
With this book, you will find out how to
- Identify hidden signs of insider IT sabotage, theft of sensitive information, and fraud
- Recognize insider threats throughout the software development life cycle
- Use advanced threat controls to resist attacks by both technical and nontechnical insiders
- Increase the effectiveness of existing technical security tools by enhancing rules, configurations, and associated business processes
- Prepare for unusual insider attacks, including attacks linked to organized crime or the Internet underground
By implementing this book’s security practices, you will be incorporating protection mechanisms designed to resist the vast majority of malicious insider attacks.
6 of 7 people found the following review helpful
Definitive resource on insider threats,
This review is from: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) (Hardcover)While Julius Caesar likely never said "Et tu, Brute?" the saying associated with his final minutes has come to symbolize the ultimate insider betrayal.
In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats. There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them.
The book is based on work done at the CERT Insider Threat Center, which has been researching this topic for the last decade. The data the threat center has access to is unparalleled, which in turn makes this the definitive book on the topic. The threat center has investigated nearly 1,000 incidents and their data sets on the... Read more
6 of 8 people found the following review helpful
A very very important topic for all those in IT,
This review is from: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) (Hardcover)Working as a Software Architect one of the main concerns we always have is Security. At an application level that can usually be easily implemented if you are up to speed with the latest industry standards and best practices for the technology you are working in.
Working as an Enterprise Architect, security becomes a much broader subject. Insider threats become part of the picture and there is no cookie cutter solution for them. I have seen plenty of potential issues thwarted, and over the years working as a consultant I have witnessed plenty of successful insider attacks.
One of my first experiences with insider threat was when I was still in the engineering field. We used an email product called Pega eMail. A few of us discovered that no password was required to log into another person's email if it was done in a certain way. We would do goofy stuff like rename each other's folders to stupid names. We got bored with it in about a day and forgot about it. As... Read more
2 of 3 people found the following review helpful
Timely and Pertinent,
This review is from: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering) (Hardcover)The CERT Insider Threat Research center [...] has done a fantastic job of presenting relevant material with this book.
When I started reading the case studies, I had a hard time putting the book down. This is far from dry reading. I think it is great foundational reading for anyone who works in IT - new or seasoned. The threat landscape is an ever-changing landscape. I enjoyed reading the case studies and examples. Putting the reader in the shoes of the person committing the crime provides unique perspective that will help the reader identify and head off attacks.
The CERT Insider Threat Center has a very informative on its website (above). You can learn a lot by persuing the site. I like having the book as it puts everyting in a format I can take with me and the chapter layout makes sense.
Regardless of data classification, every company is at risk of sabotage or other threats, and I feel this book addressed the topics well.
› See all 8 customer reviews...
Online Sample Chapter
Table of Contents
Chapter 1: Overview 1
True Stories of Insider Attacks 3
The Expanding Complexity of Insider Threats 6
Breakdown of Cases in the Insider Threat Database 7
CERT’s MERIT Models of Insider Threats 9
Overview of the CERT Insider Threat Center 13
Timeline of the CERT Program’s Insider Threat Work. 16
Caveats about Our Work 20
Chapter 2: Insider IT Sabotage 23
General Patterns in Insider IT Sabotage Crimes 28
Mitigation Strategies 46
Chapter 3: Insider Theft of Intellectual Property 61
General Patterns in Insider Theft of Intellectual Property Crimes 68
The Entitled Independent 69
The Ambitious Leader 78
Theft of IP inside the United States Involving Foreign Governments or Organizations 83
Mitigation Strategies for All Theft of Intellectual Property Cases 88
Mitigation Strategies: Final Thoughts 97
Chapter 4: Insider Fraud 101
General Patterns in Insider Fraud Crimes 106
Insider Fraud Involving Organized Crime 115
Organizational Issues of Concern and Potential Countermeasures 120
Mitigation Strategies: Final Thoughts 126
Chapter 5: Insider Threat Issues in the Software Development Life Cycle 129
Requirements and System Design Oversights 131
System Implementation, Deployment, and Maintenance Issues 136
Programming Techniques Used As an Insider Attack Tool 139
Mitigation Strategies 142
Chapter 6: Best Practices for the Prevention and Detection of Insider Threats 145
Summary of Practices 146
Practice 1: Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments 151
Practice 2: Clearly Document and Consistently Enforce Policies and Controls 155
Practice 3: Institute Periodic Security Awareness Training for All Employees 159
Practice 4: Monitor and Respond to Suspicious or Disruptive Behavior, Beginning with the Hiring Process 164
Practice 5: Anticipate and Manage Negative Workplace Issues 168
Practice 6: Track and Secure the Physical Environment 171
Practice 7: Implement Strict Password- and Account-Management Policies and Practices 174
Practice 8: Enforce Separation of Duties and Least Privilege 178
Practice 9: Consider Insider Threats in the Software Development Life Cycle 182
Practice 10: Use Extra Caution with System Administrators and Technical or Privileged Users 187
Practice 11: Implement System Change Controls 191
Practice 12: Log, Monitor, and Audit Employee Online Actions 195
Practice 13: Use Layered Defense against Remote Attacks 200
Practice 14: Deactivate Computer Access Following Termination 203
Practice 15: Implement Secure Backup and Recovery Processes 207
Practice 16: Develop an Insider Incident Response Plan 211
References/Sources of Best Practices 214
Chapter 7: Technical Insider Threat Controls 215
Infrastructure of the Lab 217
Demonstrational Videos 218
High-Priority Mitigation Strategies 219
Control 1: Use of Snort to Detect Exfiltration of Credentials Using IRC 220
Control 2: Use of SiLK to Detect Exfiltration of Data Using VPN 221
Control 3: Use of a SIEM Signature to Detect Potential Precursors to Insider IT Sabotage 223
Control 4: Use of Centralized Logging to Detect Data Exfiltration during an Insider’s Last Days of Employment 231
Insider Threat Exercises 239
Chapter 8: Case Examples 241
Sabotage Cases 241
Sabotage/Fraud Cases 256
Theft of IP Cases 258
Fraud Cases 262
Miscellaneous Cases 269
Chapter 9: Conclusion and Miscellaneous Issues 275
Insider Threat from Trusted Business Partners 275
Malicious Insiders with Ties to the Internet Underground 286
Final Summary 293
Appendix A: Insider Threat Center Products and Services 299
Appendix B: Deeper Dive into the Data 307
Appendix C: CyberSecurity Watch Survey 319
Appendix D: Insider Threat Database Structure 325
Appendix E: Insider Threat Training Simulation: MERIT InterActive 333
Appendix F: System Dynamics Background 345
Glossary of Terms 351
About the Authors 365
Download the sample pages (includes Chapter 3 and Index)
Book + eBook Bundle
Book Price $39.99
eBook Price $14.00
eBook formats included
This book includes free shipping!
This book includes free shipping!
Includes EPUB, MOBI, and PDF
About eBook Formats
This eBook includes the following formats, accessible from your Account page after purchase:
EPUBThe open industry format known for its reflowable content and usability on supported mobile devices.
MOBIThe eBook format compatible with the Amazon Kindle and Amazon Kindle applications.
PDFThe popular standard, used most often with the free Adobe® Reader® software.
This eBook requires no passwords or activation to read. We customize your eBook by discretely watermarking it with your name, making it uniquely yours.
Get access to thousands of books and training videos about technology, professional development and digital media from more than 40 leading publishers, including Addison-Wesley, Prentice Hall, Cisco Press, IBM Press, O'Reilly Media, Wrox, Apress, and many more. If you continue your subscription after your 30-day trial, you can receive 30% off a monthly subscription to the Safari Library for up to 12 months. That's a total savings of $199.