Cyber Warriors: A Frank Discussion at FedSMC – Part II

April 13, 2011

How real – or imagined – are the risks associated with these new technologies?

During the second portion of eIQ’s information security panel at FedSMC this week, our panelists – including Theresa Payton (former CIO of the White House), Dr. Ron Ross (Senior Computer Scientist at NIST), and Vernon Bettencourt (former CIO of the U.S. Army G-6) – discussed some of the key problems that insider threats pose to federal agencies.

While it’s clear that regulations, best practices and standards build a good framework for selecting security controls (within the context of a risk-based framework, of course), the fact is that some insider threats, such as the infamous Wikileaks issue, are not so easy to detect. Why? Because in a Wikileaks-style data exfiltration the attacker usually breaks no technical security control at all. They have access to the data, and they are supposed to have that access in order to do their jobs, but they abuse that privilege by copying the data and exfiltrating it via e-mail, IM, removable media, or other channels. This is a problem for agencies that have built their security monitoring around traditional, alert-based systems such as a SIEM, whose rules fire on violations of security controls: failed logons, or unauthorized attempts to access data. Against this kind of abuse, monitoring that only alerts on control violations is blind, because no control is being violated. What the logs do still record is the volume and pattern of authorized access and where the data goes next, and that is where detection has to look.
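To make the blind spot concrete, here is an added example (not code from the panel or from eIQ) that runs two kinds of detection over constructed audit-log lines: a conventional control-violation rule, which only sees DENIED events, and a per-user volume baseline that flags a day whose read volume far exceeds that user's own history, plus a check for writes to a removable-media mount point. The log format, the user names, the `/media/usb0` mount path and the 3-sigma threshold are all assumptions made for the example.

```python
"""Behavioural detection of privileged-user exfiltration over constructed audit logs.

Constructed sample data: one line per event, fields are
    date user action object bytes
None of this is real agency data; it is built to show an authorised user
(alice) whose reads stay normal for four days and then spike before a
write to removable media, which no control-violation rule ever sees.
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_LOG = """\
2011-04-04 alice READ reports/q1.pdf 3000
2011-04-04 alice READ reports/q2.pdf 2000
2011-04-04 bob   READ cables/eu.pdf 8000
2011-04-05 alice READ reports/q3.pdf 4000
2011-04-05 alice READ reports/q4.pdf 1500
2011-04-05 bob   READ cables/asia.pdf 7000
2011-04-06 alice READ memos/a.doc 2500
2011-04-06 alice READ memos/b.doc 2000
2011-04-06 bob   READ cables/me.pdf 9000
2011-04-06 carol READ cables/me.pdf 0
2011-04-06 carol DENIED cables/me.pdf 0
2011-04-07 alice READ memos/c.doc 3500
2011-04-07 alice READ memos/d.doc 1500
2011-04-07 bob   READ cables/af.pdf 8000
2011-04-08 alice READ cables/archive1.pdf 900000
2011-04-08 alice READ cables/archive2.pdf 750000
2011-04-08 alice READ cables/archive3.pdf 600000
2011-04-08 alice WRITE /media/usb0/archive.zip 2250000
2011-04-08 bob   READ cables/sa.pdf 8500
"""

# Assumed mount prefixes that indicate removable media on the monitored hosts.
REMOVABLE_PREFIXES = ("/media/usb", "/Volumes/", "E:\\", "F:\\")


def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, user, action, obj, nbytes = line.split()
        events.append({"date": date, "user": user, "action": action,
                       "object": obj, "bytes": int(nbytes)})
    return events


def control_violations(events):
    """The classic SIEM rule: alert on explicit control violations only."""
    return [e for e in events if e["action"] == "DENIED"]


def daily_read_volume(events):
    """Bytes read per user per day, the raw material for a behavioural baseline."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "READ":
            vol[e["user"]][e["date"]] += e["bytes"]
    return vol


def flag_volume_anomalies(events, sigma=3.0, min_history=3):
    """Flag a day whose read volume exceeds mean + sigma*stdev of that user's
    earlier days. The spread is floored at 10% of the mean so a user with
    perfectly regular history does not trip on trivial variation."""
    flags = []
    for user, days in daily_read_volume(events).items():
        dates = sorted(days)
        for i, day in enumerate(dates):
            history = [days[d] for d in dates[:i]]
            if len(history) < min_history:
                continue  # not enough of the user's own past to baseline against
            mu = mean(history)
            spread = max(pstdev(history), 0.1 * mu)
            threshold = mu + sigma * spread
            if days[day] > threshold:
                flags.append((user, day, days[day], round(threshold)))
    return flags


def removable_media_writes(events):
    """Authorised WRITE events whose destination looks like removable media."""
    return [(e["user"], e["date"], e["object"], e["bytes"])
            for e in events
            if e["action"] == "WRITE" and e["object"].startswith(REMOVABLE_PREFIXES)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("control violations:", [(e["user"], e["date"]) for e in control_violations(evs)])
    print("volume anomalies:  ", flag_volume_anomalies(evs))
    print("removable writes:  ", removable_media_writes(evs))
```

Run as-is, the control-violation rule reports only carol's denied access and says nothing about alice, while the baseline flags alice on 2011-04-08 (2,250,000 bytes against a threshold of about 6,500) and the removable-media check shows where the data went. In production the baseline would come from weeks of history rather than four days, and the thresholds would be tuned per role, but the structure is the point: detection of privilege abuse has to be keyed to what normal authorised activity looks like, not to the absence of a control violation.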

So, how real and pervasive is this problem? According to Dr. Ross, NIST’s estimate is that there’s about a 3:1 ratio between external and internal threats in the federal space. Even if those numbers are off by a factor of two, it’s clear that insider threats, both intentional ones (malicious, Wikileaks-style attacks and abuse of privilege) and accidental, unintentional exfiltrations caused by phishing, social engineering, and other attacks, are a significant problem for federal agencies. Something needs to be done, and soon, before the next public disclosure of private data occurs.

Next Up: What federal agencies can do to mitigate accidental and intentional threats
