Common Sense Guide to Prevention and Detection of Insider Threats 3rd Edition – Version 3.1
January 2009 • White Paper
Dawn Cappelli, Andrew P. Moore, Randall F. Trzeciak, Timothy J. Shimeall
In this paper, the authors present findings from examining insider crimes in a new way and add new practices that were not present in the second edition.
Software Engineering Institute
In 2005, the first version of the Common Sense Guide to Prevention and Detection of Insider Threats was published by Carnegie Mellon University's CyLab. The document was based on the insider threat research performed by CERT, primarily the Insider Threat Study conducted jointly with the U.S. Secret Service. It contained a description of twelve practices that would have been effective in preventing or detecting malicious insider activity in 150 actual cases collected as part of the study. The 150 cases occurred in critical infrastructure sectors in the U.S. between 1996 and 2002.
A second edition of the guide was released in July of 2006. The second edition included a new type of analysis – by type of malicious insider activity. It also included a new section that presented a high-level picture of different types of insider threats: fraud, theft of confidential or proprietary information, and sabotage. In addition, it contained new and updated practices based on new CERT insider threat research funded by Carnegie Mellon CyLab and the U.S. Department of Defense Personnel Security Research Center. Those projects involved a new type of analysis of the insider threat problem focused on determining high-level patterns and trends in the cases. Specifically, those projects examined the complex interactions, relative degree of risk, and unintended consequences of policies, practices, technology, insider psychological issues, and organizational culture over time.
This third edition of the Common Sense Guide once again reflects new insights from ongoing research at CERT. CyLab has funded the CERT Insider Threat Team to collect and analyze new insider threat cases on an ongoing basis. The purpose of this ongoing effort is to maintain a current state of awareness of the methods being used by insiders to commit their attacks, as well as new organizational issues influencing them to attack. This version of the guide includes new and updated practices based on an analysis of approximately 100 recent insider threat cases that occurred from 2003 to 2007 in the U.S.
In this edition of the guide, CERT researchers also present new findings derived from looking at insider crimes in a new way. These findings are based on CERT’s analysis of 118 theft and fraud cases, which revealed a surprising result. The intent of the research was to analyze cases of insider theft and insider fraud to identify patterns of insider behavior, organizational events or conditions, and technical issues across the cases. The patterns identified separated the crimes into two classes that differed from those originally expected:
- Theft or modification of information for financial gain – This class includes cases where insiders used their access to organization systems either to steal information that they sold to outsiders, or to modify information for financial gain for themselves or others.
- Theft of information for business advantage – This class includes cases where insiders used their access to organization systems to obtain information that they used for their own personal business advantage, such as obtaining a new job or starting their own business.
It is important that organizations recognize the differences in the types of employees who commit each type of crime, as well as how each type of incident evolves over time: theft or modification for financial gain, theft for business advantage, IT sabotage, and miscellaneous (incidents that do not fall into any of the three above categories). This version of the guide presents patterns and trends observed in each type of malicious activity. There have been minor updates to the IT sabotage information in this guide; however, the most significant enhancements in this edition were made to the theft and modification sections.
Some new practices were added in this edition that did not exist in the second edition. In addition, every practice from the second edition has been modified—some significantly, others to a lesser degree—to reflect new insights from the past year’s research at CERT. Case examples from the second edition were retained in this edition for the benefit of new readers. However, a Recent Findings section was included for all updated practices. It details recent cases that highlight new issues not covered in the previous edition of this guide.