CMU Team Tries To Fight Cyber Threats From The Inside Out

Mar 7, 2017

With the recent indictment of former National Security Agency employee Harold Martin for allegedly stealing 50 terabytes of top-secret NSA reports, the world of cyber security is once again turning its attention to inside threats. 

However, experts at Carnegie Mellon University have been trying to fight insider threats for more than a decade.

Every few years, the Computer Emergency Response Team, or CERT, at CMU updates its report titled “The Common Sense Guide to Mitigating Insider Threats.” Technical director of the Insider Threat Center at CERT, Randy Trzeciak, said the team has recorded 1,300 incidents.  

“From that we try to analyze and develop the risk indicators, which are either technical risk indicators or behavioral risk indicators of an individual that may be doing something to cause harm to organizations,” Trzeciak said.

The CERT Report focuses in on 20 key areas

Trzeciak is one of the lead authors on the recently released fifth edition of the guide. He said some of the investigations are launched following media reports of breaches. At other times, the FBI and other law enforcement agencies tip off the center.

Threats look very different depending on the type of business being hacked, Trzeciak said. While banks might worry about money being stolen, hospitals need to keep an eye on personal data and a tech company could lose its intellectual property.

Technical solutions help protect the data, but Trzeciak said they only watch the files, not the people.

“We found with the insider threat research that we’ve done, that there’s a significant amount of behavioral information that may be available well before the technical aspects of the incident tend to be available to organizations,” he said. “You know, what would motivate someone to steal their intellectual property.”

For that reason, CERT consults with psychologists as it investigates insider incidents. Trzeciak said 70 percent of all internal data theft occurs within 30 days of an employee announcing they are leaving a company.

But not all internal threats are nefarious. This edition is the first to include guidance on unintentional threats.

“Those could be in the form of someone who unintentionally sends information through email,” Trzeciak said. “(They) didn’t intend to send it outside the network but the email address went outside the organization. Someone who gets that spear phishing email and downloads or clicks on the attachment. They don’t intend to cause harm but there is still impact to the organization.”

Getting a firm handle on the economic impact of insider threats is difficult because many crimes go unreported, Trzeciak said. However, published reports put the number near $40 billion a year in the U.S.

CERT recommends companies train employees to mitigate internal threats and that individuals from upper management, human resources and legal join with the IT department in creating a policy.

Greg Porter, founder of the information security consulting firm Allegheny Digital, said it’s not unusual for companies of all sizes to build threat mitigation plans without even considering threats from insiders.

Knowing when a company needs an insider threat detection system is less about the size of the company and more about what the business does, Porter said.

“What data are you storing, processing or transmitting?” he said. “Are there sensitivities around the organizations that you’re working with?”

Porter said the answers to those questions can help companies determine guidelines.

Porter said the CERT report is a great place to start the conversation. It’s purposely written in a way that non-IT professionals can understand. 

Trzeciak said, despite the CERT findings, companies shouldn’t assume they can’t trust their employees.

“Can (internal losses) be 100 percent prevented? That’s debatable, but early detection would minimize the impact to organizations,” Trzeciak said.

The team at CMU has already started gathering new case studies to prepare for the sixth edition sometime in the future.

In this week’s Tech Headlines:

  • A University of Pittsburgh-led team of engineers and surgeons has been awarded a $2.35 million NIH grant to develop a wearable artificial lung for children. The devices would be used while a child waits for a transplant. Other devices used as a bridge between lung failure and a transplant require the child to be linked to an immovable device. If successful, it would allow the child to continue to be mobile, which, according to the researchers, could lead to better post-transplant outcomes. William J. Federspiel, professor in the Swanson School’s Department of Bioengineering, will serve as the Program Director and Principal Investigator.
  • Uber is using technology to thwart authorities who have tried to fine or shut down its ride-hailing service. Unlike Pittsburgh, many cities and states do not allow the ride-sharing drivers to legally operate within their borders. The company acknowledged that it identified undercover government agents and then, using a fake version of its app, canceled rides. The company said it uses a similar system to identify riders who want to harm the drivers or competitors looking to disrupt.

The Associated Press contributed to this report. 
