May 14
By Randy Trzeciak
Senior Member of the Technical Staff
The CERT Program
According to the 2011 CyberSecurity Watch Survey, approximately 21 percent of cyber crimes against organizations are committed by insiders. Of the 607 organizations participating in the survey, 46 percent stated that the damage caused by insiders was more significant than the damage caused by outsiders. Over the past 11 years, researchers at the CERT Insider Threat Center have documented incidents related to malicious insider activity. Their sources include media reports, the courts, the United States Secret Service, victim organizations, and interviews with convicted felons. From these cases, CERT researchers have identified four models of insider threat behavior: (1) information technology (IT) sabotage, (2) fraud, (3) national security/espionage, and (4) theft of intellectual property (IP). Using those patterns, our researchers have developed network monitoring controls that combine technological tools with behavioral indicators to warn network traffic analysts of potential malicious behavior. While these controls do not necessarily identify ongoing cyber crimes, they may identify behaviors of at-risk insiders that an organization should consider for further investigation. This blog posting, the second in a series highlighting controls developed by the CERT Insider Threat Center, explores controls developed to prevent, identify, or detect IT sabotage.
Apr 23
By Randy Trzeciak,
Senior Member of the Technical Staff
The CERT Program
According to the 2011 CyberSecurity Watch Survey, approximately 21 percent of cyber crimes against organizations are committed by insiders. Of the 607 organizations participating in the survey, 46 percent stated that the damage caused by insiders was more significant than the damage caused by outsiders. Over the past 11 years, CERT Insider Threat researchers have collected incidents related to malicious activity by insiders obtained from a number of sources, including media reports, the courts, the United States Secret Service, victim organizations, and interviews with convicted felons. From these cases, four patterns of insider threat behavior have been identified: (1) information technology (IT) sabotage, (2) fraud, (3) national security/espionage, and (4) theft of intellectual property (IP). From those patterns, our researchers developed controls that combine technological tools with behavioral indicators to identify employees at risk for committing cyber crimes. These tools and indicators provide those who monitor networks a better warning of potential anomalous behavior. This blog posting—the first in a series highlighting controls developed by the CERT Insider Threat Center—explores controls developed to prevent, identify, or detect IP theft.
Jan 9
By Will Casey
Senior Researcher
CERT
Through our work in cyber security, we have amassed millions of pieces of malicious software in a large malware database called the CERT Artifact Catalog. Analyzing this code manually for potential similarities and to identify malware provenance is a painstaking process. This blog post follows up our earlier post to explore how to create effective and efficient tools that analysts can use to identify malware.
Oct 24
By David French,
CERT Senior Researcher
Malware, which is short for “malicious software,” is a growing problem for government and commercial organizations since it disrupts or denies important operations, gathers private information without consent, gains unauthorized access to system resources, and engages in other inappropriate behaviors. A previous blog post described the use of “fuzzy hashing” to determine whether two files suspected of being malware are similar, which helps analysts potentially save time by identifying opportunities to leverage previous analysis of malware when confronted with a new attack. This posting continues our coverage of fuzzy hashing by discussing the types of malware against which similarity measures of any kind (including fuzzy hashing) may be applied.
Oct 17
By Julia Allen,
Principal Researcher
CERT Program
The SEI has devoted extensive time and effort to defining meaningful metrics and measures for software quality, software security, information security, and continuity of operations. The ability of organizations to measure and track the impact of changes—as well as changes in trends over time—is an important tool for effectively managing operational resilience, which is the measure of an organization’s ability to perform its mission in the presence of operational stress and disruption. For any organization—whether Department of Defense (DoD), federal civilian agencies, or industry—the ability to protect and sustain essential assets and services is critical and can help ensure a return to normalcy when the disruption or stress is eliminated. This blog posting describes our research to help organizational leaders manage critical services in the presence of disruption by presenting objectives and strategic measures for operational resilience, as well as tools to help them select and define those measures.