Government Frameworks and Regulations for Insider Threats
Government offices deal with sensitive information all the time. In fact, they deal with the most sensitive kinds of information—classified information, data assets requiring security clearance, or other kinds of classified material subject to additional government requirements.
So how do governments deal with insider threats?
The federal government has established some pretty extensive and detailed policies to keep data safe.
What is the NITTF?
The National Insider Threat Task Force was established by President Barack Obama in 2011 under Executive Order 13587.
That same executive order also established the Classified Information Sharing and Safeguarding Office, or CISSO. The task force is working under the joint leadership of the Attorney General’s office and the office of the Director of National Intelligence.
In addition, in November 2012, the federal government issued something called the National Insider Threat Policy and the Minimum standard that further spells out how to improve government protection of data.
This document states the following key goals:
· Establishing common expectations
· Institutionalizing executive branch best practices
· Enabling flexible implementation across the executive branch
In terms of policy, the document calls for “an executive branch program for the deterrence, detection and mitigation of insider threats, including the safeguarding of classified information from exploitation, compromise or other unauthorized disclosure.” The NITP is another guiding force in the battle to keep hackers from exploiting important government data resources. NITP also spells out aspects of employee awareness training and other goals like:
- Recognition of insider threat behaviors (across the entire org chart)
- Developing a reporting structure for threats
- Informing employees of all applicable policies
These tasks lay the cornerstone for better use of UAM tools and technologies. Part of this involves education and awareness: since the release of the executive orders in question, the relevant government agencies have continued to try to protect systems against social engineering attacks by making government workers more informed. But the tracking also extends to inside observation that is meant to catch incipient threats and neutralize them.
What is CNSSD 504?
CNSSD 504 is a standard that sets role-based access controls for privileged users as a way of protecting data.
The standard also addresses user activity monitoring or UAM, which it defines as “the technical capability to observe and record the actions and activities of an individual.” The standard also spells out that any of these activities can be monitored at any time, on any device, in order to detect insider threats.
How CNSSD 504 Defines User Activity Monitoring
In terms of CNSSD 504 and activity monitoring, the NITTF provides a definition that suggests each of the five above components: keystroke monitoring, full application monitoring, screen capture, file shadowing and user identification.
The NITTF also refers to user activity monitoring as a consistent and formal process. Reporting plays a central role, as does assessment. Then, the NITTF suggests, companies can act on threat information, whether that means revoking credentials, hardening a part of a system, or something else.
Components of CNSSD 504
Keystroke monitoring – obviously, keystroke monitoring is one of the most robust ways to track data activity. The tool that is performing the keystroke monitoring gets a full stream of every key pressed by a user, which can help in showing a more robust picture of what someone is doing in a digital space. This then delivers critical clues for spotting insider threats.
Full application monitoring – Full application monitoring is another principle of CNSSD 504 that allows for more integrated types of UAM and tracking. The idea with full application monitoring is that everything from the endpoint to the core of the network is tracked by the same tools and resources. Full application monitoring strategy has been described as “the all-in-one combination of front end, real user, synthetic, infrastructure, application stack” monitoring, and compares to the idea of a “full stack professional” who has experience with all of the elements of a complex computer science architecture. For instance, a full application monitoring program may use the same umbrella to track various components of email and chat broadcasts and exchanges. That continuous tracking could be the key to foiling an insider threat as it lurks in the architecture.
Screen capture – This type of live user session reporting is also critical for understanding what someone is doing in a given user session. The screen captures can show all of the status activity at a given moment. Even better, some tools deliver video recording of a user session. Security people can go back over the ‘footage,’ looking for signs that an insider threat may be in the making.
File shadowing – with file shadowing, the trackers are creating backups of key data assets. In the context of standard content inspection, systems can be tracking file types and name changes, so that there’s more of a persistent labeling of user activity. As the monitoring moves with the data through a system, it gives evaluators more crucial intelligence about where risks and threats may lie.
Comprehensive user identification – This cornerstone of CNSSD 504 goes along with the full application monitoring, which presents the idea that an individual’s activity should be traceable across the entire system or architecture of a given agency’s network. CNSSD 504 applies to every part of the executive branch where classified national security information or networks are relevant. But comprehensive user identification also means consistency in tracking a user through a whole life cycle in terms of digital workflows. It means there is, again, a coordinated and segmented way to track people, to make sure that what they are doing is not contributing to either a negligent or a malicious threat.
Strategies for Insider Threat Governance
Prevention – a lot of the above strategies esure insider threats don’t manifest on a network at all. Front-loading a lot of the security work helps government offices to avoid enormous liabilities later.
Mitigation – the mitigation strategy is all about doing damage control. Government offices may seek to limit dwell time, which is the length of time that an insider threat exists in the system undetected. Zero-day responses are ideal.
Reporting – government agencies will have to report insider threats to be compliant with standards. They’ll also use many of the above tools and guidelines to improve how they deal with insider threats in general.
More Government Standards and Policies
These additional resources show more of how government offices are directed to prevent insider threats:
Executive Order 14028
This government order was made in May of 2021. It covers various components of government office cybersecurity including:
· Zero trust architecture – by making systems “default-secure,” engineers and stakeholders seal out the activity that could constitute a threat. This in turn provides a real standard for making sure that insider threats, as they emerge, are sealed out.
· Multifactor authentication – getting a real-time code from a secondary device stops all kinds of fraudulent activity in its tracks. The combination of access protocols makes it far less likely that a hacker can impersonate someone else, or ‘skate’ into a network in an illegitimate way.
· File transparency – seeing into a file system in a more extensive way can give the security team a valuable heads-up, by showing where everything is, and what’s inside each “data bucket.” That helps planners and security people to know whether sensitive data sets are vulnerable or whether they are being accessed (or subject to access attempts.)
· Event logging – in looking at user events, the team may be able to spot something suspicious, and turn that into actionable threat intelligence. The data that is gleaned is important and actionable for cybersecurity.
The EO also requires that vendors share data about user activity. EO 14028 also suggests setting up a review board to look at insider threats and their risk for systems.
NIST SP 800-53
This standard is also often invoked in the context of government cybersecurity operations. NIST provides additional guidance in the form of a cybersecurity framework (NIST CSF).
One recommendation of the NIST SP 800-53 protocol is the establishment of a ‘control catalog spreadsheet’ that will show various components of best practices, including:
· Executive orders
The control catalog spreadsheet will make a difference in cybersecurity, in some of the same ways as a few of the other guidelines above, including file transparency. By knowing where the assets are, security pros can build better protection strategies.
The standard also calls for mapping of some privacy controls in order to implement a better insider threat policy. NIST calls it a “proactive and systemic approach” for government departments.
NISTIR 7874 Guidelines for Access Control System Evaluation Metrics
This NIST resource (NISTIR stands for NIST internal reports) relates to identity and access management, with the goal to, in the words of internal report writers, “help access control experts improve their evaluation of the highest security AC systems.”
In contemplating access control systems, NISTIR 7874 Guidelines for Access Control System Evaluation Metrics delivers some of the actionable concepts used by security pros. It presents three ‘abstracts’ useful in access control design: policies, models and mechanism. There’s also an XACML language based on XML that’s useful in setting up cybersecurity protocols.
As an XML-based standard set, XACML helps to provide a flexible structure for rules and policies that can micromanage complex and distributed environments. That feeds back into the area of IAM (Identity and Access Management) and other key aspects of network optimization.
With policy work, ontologies and more, NISTIR 7874 plays a role in helping offices to evolve their handling of data.
Governments and companies share the need to combat insider threats, but government offices do this within their own unique context. The above strategic resources help to shape the response to a full range of insider threats that arrive over the global Internet (or, occasionally, by other means). Knowing more about the policies, protocols and standards involved will make career pros into better cybersecurity experts with valuable skill sets for the digital age.