Identifying the Insider Threat presented at BSidesSeattle 2014

by Duane Blanchard,

Summary: Some 97% of people are going to behave prosocially just because they're well adjusted, or paid attention through kindergarten, or don't have the skills to get away with something (and know they don't).
What about the remainder? How can one reliably determine who the insider threat is, or who is on the path to becoming a threat agent?
This short-format talk presents the different flavors of insider threats (self-motivated [acting out of perceived injustice, seeking adventure, impatient for promotion], externally motivated [recruited, coerced, ideological], and ), a few landmark case studies (Robert Hanssen, ), and some recent ones (Ricky Joe Mitchell [Enervest, Home Depot], Timothy Lance Lai [school keylogging ring], Hieu Minh Ngo [Experian]), then describes the common patterns, potential tells, and possible interventions that might have obviated the threats in the case studies, and can mitigate the threats in our own environments.
These include, most importantly, deterrence, as well as heuristic behavior analysis, anomaly detection, the OODA loop, file integrity monitoring, permissions auditing, and mandatory time off.
The talk concludes with best practices in creating an insider threat program, and presents resources for implementation from Carnegie Mellon University, the FBI, and other sources.
Note: this talk does not classify employees who are simply lazy, loose-lipped, technically inept, or otherwise act poorly without malicious intent as insider threats. There are compelling arguments against this; they will be presented, and refuted. Such "Trusted Unwitting Insiders" may cause great harm to an organization, but the strategies for identifying such employees are considerably different, and the potential harm is typically more tightly constrained.