Government agencies in the United States have been encouraged to create ‘insider threat' programmes to find disgruntled workers who could leak state secrets.
A memo published by NBC revealed that agencies are being encouraged to ‘assess what your agency has done or plans to do to address any perceived vulnerabilities, weaknesses or gaps on automated systems in the post-WikiLeaks environment'.
It also encouraged agencies to ‘assess all security, counterintelligence and information assurance policy and regulatory documents that have been established by and for your department or agency' and asks several questions about what secure transmission of documents is being practised.
In its ‘initial agency self-assessment program for user access to classified information in automated systems', the fourth section is named ‘deter, detect, defend against employee unauthorised disclosures'. It asks if an agency has an insider threat program or has the foundation for such a program and are there efforts to fuse together disparate data sources to provide analysts early warning indicators of insider threats.
It also asks what, if anything have agencies implemented to detect behavioural changes in cleared employees who do not have access to automated systems and what metrics do agencies use to measure ‘trustworthiness' without alienating employees.
Speaking to SC Magazine at the end of last year, Matthijs van der Wel, managing principal forensics EMEA at Verizon Business, said that if data is lost internally a company will want to find out who was responsible and if an insider has a long list of minor policy violations, they may be worth keeping an eye on.
“I am not saying that they are tomorrow's criminal, but if you suspect someone you should have people pay attention to what data they have access to,” he said.
Noa Bar-Yosef, senior security strategist at Imperva, said: “Overall, this is an excellent memo and anyone in security should read it carefully. The memo asks good questions to help government agencies and private companies assess the threat of a possible insider.
“However, to help identify insider threats, there are two elements: awareness and automation. This memo largely focuses on raising awareness to help spot insiders, that's a very good thing but awareness is only part of the solution. Being aware only part time is not good enough.
“For that matter, the government needs to assume that insiders don't sleep either. What the memo fails to recommend and force readers to consider is automation. An automated scanning capability would have caught this peculiar behaviour and overall, automated scanning (and monitoring) should help identify excessive downloads and access to data and documents that simply are not supposed to see the light of day.
“If government employees know they are being monitored, they will behave differently just like drivers slow down when they know the highway patrol is in the next lane.”