The professor has returned this assignment to me and wants me to fix it; if I don't, she will give me a bad grade.
I need it to be fixed, or another one written.
The previous tutor did not do well.
Do anything to fix it.
The Word doc is attached.
DUE DATE FOR ENTERPRISE/EMPLOYER RISK MANAGEMENT THREAT ANALYSIS: 11 OCT. 20. (A prototype is posted under Course Documents.) Please note this is NOT a template or a format, simply a sample as to how to approach this paper. More guidance will follow. 6-8 pages range, double-spaced typed, exclusive of charts or references, to be posted in your assignment folder.
(professor email)
There is a major assignment due shortly per the syllabus, your risk management analysis. 6-8 pgs double spaced, plus sources. Legal focus as well as a threat assessment applicable to your workplace or critical infrastructure, e.g. hospital, bank. Don't be late!
(prototype)
Cyber Policy, Law, & Criminal Investigation
Insider Threat Risk Management
PROTOTYPE AND SAMPLE ONLY

Memorandum

Date:
To: Chief Operating Officer | EC
Thru: Chief Information Officer | ISTS; General Counsel | OGC
From: Senior IT Analyst | IT
Subject: Insider Threat Risk Management and Recommendations

In light of the Executive Announcement issued on September 21st 2018 and the concern expressed by General Gene, I was tasked by the executive committee to propose a risk management strategy to address insider threats to the agency. For your consideration, this proposal includes recommendations to the Executive Committee and General Counsel concerning the current risk management program as well as the possible legal ramifications and executive actions needed in the wake of recent events.

We are known for our independent, nonpartisan values and our reputation among the American people and throughout the globe. It is imperative to combat any forces attempting to damage or discredit the organization through leaking sensitive information, maliciously manipulating reports, and/or placing our clients and fellow agencies at risk of compromise. The Office of the Director of National Intelligence’s National Insider Threat Task Force, under the joint leadership of the Attorney General and the Director of National Intelligence, defines insider threat as “a threat posed to U.S. national security by someone who misuses or betrays, wittingly or unwittingly, their authorized access to any U.S. Government resource. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.”[1] In 2017, insider threat events made up one in five incidents and are deemed more costly than those committed by outsiders.[2] Beyond the industry statistics for insider threat events, the organization has itself seen an influx of insider threat incidents in recent years, with three notable cases:

Event: 2013 Healthcare.gov Security Controls Assessment Leak

More specifically, we experienced a leak of a Confidential Security Controls Assessment (SCA) obtained, stored, and maintained by us for a review of the Department of Health and Human Services’ (HHS) healthcare exchange known as Healthcare.gov, in support of the Affordable Care Act (ACA) passed in 2010.[3] Our protocol policy states, “we will grant clients, upon their written request, access to its audit documentation.” However, to accommodate more than 15 signatories, we hosted an event on the Hill to allow members to review the requested SCA. According to congressional staff, a member of Congress leaked the results of the SCA to the media in an effort to allegedly advance a political agenda to discredit the federal healthcare exchange effort and the passing of the ACA. It was confirmed in the November 2013 hearing by multiple congressional staff as well as the head of.[4] The investigation concluded in November with no identified source and no policy changes.

The unauthorized disclosure of the SCA violates Executive Order 13526, sections 4.1 and 5.4, which call for organizations to ensure safeguards and restrictions on access to prevent unauthorized disclosure of information within the federal classification schema. The lapse in document control could lead to a compromise of HHS systems, as the report detailed the specific vulnerabilities in the Healthcare.gov system. This places HHS at risk of violating the Federal Information Security Modernization Act; the Privacy Act of 1974, as amended at 5 U.S.C. 552a; the HHS Privacy Act regulations; as well as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While a congressional staff member leaked the document to the media, we face risks to one of our core values, reliability. If government agencies are unable to trust the document control measures we have in place when interacting with congressional committees, then the longstanding issue of obtaining documentation will become a major roadblock for the organization. While we must prevent insider threats within the organization, we must also help limit insider threats within our clients, as they impact our operations and values.

Event: Malicious Insider (Project Veritas)

Additionally, in September 2018, Project Veritas, a group deemed a conservative activist group, released a 14-minute video on Google’s platform YouTube depicting a current GAO employee contributing to the Democratic Socialists of America (DSA) during work hours with the intent to influence GAO work products provided to the U.S. Congress.[5] The individual submitted a federal independence form; however, he did not provide specifics on his extracurricular activism work. This not only violates our conflict of interest policies, but he also intentionally misled the federal government and defrauded U.S. taxpayers.

Event: Disgruntled Employee

Most notably, in October 2018 preliminary reports from the Office of the Inspector General indicate that an analyst leaked a preliminary report and extracted more than 2.3 terabytes of classified documents from our internal document management system for monetary gain, including materials concerning Department of Defense weapons systems, National Reconnaissance Office satellite protection systems, vulnerabilities in the U.S. electric grid, the Department of Energy’s National Nuclear Security Agency security protocols, and HHS’s infectious disease lab security results from NIH. This is a direct violation of policy, the Computer Fraud and Abuse Act, as well as the Espionage Act.

Insider Threat Risk Management Analysis

As tasked by the executive committee, the details below address each insider threat event from a risk management perspective. This will form the basis of an insider threat program for your consideration. The NIST Risk Management Framework is an effort to implement the provisions outlined in the Federal Information Security Modernization Act. The insider threat risk management approach captured below takes into account the results of the completed 2018 risk assessment report executed to fulfill Phase 4 of the NIST Risk Management Framework model. A detailed analysis of the insider threat is attached in Appendix I.

Notes:
[1] Office of the Director of National Intelligence. National Insider Threat Task Force Mission Fact Sheet. Retrieved from https://www.dni.gov/files/NCSC/documents/products/National_Insider_Threat_Task_Force_Fact_Sheet.pdf
[2] Forcepoint, CSO, U.S. Secret Service, and CERT Division of the Software Engineering Institute at Carnegie Mellon University. The 2017 U.S. State of Cybercrime Survey.
[3] U.S. Congress. “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on HealthCare.gov Security.” Congressional Transcript. November 19, 2013. pp. 218, 22–23, 270.
[4] U.S. Congress. “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on HealthCare.gov Security.” Congressional Transcript. November 19, 2013. pp. 218, 22–23, 270.
[5] Project Veritas. “Deep State Unmasked, U.S. GAO Auditor Admits ‘I Break Rules Every Day.’” Project Veritas Deep State Unmasked, 20 Sept. 2018, www.projectveritas.com/2018/09/20/breaking-deep-state-unmasked-u-s-gaoemployee-admits-i-break-rules-every-day/.
NIST notes that the risk assessment identifies “risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.”[6] This includes the threat and vulnerability analysis associated with the system. Additionally, Executive Order 13587 and the National Policy on Insider Threat call for agencies to establish an insider threat program for handling classified information, which can be extended to ensure additional security for all our work products. Additionally, OMB memo M-17-25 calls for agencies to establish an Insider Threat Program to protect the federal network and its data. This effort is based on implementing PM-12 of NIST SP 800-53 Revision 4, in alignment with the Risk Management Framework and best practices from Carnegie Mellon’s Software Engineering Institute. Below are the top three risk management steps to safeguard against the insider threat based on the organization’s current posture: Learn, Detect/Prevent, and Respond.

Learn

GAO’s insider threat program must be able to identify potential indicators of insider threats based on previous events, list known characteristics as identified in the risk assessment attached in Appendix I, and identify the target assets within the organization and the possible mens rea. The characteristics listed in Appendix I combine elements we identified with those identified by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.[7] Based on the insider events captured above, I identified four main actors with their associated characteristics to create an insider threat profile with the targeted organizational asset and intent. These profiles include:

• Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure
• Internal Staff | Human Error | N/A
• Malicious Insider | Activism | Manipulation of Report
• Disgruntled Employee | Financial Gain | Data Exfiltration

While this is not inclusive of all potential combinations, the four profiles captured above adhere to the first of three critical elements of an insider threat program. Further, the risk assessment captured in Appendix I revealed that the insider threat places us at a moderate risk level. Under a moderate risk level, exploitation of vulnerabilities within the organization (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury. This aligns with the NIST Risk Management Framework, as organizations must first understand the threats and risks facing the organization prior to selecting controls. This step was adapted for the insider threat program in Appendix I.

Detect & Prevent

Given the three insider events we faced, there are several best practices that could have been instrumental in detecting and preventing insider threats. These include activities associated with stakeholders at all levels throughout the organization, such as HR, Infrastructure, Public Affairs, and our mission teams.

Human Resources

The Software Engineering Institute’s best practices include: monitor and respond to suspicious or disruptive behavior, develop a comprehensive employee termination procedure, and anticipate and manage negative issues in the work environment. These best practices would directly address the following insider threat actors: Disgruntled Employee and Malicious Insider.

Notes:
[6] NIST Risk Management Framework.
[7] https://www.us-cert.gov/sites/default/files/publications/Combating%20the%20Insider%20Threat.pdf
While our current policies call for automatic removal of access rights in the event of employee termination, our procedures do not link employee satisfaction with insider threat notification. Our employee feedback survey within the IT mission team indicates that Band 2Bs are the most unsatisfied among the staff due to promotion availability. Given this, HR should work with IT to deploy adaptive analytics on access rights and user activity among groups with a certain level of authorization. Threat actor: the Disgruntled Employee was a Band 2B seeking financial gain.

Public Affairs

In regard to the Malicious Insider, our annual independence review process failed to identify an employee associated with the DSA. This is where social media monitoring capabilities within our Office of Public Affairs (OPA) can make a direct impact. The privacy concerns associated with this effort are moderate, as it must remain within the public domain. The individual was engaged in political activity during work through social media. This effort by OPA would extend the reach of the independence policy and actively engage in identifying conflicts of interest beyond a federal document.

Infrastructure

Lastly, detection falls on the Infrastructure department’s security control mechanisms captured in NIST SP 800-53 Revision 4. The organization must raise its Integrity baseline and implement the high-integrity security controls identified by NIST to ensure that the integrity of the data is not compromised by an insider. Additionally, intrusion detection capabilities must be expanded in order to baseline normal behavior on the network and then detect anomalous behavior such as accessing social media, emailing multiple documents outside of the organization, and saving files on an external drive.
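The baseline-then-detect approach described for the Infrastructure department can be shown on a small audit-event set. The following is an added example, not code from the memo or from any GAO system: it assumes a flat audit-event schema (date, user, event, detail) with three constructed event types, EXTERNAL_EMAIL (a document emailed outside the organization), USB_WRITE (a file saved to an external drive) and SOCIAL_MEDIA (a social media access), builds each user's own per-day baseline over a training window, and flags an evaluation day whose count exceeds that baseline. The training window, the K multiplier and the MIN_EVENTS floor are illustrative choices, and the log lines are constructed.

```python
"""Baseline-then-detect check for the insider behaviors named in the memo.

Added example, not part of the memo. Assumes a (date, user, event, detail)
audit schema; event types, thresholds and sample events are all constructed.
"""
from statistics import mean, pstdev

TRAINING_DAYS = ["2018-10-01", "2018-10-02", "2018-10-03", "2018-10-04", "2018-10-05"]
EVAL_DAY = "2018-10-08"
K = 2.0          # alert when a day's count exceeds mean + K * stdev of the user's own history
MIN_EVENTS = 3   # absolute floor: one stray event on a zero baseline is not an alert

# Constructed audit events, not real log data: (date, user, event, detail).
EVENTS = [
    ("2018-10-01", "alice", "EXTERNAL_EMAIL", "to=liaison@agency.example att=draft-1.docx"),
    ("2018-10-03", "alice", "EXTERNAL_EMAIL", "to=liaison@agency.example att=draft-2.docx"),
    ("2018-10-05", "alice", "EXTERNAL_EMAIL", "to=liaison@agency.example att=draft-3.docx"),
    ("2018-10-01", "bob", "EXTERNAL_EMAIL", "to=counsel@agency.example att=memo.pdf"),
    ("2018-10-02", "bob", "EXTERNAL_EMAIL", "to=counsel@agency.example att=memo-v2.pdf"),
    ("2018-10-04", "bob", "EXTERNAL_EMAIL", "to=counsel@agency.example att=memo-v3.pdf"),
    ("2018-10-05", "bob", "EXTERNAL_EMAIL", "to=counsel@agency.example att=memo-final.pdf"),
    # evaluation day: alice is normal apart from social media; bob bulk-exports documents
    ("2018-10-08", "alice", "EXTERNAL_EMAIL", "to=liaison@agency.example att=draft-4.docx"),
    *[("2018-10-08", "alice", "SOCIAL_MEDIA", f"GET social.example/feed?page={i}") for i in range(4)],
    *[("2018-10-08", "bob", "EXTERNAL_EMAIL", f"to=personal@freemail.example att=report-{i}.pdf") for i in range(6)],
    *[("2018-10-08", "bob", "USB_WRITE", f"E:\\export\\archive-{i}.zip") for i in range(3)],
]


def daily_counts(events, days):
    """Return {(user, event): [count on each day in `days`]}, with zeros for quiet days."""
    index = {d: i for i, d in enumerate(days)}
    counts = {(u, e): [0] * len(days) for _, u, e, _ in events}
    for d, u, e, _ in events:
        if d in index:
            counts[(u, e)][index[d]] += 1
    return counts


def build_baseline(events, training_days):
    """Per (user, event): (mean, population stdev) of daily counts over the training window."""
    return {ue: (mean(c), pstdev(c)) for ue, c in daily_counts(events, training_days).items()}


def detect(events, baseline, eval_day, k=K, min_events=MIN_EVENTS):
    """Alert on (user, event) pairs whose eval-day count is both above the floor and above the baseline."""
    alerts = []
    for (user, event), (count,) in daily_counts(events, [eval_day]).items():
        mu, sigma = baseline.get((user, event), (0.0, 0.0))
        threshold = mu + k * sigma
        if count >= min_events and count > threshold:
            alerts.append({"user": user, "event": event, "count": count, "threshold": round(threshold, 2)})
    return sorted(alerts, key=lambda a: (a["user"], a["event"]))


def run(events=EVENTS):
    """Train on TRAINING_DAYS, evaluate EVAL_DAY; returns the alert list."""
    return detect(events, build_baseline(events, TRAINING_DAYS), EVAL_DAY)


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['user']} {a['event']}: {a['count']} today vs threshold {a['threshold']}")
```

Two design points matter for an insider-threat baseline. The baseline is per user and per event type, so alice's one external email on the evaluation day is not flagged (it matches her history), while bob's six external emails to a personal mailbox are. The MIN_EVENTS floor exists because most users have a zero baseline for USB writes and social media; without it, a single incidental event would exceed a threshold of zero and bury analysts in alerts.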
Given these best practices, the three threat events identified can be addressed through the following mechanisms:

• Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure
  o Action: Prohibit mobile phones during closed sessions with sensitive documents
  o Action: Intentionally insert typos in each version of the document to identify the source of a leak
  o Action: Invite agency representatives to administer and collect sensitive documents at the conclusion of the session to redirect the risk
  o Benefit: Limits the mode of exfiltration, detects the source of the leak, and shifts liability to the data owner (HHS)
• Internal Staff | Human Error | N/A
  o Action: Apply additional document control requirements when handling files outside of the document management system
  o Action: Limit the number of files a single person is responsible for and assign an accountability officer for each set of files
  o Benefit: Adds oversight to reduce the likelihood of human error
• Malicious Insider | Activism | Manipulation of Report
  o Action: Increase Integrity security controls to NIST SP 800-53 standards
  o Action: Increase social media monitoring efforts and align them with the annual independence attestation
  o Action: Re-baseline the intrusion detection system to include insider threat detection
  o Benefit: Improves security posture, proactively detects conflicts of interest, and increases technical capabilities for detecting anomalous employee behavior
• Disgruntled Employee | Financial Gain | Data Exfiltration
  o Action: Share employee satisfaction results with IT for adaptive analytics
  o Action: Re-baseline the intrusion detection system to include insider threat detection
  o Action: Implement new policies regarding external media, email attachments, and remote access after work hours
  o Benefit: Improves security posture, proactively detects conflicts of interest, and increases technical capabilities for detecting anomalous employee behavior

Respond

CMU’s 2017 study on U.S. Cybercrime surveyed more than 500 organizations across the country regarding insider intrusions. According to the study, the share of events handled internally without legal action or law enforcement stayed the same from 2016 to 2017, at 76%.[8] Additionally, the top three reasons included:

• Could not identify the individual(s) responsible
• Damage level insufficient to warrant prosecution
• Lack of evidence/not enough information to prosecute

All three justifications could be addressed by applying the additional logging and auditing controls recommended by NIST SP 800-53 Rev 4, which I prescribe for our internal systems through its high Integrity categorization. While unauthorized disclosures could call for legal action depending on their nature, the availability of evidence is essential to responding with any legal action. In regard to the three insider events:

• Congressional Partners | Political Motivation/Agenda | Unauthorized Disclosure
  o Response Reported: None
  o Reason: Lack of evidence; could not identify the individual
  o Potential Legal Response: Violation of congressional policies; if compromised: Computer Fraud and Abuse Act, Privacy Act violation
• Internal Staff | Human Error | N/A
  o Response Reported: None
  o Reason: Damage level insufficient; no malicious intent
  o Potential Legal Response: None; internal policy violation
• Malicious Insider | Activism | Manipulation of Report
  o Response Reported: System access rights terminated; suspension pending investigation by the OIG
  o Reason: Damage level insufficient due to quality control processes
  o Potential Legal Response: Internal policy violation; making false statements (18 U.S.C. § 1001); fraud
• Disgruntled Employee | Financial Gain | Data Exfiltration
  o Response Reported: System access rights removed; employee terminated and incident handled with legal action
  o Reason: Involved classified information posing a threat to national security
  o Potential Legal Response: Computer Fraud and Abuse Act; Espionage Act, Section 793

Next Steps

We are the first line of defense when it comes to the insider threat. This includes all departments within the organization and each individual analyst. Take action by implementing the short-term measures outlined in this memo, followed by a comprehensive insider threat program in FY19 in accordance with OMB M-17-25.

Notes:
[8] Forcepoint, CSO, U.S. Secret Service, and CERT Division of the Software Engineering Institute at Carnegie Mellon University. The 2017 U.S. State of Cybercrime Survey.

APPENDIX I: INSIDER THREAT RISK ASSESSMENT REPORT (RAR)
Document Management
October 2018

Record of Changes:
Version | Date | Sections Modified | Description of Changes
1.0 | October 2018 | | Initial RAR

Scope

The risk management process is based on the general concepts presented in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments, along with the principles and practices in NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, and is consistent with the policies presented in Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Resources. The scope of this risk assessment is focused on the system’s use of resources and controls to mitigate vulnerabilities exploitable by threat agents (internal and external) identified during the RMF control selection process, based on the system’s categorization. This initial assessment will be a Tier 3, or “information system level,” risk assessment.

Assumptions:
• A preliminary analysis informed the identified insider threat agents.
• This assessment is based on a FY17 security controls assessment and an agency-wide external threat analysis.
Purpose

This risk assessment is being conducted in order to determine the impact of an insider threat on the organization and its business processes, and to form the basis for maturing a managed insider threat program. Identifying the impact is a preliminary step in building a robust insider threat program to safeguard GAO and its materials from unauthorized disclosure. This document supplements existing risk assessments performed on the organization and updates the existing risk profile of the organization and information system.

Risk Assessment Approach

This initial risk assessment was conducted using the guidelines outlined in NIST SP 800-30, Guide for Conducting Risk Assessments. A quantitative and qualitative approach will be utilized for this assessment. Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and consequences/impact to mission. The following table is provided as a list of insider threat characteristics as identified by the Department of Homeland Security.

Table 1: Insider Threat Characteristics

Characteristics of Insiders at Risk of Becoming a Threat:
• Financial Need
• Motive for Political Gain
• Activism
• Workplace Grievance

Behavioral Limitations:
• Compulsive and Destructive Behavior
• Entitlement
• Ethical “flexibility”
• Minimizing their mistakes or faults
• Reduced loyalty
• Self-perceived value exceeds performance
• Pattern of frustration and disappointment
• Lack of empathy
• No Accountability or Integrity
• Intolerance of criticism

Potential Threat Actions:
• Assault on an employee
• Blackmail
• Browsing of proprietary information
• Computer abuse
• Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
• Malicious code (e.g., virus, logic bomb, Trojan horse)
• Sale of personal information
• System bugs
• System intrusion
• System sabotage
• Unauthorized system access

The following tables from NIST SP 800-30 were used to assign values to likelihood, impact, and risk.

Risk Level Matrix: The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and the impact of an exploited vulnerability, after consideration of in-place controls. Table 2 below shows how the overall risk ratings might be determined based on inputs from the threat likelihood and threat impact categories. The determination of these risk levels or ratings may be subjective. The rationale for this justification can be explained in terms of the probability assigned for each threat likelihood level and a value assigned for each impact level. For example:

• The probability assigned for each threat likelihood level is 5 for High, 3 for Moderate, 1 for Low.
• The value assigned for each impact level is 5 for High, 3 for Moderate, 1 for Low.
• The matrix below is a 3 x 3 matrix of threat likelihood (High, Moderate, and Low) and threat impact (High, Moderate, and Low).

Table 2: Assessment Scale – Level of Risk (Combination of Likelihood and Impact)

Threat Likelihood | Impact: LOW (1) | Impact: MODERATE (3) | Impact: HIGH (5)
HIGH (5) | LOW (5 x 1 = 5) | MODERATE (5 x 3 = 15) | HIGH (5 x 5 = 25)
MODERATE (3) | LOW (3 x 1 = 3) | MODERATE (3 x 3 = 9) | MODERATE (3 x 5 = 15)
LOW (1) | LOW (1 x 1 = 1) | LOW (1 x 3 = 3) | LOW (1 x 5 = 5)

Magnitude of Impact:

Impact | Definition
High | Exploitation of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Moderate | Exploitation of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low | Exploitation of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.

Risk Assessment Results: Disgruntled Employee / Insider Penetration / Unauthorized Use

Vulnerabilities / Predisposing Characteristics | Likelihood | Impact | Risk
Inadequate Security Policy | High | Moderate | Moderate
Inadequate System Administration | High | Moderate | Moderate
Inadequate User Account Management | High | Moderate | Moderate
Inadequate Personnel Management | High | Low | Low
Inadequate Warning Banners | High | Moderate | Moderate
Use of Replayable I&A | High | Moderate | Moderate
Sharing of IDs or Passwords | High | Moderate | Moderate
Inadequate Audit Log | High | Moderate | Moderate
Inadequate Audit Analysis | High | Moderate | Moderate
Inconsistent Physical Perimeter Definition | High | Moderate | Moderate
Inadequate Facilities | High | Low | Low
Data Unavailability | High | Low | Low
Weak Rules of Behavior | High | Moderate | Moderate
Untrained Users | High | Moderate | Moderate
No Individual Accountability | High | High | High
No System Change Control | High | Moderate | Moderate
No Software Change Control | High | Moderate | Moderate
No Separation of Duties | High | Moderate | Moderate
Unlimited User Privileges | High | High | High
Poor Patch Management | High | Moderate | Moderate
Interconnection Weaknesses | High | Moderate | Moderate
Copyright Protection Violations | High | Moderate | Moderate
Poor Logical Access Controls | High | Moderate | Moderate
Weak Passwords/No Passwords | High | High | High
Unprotected Networks | High | Moderate | Moderate
Weak Integrity Verification | High | Moderate | Moderate
Unknown Vulnerabilities | High | High | High

Risk Score: The insider threat agent poses a MODERATE risk to the organization.
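The scoring in Table 2 and the Risk Assessment Results can be reproduced in a few lines, which is a useful check when the matrix is filled in by hand. The following is an added example, not part of the memo or of NIST SP 800-30: it takes the 5/3/1 ratings and the Low/Moderate/High bands from Table 2 and the 27 result rows from Appendix I as they appear above. The memo does not say how the per-vulnerability results roll up into the single MODERATE rating, so the roll-up used here (the median score) is an assumption.

```python
"""Likelihood x impact risk scoring, after Appendix I, Table 2.

Added example, not part of the memo. Ratings and bands come from Table 2;
the roll-up to one agent-level rating (median score) is an assumption.
"""
from collections import Counter
from statistics import median

RATING = {"High": 5, "Moderate": 3, "Low": 1}
LEVELS = ("High", "Moderate", "Low")


def risk_score(likelihood, impact):
    """Multiply the likelihood and impact ratings, as Table 2 does."""
    return RATING[likelihood] * RATING[impact]


def risk_level(score):
    """Band a score as Table 2's cells do: 1-5 LOW, 9-15 MODERATE, 25 HIGH."""
    if score <= 5:
        return "Low"
    if score <= 15:
        return "Moderate"
    return "High"


def table2():
    """Regenerate Table 2 as {(likelihood, impact): (score, level)}."""
    return {(lk, im): (risk_score(lk, im), risk_level(risk_score(lk, im)))
            for lk in LEVELS for im in LEVELS}


# Rows of "Risk Assessment Results" in Appendix I: (vulnerability, likelihood, impact, stated risk).
RESULTS = [
    ("Inadequate Security Policy", "High", "Moderate", "Moderate"),
    ("Inadequate System Administration", "High", "Moderate", "Moderate"),
    ("Inadequate User Account Management", "High", "Moderate", "Moderate"),
    ("Inadequate Personnel Management", "High", "Low", "Low"),
    ("Inadequate Warning Banners", "High", "Moderate", "Moderate"),
    ("Use of Replayable I&A", "High", "Moderate", "Moderate"),
    ("Sharing of IDs or Passwords", "High", "Moderate", "Moderate"),
    ("Inadequate Audit Log", "High", "Moderate", "Moderate"),
    ("Inadequate Audit Analysis", "High", "Moderate", "Moderate"),
    ("Inconsistent Physical Perimeter Definition", "High", "Moderate", "Moderate"),
    ("Inadequate Facilities", "High", "Low", "Low"),
    ("Data Unavailability", "High", "Low", "Low"),
    ("Weak Rules of Behavior", "High", "Moderate", "Moderate"),
    ("Untrained Users", "High", "Moderate", "Moderate"),
    ("No Individual Accountability", "High", "High", "High"),
    ("No System Change Control", "High", "Moderate", "Moderate"),
    ("No Software Change Control", "High", "Moderate", "Moderate"),
    ("No Separation of Duties", "High", "Moderate", "Moderate"),
    ("Unlimited User Privileges", "High", "High", "High"),
    ("Poor Patch Management", "High", "Moderate", "Moderate"),
    ("Interconnection Weaknesses", "High", "Moderate", "Moderate"),
    ("Copyright Protection Violations", "High", "Moderate", "Moderate"),
    ("Poor Logical Access Controls", "High", "Moderate", "Moderate"),
    ("Weak Passwords/No Passwords", "High", "High", "High"),
    ("Unprotected Networks", "High", "Moderate", "Moderate"),
    ("Weak Integrity Verification", "High", "Moderate", "Moderate"),
    ("Unknown Vulnerabilities", "High", "High", "High"),
]


def assess(rows):
    """Recompute each row: (vulnerability, score, computed level, agrees with stated level)."""
    out = []
    for vuln, lik, imp, stated in rows:
        score = risk_score(lik, imp)
        level = risk_level(score)
        out.append((vuln, score, level, level == stated))
    return out


def summarize(rows):
    """Count levels, list rows that disagree with the table, and roll up by median score (assumption)."""
    assessed = assess(rows)
    return {
        "counts": dict(Counter(level for _, _, level, _ in assessed)),
        "mismatches": [vuln for vuln, _, _, ok in assessed if not ok],
        "overall": risk_level(median(score for _, score, _, _ in assessed)),
    }


if __name__ == "__main__":
    for (lk, im), (score, level) in table2().items():
        print(f"{lk:8} x {im:8} = {score:2} -> {level}")
    print(summarize(RESULTS))
```

Running it confirms that every row in the results table is consistent with Table 2 (no mismatches), that the 27 rows split into 4 High, 20 Moderate and 3 Low, and that the median score of 15 lands in the Moderate band, matching the stated agent-level rating. A mean would give about 15.4 and tip into High under a strict "greater than 15" reading, which is why the roll-up rule should be written down in the RAR rather than left implicit.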

