Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: http://uscgproceedings.epubxp.com/i/436751
74 Proceedings Winter 2014 – 2015 www.uscg.mil/proceedings

2. Have programs and activities aimed at rigorous and continuous vetting. Most insider threats come from employees whose attitudes and predisposition toward the organization change after she or he has worked there for a time.

3. Have programs that allow nuance in background and experience.

Detection

Insider threat awareness and training should be the cornerstone of any program. As employees are an organization's most valuable assets, they are also the first line of defense to detect potential threats from within. More than management, the workforce knows what is going on around it. People sense trouble, they observe it, but they often do not report it, or at least they don't report it to the right person in time to prevent malicious activity. With Americans, it is a cultural thing. We don't like snitches. However, a good awareness program will explain the need and the desirability of reporting suspicious activity or persons, for the good of all.

Insider threat reporting is the next piece. A climate that provides a way for employees to easily and discreetly report suspicious activity 24/7 is essential. An organization's culture should be taken into account. If the culture works primarily on a computer network, personnel can set up a blind mail box. Some employees might prefer a toll-free telephone number to call in their concerns. Also, supervisors should be trained and made available as a direct reporting channel. However, some might prefer to go directly to "security." If your vessel or the port has a security office, it should certainly be a channel as well.

Cybersecurity is critical if a sizeable portion of the port's workforce or ship's crew has access to the network. For purposes of this discussion, we are concerned with employees who have authorized access to the networks and systems, not hackers from outside. Such internal cyber threats can be cataclysmic from the standpoint of systems sabotage (including denial of service); theft of critical data or information (not "just" national security data); and theft of goods and services (fraud). Password use, certificates, controlled access, and network audits are some of the tools necessary for success.

Insider threat monitoring and analysis is becoming a more important component of a holistic insider threat program for those entities reliant on computer networks for mission success (that would be most organizations today). There are powerful tools available for all kinds of monitoring, and they must be able to identify anomalous activity. The key here is to understand the rhythm of the organization and to focus on employee behavior (not the employee's background). There are great challenges here regarding data collection, storage, and retrieval. However, once those are overcome, the key is quality analysis, for it is analytic judgment, not a computer, that ultimately determines whether an employee's behavior requires further inquiry.

Supply chain risks are an often overlooked source of insider threat. An insider can introduce malicious hardware or software to the ship or port with insidious results. There is also a risk to the ship from offshore manufacturing processes that can be subverted if not strictly controlled. Once installed, such compromised components pose a unique kind of insider threat. To counter this, all hardware and software must be appropriately vetted, and the people and processes that acquire or purchase them should be vetted as well.

Technical threats should not be overlooked either. Most people carry around various forms of media that have the

The Long Pole in the Tent

The cyber aspects of an insider threat program are necessarily the most complex and costly, but also the most effective and important component in an age where most employees have access to your network, at least part of the time. The responsibilities in the cyber arena are usually split between those responsible for network security and the element responsible for insider threat detection (normally counterintelligence and/or security). Decide who is responsible for enterprise audit and continuous monitoring. Enterprise audit and continuous monitoring restrict and control activities on the network. Within the maritime domain, this might be as simple as preventing deck or navigational crew from accessing engineering files and systems. Conversely, it might be prudent to prevent engineering crew members from accessing navigational files and systems.

User activity monitoring (also called user behavior monitoring) is distinct and different from enterprise audit and continuous monitoring. It refers to audit data collection strategies that leverage hardware and/or software triggers to detect, monitor, and analyze anomalous user computer behavior for indicators of misuse or insider threat concern. This is normally handled by an organization's counterintelligence element or its security element, if there is no counterintelligence function. In some cases, there could be a distinct insider threat element that performs this function.
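The sidebar separates two functions: enterprise audit and continuous monitoring (restricting which roles may touch which systems, such as keeping deck crew out of engineering files) and user activity monitoring (triggers over audit data that surface anomalous behavior for an analyst to judge). The following Python sketch is an added example, not code from the Proceedings article or the Coast Guard, that models both over a constructed shipboard audit log: a role-to-share policy enforces the crew separation the sidebar describes, and three triggers (cross-role access, off-hours activity, and bulk reads of distinct files in one day) produce findings for an analyst to review rather than verdicts about the employee. The role names, share names, user names, log format and thresholds are all assumptions.

```python
"""Added example (not from the Proceedings article).

Toy model of the two functions the sidebar separates:
  * enterprise audit / continuous monitoring: a role-to-share policy that
    keeps deck crew out of engineering files and vice versa;
  * user activity monitoring: triggers over audit data that surface
    candidate events for an analyst, who makes the final call.
Roles, shares, users, the log format and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed crew roles and the file shares each role may touch.
ROLE_SHARES = {
    "deck": {"nav", "cargo"},           # deck / navigation crew
    "engineering": {"eng"},             # engineering crew
    "master": {"nav", "cargo", "eng"},  # master may see everything
}

# Assumed user-to-role mapping.
USER_ROLES = {"a.ortiz": "deck", "b.chen": "engineering", "c.hale": "master"}

# Constructed audit log (not real data).
# Format: "<ISO timestamp> <user> <action> <share>:<path> <result>"
AUDIT_LOG = """\
2014-11-03T08:12:44 a.ortiz read nav:/routes/port-plan.pdf ok
2014-11-03T08:15:02 a.ortiz read cargo:/manifest.xlsx ok
2014-11-03T09:40:19 b.chen write eng:/pms/maint-log.db ok
2014-11-03T10:02:51 a.ortiz read eng:/pms/maint-log.db ok
2014-11-03T16:20:00 b.chen read nav:/routes/port-plan.pdf denied
2014-11-04T03:31:08 b.chen write eng:/pms/maint-log.db ok
2014-11-04T13:00:05 c.hale read eng:/drawings/hull.dwg ok
2014-11-04T13:00:21 c.hale read eng:/drawings/prop.dwg ok
2014-11-04T13:00:48 c.hale read eng:/drawings/shaft.dwg ok
2014-11-04T13:01:10 c.hale read eng:/drawings/rudder.dwg ok
2014-11-04T13:01:37 c.hale read eng:/drawings/bilge.dwg ok
2014-11-04T13:02:02 c.hale read eng:/drawings/ballast.dwg ok
"""


def parse_log(text):
    """Turn the constructed log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, target, result = parts
        share, _, path = target.partition(":")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "share": share, "path": path,
                       "result": result})
    return events


def policy_allows(user, share):
    """Enterprise-audit side: may this user's role touch this share at all?
    Unknown users (and users with unknown roles) are denied."""
    return share in ROLE_SHARES.get(USER_ROLES.get(user), set())


def is_off_hours(ts, start=time(22, 0), end=time(6, 0)):
    """True if ts falls inside the quiet window [start, end).
    The default window wraps midnight, so handle both orderings."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def analyze(events, bulk_threshold=5):
    """User-activity-monitoring side: three simple triggers.
    Each finding is a lead for an analyst, not a conclusion about the person."""
    findings = []
    distinct_reads = defaultdict(set)  # (user, day) -> files read that day
    for e in events:
        label = (f"{e['user']} {e['action']} {e['share']}:{e['path']} "
                 f"at {e['ts'].isoformat()}")
        if not policy_allows(e["user"], e["share"]):
            # A successful cross-role access means enforcement failed; a
            # denied one is still an attempt worth recording.
            kind = "policy_violation" if e["result"] == "ok" else "denied_cross_role"
            findings.append({"kind": kind, "user": e["user"], "detail": label})
        if is_off_hours(e["ts"]):
            findings.append({"kind": "off_hours", "user": e["user"], "detail": label})
        if e["action"] == "read" and e["result"] == "ok":
            distinct_reads[(e["user"], e["ts"].date())].add(f"{e['share']}:{e['path']}")
    for (user, day), files in distinct_reads.items():
        if len(files) >= bulk_threshold:
            findings.append({"kind": "bulk_read", "user": user,
                             "detail": f"{len(files)} distinct files read on {day}"})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(AUDIT_LOG)):
        print(f"[{f['kind']}] {f['user']}: {f['detail']}")
```

Run as a script it prints one line per finding: the deck officer's successful read of an engineering file (an enforcement gap, not just an attempt), the engineer's denied attempt on a navigation file, an engineering write at 03:31, and the master's burst of six distinct drawings in a day. None of these is a verdict; the thresholds and the quiet window should be tuned to the vessel's actual rhythm, and the decision whether any of them warrants inquiry stays with the analyst, as the sidebar says.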