Posted in Cyber ThreatsNews & Events by Derek Smith on April 14, 2015
It is fair to say that when it comes to digital technology, the federal government has a mixed record. While many agencies and departments have indeed made significant strides toward adapting to meet the demands and take advantage of new technologies, others have struggled to keep pace. In some cases, this has created inefficiencies and subpar performance. In other, more serious instances, such failures have led directly to data breaches and other cyber security incidents. 

In order to address these issues, and particularly the evolving cyber threats that agencies face every day, the federal government will need to make cyber security talent recruitment and retention a key priority in 2015, as Federal News Radio recently reported.

"The government now possesses more raw data than ever."

Experts needed
The news source highlighted several factors which are driving cyber security talent needs within the federal government. First and most obviously, the government now possesses more raw data than ever, with a growing amount of information coming in every day. A tremendous amount of this data could prove useful to a range of cyber attackers, from state-sponsored hackers to financially-driven cyber criminals.

At the same time, hackers are growing in number and becoming increasingly sophisticated in their efforts. Consequently, the federal government – and virtually every other high-profile organization – needs to embrace proactive policies to stay one step ahead of cyber threats.

Accompanying these trends is a top-level focus on cyber security throughout the government. The source pointed out that President Barack Obama has earned the nickname the "Cyber War President." As a result of the president and other federal leader's efforts, the U.S. Cyber Command will soon see its manpower increase fivefold, while federal law enforcement agencies are focusing more on bringing cyber security experts into their ranks.

Recruiting and retaining talent
As Federal News Radio emphasized, though, these efforts alone are not sufficient to solve the federal government's cyber security talent shortage. To this end, new policies are needed.

For example, the source predicted that agencies will do more to recruit younger cyber security professionals. Currently, millennials comprise only 16 percent of the federal workforce, while almost half of workers are nearing retirement, according to an Office of Personnel Management report. These younger workers have the potential to improve federal cyber security not just now, but for years to come. However, for this to be the case, agencies will need to offer these individuals possible career paths, rather than jobs with little to no room for advancement. 

The government must offer cyber security pros career advancement opportunities.
These developments have significant implications for cyber security professionals. The federal government's growing commitment toward attracting and retaining cyber security talent opens up a wide array of new opportunities for qualified personnel in this space. As The Wall Street Journal recently highlighted, the government's cyber security woes are due not just to an insufficient focus on this issue, but also a lack of available talent. Clearly, then, those who have the requisite skills and credentials will find themselves heavily in demand for promising federal positions in 2015 and beyond.

To learn more about cyber security training and education, visit Excelsior College's website today.

Posted in Awareness Month 2014Cyber Threats by Derek Smith on October 21, 2014
Insider Threat Best Practices from Industry

Hello, this is Derek A. Smith, Director of Cybersecurity Initiatives for the National Cybersecurity Institute at Excelsior College. Thanks for taking the time to visit our new insider threat blog. Insider threat is often not given the same attention as threats from the outside, but can cause tremendous damage to an organization. The purpose of this particular blog is to raise awareness of the risks of insider threat and to help identify the factors influencing an insider’s decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve an organizations chances of survivability and resiliency should they be burdened with insider threat attacks. With the insider threat landscape changing so quickly, we at NCI believe a blog is an effective vehicle for addressing current issues as they relate to the insider threat in a timely manner.

Let’s begin by talking about some best practices an organization can enact as they relate to the insider threat. Below are ideas that have proved effective for combating the insider threat. .

Insider Threat Incident Management

  1. Build upon security awareness training program to manage insider threat risk.
    • Many organizations already have a security awareness training program that teaches employees how to recognize and handle potential security problems in the workplace. The organization can enhance this program by ensuring that it includes insider threat indicators. Be sure to include the best ways to report insider threat issues.
  2. Let your employees know you are monitoring their activity.
    • Let employees and contractors know that activities are being monitored consistently across the organization and will be used to identify potential insider threats as part of the organization’s risk management program. The knowledge that they may be monitored is often a good deterrent to potential inside attackers.
    • Some organizations have had success with letting all employees know when someone has been caught violating an organizational policy. Informing employees may deter others from malicious behavior.

  1. Organizations should monitor in order to better understand the environment and to further enhance audit capabilities
    • When someone resigns, activate additional auditing that allows for monitoring what information they are accessing. Be sure to work with the legal, IT, and human resources teams to establish a clearly defined policy that protects employee privacy and legal issues
    • Set up controls that log, monitor, and report when a large number of files are accessed in a short period of time. This could be an indication of someone gathering documents from an internal site.
    • Monitor for system access while an employee is on leave or during odd hours. This could indicate an inside threat or that someone else is improperly using that employees credentials.
  2. Consider setting up a honey pot or honey net to detect malicious insiders. These are specially configured servers or networks used to detect rogue employees. They contain information that might tempt malicious insiders such as:
    • Bogus company documents.
    • Accounts that appear to have special meaning or functions.
    • An appearance that the server performs some critical business function.
  3. Organizations should especially monitor privileged account holders. These individuals have much more access than the average user and know how to by past the security measures the organization has in place.
Finally, should an insider attack occur and an investigation ensues, be sure to conduct an incident after action review after the investigation is over. Use the after action review to determine what enabled the incident to occur and enact countermeasures to ensure it is not possible for it to occur again.

These are just a few strategies that organizations can use to identify and respond to insider threats. If you have other suggestions, please email and let us know.

Posted in Workforce Development by Derek Smith on January 15, 2015

Prompted by online attacks against such companies as Target and Sony, the demand for cyber security experts is increasing at 3.5 times the pace of the overall IT job market according to a study by Burning Glass International Inc., a Boston-based company that uses artificial intelligence to match jobs and job seekers. According to the study, the demand for cyber security experts is growing at 12 times the overall job market, making it one of hottest fields for jobs in the country. Burning glass CEO stated that “Few job categories can match the explosive growth in demand for cyber security talent.”

According to Burning Glass, due to organizations increasing concerns about the vulnerability of their networks, the demand for cyber security experts increased 73% from 2007 to 2014. In comparison, the demand for all computer jobs only increased 20%, still a great growth rate, and the demand for all jobs grew just 6%. Cyber security expert’s salaries averaged $101,000, based on advertised salaries. That was much more than the $89,000 offered for the average IT job.

The study demonstrated that cyber security managers command the highest salary at around $107,000, followed by cyber security engineers at about $100,000. Cyber security specialists make about $80,000—still a great salary. Having a credential such as the Certified Information Systems Security Professional can add a few thousand dollars per year to those salary figures.

The major hubs of cyber security activity include Atlanta, where job growth was more than 100% during the last five years. But the greater Washington DC region had the largest growth rates with five-year gains of more than 250% in Richmond, VA, gains of nearly 150% in Baltimore, MD and growth of almost 50% in Washington, D.C. itself. Significant growth has also been realized in other major cities such as Chicago, New York, Dallas, Denver and San Diego.

If you are interested in learning these ‘in demand’ skills, Excelsior college offers 6 cybersecurity degree and certificate programs to help prepare you for what will very likely be a lucrative cybersecurity career.


Rosenbush, S. (2013, March 4). Demand for cyber security jobs is soaring.

Posted in Cyber Threats by Derek Smith on January 14, 2015

Insider threats do not seem to get the same press as a breach at Target or Sony, but as the Robert Hanssen and Edward Snowden cases demonstrated, they are equally as important. The following are 5 ways organizations can improve upon their insider threat defenses:

  1. Recognize that insider threats are not hackers.
  2. Often people think of the most dangerous insiders are hackers who are running special technology tools on internal networks. But that simply is not the case. When dealing with the inside threat you are often dealing with users who are authorized to use the system, but are doing so with malicious intent. In fact, most inside attacks do not run hacking tools or escalate their privileges for purposes of espionage. They do simple attacks using the authorization they have. According to the FBI, just less than a quarter of insider incidents tracked on a yearly basis come from accidental insiders. However, the FBI’s insider threat team spends 35 percent of their time dealing with these problems.

  3. Recognize that insider threat is not a technical or cybersecurity issue alone.
  4. Unlike many other issues in cybersecurity, the risk from insider threat is not a technical problem; it is a people-centric problem requiring a people-centric solution. As people are multidimensional, organizations have to take a multidisciplinary approach to solving the insider threat dilemma. This means that responsible parties within an organization must focus their efforts on examining and monitoring internal people and the data that would be at risk. This entails understanding who the people really are from three important informational aspects: cyber, contextual, and psychosocial. The combination of these three things is what’s most powerful about this methodology. Responsible parties must work with their legal and managerial departments to figure out what works best within the limitations of the organizational environment.

  5. A good insider threat program should focus on deterrence, not detection.
  6. Organizations need to come up with powerful tools to stop inside threats before they can do damage within the organization. Such measures as better hiring practices may ferret out potential violators, such as Snowden. Rather than getting wrapped up in prediction or detection, organizations should start first with deterrence. This means creating an environment in which it is really difficult or uncomfortable to commit insider attacks. Additionally, organizations must constantly remind users of the policies in place and that their interaction with data is being monitored.

  7. Detection of insider threats has to use behavioral-based techniques.
  8. The idea behind behavioral-based techniques is to detect insider bad behavior right before a good employee is about to turn bad. This entails observing how employees operate on the network and how they look contextually. By this observation one can build baselines and look for anomalies in employee behavior. It is recommended that a minimum of six months of baseline data is collected prior to attempting any detection analysis.

  9. The science of insider threat detection and deterrence is in its infancy.
  10. The science of insider detection and deterrence is still in its infancy. One of the issues with its slow growth is that much of the existing research just focuses on looking at data from the bad guys. Organizations must really try to push this diagnostic approach of collecting data from and comparing it between a group of known bad and a group of assumed good (insiders) and try to apply that methodology to those three realms (cyber, contextual and psychosocial).

Organizations can try to elicit this information from other avenues: observation, behavioral manifestations, making supervisors more aware of the insider threat problem, and creating an environment where people may be more willing to report some of these things as they see them.

Posted in Cyber ThreatsThreat Intelligence by Derek Smith on February 4, 2015
Understanding the various levels of insider threat can assist companies in their efforts to implement the proper security controls within the organization. There are four levels of insider threat, and they all depend upon the levels of access someone has to the information within your organization.

In this week’s blog on insider threat we will learn about two of these threat levels—pure insider threat and insider associate. In next week’s blog, we will learn about the two other levels—insider affiliate and outside affiliate.

Pure Insider Threat

The first level of insider threat is the pure insider, which is an employee who has all the rights and access associated with being an employee. This employee usually has keys or a badge that allow them into the organization and user IDs and passwords that allow them access to the company’s network. This is known as authorized ‘privileged’ access. The pure insider is the most dangerous type as they can cause the most damage to the organization based on their access.

There is an even more dangerous level of pure insider. This is the elevated pure insider. This person is considered ‘elevated’ because they have additional privileges to access the company’s systems. This category includes such people as system administrators, who have root, or administrator access, on the network. They have and maintain this additional access in order to do their jobs. The problem is that in many cases they are given too much access; more than they actually need to conduct their duties.

When trying to detect the pure insider threat, there are three things you can do:

1. One solution to the pure insider threat is the principle of least privilege, which means giving this employee, the pure insider, access to the least amount of information needed to do their job.

2. A second solution is to monitor employee behavior. Based on my years as an investigator of insider threat I can assure you that in almost every case there was some behavioral change that if noticed, could have tipped off this insider threat behavior. If a certain employee has been complaining about financial challenges and a few months later is driving a new Mercedes, you may want to pay closer attention. The person either inherited money, won the lottery, or could be selling your secrets.

3. The third, money, continues to build upon the example in solution 2. Many people who perpetrate insider threat crimes have financial problems. An average employee would not commit insider threat, but if you add in stress from financial issues and someone offers enough money, there is a chance that the person may be tempted.

Insider Associate

Insider associates are people such as contractors, the cleaning crew, or security guards who have limited authorized access to your facility or network. They are not company employees and don’t need full access to your network. While these folks do not have access to the company’s network, they often have limited access that will give them contact with important company information. Many of these people have access to your facility at night and could actually read – or worse – copy, sensitive information that employees often leave out on their desk or unlocked computers. Even if you left this information on your desk and then locked your doors, the security guards and cleaning crew often have a master key that will get them through most locked doors. Employees have to remember that there are other people who can gain access to their offices and therefore, sensitive information should always be secured.

In order to minimize damage that could be caused by an insider associate, companies need to increase user awareness and control access to information. Raising awareness will assist in changing behavior and controlling access will prevent the unauthorized from obtaining the data.

Read next week’s blog to find out about the other two categories of insider threat facing us today—insider affiliate and outside affiliate

Cole, E., and Ring, S. (2006). Insider threat, protecting the enterprise from sabotage, spying and theft. Rockland: Syngress.

Posted in Cyber ThreatsThreat Intelligence by Derek Smith on February 10, 2015

Last week’s blog discussed two of the four levels of insider threat. I wrote about pure insider threat and insider associate levels. This week, I will discuss the other two levels of insider threat – inside affiliate and outside affiliate – and go over how they differ. Remember, understanding these various levels can assist your organization in its efforts to implement the proper security controls within your organization.

To recap last week’s first two levels of insider threat, pure insider threat is an employee who has all the rights and access associated with being an employee and is the most dangerous level as they can cause the most damage based on their access. Also from last week’s blog is the insider associate level. These are individuals such as contractors, cleaning crew, or security guards who have limited authorized access to your organization’s facility or network, which gives them contact with important company information.

The last two levels of insider threat are inside affiliate and outside affiliate.

Inside Affiliate

An insider affiliate is a spouse, child, friend or client of an employee who uses an employee’s credentials to gain access. This can be as simple as a client coming to visit an employee and obtaining a badge that gives that person access to the facility. If the person goes to use the rest room and on the way wanders around looking at what is on people’s desks or computers, he/she could glean some sensitive information.

To prevent insider affiliate threats, the best measure is to implement policies and procedures that will control affiliate activities. Once these policies are in place, they should be explained to employees, and employees should be required to sign off that they understand them. Never assume that employees will always to the right thing. Improper behavior may not be intentional, but it can still be devastating.

Outside Affiliate

Outside affiliates are non-trusted outsiders who use open access, such as wireless service, to gain access to a company’s resources. If the company happens to have an unprotected access point, and the outside affiliate is sitting across the street at a coffee shop, he/she could connect to the company’s wireless connection. Although this may seem obvious, many companies still overlook this threat.

To protect against the outside affiliate threat, a company needs to ensure it has proper access controls in place for all types of access, including virtual and physical.

The key thing to remember when dealing with these four types of insider threat is that they have access and in most cases will exploit the weakest link that gives them the greatest chance of access to your sensitive information, while minimizing the chances of being caught. It is the company’s job to ensure proper controls are in place to minimize these threats.

Cole, E., and Ring, S. (2006). Insider threat, protecting the enterprise from sabotage, spying and theft. Rockland: Syngress.

Posted in Threat Intelligence by Derek Smith on January 29, 2015

Many organizations believe that once they hire a new employee or contractor, the person is automatically part of a trusted group of people within the organization. This new hire is given access to sensitive company information that an ordinary person would never have. But why do they suddenly trust this person? Many organizations don’t perform background checks or reference checks and as long as this prospective employee is liked by the hiring manager, they are hired.

The problem with this is that many people may not be who they say they are or who you think they are. Not adequately validating these individuals’ backgrounds can end up being a costly, if not devastating mistake for your company. These people being hired are complete strangers, yet they are given access to your critical business information.

Think about it—if a competitor really wanted to do damage to your business, steal critical secrets, or even run you out of business, all they have to do is find one of your job openings, prep someone to pass your screening process, have that person get hired, and they are inside your business. The fact that it is this easy should scare the daylights out of hiring managers.

Do you think this is far-fetched? Let me inform you that according to Dr. Eric Cole and Sandra Ring, authors of Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft, this is a common practice among some foreign governments. They will plant a spy against a nation or organization and use their knowledge of the company’s hiring criteria to prep the “spy” for employment. Even if the potential employee has to pass a polygraph exam, he or she can be prepped to pass that, too. Once hired, this individual becomes a trusted insider and can cause serious damage to your organization.

So what can you do to prevent this type of activity within your organization? Examine your hiring practices! Your organization’s approach to reducing this kind of insider threat should start with your hiring process. Background checks should be conducted to reveal previous criminal convictions. Additionally, a credit check should be performed, and credentials and past employment should be verified. When verifying past employment, don’t just get verification that the prospective employee worked there: if possible, include discussions with prior employers regarding the individual’s abilities and approach to dealing with workplace issues.

Prior to conducting background checks, ensure that you consider your particular legal requirements, such as the Equal Employment Opportunity Commission’s (EEOC’s) best practices and state and local regulations limiting the use of criminal or credit checks.

The bottom line is that organizations should require background checks for all potential employees as well as contractors and subcontractors, and they should be investigated thoroughly as a preventative measure for insider threats.

Cole, E., & Sandra, R. (2006). Insider threat: Protecting the enterprise from sabatage and spying and theft. Rockland: Syngress.

While the insider threat in government agencies and large companies is a known problem, less is known about the insider threat to critical US infrastructure, such as water purification or nuclear power plants. To illustrate the nature of the threats, here are two examples from a Department of Homeland Security report – the Insider Threat to Utilities report.

In April 2011, a lone water treatment plant employee is alleged to have manually shut down operating systems at a wastewater utility in Mesa, Arizona, in an attempt to cause a sewage backup to damage equipment and create a buildup of methane gas. Automatic safety features prevented the methane buildup and alerted authorities who apprehended the employee without incident.

In January 2011, an employee recently fired from a US natural gas company allegedly broke in to a monitoring station of his former employer and manually closed a valve, disrupting gas service to nearly 3,000 customers for an hour.

One has to question if there is a risk that similar and more dangerous incidents will happen in the near future?

The United States Computer Emergency Readiness Team (CERT) conducted 53 onsite assessments of critical infrastructure facilities across the United States to identify vulnerabilities and three major vulnerabilities have been identified. Following are the vulnerabilities and how they can be fixed.

The first and most common problem is that there is a lack of segmentation of internal networks along with deficiencies in perimeter protections for virtual and physical enclaves. To alleviate this problem, security professional should adopt network segmentation, which is splitting a computer network into subnetworks, each being a network segment or network layer which makes internal resources far less accessible from the outside.

The second vulnerability is the lack of boundary protections in internal networks, meaning that there are too few or no firewalls between zones, and the firewall rule sets are minimal and lack auditing/verification. Implementing more firewalls with proper rule sets and effective auditing procedure place can alleviate this problem.

The third is that remote access has been identified as a primary entry point for attacks due to a bad choice and design of remote access protocols. Implementing VPN tunnels and a restricted security zone (DMZ) for connections can eliminate this risk.

In conclusion, these vulnerabilities are well known and appropriate countermeasures and protocols must be implemented to ensure critical infrastructure. We can only hope that those in charge are taking the appropriate actions.

Brdiczka, O. (2014, November 4). Insider threats in critical US infrastructure – “Let me blow you up!”



    I am an expert on cyber security and business leadership with doctoral level training.  I am also an author, speaker and trainer.


    April 2015


    Cyber Security

    View my profile on LinkedIn