Department of Homeland Security Office of Inspector General
Examining Insider Threat Risk at the U.S.
Citizenship and Immigration Services
(Redacted)
OIG-11-33 January 2011
Examining Insider Threat Risk at the
U.S. Citizenship and Immigration Services
Prepared for Department of Homeland Security
Office of Inspector General
by the Software Engineering Institute at Carnegie Mellon University
Insider Threat Center at CERT
December 2010

NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Table of Contents
Executive Summary ........................................ 1
Background ................................................ 2
Objective ................................................. 3
Scope ..................................................... 3
Assessment Process/Methodology ............................ 5
Results of Assessment ..................................... 7
    Organizational ........................................ 7
    Human Resources ....................................... 9
    Physical Security .................................... 11
    Business Processes ................................... 12
    Incident Response .................................... 14
    Software Engineering ................................. 15
    Information Technology ............................... 16
Recommendation #1: Institute an enterprise risk management plan ................. 22
Recommendation #2: Incorporate insider threat risk mitigation strategies into the Transformation effort ................. 22
Recommendation #3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats ................. 22
Recommendation #4: ................. 23
Recommendation #5: Consider separation of duties for critical business processes and their related information systems ................. 23
Recommendation #6: Conduct audit of PICS and FSN accounts for USCIS systems ................. 23
Recommendation #7: Employ consistent physical security policies for field offices and service centers, including the physical case files ................. 23
Recommendation #8: Consistently enforce exit procedures ................. 24
Recommendation #9: Examine HR screening procedures for high risk positions and FSNs ................. 24
Recommendation #10: Ensure that physical and computer access is terminated in a timely fashion ................. 24
Recommendation #11: Enforce a requirement for individual accounts on critical systems ................. 25
Recommendation #12: ................. 25
Recommendation #13: Reduce the number of privileged accounts for critical data systems ................. 25
Recommendation #14: ................. 25
Recommendation #15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review ................. 25
Recommendation #16: ................. 26
Recommendation #17: ................. 26
Recommendation #18: Periodic security refresher training should be regularly conducted and required for all employees ................. 26
Management Comments and OIG Analysis ..................... 27
Appendixes ............................................... 28
    Appendix A: Organizational ........................... 30
    Appendix B: Human Resources .......................... 37
    Appendix C: Physical Security ........................ 42
    Appendix D: Business Processes ....................... 48
    Appendix E: Incident Response ........................ 62
    Appendix F: Software Engineering ..................... 69
    Appendix G: Information Technology ................... 75
    Appendix H: Acronyms ................................ 107
    Appendix I: Management Comments to the Draft Report . 109
    Appendix J: Contributors to this Report ............. 110
    Appendix K: Report Distribution ..................... 111
CERT | SOFTWARE ENGINEERING INSTITUTE | i
Executive Summary
The U.S. Department of Homeland Security, Office of Inspector General engaged the Insider Threat Center at CERT, of the Software Engineering Institute at Carnegie Mellon University, to conduct an insider threat assessment of U.S. Citizenship and Immigration Services. The objective of the assessment was to determine how U.S. Citizenship and Immigration Services has taken steps to protect its information technology systems and data from the threats posed by employees and contractors. The assessment evaluated U.S. Citizenship and Immigration Services against approximately 400 real insider threat compromises documented in the CERT Insider Threat Case database. These cases, all prosecuted in the United States, include fraud, sabotage, and theft of intellectual property.
The assessment team performed fieldwork in the national capital region, Vermont Service Center, and U.S. Citizenship and Immigration Services Burlington offices. Due to the limited scope of the assessment, systems reviewed, and locations visited, CERT was not able to verify the institutionalization and enforcement of any U.S. Citizenship and Immigration Services policies or render an overall opinion of the effectiveness of U.S. Citizenship and Immigration Services' insider threat posture. The Office of Inspector General did not request CERT to conduct a comprehensive information systems technical security controls review or vulnerability assessment to determine the susceptibility to internal threats. The Office of Inspector General may perform an in-depth follow-up review to render an overall opinion of the effectiveness of U.S. Citizenship and Immigration Services' insider threat posture.
U.S. Citizenship and Immigration Services has made progress in implementing elements of an effective insider threat program. Specifically, it has established a Conviction Task Force to review former employees convicted of criminal misconduct within the scope of their duties; performs risk management for information technology and financial management; developed exit procedures for employees; improved protection of its facilities and assets; and adheres to formalized processes for some systems. In addition, it is implementing Homeland Security Presidential Directive 12 for physical and electronic account management.
While these efforts have resulted in some improvements, U.S. Citizenship and Immigration Services has opportunities to improve its security posture against threats posed by employees and contractors. For example, it can institute an enterprise risk management plan and incorporate insider threat risk mitigation strategies into its new business processes. It can also centralize records of misconduct and violations; institute a logging strategy to preserve system activities; implement separation of duties for adjudicative decisions; conduct audits of non-U.S. Citizenship and Immigration Services accounts; employ consistent policies for physical security; and consistently enforce employee exit procedures.
The assessment team is making 18 recommendations to the Director of U.S. Citizenship and Immigration Services to strengthen the department's security posture against malicious insider threats. USCIS concurred with all of our recommendations and has already begun to take actions to implement them. The department's response is included, in its entirety, as appendix I.
Background
The U.S. Department of Homeland Security (DHS), Office of Inspector General (DHS OIG) engaged the CERT program in the Software Engineering Institute at Carnegie Mellon University to conduct an insider threat vulnerability assessment of U.S. Citizenship and Immigration Services (USCIS). The project approaches the insider threat problem on two primary fronts:
• The human behavioral component
• The technological solution for automating prevention and detection capabilities to identify, measure, monitor, and control insider threat vectors
Insiders can be current or former employees, contractors, or business partners who have or had authorized access to their organization's systems and networks. They are familiar with internal policies, procedures, and technology and can exploit that knowledge to facilitate attacks and even collude with external attackers. CERT's research, conducted since 2001, has focused on gathering data about actual malicious insider acts, including information technology (IT) sabotage, fraud, theft of confidential or proprietary information, espionage, and potential threats to our Nation's critical infrastructures.
CERT developed an insider threat vulnerability assessment instrument for evaluating vulnerabilities to insider threat based on research to date. Because of the complexity of the insider threat problem, which involves security officers, information technology, information security, management, data owners, software engineering, and human resources, organizations need assistance in merging the wealth of available guidance into a single, actionable framework. CERT advises organizations to use this assessment instrument to help safeguard their critical infrastructure.
CERT built the assessment based on research of approximately 400 insider threat cases in the CERT Insider Threat Case database.1 These cases are a collection of real insider threat compromises, primarily fraud, sabotage, and theft of intellectual property, that have been prosecuted in the United States. Starting in 2002, CERT collaborated with U.S. Secret Service behavioral psychologists to collect approximately 150 actual insider threat cases that occurred in U.S. critical infrastructure sectors between 1996 and 2002, and examined them from both a technical and a behavioral perspective. Since that original study, CERT has continued to add cases, with funding from Carnegie Mellon's CyLab,2 bringing the case library to a total of approximately 400 cases. The instrument encompasses technical, behavioral, process, and policy issues, and is structured around information technology, information security, human resources, physical security, business processes, legal and contracting, management, and organizational issues.
1 Note that the database does not contain national security espionage cases involving classified information.
2 http://www.cylab.cmu.edu/
Objective
The objective of the insider threat vulnerability assessment was to determine how USCIS has taken steps to protect its IT systems and data from the threat posed by employees and contractors. This assessment was based on behavioral as well as technical experience and it is intended to assist USCIS in safeguarding its critical infrastructure. The assessment will:
• Enable USCIS to gain a better understanding of its vulnerability to insider threat and provide an ability to identify and manage associated risks
• Identify technical, organizational, personnel, business security, and process issues and bring them into a single, actionable framework
• Identify short-term countermeasures against insider threats
• Help guide USCIS in its ongoing risk management process for implementing long-term, strategic countermeasures against insider threats
Scope
USCIS employs approximately 18,000 government employees and contractors located at 250 offices throughout the world.3 The insider threat vulnerability assessment is intended to focus on critical systems and high-risk areas of concern that can be assessed in a 3- to 5-day timeframe. Therefore, at a pre-assessment walkthrough meeting, USCIS staff identified 3 systems of the 96 systems used by the agency as critical to its overall mission:
• Verification Information System (VIS): this public-facing system is composed of five different applications. The purpose of the system is to provide
    o Immigration status information to government benefit-granting organizations to help them determine the eligibility of aliens who apply for benefits
    o A means for private employers to perform employment eligibility verification of newly hired employees
• Computer Linked Application Information Management System (CLAIMS): This system provides the following functions:
    o CLAIMS 3 Local Area Network (C3 LAN) was originally developed to track the receipting of applicant or petitioner remittances and to produce notices documenting the remittance. C3 LAN now includes adjudication, archive, card production, case history, case transfer, on-demand reports, electronic file tracking, image capture, production statistics, status update, and electronic ingest of application data captured through the E-Filing web application and the Department of Treasury-sponsored lockbox operations.
    o C3 mainframe supports processing of USCIS applications and petitions for various immigrant benefits (e.g., change of status, employment authorization, and extension of stay).
• Fraud Detection and National Security Data System (FDNS-DS): This system was developed to identify threats to national security, combat benefit fraud, and locate and remove vulnerabilities that compromise the integrity of the legal immigration system.
3 http://www.uscis.gov/portal/site/uscis/menuitem.eb1d4c2a3e5b9ac89243c6a7543f6d1a/?vgnextoid=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD&vgnextchannel=2af29c7755cb9010VgnVCM10000045f3d6a1RCRD
It is important to note that the insider threat vulnerability assessment is limited to areas of concern observed in the hundreds of cases in the CERT Insider Threat database. People, technology, and organizations are constantly changing, and malicious insiders continue to come up with new avenues of attack in order to defeat a previously effective countermeasure. However, many of the countermeasures suggested in this report are applicable to a multitude of attack vectors.
It is also important to note that CERT's insider threat research has only explored intentional insider crimes. Accidental data leakage is an area of significant concern for organizations; however, CERT has not yet explored that aspect of insider threat. In addition, the focus of the research to date is to describe how the insider threat problem evolves over time. CERT's long-term research does include measuring the effectiveness of mitigation strategies.
Assessment Process/Methodology
An entrance conference was conducted by the DHS OIG, CERT, and USCIS on February 23, 2010. The entrance conference introduced USCIS to the CERT assessment team. Following the entrance conference, a pre-assessment walkthrough was held at USCIS headquarters on March 10, 2010. At that meeting, the CERT assessment team and the DHS OIG team explained the assessment process to representatives of USCIS. USCIS provided some documentation to the assessment team at that time and more documents throughout the assessment; those documents were reviewed to provide substantiation for findings in this report.
USCIS identified 96 systems it uses. Following the initial meeting, USCIS leadership and the assessment team chose the VIS, CLAIMS, and FDNS-DS systems because they were critical to the overall mission of USCIS. These three systems were the focus of the 5-day onsite assessment.
At the pre-assessment walkthrough, USCIS indicated that it had created a Convictions Task Force to review the activities of 10 former employees convicted of criminal misconduct within the scope of their official duties. The purpose of the task force is to identify issues these employees exploited to commit their crimes. The task force intended to develop findings and recommendations aimed at preventing similar crimes in the future. It graciously extended an invitation to the CERT and DHS OIG teams to participate. As a result, the teams observed, or reviewed transcripts of, all telephone conferences conducted by the task force. These findings are reflected in this report.
The CERT insider threat team and the DHS OIG liaison were onsite at various USCIS locations in the national capital region (NCR) from March 30 through April 1, 2010.
The DHS OIG liaisons were present at all interviews. The DHS OIG attended these interviews as an observer and assisted CERT as needed.
Face-to-face interviews were conducted with approximately 58 representatives in the NCR, followed by 32 representatives in the Vermont Service Center and USCIS Burlington offices. In addition, telephone conferences were held with staff from the Office of Security and Integrity (OSI) Investigations Division and the Security Network Operations Center (SNOC). Interviewees represented the following areas:
• Data Owners (VIS, CLAIMS, and FDNS-DS)
• Computer Sciences Corporation (CSC) (software engineering and operational support for VIS, CLAIMS, and FDNS-DS)
• OSI (Physical Security, Regional Security, Investigations, Personnel Security, Counterintelligence)
• Human Capital and Training (Training, Human Resources Operations Center, Labor Employee Relations)
• Office of Information Technology (OIT) (IT Security, Computer Security Incident Response Team, Security and Network Operations Center, Account Management, Enterprise Operations)
• Legal (Procurement Law)
• Vermont Service Center (adjudicators, data entry clerks, supervisor, directors, OIT, software engineering)
All interviews were considered confidential; no record of participating employees is included in this report or in subsequent briefings. Findings are attributed only to a group or department interviewed, a document, the Convictions Task Force telephone conferences, or direct observation.
A critical issue for USCIS is ensuring that the entire organization is risk aware, and implementing a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The assessment team was told there is no enterprise-wide risk management program at USCIS. OIT performs risk management for Information Technology (IT), and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
In addition, USCIS employees and contractors hold the keys to one of the world's most coveted kingdoms: U.S. citizenship. This makes employees and contractors attractive targets for recruitment. Because of the sensitive nature of USCIS' mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. All employees should be aware of the consequences of participating in fraud against USCIS. They should also be instructed on how to report solicitations made to commit fraud.
Transformation
Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. USCIS is relying heavily on Transformation to correct many of the problems resulting from legacy systems. This reliance on a single effort makes its effectiveness very important. The team found the Transformation effort to be a massive undertaking that appears to be implementing a very detailed project plan.
Based on the team's review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats. The assessment team reviewed five comprehensive Transformation documents as part of this assessment. The documents describe system requirements in detail. Fraud detection refers to detection of fraud perpetrated by applicants and petitioners; national security issues focus on the handling of investigations within USCIS that involve national security issues.
Again, an enterprise risk management approach should be considered when defining requirements for Transformation. Insiders at USCIS have perpetrated fraud in the past, as evidenced by the Convictions Task Force. In addition, USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States.
Training and Awareness
It is essential that security awareness training is consistently provided to all employees to ensure security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure to report concerning behavior by coworkers or others in an organization was a primary reason insiders in the CERT Insider Threat Case database continued to set up or carry out their attacks.
USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site, with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.
Human Resources
An organization's approach to reducing insider threat should focus on proactively managing employee issues and behaviors. This concept begins with effective hiring processes and background investigations to screen potential candidates. Organizations should also train supervisors to monitor and respond to behaviors of concern exhibited by current employees. Some cases from the CERT Insider Threat database revealed that suspicious activity was noticed in the workplace but not acted upon. Organizations must establish a well-organized and professional method for handling negative employment issues and ensuring that human resource policy violations are addressed.
Organizational issues related to functions shared by human resources (HR) and security personnel are at the heart of insider risk management. Employee screening and selection is vital to preventing candidates with known behavioral risk factors from entering the organization; or, if they do, ensuring that these risks are understood and monitored. Clear policy guidelines, addressing both permitted and prohibited employee behavior, are vital to risk detection and monitoring. Clear requirements for ensuring employees' knowledge of these guidelines are also essential to their success. In addition, reports of policy questions and violations need to be systematically recorded so that management, HR, and security personnel can approach case decisions with complete background information.
Analysis of these reports across individuals and departments can supply vital knowledge of problem areas beyond individual cases. Relationships in which HR, security, and management personnel collaborate as educators and consultants are vital to early detection and effective management of employees posing an insider risk. The need for clear policies, complete personnel risk data, and close management-HR-security collaboration is rarely greater than when handling employee termination issues, whether voluntary or involuntary.
Screening and Hiring Practices
Several personnel screening and hiring practices pose a risk to USCIS systems and data.
USCIS does not have a consistent procedure for deciding whether to conduct a face-to-face interview prior to hiring an applicant being screened for government employment. There was an impression at USCIS headquarters that nearly 100% of those employees hired by managers are interviewed, but representatives in Burlington, Vermont told us otherwise. This gap between perception and reality (there is not a policy stating that this must be done) is a concern. USCIS should require interviews for all positions. The interviews need to be conducted by someone involved in the day-to-day supervision of the position to be filled.
If a personal issue (e.g., substance abuse, relatively large financial indebtedness) arises during Personnel Security's (PERSEC's) screening, PERSEC may issue a letter of advisement to the candidate and clear that person for hire. PERSEC is hesitant to share negative information about applicants with USCIS because of privacy concerns. Because of these concerns, a manager may not know that someone is coming into a position with a history of alcohol and/or drug abuse, financial indebtedness, etc. The privacy wall between PERSEC and field personnel concerned with hiring is troubling. It is difficult for PERSEC representatives to indicate their concerns about potential hires if they have risk factors that do not cross adjudication guidelines for disqualification.
Foreign Service National (FSN) employees, who work at U.S. embassies and consulates abroad, have access to USCIS critical systems and data in some cases. In order to be hired and granted access to any of those systems, FSNs are vetted by the U.S. Department of State. Although the access to USCIS systems must be approved by the chief security officer (CSO) and chief information officer (CIO) for DHS, USCIS has very little visibility into the screening process for FSNs.
Exit Procedures
Exit procedures typically detail the steps that must be taken when an employee retires, resigns or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and, in some cases, are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager or Contracting Officer's Technical Representative (COTR). It also appears different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment, and improper disabling or termination of access.
Physical Security
Some insiders documented in the CERT Insider Threat Case database exploited physical security vulnerabilities. Some were able to gain access to organization facilities outside of normal working hours to steal controlled information or to exact revenge on the organization by sabotaging critical operations. Physical security can provide another layer of defense against terminated insiders who wish to regain physical access to attack. Just as with electronic security, however, former employees have been successful in working around their organization's physical security measures. It is important for organizations to manage physical security for full-time, part-time, and temporary employees, contractors, and contract laborers.
USCIS Physical Security has made significant progress protecting USCIS facilities and assets in the NCR since January 2008, when it stood up a new physical security program. Although physical security in the NCR is consistently directed and enforced by Physical Security, each field office sets its own policies and access controls.
Finally, issues concerning the security of applicants' physical case files should be considered as part of a USCIS risk management strategy.
Controlling and Monitoring Proper Access Authorization
USCIS handles the physical security and access authorization of facilities differently depending on where the facility is located. The physical security of NCR facilities is handled by one group of USCIS personnel, but the physical security of field offices falls under the Field Security Division (FSD). In some cases, a physical security representative is not located in a field office at all. When this is the case, the responsibility falls on other management personnel who may not be equipped to handle these issues properly and report them in a timely manner.
In 10 cases documented in the CERT Insider Threat Case database, the insider was able to commit a crime following termination because of failure to notify security, employees, and business partners of the termination. To control access to USCIS facilities, it is important for USCIS to compare current employees and contractors to the authorized access list in each facility's access control system. Disabling physical access to facilities when employees and contractors terminate is essential to protecting USCIS employees and facilities.
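The roster-to-access-list comparison recommended above, and the inconsistent disabling of access described under Exit Procedures, written out as an added example. This is not code from the report, from USCIS, or from any access control product; it assumes an HR export with a person ID, status and separation date, and an access-control export with one row per person and resource (a badge system or an application). All IDs, names, resources, dates and the one-day disabling deadline are constructed assumptions.

```python
"""Added example (not from the OIG report or USCIS): reconcile an HR roster
against a facility/system access-control list and flag access that should
have been removed. All IDs, names, resources and dates are constructed;
the field layout and the one-day disabling deadline are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    status: str                          # "active" or "separated"
    separated_on: Optional[date] = None


@dataclass(frozen=True)
class AccessEntry:
    person_id: str
    resource: str                        # a badge system or an application
    enabled: bool
    disabled_on: Optional[date] = None


GRACE_DAYS = 1   # assumption: access must be off by the day after separation

Finding = Tuple[str, str, str, str]     # (severity, person_id, resource, reason)


def reconcile(roster: List[Person], acl: List[AccessEntry], today: date,
              grace_days: int = GRACE_DAYS) -> List[Finding]:
    """Compare every access entry against the HR roster.

    Three failure modes from the report's text are covered:
      orphan  - access held by someone HR does not know about;
      stale   - a separated person whose access is still enabled;
      late    - access that was disabled, but after the grace period.
    """
    by_id = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for entry in acl:
        person = by_id.get(entry.person_id)
        if person is None:
            findings.append(("high", entry.person_id, entry.resource,
                             "orphan: not on HR roster"))
            continue
        if person.status != "separated" or person.separated_on is None:
            continue
        deadline = person.separated_on + timedelta(days=grace_days)
        if entry.enabled:
            overdue = max((today - deadline).days, 0)
            findings.append(("high", entry.person_id, entry.resource,
                             f"stale: still enabled {overdue} day(s) past deadline"))
        elif entry.disabled_on is not None and entry.disabled_on > deadline:
            late = (entry.disabled_on - deadline).days
            findings.append(("medium", entry.person_id, entry.resource,
                             f"late: disabled {late} day(s) past deadline"))
    return sorted(findings)


# Constructed sample exports (not real USCIS data).
ROSTER = [
    Person("E100", "A. Adjudicator", "active"),
    Person("E200", "B. Clerk", "separated", date(2010, 3, 1)),
    Person("E300", "C. Contractor", "separated", date(2010, 3, 15)),
]
ACL = [
    AccessEntry("E100", "VSC-badge", True),
    AccessEntry("E200", "VSC-badge", True),                        # badge never collected
    AccessEntry("E200", "CLAIMS3-LAN", False, date(2010, 3, 20)),  # disabled 18 days late
    AccessEntry("E300", "CLAIMS3-LAN", False, date(2010, 3, 16)),  # disabled on time
    AccessEntry("X999", "FDNS-DS", True),                          # unknown to HR
]


def run_report(today: date = date(2010, 3, 31),
               grace_days: int = GRACE_DAYS) -> List[Finding]:
    """Run the reconciliation over the constructed exports."""
    return reconcile(ROSTER, ACL, today, grace_days)


if __name__ == "__main__":
    for severity, person_id, resource, reason in run_report():
        print(f"{severity:6} {person_id:5} {resource:12} {reason}")
```

The check is deliberately run from the access-list side rather than the roster side: the cases the report describes are people who are gone from HR's point of view but still present in a badge or account system, and a roster-driven loop would never visit those entries. Feeding it the ACL export of every facility and the account list of each critical system gives the single consolidated view that the text says is missing when each field office manages its own access.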
Security of Physical Case Files
At the Vermont Service Center, the assessment team observed physical case files of benefit applicants stacked in crates in the hallways. Case files are assumed to be secure once they are contained within a Service Center, but they could be physically altered or stolen by anyone with physical access to the facility. One interviewee stated that adjudicators typically have 50 to 100 files scattered around their offices or desks. Some are tracked and some may not be. Adjudicators conduct interviews with applicants in their offices and they may leave applicants unescorted in their offices with the case files when, for instance, making copies or attending to other USCIS business. According to the same interviewee, in one field office, naturalization certificates, passports, and credit card information have been found in garbage cans in the hallway. Thirteen insiders documented in the CERT database stole physical property belonging to their organization.
Business Processes
A variety of cases from the CERT Insider Threat Case database document insider attacks in which gaps in business processes provided a pathway for attack. Enforcing separation of duties and the principle of least privilege are proven methods for limiting authorized access by insiders. Ideally, organizations should include separation of duties in the design of key business processes and functions and enforce them via technical and non-technical means. Access control based on separation of duties and least privilege, in both the physical and virtual environment, is crucial to mitigating the risk of insider attack. These concepts alone will not eliminate the threat posed by insiders; they are, however, another layer in the defensive posture of an organization.
Because of the sensitive nature of the USCIS mission, some of its employees and contractors have been targets for recruitment for theft or unauthorized modification of USCIS data. Twenty-nine percent of the insiders documented in the CERT database were recruited by outsiders to commit their crimes. Most of these insiders committed their crimes for financial gain. Critical USCIS business processes should include technical controls to enforce separation of duties and dual control to reduce the risk of insider fraud. In addition, potential vulnerabilities surround the use of the ICE Password Issuance and Control System (PICS) for authorization for critical USCIS systems. Although PICS is outside the control of USCIS, CERT recommends that USCIS explore the possibility of auditing and controlling authorizations in PICS for critical USCIS systems. Finally, account management issues related to critical systems should be considered.
Verification Information System
The Verification Information System (VIS) provides immigrant status information to both government agencies and private employers in order to verify benefit and employment eligibility. Because these functions require granting VIS access to parties external to USCIS, USCIS must issue accounts and require that those accounts be used properly. Twenty-four (6%) of the insiders documented in the CERT database were able to carry out their crimes because insiders shared account and password information, often to make their jobs easier and to increase productivity.
Modifications by VIS users to critical data are logged,
CLAIMS 3 LAN
Currently, all denied benefits applications are reviewed by a supervisor; only a subset of approved applications are reviewed. A discrepancy arose during interviews: adjudicators said that supervisors stopped looking at all denials because they are too busy. Supervisors also receive a report of all adjudication decisions entered by an adjudicator for a form type that the adjudicator does not normally approve. When adjudicators are in training, which takes place for at least 6 months on a specific type of case, they are under 100% review. A quality assurance (QA) process is also in place. One part of QA involves a supervisor pulling 10 cases per month per adjudicator to review. The supervisor examines adjudicative decision, security, and procedural issues. In another aspect of the QA, other sister USCIS Service Centers review a random selection of cases. The primary purpose of QA is to identify the need for remedial training rather than deliberate fraud. Auditing every denied request indicates that the biggest risk to USCIS is to incorrectly deny a benefit to an applicant rather than to grant a benefit to someone who does not deserve it.
FDNSDS
Incident Response
Through case analysis, CERT has noted that procedures for responding to potential insider incidents present unique challenges; an incident response plan for insider incidents differs from a response plan for incidents caused by an external attacker. In addition, inadequate detection and response to security violations could embolden the insider, making the organization even more vulnerable to an insider crime. In fact, in 18 of the cases documented in the CERT Insider Threat Case database, the organization experienced repeat insider incidents of a similar nature. Insider incident management should leverage existing security policies and formal procedures for handling policy violations. Some of the cases from the CERT Insider Threat Case database illustrate insider attacks in which an organization's lack of incident response procedures limited its ability to manage its response effort, sometimes even resulting in multiple criminal acts by the same insider.
Furthermore, 81 of the insiders documented in the CERT Insider Threat Case database displayed concerning behaviors in the workplace prior to, or while carrying out, their criminal activities online. Supervisors and employees should be trained to recognize and respond to indicators of risk for violence, sabotage, fraud, theft and other malicious insider acts. Even if it is not possible to require nonsupervisors to report concerns, this training may increase the frequency of reporting and the deterrence of insider actions.
Incident Management
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. Organizations involved include the Office of Investigations within the OSI, Labor and Employee Relations (LER), HR, Computer Security Incident Response Team (CSIRT), PERSEC, Counterintelligence (CI), COTRs, OIT, DHS OIG, Physical Security, supervisors, and possibly data owners and ISSOs. Many different parties explained how they might be involved in one aspect of an incident, but no single department coordinates these activities or conducts a holistic risk analysis of individuals who have committed violations. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. Consequently, any effort to coordinate a proactive program for insider threat mitigation would have to cross significant bureaucratic boundaries within these myriad departments of USCIS.
Software Engineering
Code Reviews
Some USCIS systems adhere to a formalized process of software engineering, using contractors with a specified level of process maturity (i.e., capability maturity model integration (CMMI) level 3),
There was even a documented case in which source code contained something inappropriate and was discovered only after the code was turned over from one contractor to another.
Insiders inserted malicious code into an operational system in 33 cases documented in the CERT Insider Threat Case database, and into source code in 10 cases. These types of crimes can have serious results, enabling insiders to conceal their actions over an extended period of time. These actions have been used to create mechanisms for committing fraud without detection and to set up future IT sabotage attacks.
Code reviews can be very time consuming, but most malicious insiders insert malicious code into production systems once they are stable and in the maintenance phase, when changes are less frequent and less substantial.
Information Technology
Account Management
Research has demonstrated that if an organization's computer accounts can be compromised, insiders have an opportunity to circumvent manual and automated control mechanisms intended to prevent insider attacks. Effective computer account and password management policies and practices are critical to impede an insider's ability to use the organization's systems for illicit purposes. In a variety of cases documented in the CERT Insider Threat Case database, insiders exploited password vulnerabilities, shared accounts, and backdoor accounts to carry out attacks. It is important for organizations to limit computer accounts to those that are absolutely necessary, using strict procedures and technical controls that facilitate attribution of all online activity associated with each account to an individual user. Furthermore, an organization's account and password management policies must be applied consistently across the enterprise to include contractors, subcontractors, and vendors who have access to the organization's information systems and/or networks.
In some areas, computer accounts are managed fairly well at USCIS. It is implementing Homeland Security Presidential Directive 12 (HSPD-12) for physical and electronic account management. In addition, most shared accounts are controlled and all actions performed using those accounts can be attributed to a single user. However, some account management lies outside the control of USCIS. This presents a high degree of risk. First of all, accounts and access for FSNs should be considered carefully by USCIS. Although FSNs must submit paperwork through proper channels, which requires authorization by the CSO and CIO of DHS, such paperwork was not submitted consistently prior to 2007. As a result, there may be active accounts for which there is little to no accounting for the creation of the account.
Although account naming conventions are dictated by DHS and the U.S. Department of State, USCIS could request a naming convention to differentiate between FSN and U.S. citizen federal employee accounts. In addition, USCIS should consistently track the authorization and creation of all USCIS accounts. To determine if unauthorized or legacy accounts exist, USCIS should consider conducting an account audit with the assistance of U.S. Department of State personnel to validate all existing FSN accounts.
Second, access to some critical USCIS systems is controlled by the Password Issuance and Control System (PICS). The purpose of PICS is to facilitate the administration of usernames and passwords to certain ICE and USCIS information systems. One area of concern regarding PICS is that it is administered by ICE, and there are more than 2,000 Local PICS Officers (LPOs) across various components of DHS. These LPOs use PICS to grant authorized access to ICE and USCIS systems for the personnel at their respective site or agency, such as local sheriffs, petitioners, Customs and Border Patrol (CBP), Department of Justice (DOJ), Transportation Security Administration (TSA), Terrorism Task Force, and DHS OIG. Each LPO can grant access to any system controlled by PICS. In other words, LPOs throughout USCIS and ICE can grant access for any of their staff to any USCIS system. Furthermore,
Given the distributed nature of account administration, it is very difficult for USCIS data owners and OIT staff to manage authorization of user accounts to USCIS critical systems. Finally, the process for communicating changes in employee status and disabling accounts varies widely among individual field offices, Service Centers, and offices in the NCR.
The application of account management practices under the control of USCIS is inconsistent. For example, disabling or terminating accounts for employees is not always completed in a timely manner upon the employee's change in status. This lack of consistency is made worse when decentralized LPOs across USCIS do not follow the same procedures. In other cases, employees are retaining access after a transfer when they should not, which requires the losing and gaining supervisors to notify proper account management personnel.
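The account audit this section calls for, reconciling active accounts against documented authorizations and personnel status changes, as an added illustration that is not code from the report or from USCIS; the record layouts, field names and sample records are assumptions constructed for the example.

```python
"""Account audit: reconcile active accounts with authorizations and HR status.

Added example, not code from the report or from USCIS. Record layouts, field
names and the sample records are assumptions constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str   # the single individual to whom the account's activity is attributed
    active: bool


@dataclass(frozen=True)
class Authorization:
    account_id: str
    approved_on: date   # date the account-creation paperwork was approved


@dataclass(frozen=True)
class PersonnelEvent:
    owner_id: str
    event: str          # "hired", "transferred" or "separated"
    effective_on: date


def audit_accounts(accounts, authorizations, events, as_of):
    """Return sorted (account_id, finding, detail) tuples for active accounts.

    Findings: no_authorization_record (legacy or unauthorized account),
    unknown_owner (no personnel record at all), active_after_separation
    (account not disabled on the owner's change in status) and
    retained_access_after_transfer (the authorization predates the owner's
    transfer, so the losing and gaining supervisors have not re-approved it).
    """
    auth_by_account = {a.account_id: a for a in authorizations}
    history = {}
    for e in events:
        history.setdefault(e.owner_id, []).append(e)
    findings = []
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are out of scope for this audit
        auth = auth_by_account.get(acct.account_id)
        if auth is None:
            findings.append((acct.account_id, "no_authorization_record",
                             "no record of who authorized creation"))
        owner_events = sorted(history.get(acct.owner_id, []), key=lambda e: e.effective_on)
        if not owner_events:
            findings.append((acct.account_id, "unknown_owner",
                             f"no personnel record for {acct.owner_id}"))
            continue
        latest = owner_events[-1]  # most recent status change decides the owner's state
        if latest.event == "separated":
            days = (as_of - latest.effective_on).days
            findings.append((acct.account_id, "active_after_separation",
                             f"{days} days after separation"))
        elif latest.event == "transferred" and auth is not None \
                and auth.approved_on < latest.effective_on:
            findings.append((acct.account_id, "retained_access_after_transfer",
                             f"authorized {auth.approved_on}, transferred {latest.effective_on}"))
    return sorted(findings)


# Constructed sample data (hypothetical ids and dates).
AS_OF = date(2010, 10, 15)

SAMPLE_ACCOUNTS = [
    Account("u-alpha", "P100", True),     # properly authorized, owner still in post
    Account("u-bravo", "P200", True),     # no creation paperwork on file
    Account("u-charlie", "P300", True),   # owner separated, account never disabled
    Account("u-delta", "P400", True),     # owner transferred after authorization
    Account("u-echo", "P500", False),     # already disabled: ignored
    Account("u-foxtrot", "P600", True),   # owner not in personnel records
]
SAMPLE_AUTHORIZATIONS = [
    Authorization("u-alpha", date(2008, 2, 1)),
    Authorization("u-charlie", date(2009, 3, 1)),
    Authorization("u-delta", date(2007, 5, 10)),
    Authorization("u-foxtrot", date(2010, 1, 5)),
]
SAMPLE_EVENTS = [
    PersonnelEvent("P100", "hired", date(2008, 1, 15)),
    PersonnelEvent("P200", "hired", date(2005, 6, 1)),
    PersonnelEvent("P300", "hired", date(2009, 2, 20)),
    PersonnelEvent("P300", "separated", date(2010, 8, 31)),
    PersonnelEvent("P400", "hired", date(2007, 5, 1)),
    PersonnelEvent("P400", "transferred", date(2010, 4, 1)),
]


def run_sample():
    """Run the audit over the constructed sample as of AS_OF."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_AUTHORIZATIONS, SAMPLE_EVENTS, AS_OF)


if __name__ == "__main__":
    for account_id, finding, detail in run_sample():
        print(f"{account_id:10} {finding:32} {detail}")
```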
Access Control
An organization's lack of sufficient access control mechanisms was a common theme in many of the insider threat cases examined by CERT. Insiders have been able to exploit excessive privileges to gain access to systems and information they otherwise would not have been authorized to access. Additionally, insiders have been known to use remote access after termination to attack an organization's internal network. Organizations should ensure network monitoring and logging is enabled for external access. Monitoring of network activity is extremely important, especially in the period between employee resignation and termination.
Given the distributed nature of access authorization via PICS, ICE, and the U.S. Department of State, non-USCIS employees and contractors could be granted access to USCIS critical systems. It is possible that the non-USCIS employees and contractors, particularly those granted access through the U.S. Department of State for access from embassies overseas, have not been through the rigorous pre-employment screening required of USCIS employees and contractors. USCIS should consider the risk these insiders pose to the protection of the critical USCIS data and systems, and implement protection mechanisms to limit the damage that these insiders might cause.
Other access control issues that should be considered by USCIS include unrestricted access to some critical systems by OIT staff, lack of consistent processes for managing employee access as they move from one department to the next within USCIS, ability to use personal computers for USCIS work, and lack of monitoring and controls for some critical system administration functions.
Protection of Controlled Information
Protecting controlled information (i.e., information that is classified, sensitive but unclassified, or proprietary) is critical to mitigating the insider threat risk to organizations. A variety of insider threat cases studied by CERT revealed circumstances in which insiders carried out an attack through the unauthorized download of information to portable media or external storage devices. In some instances, malicious insiders used email to plan their attacks or to communicate sensitive information to competitors or conspirators. Organizations must ensure that employees understand policies regarding what constitutes acceptable use of company resources, including information assets, and enforce compliance through technical means. The unauthorized exfiltration of controlled information by malicious insiders can have devastating effects on an organization.
USCIS has implemented network monitoring strategies that would detect large amounts of data downloaded or an anomalous increase in network traffic, either by total volume or type of traffic (e.g., by port or protocol). Though monitoring network traffic may help protect controlled information,
Logging/Auditing/Monitoring
Insider threat research conducted by CERT has shown that logging, monitoring, and auditing employee online actions can provide an organization the opportunity to discover and investigate suspicious insider activity before more serious consequences ensue. Organizations should leverage automated processes and tools whenever possible. Moreover, network auditing should be ongoing and conducted randomly, and employees should be aware that certain activities are regularly monitored. This employee awareness can potentially serve as a deterrent to insider threats.
The prevention of insider attacks is the first line of defense. Nonetheless, effective backup and recovery processes need to be in place and operationally effective so that if a compromise occurs, business operations can be sustained with minimal interruption. In one case documented in the CERT Insider Threat Case database, an insider was able to magnify the impact of his attack by accessing and destroying backup media. Organizations need to consider the importance of backup and recovery processes and care must be taken that backups are performed regularly, protected, and tested to ensure business continuity in the event of damage to or loss of centralized data.
Technical Security Vulnerabilities
Proactively addressing known security vulnerabilities should be a priority for any organization seeking to mitigate the risk of insider threats as well as external threats. Case studies have shown that malicious insiders, following termination, will sometimes exploit known technical security vulnerabilities that they know have not been patched to obtain system access and carry out an attack. Organizations should have a process to ensure that operating systems and other software have been hardened or patched in a timely manner when possible. Failure to address known vulnerabilities provides an insider ample opportunity and pathways for attack, making it more difficult for an organization to protect itself.
There is a primary concern in this area at USCIS. USCIS should consider the frequency with which it scans its systems for technical security vulnerabilities.
There is also another concern in this area at USCIS.
Configuration Management
Effective configuration management helps ensure the accuracy, integrity, and documentation of all computer and network system configurations. A wide variety of cases in the CERT Insider Threat Case database document insiders who relied heavily on the misconfiguration of systems. They highlight the need for stronger, more effective implementation of automated configuration management controls. Organizations should also consider consistent definition and enforcement of approved configurations. Changes or deviations from the approved configuration baseline should be logged so they can be investigated for potential malicious intent. Configuration management also applies to software, source code, and application files. Organizations that do not enforce configuration management across the enterprise are opening vulnerabilities for exploit by technical insiders with sufficient motivation and a lack of ethics.
The OIT has a configuration management policy that provides baseline software configurations for USCIS desktops and laptops. The OIT scans for incorrect, outdated, or unpatched versions of software on the approved software list. The OIT keeps track of different baselines for different contracts. Despite tracking and a rigorous configuration management policy,
Rogue software or malware is often discovered through a deliberate manual scan, rather than through an automated process. To make this task more difficult, USCIS employees with seniority or influence have been able to use local administrator privileges to install software for the sake of convenience. Concerns regarding configuration management surround the difficulty for the OIT to adequately prevent, detect, and respond to rogue software or malware using its current procedures. We suggest some considerations for leveraging existing deployments and modifying incident response practices to increase effectiveness.
Recommendations
The following 18 recommendations present actionable steps that will enable USCIS to improve its posture against malicious insider threats. These high-level strategies should be planned and implemented with the assistance of the many diverse departments within USCIS. Appendixes contain more specific recommendations that pertain to a particular department (e.g., OIT and HR). The appendixes also list the relevant parties to assist USCIS in reviewing each issue more granularly and to decide whether USCIS has resources to implement a particular recommendation.
Recommendation #1: Institute an enterprise risk management plan
USCIS must ensure that the entire organization is risk aware and implement a formal risk management process to address risk consistently and continually across the enterprise. There does not appear to be a consistent understanding of the broad spectrum of risks facing USCIS. The OIT performs risk management for IT, and Financial Management performs risk management for financial matters, but no one was aware of any enterprise-wide efforts. In addition, each field office and service center appears to operate fairly independently. It is important for those organizations to work together to identify, prioritize, and address risk. Ongoing communication between all components of USCIS will help ensure that new threats, attack vectors, and countermeasures are communicated and handled effectively by all.
Recommendation #2: Incorporate insider threat risk mitigation strategies into the Transformation effort
Transformation is a large business process reengineering effort in USCIS primarily focused on improved customer service, workflow automation, fraud detection, and national security issues. Risk management is within the scope of Transformation, but only as it pertains to automated risk scoring of applicants and to workflow management to optimize adjudicator workload. USCIS should incorporate comprehensive insider threat risk mitigation requirements into the Transformation effort.
Recommendation #3: Centralize records of misconduct and violations to better enable a coordinated response to insider threats
USCIS is a complex organization with many different components involved in detecting, tracking, investigating, and following up on employee misconduct. This complex and widely distributed business process has resulted in a situation in which it is very difficult to obtain a complete picture of an individual's insider threat risk level. USCIS should create a central repository of employee and contractor misconduct, security violations, Significant Incident Reports (SIRs), and other suspicious activity reports so repeat offenders can be easily identi
stores physical files for benefit applicants in the Vermont Service Center with no physical protection beyond the exterior building and guard controls. USCIS should evaluate current physical access procedures to determine if they adequately address risk and if they are enforced consistently across the enterprise.
Recommendation #8: Consistently enforce exit procedures
Exit procedures typically detail the steps that must be taken when an employee retires, resigns or is fired, transferred, or put on a leave of absence. These procedures for USCIS have been recently developed and, in some cases, are still under development. USCIS expects to release more formalized procedures in the next 3 months, but there is not a common understanding of the proper procedures. It appears the responsibility for ensuring that employees and contractors are properly terminated rests solely with the manager and COTR. It also appears that different managers follow different procedures to ensure that access is disabled and equipment is returned as employees and contractors leave USCIS. This gap may manifest itself in the inconsistent collection of badges, laptops, mobile devices, and other USCIS equipment, and improper disabling or termination of access. USCIS should adopt an enterprise-wide exit procedure to ensure consistent termination of all employees and contractors.
Recommendation #9: Examine HR screening procedures for high-risk positions and FSNs
Changes should be made to the USCIS hiring processes for select, high-risk positions. For example, USCIS should consider additional screening for adjudicators. USCIS should be more involved in deciding who is granted authorized access because of the sensitive nature of the systems and data that USCIS manages.
Recommendation #10: Ensure that physical and computer access is terminated in a timely fashion
USCIS should automate the revocation of employee and contractor physical access when a termination occurs. The termination checklist should include a notification to Physical Security so physical access can be disabled in a timely manner. USCIS should also review account management procedures to ensure that the steps taken to remove or alter account access are complete, understood by all relevant parties, and consistently followed.
Recommendation #11: Enforce a requirement for individual accounts on critical systems
In some cases, USCIS is aware of account sharing taking place at third-party employers who use USCIS systems to verify immigration status. To consistently identify malicious insider activity, all actions must be attributable to one and only one individual. USCIS should consider increasing the consequences for infractions, and possibly implement stronger authentication to make sharing of accounts more difficult.
Recommendation #12:
Recommendation #13: Reduce the number of privileged accounts for critical data systems
Some data systems, including FDNS DS, have a high number of privileged users. Many of these users do not need the escalated access to complete their job responsibilities. USCIS should audit the privileged user accounts and reduce those accounts commensurate with job responsibilities.
Recommendation #14:
Recommendation #15: Implement procedural and technical controls to prevent source code under development from being released without appropriate review
USCIS should consider implementing procedural and technical controls to enforce separation of duties between software engineers and the system administrators responsible for releasing changes into production systems. USCIS should consider identifying high-risk, critical software modules that could be used to carry out illicit activity. In addition, formal software development practices should be followed,
Recommendation #16:
Recommendation #17:
Recommendation #18: Periodic security refresher training should be regularly conducted and required for all employees
USCIS should reinforce security practices and procedures for all employees, especially those assigned to security roles, through Information Assurance refresher training. Though annual refresher training is mandated, it has not been completed in a timely manner for all roles. USCIS should ensure that this training is adapted to specific roles, regularly conducted and tracked, and consequences imposed for those who have not completed the training.
Management Comments and OIG Analysis
We obtained written comments on a draft of this report from the USCIS Deputy Director. We have included a copy of the comments, in its entirety, in appendix I.
USCIS concurred with our findings and recommendations and indicated that the report will be of great assistance as they seek to further strengthen internal controls in this area. In the written comments, USCIS did not provide information on how it intends to address our recommendations. Therefore, we consider our recommendations unresolved and open pending our review of USCIS' corrective action plans.
Appendixes
The following pages contain appendixes A through G that contain a complete, detailed list of findings from the assessment.
The appendixes are organized into the following sections:
Appendix A: Organizational
Appendix B: Human Resources
Appendix C: Physical Security
Appendix D: Business Process
Appendix E: Incident Response
Appendix F: Software Engineering
Appendix G: Information Technology
Appendix H: Acronyms
Appendix I: Management Comments to the Draft Report
Appendix J: Contributors to this Report
Appendix K: Report Distribution
Each section in appendixes A through G contains a brief introduction, summary of the findings for that area, and a table listing detailed findings. The tables are structured as follows:
Area of Concern | Responsible Personnel | Policy and/or Security Measure | Policy or Practice Gaps | Suggested Countermeasures
Each row represents a unique area of concern. Responsible Personnel lists the groups within USCIS that would be responsible for implementing suggested countermeasures for that area. Policy and/or Security Measure lists information related to that area of concern specific to USCIS obtained in interviews. If that column was intentionally left blank, it indicates that no evidence was provided for the existence of a policy and/or security measure. Policy or Practice Gaps describes gaps identified by interviewees or gaps noted by CERT staff. Finally, Suggested Countermeasures describes countermeasures that USCIS could implement to address a particular vulnerability.
It is important to note that all suggested countermeasures must be considered in the context of a broader risk analysis. It is not practical for most organizations to implement 100% protection against every threat to every organizational resource. Therefore, it is important to adequately protect critical information and other resources and not direct significant effort toward protecting relatively unimportant data and resources. A realistic and achievable security goal is to protect those assets deemed critical to the organization's mission from both external and internal threats.
Risk is the combination of threat, vulnerability, and mission impact. Some countermeasures in this report are intended to help USCIS recognize and understand the insider threat. Others focus on closing gaps that leave USCIS more vulnerable to insider attack. Mission impact cannot be adequately assessed by CERT through this exercise because it will vary depending on the criticality of systems and information.
The results of this insider threat vulnerability assessment should be used to develop or refine the organization's overall strategy for securing its networked systems, striking the proper balance between countering the threat and accomplishing the organizational mission.
Many of the findings in this report include the relative frequency of the issue raised in the CERT Insider Threat Case database. At the time this report was written, there were 386 cases of malicious insider activity against which the suggested countermeasure percentage is calculated. So, if a particular activity was seen in 38 of our cases, we may indicate that it was seen in 10% of the cases in the Insider Threat Case database.
CERT | SOFTWARE ENGINEERING INSTITUTE | 29
-
Ap
pen
dix
A:O
rgan
izat
ion
al
Risk
Man
agem
ent
/Co
mm
unic
atio
n/
Secu
rity
Pro
cess
Impr
ovem
ent
USC
ISis
ina
diff
icul
tpos
ition
.Pa
rto
fits
mis
sion
isto
pro
vide
cus
tom
ers
ervi
ceto
thos
ese
ekin
gim
mig
ratio
nan
dci
tizen
ship
ben
efits
from
the
U.S
.Gov
ernm
ent.
How
ever
,iti
sch
alle
ngin
gto
opt
imiz
ebu
sine
ssp
roce
sses
for
cust
omer
ser
vice
whi
lea
tthe
sam
etim
eim
plem
entin
gpr
otec
tiv
em
easu
res
toc
ount
erth
eri
skp
osed
by
gran
ting
thos
eve
ryb
enef
its.
Man
yU
SCIS
em
ploy
ees
inte
rvie
wed
for
this
ass
essm
enti
dent
ified
the
orga
niza
tion
spr
imar
yri
ska
sal
low
ing
the
next
terr
oris
tto
live
and
wor
kle
gally
inth
eU
nite
dSt
ates
.Th
eyd
esir
ehe
lpin
iden
tifyi
nga
ndim
ple
men
ting
inte
rnal
con
trol
sto
cou
nter
that
ris
k.S
ome
ofth
ein
terv
iew
ees,
how
ever
ev
ens
ome
ofth
eIS
SOs
and
data
ow
ners
fo
cuse
don
leak
ag
eof
PII
asth
eir
prim
ary
conc
ern.
Aft
erd
elvi
ngin
toth
em
atte
rw
ithth
eas
sess
men
ttea
m,t
hey
cam
eto
und
erst
and
the
risk
pos
edb
yex
po
sure
or
mis
use
ofc
ritic
ald
ata
asth
egr
eate
str
isk
face
dby
USC
IS,p
rim
arily
bec
ause
suc
ha
secu
rity
bre
ach
coul
dre
sult
ina
llow
ing
ate
rror
isti
nto
the
coun
try.
Ac
ritic
alis
sue
for
USC
ISis
ens
urin
gth
een
tire
orga
niza
tion
isr
isk
awar
e,a
ndim
plem
entin
ga
form
alr
isk
man
agem
entp
roce
ssto
add
ress
ris
kco
nsis
tent
lya
ndc
ontin
ually
acr
oss
the
ente
rpri
se.
Ther
edo
esn
ota
ppea
rto
be
aco
nsis
tent
und
erst
andi
ngo
fthe
bro
ads
pect
rum
ofr
isks
faci
ng
USC
IS.
The
asse
ssm
entt
eam
was
told
ther
eis
no
ente
rpri
sew
ide
risk
man
agem
entp
rogr
ama
tUSC
IS.
OIT
per
form
sri
skm
anag
emen
tfor
ITa
nd
Fina
ncia
lMan
agem
entp
erfo
rms
risk
man
agem
entf
orfi
nanc
ialm
atte
rs,b
utn
oon
ew
asa
war
eof
any
ent
erpr
ise
wid
eef
fort
s.I
nad
ditio
n,e
ach
field
off
ice
and
serv
ice
cent
era
ppea
rsto
ope
rate
fair
lyin
depe
nden
tly.
Itis
impo
rtan
tfor
thos
eor
gani
zatio
nsto
wor
kto
geth
erto
iden
tify,
pri
or
itize
,and
add
ress
ris
k.O
ngoi
ngc
omm
unic
atio
nbe
twee
nal
lcom
pone
nts
ofU
SCIS
will
hel
pen
sure
that
new
thre
ats,
att
ack
vect
ors,
and
cou
nte
rmea
sure
sar
eco
mm
unic
ated
and
han
dled
eff
ectiv
ely
bya
ll.
Ina
dditi
on,U
SCIS
em
ploy
ees
and
cont
ract
ors
hold
the
keys
too
neo
fthe
wor
lds
mos
tcov
eted
kin
gdom
sU
.S.c
itize
nshi
p.T
his
mak
ese
mpl
oy
ees
and
cont
ract
ors
attr
activ
eta
rget
sfo
rre
crui
tmen
t.B
ecau
seo
fthe
sen
sitiv
ena
ture
ofU
SCIS
mis
sion
,som
eof
its
empl
oyee
san
dco
ntra
ctor
s
CERT | SOFTWARE ENGINEERING INSTITUTE | 30
-
have
bee
nta
rget
sfo
rre
crui
tmen
tfor
thef
tor
unau
thor
ized
mod
ifica
tion
ofU
SCIS
dat
a.A
llem
ploy
ees
shou
ldb
eaw
are
ofth
eco
nseq
uenc
eso
fpa
rtic
ipat
ing
infr
aud
agai
nstU
SCIS
.Th
eys
houl
dal
sob
ein
stru
cted
on
how
tor
epor
tsol
icita
tions
mad
eto
com
mit
frau
d.
Are
aof
Con
cern
Resp
onsi
ble
Pers
onne
l
Polic
yan
d/or
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sEn
terp
rise
Ris
kM
anag
emen
t
USC
ISL
eade
rshi
p IS
SOs
Dat
aO
wne
rs
Info
rmat
ion
Tech
nolo
gy
Indi
vidu
alo
rgan
izat
ions
with
inU
SCIS
do
ris
km
anag
emen
trel
ated
toth
eir
part
icul
ard
omai
n.F
orin
stan
ce,I
Tdo
esr
isk
man
agem
entf
rom
an
IT
pers
pect
ive,
and
the
Fina
ncia
lMan
ag
emen
tdoe
sfin
anci
alr
isk
man
ag
emen
t.
USC
ISp
erso
nnel
sta
ted
ther
eis
no
ente
rpri
ser
isk
man
agem
entp
roce
ss
for
anal
yzin
gth
eor
gani
zatio
ns
over
al
lris
k.
We
sugg
estt
hatU
SCIS
inst
itute
an
ent
erpr
ise
risk
man
agem
ent
prog
ram
.W
ithou
tac
omm
on
visi
onfo
rri
skm
anag
emen
t,th
eIS
SOs
and
allo
rgan
izat
ions
w
ithin
USC
ISc
anno
teff
ectiv
ely
unde
rsta
ndth
eri
ske
nvir
onm
ent
and
wor
kto
geth
erto
eff
ectiv
ely
miti
gate
ris
k.
Inin
terv
iew
s,s
ome
USC
ISs
taff
,in
clud
ing
som
eIS
SOs,
dat
aow
ners
,an
dO
ITs
taff
,see
med
tov
iew
loss
of
PIIa
sth
em
osti
mpo
rtan
tins
ider
th
reat
ris
k.A
llof
the
asse
ssm
ent
ques
tions
wer
ean
swer
edin
the
con
text
ofl
oss
ofP
II.
Whe
nw
eas
ked
spec
ifica
llyw
hatt
hey
see
asth
ebi
gges
tins
ider
thre
atr
isk,
ev
eryo
nes
eem
edto
agr
eeit
isc
rea
tion
ofr
ealc
itize
nshi
pdo
cum
ents
for
peop
lew
hos
houl
dno
thav
eth
em.
In
fact
,int
ervi
ewee
sat
the
Verm
ont
Serv
ice
Cent
erc
ateg
oriz
edth
efu
nc
tions
cha
ract
eriz
edb
yth
ehi
ghes
tris
kas
follo
ws:
1)
Unl
awfu
lalie
nin
the
Uni
ted
Stat
es
gran
ted
non
imm
igra
nts
tatu
s
2)S
omeo
new
ithn
onim
mig
rant
st
atus
gra
nted
per
man
entr
esid
ency
,w
hich
mea
nsh
eor
she
can
live
and
w
ork
inde
finite
lyin
the
Uni
ted
Stat
es
Aga
in,a
nen
terp
rise
ris
km
an
agem
entp
rogr
amw
ille
nsur
eth
ate
very
one
acro
ssU
SCIS
is
wor
king
toge
ther
tom
itiga
teth
ehi
ghes
tpri
ority
ris
ks.
Ther
ear
ere
gula
tions
and
law
ssu
rrou
nd
ing
prot
ectio
nof
PII,
but
focu
sin
gpr
imar
ilyo
nth
atis
sue
can
lead
toa
fals
ese
nse
ofs
ecur
ity
ifot
her
mor
eim
port
antr
isk
ar
eas
are
give
nle
ssa
tten
tion.
CERT | SOFTWARE ENGINEERING INSTITUTE | 31
-
Area
ofC
once
rn
Resp
onsi
ble
Pers
onne
l
Polic
yan
d/or
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
san
dal
soc
anp
etiti
onfo
rre
lativ
es
The
Verm
ontS
ervi
ceC
ente
ris
im
plem
entin
gse
para
tion
ofd
utie
sfo
rpe
rfor
min
gfu
nctio
ns#
1an
d#2
ab
ove
(gra
ntin
gno
nim
mig
rant
st
atus
and
mov
ing
som
eone
from
no
nim
mig
rant
sta
tus
top
erm
anen
tre
side
ncy)
so
that
one
USC
ISa
djud
ica
tor
alon
eca
nnot
take
an
appl
ican
tfr
omu
nlaw
fult
ope
rman
entr
esi
dent
.Th
ese
two
func
tions
will
be
perf
orm
eda
tdiff
eren
tphy
sica
lloc
atio
ns2
9m
iles
apar
t.
The
Verm
ontS
ervi
ceC
ente
rhas
not
ha
dan
adj
udic
ator
who
per
form
ed
both
func
tions
#1
and
#2fo
rth
esa
me
appl
ican
t.
This
dec
isio
nde
mon
stra
tes
that
le
ader
ship
att
heV
erm
ontS
er
vice
Cen
terr
ecog
nize
sth
esi
gni
fican
tris
kof
cre
atin
gle
gal
citiz
ensh
ipd
ocum
ents
fori
llega
lal
iens
and
ista
king
ste
psto
m
itiga
teth
atr
isk.
How
ever
,our
in
side
rth
reat
ass
essm
enth
as
unco
vere
dot
her
issu
esth
at
coul
dbe
add
ress
edto
miti
gate
th
atr
isk.
Aga
in,a
form
alr
isk
anal
ysis
wou
lde
nabl
eU
SCIS
to
thor
ough
lye
xam
ine
the
issu
es
and
prio
ritiz
eco
unte
rmea
sure
sus
ing
afo
rmal
pro
cess
.Fo
rex
am
ple,
an
alte
rnat
ive
toth
eph
ysic
alm
ove
coul
dbe
toim
pl
emen
tan
audi
tmec
hani
smto
lo
okfo
rad
judi
cato
rsw
hop
er
form
edb
oth
func
tions
#1
and
#2
for
the
sam
eap
plic
ant.
Ente
rpri
seW
ide
Com
mun
icat
ion
USC
ISL
eade
rshi
p
No
evid
ence
pro
vide
d
Ther
eis
no
cons
iste
ncy
ofc
ontr
ols
from
one
ser
vice
cen
ter
toth
ene
xt.
We
wer
eto
ldth
eye
ach
oper
ate
fair
ly
inde
pend
ently
.
USC
ISw
ould
ben
efit
from
ong
oin
gco
mm
unic
atio
nsa
bout
ris
kba
sed
issu
esb
etw
een
the
ser
vice
cen
ters
.Fo
rin
stan
ce,
com
mun
icat
ions
con
cern
ing
prob
lem
s,e
ffec
tive
coun
ter
mea
sure
s,m
odifi
catio
nsto
CERT | SOFTWARE ENGINEERING INSTITUTE | 32
-
Area
ofC
once
rn
Resp
onsi
ble
Pers
onne
l
Polic
yan
d/or
Sec
urit
yM
easu
re
Polic
yor
Pra
ctic
eG
aps
Sugg
este
dCo
unte
rmea
sure
sbu
sine
ssp
roce
sses
,or
idea
sfo
rco
unte
ring
incr
ease
dri
skc
ould
le
adto
an
impr
oved
ris
kpo
stur
efo
rth
een
tire
USC
ISe
nter
pris
e.
Area of Concern: Continual Security Process Improvement
Responsible Personnel: USCIS Leadership, ISSOs, Data Owners, Information Technology
Policy and/or Security Measure: The USCIS Convictions Task Force is an excellent forum for analyzing past criminal cases and determining measures that should be instituted to prevent similar crimes in the future.
Policy or Practice Gaps: There is no process for following up on a case after the Office of Special Investigation (OSI) finishes an investigation. The Convictions Task Force is the only process we found for formal tracking, analysis, and process improvement based on actual incidents. The assessment team asked various groups if there is any follow up to incidents, for instance implementing automated scripts or controls to detect the same incident in the future. The team could not find a single person who knows of such an activity. Many examples of employee misconduct cited to the assessment team could easily have been detected or even prevented via automated controls. In addition, there is no mechanism for communicating issues outside of a given service center.
Suggested Countermeasures: In nearly 25% (91) of the cases in the CERT Insider Threat Case database, the insider was able to carry out the crime because of inadequate auditing of critical processes; in 28 of these cases, it was because of inadequate auditing of irregular processes. In 29 of the cases, the organization had repeated incidents of a similar nature. Automated scripts are an excellent mechanism for detecting suspicious transactions as well as honest mistakes. USCIS should consider a formal process for analysis of the OSI's findings and the development of automated checks implemented nationally.
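The two detective controls suggested above, an audit mechanism that flags an adjudicator who performed both functions #1 and #2 for the same applicant, and an automated script that runs such checks routinely instead of relying on one-off follow-up, can be illustrated with a small separation-of-duties audit. The code below is an added example and is not part of the CERT report or any USCIS system; the log line format, the field names (adjudicator, applicant, function) and the sample log are constructed assumptions about what an adjudication system might record.

```python
"""Separation-of-duties audit over constructed adjudication log lines.

Added illustration, not code from the CERT/USCIS report. It flags every
(adjudicator, applicant) pair where one person performed all of the
functions that policy says must be split between two people, and it
counts malformed lines instead of crashing on them, since an audit that
silently dies on bad input is itself a gap.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample audit log (not real data). One line per adjudication
# action; the field names are assumptions, not a known USCIS log format.
SAMPLE_LOG = """\
2010-11-03T09:12:44Z adjudicator=adj-001 applicant=A-1001 function=1
2010-11-03T09:40:10Z adjudicator=adj-002 applicant=A-1001 function=2
2010-11-03T10:05:31Z adjudicator=adj-003 applicant=A-1002 function=1
2010-11-04T14:22:07Z adjudicator=adj-003 applicant=A-1002 function=2
2010-11-04T15:01:00Z adjudicator=adj-004 applicant=A-1003 function=1
2010-11-05T08:30:12Z adjudicator=adj-004 applicant=A-1003 function=1
2010-11-05T09:11:45Z adjudicator=adj-003 applicant=A-1004 function=2
2010-11-05T09:15:02Z adjudicator=adj-005 applicant=A-1004 function=1
this line is malformed and must not crash the audit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) adjudicator=(?P<adj>\S+) applicant=(?P<app>\S+) function=(?P<fn>\d+)$"
)

# (timestamp, adjudicator, applicant, function number)
Record = Tuple[str, str, str, int]


def parse_log(text: str) -> Tuple[List[Record], int]:
    """Parse log lines; return (records, number of unparseable lines)."""
    records: List[Record] = []
    bad = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad += 1          # keep going; report the count at the end
            continue
        records.append((m["ts"], m["adj"], m["app"], int(m["fn"])))
    return records, bad


def find_sod_violations(records: Iterable[Record],
                        functions: Tuple[int, ...] = (1, 2)) -> List[Tuple[str, str]]:
    """Return sorted (adjudicator, applicant) pairs where a single adjudicator
    performed every function in `functions` for that applicant.

    Repeating the same function twice is not a violation; only covering the
    whole set that policy requires to be split between people is.
    """
    seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for _, adjudicator, applicant, function in records:
        seen[(adjudicator, applicant)].add(function)
    required = set(functions)
    return sorted(key for key, done in seen.items() if required <= done)


def audit(text: str) -> Dict[str, object]:
    """Run the whole check over raw log text and summarize the result."""
    records, bad = parse_log(text)
    violations = find_sod_violations(records)
    per_adjudicator: Dict[str, int] = defaultdict(int)
    for adjudicator, _ in violations:
        per_adjudicator[adjudicator] += 1
    return {
        "records": len(records),
        "unparseable": bad,
        "violations": violations,
        "per_adjudicator": dict(per_adjudicator),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    print(f"parsed {result['records']} records, {result['unparseable']} unparseable")
    for adjudicator, applicant in result["violations"]:  # type: ignore[union-attr]
        print(f"SoD violation: {adjudicator} performed both functions for {applicant}")
```

On the constructed log this reports one violation, adj-003 on applicant A-1002, and one unparseable line. A per-adjudicator count is returned so that a reviewer can distinguish an isolated mistake from a pattern, which is the kind of trend analysis the report says the Convictions Task Force currently does by hand.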
Area of Concern: USCIS Employees are Potential Targets for Recruitment
Responsible Personnel: Human Resources, Physical Security
Policy and/or Security Measure: No evidence provided
Policy or Practice Gaps: Some USCIS employees interviewed have received a request for assistance from a friend, relative, or stranger seeking to promote a case for some form of applicant. One adjudicator said he does not tell others who he works for. However, the distinctive green parking sticker on his car could, in a small town like Burlington, VT, reveal the identity of his employer. USCIS personnel are therefore unusually vulnerable to solicitation by outsiders.
Suggested Countermeasures: Twenty-nine percent of the insiders in the CERT Insider Threat Case database were recruited by outsiders to commit their crimes. USCIS should consider increasing the security awareness training provided to USCIS employees and contractors. The training should be continuous, including portions intended to raise awareness of the potential target that USCIS employees present. All employees should be aware of the consequences of participating in fraud against USCIS as well as how to report solicitations made to commit fraud.
Area of Concern: Transformation
Responsible Personnel: USCIS Leadership, Data Owners, Information Technology, Human Resources
Policy and/or Security Measure: Transformation is a large business process reengineering effort in USCIS that is primarily focused on improved customer service and fraud detection. For example, the assessment team was told that Transformation will automatically validate data in CLAIMS against other external systems (e.g., ICE and FBI), and that security requirements and controls have been identified by current C3 LAN data owners.
Policy or Practice Gaps: Transformation was mentioned in most interviews for this assessment. It appears that USCIS is relying heavily upon Transformation to correct many of the problems resulting from legacy systems. However, it is unclear whether internal personnel security and information security concerns will be included in this program. Reading the Transformation requirements documentation, it is not clear that insiders are considered in the security requirements for prevention and detection of fraud or national security in USCIS systems.
Suggested Countermeasures: This reliance on a single effort makes the effectiveness of this effort very important. USCIS should consider the Transformation project from an enterprise-wide perspective. It is important for it to use a formal requirements gathering process in order to effectively mitigate both internal and external threats. Personnel security should be included, as well as information security, to ensure that the appropriate internal controls are in place to reduce the risk posed by malicious insiders.
Training and Awareness
It is essential that security awareness training be consistently provided to all employees to ensure that security policies and practices are institutionalized throughout an organization. Many times, coworkers and supervisors are the first people to observe concerning behavior exhibited by malicious insiders. Failure by coworkers or others in an organization to report concerning behavior was a primary reason insiders in the CERT Insider Threat Case database were able to set up or carry out their attacks. USCIS should continue to provide security awareness training to all employees and contractors across the globe. This training should be consistently applied to each site, with a consistent message of security of USCIS people, systems, and data. It is imperative that all USCIS employees be responsible for achieving the mission of USCIS and protecting the critical assets to the highest extent possible.
Area of Concern: Training or Skills Required of Those in Appointed Security Roles
Responsible Personnel: USCIS Leadership
Policy and/or Security Measure: USCIS has a training process through an in