Combatting Insider Threat

Convergence technology takes into account a malicious insider

The recent disappearance of Egypt Air Flight MS804 on May 19 has once again highlighted the issue of insider threat at airports. While the cause of this incident remains under investigation, airports around the world are reviewing procedures. You may recall that the Metrojet crash, widely thought to be the result of an insider incident, also originated in the same part of the world. However, this insidious threat is not limited to faraway lands. We all need to realize that it lurks in the very places we live.

The CERT Division of the Software Engineering Institute (SEI) at Carnegie Mellon University defines Insider Threat as follows: “A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.”

Recent incidents, both domestic and abroad, have galvanized the need and expectation to extend screening and monitoring to trusted individuals within the airport community. Deploying an effective technological platform that ties key airport systems together for credential management and behavior monitoring plays a key role in the overall security response.

Contrary to the impression many have, airport and aviation leaders, together with government agencies, are taking this threat seriously. In early 2015, in response to weapons smuggling incidents among airline baggage handlers at a major U.S. airport, the Transportation Security Administration (TSA) requested that the Aviation Security Advisory Committee (ASAC) re-evaluate airport employee screening to address risk from employees and contractors. The ASAC working group responded with recommendations for key improvements to airport security concerning insider threat, advantageous security deployment and disruptive tactical methodologies. However, with the stakes so high, airports and airlines together need to speed up the adoption of emerging technologies, including software that will help mitigate this threat.

Insider threat is a vulnerability that has become easy to exploit while much of the focus at airports is on countering external threats. Terrorists and other perpetrators recognize this major loophole in security and are relentlessly pushing the limits of security breaches at airports.

Insider threat comes in many shapes and forms at airports, but the perpetrator is often the same: an intelligent airport employee. In a malicious attack, this employee misleads the employer into believing he or she can be trusted, sometimes with control over an entire physical security system. In an unintentional incident, an employee endangers the organization’s critical infrastructure through human error or recklessness. Unbeknownst to many, insider threat poses greater potential damage to our critical infrastructure, including our physical, logical and security systems, than the external threats that receive most of the attention at commercial and non-commercial airports alike. Insiders have privileged access to airport processes and procedures, access to secured areas, and inside knowledge of an airport’s vulnerabilities.

Airports have continued to spend millions of dollars on greater security measures, including tighter security checkpoints, facial recognition software, full-body scanners, access control systems, intrusion detection systems, alarms, closed-circuit video surveillance and more security personnel. While these measures provide additional layers of security, they largely address external physical threats, with minimal protection against threats that arise from within the airport organization. Effective airport security requires a multi-faceted approach to address a myriad of threats, both external and internal. It is helpful to explore the facets that make up the spectrum of true security at airports.

THE TRUTH ON INSIDER THREAT RESPONSE

The Department of Homeland Security (DHS) and TSA have collectively invested a great deal of time, effort and energy in laying the foundation for the security of Critical Infrastructure and Key Resources to ensure the safety and security of our nation, including our airports. While efforts to secure our nation and its airports have been successful, the ever-evolving threat landscape and the persistence of hostile actors have required airports to incorporate innovative and unique security measures.

Insider threat is a crucial aspect of security that requires a heightened, innovative approach. While airports have made great strides in securing the ‘front door’ through increased passenger screening and related efforts, the greatest threat to airports remains largely unaddressed. The ever-increasing number of incidents at airports, combined with documented studies, reinforces this statement. Recent studies and information obtained by DHS, the FBI and other agencies indicate that insiders are not only used by terrorists to gain access to sensitive information and targets, but that insiders themselves are carrying out their own attacks on critical airport infrastructure.

Responding effectively to insider threat at airports requires dynamic risk management and the use of cutting-edge tools and technology. Such technology produces smarter security and removes the reliance on manual, siloed (disconnected) and error-prone processes.

INSIDER THREAT AT AIRPORTS HAS EVOLVED

An “insider” can swiftly cause a chain of devastation to airport infrastructure, leaving little trace until the damage manifests. The far-reaching effects of insider threat at airports have damaged critical physical and logical systems and eroded public confidence in airport security.

Just a couple of months ago, in March 2016, an airline flight attendant was caught trying to smuggle two suitcases loaded with drugs through an airport checkpoint, using her insider status to avoid X-ray screening. The greater concern is that contraband smuggled this way could contain far more dangerous materials, with a potentially tragic outcome.

Such incidents are not a new development. In 2008, an elevator mechanic was arrested for smuggling at least 17 illegal immigrants, including two with criminal records; he was suspected of being part of a larger smuggling ring that used him to gain access to restricted areas at Los Angeles Airport. In September 2009, Najibullah Zazi, a 24-year-old Afghan immigrant and former Denver airport shuttle-van driver, was arrested on federal terrorism conspiracy charges.

In 2010, a customs agent at Atlanta International Airport was accused of using his badge to smuggle guns and drug money in and out of the secured areas of the airport.

At Chicago O’Hare Airport, the owner of a temporary employment agency (a contractor to the airport) was found to have manufactured dozens of fake security badges for her staff, most of whom were in the country illegally, allowing them to work in the secure area of the airport. While the motive was simply to put people to work who could not qualify for a legitimate badge because of their immigration status, the case highlights the serious risk a trusted contractor can create for an airport.

In another recent case, the fraudulent acquisition of security badges by illegal immigrants highlighted a major vulnerability in verifying the actual identity of employees. A sting operation at a New York airport resulted in 12 employees being charged with using forged immigration documents to establish their identity and thereby obtain airport security badges. While this does not constitute a terrorist ring, it does demonstrate that individuals can be granted access to secure areas under the pretense of legitimate means.

Taken together, these incidents, among a multitude of others, highlight the ease with which insiders reach airport infrastructure and the weaknesses in the processes by which employees are screened to work at airports. It is apparent that grave loopholes in security lie within the airport landscape and require immediate resolution.

THE NEED FOR A RESOLUTION TO SECURITY APPROACH AND METHODOLOGY

Across the spectrum of airport environments, airports more often take a “manage risk” approach than a “prevention” approach. In a manage-risk approach, once a threat manifests itself, airport personnel contact the respective TSA and other personnel to handle the matter. Many times, while a resolution is being sought, staff shut down entire security checkpoints and block off sterile areas, disrupting flights and halting airport operations. The reality is that with a refined approach, most instances of threat and risk at airports could be prevented.

A proactive prevention approach is the most practical approach to the resolution of incidents at airports today. As technology becomes more sophisticated, airports must keep pace with it, and with the growing sophistication of insider threat behavior. The methods by which most airports currently resolve threat issues are outdated, slow and simply not enough to keep up. This is why we need to advocate for change within our airports toward a more refined, innovative approach to securing airport infrastructure. Automation is a key component of this approach.

HOW LIMITED SECURITY MAKES THE NEED FOR AUTOMATION EVIDENTLY CLEAR

The enemy capable of the greatest harm may not be a terrorist organization. Rather, it may be an intelligent threat actor within your own airport environment; it could be your most reliable, hardworking employee. Many cases of espionage come without warning, and even a background check cannot predict a hidden criminal agenda. Reliance on manual detection of threat, insider or outsider, is no longer a viable and practical solution for airports.

It is clear that current approaches to preventing and mitigating insider threat at airports, including the credentialing, badging and vetting processes, are somewhat limited. The Security Threat Assessment (STA) and Criminal History Record Check (CHRC) performed as part of vetting and credentialing are sound measures that run before authorized credentials are issued, but they are point-in-time checks. Continuous risk monitoring of what credentialed personnel actually do, combined with continuous vetting, is what provides a more comprehensive method of managing insider threat.

A more thorough and comprehensive approach to insider threat management is derived from state-of-the-art advancements in technology, and from the solutions and experience of other airports that are already monitoring and managing insider threat successfully. This approach goes beyond traditional physical screening and threat profiling by using intelligence and information from existing systems to detect and monitor insiders with intent to harm. Such a solution includes a risk-based methodology that gives special focus to insider behavior around higher-risk assets, such as high-risk flights. A further capability is to connect seemingly unrelated acts of suspicious behavior, analyzing data and patterns to uncover emerging threats, together with the ability to manage and mitigate these situations. It is important to note that no measure, technological or not, will completely eliminate insider threat. Technology can, however, put powerful measures in place that act as a strong deterrent and reduce the probability of terrorism or other harmful activity by an insider.

CHALLENGES AT AIRPORTS

Airport environments are abundant with pain points, but the good news is that there are proven, effective methodologies that resolve them. Common pain points include the management of multiple identities across the entire airport landscape, document management for critical airport processes, and the resolution of lost, stolen or expired badges. We address some of these pain points below.

Repeat badge swipe attempts, including after hours: The airport environment is abundant with security access doors and vehicle gates, each with its own assigned access rights. Situational awareness technology now helps by detecting repeated denied attempts to access secured areas at the airport. When such a pattern is detected, an alert is generated in the system for real-time response.

Where a badge holder repeatedly attempts to gain access to a secured area, the system monitors these access attempts for suspicious behavior. The attempts may be at a single door or vehicle gate, or spread across multiple doors or vehicle gates; a badge that is denied once at each of several doors only shows up as a pattern when those doors are monitored together.

Monitoring of behavior anomalies: Many critical areas of airports are restricted to staff who have been granted specific access, but it is not uncommon for employees to attempt to open doors to which they have no access. The reasons range from looking for a shortcut through the airport, to believing that access to one door extends to others, to actual insider threat activity. Whatever the reason, it is important to monitor all types of suspicious behavior within the airport, from the process standpoint to the actual physical entry attempt.

Security convergence technology aids in detecting blended threats across all systems and linking them to suspicious behavioral patterns. To determine the next action or resolution when a pattern of suspicious behavior is detected, convergence technology issues real-time automated resolution alerts to security personnel while simultaneously denying access to secured areas.

Resolution of stolen, lost or expired badges across all airport systems: Attempts to use an expired, lost or stolen security badge at a vehicle gate, access door or other access point are not uncommon. What is not common, however, is effective resolution of the discrepancies between physical access control systems (PACS) regarding such badges. Because of the number of different PACS and logical systems within an airport environment, it is difficult for security staff to manually monitor, across all systems, which badges are stolen, lost, expired or unreturned.

For instance, the system proactively monitors badge status for any suspended badge and determines whether such badges are still being presented, or still being accepted, at doors and gates. A suspended badge that a PACS still accepts means the revocation has not reached that system. If such an event is detected, an alert is generated for real-time response.
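Concretely, here is how the three checks described above (repeated denials across doors, after-hours denials, and use of a suspended or expired badge) look when written as correlation rules over badge events collected from more than one PACS. This is an added example, not AlertEnterprise code and not from any airport deployment; badge numbers, door and gate IDs, timestamps, the 22:00 to 05:00 after-hours window and the data layout are all assumptions.

```python
"""Added example (not AlertEnterprise code): PACS badge-event correlation rules."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Badge numbers, door/gate IDs and timestamps are
# hypothetical; BADGE_STATUS is what the badging office currently records.
BADGE_STATUS = {
    "B1001": "ACTIVE",
    "B1002": "ACTIVE",
    "B2077": "SUSPENDED",  # reported lost, suspended by the badging office
    "B3150": "EXPIRED",
}

EVENTS = [  # (timestamp, badge, door or gate, reader decision)
    ("2016-06-01T08:02:10", "B1001", "D-T1-SIDA-04", "GRANTED"),
    ("2016-06-01T08:05:31", "B1002", "D-T1-SIDA-04", "DENIED"),
    ("2016-06-01T08:06:02", "B1002", "D-T1-SIDA-05", "DENIED"),
    ("2016-06-01T08:06:40", "B1002", "G-RAMP-02", "DENIED"),
    ("2016-06-01T14:30:00", "B1001", "D-T1-SIDA-04", "DENIED"),
    ("2016-06-01T23:12:08", "B1001", "D-T2-AOA-11", "DENIED"),
    ("2016-06-01T23:40:55", "B2077", "G-RAMP-02", "GRANTED"),  # suspended badge still accepted here
    ("2016-06-02T03:15:20", "B3150", "D-T1-SIDA-05", "DENIED"),
]


def _parse(events):
    """Normalise raw tuples to (datetime, badge, door, result), oldest first."""
    return sorted((datetime.fromisoformat(ts), b, d, r) for ts, b, d, r in events)


def repeat_denials(events, threshold=3, window=timedelta(minutes=10)):
    """Badge with `threshold` or more denials inside `window`, counted across
    every door and gate rather than per reader: one denial at each of three
    doors looks innocent at each reader and suspicious only when joined."""
    denials = defaultdict(list)
    for ts, badge, door, result in _parse(events):
        if result == "DENIED":
            denials[badge].append((ts, door))
    alerts = []
    for badge, hits in denials.items():
        for i, (start, _) in enumerate(hits):
            burst = [h for h in hits[i:] if h[0] - start <= window]
            if len(burst) >= threshold:
                alerts.append({"rule": "REPEAT_DENIAL", "badge": badge,
                               "doors": sorted({d for _, d in burst}),
                               "first": start.isoformat()})
                break  # one alert per badge per burst is enough for triage
    return alerts


def after_hours_denials(events, start_hour=22, end_hour=5):
    """Denials between `start_hour` and `end_hour` local time. The shift window
    is an assumption; a real deployment would take it from rostering data."""
    return [{"rule": "AFTER_HOURS_DENIAL", "badge": b, "door": d, "time": ts.isoformat()}
            for ts, b, d, r in _parse(events)
            if r == "DENIED" and (ts.hour >= start_hour or ts.hour < end_hour)]


def inactive_badge_use(events, status=BADGE_STATUS):
    """Any presentation of a badge the badging office no longer lists as ACTIVE.
    A GRANTED result means that PACS never received the revocation and the
    badge must be disabled there immediately, so it is rated higher."""
    alerts = []
    for ts, b, d, r in _parse(events):
        s = status.get(b, "UNKNOWN")  # a badge the office never issued is also worth a look
        if s != "ACTIVE":
            alerts.append({"rule": "INACTIVE_BADGE_USE", "badge": b, "status": s,
                           "door": d, "result": r, "time": ts.isoformat(),
                           "severity": "HIGH" if r == "GRANTED" else "MEDIUM"})
    return alerts


def run_all(events, status=BADGE_STATUS):
    return repeat_denials(events) + after_hours_denials(events) + inactive_badge_use(events, status)


def alerts_by_badge(alerts):
    """Roll-up for the 'multiple alerts by the same individual' view."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["badge"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
    print(alerts_by_badge(run_all(EVENTS)))
```

On the constructed data the rules fire on badge B1002 for probing three different doors inside two minutes, on the suspended badge B2077 because one gate still accepted it, and twice on the expired badge B3150, which is the kind of repeat offender the per-badge roll-up is meant to surface. The rules only work because events from every PACS are normalised into one stream first; run per system, B1002 would show a single harmless denial at each door.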

AlertEnterprise offers an automated solution for credible, reliable and immediate detection of insider threat. It has a dual-focused objective: to monitor threats from intelligent actors while reducing the scope for human error, and to improve the resiliency and stability of your organizational processes.

AN EFFECTIVE RESPONSE TO INSIDER THREAT AND INCIDENT MANAGEMENT

Insider threat is difficult to detect. Most organizations will not realize an insider has acted until after the damage is done, especially when they rely on manual processes to detect the threat.

State-of-the-art software that can monitor privileged user activity, correlate IT access with physical access, and conduct frequent background checks is key to preventing insider threat. The ability to conduct risk analysis before provisioning access is a crucial component of prevention. In addition, immediate removal of physical access to facilities and critical assets upon an employee’s termination is one of the best ways to prevent insider incidents. This state-of-the-art software is the AlertEnterprise Insider Threat Solution.

AlertEnterprise provides true security against insider threat through unique Situational Awareness and predictive analytics capabilities. To safeguard physical, logical and control systems, AlertEnterprise technology provides risk modeling and insider threat prevention capabilities that automate access review for all types of risk analysis. The technology delivers situational awareness through situation and incident management, reporting and remediation, leveraging multi-level workflow notification across all existing systems.

By analyzing behavior across IT, physical and control systems, the technology enables an airport organization to discover and resolve potential incidents before they evolve into serious threats.
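As an added example (not AlertEnterprise code), the two cross-system correlations named above, an IT login checked against physical presence and a termination checked against still-active access, written against constructed HR, PACS and directory records. User names, hosts, dates and the record layout are assumptions made for the example.

```python
"""Added example (not AlertEnterprise code): correlate HR status, PACS badge
events and IT logins to find access that should not exist."""
from datetime import datetime

# Constructed sample data; user names, hosts and dates are hypothetical.
HR = {  # what HR says about each person
    "jdoe":   {"status": "ACTIVE"},
    "asmith": {"status": "TERMINATED", "effective": "2016-05-31"},
    "rlee":   {"status": "ACTIVE"},
}
BADGES = {"jdoe": "ACTIVE", "asmith": "ACTIVE", "rlee": "ACTIVE"}      # PACS view
ACCOUNTS = {"jdoe": "ENABLED", "asmith": "ENABLED", "rlee": "ENABLED"}  # directory view

PHYSICAL = [  # (timestamp, user, direction) at the airport's badge readers
    ("2016-06-01T07:55:00", "jdoe", "IN"),
    ("2016-06-01T16:10:00", "jdoe", "OUT"),
    ("2016-06-01T09:02:00", "asmith", "IN"),
]
LOGICAL = [  # (timestamp, user, host, where the host sits)
    ("2016-06-01T08:10:00", "jdoe", "bhs-ws-03", "ONSITE"),
    ("2016-06-01T18:45:00", "jdoe", "bhs-ws-03", "ONSITE"),  # after badging out
    ("2016-06-01T09:30:00", "asmith", "soc-ws-01", "ONSITE"),
    ("2016-06-01T10:00:00", "rlee", "vpn-gw-01", "REMOTE"),
]


def present_at(user, when, physical=PHYSICAL):
    """True when the user's most recent badge event at or before `when` (ISO
    string) was an entry. Needs exits to be badged too, as anti-passback
    readers enforce; with entry-only readers this check degrades to 'seen today'."""
    cutoff = datetime.fromisoformat(when)
    last = None
    for ts, u, direction in sorted(physical):
        if u == user and datetime.fromisoformat(ts) <= cutoff:
            last = direction
    return last == "IN"


def logins_without_presence(logical=LOGICAL, physical=PHYSICAL):
    """An interactive login on an on-site host by someone PACS says is not in
    the building: shared credentials, tailgating, or a bypassed reader.
    Remote logins are out of scope for this rule."""
    return [{"rule": "LOGIN_WITHOUT_PRESENCE", "user": u, "host": h, "time": ts}
            for ts, u, h, zone in logical
            if zone == "ONSITE" and not present_at(u, ts, physical)]


def orphaned_access(hr=HR, badges=BADGES, accounts=ACCOUNTS,
                    physical=PHYSICAL, logical=LOGICAL):
    """Terminated staff should hold neither an active badge nor an enabled
    account; any use of either after the effective date is an incident."""
    alerts = []
    for user, rec in hr.items():
        if rec["status"] != "TERMINATED":
            continue
        effective = datetime.fromisoformat(rec["effective"])
        if badges.get(user) == "ACTIVE":
            alerts.append({"rule": "ORPHANED_BADGE", "user": user})
        if accounts.get(user) == "ENABLED":
            alerts.append({"rule": "ORPHANED_ACCOUNT", "user": user})
        used = [ts for ts, u, *_ in physical + logical
                if u == user and datetime.fromisoformat(ts) >= effective]
        if used:
            alerts.append({"rule": "POST_TERMINATION_ACTIVITY", "user": user,
                           "events": len(used), "first": min(used)})
    return alerts


if __name__ == "__main__":
    for alert in logins_without_presence() + orphaned_access():
        print(alert)
```

On the constructed data jdoe's 18:45 login is flagged because the last badge event before it was an exit, and asmith, terminated on May 31, still holds an active badge and an enabled account and used both on June 1. Neither finding is visible to the PACS, the directory or HR on its own; each system's view is internally consistent, and the gap only appears when the three are joined.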

Case study from a large U.S. commercial airport. The AlertEnterprise system deployed at a large U.S. commercial airport identifies behavioral trends and provides statistical information to monitor/manage:

Suspicious behavior – Multiple alerts by the same individual

Criminal activity – Use of revoked/destroyed cards

Security violations – Piggybacking and unauthorized escorting

Operational and procedural issues – Door and alarm malfunctions

Number of alerts over a daily/weekly/monthly time period

A key observation from this implementation is that automated monitoring of insider threat produces a record of success in security management, both in terms of a reduction in the overall threat to airport security and enhanced efficiency in airport processes.

COSTS OF AUTOMATION

How expensive is it really to automate your processes? You can answer that by asking what value your airport places on preventing insider threat. Security personnel who have experienced insider threat incidents can tell you that the costs of managing an insider incident far outweigh the cost of automating the protection of your critical infrastructure.

For many industries, the cost of automation proves to be a more practical and feasible approach than managing an insider threat incident after it has occurred. Operating systems in existing silos is expensive.

On top of that, managing the processes, procedures and people required to control access points, databases and systems is essential to the protection of airport infrastructure, since the systems themselves do not naturally interact with one another. AlertEnterprise delivers a single unifying application with a dual-focused objective: to bridge those gaps while eliminating redundant spending.

Can we really afford not to protect our airports against insider threat? The complexities of insider threat detection are spread widely across the airport enterprise and become an overwhelming task without innovative technology to assist in the effort.

This article originally appeared in the September 2016 issue of Security Today.
