Combatting Insider Threat
Convergence technology takes into account a malicious insider
The recent disappearance of Egypt Air Flight MS804 on May 19
has once again highlighted the issues of insider threat at airports.
While the cause of this incident remains under investigation, airports
around the world are reviewing procedures. You may recall that the
unfortunate Metro Jet crash, widely thought to be the result of an
insider incident, also originated in the same part of the world. However, this insidious
threat is not limited to faraway lands. We all need to realize that it lurks here
in the very places we live.
The CERT Division of the Software Engineering Institute (SEI) at Carnegie
Mellon Institute defines Insider Threat as follows: “A malicious insider threat to
an organization is a current or former employee, contractor, or other business
partner who has or had authorized access to an organization’s network, system, or
data and intentionally exceeded or misused that access in a manner that negatively
affected the confidentiality, integrity, or availability of the organization’s information
or information systems.”
Recent incidents both domestic and abroad have immediately galvanized the
need and expectation to extend screening and monitoring of trusted individuals
within the airport community. Deploying an effective technological platform to tie
key airport systems together for credential management and behavior monitoring
plays a key role in the overall security response.
Contrary to the impressions many have, airport and aviation leaders, together
with government agencies, are taking this threat seriously. In early 2015, in
response to weapons smuggling incidents amongst airline baggage handlers at a
major U.S. Airport, the Transportation Security Administration (TSA) requested
that the Aviation Security Advisory Committee (ASAC) re-evaluate airport employee
screening to address risk from employees and contractors. The ASAC work
group did respond with recommendations for key improvements to airport security
concerning insider threat, advantageous security deployment and disruptive
tactical methodologies. However, with the stakes being so high, airports and airlines
together need to speed up the adoption of emerging technologies, including
software that will help mitigate this threat.
Insider Threat is a vulnerability that has become easy to exploit when much of
the focus at airports is to counter external threat. Terrorists and other perpetrators
recognize this major loophole to security and are relentlessly pushing the limits of
security breaches at airports.
Insider threat comes in many shapes and forms at airports, but the perpetrator
is often the same: an intelligent airport employee. In a malevolent attack, this
employee will mislead an employer into thinking the employee can be trusted,
sometimes with control over an entire physical security system. In an unintentional
attack, it is an employee who threatens the critical infrastructure of an organization
often via human error or recklessness. Much of the focus at airports
(commercial and non-commercial) is to counter external threat. Unbeknownst to
many, insider threat poses greater damage to our critical infrastructure, including
to our physical, logical and security systems. Insiders have privileged access to
airport processes and procedures, access to secured areas, and the inside scoop on
an airport’s vulnerabilities.
Airports have continued to spend millions of dollars to employ greater security
measures, including tighter security checkpoints, facial recognition software, full-body
scanners, access control systems, intrusion detection systems, alarms, closed-circuit
monitors/video surveillance and an increase in security personnel. While
these measures provide additional layers of security, they only address external
physical threats, with minimal protection against threats that arise from within the
airport organization. Effective airport security requires a multi-faceted approach
to address a myriad of threats, both external and internal. It is helpful to explore
these facets that comprise the spectrum of true security at airports.
THE TRUTH ON INSIDER THREAT RESPONSE
The Department of Homeland Security (DHS) and TSA have collectively invested
a great deal of time, effort and energy in laying the foundation for security of
Critical Infrastructure and Key Resources to ensure the safety and security of our
nation, including our airports. While efforts to secure our nation and its airports
have been successful, the ever-evolving threat landscape and the persistence
of ill-willed threat tactics have required airports to incorporate innovative
and unique security measures.
Insider threat is a crucial aspect of security that requires a heightened, innovative
approach. While airports have made great strides to secure the ‘front door’ at
airports through increased passenger screenings and related efforts, the greatest
threat to airports remains unresolved. The ever-increasing number of incidents at airports,
combined with documented studies, reinforces this statement. Recent studies
and information obtained by DHS, the FBI and other agencies indicate that insiders
are not only utilized by terrorists to gain access to sensitive information and
targets, but that insiders themselves are carrying out their own chain of devastation to
critical airport infrastructure.
Effectively responding to insider threat at airports
requires dynamic risk management and the use of cutting-edge
tools and technology. The use of cutting-edge
technology for airports produces smarter security and
eliminates reliance on manual, siloed (disconnected)
and error-prone processes.
INSIDER THREAT AT AIRPORTS HAS EVOLVED
An “insider” can swiftly cause a chain of devastation
to airport infrastructure, leaving little trace of potential
damage until the devastation manifests. The far-reaching
effects of insider threat at airports have produced
damaging effects to critical physical and logical
systems, and have eroded the faith of citizens in the security of
our airports.
Just a couple of months ago, in March 2016, an
airline flight attendant was caught trying to smuggle
two suitcases loaded with drugs through an airport
checkpoint using her insider status as a means of
avoiding X-ray screening. Experts are even more concerned
that the smuggled contraband could contain
far more dangerous materials leading to a potentially
tragic outcome.
Such incidents are not a new development. In
2008, an elevator mechanic was arrested for smuggling
at least 17 illegal immigrants, including two with
criminal records. He was suspected of being part of a
larger smuggling ring that used him to gain access to
restricted areas at Los Angeles Airport.
In September 2009, Najibullah Zazi, a 24-year-old
Afghan immigrant and former Denver airport
shuttle-van driver, was arrested on federal terrorism
conspiracy charges.
In 2010, a customs agent at Atlanta International
Airport was accused of using his badge to smuggle
guns and drug money in and out of the secured areas
of the airport.
At Chicago O’Hare Airport, an owner of a temporary
employment agency (a contractor to the airport)
was found to have manufactured dozens of fake security
badges for her mostly illegally immigrated staff,
allowing them to perform duties in the secure area
of the airport. While the motive was to enable workers
who would not otherwise qualify for a legitimate
security badge due to immigration status, to work in
the restricted area of the airport, this case highlights
the detrimental risks a trusted contractor working for
airports can produce.
In another recent case, the fraudulent acquisition of security
badges by illegal immigrants highlighted a major
vulnerability in verifying the actual identity of employees.
In this case, a sting operation at a New York airport
revealed that 12 employees were charged with using
forged immigration documents to verify their identity
and thus acquire airport security badges. While this
does not constitute a terrorist ring, it does demonstrate
the ability for individuals to be granted access to secure
areas under the pretense of legitimate means.
Taken together, these incidents, among a multitude
of others, highlight the ease of access by insiders
to airport infrastructure and the weakness of the processes by which
employees are screened to work at airports. It is apparent
that grave loopholes in security lie within the
airport landscape which require immediate resolution.
THE NEED FOR A RESOLUTION TO SECURITY APPROACH AND METHODOLOGY
Across the spectrum of airport environments, airports
more often take a “manage risk” approach than a “prevention” approach. In a manage-risk
approach, once a threat manifests itself, airport personnel
contact the respective TSA and other personnel
to handle the matter. Many times, while a resolution
is being sought on a matter, staff shut down
entire security checkpoints and block off sterile areas,
disrupting flight operations and bringing airport
operations to a halt. The realization is that with a refined approach,
most instances of threat and risk at airports
could be prevented.
A proactive prevention approach is the most practical
and current approach to resolution of incidents at airports. As technology becomes ever more sophisticated
and advanced, airports must keep up with the changing pace
of technology as well as with the growing sophistication of insider threat behaviors.
For this reason, the methods by which most airports are currently resolving threat
issues are outdated, slow, and simply not enough to keep up. This is why we need
to advocate for change within our airports to take on a more refined, innovative
approach to security of our airport infrastructure. Automation is a key component
of this approach.
HOW LIMITED SECURITY MAKES THE NEED FOR AUTOMATION EVIDENTLY CLEAR
The enemy with greatest harm may not be a terrorist organization. Rather, it is an
intelligent threat actor within your airport environment. It could be your most reliable,
hardworking employee. Many cases of espionage come without notice. Even
a background check is unable to predict one’s hidden criminal agenda. Reliance on
manual detection of threat, insider or outsider, is no longer a viable and practical
solution for airports.
It is clear that the current approaches to preventing and mitigating
insider threat at airports, including the credentialing, badging and vetting
processes, are somewhat limited. The Security Threat Assessments (STA)
performed as part of the vetting and credentialing process are a sound measure
to ensure that an individual’s Criminal History Record Check (CHRC) and
other checks are performed before authorized credentials are issued. However, continuous
risk monitoring of the activities of credentialed personnel, in combination
with continuous vetting, is what provides a more comprehensive method of managing
insider threat.
A thorough and more comprehensive approach to addressing insider threat
management is derived from state-of-the-art advancements in technology, namely
the solutions and experience of other airports that are monitoring and managing
insider threat successfully. This approach goes beyond traditional physical screening
and threat profiling methods by employing intelligence and information from
existing systems to detect and monitor insider elements with intent to harm. Such
a technology solution is inclusive of a risk-based methodology that gives special
focus to insider threat behavior associated with increased risk, such as high-risk flights. An additional
capability of this new technological approach is to connect the seemingly
unrelated acts of suspicious behavior and analyze data and patterns to uncover
emerging threats with a combined ability to manage and mitigate these situations.
It is important to mention that no measure, technological or not, will completely
eliminate insider threat. However, technology can allow for powerful measures to
be put into place to act as a strong deterrent and reduce the probability of terrorism
or other activity by an insider.
CHALLENGES AT AIRPORTS
Airport environments are abundant with pain points, but the good news is that
there are proven, effective methodologies that provide resolution of these pain
points. Common pain points experienced by airports include management of
multiple identities across the entire airport landscape, document management for
critical airport processes and resolution of lost, stolen or expired badges. We’ve
addressed some pain points for you below.
Repeat badge swipe attempts, including after hours: The airport environment is
abundant with security access doors and vehicle gates with associated assigned access.
Situational awareness technology now helps to resolve these issues by detecting
repeat denial attempts to access secured areas at the airport. If such an event is detected,
an alert will be generated in the System for real-time response to the situation.
Where a badge holder is repeatedly attempting to gain access to a secured area,
the System will monitor these access attempts for suspicious behavior. The attempt
could be at a single door or vehicle gate, or could be across multiple doors
or vehicle gates.
Monitoring of behavior anomalies: Many critical areas of airports are restricted
to only those staff who have been granted specified access, but it is not uncommon
for employees to attempt to access doors to which they do not have access.
The reasons for this could range from finding a shortcut through the airport, to believing that their access also extends to other
doors, to attempts at insider threat activity.
Whatever the reason may be, it is
important to monitor all types of suspicious
behaviors within the airport,
from the process standpoint to the actual
physical entry attempt standpoint.
Security convergence technology
aids in detecting blended threats across
all systems and linking these threats to
suspicious behavioral patterns. To determine
what type of next action or resolution
to take when a pattern of suspicious
behavior is detected, convergence
technology issues real-time automated
resolution alerts to security personnel
while simultaneously denying access to
secured areas.
Resolution of stolen, lost or expired
badges across all airport systems: Attempts
to use an expired, lost or stolen
security badge at a vehicle gate,
access door or other access point are
not uncommon. What is not common,
however, is effective resolution of the
discrepancies that exist across PACS
systems for such security badges. Due
to the number of different PACS systems
and logical systems that exist within
an airport environment, it is difficult
for security staff to manually monitor,
across all systems, what badges are stolen,
lost, expired, or unreturned.
For instance, the system will proactively
monitor badge status for any suspended
badge and determine whether
such badges are still being used to gain
access to unauthorized areas within the
airport terminal. If such an event is
detected, an alert will be generated for
real-time response to the event.
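As an added illustration of the two monitoring cases just described (repeated denied swipes by one badge, at one reader or spread across several doors and gates, flagged when they fall after hours; and any use of a badge whose consolidated status is suspended, lost, expired or unreturned), here is a small Python detector run over a constructed batch of badge-reader events. This is example code written for this page, not code from the article or from AlertEnterprise; the CSV event format, the consolidated status table, the 10-minute window, the threshold of three denials and the 06:00–20:00 business hours are all assumptions.

```python
"""Two detections over badge-reader events consolidated across PACS exports.

Added example, not vendor code. Event format (constructed, assumed):
    timestamp,badge_id,reader_id,GRANTED|DENIED
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample of events exported from several readers' PACS logs.
SAMPLE_EVENTS = """\
2016-03-14T22:41:03,BADGE-1001,DOOR-A12,DENIED
2016-03-14T22:41:20,BADGE-1001,DOOR-A12,DENIED
2016-03-14T22:43:55,BADGE-1001,GATE-V3,DENIED
2016-03-14T22:44:30,BADGE-1001,DOOR-B07,DENIED
2016-03-15T08:02:11,BADGE-2002,DOOR-A12,GRANTED
2016-03-15T08:05:47,BADGE-3003,DOOR-C01,GRANTED
2016-03-15T09:15:00,BADGE-2002,DOOR-B07,DENIED
"""

# Constructed consolidated badge-status table: the single view the credentialing
# office maintains across every PACS. A badge can still be accepted by one PACS
# whose local copy was never updated; the second detector catches exactly that.
BADGE_STATUS = {
    "BADGE-1001": "ACTIVE",
    "BADGE-2002": "ACTIVE",
    "BADGE-3003": "SUSPENDED",  # reported lost; should not be in use anywhere
}

# Tunable assumptions, not figures from the article.
DENIAL_THRESHOLD = 3
WINDOW = timedelta(minutes=10)
BUSINESS_START, BUSINESS_END = time(6, 0), time(20, 0)


def parse_events(text):
    """Parse CSV lines into (timestamp, badge, reader, result) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, reader, result = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, reader, result))
    events.sort()
    return events


def is_after_hours(ts):
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect_repeat_denials(events):
    """Alert when one badge is denied DENIAL_THRESHOLD or more times within WINDOW,
    whether at a single reader or across several doors and vehicle gates."""
    recent = defaultdict(deque)  # badge -> denials still inside the sliding window
    alerted = set()              # one alert per badge per run keeps the queue readable
    alerts = []
    for ts, badge, reader, result in events:
        if result != "DENIED":
            continue
        window = recent[badge]
        window.append((ts, reader))
        while ts - window[0][0] > WINDOW:   # drop denials older than the window
            window.popleft()
        if len(window) >= DENIAL_THRESHOLD and badge not in alerted:
            alerted.add(badge)
            alerts.append({
                "rule": "REPEAT_DENIALS",
                "badge": badge,
                "count": len(window),
                "readers": sorted({r for _, r in window}),
                "after_hours": is_after_hours(ts),
                "at": ts.isoformat(),
            })
    return alerts


def detect_suspended_use(events, status):
    """Alert on any use of a badge whose consolidated status is not ACTIVE.
    A GRANTED result here means a PACS accepted a badge it should have rejected."""
    alerts = []
    for ts, badge, reader, result in events:
        state = status.get(badge, "UNKNOWN")  # a badge no system knows is also worth a look
        if state != "ACTIVE":
            alerts.append({
                "rule": "SUSPENDED_BADGE_USE",
                "badge": badge,
                "status": state,
                "reader": reader,
                "result": result,
                "at": ts.isoformat(),
            })
    return alerts


def run_detections(text=SAMPLE_EVENTS, status=BADGE_STATUS):
    events = parse_events(text)
    return detect_repeat_denials(events) + detect_suspended_use(events, status)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed sample the first rule fires once, for BADGE-1001 after its third denial in under ten minutes across DOOR-A12 and GATE-V3 at 22:43, marked after hours; the second rule flags BADGE-3003 being granted entry at DOOR-C01 despite its suspended status, which is the cross-PACS discrepancy the text describes.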
AlertEnterprise offers an automated
solution for credible, reliable and immediate
detection of insider threat.
We have a dual-focused objective: to
monitor threat from intelligent actors,
thereby significantly reducing the appearance
of human error, and to improve
the resiliency and stability in your
organizational processes.
AN EFFECTIVE RESPONSE TO INSIDER THREAT AND INCIDENT MANAGEMENT
Insider threat is difficult to detect. A staggering
number of organizations will not realize
that an insider has struck
until after the damage is done. This is
especially true when they rely on
manual processes to detect the threat.
The use of state-of-the-art software
that can monitor privileged user
activity, correlate IT with physical access,
and conduct frequent background
checks, is key to preventing insider
threat. The ability to conduct risk
analysis prior to provisioning access is
a crucial component to prevention of
threat. In addition, immediate removal
of physical access to facilities and critical
assets upon an employee’s termination
is one of the best ways to prevent
insider incidents. This state-of-the-art
software is the AlertEnterprise Insider
Threat Solution.
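The paragraph above names two checks that do not depend on any particular product: confirming that physical and logical access are actually removed when an employee is terminated, and correlating IT activity with physical access. The following Python review, added here as an example and not taken from the article or from AlertEnterprise, reconciles a constructed HR termination feed against a PACS badge roster and an IT account roster, then checks one day of on-site logins against badge entries. The status vocabularies (ACTIVE/REVOKED, ENABLED/DISABLED), the ONSITE/REMOTE network-zone tag and all sample records are assumptions.

```python
"""Cross-system access review: HR terminations against PACS badges and IT accounts,
plus correlation of on-site logins with badge entries.

Added example, not vendor code. All rosters and activity are constructed."""
from datetime import date, datetime

HR_FEED = {  # employee_id -> termination date (None = currently employed)
    "E100": None,
    "E200": date(2016, 3, 10),
    "E300": None,
    "E400": date(2016, 3, 1),
    "E500": None,
}
PACS_BADGES = {  # employee_id -> badge status held by the physical access control system
    "E100": "ACTIVE",
    "E200": "ACTIVE",   # terminated 10 March, badge never revoked
    "E300": "ACTIVE",
    "E400": "REVOKED",
    "E500": "ACTIVE",
}
IT_ACCOUNTS = {  # employee_id -> directory account status
    "E100": "ENABLED",
    "E200": "DISABLED",
    "E300": "ENABLED",
    "E400": "ENABLED",  # badge revoked, account left enabled
    "E500": "ENABLED",
}
# One day of activity: badge entries at terminal doors and IT logins tagged with
# the network zone they came from. An ONSITE login should follow a badge entry.
BADGE_ENTRIES = [
    "2016-03-15T07:55:00,E100",
    "2016-03-15T08:10:00,E300",
]
IT_LOGINS = [
    "2016-03-15T08:03:00,E100,ONSITE",
    "2016-03-15T08:30:00,E300,ONSITE",
    "2016-03-15T09:12:00,E400,ONSITE",  # terminated employee, no badge entry
    "2016-03-15T10:00:00,E300,REMOTE",
    "2016-03-15T11:00:00,E500,ONSITE",  # current employee, but never badged in
]


def deprovisioning_gaps(as_of, hr=HR_FEED, pacs=PACS_BADGES, it=IT_ACCOUNTS):
    """Employees terminated on or before `as_of` who still hold an active badge
    or an enabled account in any connected system."""
    gaps = []
    for emp, terminated in hr.items():
        if terminated is None or terminated > as_of:
            continue
        if pacs.get(emp) == "ACTIVE":
            gaps.append((emp, "PACS", "badge still ACTIVE after termination"))
        if it.get(emp) == "ENABLED":
            gaps.append((emp, "IT", "account still ENABLED after termination"))
    return gaps


def onsite_logins_without_badge_entry(badge_entries=BADGE_ENTRIES, logins=IT_LOGINS):
    """On-site logins by people with no badge entry earlier the same day: a possible
    piggyback through a door, a shared account, or an entry the PACS never recorded."""
    first_entry = {}  # employee_id -> earliest badge entry seen
    for line in badge_entries:
        ts, emp = line.split(",")
        t = datetime.fromisoformat(ts)
        if emp not in first_entry or t < first_entry[emp]:
            first_entry[emp] = t
    findings = []
    for line in logins:
        ts, emp, zone = line.split(",")
        if zone != "ONSITE":
            continue
        t = datetime.fromisoformat(ts)
        entry = first_entry.get(emp)
        if entry is None or entry.date() != t.date() or entry > t:
            findings.append((emp, ts))
    return findings


def run_review(as_of_iso="2016-03-15"):
    """Run both checks for the review date and return the findings together."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "deprovisioning": deprovisioning_gaps(as_of),
        "no_badge_entry": onsite_logins_without_badge_entry(),
    }


if __name__ == "__main__":
    result = run_review()
    for gap in result["deprovisioning"]:
        print("DEPROVISIONING", *gap)
    for finding in result["no_badge_entry"]:
        print("NO_BADGE_ENTRY", *finding)
```

Run against the sample, the review reports E200 (badge still active after termination) and E400 (account still enabled, even though the badge was revoked), and flags the on-site logins of E400 and E500 as having no badge entry that day. In a real deployment each roster would be an export or API pull from the respective system, and the review would run on a schedule rather than once.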
AlertEnterprise provides for true
security against insider threat through
unique Situational Awareness and predictive
analytics capabilities. To safeguard
physical, logical and control
systems, AlertEnterprise technology
provides powerful risk-modeling and
insider threat prevention capabilities to automate access review for all types of
risk analysis. The technology delivers
situational awareness through situation
and incident management, reporting
and remediation leveraging multilevel
workflow notification across all
existing systems.
By analyzing behavior across IT,
physical and control systems, the technology
enables an airport organization to
discover and resolve potential incidents
before they evolve into serious threats.
Case study from a large U.S. commercial
airport: The AlertEnterprise
system deployed at a large U.S. commercial
airport identifies behavioral
trends and provides statistical information
to monitor/manage:
Suspicious behavior – multiple alerts by the same individual
Criminal activity – use of revoked/destroyed cards
Security violations – piggybacking and unauthorized escorting
Operational and procedural issues – door and alarm malfunctions
Number of alerts over a daily/weekly/monthly time period
A key observation from the implementation
at this particular airport is
that automated monitoring of insider
threat produces a record of success in
security management, both in terms of
reduction in overall threat to airport security
and enhanced efficiency in airport
processes at U.S. commercial airports.
COSTS OF AUTOMATION
How expensive is it really to automate
your processes? You can provide your
own answer to this question by asking
yourself what value your airport places
on preventing insider threat. Security
personnel who have experienced insider
threat incidents can tell you that the
costs associated with managing the occurrence
of an insider threat can far
outweigh the cost of automating
your critical infrastructure.
The cost of automation for many
industries can prove to be a more practical
and feasible approach than managing
an insider threat incident after it
has occurred. Operating systems
in existing silos is expensive.
On top of that, managing the processes,
procedures and people required
to manage access points, databases and
systems is essential to protection of airport
infrastructure, since systems themselves
do not naturally interact with
one another. AlertEnterprise delivers a
single unifying application with a dual-focused
objective: to bridge gaps while
eliminating redundant spending.
Can we really afford to not protect
our airports against insider threat? The
complexities inherent in insider threat
detection can be widely spread across
the airport enterprise and prove to be
an overwhelming task without the use
of innovative technology to assist in
this effort.
This article originally appeared in the September 2016 issue of Security Today.