NIST preps guidance for mitigating insider threats


While much of the cybersecurity conversation within the federal government centers around preventing infiltration and corruption from external, malicious sources, panelists speaking July 20 at the FOSE conference in Washington, D.C. emphasized the risk of insider threats.

"A lot of the security breaches in government and in the commercial sector have nothing to do with hacking or penetrating systems," said Dave McClure, associate administrator in the office of citizen services and innovative technologies at the General Services Administration.

The National Institute of Standards and Technology will address the insider threat, industrial system security controls and cybersecurity supply chain risk management in a major update to its security controls guidance due out in December, said Ron Ross, project leader of the NIST FISMA implementation project.

"We haven't spent a lot of time on it, but it's now front and center," said Ross.

"As Wikileaks pointed out, it's not always about technology. We've got to pay attention to all aspects of controls: management, operational and technical. The adversaries will find your soft spot. They will find where you are weak. And if it's a people issue, like in Wikileaks, when those privileges should have been yanked from that individual a long time ago, and they weren't, that's what results," said Ross.

Guidance already exists to help agencies detect insider threats, but the technologies federal workers interact with have changed, said McClure. Web applications present a major challenge because they've been pushed further to the edge of organizations and they are sometimes adopted without early security certification, he added.

"A lot of times you'll find that some of these malicious attacks that occur from within an organization are due to the fact that people have too many privileges," said Ross.
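
The two points Ross makes above, that privileges are often broader than the job requires and that they are not revoked when they should be, are what a periodic entitlement review is meant to catch. The script below is an added illustration, not code from the article or from NIST: it takes a constructed roster of accounts (roles, granted privileges, status and last-use dates are all invented for the example) and a hypothetical role-to-privilege baseline, and reports privileges that fall outside the role, survive a separation, or have gone unused past a threshold.

```python
"""Entitlement review: flag privileges that exceed the role baseline,
remain after separation, or have not been exercised recently.

Added example. ROLE_BASELINE, ROSTER and TODAY are constructed for
illustration and are not data from the article or from NIST guidance.
"""
from datetime import date

# Hypothetical role-to-privilege baseline (constructed).
ROLE_BASELINE = {
    "analyst": {"read:reports"},
    "sysadmin": {"read:reports", "admin:hosts", "read:audit"},
    "hr": {"read:reports", "read:personnel"},
}

# Constructed roster. status is "active" or "separated"; last_used maps
# each granted privilege to the date it was last exercised (None = never).
ROSTER = [
    {"user": "alice", "role": "analyst", "status": "active",
     "granted": {"read:reports", "admin:hosts"},
     "last_used": {"read:reports": date(2011, 3, 1), "admin:hosts": None}},
    {"user": "bob", "role": "sysadmin", "status": "separated",
     "granted": {"read:reports", "admin:hosts", "read:audit"},
     "last_used": {"read:reports": date(2011, 7, 1),
                   "admin:hosts": date(2011, 6, 30),
                   "read:audit": date(2011, 5, 2)}},
    {"user": "carol", "role": "hr", "status": "active",
     "granted": {"read:reports", "read:personnel"},
     "last_used": {"read:reports": date(2011, 7, 19),
                   "read:personnel": date(2011, 7, 19)}},
]

# Review date, fixed so the example is reproducible (constructed).
TODAY = date(2011, 7, 20)


def review_entitlements(roster, baseline, today, stale_after_days=90):
    """Return a list of (user, privilege, reason) findings.

    Rules, checked in order for each granted privilege:
      1. Any privilege held by a non-active account is a finding; the
         whole account should have been deprovisioned.
      2. A privilege not in the role's baseline is excess privilege.
      3. A baseline privilege never used, or unused for longer than
         stale_after_days, is a candidate for removal.
    """
    findings = []
    for acct in roster:
        user = acct["user"]
        allowed = baseline.get(acct["role"], set())
        if acct["status"] != "active":
            for priv in sorted(acct["granted"]):
                findings.append((user, priv, "retained after separation"))
            continue
        for priv in sorted(acct["granted"]):
            if priv not in allowed:
                findings.append((user, priv, "outside role baseline"))
                continue
            last = acct["last_used"].get(priv)
            if last is None or (today - last).days > stale_after_days:
                findings.append(
                    (user, priv, "unused for >%d days" % stale_after_days))
    return findings


def run_review():
    """Run the review over the constructed roster with the default window."""
    return review_entitlements(ROSTER, ROLE_BASELINE, TODAY)


if __name__ == "__main__":
    for user, priv, reason in run_review():
        print("%-6s %-16s %s" % (user, priv, reason))
```

On the constructed data this reports alice's admin:hosts grant as outside her analyst baseline, her read:reports grant as stale, and all three of bob's privileges as retained after separation; carol, whose grants match her role and are in active use, produces no findings. In a real deployment the roster would come from the directory or IAM system and last-use dates from authentication and audit logs, and the baseline would be the organisation's own role definitions, but the three checks are the same.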

"There's been an explosion in mobile applications. Most people download these applications on their mobile devices and they don't have a clue who developed the app, how good it is, [or if] there is a threat vector through that application right back to the corporate network," said Ross.
