Editor’s Note: Excerpts of this post series were originally published by ACI-NA.
There are many potential insider threat vectors within a connected aviation ecosystem. Airports alone have numerous systems, applications, databases, and other technology assets to manage, monitor, and protect. It is virtually impossible to categorize the most likely threats.
Without knowing where the threat might initiate, managing the insider threat begins with basic IT hygiene. The best practices that IT organizations have espoused for decades for other purposes are often the same practices which best manage and mitigate the insider threat. Listed below are the most common IT best practices which directly mitigate cybersecurity threats.
1. Inventory Management – It is essential to know the airport’s IT assets, including hardware, software, and data. To protect an airport’s assets, you must be aware of their existence and location. Simple processes such as inventory control on all equipment (laptops, phones, digital cameras, etc.) are essential to ensure that data isn’t purposely or inadvertently lost.
2. Network Monitoring – Even in a world without a cyber threat, network monitoring is an essential element of sound IT practices. Checking for bandwidth shortages, throughput issues, unresponsive network nodes, and network congestion are basic network maintenance practices. The insider threat, however, substantially increases the importance of these seemingly mundane tasks.
The network is the primary threat vector from external sources. For the insider threat, indicators of nefarious activity also traverse the network, but more likely in the opposite direction. Identification and analysis of outbound data packets is an essential practice for detecting possible fraudulent activity. In segmented networks, unexpected transfers of data from one segment to another may also be a sign that improper activity is occurring.
Simple activities, such as monitoring email usage and hours spent on the internet, may yield an indication that something is occurring which needs further analysis.
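As an added illustration of the two network indicators described above (large outbound transfers and traffic crossing segment boundaries that policy does not permit), the following script is example code written for this post, not tooling from ACI-NA or any airport. The segment ranges, the permitted segment-to-segment flows, the 50 MiB outbound baseline, the off-hours window and the flow records themselves are all constructed assumptions; a real deployment would take them from the airport’s own network documentation and flow collector.

```python
"""Flag outbound-volume, cross-segment and off-hours flows in constructed flow logs."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical segment map for an airport network (constructed for this example).
SEGMENTS = {
    "corporate": ip_network("10.10.0.0/16"),
    "ops": ip_network("10.20.0.0/16"),       # e.g. baggage and flight operations
    "badging": ip_network("10.30.0.0/16"),   # physical access control system
}
# Which destination segments each source segment may talk to (assumed policy).
ALLOWED_SEGMENT_FLOWS = {
    "corporate": {"corporate", "ops"},
    "ops": {"ops"},
    "badging": {"badging"},
}
OUTBOUND_BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per host per window (assumed)
OFF_HOURS = range(22, 24), range(0, 6)        # 22:00-06:00 treated as off-hours


@dataclass
class Flow:
    when: datetime
    src: str
    dst: str
    dst_port: int
    bytes_out: int   # bytes sent from src towards dst


def parse_flows(text):
    """Parse lines of: <ISO timestamp> <src ip> <dst ip> <dst port> <bytes>."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def segment_of(ip):
    """Return the internal segment name for an address, or None if external."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def analyze(flows):
    """Return (finding_type, src, dst, detail) tuples for flows worth a closer look."""
    findings = []
    outbound = defaultdict(int)
    for f in flows:
        s_seg, d_seg = segment_of(f.src), segment_of(f.dst)
        if s_seg is None:
            continue   # inbound from the internet: outside the insider-focused scope here
        if d_seg is None:
            outbound[f.src] += f.bytes_out
            if any(f.when.hour in r for r in OFF_HOURS):
                findings.append(("off_hours_outbound", f.src, f.dst, f.when.isoformat()))
        elif d_seg not in ALLOWED_SEGMENT_FLOWS[s_seg]:
            findings.append(("cross_segment", f.src, f.dst, f"{s_seg}->{d_seg}"))
    for host, total in outbound.items():
        if total > OUTBOUND_BYTES_THRESHOLD:
            findings.append(("outbound_volume", host, None, total))
    return findings


# Constructed sample flow records; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01T02:10:00 10.10.4.21 203.0.113.50 443 120000000
2024-03-01T09:15:00 10.10.4.22 203.0.113.60 443 2000000
2024-03-01T09:20:00 10.10.4.22 10.20.1.5 443 50000
2024-03-01T11:00:00 10.10.4.21 10.30.2.7 445 4000000
2024-03-01T11:05:00 10.20.1.5 10.10.4.22 443 100000
2024-03-01T12:00:00 198.51.100.9 10.10.4.22 443 3000
"""


def run_sample():
    return analyze(parse_flows(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, dst, detail in run_sample():
        print(f"{kind:20} {src:14} {dst or '-':14} {detail}")
```

On the sample data the corporate host 10.10.4.21 is reported three times: an off-hours transfer to the internet, a total outbound volume above the baseline, and a connection into the badging segment that the policy table does not allow. The ops-to-corporate flow is also flagged, while the permitted corporate-to-ops flow and the inbound external flow are not. In practice the thresholds should be derived from observed per-host baselines rather than a single fixed number.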
3. Least Privilege – Establishing a practice of least privilege is essential. The “need to know or have access” is the basic essential element in logical access, much the same as it is in physical access. Airports must ensure that data is categorized according to its usage and that access to that data is governed by role-based, mandatory, or discretionary access control. Simply put, access is granted based on a person’s position classification, the organization in which they work, or some other “need to know” factor. All access rights and privileges of every employee should be reviewed at least once a year. System and database administrators should have their access rights reviewed at least every six months.
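To show what a periodic access review can check mechanically, here is an added example (written for this post; not ACI-NA or airport code). It applies the two review intervals the text gives, one year for employees and six months for system and database administrators, and also compares each account’s entitlements against a role baseline so that privileges accumulated beyond the role’s “need to know” show up. The roles, entitlement names, accounts, and the review date are all constructed assumptions.

```python
"""Access review: flag overdue reviews and entitlements beyond the role baseline."""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical role-to-entitlement baseline (constructed for this example).
ROLE_BASELINE = {
    "baggage_ops": {"bhs_console", "ops_dashboard"},
    "finance": {"erp", "ops_dashboard"},
    "dba": {"erp_db_admin", "ops_db_admin"},
}
# Review intervals from the text: yearly for staff, six-monthly for administrators.
REVIEW_INTERVAL_DAYS = {"standard": 365, "admin": 180}
AS_OF = date(2024, 6, 1)   # review date assumed for the sample run


@dataclass
class Account:
    user: str
    role: str
    entitlements: set = field(default_factory=set)
    last_review: date = date.min
    admin: bool = False


def review_accounts(accounts, today):
    """Return (user, finding_type, detail) tuples for accounts needing attention."""
    findings = []
    for a in accounts:
        # Least privilege: anything not justified by the role is excess.
        excess = a.entitlements - ROLE_BASELINE.get(a.role, set())
        if excess:
            findings.append((a.user, "excess_privilege", sorted(excess)))
        # Review cadence: administrators get the shorter interval.
        limit = REVIEW_INTERVAL_DAYS["admin" if a.admin else "standard"]
        age_days = (today - a.last_review).days
        if age_days > limit:
            findings.append((a.user, "review_overdue", age_days))
    return findings


# Constructed sample accounts. "bob" moved from baggage operations to finance and
# kept his old console access; "carol" is a DBA whose review has slipped.
SAMPLE_ACCOUNTS = [
    Account("alice", "baggage_ops", {"bhs_console", "ops_dashboard"}, date(2023, 9, 1)),
    Account("bob", "finance", {"erp", "ops_dashboard", "bhs_console"}, date(2023, 3, 15)),
    Account("carol", "dba", {"erp_db_admin", "ops_db_admin"}, date(2023, 11, 1), admin=True),
]


def run_sample():
    return review_accounts(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, kind, detail in run_sample():
        print(f"{user:8} {kind:18} {detail}")
```

Run against the sample, alice is clean, bob is flagged both for the leftover baggage-console entitlement and for a review that is over a year old, and carol is flagged because 213 days exceeds the six-month interval that applies to administrators even though it would be acceptable for ordinary staff. The role baseline table is the piece that turns a calendar check into a least-privilege check; keeping it under change control is what makes the review meaningful.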
4. Security Education, Training and Awareness (SETA) – Insider threats by definition obviously begin with your employees. Thus, they also become the first line of defense when combating the insider threat. As mentioned earlier, establishing a Culture of Security is an integral step in protection and this step begins with user awareness and training.
5. The Nexus of Cyber and Physical Security – Strict policies must be established and maintained to protect the physical nature of the airport’s IT environment. Protection of the data center, communication rooms, building points of entry, fiber drops, and other essential physical components of the IT environment is essential to maintain the confidentiality, availability, and integrity of systems. Because employees and contractors already have some level of access to the airport’s facilities, segregation enforced by physical access control is essential.
Access to data centers, for example, should be very limited, even within the IT Department itself. The days when a flashy data center was shown to the public have been gone for a long time. The security of the airport’s most important IT asset must be handled in the most restrictive manner.
Where possible, all IT assets should be protected through physical access control, and the activity of even authorized users should be monitored and audited on a regular basis.
6. Proper disposition of storage devices – An often overlooked vector for the inadvertent loss of critical information is the improper or careless disposition of the devices that hold data. With data being stored on numerous devices, an airport must ensure that it has a data disposition policy which covers the following devices: mobile devices (laptops, phones, tablets), cameras, recording devices, desktop computers, network and desktop storage devices, copying machines, FAX machines, and USB drives.
Each of these devices has the capacity to store data, potentially classified or sensitive data, and their contents can easily be overlooked when they are disposed of. The airport needs to have a thoughtful, detailed plan for the appropriate disposition and/or destruction of all storage devices.
While cybersecurity threats can come from a variety of sources, the insider threat can cause havoc on an organization’s cybersecurity and IT team. By leveraging these useful practices and basic cyber hygiene recommendations, airports can significantly reduce the headaches caused by the insider threat.