1.1 secSDLC

The Security SDLC is a variant of the SDLC that identifies specific threats and creates controls to counter them within the model. It can be used to develop an information security policy.

Investigation phase: an outcome of this phase is a thorough outline of the policy development plan, with details of scope, cost and schedule.

Analysis phase: a fresh risk assessment can be carried out to identify the organisation's current InfoSec needs. All relevant documents and reference materials should be collected during this phase.

Design phase: the dissemination of the policies must be planned to make sure they are distributed properly, and that every member of the organisation receives and understands them.

Implementation phase: this is where the policies are written.

Maintenance phase: the policies are monitored, maintained and modified as and when required, so that they remain effective and relevant. (Jayaseelan, 2013)

1.2 Types of laws that an organisation in South Africa can use to prosecute an inside attacker:

- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987

1.3 Three organisations that have experienced insider cyber-attacks:

U.S. Investigations Services (services): U.S. Investigations Services, a subcontractor for federal employee background checks, suffered a data breach in August 2014 that led to the theft of employee personnel information. Although no specific origin of the attack was reported, the company believes the attack was state-sponsored. Severity: High.

Unnamed public works (energy and utilities): according to the Department of Homeland Security, an unnamed public utility's controls were accessed by hackers through a brute-force attack on employees' log-in passwords. Severity: High.
AT&T (communications): in April 2014, for two weeks, AT&T was hacked from the inside by personnel who accessed user information, including social security information. Severity: High. (Riley, 2014)

1.4 Reasons why a high number of cyber-attacks come from internal employees:

Many employees are willing to sell information: while every employer would like to believe that their workers can be trusted, the sad reality is that some employees are ready to sell company data for personal profit.

Naivety: data can often be exposed simply because an employee does not know the dangers of certain actions.

Employees who use their personal devices for work: increasingly, insiders unwittingly expose their employers to threats by doing work on personal electronic gadgets. (David & Sadie, 2014)

1.5 The type of attack is: deliberate acts of sabotage/vandalism.

In the scenario, the employees sabotaged the system controlling the traffic lights of a major city. This type of attack involves the deliberate sabotage of a computer system or business, or acts of vandalism, to either destroy an asset or damage the image of an organisation. Examples:

- Destroying hardware and infrastructure
- Deleting software
- Planting viruses (Whitman & Coles, 2012)

1.6 Developing a security strategy to protect against insider attacks:

Strategy: Data Loss Prevention (DLP) programs.

Measures/actions that can be taken to reduce the impact of insider attacks:

Implement a dedicated DLP appliance or software: DLP appliances or software allow you to track the travel of your organisation's data, either in real time or by collecting information and summarising it in daily or weekly reports. You will want a DLP system that can read and intercept SSL or other encrypted messages, or users will be able to defeat its purpose simply by encrypting the data they send outside the network. The drawback of DLP is that it may negatively affect network performance.
Identity management: since access privileges are granted based on the identity of the user, a good identity management system must be in place. This becomes very important in today's network environment, where company mergers and the moving of some or all data into the cloud complicate things further.

Change management: configuration and change management tools help you identify when changes are made to system configurations, which some employees may do to gain access to information they should not have. There are many products on the market that can be used to track changes on the network.

File access auditing: auditing access to file system objects will help you detect when insiders are accessing information that they do not need in order to do their jobs.

Control USB devices: DLP, firewalls and mail content filtering help prevent insiders from sending sensitive company information outside the network via the internet, but removable USB drives, especially concealed thumb drives, are often used by insiders to copy sensitive company information and carry it out of the company by hand. To prevent this, you can disable all USB ports on the systems of those who do not absolutely need them, use Windows Group Policy to restrict or block the installation of USB devices, or use software such as GFI Endpoint Security to manage user access and log the activity of USB drives, CDs and anything else that connects to computers via USB.

Area of responsibility or segregation of duties: a policy that ensures no one person can process an important transaction alone. One person may be able to initiate the process, but it cannot be completed without the authorisation of one or more other individuals. This provides a set of checks and balances to protect against a lone rogue employee or infiltrator.
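As an added example that is not part of the cited sources, the following Python script shows the detection that file access auditing is meant to enable: it compares each audited access against the department's need-to-know and reports the accesses that fall outside it. The log format, share layout and department mapping are all constructed for the example.

```python
"""Added example (not from the cited sources): flag file accesses outside a
user's need-to-know, which is what file access auditing is meant to surface.
Constructed assumptions: audit records are CSV lines of
'timestamp,user,department,action,path'; each department has allowed share
prefixes plus a public share readable by everyone."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed need-to-know map: department -> allowed share prefixes.
NEED_TO_KNOW = {
    "finance": ("/shares/finance/",),
    "hr": ("/shares/hr/",),
    "it": ("/shares/it/",),
}
PUBLIC = ("/shares/public/",)  # readable by every department

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2014-08-01T09:02:11,alice,finance,READ,/shares/finance/q2-ledger.xlsx
2014-08-01T09:05:40,bob,it,READ,/shares/public/it-policy.pdf
2014-08-01T09:07:03,bob,it,READ,/shares/hr/salaries.xlsx
2014-08-01T09:07:09,bob,it,COPY,/shares/hr/salaries.xlsx
2014-08-01T09:08:15,carol,hr,READ,/shares/hr/salaries.xlsx
2014-08-01T09:30:00,bob,it,READ,/shares/finance/q2-ledger.xlsx
"""

def allowed(department, path):
    """True if the path lies within the department's need-to-know or public."""
    prefixes = NEED_TO_KNOW.get(department, ()) + PUBLIC
    return path.lower().startswith(tuple(p.lower() for p in prefixes))

def find_out_of_scope(log_text):
    """Return {user: [(timestamp, action, path), ...]} for every access
    outside the need-to-know of the user's department."""
    findings = defaultdict(list)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed records instead of aborting the review
        ts, user, dept, action, path = row
        if not allowed(dept, path):
            findings[user].append((ts, action, path))
    return dict(findings)

if __name__ == "__main__":
    for user, events in find_out_of_scope(SAMPLE_LOG).items():
        print(f"{user}: {len(events)} out-of-scope access(es)")
        for ts, action, path in events:
            print(f"  {ts} {action} {path}")
```

A single out-of-scope read may be legitimate; a read followed by a COPY of the same file, as in the sample, is the pattern worth escalating.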
Rights management system: rights management allows you to give users access to data while helping to prevent them from sharing that data with others who are not authorised to have it. Windows Rights Management Services (RMS) allows you to block the copying or printing of documents and the forwarding or copying of email messages; Windows also blocks taking a screenshot of a protected document or message.

Data encryption: encrypting data makes it more difficult for those inside the network to access and read the information, even if they manage to take it outside.

Least privilege policy: for the best security and protection against insider threats, always follow a policy of giving users the most restrictive set of privileges that still allows them to do the work they need to do. Apply the same policy when configuring the DLP product's or firewall's outbound rules: start by blocking everything and then allow only what is needed, rather than starting by allowing everything and then restricting things selectively. The key to encrypted data should be available only to those whose jobs require that they access that data, not to all employees who happen to work in a specific department or hold a particular position.

Configure the firewall to address traffic going both ways: most modern firewalls are capable of filtering both inbound and outbound traffic, but many are configured to control only the former. Set up outbound rules on your firewall to explicitly block or allow network traffic that matches the criteria you set.

Use packet inspection within the network: DLP appliances and firewalls focus on traffic being sent outside the network. You can use packet inspection tools such as Network Analysis and Visibility (NAV) products to inspect the contents of packets moving within the internal network. NAV tools can examine contents in great depth and look for particular words or types of data within a document or file.
Use mail security products with content filtering: you can use the content filtering feature of your email security products to, for example, block outbound messages that contain certain keywords, or block users from sending attachments, to prevent insiders from sending confidential information outside the network. (Deb, 2011)
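As an added example that is not part of the cited source, the following Python code implements the two content-filtering rules described above (keyword blocking and per-sender attachment blocking) for messages leaving the organisation. The message structure, internal domain (example.com), keyword list and attachment policy are constructed assumptions, not the settings of any real product.

```python
"""Added example (not from the cited source): a minimal outbound mail
content filter of the kind the mail-security measure above describes.
Constructed assumptions: messages are dicts, the internal domain is
example.com, and the keyword list and attachment policy are illustrative."""
import re

INTERNAL_DOMAIN = "example.com"
# Keywords whose presence in the subject or body blocks an outbound message.
BLOCK_KEYWORDS = ("confidential", "internal only", "salary")
NO_ATTACHMENT_SENDERS = {"bob@example.com"}  # may not send attachments externally
BLOCK_EXTENSIONS = (".xlsx", ".zip")  # attachment types never allowed outbound

def is_external(address):
    """True when the recipient is outside the organisation's mail domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def check_message(msg):
    """Return ('allow' | 'block', [reasons]) for one outbound message.
    msg keys: from, to (list), subject, body, attachments (list of names)."""
    reasons = []
    if not any(is_external(r) for r in msg["to"]):
        return "allow", reasons  # purely internal mail is out of scope here
    text = f"{msg['subject']}\n{msg['body']}".lower()
    for kw in BLOCK_KEYWORDS:
        if re.search(r"\b" + re.escape(kw) + r"\b", text):
            reasons.append(f"keyword '{kw}'")
    if msg["attachments"]:
        if msg["from"].lower() in NO_ATTACHMENT_SENDERS:
            reasons.append("sender may not send attachments externally")
        for name in msg["attachments"]:
            if name.lower().endswith(BLOCK_EXTENSIONS):
                reasons.append(f"blocked attachment type: {name}")
    return ("block" if reasons else "allow"), reasons

# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "to": ["partner@vendor.example"],
     "subject": "Meeting notes", "body": "See you on Tuesday.", "attachments": []},
    {"from": "bob@example.com", "to": ["bob.home@mail.example"],
     "subject": "fyi", "body": "Internal only: salary bands attached.",
     "attachments": ["salaries.xlsx"]},
    {"from": "carol@example.com", "to": ["dave@example.com"],
     "subject": "Confidential review", "body": "Draft attached.",
     "attachments": ["review.zip"]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, why = check_message(m)
        print(f"{m['from']} -> {m['to']}: {verdict} {why}")
```

Keyword matching of this kind only sees plaintext, which is why the DLP paragraph above insists on a system that can also intercept encrypted messages.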