
Int'l Conf. Security and Management | SAM'17 | 61
ISBN: 1-60132-467-7, CSREA Press ©

A Study on Korea's Information Security Management System: An Insider Threat Perspective

Ran Kyoung Park, Jong In Lim, Hun Yeong Kwon, and Jin-Young Choi
Graduate School of Information Security, Korea University, Seoul, Korea

Abstract - Insider threats pose a significant information security challenge to organizations. Surveys have shown that over half of all security incidents are caused by insiders and that attacks by insiders have more serious consequences than those by external attackers. Information security management systems such as ISO/IEC 27001 and K-ISMS are centered on attacks from outside the security perimeter by external attackers. Improvements to these management systems are urgently needed to increase their robustness against insider threats. In this study, we analyze the best practices to mitigate insider threats provided by the CERT Guide and the corresponding security controls in the US standard NIST SP 800-53. We propose extending Korea's K-ISMS based on these best practices and related security controls. These extensions are designed to make the information security management system of K-ISMS robust against insider threats.

Keywords: insider threat, information security management system, insider threat management, best practice, security control

1 Introduction

In August 2016, North Korea hacked into South Korea's defense network and may have gained access to confidential military plans [1]. According to an investigation, this involved a typical scenario in which an insider threat was exploited by an external hacker [1, 2, 3]. The incident was comparable in scale to Snowden's release of NSA material, which has been called one of the most significant leaks in US history [4].

An insider is someone who has or had authorized access to an organization's network, systems, or data as a current or former employee, contractor, or business partner. Insiders may be classified as either malicious or unintentional, depending on their motivation. Malicious insiders intentionally use their access rights in a way that negatively affects the confidentiality, integrity, or availability of the organization's information or information systems. Unintentional insiders do the same thing but without deliberate intent. There has been a substantial increase in the probability of serious harm arising from intentional or unintentional breaches by insiders. The damage caused by malicious insiders includes destruction of information technology, theft of intellectual property, and fraud. That caused by unintentional insiders includes accidental disclosure of information, phishing/social engineering, degradation of physical records, and loss or theft of equipment [5].

The threat of attack from insiders is real and substantial. The 2015 U.S. State of Cybercrime Survey found that 23% of electronic crime events were suspected or known to have been caused by insiders. It also reported that 45% of respondents believed that damage from insider attacks was more severe than that from outsider attacks [5, 6]. External attackers also make use of insider threats, either originating an attack through an insider or obtaining cooperation from insiders within the organization. In a survey by Forrester of firms that had experienced a breach in 2015, internal incidents were found to be the leading cause, and more than 50% of those were due to inadvertent misuse or user error; the culprits were classified as "accidental insiders" [7]. More recently, 39% of breaches in the last 12 months resulted from an internal incident. Of these, 26% were deliberate abuses or done with malicious intent, 56% were inadvertent, and 18% were a combination [8]. The biggest threats to company security therefore come from insiders, and they are the threats against which businesses feel least prepared [9]. Abuse by insiders is difficult to detect [10]. While the level of threat has been increasing, most commonly involving the theft of authentication credentials, intellectual property, corporate financial data, and personally identifiable information (PII), 70% of organizations still give higher priority to maintaining traditional perimeter defenses than to insider threat management [11].

Since most organizations are reluctant to disclose that an incident has occurred, little insider threat analysis has been conducted in Korea, making it difficult to understand the nature of such threats. The CERT Guide produced by Carnegie Mellon University's Software Engineering Institute (SEI) has analyzed over 1,000 cases and presents 20 best practices based on this analysis. We used this as the best guideline on insider threats [5].

An information security management system (ISMS) is the default approach to minimizing risk and ensuring business continuity by proactively limiting the impact of security incidents. An ISMS can improve the information security level of an organization by introducing a set of policies and procedures for systematically managing the organization's sensitive data. Given the severity of insider threats, an ISMS
would be improved by providing a framework for insider threat management. The Korean government runs a domestic ISMS certification system (K-ISMS) to support organizational information security [12]. K-ISMS, like other ISMSs, is designed around the perceived threat of external hacking. Given the increasing scale and severity of damage caused by insider threats, urgent improvement of existing information security management systems, including K-ISMS, is needed.

In this study, we analyze the insider threat cases reported in the CERT Guide and discuss extensions to K-ISMS based on the best practices for mitigating insider threats and the security controls of NIST SP 800-53 [5, 13]. We also analyze the hacking of the Korean military defense network and consider the lessons that can be applied to extend K-ISMS to insider threat management.

The remainder of this paper is structured as follows. Section II introduces K-ISMS. Section III summarizes the Korean military hacking incident. In Section IV, based on the best practices recommended in the CERT Guide and their mapping to standards, amendments are proposed for security controls to extend K-ISMS to insider threats. The proposed extensions are then applied to the defense network hacking incident to demonstrate their effectiveness. Finally, Section V presents our conclusions and suggestions for future work.

2 Overview of Information Security Management Systems

An ISMS is a comprehensive management system covering the administrative, technical, and physical protection measures needed to ensure the stability and reliability of an information communication network [14]. It is a systematic risk management system for an entire organization that takes account of the proliferation of IT systems and the increase in cyber infringements. The goal is to achieve continuous management through a balanced and systematic response. Major ISMSs include ISO 27001 [15] and the Korean domestic standard K-ISMS [12]. An ISMS is usually divided into an information security management section, responsible for risk management, and a security countermeasure section, responsible for the security controls that the organization implements. The security measures are applied universally and are based on best practice.

2.1 K-ISMS

K-ISMS is a regulatory and certification scheme that examines whether an ISMS established, managed, and operated by a domestic company meets certain standards. It was introduced by the Korean government in 2002 and has helped enterprises to establish and operate effective ISMSs. K-ISMS comprises an information security management section and security countermeasures. The management section covers five levels of 12 controls. Countermeasures are specified in 13 fields, comprising a total of 92 controls. The security controls were updated in 2013. Since 2013, the system has required certain organizations to gain certification; these currently include major internet service providers, internet data centers, online shopping malls, internet portals, and so on. Certification involves four phases: application, contract, audit, and certification. Certification is valid for three years and can be renewed following a further examination. A total of 659 certificates have been issued to date, 477 of which have been renewed [16]. In a survey conducted in 2016, companies reported an improvement in the security awareness of employees, a reduction in infringements, improved management understanding of information security, and better budgeting for information security after K-ISMS certification was obtained [17].

3 Overview of the Korean Defense Network Hacking Incident

3.1 Incident Sequence

A defense network hacking incident was first reported following a parliamentary inspection of the Department of Defense by the National Assembly [18]. A joint investigation was then conducted, and its results were released to the press [19, 20, 22, 23, 24]. Based on the contents of the report, the timeline was as follows [21, 25].

- August 04, 2016: First infiltration; malicious code first logged.
- September 23, 2016: Intranet hacking traces found. The Department of Defense concluded that malicious code was spread through an Internet vaccine (antivirus) relay server, which supplies vaccine programs to all connected PCs. If the relay server is infected with malicious code, all the PCs connected to it are exposed to the risk of infection. About 2,500 Internet computers and 700 intranet computers within the military were infected with malicious code.
- September 30, 2016: A defense cyber joint investigation team was formed, and a joint investigation was conducted over two months, from September 30 to November 30.
- October 06, 2016: It was found that the defense networks were linked directly to the Internet. A survey by the joint inspection team confirmed that LAN cards for the military intranet and the external Internet were in use at the same time in a server of the Kyeryong Defense Integrated Data Center (DIDC). This was the connection point through which a hacker had penetrated the defense network.
- October 12, 2016: It was confirmed that internal data had been leaked.
- December 08, 2016: The Department of Defense announced the results of the investigation.
- December 15, 2016: It was reported that seven officers of the joint chiefs and special forces had violated security regulations by writing documents containing confidential information on a "PC connected to the defense network and the Internet."
- December 23, 2016: The Department of Defense prosecutor's office established a task force to investigate the military, related organizations, and private companies.
- May 02, 2017: Department of Defense prosecutors announced the results of the investigation.

3.2 Incident

The outline of the hacking incident shown in Fig. 1 is based on the findings of the Department of Defense prosecutors. The figure was adapted from [25].

[Fig. 1 Presumed North Korea Hacking Attack on Defense Network]

(1) Presumed North Korea hacker: The Department of Defense prosecutors concluded that the hack was linked to North Korea, as some of the IP addresses used were located in Shenyang, China. The malicious code resembled that known to have been used by North Korea before.

(2) Internet relay server infection: The hacker penetrated an Internet relay server by exploiting a vulnerability in the military vaccine system. In February 2015, the National Police Agency had notified the vaccine vendor of a hacking incident in which a North Korean hacker infiltrated the vendor and stole its certificate and source code. The vendor did not report the hacking incident to the Department of Defense and did not change the update key. The hacker infiltrated the relay server and spread the malicious code through the server and connected PCs.

(3) The penetration was made through the connection point between the external Internet and the military intranet. Two years earlier, when the DIDC was established, outsourced staff had used a LAN card to install programs and did not remove it.

(4) Some vulnerable PCs on the defense network stored confidential data entered by military officers who had failed to observe the security regulations prohibiting the storing of secret documents on personal computers.

3.3 Conclusions

The following conclusions were drawn regarding the defense network hacking case [24].

- Management of the Internet vaccine system had been neglected. The hacker exploited this vulnerability to attack the relay server and spread the malicious code.
- Network separation failed. While installing software, the outsourcer had, for convenience, connected the defense network to the Internet. The responsible manager and security inspector had failed to check this. The security supervisor in the Korean Army Security Command checked and twice pointed out the need for network separation. However, DIDC did not respond to this feedback.
- Confidential data were stored on networked PCs, in breach of security regulations. Data that had been stored on an infected PC then leaked.

4 Cause of Incident and Analysis of Information Security Management System

4.1 Analysis on the Incident Cause and Insider Threat Pattern

Insider Analysis: Major insiders in the defense network hacking case included the vaccine vendor, the outsourced DIDC partner, the inspector who oversaw the outsourcer when the DIDC was under construction, the server and network administrators in DIDC, the security checkers and supervisors, and the military officers who violated the security regulations. It was not revealed whether these insiders had acted maliciously or intentionally. We assume them to be unintentional insiders.

Analysis of the Type of Insider Threat Damage: The external attacker exploited a vulnerability in the vaccine system.
The vaccine vendor concealed the fact that the vaccine certificate and source code had been stolen. The vaccine vendor was an unintentional insider. However, the damage can be classified as an "act of information technology destruction" caused by an intentional insider. In contrast, the insiders who violated the requirements on network separation and management of confidential documents acted unintentionally. This can be classified as "accidental information disclosure."

4.2 Limitations of K-ISMS

Insiders - employees, contractors, consultants, and suppliers - are as much of a threat to the security of an organization as outsiders. For instance, an Advanced Persistent Threat (APT) attack, which is the biggest threat to an organization's information security, makes use of insider threats. To achieve its security goals, an ISMS must reflect the real security threats an organization is facing. The organization must therefore implement policies, procedures, tools, or strategies to respond effectively to insider threats. However, ISMSs do not assess how effectively an organization responds to and manages insider threats, and even ISMS-certified organizations rarely implement such policies, procedures, or tools. This leads to insider breaches of information systems and information leakages. An organization must apply risk assessment, develop strategies to address insider threats, and incorporate those strategies into each area of the ISMS. As long as ISMSs such as K-ISMS fail to consider insider threats, organizations must act on their own initiative.

4.3 Extension of K-ISMS to Insider Threats

4.3.1 ISMS Extension Strategy for Insider Threats

When considering the extension of K-ISMS to insider threats, we referred to the CERT Guide, NIST Special Publication 800-53, and ISO/IEC 27001:2013 [5, 13, 15]. The CERT Guide provides a mapping from best practices to the security controls of NIST SP 800-53. NIST SP 800-53 is one of seven NIST special publications supporting FISMA, which is the national standard for ISMSs in the U.S. It provides a mapping of its security controls to ISO 27001, which are in part similar or identical to those in K-ISMS. K-ISMS certification therefore omits 50 redundant items to avoid duplication of auditing with ISO 27001 [27]. To derive extensions to the K-ISMS certification criteria, we compared its security controls with the best practices against insider threats from the CERT Guide and the security controls of NIST SP 800-53.

4.3.2 Comparative Analysis: Insider Threat Best Practice Mapped to Security Controls of K-ISMS

Best Practices (BP) are mapped to security controls in NIST SP 800-53. The security controls derived from the mapping were then mapped to those of ISO 27001 and K-ISMS, respectively. Some of these mappings are presented in Table 1.

TABLE 1 Best Practices Mapped to Standards, NIST SP 800-53 and K-ISMS

Best Practice | NIST SP 800-53 | K-ISMS
1. Know and protect your critical assets | CP-2(8) Contingency Plan: Identify Critical Assets; CM-2 Baseline Configuration; CM-8 Information System Component Inventory; PM-5 Information System Inventory; PM-8 Critical Infrastructure Plan; RA-2 Security Categorization | 2.2 Roles and Responsibilities; 4.1 Information Asset Identification & Responsibility; 4.2.1 Classification of Information Asset and its Treatment; 13.1 IT Disaster Recovery System Construction; 13.2 Recovery Measures Implementation; N/A (A.17.2.1); N/A (CM-2, PM-5, PM-8)
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. | PS-1 Personnel Security Policies and Procedures; PS-2 Position Risk Designation; PS-3 Personnel Screening; PS-8 Personnel Sanctions | 1.1 Security Policies Approval and Publication; 1.3 Security Policies Maintenance and Management; 2.2 Role and Responsibility; 5.1 Review Compliance with Legal Requirements (management section); 6.1 Information Security Role Responsibility; 6.2 Personnel Policies; 11.1.1 Establishment of Operating Procedures; N/A (PS-2)

Appendix C of the Guide provides a mapping between best practices and the security controls of NIST SP 800-53 [5]. Appendix H of NIST SP 800-53 provides a mapping between NIST SP 800-53 and ISO 27001 [13]. The two mappings were used sequentially to link the best practices, NIST SP 800-53 security controls, and K-ISMS controls. The notation "N/A (control name)" in the table indicates that no security control corresponds to the "control name" belonging to the reference domain. BP 1 "Know and protect your critical assets" corresponds to the security controls CP-2(8), CM-2, CM-8, PM-5, PM-8, and RA-2 of NIST SP 800-53. CP-2 is mapped to A.6.1.1, A.17.1.1, and A.17.2.1 of ISO 27001 [13]. The security control A.6.1.1 "Information security roles and responsibilities" of ISO 27001 is mapped to 2.2 "Roles and responsibilities" of K-ISMS, and A.17.1.1 "Planning information security continuity" is mapped to 13.1 "IT disaster recovery system construction" and 13.2 "Recovery measures implementation." There are no security controls within K-ISMS that map to A.17.2.1 "Availability of information processing facilities" or to CM-2, PM-5, or PM-8. For BP 4 "Beginning with the hiring process, monitor, and respond to suspicious or disruptive behavior," there is no security control mapped to PS-2. If the same procedure is applied to all 20 BPs, it is possible to derive all the security controls of NIST SP 800-53 that concern insider threats. It also becomes possible to exhaustively list the security controls that are missing from K-ISMS.
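The sequential mapping just described (BP to NIST SP 800-53 via Appendix C, NIST to ISO 27001 via Appendix H, ISO to K-ISMS) can be mechanized so that the two kinds of gap behind the paper's "N/A" notation fall out automatically: a NIST control with no ISO counterpart, and an ISO control with no K-ISMS counterpart. The following is an added example, not code from the paper; its tables are reconstructed from Table 1 and the text above, and the ISO clause numbers used for CM-8, RA-2 and the PS-family controls are assumptions of this example, not values the paper states.

```python
"""Compose BP -> NIST SP 800-53 -> ISO 27001 -> K-ISMS mappings and report
where the chain breaks, reproducing the N/A entries of Table 1.

Added example; mapping data reconstructed from the paper's Table 1 and text.
ISO clause numbers marked 'assumption' are not stated in the paper.
"""
import re
from dataclasses import dataclass, field

# Best practice -> NIST SP 800-53 controls (Table 1 of the paper).
BP_TO_NIST = {
    "BP 1 Know and protect your critical assets":
        ["CP-2(8)", "CM-2", "CM-8", "PM-5", "PM-8", "RA-2"],
    "BP 4 Beginning with the hiring process, monitor and respond to "
    "suspicious or disruptive behavior":
        ["PS-1", "PS-2", "PS-3", "PS-8"],
}

# NIST SP 800-53 control -> ISO/IEC 27001 Annex A controls (Appendix H).
# CP-2 is given in the text; entries marked 'assumption' are not. An empty
# list means no ISO counterpart, which the paper writes as "N/A (control)".
NIST_TO_ISO = {
    "CP-2": ["A.6.1.1", "A.17.1.1", "A.17.2.1"],
    "CM-2": [],
    "CM-8": ["A.8.1.1"],                                           # assumption
    "PM-5": [],
    "PM-8": [],
    "RA-2": ["A.8.2.1"],                                           # assumption
    "PS-1": ["A.5.1.1", "A.5.1.2", "A.6.1.1", "A.12.1.1", "A.18.1.1"],  # assumption
    "PS-2": [],
    "PS-3": ["A.7.1.1"],                                           # assumption
    "PS-8": ["A.7.2.3"],                                           # assumption
}

# ISO control -> K-ISMS controls. K-ISMS names come from the K-ISMS column
# of Table 1; which ISO clause each one hangs off is an assumption.
ISO_TO_KISMS = {
    "A.6.1.1": ["2.2 Roles and Responsibilities"],
    "A.17.1.1": ["13.1 IT Disaster Recovery System Construction",
                 "13.2 Recovery Measures Implementation"],
    "A.17.2.1": [],   # no K-ISMS counterpart (stated in the paper)
    "A.8.1.1": ["4.1 Information Asset Identification & Responsibility"],
    "A.8.2.1": ["4.2.1 Classification of Information Asset and its Treatment"],
    "A.5.1.1": ["1.1 Security Policies Approval and Publication"],
    "A.5.1.2": ["1.3 Security Policies Maintenance and Management"],
    "A.12.1.1": ["11.1.1 Establishment of Operating Procedures"],
    "A.18.1.1": ["5.1 Review Compliance with Legal Requirements (management section)"],
    "A.7.1.1": ["6.1 Information Security Role Responsibility"],
    "A.7.2.3": ["6.2 Personnel Policies"],
}


@dataclass
class BpCoverage:
    best_practice: str
    kisms: dict = field(default_factory=dict)          # NIST control -> K-ISMS controls
    missing_in_iso: list = field(default_factory=list)   # "N/A (NIST control)"
    missing_in_kisms: list = field(default_factory=list)  # "N/A (ISO control)"


def base_control(control: str) -> str:
    """Strip a control enhancement: 'CP-2(8)' -> 'CP-2'. Appendix H maps base controls."""
    return re.sub(r"\(\d+\)$", "", control)


def coverage(bp: str) -> BpCoverage:
    """Walk the chain for one best practice and record each kind of gap."""
    out = BpCoverage(bp)
    for nist in BP_TO_NIST[bp]:
        iso_controls = NIST_TO_ISO.get(base_control(nist), [])
        if not iso_controls:                 # chain breaks at NIST -> ISO
            out.missing_in_iso.append(nist)
            continue
        found = []
        for iso in iso_controls:
            kisms = ISO_TO_KISMS.get(iso, [])
            if kisms:
                found.extend(kisms)
            elif iso not in out.missing_in_kisms:   # chain breaks at ISO -> K-ISMS
                out.missing_in_kisms.append(iso)
        out.kisms[nist] = sorted(set(found))
    return out


def report() -> dict:
    """Coverage for every best practice in BP_TO_NIST."""
    return {bp: coverage(bp) for bp in BP_TO_NIST}


if __name__ == "__main__":
    for bp, cov in report().items():
        print(bp)
        for nist, k in cov.kisms.items():
            print(f"  {nist:8} -> {', '.join(k) or '(none)'}")
        print("  N/A at NIST->ISO step  :", ", ".join(cov.missing_in_iso) or "none")
        print("  N/A at ISO->K-ISMS step:", ", ".join(cov.missing_in_kisms) or "none")
```

Extending `BP_TO_NIST` with the remaining 18 best practices from Appendix C of the Guide yields the exhaustive list of missing controls the section describes.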
4.3.3 Derivation of Security Controls to Extend K-ISMS

Appendix G of NIST SP 800-53 provides the controls and supplementary guidance for information security programs [13]. We next compared them with the control objectives of K-ISMS. Since the K-ISMS certification system is operated separately from the cloud services security certification system, BP 16 "Define explicit security agreements for any cloud service, especially access restrictions and monitoring capabilities" was excluded from the analysis. Table 2 shows part of the security controls that are absent from K-ISMS or that require amendment when implementing the 19 BPs. An asterisk (*) indicates a security control that is absent from K-ISMS and whose corresponding ISO control does not fully satisfy the NIST security control.

TABLE 2 Best Practice and K-ISMS Amendment Security Controls

Best Practice | K-ISMS Amendment
4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior. | PS-2 Position Risk Designation
6. Consider threats from insiders and business partners in enterprise-wide risk assessments. | RA-3* Risk Assessment; PM-9 Risk Management Strategy

4.3.4 K-ISMS Extension

Some of the security controls related to the 19 BPs were mapped, as shown in Table 1. The mapping was used to derive possible K-ISMS amendments from NIST SP 800-53 and ISO 27001. These are not currently included in K-ISMS, as shown in Table 2. The derived K-ISMS amendments were given a definition and implemented according to their own standards [13, 15]. For extension to K-ISMS, the security controls have been arranged to match the relevant management section and security countermeasure, as shown in Table 3. Table 3 shows only three sets of countermeasures. An asterisk (*) indicates that the security control should be partially considered as an amendment to K-ISMS. Security countermeasure 5 "Information Security Training" was amended by NIST control AT-3*, and 6 "Human Security" by PS-2. 8 "System Development Security" was amended by many controls in NIST and ISO 27001, which should be considered when developing and operating configuration management and information system integrity.

TABLE 3 Positioning of Security Controls from NIST SP 800-53 and ISO 27001 as K-ISMS Amendments

K-ISMS | NIST SP 800-53 | ISO 27001
5. Information Security Training | AT-3* Role-Based Security Training | -
6. Human Security | PS-2 Position Risk Designation | -
8. System Development Security | CM-2 Baseline Configuration; CM-6 Configuration Settings; CM-7 Least Functionality; SC-4 Information in Shared Resource; SA-5 Information System Documentation | A.14.1.2 Securing application services on public networks; A.14.1.3 Protecting application services transactions; A.14.2.2 System change control procedures; A.14.2.3 Technical review of applications after operating platform changes; A.14.2.4 Restrictions on changes to software packages

5 Analysis and Evaluation

5.1 Comparison of the Defense Network Hacking Incident with Best Practice

The causes of the hacking incident can be classified into four security failures: supply chain assurance, network access, security awareness, and monitoring and audit. In each security area, the insider threats and the BPs for mitigating them were analyzed. The BPs and corresponding K-ISMS amendments are summarized in Table 4. These amendments extend K-ISMS to deal with insider threats.

TABLE 4 Extended K-ISMS Based on Defense Network Hacking Case

Security Area | Insider threat | BP No. | K-ISMS amendment
Supply chain assurance | Vaccine vendor: concealed vaccine hack and vulnerabilities. Employer of DIDC partner (outsourcer): ignored security or made mistakes, violating network access policy. | 6 | RA-3, PM-9
Network access control | Outsourcer of DIDC: neglected change control procedures. Inspector of DIDC: inspection or supervision failed. Server/network administrator of DIDC: knowingly left two networks connected. Managers: supervision failed. | 3, 8, 14, 17, 19 | AC-16, AC-21, AC-22, CM-2, CM-6, CM-7, SC-4, A.12.5.1*, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4
Security awareness | All insiders: lack of security awareness/training or expertise. | 4, 9 | PS-2, AT-3*
Monitoring and audit | Lack of system monitoring and alerts. Logging and reporting failed on network access control and data leakage. Audit failed. | 12, 13 | AU-2, AU-7, A.14.1.2

5.2 Application of the K-ISMS Extension to the Defense Network Hacking Incident

The K-ISMS extension was applied to the defense network hacking incident to test its effectiveness in insider threat management.
- Supply chain assurance: While conducting risk assessment, the organization develops a comprehensive strategy to manage risk to its operations and assets, to individuals, and to other organizations (RA-3, PM-9). It then implements a risk management strategy consistently across the organization, and reviews and updates the strategy as required to address organizational change. For supply chain assurance, DIDC should have developed a strategy to manage the risk to critical assets such as the vaccine relay server and network separation. This strategy would be applied to individuals, including the outsourcer, security auditor, and officers authorized to have access to confidential information, and to business partners such as the vaccine vendor.

- Network access control: Security attributes are typically associated with the internal data structures of the information system and are used to implement access control and flow control policies. They control handling and distribution or support other aspects of information security policy (AC-16). The organization facilitates information sharing by enabling authorized users to determine whether the access authorizations assigned to the sharing partner match the access restrictions placed on the information. Organization-defined automated mechanisms or manual processes can be employed to assist users in making decisions on information sharing and collaboration (AC-21). In the defense network hacking incident, confidential information carrying organization-defined security attributes could have controlled the access and information sharing of authorized users. The organization develops, documents, and maintains a baseline configuration under configuration control. Separation of networks must be highlighted in the baseline configuration (CM-2) and configuration settings (CM-6) of all information systems, and interconnection of the networks prohibited or restricted (CM-7). System change control procedures (A.14.2.2), technical review of applications after operating platform changes (A.14.2.3), restrictions on changes to software packages (A.14.2.4), and installation of software on operational systems (A.12.5.1) reflect the need for adjustment highlighted by the military case.

- Security awareness and training: The organization assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions (PS-2). Position risk designations guide and inform the type of authorization an individual receives. Position screening criteria include the explicit requirements for appointment to an information security role. In this case, the security role appointment of insiders - the administrator of DIDC, inspector, and auditor - was not adequate for the assigned roles. If position risk designation is managed and employees satisfy the screening criteria, then the timely response and behavior of insiders may improve. The organization provides role-based security training to personnel assigned security roles and responsibilities before authorizing access to the information system or allowing them to perform the assigned duties (AT-3). The organization determines the appropriate content of the security training based on the assigned role and responsibilities of each individual and on the specific security requirements. If DIDC had provided adequate security-related training to insiders, specifically tailored to their assigned duties, the inadvertent security breaches could have been effectively prevented.

- Audit and monitoring: The organization determines the auditable events and provides a rationale for deeming the auditable events adequate to support investigations of security incidents (AU-2). In the DIDC case, this would have addressed the linking of the Internet and the military intranet, and the use and sharing of confidential information.

6 Conclusions and Further Work

We analyzed the defense network hacking incident to identify the limitations of the existing ISMS. The incident involved both insider threats and an APT attack by external hackers. The ISMS was unable to counter the insider threats. Very little information is available on domestic insider threat incidents. We therefore identified BPs for coping with insider threats from the comparative analysis of over 1,000 cases by Carnegie Mellon University's SEI. We derived an exhaustive list of proposed amendments to security controls for insider threat management from the controls in NIST SP 800-53 and the mapping between NIST and ISO 27001. We proposed extensions to K-ISMS based on the security control amendments identified and validated these by application to the defense network hacking incident.

The security controls of K-ISMS can be improved by the addition of these amendments. The control areas, control objectives, control contents, and check items used to achieve the control objectives can be re-specified for each area. The proposed K-ISMS extensions can be applied directly to the ISMS certification system, for implementation in a number of industrial areas, particularly in financial and medical services. The strategy detailed in this study can be extended to the security management systems of cloud service providers.

7 References

[1] Lee Yong-soo, "N. Korea hacks into secret war plans," April 04, 2017, retrieved on Apr. 14, 2017 from http://english.chosun.com/site/data/html_dir/2017/04/04/2017040401234.html.

[2] Kang Jeong-gyu, "[Exclusive] Suspicious security company employee disappeared after hacking incident,"
April 10, 2017, retrieved on Apr. 14, 2017 from http://www.ytn.co.kr/_ln/0101_201704100506120939.

[3] Kim Seongju, "Analysis of the cause of the outbreak of the military operation plan and measures to prevent recurrence," April 10, 2017, retrieved on Apr. 14, 2017 from http://amhoin.blog.me/220982023410.

[4] Glenn Greenwald, Ewen MacAskill, Laura Poitras, "Edward Snowden: the whistleblower behind the NSA surveillance revelations," Guardian News and Media Limited, retrieved on Apr. 14, 2017 from https://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance.

[5] Matthew Collins, Michael Theis, Randall Trzeciak, Jeremy Strozer, Jason Clark, Daniel Costa, Tracy Cassidy, Michael Albrethsen, Andrew Moore, "Common sense guide to mitigating insider threats," 5th Edition, TR, Dec. 2016, http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=484738, checked on 2017/5/15.

[6] Price Waterhouse Cooper; CSO Magazine; U.S. Secret Service; Deloitte; and Software Engineering Institute CERT Division at Carnegie Mellon University, "Key Findings from the 2015 U.S. State of Cybercrime Survey," 2015.

[7] Shey, Heidi, "Understand the state of data security and privacy: 2015 To 2016," Forrester Research, Inc., 8 Jan. 2016.

[8] Forrester Research, Inc., "Global business

[15] ISO, "ISO/IEC 27001:2013(en)," retrieved on April 14, 2017 from https://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en.

[16] Korea Internet & Security Agency, "Information security management system (ISMS) certificate issue," retrieved on April 14, 2017 from https://isms.kisa.or.kr/main/isms/issue/.

[17] Kim Ki-hong, "Future creation science department, information security management system certification system development direction," 2017 Information Security Management System (ISMS), April 27, 2017.

[18] Kim Jin-pyo, National Assembly Member of Defense, Department of Defense Parliamentary audit press reference materials, "Cybercommand hacked," October 5, 2016.

[19] Department of Defense, Investigation findings regarding military hacking incidents, December 6, 2016.

[20] Lee Cheolhee, Recording of National Defense Committee Issue Question and Answer, Dec. 12, 2016, retrieved on May 10, 2017 from https://www.youtube.com/watch?v=K4DYYacmqx0&t=569s.

[21] Lee Daeyoung, "An overview and analysis of the Korea military intranet hacking," Dec. 7, 2016, retrieved on April 24, 2017 from http://www.itworld.co.kr/news/102451.

[22] Kim Kookbae, "Department of Defense concludes that the defense network hacking incident was caused by North
technographics security survey, 2015.” July 2015. Korea hacker ,” May 2, 2017,
http://news.inews24.com/php/news_view.php?g_serial=10211
[9] Forcepoint, "2016 Global Threat Report", 2016. 70&g_menu=020200 , checked on 2017/5/15.

[10] Ponemon Institute LLC. “Ponemon study: The [23] Lee Chi-dong, “S. Korea military says N. Korea behind
unintentional insider risk in United States and German last year's hacking attack,” 2 May 2017,
organizations.” July 30, 2015. http://english.yonhapnews.co.kr/national/2017/05/02/0301000
000AEN20170502007600315.html, checked on 2017/5/15.
[11] Forrester Research, Inc. “Global business
technographics devices and security workforce survey, 2015.” [24] Park Byungsoo, “Defense network hacking conclude
August 2015. overall security hazard,” May 02, 2017, retrieved on May 15,
2017 from
[12] Korea Internet & Security Agency, “An introduction of http://www.hani.co.kr/arti/politics/defense/793223.html.
ISMS certification system,” retrieved on Apr. 14, 2017 from
https://isms.kisa.or.kr/main/isms/. [25] Pan Jongbin, “Military intranet hacking connected
Shenyang, China, similar to malicious codes by North Korea,”
[13] Blank, R. M., P. D. Gallagher, and Joint Task Force December 06, 2016, retrieved on May 15, 2017 from
Transformation Initiative Interagency Working Group. “NIST http://www.yonhapnews.co.kr/bulletin/2016/12/06/020000000
Special Publication 800-53, Security and Privacy Controls for 0AKR20161206027151014.HTML.
Federal Information Systems and Organizations, Revision 4.”
Washington, DC: National Institute of Standards and [26] Korea Internet & Security Agency, Future Creation
Technology (NIST) (2013). Science Notice 2016-59, "[Attachment 4] Scope of the partial
omission of the information security management system
[14] Korea Internet & Security Agency, Information security certification examination (related to Article 17)".
management system (isms) certification guideline (2013).

ISBN: 1-60132-467-7, CSREA Press ©
