Insider threat and information security

Insider Threat and Information Security

Dawn Cappelli

Faculty, Carnegie Mellon University

Earl Crane

Adjunct Professor, Carnegie Mellon University


Insider Threat

  • Hassan Abujihaad (Formerly Paul Hall)

    • Arrested March 7, 2007

    • Sailor on USS Benfold (2000-2001)

    • Passed SECRET information to known Islamic Jihadists containing battle group weaknesses

    • Islamic Fundamentalist Convert

    • http://cicentre.com


Insider Threat

  • Leandro Aragoncillo

    • Arrested: September 10, 2005

    • Sentenced to 10 years: July 18, 2007

    • Retired Marine, Administration Chief of White House VP Security Detail

    • Passed 101 classified documents to Philippine government, 37 marked SECRET

    • Played to Filipino loyalties

    • http://cicentre.com


Insider Threat

  • Robert Hanssen

    • Arrested February 18, 2001

      • Spy since 1985

    • Long-time FBI agent

    • “Worst case of espionage in US history”

      • Washington Post, 20 Feb 01

    • Spied in exchange for $1.4M in cash and diamonds


Spy cases

  • What did these have in common?

    • Trusted insiders who “turned”

    • Used information system trust to commit espionage.

  • Did precursors exist to alert management?

  • Could these have been prevented?

    • Use of technology controls to mitigate

    • Use of management observation to mitigate


Disclaimer

  • This is not “trusted computing” or “computational correctness”

  • This does not make the case that insider threats are a known and prevalent problem; that is taken as a given.


Overview

  • Trust and Trust Online

  • A brief overview of Trust

    • Shifting Trust from Technology to People

  • Trust and information systems

    • Credibility, Ease of Use, Perceived Risk

    • Technology Adoption

    • Fear of the unknown

  • The Critical Pathway

  • Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon


Trust

  • “Nearly 70% of Americans agree with the statement, ‘I don't know whom to trust anymore’”

    • February 2002 Golin/Harris Poll

  • The “What is Trust?” question is not new

    • Interpersonal Trust

    • Team Trust

    • Societal Trust

  • Trust and Abstract Systems


What is Trust Online?

  • “An attitude of confident expectation in an online situation of risk that one’s vulnerabilities will not be exploited.”

    • (Corritore, Kracher, & Wiedenbeck, 2003)


A brief overview of Trust

  • General vs. Specific Trust

  • Kinds of Trust

    • Cognitive vs. Emotional Trust

      • (Komiak & Benbasat, 2004)

    • Slow Trust vs. Swift Trust

  • Degrees of Trust

    • Weak to Strong Trust

    • Basic Trust, Guarded Trust, Extended Trust

  • Stages of Trust

    • Deterrence Based, Knowledge Based, and Shared Identification Based Trust

  • Shifting Trust

    • Trust in Technology vs. Trust in People


Shifting Trust

  • Trust in Technology vs. People

  • Shift from technology to people through technology

    • (Chopra & Wallace, 2003)

[Figure: Shifting Trust from Technology to People (goal)]


Trust in Technology

  • Trust in technology follows an interpersonal model of trust.

    • Web page or electronic document

    • We trust the data if:

      • It is believed to be reliable

      • If we trust willingly

      • If we can accept or reject the information on the document.


Trust in People

  • Electronic commerce

    • Closer to humanistic trust, where the trustee is now a person or organization

    • Confidence that a transaction will be fulfilled appropriately.

  • Online relationships

    • Confidence that the other party will maintain a quality relationship.

      • Intelligence, positive intentions, ethics, dependability, predictability, confidentiality

  • This is where we approach trust and information systems



Credibility

  • Credibility, and the perception of credibility, have four components:

    • Honesty

    • Expertise

    • Predictability

    • Reputation

      • (Corritore, et al. 2003)

  • Regular communication builds trust (credibility) in online environments

    • (Gibson, 2003)


Ease of Use

  • A website that is easy for users to navigate and find the information needed instills a sense of trust in the user, and satisfies the user with their online experience.

    • (Corritore, Kracher, & Wiedenbeck, 2003)

  • How well users can achieve their goals while using a computer

    • The hard-to-use ACS system was one of the factors contributing to the Robert Hanssen espionage case

      • (Band et al., 2006).


Technology Adoption

  • Choose the path of least resistance

  • Technology Acceptance Model (TAM)

    • Perceived Usefulness (PU)

    • Perceived Ease of Use (PEOU)


Perceived Risk

  • A user’s perception of risk is closely linked to their trust.

    • A person buying a large ticket item online for the first time may feel they have little control over the transaction.

  • Even when users are not fully aware of all the risks, they have an “awareness of the unknown” that increases their perceived risk.

    • (Komiak & Benbasat, 2004)


The only thing we have to fear is fear itself

  • Fear of the unknown

    • Previously discussed Cognitive and Emotional Trust

    • (Komiak & Benbasat, 2004)


Trust and Insider Threat

  • Organizations must trust their employees to some extent

  • Trust without management or technical controls can enable insider attacks

  • We can’t fix stupid

  • Insider attacks follow a pattern - a “critical pathway”

    • Caveat: Not applicable to trained foreign intelligence agents


Critical Pathway

[Figure: the critical pathway to insider attack (Shaw & Fischer, 2005)]


Critical Pathway

  • At-risk Subject Characteristics

    • Serious promotional or personal setbacks

    • Previous computer misuse

    • Disabling organizational security devices

    • Disregard for security protocols

    • Self-esteem issues, a “high maintenance employee”

    • Personnel conflicts

    • Anger

    • Lack of inhibitions about retaliation or revenge

      (Shaw, 2006)


System Dynamics

  • Modeled through System Dynamics

    • Jay W. Forrester, 1961

  • A method and supporting toolset

    • Holistically model, document, and analyze complex problems as they evolve over time

    • Develop effective mitigation strategies that balance competing concerns

  • Carnegie Mellon System Dynamics Research

    • Discovered the “trust trap”


Summary

  • Discussed so far:

    • Trust and Trust Online

    • A brief overview of Trust

    • Trust and information systems

    • The Critical Pathway

  • Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon

    • Management and Education of Risks of Insider Threat (MERIT Model)


MERIT Model of Insider IT Sabotage


MERIT Model

[Figure: MERIT system dynamics model of insider IT sabotage. Variables shown: actual risk of insider attack, technical precursor, behavioral precursor, acquiring unknown access paths, unknown access paths, ability to conceal activity, discovery of precursors, disgruntlement, technical monitoring, behavioral monitoring, sanctions, perceived risk of insider attack, insider's unmet expectation, org's trust of insider, insider's expectation, expectation fulfillment, precipitating event, personal predisposition. The feedback loop through org's trust of insider is annotated “TRUST TRAP!!”]

© 2007 Carnegie Mellon University



Insider Threat Mitigation

  • Balance information sharing with information restriction and monitoring

  • Technical Controls

  • Management Controls

  • Operational Controls

    • Series of recommendations from Carnegie Mellon



Our Thoughts About Best Practices

  • Refer to the Common Sense Guide and Insider Threat Study reports for supporting data.

  • Our goal here is to use case examples to motivate you to ask yourself

Could something like this happen to me?



Best Practice #1: Institute periodic enterprise-wide risk assessments.

Emergency services are forced to rely on manual address lookups for 911 calls when an insider sabotages the system.

Organizations need to develop a risk-based security strategy to protect their critical assets from both external and internal threats.


Best Practice #2: Institute periodic security awareness training.

A team of software developers pay the price after they ignore the team lead’s contempt and deliberate violation of management’s directives.

Without broad understanding and buy-in from the organization, technical or managerial controls will be short-lived.


Best Practice #3: Enforce separation of duties and least privilege.

A supervisor accepts $50,000 to grant asylum to immigrants who had been or could have been otherwise denied.

While security awareness training is an excellent start, separation of duties and least privilege must be implemented to limit the damage that malicious insiders can inflict.
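As an added illustration of this best practice (example code, not part of the presentation), the check below models a two-person decision workflow like the asylum case above: roles carry only the permissions their job needs (least privilege), and the person who created or recommended a case can never be the one who approves it (separation of duties). Role names, permissions and users are constructed for the example.

```python
# Added example: least privilege plus separation of duties for a two-person
# approval workflow. Roles, permissions and users are constructed, not real.
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: each role gets only the permissions its job requires.
ROLE_PERMISSIONS = {
    "adjudicator": {"case.create", "case.recommend"},
    "supervisor": {"case.approve"},
    "auditor": {"case.read"},
}

@dataclass
class Case:
    case_id: str
    created_by: str
    recommended_by: Optional[str] = None
    approved_by: Optional[str] = None
    history: list = field(default_factory=list)  # audit trail of (action, user)

def has_permission(user_roles, user, permission):
    """True if any of the user's roles grants the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in user_roles.get(user, ()))

def recommend(case, user, user_roles):
    if not has_permission(user_roles, user, "case.recommend"):
        return False, f"{user} lacks case.recommend"
    case.recommended_by = user
    case.history.append(("recommend", user))
    return True, "recommended"

def approve(case, user, user_roles):
    """Approve a case; returns (ok, reason). The reason is what an auditor sees."""
    if not has_permission(user_roles, user, "case.approve"):
        return False, f"{user} lacks case.approve"
    # Separation of duties: the approver must be a second person who has not
    # already created or recommended this case, so one insider cannot act alone.
    if user in (case.created_by, case.recommended_by):
        return False, f"{user} already acted on {case.case_id}; second person required"
    if case.recommended_by is None:
        return False, "no independent recommendation on file"
    case.approved_by = user
    case.history.append(("approve", user))
    return True, "approved"
```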


Best Practice #4: Implement strict password & account management practices.

A disgruntled contractor snoops to his heart’s content after he uses a password cracker to obtain 40 passwords, including the root password.

If an organization’s computer accounts can be compromised, insiders can circumvent manual and automated control mechanisms.


Best Practice #5: Log, monitor, and audit employee online actions.

A contractor’s sophisticated scheme, which allowed him to steal 5,000 employee passwords, is discovered in the nick of time.

Logging, monitoring, and auditing can lead to early discovery and investigation of suspicious insider actions.


Best Practice #6: Use extra caution with privileged users.

An insider’s fiancée finds her promotion is better than he ever imagined when she gives him $615,000 over the next two years.

System administrators and privileged users have the technical ability, access, and oversight responsibility to commit and conceal malicious activity.


Best Practice #7: Actively defend against malicious code.

A software developer realizes that the fox is guarding the henhouse when he is able to modify his own source code to override his own security measures.

While insiders frequently use simple user commands to do their damage, logic bombs and other malicious code are used frequently enough to be of concern.


Best Practice #8: Use layered defense against remote attacks.

A foreign currency trader hides $691 million in losses over a 5 year period – mostly from home in the middle of the night.

Remote access provides a tempting opportunity for insiders to attack with less risk.


Best Practice #9: Monitor and respond to suspicious activity.

A software development manager who verbally attacks management and coworkers on a regular basis is finally fired, but steals critical software and demands $50K for its return.

One method of reducing the threat of malicious insiders is to proactively deal with difficult employees.


Best Practice #10: Deactivate computer access following termination.

A system administrator terminated with no advance notice remotely logs in using an administrator account and shuts down the organization's mission-critical server.

It is important that organizations follow rigorous termination procedures that disable all open access points to the networks, systems, applications, and data.
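To show how Best Practice #5 (log, monitor, audit) catches a failure of Best Practice #10, here is an added example (not code from the presentation or from Carnegie Mellon) that reconciles an HR termination feed against authentication logs and flags any activity by an account after its owner's termination time, as well as terminated accounts the directory still lists as enabled. The log format, usernames, hosts and timestamps are all constructed.

```python
# Added example: detect post-termination account use from logs. The HR feed,
# log format and all values below are constructed for illustration.
from datetime import datetime
import re

# Constructed HR feed: username -> termination time (UTC).
TERMINATIONS = {
    "jdoe": datetime(2007, 3, 1, 17, 0, 0),
}

# Constructed auth log: "<date> <time> <user> <source-ip> <event>" per line.
AUTH_LOG = """\
2007-03-01 16:45:00 jdoe 10.0.0.12 login_ok
2007-03-01 23:12:07 jdoe 203.0.113.9 login_ok
2007-03-01 23:14:30 jdoe 203.0.113.9 sudo_shutdown
2007-03-02 08:00:00 asmith 10.0.0.20 login_ok
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "user": m.group(2), "src": m.group(3), "event": m.group(4)}

def post_termination_events(log_text, terminations):
    """Events by a user after that user's termination time.

    Any hit means access was not deactivated at termination (Best Practice #10);
    the source address shows whether it came in remotely, as in the case above."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        term = terminations.get(ev["user"])
        if term is not None and ev["ts"] > term:
            hits.append(ev)
    return hits

def still_enabled(active_accounts, terminations):
    """Terminated users whose accounts the directory still reports as enabled."""
    return sorted(u for u in active_accounts if u in terminations)
```

Run against a real directory export and log source, the two functions give an auditor both the gap (accounts not disabled) and the evidence (what those accounts did afterwards).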


Best Practice #11: Collect and save data for use in investigations.

Monthly audit log recycling causes company difficulty in prosecuting a long-term fraud scheme with losses of over $500K.

Collecting and saving usable evidence preserves response options, including legal actions.


Best Practice #12: Implement secure backup and recovery processes.

A disgruntled system administrator amplifies the impact of a logic bomb by centralizing critical programs and intimidating a coworker out of backup tapes.

It is important that organizations prepare for the possibility of insider attacks by implementing secure backup and recovery processes that are tested periodically.


Best Practice #13: Clearly document insider threat controls.

After an insider transfers to a new department, the absence of a policy allows him to repeatedly gain unauthorized access to his old department’s systems without repercussions.

To ensure consistent handling and to protect against accusations of discrimination, procedures for dealing with malicious insiders must be clearly documented.


Questions

  • Earl Crane

    • Crane at andrew * cmu * edu

  • Dawn Cappelli

    • DMC at cert * org


Summary of Best Practices

  • Institute periodic enterprise-wide risk assessments.

  • Institute periodic security awareness training for all employees.

  • Enforce separation of duties and least privilege.

  • Implement strict password and account management policies and practices.

  • Log, monitor, and audit employee online actions.

  • Use extra caution with system administrators and privileged users.

  • Actively defend against malicious code.

  • Use layered defense against remote attacks.

  • Monitor and respond to suspicious or disruptive behavior.

  • Deactivate computer access following termination.

  • Collect and save data for use in investigations.

  • Implement secure backup and recovery processes.

  • Clearly document insider threat controls.

