
Insider Threat

ISACA, Mumbai Chapter


Sameer Saxena, 23rd July 2011

Agenda
- The Insider
- Insider Threat Landscape
- Probable causes
- Insider Impact and Challenges
- Mitigation strategies

Insider Beliefs: Haven't we heard/said this before!


- We trust our employees
- We have an open environment. We cannot clamp down.
- Insiders? Malware is ripping us to shreds
- It's an IMPOSSIBLE task!
- We use the principle of least privilege, separation of duty, and pray. Lots.

SPOT THE INSIDER..

Terry Childs Case: San Francisco Network


- Terry Childs was responsible for creating and managing the City of San Francisco's FiberWAN network
- On July 9, 2008, he was told over a hostile conference call with the HR department, his boss and a police officer that he was being reassigned, would no longer work on the FiberWAN network and was to hand over the passwords
- Handed over bogus passwords and was reluctant to give up the real ones
- His justification: nobody in the room was qualified to have admin access to the network
- Sentenced to four years in prison; bail had been set at US$ 5 million
- The jury found him a nice guy, protective of his work like many IT people, possibly a little paranoid. He didn't have good management to keep him in check; he was allowed free rein, which allowed engineering decisions over the years that made things worse and worse and locked people out of possibly ever getting into this network.

Other Real Life Incidents


- Roger Duronio, former UBS PaineWebber computer systems administrator, was convicted of planting a malicious logic bomb that caused more than USD 3 million in damage and repair costs to the UBS computer network. He had received a bonus of USD 32,500 (against the USD 50,000 he expected) in 2002. Sentenced to 97 months in prison.
- William Sullivan, former database administrator of Fidelity National Information Services, was sentenced to 57 months in prison and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm. He had stolen the consumer information of 8.4 million people and sold it for USD 600,000 to marketing firms between 2002 and 2007.

Other Real Life Incidents


HSBC's system administrator Hervé Falciani, who had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax authorities. Subject line: "Tax evasion: client list available."

Disgruntled Dave
- A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane
- Once a trusted insider with privileged access to critical IT infrastructure
- Change in circumstances
- Now unhappy with the status quo to the point where he is intentionally doing harm, such as stealing, modifying or deleting data and/or planting malware

Verizon's 2010 Data Breach Investigations Report

THE INSIDER

Who are Insiders?


A current or former employee, contractor or other business partner who has or had authorised access to an organisation's network, system or data, and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability (C.I.A.) of the organisation's information, information systems and/or daily business operations.

An insider may be someone who:


- Deliberately seeks employment with an organisation with intent to cause harm
- Causes harm once employed but had no intention of doing so when first employed, or
- Is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider

Let's break it down a bit further


Authorized Users
- Employees: clerks, accountants, finance, salespeople, purchasing, etc.

Privileged Users
- DBAs, DB/app developers, application QA, contractors, consultants

Knowledgeable Users
- IT Ops, Network Ops, security personnel, audit personnel

Outsiders or Malicious Users with Insider Access and/or Vulnerability Knowledge
- The sophisticated white-collar criminal

An individual may belong to more than one group.

Reasons to cause harm


Motivated by one or a combination of reasons. A useful acronym for the motivations underlying the behaviour is CRIME:
- Coercion: being forced or intimidated
- Revenge: for a real or perceived wrong
- Ideology: radicalisation or advancement of an ideological or religious objective
- Money: illicit financial gain, and/or
- Exhilaration: the thrill of doing something wrong

Factors that increase the risk of Insider Threat


- No comprehensive written acceptable use policies
- Ineffective management of privileged users
- Inappropriate role and entitlement assignment
- Poor information classification and policy enforcement
- Weak user authentication
- Poor overall identity governance
- Inadequate auditing and analytics

Can the INSIDERS Be STOPPED?

Types of Insider Activity

Type 1: IT Sabotage
Who are they?
- System administrators
- People with privileged access on systems, and technical ability

Why do they do it?
- To bring down systems, cause some kind of harm

How did they attack?
- Privileged access, or no authorized access at all
- Backdoor accounts, shared accounts, other employees' accounts, the insider's own account
- Remote access outside normal working hours

Dynamics of Insider IT Sabotage


- Disgruntled due to unmet expectations
- A period of heightened expectations, followed by a precipitating event that triggers precursors
- Behavioral precursors were often observed but ignored by the organization
- Significant behavioral precursors often came before technical precursors
- Technical precursors were observable, but not detected by the organization

Red Flags
Unmet expectations
- Insufficient compensation
- Lack of career advancement
- Inflexible system policies
- Co-worker relations; supervisor demands

Behavioural precursors
- Drug use; absence/tardiness
- Aggressive or violent behaviour; mood swings
- Used the organization's computers for personal business
- Sexual harassment
- Poor hygiene

Types of Sabotage Crimes


- Constructed or downloaded, tested and planted a logic bomb
- Deleted files, databases or programs
- Destroyed backups
- Revealed derogatory, confidential or pornographic information to customers, employees or the public
- Modified a system or data to present pornography or embarrassing information
- Denial of service by modifying authentication information, deleting data or crashing systems
- Modified system logs to frame a supervisor or an innocent person and conceal identity
- Downloaded customer credit card data and posted it to a website
- Cut cables
- Sabotaged own project
- Physically stole computers and/or backups
- Planted a virus on customers' computers
- Extortion over deleted data and backups
- Defaced the organization's website

Type 2: Fraud (Theft or Modification for Financial Gain)


Who did it?
- Current and former employees
- Low-level positions
- Non-technical

What was stolen/modified?
- Personally Identifiable Information (PII)
- Customer Information (CI)
- Very few cases involved trade secrets

How did they steal/modify it?
- During normal working hours
- Using authorized access

Dynamics of the Crime


- Most attacks were long, ongoing schemes
- Collusion prevails in this type, with internal or external people

Examples
- A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their accounts.
- Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.
- One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.

Red Flags
- Family medical problems
- Substance abuse
- Physical threat from outsiders
- Financial difficulties
- Financial compensation issues
- Hostile work environment
- Problems with supervisor
- Layoffs

Type 3: Theft of IP

Who did it?
- Current employees
- Technical or sales positions

What was stolen?
- Intellectual Property (IP) such as source code, engineering drawings, scientific formulas, etc.
- Customer Information (CI)

Why did they do it?
- Financial
- Entitlement (some didn't realize it was wrong)
- Disgruntled

How did they attack?
- Using authorized access
- Acted during working hours from within the workplace

Dynamics of the Crime


- Most were quick thefts upon resignation
- Stole information to:
  - Take to a new job
  - Start a new business
  - Give to a foreign company or government organization
- Collusion:
  - Collusion with at least one insider in almost 1/2 of cases
  - Outsider recruited the insider in less than 1/4 of cases
  - Acted alone in 1/2 of cases

Red Flags
- Disagreement over ownership of intellectual property
- Financial compensation issues
- Relocation issues
- Hostile work environment
- Mergers & acquisitions
- Company attempting to obtain venture capital
- Problems with supervisor
- Passed over for promotion
- Layoffs

Latest Case: Travelocity sues Cleartrip


- Travelocity (= Travelguru + Desiya): victim
- Cleartrip: accused
- Location: Gurgaon
- Data passed by 3 employees, which led to loss of business
- These 3 people joined Cleartrip after the merger
- Shared the "entire hotel business model, projections and other proprietary information"
- Claimed: US$ 37.5 million (Rs. 168 crore)

DCD Example
We create documents in MS Word; protection of these documents falls under Digital Rights Management. Let's assume that the place in the network where all documents are stored is called the DCD (Document Control Domain). Users in the DCD need to collaborate and share the documents securely and with restrictions on the usage of the documents' content. Each user belongs to a group with a specific function, usually dictated by the nature of the organization. For instance, a software company might have the groups {CEO, Board Member, Administrator, Software Developer, Technical Writer, Secretary}. During the course of his or her work, a user produces and consumes a variety of documents related to that work function. The DCD aims at protecting these documents from unwarranted usage and compromise.

DCD Example
The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization. Existing solutions such as encryption are not enough, as they protect only from the classic hacker. A malicious insider in the DCD starts off with several privileges. The CEO's secretary, for instance, could be leaking information to the outside world: it is quite possible for the secretary to forward the merger document she received for corrections to a rival company. Hence, if there are no constraints on the privileges in the form of access control, a malicious insider is capable of inflicting serious damage to the documents.

So what could the insider threats be in this scenario?

a) An insider can read, copy and print any document he has access to unless fine-grained access control is in place.
b) An insider can become the owner of a document by copying it to a new file and thus set new access control on the copied document.
c) An insider can forward a document to another user either inside or outside the organization.
d) A user can work late or early hours when the intrusion/misuse detection systems are not running.
e) He can copy the contents of a document into another document that is opened simultaneously.
f) An insider can remember the contents of a document which he opened before, and then create a low-priority document with the same contents.
g) An insider can take a dump of the document from memory and then print the document.
h) A malicious insider can tamper with the existing rights on the documents.

Policy design considerations to prevent such threats


- Need to consider both the context and the information flow between requests.
- Take an approach where multiple policies are specified on the same resource. The policies differ in the context in which they become applicable. For example, a policy might allow access to a document in normal office hours but not during after-office hours.
- The current context is contained in the request for access (or is alternatively maintained on the policy server).
- Policies should also contain the obligations, or provisional authorizations, that the subject must satisfy before access can be granted.
- The obligations are returned to the viewer at the client side as part of the response to the request, and the viewer is expected to enforce them. An obligation might specify that a high-priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication.
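The following is an added example of the policy model described above; it is not code from the presentation or from any real DRM product. It puts several policies on the same class of document that differ only in context (group, action, priority, office hours), has the policy server return obligations with a permit, and has the viewer side check those obligations against the client context before acting. The names (Request, Policy, POLICIES, OFFICE_HOURS, the obligation identifiers) and the office-hours window are assumptions made for the illustration; there is deliberately no after-hours policy, so those requests fall through to the default deny.

```python
"""Context-aware policies with obligations for the DCD scenario (added example)."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

OFFICE_HOURS = (9, 18)  # assumed: 09:00 to 17:59 counts as office hours


@dataclass(frozen=True)
class Request:
    """An access request; the current context travels with the request."""
    subject: str
    group: str           # e.g. "CEO", "Secretary"
    action: str          # "open" or "print"
    document: str
    priority: str        # "high" or "low"
    hour: int            # hour of day (0-23) at which the request is made
    open_documents: int  # documents already open in the requester's viewer
    biometric_ok: bool   # whether a biometric authentication has been performed


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset
    actions: frozenset
    priorities: frozenset
    hours: Optional[Tuple[int, int]]  # applicable only inside this window; None = any time
    obligations: Tuple[str, ...]      # must hold on the client before the action runs


def applies(policy: Policy, req: Request) -> bool:
    """A policy is applicable only when subject, action, document and time context all match."""
    if req.group not in policy.groups or req.action not in policy.actions:
        return False
    if req.priority not in policy.priorities:
        return False
    if policy.hours is not None:
        start, end = policy.hours
        if not start <= req.hour < end:
            return False
    return True


# Several policies on the same resource class, differing only in context.
POLICIES = (
    Policy("open-low-office", frozenset({"CEO", "Board Member", "Secretary", "Software Developer"}),
           frozenset({"open"}), frozenset({"low"}), OFFICE_HOURS, ()),
    Policy("open-high-office", frozenset({"CEO", "Board Member"}),
           frozenset({"open"}), frozenset({"high"}), OFFICE_HOURS,
           ("no_other_documents_open",)),
    Policy("print-office", frozenset({"CEO", "Board Member"}),
           frozenset({"print"}), frozenset({"high", "low"}), OFFICE_HOURS,
           ("biometric_auth",)),
)


def decide(req: Request, policies=POLICIES) -> Tuple[str, Tuple[str, ...]]:
    """Policy server side: the first applicable policy wins; none applicable means deny."""
    for policy in policies:
        if applies(policy, req):
            return "permit", policy.obligations
    return "deny", ()


def obligation_holds(name: str, req: Request) -> bool:
    """Viewer side: evaluate one returned obligation against the client context."""
    if name == "no_other_documents_open":
        return req.open_documents == 0
    if name == "biometric_auth":
        return req.biometric_ok
    return False  # unknown obligation: fail closed


def access(req: Request) -> str:
    """End-to-end outcome as the viewer sees it."""
    decision, obligations = decide(req)
    if decision != "permit":
        return "deny:no-applicable-policy"
    for name in obligations:
        if not obligation_holds(name, req):
            return "deny:obligation:" + name
    return "permit"


if __name__ == "__main__":
    merger = Request("ceo", "CEO", "open", "merger.docx", "high", 10, 0, False)
    print(access(merger))                              # permit
    print(access(replace(merger, open_documents=1)))   # deny:obligation:no_other_documents_open
    print(access(replace(merger, hour=22)))            # deny:no-applicable-policy
    print(access(replace(merger, group="Secretary")))  # deny:no-applicable-policy
    print(access(replace(merger, action="print")))     # deny:obligation:biometric_auth
```

Note that the obligation check runs on the client, exactly as the text describes; a viewer that can be tampered with (threat h above) can skip it, so the policy server should still log the obligations it handed out and reconcile them with what the viewer reports.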

Type 4: Miscellaneous
- Reading executive emails for entertainment
- Providing organizational information to lawyers in a lawsuit against the organization (ideological)
- Transmitting the organization's IP to hacker groups
- Unauthorized access to information to locate a person, as an accessory to murder

Detection of all types of insider threat


How was it detected?
- Manually, due to a system failure or irregularity
- Non-technical means
- Data irregularities, including suspicious activities in the form of bills or tickets, or negative indicators on individuals' credit histories
- Notification by customers, supervisors, coworkers, auditors, security staff or an informant
- Detection by law enforcement agencies
- Sudden emergence of a new competing organisation

Identification of all types of insider threat


How was the insider identified?
- System logs
- Remote access logs
- File access logs
- Database logs
- Application logs
- Email logs
- Competitor information
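The remote access logs listed here are where the technical precursors of IT sabotage from the Type 1 section (remote access outside normal working hours, use of backdoor or shared accounts, access that should have been deactivated on termination) become visible. The script below is an added example, not code or data from the presentation, of turning those precursors into detection rules over a VPN login log. The log line format, the account inventory (PRIVILEGED, SHARED_OR_GENERIC, TERMINATED), the working-hours window and SAMPLE_LOG are all constructed for the illustration; in a real deployment the account lists come from the HR system and the identity store.

```python
"""Flag technical precursors of insider IT sabotage in remote-access logs (added example)."""
import re
from datetime import datetime
from typing import List, Optional, Tuple

WORKING_HOURS = (8, 19)  # assumed: 08:00 to 18:59 local time
WORKING_DAYS = range(5)  # Monday (0) to Friday (4)

# Assumed account inventory (constructed for the example).
PRIVILEGED = {"netadmin", "dba"}                 # admin accounts on critical systems
SHARED_OR_GENERIC = {"netops_shared", "backup"}  # no single accountable owner
TERMINATED = {"exemployee"}                      # HR says this access should be gone

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) vpn login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample log; 11 July 2011 was a Monday, 16 July 2011 a Saturday.
SAMPLE_LOG = """\
2011-07-11T09:12:41 vpn login user=clerk1 src=198.51.100.20 result=success
2011-07-11T23:48:03 vpn login user=netadmin src=203.0.113.7 result=success
2011-07-12T09:00:00 vpn login user=dba src=198.51.100.31 result=success
2011-07-12T10:02:17 vpn login user=netops_shared src=203.0.113.9 result=success
2011-07-13T02:15:55 vpn login user=exemployee src=192.0.2.44 result=success
2011-07-14T14:00:00 vpn login user=exemployee src=192.0.2.44 result=failure
this line is not a login event and must be skipped
2011-07-16T11:30:00 vpn login user=dba src=203.0.113.7 result=success
"""

Alert = Tuple[str, str, str]  # (timestamp, user, reason)


def parse(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that are not login events."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def outside_working_hours(ts: datetime) -> bool:
    """Weekends and anything outside WORKING_HOURS count as out of hours."""
    if ts.weekday() not in WORKING_DAYS:
        return True
    start, end = WORKING_HOURS
    return not start <= ts.hour < end


def analyse(log_text: str) -> List[Alert]:
    """Return one alert per precursor found in the log, in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, user = ev["ts"], ev["user"]
        stamp = ts.isoformat()
        # Any attempt by a terminated user, successful or not, is an alert: either
        # access was never deactivated or someone else holds the credentials.
        if user in TERMINATED:
            alerts.append((stamp, user, "login attempt by terminated user"))
            continue
        if ev["result"] != "success":
            continue
        if user in SHARED_OR_GENERIC:
            alerts.append((stamp, user, "shared/generic account used for remote access"))
        if user in PRIVILEGED and outside_working_hours(ts):
            alerts.append((stamp, user, "privileged remote login outside working hours"))
    return alerts


if __name__ == "__main__":
    for stamp, user, reason in analyse(SAMPLE_LOG):
        print(f"{stamp} {user:14} {reason}")
```

Out-of-hours logins by an administrator are not proof of anything on their own; the value of the rule is that it surfaces the technical precursor at the time it happens, so it can be read together with the behavioural precursors HR and managers have already seen, rather than being discovered from the logs after the sabotage.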

PROBABLE CAUSES

Probable Causes
- Lack of articulate policies; policies based on the book
- Lack of periodic user education, communication, awareness, etc.
- Lack of reviews, audits and monitoring
- Security in applications an afterthought: poor development practices; the OWASP Top 10 hasn't changed much since 2007
- Unauthorised software and hardware
- Negligence of policies and their consequences
- Business/delivery team ownership: business bats for freedom, new technologies, etc.; IT/Security seen as adversaries; business pressure a perfect vehicle to get around policies
- High staff turnover, low morale, etc.

INSIDER IMPACT AND CHALLENGES

Impacts
- Inability to conduct business due to the system/network being down
- Loss of customer records
- Inability to produce products due to damaged or destroyed software or systems
- Loss of productivity, hence loss of business/revenue
- Misuse of resources, leading to a slow-down in the availability of resources to others
- Loss of sensitive, proprietary data and intellectual property
- Negative reputational damage, media and public attention, etc.
- Regulatory and contractual non-compliance
- Financial loss through fraud, litigation, penalties and so on
- Trade secrets stolen

Impacts
- Organization and customer confidential information revealed
- Sends wrong signals to other staff
- Workplace conflicts, leading to indecision, inaction, etc.
- Impacts on innocent victims
- Insider committed suicide
- Private information forwarded to customers, competitors or employees
- Exposure of personal information
- Web site defacements

MITIGATION STRATEGIES

DSCI-KPMG Survey 2009 & 2010

Deloitte 2009 Global Security Survey India Report

Verizon's 2010 Data Breach Investigations Report

Best Practices
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Institute periodic security awareness training for all employees.
- Monitor and respond to suspicious or disruptive behaviour.
- Anticipate and manage negative workplace issues.
- Track and secure the physical environment.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.

Best Practices
- Use extra caution with system administrators and privileged users.
- Consider insider threats in the software development life cycle.
- Implement system change controls.
- Log, monitor and audit employee online actions.
- Use layered defense against remote attacks.
- Deactivate computer access following termination.
- Implement secure backup and recovery processes.
- Develop an insider incident response plan.

Summary
- Insider threat is a problem that impacts, and requires understanding by, everyone: Information Technology, Information Security, Human Resources, Management, Physical Security, Legal
- Use enterprise risk management for protection of critical assets from ALL threats, including insiders
- Incident response plans should include insider incidents
- Create a culture of security: all employees have responsibility for protecting the organization's information

A Closing Statistic
As of 20th July 2011, 534,978,831 records have been breached in the USA since 2005, of which 32,106,583 records were breached by insiders alone.

And a Closing Thought

Have you been Wikileaked yet?

Thank you for your time today


Need to conduct an insider threat risk assessment in your organisation? Simply email sameer.saxena@arconnet.com
