Agenda
- The Insider
- Insider Threat Landscape
- Probable causes
- Insider Impact and Challenges
- Mitigation strategies
Disgruntled Dave
- A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane
- Once a trusted insider with privileged access to critical IT infrastructure
- Change in circumstances
- Now unhappy with the status quo to the point where he is intentionally doing harm, such as stealing, modifying or deleting data and/or planting malware
THE INSIDER
Privileged Users
DBAs, DB/App Developers, Application QA, Contractors, Consultants
Knowledgeable Users
IT Ops, Network Ops, Security Personnel, Audit Personnel
Outsiders or Malicious User with Insider Access and/or vulnerability knowledge
The sophisticated white collar criminal. An individual may belong to more than one group.
Type 1 IT Sabotage
Who are they?
- System administrators
- People with privileged access on systems, and technical ability
- Technical precursors were observable, but not detected by the organization
Red Flags
- Unmet expectations: insufficient compensation; lack of career advancement; inflexible system policies; co-worker relations; supervisor demands
- Behavioural precursors: drug use; absence/tardiness; aggressive or violent behaviour; mood swings; used the organization's computers for personal business; sexual harassment; poor hygiene
Examples
- A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their account.
- Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.
- One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
Red Flags
- Family medical problems
- Substance abuse
- Physical threat of outsiders
- Financial difficulties
- Financial compensation issues
- Hostile work environment
- Problems with supervisor
- Layoffs
Type 3 Theft of IP
Who did it?
- Current employees
- Technical or sales positions
- Intellectual Property (IP) like source code, engineering drawings, scientific formulae, etc.
- Customer Information (CI)
- Financial
- Entitlement (some didn't realize it was wrong)
- Disgruntled
- Using authorized access
- Acted during working hours from within the workplace
- Collusion: collusion with at least one insider in almost 1/2 of cases; outsider recruited insider in less than 1/4 of cases; acted alone in 1/2 of cases
Red Flags
- Disagreement over ownership of intellectual property
- Financial compensation issues
- Relocation issues
- Hostile work environment
- Mergers & acquisitions
- Company attempting to obtain venture capital
- Problems with supervisor
- Passed over for promotion
- Layoffs
DCD Example
We create documents in MS Word; protection of these documents falls under Digital Rights Management. Let's assume that the place where all documents are stored is called the DCD (Document Control Domain) in a network. Users in the DCD have a need to collaborate and share the documents securely and with restrictions on the usage of the documents' content. Each user belongs to a group with a specific function, usually dictated by the nature of the organization. For instance, a software company might have the groups {CEO, Board Member, Administrator, Software Developer, Technical Writer, Secretary}. During the course of his/her work, a user produces and consumes a variety of documents related to his work function. The DCD aims at protecting these documents from unwarranted usage and compromise.
DCD Example
The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization. Existing solutions such as encryption are not enough, as they protect only from the classic hackers. A malicious insider in the DCD starts off with several privileges. The CEO's secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company. Hence, if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
- An insider can read, copy, and print any document he has access to unless fine-grained access control is in place.
- An insider can become the owner of the document by copying it to a new file and thus set new access control on the copied document.
- An insider can forward a document to another user either inside or outside the organization.
- A user can work late or early hours when the intrusion/misuse detection systems are not running.
- He can copy the contents of a document into another document that is opened simultaneously.
- An insider can remember the contents of a document which he opened before, and then create a low-priority document with the same contents.
- An insider can take a dump of the document from memory and then print the document.
- A malicious insider can tamper with the existing rights on the documents.
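The following is an added example, not part of the original slides: a minimal model of the Document Control Domain described above, showing how fine-grained, group-based rights close several of the listed insider moves. A copy inherits the source document's label and rights (so copying does not make the insider its owner), rights can only be changed through a separate "admin" right, restricted documents cannot be forwarded outside the organization, and every decision lands in an audit trail. The group names, rights table, organization domain and merger document are constructed for the example.

```python
"""Added example: a toy Document Control Domain (DCD) with per-group rights.
Groups, rights, the organization domain and the documents are constructed."""
from dataclasses import dataclass

ORG_DOMAIN = "example.org"  # constructed: recipients outside it are "outside the organization"


@dataclass
class Document:
    name: str
    label: str          # constructed labels: "restricted" or "internal"
    rights: dict        # group -> set of permitted actions
    content: str
    origin: str = ""    # document this one was copied from, if any


class DCD:
    """Stores documents and checks the acting user's group rights on every action."""

    def __init__(self, group_of):
        self.group_of = group_of   # user -> group
        self.docs = {}
        self.audit = []            # (user, action, document, "allowed" | "denied")

    def _decide(self, user, action, name):
        doc = self.docs[name]
        group = self.group_of.get(user, "")
        allowed = action in doc.rights.get(group, set())
        self.audit.append((user, action, name, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} ({group}) may not {action} {name}")
        return doc

    def create(self, name, label, rights, content):
        self.docs[name] = Document(name, label, {g: set(a) for g, a in rights.items()}, content)

    def read(self, user, name):
        return self._decide(user, "read", name).content

    def print_doc(self, user, name):
        return self._decide(user, "print", name).content

    def copy(self, user, src, dst):
        # The copy keeps the source's label and rights table: the copier gains no ownership.
        doc = self._decide(user, "copy", src)
        self.docs[dst] = Document(dst, doc.label, {g: set(a) for g, a in doc.rights.items()},
                                  doc.content, origin=src)

    def set_rights(self, user, name, rights):
        # Rights change only through the "admin" action, never through editing or copying.
        self._decide(user, "admin", name).rights = {g: set(a) for g, a in rights.items()}

    def forward(self, user, name, recipient):
        doc = self._decide(user, "forward", name)
        outside = not recipient.lower().endswith("@" + ORG_DOMAIN)
        if outside:
            if doc.label == "restricted":
                self.audit.append((user, "forward-external", name, "denied"))
                raise PermissionError(f"{name} is restricted and may not leave {ORG_DOMAIN}")
            self.audit.append((user, "forward-external", name, "allowed"))
        return recipient


def _attempt(fn, *args):
    """Run one action and report 'allowed' or 'denied' for the walkthrough."""
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def scenario():
    """Replay the secretary/merger case from the slides against the model."""
    dcd = DCD({"ceo": "CEO", "pat": "Secretary", "root": "Administrator"})  # constructed users
    dcd.create("merger.docx", "restricted",
               {"CEO": {"read", "copy", "print", "forward"},
                "Secretary": {"read", "copy"},
                "Administrator": {"admin"}},
               "constructed merger terms")
    return {
        "secretary_reads": _attempt(dcd.read, "pat", "merger.docx"),
        "secretary_prints": _attempt(dcd.print_doc, "pat", "merger.docx"),
        "secretary_copies": _attempt(dcd.copy, "pat", "merger.docx", "notes.docx"),
        # the copy inherited "restricted" and the same rights table, so the next two fail
        "secretary_rewrites_rights_on_copy": _attempt(
            dcd.set_rights, "pat", "notes.docx", {"Secretary": {"read", "print", "forward"}}),
        "secretary_forwards_copy": _attempt(dcd.forward, "pat", "notes.docx", "rival@competitor.example"),
        "ceo_forwards_outside": _attempt(dcd.forward, "ceo", "merger.docx", "rival@competitor.example"),
        "ceo_forwards_inside": _attempt(dcd.forward, "ceo", "merger.docx", "board@example.org"),
        "copy_label": dcd.docs["notes.docx"].label,
        "denied_events": sum(1 for e in dcd.audit if e[3] == "denied"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The model does not address the memory-dump, screen-copy or "remember and retype" cases from the list; those need controls outside the access-control layer (endpoint controls, clearing, and the monitoring the later slides call for), which is why the slide presents them as residual risks even with access control in place.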
Type 4 - Miscellaneous
- Reading executive emails for entertainment
- Providing organizational information to lawyers in a lawsuit against the organization (ideological)
- Transmitting the organization's IP to hacker groups
- Unauthorized access to information to locate a person, as accessory to murder
PROBABLE CAUSES
Probable Causes
- Lack of articulate policies
- Policies based on the book
- Lack of periodic user education, communication, awareness, etc.
- Lack of reviews, audits and monitoring
- Security in applications an afterthought
- Poor development practices: the OWASP Top 10 hasn't changed much since 2007
- Unauthorised software and hardware
- Negligence of policies and consequences
- Business/Delivery team ownership: business bats for freedom, new technologies, etc.; IT/Security seen as adversaries; business pressure a perfect vehicle to get around policies
- High staff turn-over, low morale, etc.
Impacts
- Inability to conduct business due to system/network being down
- Loss of customer records
- Inability to produce products due to damaged or destroyed software or systems
- Loss of productivity, hence loss of business/revenue
- Misuse of resources: leads to a slow-down in the availability of resources to others
- Loss of sensitive, proprietary data and intellectual property
- Negative reputational damage, media and public attention, etc.
- Regulatory and contractual non-compliance
- Financial loss through fraud, litigation, penalties and so on
- Trade secrets stolen
Impacts
- Organization & customer confidential information revealed
- Sends wrong signals to other staff
- Workplace conflicts, leading to indecision, inaction, etc.
- Impacts to innocent victims
- Insider committed suicide
- Private information forwarded to customers, competitors, or employees
- Exposure of personal information
- Web site defacements
MITIGATION STRATEGIES
Best Practices
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Clearly document and consistently enforce policies and controls.
- Institute periodic security awareness training for all employees.
- Monitor and respond to suspicious or disruptive behaviour.
- Anticipate and manage negative workplace issues.
- Track and secure the physical environment.
- Implement strict password and account management policies and practices.
- Enforce separation of duties and least privilege.
Best Practices
- Use extra caution with system administrators and privileged users.
- Consider insider threats in the software development life cycle.
- Implement system change controls.
- Log, monitor and audit employee online actions.
- Use layered defense against remote attacks.
- Deactivate computer access following termination.
- Implement secure backup and recovery processes.
- Develop an insider incident response plan.
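As an added example that is not part of the original slides, the audit-log review below applies three of the best practices from the two slides above to a constructed event log: it flags activity by an account that should have been deactivated after termination, privileged-group activity outside business hours (the "late or early hours" window from the DCD slide), and a separation-of-duties breach where one person both requests and approves the same change. The key=value log format, user names, groups, the termination list, the privileged-group set and the business-hours window are all constructed assumptions.

```python
"""Added example: review a constructed audit log for three insider-threat signals.
Log format, users, groups, dates and the policy constants are constructed."""
import re
from datetime import datetime, date, time

# Constructed event log, one key=value event per line.
LOG = """\
2011-07-18T10:02:11 user=alice group=developer action=request change=CH-41
2011-07-18T10:40:57 user=bob group=manager action=approve change=CH-41
2011-07-19T23:48:03 user=dave group=dba action=export target=customers
2011-07-20T09:15:30 user=dave group=dba action=request change=CH-42
2011-07-20T09:16:02 user=dave group=dba action=approve change=CH-42
2011-07-21T08:05:44 user=carol group=contractor action=login target=vpn
"""

# Constructed HR feed: accounts whose access should be disabled from this date on.
TERMINATED = {"carol": date(2011, 7, 20)}
# Constructed policy: groups that get extra scrutiny, and the business-hours window.
PRIVILEGED_GROUPS = {"dba", "sysadmin", "netops"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))

LINE = re.compile(r"^(\S+)\s+(.*)$")


def parse(line):
    """Turn one log line into a dict with a parsed 'ts'; return None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["ts"] = ts
    return fields


def review(log_text):
    """Return (rule, user, detail) findings in log order; malformed lines are skipped."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    requesters = {}   # change id -> user who requested it
    for e in events:
        user, ts, action = e.get("user", ""), e["ts"], e.get("action", "")

        # 1. Access after termination: the account was not deactivated in time.
        term = TERMINATED.get(user)
        if term and ts.date() >= term:
            findings.append(("access-after-termination", user,
                             f"{action} on {ts.date()}, terminated {term}"))

        # 2. Privileged group acting outside business hours.
        in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
        if e.get("group") in PRIVILEGED_GROUPS and not in_hours:
            findings.append(("privileged-off-hours", user, f"{action} at {ts.time()}"))

        # 3. Separation of duties: the requester of a change must not approve it.
        change = e.get("change")
        if change and action == "request":
            requesters[change] = user
        elif change and action == "approve" and requesters.get(change) == user:
            findings.append(("separation-of-duties", user, f"requested and approved {change}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(LOG):
        print(f"{rule:28} {user:8} {detail}")
```

In practice the termination list would come from the HR system and the business-hours window from the monitoring policy; the point of the example is that each of the three rules is a simple join between the activity log and a policy or HR source, which is exactly what "log, monitor and audit" needs in order to turn the listed red flags into detections.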
Summary
- Insider threat is a problem that impacts and requires understanding by everyone: Information Technology, Information Security, Human Resources, Management, Physical Security, Legal
- Use enterprise risk management for protection of critical assets from ALL threats, including insiders
- Incident response plans should include insider incidents
- Create a culture of security: all employees have responsibility for protection of the organization's information
A Closing Statistic
As of 20th July 2011, 534,978,831 records have been breached in the USA since 2005, of which 32,106,583 records were breached by insiders alone.