Managing Insider Threat
Millie Law
ACC626
Introduction • Reasons • Strategies • Current Issues • Conclusion

Introduction
• Definition
• Top 3 macro security issues
• 69% of data breaches
• More costly than external breaches
• Cases
4 Risky Areas
• Damage
• Theft
• Deletion/Corruption
• Leakage

Assets attacked:
• Customer info
• Source code
• Business plans
• Trade secrets
• Internal business info
• Proprietary software
Not a priority
• 35% invest in internal security
• High impact, very low frequency

Just a technology problem
• IT department should handle it
Security tone at the top
• Security-conscious culture

Top-level policies

Effective governance structure
• 2 teams: X-Team, Exec Team
• Regular reviews
27% had financial difficulty

4 types of lucrative data:
• Payment card data
• Authentication credentials
• Personal info
• Intellectual property

Employee Assistance Program (EAP)
Unintentional behaviors
• Forgot to log off
• Failed to change passwords regularly
• Inappropriately discarding sensitive info
• Email (37% sensitive info leaked)

Training & Education
• CERT’s 16 Best Practices
• Email Best Practices
Identify high-risk behaviors

Federated Model
• Distribute responsibility across the hierarchy
• Central group: set common standards
• Business units: manage local execution

Network Monitoring Approach
• Logical pairing of log files
• Log analysis
• Event correlation
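An added example (not from the presentation) of what "logical pairing of log files" and event correlation can look like in practice: a building badge log is paired with a workstation login log per user, and a login with no matching physical presence is raised as an event for review. The log formats, host names and the 12-hour presence window are assumptions.

```python
"""Pair a badge log with a login log per user and correlate the events."""
from datetime import datetime, timedelta

# Constructed sample logs for the example; not taken from any real system.
BADGE_LOG = """2024-03-04T08:02:11 alice ENTER
2024-03-04T17:31:05 alice EXIT
2024-03-04T07:55:40 bob ENTER"""

LOGIN_LOG = """2024-03-04T08:10:02 alice ws-12 LOGIN
2024-03-04T19:04:17 alice ws-12 LOGIN
2024-03-04T12:20:33 bob ws-07 LOGIN
2024-03-05T02:15:09 bob ws-07 LOGIN"""

# Assumed policy: an ENTER without a later EXIT stops counting as presence
# after this long, so a missing badge-out does not mask an off-hours login.
MAX_STAY = timedelta(hours=12)


def parse(text):
    """Parse 'timestamp user field...' lines into (datetime, user, fields)."""
    events = []
    for line in text.splitlines():
        ts, user, *rest = line.split()
        events.append((datetime.fromisoformat(ts), user, rest))
    return sorted(events)


def inside_building(badge_events, user, when):
    """Replay the badge log up to `when` to decide whether `user` is on site."""
    present = False
    for ts, u, (action,) in badge_events:
        if u != user or ts > when:
            continue
        present = action == "ENTER" and (when - ts) <= MAX_STAY
    return present


def correlate(badge_text, login_text):
    """Return (user, host, time) for workstation logins with no badge presence."""
    badge = parse(badge_text)
    alerts = []
    for ts, user, (host, _) in parse(login_text):
        if not inside_building(badge, user, ts):
            alerts.append((user, host, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, LOGIN_LOG):
        print("login without badge presence:", alert)
```

The same pairing generalizes to any two sources that share a user key, such as VPN sessions against HR leave records.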
People Paradox
• 1/3 surveyed abused access rights
• “Trusted” circle is the primary threat
• Legitimate access

Attribute-Based Group Access Control Model
• Based on access capabilities, not role-based

Identity Access Management (IAM)
• Centralized and automated controls
• Digital rights management technology
• Data tagged
• Real-time access monitoring
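An added example (not from the presentation) showing attribute-based decisions over tagged data together with real-time access monitoring: each file carries tags, each user carries attributes, rules compare the two for a requested action, and every decision is logged so repeated denials by one user surface for review. The tag names, attributes, rules and deny threshold are assumptions for illustration.

```python
"""Attribute-based access decisions over tagged data, with a deny monitor."""
from collections import Counter

# Constructed sample data tags and user attributes (hypothetical).
FILES = {
    "q3_plan.docx": {"classification": "confidential", "project": "falcon"},
    "payroll.csv":  {"classification": "restricted",   "project": "hr"},
    "release.md":   {"classification": "internal",     "project": "falcon"},
}
USERS = {
    "alice": {"dept": "eng", "clearance": "confidential", "projects": {"falcon"}},
    "bob":   {"dept": "hr",  "clearance": "restricted",   "projects": {"hr"}},
}
LEVELS = {"internal": 0, "confidential": 1, "restricted": 2}


def rules(user, tags, action):
    """Return the reasons for denial; an empty list means the request is permitted."""
    reasons = []
    if LEVELS[user["clearance"]] < LEVELS[tags["classification"]]:
        reasons.append("clearance below classification")
    if tags["project"] not in user["projects"]:
        reasons.append("not a member of project " + tags["project"])
    if action == "export" and tags["classification"] == "restricted":
        reasons.append("restricted data may not be exported")
    return reasons


class AccessMonitor:
    """Evaluates requests and records every decision for real-time review."""

    def __init__(self, deny_threshold=3):
        self.log = []
        self.denies = Counter()
        self.deny_threshold = deny_threshold

    def request(self, who, filename, action):
        reasons = rules(USERS[who], FILES[filename], action)
        decision = "deny" if reasons else "permit"
        self.log.append((who, filename, action, decision, reasons))
        if reasons:
            self.denies[who] += 1
        return decision

    def suspicious(self):
        """Users at or above the deny threshold, e.g. probing for data they lack."""
        return sorted(u for u, n in self.denies.items() if n >= self.deny_threshold)
```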
Controls target external threats
• Firewall
• Intrusion detection system
• Electronic building access

Honey Pot Approach
• Attract ‘unauthorized access’ with fictitious data
Employee Traits
• No specific type of high-risk attacker
• Not exclusive to IT personnel
• More technology-savvy employees

Manage: employee screening process
• Accuracy: standardize presentation of records
• Hire external screening agency
• Not a standalone strategy
Organizations do not know how much data they have
• Increases legal and reputational liability
• High maintenance cost

Data inventory project
• Take inventory of sensitive files
• Accurately record their location on the server
• Keep track of access rights to these files

Data-Centric Policy
• Create data-flow diagrams
• Assess data loss risk
• Apply controls
• Formalize the data-centric policy
Globalization
• Multinational operating environments
• Lacks research study

Virtual Work Environments
• Reliance on manual controls
• Lack of tested and practical strategies

Conclusion
• Managing insider threat is a priority
• Tone at the top
• Policies and controls
• Strategies