© 2008 Carnegie Mellon University

Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad
Dawn Cappelli
October 31, 2008

TRUE STORY:
Personal information stolen for millions of customers of phone companies, credit card companies and banks …
Companies contracted with a consumer data organization
that hired a data mining organization
whose system administrator stole the data

TRUE STORY:
Emergency services are forced to rely on manual address lookups for 911 calls on Friday night …
Employee sabotages the system and steals all backup tapes

TRUE STORY:
Financial institution discovers $691 million in losses ...
Covered up for 5 years by trusted employee

Agenda
Introduction
How bad is the insider threat?
Background on CERT’s insider threat research
Brief overview of findings from our research
Tools for preventing or detecting insider threats

What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today
Located in the Software Engineering Institute (SEI)
• Federally Funded Research & Development Center (FFRDC)
• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

CERT’s Definition of Malicious Insider
Current or former employee, contractor, or business partner who
o has or had authorized access to an organization’s network, system or data and
o intentionally exceeded or misused that access in a manner that
o negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Note: This presentation does not address national security espionage involving classified information.

2007 e-Crime Watch Survey
CSO Magazine, USSS, Microsoft, & CERT
671 respondents
[Bar chart: Percentage of Participants Who Experienced an Insider Incident, by survey year. Values as extracted from the chart: 2004: 41%, 2005: 39%, 2006: 55%, 2007: 49%]

CERT’s Insider Threat Research
Insider Threat Cases Database
Hundreds of cases have been analyzed
• US cases from 1996 to 2007 in critical infrastructure sectors
• US Secret Service
• Carnegie Mellon CyLab
• Department of Defense
Data includes both technical & behavioral information

Breakdown of Insider Threat Cases in CERT Database
[Bar chart, number of cases per category (axis 0 to 80). Values as extracted from the chart: Theft or Modification for Financial Gain: 76; Theft for Business Advantage: 24; IT Sabotage: 74; Misc: 17]

Comparison of Insider Crimes - 1

| | IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage |
|---|---|---|---|
| % of crimes in case database | 45% | 44% | 14% |
| Current or former employee? | Former | Current | Current (95% resigned) |
| Type of position | Technical (e.g. sys admins or DBAs) | Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service) | Technical (71%): scientists, programmers, engineers; Sales (29%) |
| Gender | Male | Fairly equally split between male and female | Male |

Comparison of Insider Crimes - 2

| | IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage |
|---|---|---|---|
| Target | Network, systems, or data | PII or Customer Information | IP (trade secrets): 71%; Customer Info: 33% |
| Access used | Unauthorized | Authorized | Authorized |
| When | Outside normal working hours | During normal working hours | During normal working hours |
| Where | Remote access | At work | At work |
| Recruited by outsiders | None | ½ recruited for theft; less than 1/3 recruited for mod | Less than 1/4 |
| Collusion | None | Mod: almost ½ colluded with another insider; Theft: 2/3 colluded with outsiders | Almost ½ colluded with at least one insider; ½ acted alone; 25% stole for foreign gov/org |

What Can You Do?
Review CERT’s Common Sense Guide to Prevention and Detection of Insider Threats
http://www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf
Version 3 to be published in January 2009

Tools for Preventing or Detecting Insider Threats

Change Control
Help to prevent or detect
• Planting or downloading of malicious code or unauthorized software
• Unauthorized modification of critical files
• Unauthorized changes to source code
• Unauthorized installation of hardware devices

Data Leakage Tools
Help to prevent or detect accidental or intentional leakage of confidential information
• Emails
• Documents
• Printing, copying, or downloading
• Removable media

Network/Employee Monitoring Tools
Help to detect
• Unauthorized access
• Suspicious activity around resignation
• Unauthorized escalation of privileges
• Anomalous user activity

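An added example of the kind of detection logic such monitoring tools implement, written for this page rather than taken from the presentation or from CERT. It turns three of the deck's findings into rules over constructed syslog-style events: remote access outside normal working hours by technical staff (the IT sabotage profile in the comparison tables), escalation to root by a user not approved for it, and any activity by a user within a window around a resignation notice, with a copy to removable media called out separately. The user lists, the 07:00 to 19:00 "normal working hours" window and the 30-day resignation window are assumptions, as is the log format.

```python
import re
from datetime import date, datetime, time, timedelta

# Constructed sample events in a syslog-like key=value layout; not from any real system.
SAMPLE_LOG = """\
2008-10-24T09:12:03 host=db01 user=alice src=10.0.5.12 action=login method=local
2008-10-24T23:47:10 host=db01 user=bob src=203.0.113.9 action=login method=vpn
2008-10-24T23:49:31 host=db01 user=bob src=203.0.113.9 action=sudo target=root
2008-10-25T02:03:44 host=fs02 user=carol src=203.0.113.20 action=login method=vpn
2008-10-25T02:05:01 host=fs02 user=carol src=203.0.113.20 action=copy dest=removable bytes=734003200
2008-10-25T10:15:00 host=fs02 user=dave src=10.0.5.40 action=login method=local
2008-10-25T10:20:00 host=fs02 user=dave src=10.0.5.40 action=sudo target=root
"""

# Assumed context a monitoring tool would pull from HR and the directory (hypothetical data).
TECHNICAL_STAFF = {"alice", "bob", "carol"}           # sys admins, DBAs, engineers
APPROVED_ROOT = {"alice"}                              # users entitled to escalate to root
RESIGNATION_NOTICE = {"carol": date(2008, 10, 20)}     # date each user gave notice
BUSINESS_HOURS = (time(7, 0), time(19, 0))             # assumed "normal working hours"
RESIGNATION_WINDOW = timedelta(days=30)                # assumed look-around window

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Turn one key=value log line into a dict; 'ts' holds the parsed timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def outside_business_hours(ts):
    """True when the event falls outside the assumed working-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def detect(log_text):
    """Apply the rules to every event; return a list of (user, timestamp, rule) tuples."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        user, ts, action = ev["user"], ev["ts"], ev["action"]

        # Rule 1: sabotage profile - remote login outside normal hours by technical staff.
        if (action == "login" and ev.get("method") == "vpn"
                and user in TECHNICAL_STAFF and outside_business_hours(ts)):
            alerts.append((user, ts, "after_hours_remote_access"))

        # Rule 2: escalation to root by someone not on the approved list.
        if action == "sudo" and ev.get("target") == "root" and user not in APPROVED_ROOT:
            alerts.append((user, ts, "unapproved_privilege_escalation"))

        # Rule 3: any activity close to a resignation notice; removable-media copies
        # get their own rule name so they can be prioritised.
        notice = RESIGNATION_NOTICE.get(user)
        if notice is not None and abs(ts.date() - notice) <= RESIGNATION_WINDOW:
            rule = "activity_around_resignation"
            if action == "copy" and ev.get("dest") == "removable":
                rule = "removable_media_copy_around_resignation"
            alerts.append((user, ts, rule))
    return alerts


if __name__ == "__main__":
    for user, ts, rule in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user:6} {rule}")
```

Run against the sample, the rules fire on bob's late-night VPN login and root escalation, on carol's after-hours login and removable-media copy five days after her notice, and on dave's unapproved sudo; alice's daytime local login produces nothing. Real deployments replace the hard-coded sets with HR and directory feeds and tune the windows per organisation.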
Identity Management Systems
Help to
• Prevent creation of or detect usage of backdoor accounts
• Implement and maintain access control
• Disable all access upon termination

Others
Encryption
Physical access control systems
Automated data integrity checks
Backup and recovery systems

Contact Information
Insider Threat Team Lead: Dawn M. Cappelli
Technical Manager, Threat and Incident Management
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9136
[email protected] – Email
http://www.cert.org/insider_threat/