
  • 8/12/2019 Research on Security Architecture MSIS for defendin Insider Threat.pdf


Research on Security Architecture MSIS for Defending Insider Threat

Hui Wang 1,2, Dongmei Han 1, and Shufen Liu 2

1 College of Computer Science and Technology, Henan Polytechnic University, Jiaozuo, China
Email: [email protected], [email protected]

2 College of Computer Science and Technology, Jilin University, Jilin, China
Email: [email protected]

Abstract: The network threats confronting organizations come not only from outsiders but also from insiders. Nowadays the insider threat is widely recognized as an important issue in security management; however, tools and controls for fighting it are still in the research phase. A security architecture for defending against the insider threat is presented. It is composed of four parts: a monitoring platform, a secure authentication platform, an information security platform and a security management system. The first three parts address the problem from a technical viewpoint and the last from a management point of view. Combining advanced security tools with a good management system is a simple and practicable way to prevent and reduce insider threats.

Keywords: Internal Network; Insider Threat; Architecture; Security Management System

I. INTRODUCTION

At present the insider threat, or insider problem, has received considerable attention and is cited as the most serious security problem in many studies; it has become a novel and hot research topic [1, 2, 3]. The American CSI/FBI survey classified incidents by event source over several years, and the annual cost of losses is shown in Table 1 [4]. The statistics show that, although most organizations are implementing effective strategies against external threats, the weakest link in the organizational information systems security chain is the insider threat, and in terms of loss the insider threat is much greater than the outsider threat.

In January 2008, at Société Générale, France's second largest bank, a trusted junior employee, Jérôme Kerviel, perpetrated losses and fraud worth 72 billion through his knowledge of banking procedures and information systems and the theft of coworkers' passwords. Apart from Kerviel's own actions, the failure of the control mechanisms led to this fraud, undoubtedly the largest in the history of banking. These two examples show that the most serious security breaches and the most important economic damage are basically caused by insider threats from within organizations. How can the insider threat be prevented and predicted?

This paper proposes an integrated and overall security architecture from the viewpoint of combining technology and management.

II. INSIDER THREAT

Trzeciak (2009) defines an insider as "a current or former employee, a contractor or a business partner who has or had authorized access and intentionally exceeded that access in a manner that negatively affected the confidentiality, integrity or availability of the organization's information or information systems." The insider threat can be defined as the threat to information system security due to the intentional misuse of computer systems by users who are authorized to access those systems and networks [5]. Because of the legitimacy and trust the insiders enjoy, this type of crime is difficult to detect and mitigate before it occurs.

Previously, the confidentiality of electronic documents that concerned many companies was focused on external personnel. Technical means such as intrusion detection, firewalls, information encryption and access control mechanisms address the problem of external protection. However, these controls and tools are designed to fight the outsider threat to the organization's network, and little progress has been made in dealing with the insider threat, including insider attack and insider misuse. Because of the lack of knowledge about the insider threat, organizations cannot take appropriate preventive measures, and all of this makes insider threats more and more frequent. Whether intentional or accidental, insider threats will be one of the greatest threats to security. If network security is unknown or not implemented, users who surf unsafe websites, click on a malicious e-mail link, fail to encrypt sensitive data and so forth will continue to unwittingly play the role of a safety bomb. As business people become more and more mobile, users employ a large number of removable storage devices such as USB flash drives, mobile hard drives, writable CDs and MP3 players, network connections such as Bluetooth, and mobile devices such as laptops and PDAs. The insider threat from mobile devices, taken as an example, is shown in Figure 1: a serious threat of confidential data leakage is posed to the enterprise. A survey by the Ministry of Public Security exposed that the proportion of attacks or viruses originating from internal staff increased by 21% over the previous year, while the proportion involving external personnel decreased by 18%; this reveals that most network units concentrated on external defence, which let the threat from insiders rise at the same time. And the fatal results are usually caused by the insider threat.

Table 1. CSI/FBI annual loss cost survey according to event source

Year    System penetration ($)   Insider abuse ($)   Unauthorized insider access ($)
2005    841,400                  6,856,450           31,233,100
2006    758,000                  1,849,810           10,617,000
2007    6,875,000                2,889,700           1,042,700
Total   8,474,400                11,595,960          42,892,800

This research is supported by the Doctor Grant of Henan Polytechnic University, B2010-62.

ISBN 978-952-5726-10-7. Proceedings of the Third International Symposium on Computer Science and Computational Technology (ISCSCT '10), Jiaozuo, P. R. China, 14-15 August 2010, pp. 389-392. 2010 ACADEMY PUBLISHER, AP-PROC-CS-10CN007

Besides, hacking tools are easily obtained by internal staff (including staff who are not familiar with computer technology) because of the popularization of networks and of software development, and the interfaces of these tools are friendly and easy to understand. This is one of the reasons that insider threats are mostly caused by internal staff. Internal users also generally face the database directly and operate directly on the server, so, taking advantage of the fast network, critical data can be stolen or destroyed with ease. Users in the organization have different privileges; secret information lacks effective control and supervision; staff are difficult to manage; and the system is vulnerable to attack by means of passwords and unauthorized operations. These factors cause insider threats to increase more and more.

III. ESTABLISHING AN INSIDER THREAT DEFENSE SYSTEM

The damage caused by the insider threat is obvious. The goal of this paper is to mitigate as far as possible the business damage posed by insider misuse or insider attack, to endeavor to stop the insider threat at the outset, and to reduce internal risk to a minimum. In order to prevent internal threats, a relatively secure internal network needs not only advanced and effective security configuration, but also a comprehensive management system and experienced security managers [6]. In this paper, an integrated and overall security architecture for effective internal defense is proposed, combining the results of current research with the concepts of technology and management. Three system platforms and a security management system are included in the network. This architecture is called MSIS, taking the first letter of each part of its composition: the Monitoring platform, the Secure authentication platform, the Information security platform and the Security management system. It is shown in Figure 2.

    A. Monitoring platform MP

A monitoring platform MP is included in the architecture in order to supervise internal users on hosts and on the network effectively, prevent violations from inside and enhance internal security. Organizations must monitor all critical information system activity, such as servers, software applications and other data resources; access must be strictly controlled and any suspicious activity must be investigated. MP has a powerful logging system. As shown in [7], an improved surveillance method based on composite roles has been proposed in order to monitor the work activities of users in organizations, applications and operating systems.

Currently, the MP launched by software companies is generally composed of three parts: client, server-side and management-side. The client is the agent software installed on the computer. It collects host data and receives the security policies and directives configured by the administrator from the server-side; its ultimate aim is to monitor host behavior. The server-side is installed on a high-performance platform. It receives the various kinds of information sent by the host clients, and then the information is managed and stored. The management-side is usually a web service or other application. After logging in, managers can access the corresponding management interface, configure and issue the appropriate security policy, query and analyze client logs, and count and manage a variety of statistical information.

The following functional areas should be included in a comprehensive MP for the network: firstly, desktop management and control of host behavior; secondly, internet behavior management and blocking of illegal host access; thirdly, security management of terminal equipment and storage media; fourthly, remote distribution and installation of system patches and software; what is more, monitoring and security assessment of host system performance; and finally, monitoring of network equipment.

Although there are many monitoring products on the market and their functions differ, none of them solves all of these problems completely. This article points out that a scientific management mechanism for the internal network and fast system upgrades must be included in a complete MP. Security policy must also remain enforced on hosts that are disconnected from the server (off-host), and system deployment must offer excellent compatibility and multiple security mechanisms.
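The client / server-side / management-side split above, and the policy evaluation the server-side performs, as an added example in Python that is not part of the original paper or of any product it describes. The event format, the policy keys (work hours, a per-day removable-media write limit, the set of hosts allowed to use removable media, internal address prefixes) and the seven agent events are constructed for the example.

```python
"""Minimal monitoring-platform pipeline in the client / server-side / management-side shape
the paper describes.  Added example, not code from the paper.  Event fields, policy keys and
thresholds are assumptions of this example."""
import json
from collections import defaultdict
from datetime import datetime

# Policy the management-side configures and the server-side pushes to agents (assumed schema).
POLICY = {
    "work_hours": (8, 19),                      # logons outside [08:00, 19:00) are suspicious
    "removable_write_limit_mb": 100,            # per host per day
    "allowed_removable_hosts": {"hr-pc-07"},    # hosts permitted to write removable media
    "internal_prefixes": ("10.", "192.168."),   # everything else counts as external
}

# Constructed agent events (one JSON object per line), as a host client would send them.
SAMPLE_EVENTS = """\
{"ts": "2010-08-14T09:12:03", "host": "hr-pc-07",  "user": "lwang",  "type": "logon"}
{"ts": "2010-08-14T23:41:10", "host": "fin-pc-12", "user": "jsmith", "type": "logon"}
{"ts": "2010-08-14T23:45:30", "host": "fin-pc-12", "user": "jsmith", "type": "removable_write", "mb": 60}
{"ts": "2010-08-14T23:52:02", "host": "fin-pc-12", "user": "jsmith", "type": "removable_write", "mb": 75}
{"ts": "2010-08-14T10:03:44", "host": "hr-pc-07",  "user": "lwang",  "type": "removable_write", "mb": 20}
{"ts": "2010-08-14T11:20:00", "host": "fin-pc-12", "user": "jsmith", "type": "net_connect", "dst": "203.0.113.9:443"}
{"ts": "2010-08-14T11:21:00", "host": "hr-pc-07",  "user": "lwang",  "type": "net_connect", "dst": "10.1.2.3:445"}
"""


def parse_events(text):
    """Client-side framing: one JSON event per line; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def evaluate(events, policy):
    """Server-side policy engine: returns alerts as (rule, host, user, detail) tuples."""
    alerts = []
    removable_mb = defaultdict(float)   # (host, day) -> MB written; slow copies still trip the limit
    start, end = policy["work_hours"]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        host, user, kind = e["host"], e["user"], e["type"]
        if kind == "logon" and not (start <= ts.hour < end):
            alerts.append(("off_hours_logon", host, user, ts.strftime("%H:%M")))
        elif kind == "removable_write":
            if host not in policy["allowed_removable_hosts"]:
                alerts.append(("removable_media_not_authorized", host, user, f"{e['mb']} MB"))
            key = (host, ts.date())
            removable_mb[key] += e["mb"]
            if removable_mb[key] > policy["removable_write_limit_mb"]:
                alerts.append(("removable_volume_exceeded", host, user, f"{removable_mb[key]:.0f} MB today"))
        elif kind == "net_connect":
            if not e["dst"].startswith(policy["internal_prefixes"]):
                alerts.append(("external_connection", host, user, e["dst"]))
    return alerts


def summarize(alerts):
    """Management-side statistics: alert counts per host, the view an administrator queries."""
    per_host = defaultdict(int)
    for _, host, _, _ in alerts:
        per_host[host] += 1
    return dict(per_host)


if __name__ == "__main__":
    found = evaluate(parse_events(SAMPLE_EVENTS), POLICY)
    for a in found:
        print(*a)
    print(summarize(found))
```

Run as a script, the sample produces five alerts, all for fin-pc-12: an off-hours logon, two unauthorized removable-media writes, the daily volume limit being exceeded on the second write (60 + 75 MB), and a connection to an external address. The HR host, which is on the allowed list and only talks to internal addresses, produces none; the per-day accumulation is what catches data walked out in several small copies rather than one large one.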

Figure 1. Insider Threat: Mobile Devices

Figure 2. MSIS

B. Security authentication platform SAP

This paper presents an SAP that performs a variety of authentication methods to achieve secure login and authentication of users. It is independent of the login system of the original computer and has higher security and reliability. It is made up of the authentication server, the authentication agent and the authentication tokens. The authentication server is the authentication engine of the network, managed by the security administrator or the network administrator; it is mainly used for token issue and for the design and implementation of the security policy. The authentication agent is special agent software that works with the authentication server to enforce the various security policies. The authentication tokens serve users in the form of hardware, software, smart cards and so on, and are used to confirm the user's identity. If a user provides a correct token code, it can be assured with high confidence that the user is a legitimate user; this assurance rests on the token staying in the hands of its owner, since a token shared or stolen in the way coworkers' passwords were in the Société Générale case would authenticate the wrong person.

A complete SAP is the basis of the security system. It combines multiple software and hardware certification systems, improving reliability, and supports a variety of standard CA servers. It is convenient and has little influence on the original system. At the same time, for all peripherals, input and output ports and operating license management, only authorized persons may obtain authority to operate the computer; only authorized disks, disk partitions, peripherals and mobile storage devices may be used, by an authorized person on an authorized computer; and only authorized input and output ports may be used by an authorized person. All these measures lay the foundation for the reliable operation of the security system.
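The token-code check the authentication server performs, as an added example in Python that is not from the paper: time-based one-time passwords (RFC 6238 TOTP built on RFC 4226 HOTP), with a one-step clock-skew window and replay protection so that a code captured on the wire cannot be submitted a second time. The seed value, the user names, the 30-second step and the skew window are assumptions of the example; the seed is the RFC test seed, so the codes can be checked against the RFCs' published vectors.

```python
"""Time-based one-time-password tokens (RFC 6238 TOTP over RFC 4226 HOTP) for the
authentication server / token split the paper describes.  Added example, not the paper's
code; the seed, user names, 30-second step and one-step skew window are assumptions."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(time / step).  This is what the token displays."""
    return hotp(secret, unix_time // step, digits)


class AuthenticationServer:
    """Issues token seeds and verifies submitted codes.  Accepts one step of clock skew either
    way and remembers the highest step already consumed per user, so a sniffed code cannot be
    replayed within the window."""

    def __init__(self):
        self._seeds = {}        # user -> seed bytes (a real deployment keeps these in protected storage)
        self._last_step = {}    # user -> highest time step already accepted

    def issue_token(self, user: str, seed: bytes) -> None:
        self._seeds[user] = seed
        self._last_step[user] = -1

    def verify(self, user: str, code: str, now: int, skew: int = 1) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        for step in range(current - skew, current + skew + 1):
            if step <= self._last_step[user]:
                continue                        # already used, or older than a used code: replay
            if hmac.compare_digest(hotp(seed, step), code):
                self._last_step[user] = step    # consume this step and everything before it
                return True
        return False


if __name__ == "__main__":
    server = AuthenticationServer()
    seed = b"12345678901234567890"              # RFC 4226/6238 test seed, used here for the demo
    server.issue_token("alice", seed)
    now = int(time.time())
    code = totp(seed, now)                      # what alice's hardware or software token shows
    print("code", code, "accepted:", server.verify("alice", code, now))
    print("same code replayed:", server.verify("alice", code, now + 5))
```

Two points the paragraph leaves implicit are visible in the code: the server never stores or transmits the code itself, only the seed, so an agent that sniffs one login learns nothing reusable; and `compare_digest` is used for the comparison so that the verifier's timing does not leak how many digits matched.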

    C. Information Security Platform ISP

In the ISP, compulsory encryption of information over the network and control of all network traffic are introduced. That can effectively circumvent malicious listeners, unauthorized external connections and illegal access.

The communication protocols of computer networks were designed without considering security and are completely open, which makes data easy to intercept at will in the course of transmission and exchange. To ensure information security within the network, the security of important data must be solved in the communication processes between any two machines in the LAN. The ISP proposed in this article makes mandatory encryption of network transmission a reality, and the communication key between any two computers is different. That effectively prevents the network behavior of a malicious listener. At the same time, if a host in the internal network gains access to the external network illegally through a modem, ADSL dial-up, a dual network card or other methods, the two sides cannot communicate with each other because of their different data encapsulation, which effectively prevents illegal access to the external network. Computers coming into the internal network from the external network, whether accessing the internal network directly through the switching equipment or connecting to an internal computer through a direct network connection, cannot communicate with the others, which effectively prevents the occurrence of illegal access.
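The pairwise-key, mandatory-encapsulation behaviour described above, as an added example in Python that is not from the paper: every enrolled host holds a domain master key provisioned by the administrator, the key for each host pair is derived from it so that no two pairs share a key, and every frame is encrypted and authenticated, so a host without the domain key (an external machine, or an internal one dialled out to the outside) neither reads frames nor produces ones the others accept. The frame layout, the master-key provisioning model, the host names and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions of the example.

```python
"""Mandatory pairwise encryption between enrolled hosts, as the ISP section describes.
Added example, not the paper's code.  The frame layout, the domain-master-key provisioning
model and the HMAC-SHA256 counter-mode keystream (a stdlib stand-in for an AEAD such as
AES-GCM; a deployment would use the real thing) are assumptions of this example."""
import hashlib
import hmac
import os
import struct

MAGIC = b"ISP1"
TAG_LEN = 32
NONCE_LEN = 12


def pair_keys(domain_master: bytes, host_a: str, host_b: str):
    """Derive an (encryption key, MAC key) pair for one host pair.  Sorting the names makes the
    key symmetric; binding both names makes every pair's key distinct from every other pair's."""
    lo, hi = sorted((host_a, host_b))
    pair_secret = hmac.new(domain_master, b"pair|" + lo.encode() + b"|" + hi.encode(), hashlib.sha256).digest()
    enc_key = hmac.new(pair_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(pair_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF: block i = HMAC-SHA256(enc_key, nonce || i)."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return bytes(out[:length])


def encapsulate(domain_master: bytes, src: str, dst: str, payload: bytes, nonce: bytes = None) -> bytes:
    """Build a frame: MAGIC | len(src) | len(dst) | src | dst | nonce | ciphertext | tag.
    Encrypt-then-MAC, with the tag covering the header so names cannot be swapped."""
    enc_key, mac_key = pair_keys(domain_master, src, dst)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)   # fresh per frame
    header = MAGIC + struct.pack(">BB", len(src), len(dst)) + src.encode() + dst.encode() + nonce
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decapsulate(domain_master: bytes, frame: bytes):
    """Return (src, dst, payload), or None when the frame was not produced under our domain key
    (a foreign host's encapsulation, plain traffic, or a tampered frame).  Nothing is decrypted
    until the tag has been verified."""
    if len(frame) < len(MAGIC) + 2 + NONCE_LEN + TAG_LEN or frame[:4] != MAGIC:
        return None
    ls, ld = frame[4], frame[5]
    pos = 6
    src = frame[pos:pos + ls].decode(errors="replace"); pos += ls
    dst = frame[pos:pos + ld].decode(errors="replace"); pos += ld
    nonce = frame[pos:pos + NONCE_LEN]; pos += NONCE_LEN
    header, ct, tag = frame[:pos], frame[pos:-TAG_LEN], frame[-TAG_LEN:]
    enc_key, mac_key = pair_keys(domain_master, src, dst)
    if not hmac.compare_digest(hmac.new(mac_key, header + ct, hashlib.sha256).digest(), tag):
        return None                               # different encapsulation key: drop silently
    payload = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return src, dst, payload


if __name__ == "__main__":
    master = os.urandom(32)                       # provisioned to every enrolled host by the admin
    frame = encapsulate(master, "hostA", "hostB", b"quarterly-report.doc")
    print("hostB reads:", decapsulate(master, frame))
    print("outside host reads:", decapsulate(os.urandom(32), frame))
```

The two failure modes the paragraph relies on are both a tag mismatch: a machine plugged into the switch from outside has no domain key, so whatever it sends fails verification at every internal host, and an internal host that dials out cannot decapsulate the plain traffic it receives from the Internet side either. Because the pair key binds both host names, a frame between hostA and hostB is also unreadable by hostC even though hostC holds the same domain master.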

    D. Security management system SMS

A perfect SMS is essential in fighting the insider threat of enterprises. This paper considers that security administrators should keep abreast of the latest developments in network security and implement real-time monitoring of user behavior on the network. They should protect the network equipment and the security of online information. They are also required to foresee network threats and take appropriate responses. At the same time, they should endeavor to stop the insider threat at the outset and reduce internal risk to a minimum.

In addition, from the perspective of network security, enterprises should take measures to manage employees. They should identify the data that needs to be protected, keep in touch with employees and provide security education everywhere. Firstly, leaders must recognize the importance of network security; only then can the staff recognize it. Then appropriate policies and regulations may be developed, so that the enterprise can adhere to the principle that "there shall be laws to abide by and evidence to investigate; everyone who is meritorious should be rewarded, and everyone who is wrong should be punished." Only in that way can employees raise their safety awareness and keep the internal network free from damage.

Organizations must monitor all critical information system activity, such as servers, software applications and other data resources. Access must be strictly controlled and any suspicious activity must be investigated.

IV. CONCLUSION

How can the insider threat be reduced? The use of advanced technology is required, but the establishment of a security architecture for the insider threat is essential. The advantage of this architecture is that it proposes an integrated approach to combining technology and management. However, the details of the various platforms and advanced technologies are not explained further, and the factors including people and environmental issues are not analyzed precisely. From an overall point of view, in later research many cooperative controls concerning technique, environment and people should be designed to be ordered and synchronous. At the same time, the inter-linkages of the various controls, their priority sequence and their control principles should be fully considered.

    REFERENCES

[1] G. B. Magklaras and S. M. Furnell, "A preliminary model of end user sophistication for insider threat prediction in IT systems," Computers and Security, vol. 24, no. 5, pp. 371-380, 2005.

[2] M. Kemp, "Barbarians inside the gates: Addressing internal security threats," Network Security, vol. 2005, no. 6, pp. 11-13, 2005.

[3] Y. Yu and J. C. Chiueh, "Display-only file server: A solution against information theft due to insider attack," Washington, DC, United States, 2004, pp. 31-39.

[4] R. Richardson, "2003 CSI/FBI computer crime and security survey," Computer Security Journal, vol. 19, no. 2, pp. 21-40, 2003.

[5] E. Schultz, "A framework for understanding and predicting insider attacks," Computers and Security, vol. 21, no. 6, pp. 526-531, 2002.

[6] H. Wang, S. Liu, and Y. Zhang, "Insider threat analysis and solution probe for information system," Journal of Jilin University (Engineering and Technology Edition), vol. 36, no. 5, pp. 809-813, 2006.

[7] J. S. Park and S. M. Ho, "Composite role-based monitoring (CRBM) for countering insider threats," Springer-Verlag GmbH, vol. 3073, pp. 201-213, 2004.