1 / 11

A Discussion of the Insider Threat

A Discussion of the Insider Threat. Outside. Inside. Jason Franklin. Example Insider Attack. Ivan the insider gets fired and Alf the administrator forgets to void Ivan’s (login) credentials.

johana
Download Presentation

A Discussion of the Insider Threat

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Discussion of the Insider Threat Outside Inside Jason Franklin

  2. Example Insider Attack • Ivan the insider gets fired and Alf the administrator forgets to void Ivan’s (login) credentials. • Ivan goes home, logins into his work machine and takes some malicious action (introduces bugs into source, deletes files and backups, etc…) • Alternatively, Alf might void Ivan’s credentials, but forget that Ivan also uses a shared group account.

  3. Trusted Computing Base Proposed Definition • A malicious insider is an adversary who operates inside the trusted computing base, basically a trusted adversary. • The insider threat is an adversarial model encompassing all possible malicious insiders. Ivan

  4. Example Threats • Data corruption, deletion, and modification • Leaking sensitive data • Denial of service attacks • Blackmail • Theft of corporate data • On and on….

  5. Statistics • Insider attacks account for as much as 80% of all computer and Internet related crimes [1] • 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders [1] • Majority of insiders are privileged users and majority of attacks are launched from remote machines [3]

  6. Problem Discussion • Typical adversarial models ignore the insider threat by assuming the TCB is free of threats • Insider threat violates this assumption Corporate Network Firewall/IDS

  7. Prevailing Sentiments (Myths?) • Current systems are capable of countering the insider threat • Insider threat is impossible to counter because of the insider’s resources and access permissions • Insider attacks are a social or organizational issue which cannot be countered by technical means (Anderson94)

  8. Remediation: Initial Thoughts • Minimize the size of the TCB to decrease the number of possible insiders • Distribute trust amongst multiple parties to force collusion • Most insiders act alone • Question trust assumptions made in computing systems • Treat the LAN like the WAN • BroLAN, SANE, etc… • Others?

  9. Is the insider threat unavoidable? • If we define an insider as an adversary inside the TCB, can we ever eliminate the insider threat? • Perhaps we can only reduce the number of possible insiders or the extent of possible damage? • Perhaps we should rely on the “lone wolf” nature of insiders and distribute trust?

  10. Discussion • Is the insider threat definition a good one? • Is the insider an actual threat or just media hype? • Can/do we build systems that already counter the insider threat? • Is this worth our time? • What’s the best paper you could imagine in this area?

  11. References • [1] Jim Carr. Strategies and issues: Thwarting insider attacks, 2002. • [2] Nathan Einwechter. The enemy inside the gates: Preventing and detecting insider attacks, 2002. • [3] National Threat Assessment Center - Insider Threat Study, http://www.ustreas.gov/usss/ntac_its.shtml • [4] Jason Franklin, Parisa Tabriz, and Matthew Thomas. A Case Study of the Insider Threat through Modifications to Legacy Network Security Architectures, unpublished manuscript.

More Related