Insider Threat and Information Security
Dawn Cappelli, Faculty, Carnegie Mellon University
Earl Crane, Adjunct Professor, Carnegie Mellon University
Insider Threat
• Hassan Abujihaad (formerly Paul Hall)
• Arrested March 7, 2007
• Sailor on USS Benfold (2000-2001)
• Passed SECRET information to known Islamic Jihadists containing battle group weaknesses
• Islamic fundamentalist convert
• http://cicentre.com
Insider Threat
• Leandro Aragoncillo
• Arrested: September 10, 2005
• Sentenced to 10 years: July 18, 2007
• Retired Marine, Administration Chief of White House VP Security Detail
• Passed 101 classified documents to the Philippine government, 37 marked SECRET
• Played to Filipino loyalties
• http://cicentre.com
Insider Threat
• Robert Hanssen
• Arrested February 18, 2001
• Spy since 1985
• Long-time FBI agent
• “Worst case of espionage in US history” (Washington Post, 20 Feb 01)
• Spied in exchange for $1.4M in cash and diamonds
Spy cases
• What did these have in common?
• Trusted insiders who “turned”
• Used information system trust to commit espionage
• Did precursors exist to alert management?
• Could these have been prevented?
• Use of technology controls to mitigate
• Use of management observation to mitigate
Disclaimer
• This is not “trusted computing” or “computational correctness”
• This does not make the case that insider threats are a known and prevalent problem. That is a given assumption.
Overview
• Trust and Trust Online
• A brief overview of Trust
• Shifting Trust from Technology to People
• Trust and information systems
• Credibility, Ease of Use, Perceived Risk
• Technology Adoption
• Fear of the unknown
• The Critical Pathway
• Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon
Trust
• “Nearly 70% of Americans agree with the statement, ‘I don't know whom to trust anymore’” (February 2002 Golin/Harris Poll)
• The “What is Trust?” question is not new
• Interpersonal Trust
• Team Trust
• Societal Trust
• Trust and Abstract Systems
What is Trust Online?
• “An attitude of confident expectation in an online situation of risk that one’s vulnerabilities will not be exploited.” (Corritore, Kracher, & Wiedenbeck, 2003)
A brief overview of Trust
• General vs. Specific Trust
• Kinds of Trust: Cognitive vs. Emotional Trust (Komiak & Benbasat, 2004); Slow Trust vs. Swift Trust
• Degrees of Trust: Weak to Strong Trust; Basic Trust, Guarded Trust, Extended Trust
• Stages of Trust: Deterrence Based, Knowledge Based, and Shared Identification Based Trust
• Shifting Trust: Trust in Technology vs. Trust in People
Shifting Trust
• Trust in Technology vs. People
• Shift from technology to people through technology (Chopra & Wallace, 2003)
• Figure: Shifting Trust from Technology to People (the shift is the goal)
Trust in Technology
• Trust in technology follows an interpersonal model of trust.
• Web page or electronic document
• We trust the data if: it is believed to be reliable; we trust willingly; we can accept or reject the information on the document.
Trust in People
• Electronic commerce: closer to humanistic trust, where the trustee is now a person or organization; confidence that a transaction will be fulfilled appropriately.
• Online relationships: confidence that the other party will maintain a quality relationship.
• Intelligence, positive intentions, ethics, dependability, predictability, confidentiality
• This is where we approach trust and information systems
Credibility
• Credibility and the perception of credibility have four components: Honesty, Expertise, Predictability, Reputation (Corritore, et al. 2003)
• Regular communication builds trust (credibility) in online environments (Gibson, 2003)
Ease of Use
• A website that is easy for users to navigate and find the information needed instills a sense of trust in the user, and satisfies the user with their online experience. (Corritore, Kracher, & Wiedenbeck, 2003)
• How well users can achieve their goals while using a computer
• The hard-to-use ACS system was one of the factors contributing to espionage in the Robert Hanssen case (Band et al., 2006).
Technology Adoption
• Choose the path of least resistance
• Technology Acceptance Model (TAM): Perceived Usefulness (PU), Perceived Ease of Use (PEOU)
Perceived Risk
• A user’s perception of risk is closely linked to their trust.
• A person buying a large-ticket item online for the first time may feel they have little control over the transaction.
• Users may not be fully aware of all the unknown risks, but they have an “awareness of the unknown” that increases their perceived risk. (Komiak & Benbasat, 2004)
The only thing we have to fear is fear itself
• Fear of the unknown
• Previously discussed Cognitive and Emotional Trust (Komiak & Benbasat, 2004)
Trust and Insider Threat
• Organizations must trust their employees to some extent
• Trust without management or technical controls can enable insider attacks
• We can’t fix stupid
• Insider attacks follow a pattern: a “critical pathway”
• Caveat: Not applicable to trained foreign intelligence agents
Critical Pathway (Shaw & Fischer, 2005)
Critical Pathway
• At-risk Subject Characteristics
• Serious promotional or personal setbacks
• Previous computer misuse
• Disabling organizational security devices
• Disregard for security protocols
• Self-esteem issues, a “high maintenance employee”
• Personnel conflicts
• Anger
• Lack of inhibitions about retaliation or revenge (Shaw, 2006)
System Dynamics
• Modeled through System Dynamics (Jay W. Forrester, 1961)
• A method and supporting toolset
• Holistically model, document, and analyze complex problems as they evolve over time
• Develop effective mitigation strategies that balance competing concerns
• Carnegie Mellon System Dynamics Research discovered the “trust trap”
Summary
• Discussed so far: Trust and Trust Online; A brief overview of Trust; Trust and information systems; The Critical Pathway
• Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon
• Management and Education of Risks of Insider Threat (MERIT Model)
MERIT Model (system dynamics diagram; the “TRUST TRAP!!” loop is highlighted on the slide). Variables shown: actual risk of insider attack, perceived risk of insider attack, technical precursor, behavioral precursor, acquiring unknown access paths, unknown access paths, ability to conceal activity, discovery of precursors, disgruntlement, technical monitoring, behavioral monitoring, sanctions, insider's expectation, insider's unmet expectation, expectation fulfillment, org's trust of insider, precipitating event, personal predisposition. © 2007 Carnegie Mellon University
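A toy stock-and-flow simulation of the trust trap loop drawn in the MERIT diagram, added here as an illustration; it is not the MERIT model or Carnegie Mellon's code, and its equations, constants and variable names are assumptions chosen only to show how rising trust can suppress monitoring and discovery and widen the gap between actual and perceived risk.

```python
# Added toy system dynamics model of the "trust trap" feedback loop named on the
# slides. It is NOT the MERIT model: the equations and constants are assumptions
# chosen only to show the loop's direction. Variable names follow the diagram.

def simulate(steps, trust_trap, precursor_rate=1.0, base_monitoring=0.5):
    """Step a stock-and-flow model; return per-step (step, trust, perceived, actual).

    trust_trap=True  : monitoring effort shrinks as org's trust of insider grows.
    trust_trap=False : monitoring effort is held at base_monitoring regardless.
    """
    trust = 0.9          # org's trust of insider (0..1), starts high
    unobserved = 0.0     # precursors not yet discovered (unknown access paths etc.)
    perceived = 0.0      # perceived risk: precursors discovered so far
    history = []
    for step in range(1, steps + 1):
        # In the trap, trust suppresses technical and behavioral monitoring.
        monitoring = base_monitoring * (1.0 - trust) if trust_trap else base_monitoring
        unobserved += precursor_rate              # insider keeps generating precursors
        discovered = monitoring * unobserved      # discovery of precursors
        unobserved -= discovered
        perceived += discovered
        # Discovered precursors erode trust; undiscovered ones leave it untouched,
        # which is what keeps the loop closed.
        trust = max(0.0, trust - 0.05 * discovered)
        actual = unobserved + perceived           # actual risk: all precursors
        history.append((step, round(trust, 3), round(perceived, 3), round(actual, 3)))
    return history

def risk_gap(history):
    """Actual minus perceived risk at the final step: the organization's blind spot."""
    _, _, perceived, actual = history[-1]
    return round(actual - perceived, 3)

if __name__ == "__main__":
    for label, trap in (("fixed monitoring", False), ("trust trap", True)):
        hist = simulate(12, trap)
        print(f"{label:16s} gap after 12 steps = {risk_gap(hist)}, "
              f"final trust = {hist[-1][1]}")
```

With fixed monitoring the blind spot settles at about one undiscovered precursor, while in the trap it keeps growing and trust stays high precisely because little is being discovered.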
Insider Threat Mitigation
• Balance information sharing with information restriction and monitoring
• Technical Controls
• Management Controls
• Operational Controls
• Series of recommendations from Carnegie Mellon
Our Thoughts About Best Practices
• Refer to the Common Sense Guide and Insider Threat Study reports for supporting data.
• Our goal here is to use case examples to motivate you to ask yourself, “Could something like this happen to me?”
Best Practice #1: Institute periodic enterprise-wide risk assessments.
Emergency services are forced to rely on manual address lookups for 911 calls when an insider sabotages the system. Organizations need to develop a risk-based security strategy to protect their critical assets from both external and internal threats.
Best Practice #2: Institute periodic security awareness training.
A team of software developers pay the price after they ignore the team lead’s contempt and deliberate violation of management’s directives. Without broad understanding and buy-in from the organization, technical or managerial controls will be short-lived.
Best Practice #3: Enforce separation of duties and least privilege.
A supervisor accepts $50,000 to grant asylum to immigrants who had been or could have been otherwise denied. While security awareness training is an excellent start, separation of duties and least privilege must be implemented to limit the damage that malicious insiders can inflict.
Best Practice #4: Implement strict password & account management practices.
A disgruntled contractor snoops to his heart’s content after he uses a password cracker to obtain 40 passwords, including the root password. If an organization’s computer accounts can be compromised, insiders can circumvent manual and automated control mechanisms.
Best Practice #5: Log, monitor, and audit employee online actions.
A contractor’s sophisticated scheme, which allowed him to steal 5000 employee passwords, is discovered in the nick of time. Logging, monitoring, and auditing can lead to early discovery and investigation of suspicious insider actions.
Best Practice #6: Use extra caution with privileged users.
An insider’s fiancée finds her promotion is better than he ever imagined when she gives him $615,000 over the next two years. System administrators and privileged users have the technical ability, access, and oversight responsibility to commit and conceal malicious activity.
Best Practice #7: Actively defend against malicious code.
A software developer realizes that the fox is guarding the henhouse when he is able to modify his own source code to override his own security measures. While insiders frequently use simple user commands to do their damage, logic bombs and other malicious code are used frequently enough to be of concern.
Best Practice #8: Use layered defense against remote attacks.
A foreign currency trader hides $691 million in losses over a 5 year period, mostly from home in the middle of the night. Remote access provides a tempting opportunity for insiders to attack with less risk.
Best Practice #9: Monitor and respond to suspicious activity.
A software development manager who verbally attacks management and coworkers on a regular basis is finally fired, but steals critical software and demands $50K for its return. One method of reducing the threat of malicious insiders is to proactively deal with difficult employees.
Best Practice #10: Deactivate computer access following termination.
A system administrator terminated with no advance notice remotely logs in using an administrator account and shuts down the organization's mission-critical server. It is important that organizations follow rigorous termination procedures that disable all open access points to the networks, systems, applications, and data.
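One concrete check that ties Best Practice #10 to the logs Best Practice #5 says to keep: compare an HR termination feed against authentication records and flag any successful login after the account should have been disabled. Added example, not code from the slides or from CERT; the HR feed, the log lines and their formats are constructed assumptions.

```python
"""Flag successful logins by accounts that should already have been deactivated.

Added example for Best Practices #5 and #10. The HR feed and sshd-style log
lines below are constructed, and both formats are assumptions.
"""
from datetime import datetime, timedelta

# Constructed HR termination feed: account -> time access should have ended.
TERMINATIONS = {
    "jsmith": datetime(2007, 3, 7, 17, 0),
    "admin-ops": datetime(2007, 3, 9, 9, 30),
}

# Constructed syslog-style auth records (sshd wording; format assumed).
AUTH_LOG = """\
2007-03-07T16:45:00 sshd: Accepted password for jsmith from 10.0.0.5
2007-03-07T23:12:41 sshd: Accepted password for jsmith from 203.0.113.7
2007-03-08T08:00:02 sshd: Accepted password for mjones from 10.0.0.9
2007-03-09T09:29:00 sshd: Accepted password for admin-ops from 10.0.0.2
2007-03-10T02:17:55 sshd: Accepted password for admin-ops from 198.51.100.4
2007-03-10T02:18:10 sshd: Failed password for admin-ops from 198.51.100.4
"""

def parse_login(line):
    """Return (timestamp, user, source) for a successful login line, else None."""
    parts = line.split()
    if len(parts) < 8 or parts[1:3] != ["sshd:", "Accepted"]:
        return None
    return datetime.fromisoformat(parts[0]), parts[5], parts[7]

def post_termination_logins(log_text, terminations, grace_hours=0.0):
    """Successful logins that happened after the account's termination time.

    grace_hours tolerates a deprovisioning window; the default of zero reflects
    the slide's point that access should end at termination, not later.
    Returns a list of (user, iso_timestamp, source) tuples in log order.
    """
    grace = timedelta(hours=grace_hours)
    findings = []
    for line in log_text.splitlines():
        rec = parse_login(line)
        if rec is None:
            continue                      # failed attempts and unrelated lines
        ts, user, src = rec
        cutoff = terminations.get(user)
        if cutoff is not None and ts > cutoff + grace:
            findings.append((user, ts.isoformat(), src))
    return findings

if __name__ == "__main__":
    for user, ts, src in post_termination_logins(AUTH_LOG, TERMINATIONS):
        print(f"ALERT: terminated account {user} logged in at {ts} from {src}")
```

The two alerts it raises are the late-night login by the freshly terminated user and the remote login by the administrator account from an outside address, which is the scenario on the slide.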
Best Practice #11: Collect and save data for use in investigations.
Monthly audit log recycling causes company difficulty in prosecuting a long-term fraud scheme with losses of over $500K. Collecting and saving usable evidence preserves response options, including legal actions.
Best Practice #12: Implement secure backup and recovery processes.
A disgruntled system administrator amplifies the impact of a logic bomb by centralizing critical programs and intimidating a coworker out of backup tapes. It is important that organizations prepare for the possibility of insider attacks by implementing secure backup and recovery processes that are tested periodically.
Best Practice #13: Clearly document insider threat controls.
After transferring to a new department, absence of policy allows an insider to repeatedly gain unauthorized access to his old department’s systems without repercussions. To ensure consistent handling and to protect against accusations of discrimination, procedures for dealing with malicious insiders must be clearly documented.
Questions
• Earl Crane: Crane at andrew * cmu * edu
• Dawn Cappelli: DMC at cert * org
Summary of Best Practices
• Institute periodic enterprise-wide risk assessments.
• Institute periodic security awareness training for all employees.
• Enforce separation of duties and least privilege.
• Implement strict password and account management policies and practices.
• Log, monitor, and audit employee online actions.
• Use extra caution with system administrators and privileged users.
• Actively defend against malicious code.
• Use layered defense against remote attacks.
• Monitor and respond to suspicious or disruptive behavior.
• Deactivate computer access following termination.
• Collect and save data for use in investigations.
• Implement secure backup and recovery processes.
• Clearly document insider threat controls.