

  • Number of slides: 45

Insider Threat and Information Security
Dawn Cappelli, Faculty, Carnegie Mellon University
Earl Crane, Adjunct Professor, Carnegie Mellon University

Insider Threat
• Hassan Abujihaad (formerly Paul Hall)
– Arrested March 7, 2007
– Sailor on USS Benfold (2000-2001)
– Passed SECRET information containing battle group weaknesses to known Islamic jihadists
– Islamic fundamentalist convert
– http://cicentre.com

Insider Threat
• Leandro Aragoncillo
– Arrested: September 10, 2005
– Sentenced to 10 years: July 18, 2007
– Retired Marine, Administration Chief of the White House VP Security Detail
– Passed 101 classified documents to the Philippine government, 37 of them marked SECRET
– Played to Filipino loyalties
– http://cicentre.com

Insider Threat
• Robert Hanssen
– Arrested February 18, 2001
• Spy since 1985
– Long-time FBI agent
– “Worst case of espionage in US history” (Washington Post, 20 Feb 01)
– Spied in exchange for $1.4M in cash and diamonds

Spy cases
• What did these have in common?
– Trusted insiders who “turned”
– Used information system trust to commit espionage
• Did precursors exist to alert management?
• Could these have been prevented?
– Use of technology controls to mitigate
– Use of management observation to mitigate

Disclaimer
• This is not “trusted computing” or “computational correctness”
• This does not make the case that insider threats are a known and prevalent problem. That is taken as a given assumption.

Overview
• Trust and Trust Online
• A brief overview of Trust
– Shifting Trust from Technology to People
• Trust and information systems
– Credibility, Ease of Use, Perceived Risk
– Technology Adoption
– Fear of the unknown
• The Critical Pathway
• Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon

Trust
• “Nearly 70% of Americans agree with the statement, ‘I don't know whom to trust anymore’” (February 2002 Golin/Harris Poll)
• The “What is Trust?” question is not new
– Interpersonal Trust
– Team Trust
– Societal Trust
• Trust and Abstract Systems

What is Trust Online?
• “An attitude of confident expectation in an online situation of risk that one’s vulnerabilities will not be exploited.” (Corritore, Kracher, & Wiedenbeck, 2003)

A brief overview of Trust
• General vs. Specific Trust
• Kinds of Trust
– Cognitive vs. Emotional Trust (Komiak & Benbasat, 2004)
– Slow Trust vs. Swift Trust
• Degrees of Trust
– Weak to Strong Trust
– Basic Trust, Guarded Trust, Extended Trust
• Stages of Trust
– Deterrence Based, Knowledge Based, and Shared Identification Based Trust
• Shifting Trust
– Trust in Technology vs. Trust in People

Shifting Trust
• Trust in Technology vs. People
• Shift from technology to people through technology (Chopra & Wallace, 2003)
(Figure: Shifting Trust from Technology to People – Goal)

Trust in Technology
• Trust in technology follows an interpersonal model of trust.
– Web page or electronic document
– We trust the data if:
• It is believed to be reliable
• We trust willingly
• We can accept or reject the information on the document

Trust in People
• Electronic commerce
– Closer to humanistic trust, where the trustee is now a person or organization
– Confidence that a transaction will be fulfilled appropriately
• Online relationships
– Confidence that the other party will maintain a quality relationship
• Intelligence, positive intentions, ethics, dependability, predictability, confidentiality
• This is where we approach trust and information systems

Trust and Information Systems

Credibility
• Credibility and the perception of credibility have four components:
– Honesty
– Expertise
– Predictability
– Reputation
• (Corritore, et al. 2003)
• Regular communication builds trust (credibility) in online environments (Gibson, 2003)

Ease of Use
• A website that is easy for users to navigate and find the information needed instills a sense of trust in the user and satisfies the user with their online experience. (Corritore, Kracher, & Wiedenbeck, 2003)
• How well users can achieve their goals while using a computer
– The hard-to-use ACS system was one of the factors contributing to espionage in the Robert Hanssen case (Band et al., 2006)

Technology Adoption
• Choose the path of least resistance
• Technology Acceptance Model (TAM)
– Perceived Usefulness (PU)
– Perceived Ease of Use (PEOU)

Perceived Risk
• A user’s perception of risk is closely linked to their trust.
– A person buying a large-ticket item online for the first time may feel they have little control over the transaction.
• Users may not be fully aware of all the unknown risks; they have an “awareness of the unknown” that increases their perceived risk. (Komiak & Benbasat, 2004)

The only thing we have to fear is fear itself
• Fear of the unknown
– Previously discussed Cognitive and Emotional Trust (Komiak & Benbasat, 2004)

Trust and Insider Threat
• Organizations must trust their employees to some extent
• Trust without management or technical controls can enable insider attacks
• We can’t fix stupid
• Insider attacks follow a pattern: a “critical pathway”
– Caveat: Not applicable to trained foreign intelligence agents

Critical Pathway (Shaw & Fischer, 2005)

Critical Pathway
• At-risk Subject Characteristics
– Serious promotional or personal setbacks
– Previous computer misuse
– Disabling organizational security devices
– Disregard for security protocols
– Self-esteem issues, a “high maintenance employee”
– Personnel conflicts
– Anger
– Lack of inhibitions about retaliation or revenge
(Shaw, 2006)

System Dynamics
• Modeled through System Dynamics (Jay W. Forrester, 1961)
• A method and supporting toolset
– Holistically model, document, and analyze complex problems as they evolve over time
– Develop effective mitigation strategies that balance competing concerns
• Carnegie Mellon System Dynamics Research
– Discovered the “trust trap”

Summary
• Discussed so far:
– Trust and Trust Online
– A brief overview of Trust and information systems
– The Critical Pathway
• Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon
– Management and Education of Risks of Insider Threat (MERIT Model)

MERIT Model of Insider IT Sabotage

MERIT Model (figure: causal-loop diagram annotated “TRUST TRAP!!”; variables shown: actual risk of insider attack, behavioral precursor, ability to conceal activity, discovery of precursors, disgruntlement, sanctions, behavioral monitoring, insider's unmet expectation, insider's expectation, personal predisposition, technical precursor, acquiring unknown paths, unknown access paths, technical monitoring, perceived risk of insider attack, org's trust of insider, expectation fulfillment, precipitating event)
© 2007 Carnegie Mellon University

MERIT Model (the same figure repeated without the “TRUST TRAP” annotation)

Insider Threat Mitigation
• Balance information sharing with information restriction and monitoring
• Technical Controls
• Management Controls
• Operational Controls
– Series of recommendations from Carnegie Mellon

Best Practices

Our Thoughts About Best Practices
• Refer to the Common Sense Guide and Insider Threat Study reports for supporting data.
• Our goal here is to use case examples to motivate you to ask yourself: “Could something like this happen to me?”

Best Practice #1: Institute periodic enterprise-wide risk assessments.
Emergency services are forced to rely on manual address lookups for 911 calls when an insider sabotages the system.
Organizations need to develop a risk-based security strategy to protect their critical assets from both external and internal threats.

Best Practice #2: Institute periodic security awareness training.
A team of software developers pay the price after they ignore the team lead’s contempt for and deliberate violation of management’s directives.
Without broad understanding and buy-in from the organization, technical or managerial controls will be short-lived.

Best Practice #3: Enforce separation of duties and least privilege.
A supervisor accepts $50,000 to grant asylum to immigrants who had been or could have been otherwise denied.
While security awareness training is an excellent start, separation of duties and least privilege must be implemented to limit the damage that malicious insiders can inflict.

Best Practice #4: Implement strict password & account management practices.
A disgruntled contractor snoops to his heart’s content after he uses a password cracker to obtain 40 passwords, including the root password.
If an organization’s computer accounts can be compromised, insiders can circumvent manual and automated control mechanisms.

Best Practice #5: Log, monitor, and audit employee online actions.
A contractor’s sophisticated scheme, which allowed him to steal 5000 employee passwords, is discovered in the nick of time.
Logging, monitoring, and auditing can lead to early discovery and investigation of suspicious insider actions.

Best Practice #6: Use extra caution with privileged users.
An insider’s fiancée finds her promotion is better than he ever imagined when she gives him $615,000 over the next two years.
System administrators and privileged users have the technical ability, access, and oversight responsibility to commit and conceal malicious activity.

Best Practice #7: Actively defend against malicious code.
A software developer realizes that the fox is guarding the henhouse when he is able to modify his own source code to override his own security measures.
While insiders frequently use simple user commands to do their damage, logic bombs and other malicious code are used frequently enough to be of concern.

Best Practice #8: Use layered defense against remote attacks.
A foreign currency trader hides $691 million in losses over a 5-year period, mostly from home in the middle of the night.
Remote access provides a tempting opportunity for insiders to attack with less risk.

Best Practice #9: Monitor and respond to suspicious activity.
A software development manager who verbally attacks management and coworkers on a regular basis is finally fired, but steals critical software and demands $50K for its return.
One method of reducing the threat of malicious insiders is to proactively deal with difficult employees.

Best Practice #10: Deactivate computer access following termination.
A system administrator terminated with no advance notice remotely logs in using an administrator account and shuts down their mission-critical server.
It is important that organizations follow rigorous termination procedures that disable all open access points to the networks, systems, applications, and data.
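As an added illustration of Best Practice #10 (example code written for this page, not from the slides or from CERT), the following Python detector correlates constructed HR termination times with constructed authentication log lines and flags both post-termination use of the terminated account and successful logins to shared privileged accounts from a source address that person used while still employed. The log format, account names and addresses are assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample data for this example (not from the slides or CERT):
# HR termination times and authentication log lines in an assumed
# "timestamp login user=... src=... result=..." format.
TERMINATIONS = {"jsmith": datetime(2007, 6, 1, 17, 0)}  # hypothetical sysadmin
PRIVILEGED_ACCOUNTS = {"admin", "root"}               # shared/privileged accounts

AUTH_LOG = """\
2007-05-30T09:12:00 login user=jsmith src=203.0.113.7 result=success
2007-06-01T16:45:00 login user=jsmith src=10.1.2.3 result=success
2007-06-01T23:10:00 login user=jsmith src=203.0.113.7 result=failure
2007-06-02T01:05:00 login user=admin src=203.0.113.7 result=success
2007-06-02T08:00:00 login user=admin src=10.1.2.50 result=success
2007-06-02T08:30:00 login user=kwong src=10.1.2.8 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def find_post_termination_activity(events, terminations, privileged):
    """Alert on (a) any use of a terminated account after its termination time
    (failed attempts included) and (b) successful privileged logins from a
    source address the terminated person used before termination."""
    # Source addresses each terminated user was seen from while still employed.
    known_src = {u: set() for u in terminations}
    for e in events:
        term = terminations.get(e["user"])
        if term and e["ts"] < term:
            known_src[e["user"]].add(e["src"])
    alerts = []
    for e in events:
        term = terminations.get(e["user"])
        if term and e["ts"] >= term:
            alerts.append(("terminated-account-used", e["user"], e["ts"], e["result"]))
        elif e["user"] in privileged and e["result"] == "success":
            for u, srcs in known_src.items():
                if e["src"] in srcs and e["ts"] >= terminations[u]:
                    alerts.append(("privileged-login-from-ex-employee-src",
                                   e["user"], e["ts"], u))
    return alerts
```

Run against the sample data it raises two alerts: the failed post-termination attempt on jsmith's own account, and the later admin login from the address jsmith had used before termination.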

Best Practice #11: Collect and save data for use in investigations.
Monthly audit log recycling causes a company difficulty in prosecuting a long-term fraud scheme with losses of over $500K.
Collecting and saving usable evidence preserves response options, including legal actions.

Best Practice #12: Implement secure backup and recovery processes.
A disgruntled system administrator amplifies the impact of a logic bomb by centralizing critical programs and intimidating a coworker out of backup tapes.
It is important that organizations prepare for the possibility of insider attacks by implementing secure backup and recovery processes that are tested periodically.

Best Practice #13: Clearly document insider threat controls.
After transferring to a new department, an absence of policy allows an insider to repeatedly gain unauthorized access to his old department’s systems without repercussions.
To ensure consistent handling and to protect against accusations of discrimination, procedures for dealing with malicious insiders must be clearly documented.

Questions
• Earl Crane – Crane at andrew * cmu * edu
• Dawn Cappelli – DMC at cert * org

Summary of Best Practices
• Institute periodic enterprise-wide risk assessments.
• Institute periodic security awareness training for all employees.
• Enforce separation of duties and least privilege.
• Implement strict password and account management policies and practices.
• Log, monitor, and audit employee online actions.
• Use extra caution with system administrators and privileged users.
• Actively defend against malicious code.
• Use layered defense against remote attacks.
• Monitor and respond to suspicious or disruptive behavior.
• Deactivate computer access following termination.
• Collect and save data for use in investigations.
• Implement secure backup and recovery processes.
• Clearly document insider threat controls.