Impact on Confidentiality due to Insider Attacks
Project Part 3
Submitted by the Team: AVATAR (Jonathon Raclaw, Marek Jakubik, Rajesh Augustine, and Rao Pathangi)

Jan 03, 2016


troy-baird

Page 1: Impact on Confidentiality due to  Insider Attacks Project Part 3 Submitted by the Team: AVATAR

Impact on Confidentiality due to Insider Attacks
Project Part 3

Submitted by the Team: AVATAR
(Jonathon Raclaw, Marek Jakubik, Rajesh Augustine, and Rao Pathangi)

Page 2: Introduction and Background

Impact on Confidentiality due to Insider Attacks
• An insider is anyone with access to an organization's protected assets
• An insider attack is someone using that access to violate protocol or cause harm, intentionally or unintentionally
• Protocol violations with good intentions are still considered threats

We have already identified a variety of fields that have vulnerabilities due to Insider Attacks
• A Telecommunications Company and its employees having default access to sensitive test data
• A Credit Card Company and its employees having access to customer credit card numbers
• A Health Care Company and the diverse collection of people/employees that have access to user health data [2]

Page 3

There are four basic sources of insider security problems:
• Maliciousness – that results in compromise or destruction of information, or disruption of services to other insiders
• Disdain of Security Practices – that results in compromise or destruction of information, or disruption of services to other insiders.
• Carelessness – in the use of an information system and/or the protection of company information
• Ignorance – of security policy, security practices and information system use

Current state of work:
• Basic User ID/Password validation – missing role based access, department based access. If you know the User ID/Password then you have pretty much everything
• Policy and procedures – Not strictly enforced [3]

Page 4

• Develop stronger authentication mechanisms – Some apps do have generic User ID/Password
• Implement role based access control – Provide just what they are eligible to see
• Provide access to the information based on their department’s business need – Provide just what they need
• Enforce the security policy – tie the violations to job performance

[5]

Page 5

• Purchase Hitachi ID Identity Manager – To better manage user access identities and privileges on a variety of IT systems
• Hitachi ID Identity Manager – A complete user provisioning solution that also automates and simplifies the routine tasks of managing users across multiple systems

Features provided by Hitachi ID Identity Manager
• Provides the Role Based Access Control (RBAC)
• Enables prompt and complete access deactivation across multiple systems
• Automatically deactivates access for terminated users
• Enforces authorization rules over security change requests

Existing work
• No Role Based Access Control – If you know User ID/Password then you are good to go
• No centralized control of access control
• Each system has its own way of authenticating users, some with no authentication!!!

Page 6

Architectural view of Hitachi ID Integration (diagram) [1]

Page 7

Cost Analysis – The following example shows the cost savings per year for an organization with 10,000 people

Benefits:
• With 10% turnover, 5 days for manual setup, 1 day for automatic setup – $60,000 per year productivity
• With 1 change per user per year – wait time is reduced from 4 hr to 1 hr
• 8 administrative FTEs reduced to 4

Risks
• Additional cost – Cost to acquire, setup cost, maintenance cost
• Inherent risks of a new IT system
• Need of experts of Hitachi ID

Item                                                     Current Cost    Reduced Cost
Productivity lost by new users waiting for access        $1,200,000      $240,000
Productivity lost by current users waiting for changes   $1,200,000      $300,000
Direct cost of security administration                   $480,000        $240,000
Total                                                    $2,880,000      $780,000
Total savings per year                                   $2,100,000

Page 8

• Suited for large companies – Large companies where we have many systems and large number of employees
• Build vs. Buy – Building a custom solution would be more costly and may not produce an effective security solution, so go for a ready-made solution
• Enterprise wide solution – This strategy is to be adopted by the IT and other users of the company’s resources such as contractors, visitors, etc.
• Incremental Deployment – It is incrementally deployable and would not require a complete tear-down.
• Cost – Cost is an obstacle but security needs to be implemented and enforced
• Lack of expertise – Most of the companies lack expertise in building security solutions, so trust the leader in the field

Page 9

Benefits of Hitachi ID versus Sun Identity Server
• More platform-neutral solution for their IDM products as opposed to Sun that is tied to Oracle
• Recognized by industry as more scalable and reliable
• Integrates equally well with all the major databases, operating systems, web servers and ERP applications
• User provisioning is open to allow easy integration
• Lower lifetime support costs for deployed systems since the customer has a stronger bargaining position at maintenance renewal time, since replacing one product is much easier than replacing many. [1]

Page 10

A basic tenet of legal liability should compel a company to address security issues and to eliminate or mitigate hazardous conditions promptly.

Business:
• No lost revenue due to malicious activities
• Reputation is maintained/increased by reducing the information breaches and fraud
• Increased user productivity by automating and centralizing the access control
• Cost savings in a longer run
• Safeguard of the confidential information

Legal:
• Regulatory Compliance such as Sarbanes-Oxley, HIPAA
• Avoid regulatory penalties for non compliance
• Avoid Lawsuits by customers for information leakage

Page 11: Fit of Proposed Solution for Telecom sector

• With the Hitachi ID solution in place, we could more easily limit access to certain tools, such as giving only development and test teams access to test tools, thus reducing the temptation of insider attacks by parties that are outside of the target environment.
• As the Hitachi implementation would work with the existing employee grade and position matrix, the Role Based Access Control (RBAC) could be targeted and changed easily if there is a restructure effort from management.
• Easy monitoring of access to telecom systems, provisioning data, customer data, technical and product development data

Page 12

• Complex nature of business with several applications needs a centralized control
• Cost savings by using the Hitachi ID product do make business sense
• Access for Customer Service Agents
  • Role based, Example: regular agents, supervisors
  • Based on their department, Example: marketing, collections, product sales
• Access to Intranet Applications – Based on roles, Example: employee, manager, director
• Access to specific functionalities within an Application – Based on roles, Example: in the time entry tool managers to see their staff information
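
The role, department and per-function rules on this slide can be expressed as one deny-by-default check. This is an added example, not part of the original presentation and not Hitachi ID's API; the application names, actions, data sets and users are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    user_id: str
    role: str                  # e.g. "agent", "supervisor", "employee", "manager"
    department: str            # e.g. "marketing", "collections", "product_sales"
    manager_id: Optional[str] = None

# Role -> (application, action) pairs the role is eligible for (constructed).
ROLE_PERMISSIONS = {
    "agent":      {("crm", "view_account")},
    "supervisor": {("crm", "view_account"), ("crm", "adjust_balance")},
    "employee":   {("time_entry", "view_own")},
    "manager":    {("time_entry", "view_own"), ("time_entry", "view_staff")},
}

# Department -> data sets it has a business need for (constructed).
DEPARTMENT_DATA = {
    "marketing":     {"contact_preferences"},
    "collections":   {"payment_history", "card_on_file"},
    "product_sales": {"contact_preferences", "order_history"},
}

def is_allowed(user, app, action, dataset=None, subject=None):
    """Deny by default: role, department and ownership checks must all pass."""
    if (app, action) not in ROLE_PERMISSIONS.get(user.role, set()):
        return False                      # role is not eligible for this function
    if dataset is not None and dataset not in DEPARTMENT_DATA.get(user.department, set()):
        return False                      # department has no business need
    if action == "view_staff":
        # A manager sees only direct reports, not every employee.
        return subject is not None and subject.manager_id == user.user_id
    if action == "view_own":
        return subject is not None and subject.user_id == user.user_id
    return True

# Constructed sample users.
AGENT_COLLECTIONS = User("a1", "agent", "collections")
AGENT_MARKETING = User("a2", "agent", "marketing")
MANAGER = User("m1", "manager", "product_sales")
STAFF = User("e1", "employee", "product_sales", manager_id="m1")
OTHER_STAFF = User("e2", "employee", "marketing", manager_id="m2")
```

Knowing a valid user ID and password is not enough here: the same agent role is refused a data set outside its department, and a manager is refused staff records of another manager's team.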

Page 13

• Large number of applications for an educational setup
• Constant need of creating and removing the access for students
• Hitachi ID enables propagating password changes to multiple applications
• Access to Intranet Applications – Based on roles, Example: student, professor
• Access to specific functionalities within an Application – Based on roles
• Example: for teaching aid apps such as black board, professors to have more access than students

Page 14

[Diagram from [4]; labels: Risk Assessment, Outcomes, Threats, Prioritized Risks, Select Countermeasures, System Design, Policies, Requirements, Available Countermeasures, Security Components, Develop Security Architecture, Security Architecture]

Page 15

Source: “A Survey of Insider Attack Detection Research” by Malek Ben Salem, Shlomo Hershkop, and Salvatore J. Stolfo

• Modeling Unix shell commands: identify signature behavior of users based on the sequence of shell commands executed.

• Support Vector Machines – Pattern Recognition: Model “insider” click behavior based on “click” data to monitor “web” traffic.

• Network Observable User Actions (ELICIT): Model data flow patterns relating to searching, browsing, downloading, printing, sensitive search terms, printer choice, anomalous browsing activity, and retrieving documents outside of one’s social network.

• Honeypots: Systems deliberately placed in the infrastructure to weed out malicious insiders.

• Future Research:
  • Develop profile models that reveal “user intent” as opposed to “user activity.”
  • Develop integrated systems that follow the ELICIT model.
  • Develop systems that preserve privacy in the event of a false positive
  • Intelligent challenge/response model based on suspicion of anomalous activity
  • “Trap the traitor” solutions (IT + Psychology)

Page 16

[Diagram from [4]; labels: What, How]

Page 17

1. http://hitachi-id.com/
2. http://www.secretservice.gov/ntac/its_report_040820.pdf
3. http://www.itsecurity.com/
4. “Security Attribute Evaluation Method: A Cost Benefit Analysis”, Shawn A. Butler, Computer Science Department, Carnegie Mellon University
5. ITM Whitepaper, An Introduction to Insider Threat Management, Presented by infoLock Technologies
6. “A Survey of Insider Attack Detection Research” by Malek Ben Salem, Shlomo Hershkop, and Salvatore J. Stolfo