Page 1: Network Security Part II: Attacks The Insider Threat.

Network Security Part II: Attacks

The Insider Threat

SECURITY INNOVATION ©2003

Problem Definition

• Everyone has information and reputation to protect

– "Failing to implement the security essentials exposes an organization to the unnecessary risk of potential loss of income or customer loyalty, costly legal challenges, or, at worst, major business disruption." -- Source: META Group, "Enterprise Security: The Bare Essentials", March 1999

• Everyone is dependent on their infrastructures running 7x24x365!

Problem Definition

• Little attention has been paid to intranet security

– "Today, however, enterprises recognize the value of an overall security plan to their business success and are coming to vendors and service providers for help in the design and implementation of a complete security program." -- Source: Dataquest, "Information Security in the Enterprise Extranet", July 31st, 2000

• Hacking methodologies are only improving

– "The network is no longer about bits, bytes, and email. The network is about establishing, maintaining, and enhancing trust in every relationship the business owns. The network is the business." - Source: IDC

Importance of Enterprise Security

2000 Computer Crime & Security Survey Results

Of Organizations Surveyed:

• 90% detected computer security breaches within the last 12 months

• 70% reported serious computer security breaches, e.g. theft of proprietary information, financial fraud, system penetration from the outside, denial of service attacks

Importance of Enterprise Security

• 74% acknowledged financial losses due to computer breaches

• 32% didn't know if there had been unauthorized access or misuse

Source: The Computer Security Institute, March 22, 2000

Information Security Magazine Survey 2000

• Nearly twice as many companies experienced insider attacks, such as theft, sabotage or intentional destruction of computer property, as compared to 1999.

• Meanwhile, 41% more companies had to deal with employees who intentionally disclosed or destroyed proprietary corporate information.

• Companies spending more than $1 million on security doubled in 1999

Information Security Magazine Survey 2000

• Companies engaging in business-to-business or business-to-consumer electronic commerce were easier targets

• "Information Security's study also indicated that the best defense against security attacks is a layered defense, which uses overlapping computer technologies to detect and react to security breaches."

• The consulting industry spent the most on security, topping the chart with $2 million in the average budget, followed by banking and finance firms, which averaged $950,000. Post-secondary education institutions spent the least for security, with an average security budget of $100,000.

Elements of Security Risk

• Unpredictable access for new 'mobile' workforce

– Connection paradigm has changed

• Attacks may go unnoticed in today's information-overloaded company

– Attacked resources do not flag assault

• Once attacked it is difficult to predict or assess total damage

– Scale of damage is hard to estimate due to 'invisibility' of assailant

Insider Threat

• It is estimated that only about 3% of internal attacks are detected and 1% of those are reported

• Many organizations consider toleration of internal threats a "Cost of doing Business", and also don't want to offend employees or harm their reputation; consequently both punishment for, and disclosure of, attacks is spotty

Year           2000       2001       2002
Intrusions      72%        85%        90%
Avg $ Loss     $1.06 M    $2.03 M    $2.04 M
Total Losses   $265 M     $377 M     $455 M

CSI / FBI Survey (source: Adriaan Valk, Special Agent, FBI, Nashville, TN)

CSI / FBI Survey (Costs) (source: Adriaan Valk, Special Agent, FBI, Nashville, TN)

Year               2000    2001    2002
Intrusions          72%     85%     90%
Avg Loss ($M)      1.06    2.03    2.04
Total Loss ($M)     265     377     455

Elements of Security Risk

• Attackers are difficult to track

– Point-products tend to block access or content – too broad for today's e-business environments. Monitoring of access and traffic becomes critical

• Attacks come in varying degrees of size and methodology, making them difficult to profile and protect against

– Transient attacks are difficult to log and profile

Who is the Insider?

• the Insider is the Employee Threat to Enterprise

• the Insider represents 70% of all attacks on the corporate Enterprise

• the Insider is the largest threat to enterprise security that exists today

– the Insider is connected to your intranet

– the Insider is attached to your company’s entire IT structure every day of the working week

– the Insider is abusing or attacking resources through a high-speed 10 or 100Mbps connection

Who is the Insider?

– the Insider has access to your IT investment from home, hotel room or supplier’s facilities

– the Insider is unchallenged from 99% of security systems today

– the Insider does not have to pass through your Internet firewall technology

– the Insider may not be intentionally damaging IT resources

– the Insider may just be misusing the intranet, or causing damage through virus reception

What is an Insider?

• Insiders are those with legitimate access to or association with some aspect of the environment or the system which is being considered.

• Insiders therefore have increased opportunity and/or knowledge in comparison with outside intruders

• Insiders usually have a clearly defined motive (revenge, financial gain, information, etc)

• "There is no longer a clear distinction between insiders and outsiders, between a corporate ally and a corporate enemy. And preventing access is the exact opposite of what companies are trying to do." [Dickey, S. Beyond Computing. pp34--38]

What is an Insider?

• People with legitimate access to or association with some aspect of the environment or the system.

• Insiders have increased opportunity and knowledge in comparison with outside intruders.

• Insiders usually have a clearly defined motive (revenge, financial gain, information, etc).

Insiders are Everywhere!

• Developers

• Testers

• Everyone who works in the development lab

• Staff working in the company

• … but also ...

Profile of an Insider

• Some general observations - not meant to besmirch an entire category of what are very valuable professionals

• Addresses those Insiders whose intent is personal gain or harm to the organization - not those who are careless, ill-trained, or just "goofing around"

• Valuable in order to better understand which safeguards can effectively be employed

Profile (continued)

• Physical and Logical Access

• Special Knowledge

• Introversion - not a Team Player

• Social and Personal Problems

• Lack of Empathy for Others

• Reduced Loyalty

• Sense of Entitlement

• Computer Expertise and Dependency

• Ethical "Flexibility"

User Profiling

• Important technique for detecting insider misuse.

• Contains information that characterizes a user's behavior, e.g., commands, files accessed.

• Anomaly detection to identify deviations from normal patterns.

Anomaly Detection

• Anomalous behaviors might imply that the system security is being compromised.

• Tends to generate many false alarms

• Might be the only way to detect insider misuses.

User Profiling

• Distinguish one user from another

• Adapt to user behavior changes, "concept drift"

Win NT user profiling data

• UNIX shell commands have been used to characterize a user's behavior with modest success (Lane et al.)

• Relatively little attention has been paid to Windows.

• NT profiling has been researched by Dr. Tom Goldring of NSA.

NT Profiling Data

• A tool queries the Windows process table periodically, then collects all the process information.

• Processes are mapped to various user modes representing different applications the user runs.

• Short sequences of user modes were used. High error rate, ~20%.

User Modes

acrobat activesync calculator cdwriter chat ControlPanel database dos emacs explorer frontpage ganttchart graphics help id install logon mail mouse msie multimedia netscape network office perl perlbuilder pgp powerpoint printing programming registry rundll32 screensaver screensvr spreadsheet sql sysadmin system tablet taskmgr telnet time w3_1FileMgr web welcome winzip wordprocessing
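An added example (not code from the slides or from the NT profiling research they cite) of the short-sequence profiling the preceding slides describe: it learns which consecutive user-mode pairs a user normally produces, scores a new session by the share of pairs never seen for that user, ages old counts so the profile follows concept drift, and attributes a session to whichever user's profile fits it best. The mode names are from the list above; the users, sessions, decay and alarm threshold are constructed assumptions.

```python
"""Short-sequence profiling of NT user modes (added example, not from the slides).

Each session is the ordered list of user modes a process-table poller would
report for one login. Mode names come from the slide's list; the users,
sessions, decay factor and alarm threshold are constructed for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

Window = Tuple[str, ...]


def windows(session: List[str], n: int) -> List[Window]:
    """All length-n runs of consecutive modes in a session."""
    return [tuple(session[i:i + n]) for i in range(len(session) - n + 1)]


class ModeProfile:
    """Per-user profile: how often each short mode sequence has been seen."""

    def __init__(self, n: int = 2, decay: float = 0.9, floor: float = 0.5):
        self.n = n            # length of the "short sequences" the slide mentions
        self.decay = decay    # ageing factor applied on every update (concept drift)
        self.floor = floor    # aged windows whose count drops below this are forgotten
        self.counts: Counter = Counter()

    def train(self, session: List[str]) -> None:
        self.counts.update(windows(session, self.n))

    def score(self, session: List[str]) -> float:
        """Anomaly score in [0, 1]: share of windows this user has never produced."""
        ws = windows(session, self.n)
        if not ws:
            return 0.0
        return sum(1 for w in ws if w not in self.counts) / len(ws)

    def update(self, session: List[str]) -> None:
        """Adapt to changing habits: age all counts, drop stale ones, learn the session."""
        aged: Counter = Counter()
        for w, c in self.counts.items():
            if c * self.decay >= self.floor:
                aged[w] = c * self.decay
        self.counts = aged
        self.train(session)


def is_anomalous(profile: ModeProfile, session: List[str], threshold: float = 0.4) -> bool:
    """Raise an alarm when too much of the session is unfamiliar for this user."""
    return profile.score(session) > threshold


def identify(profiles: Dict[str, ModeProfile], session: List[str]) -> str:
    """Distinguish users: attribute a session to the profile that fits it best."""
    return min(profiles, key=lambda user: profiles[user].score(session))


# Constructed training data: an office user (alice) and a sysadmin-style user (bob).
ALICE = [
    ["logon", "welcome", "mail", "msie", "web", "wordprocessing", "printing", "mail"],
    ["logon", "mail", "spreadsheet", "wordprocessing", "mail", "msie", "web", "screensaver"],
    ["logon", "mail", "wordprocessing", "printing", "mail", "msie", "web", "mail", "screensaver"],
]
BOB = [
    ["logon", "taskmgr", "sysadmin", "telnet", "network", "sysadmin", "mail", "screensaver"],
    ["logon", "sysadmin", "registry", "rundll32", "taskmgr", "telnet", "network", "mail"],
]
# Constructed sessions to score against the profiles.
ALICE_NORMAL = ["logon", "mail", "msie", "web", "wordprocessing", "printing", "mail", "screensaver"]
ADMIN_STYLE = ["logon", "sysadmin", "registry", "rundll32", "taskmgr", "telnet", "network", "mail", "screensaver"]
ALICE_DRIFT = ["logon", "mail", "perl", "programming", "perl", "mail", "msie", "web"]
ALICE_DRIFT_2 = ALICE_DRIFT + ["screensaver"]


def build_profiles() -> Dict[str, ModeProfile]:
    profiles = {"alice": ModeProfile(), "bob": ModeProfile()}
    for session in ALICE:
        profiles["alice"].train(session)
    for session in BOB:
        profiles["bob"].train(session)
    return profiles


def main() -> None:
    profiles = build_profiles()
    alice = profiles["alice"]
    print("alice's usual session  :", alice.score(ALICE_NORMAL), is_anomalous(alice, ALICE_NORMAL))
    print("admin-style under alice:", alice.score(ADMIN_STYLE), is_anomalous(alice, ADMIN_STYLE))
    print("best-matching user     :", identify(profiles, ADMIN_STYLE))
    # A genuine change of habit looks like misuse at first: that is the
    # false-alarm cost of anomaly detection the slides warn about.
    print("alice starts using perl:", alice.score(ALICE_DRIFT), is_anomalous(alice, ALICE_DRIFT))
    alice.update(ALICE_DRIFT)  # analyst confirms it was legitimate; the profile adapts
    print("after adapting         :", alice.score(ALICE_DRIFT_2), is_anomalous(alice, ALICE_DRIFT_2))


if __name__ == "__main__":
    main()
```

With the defaults, a pair seen only once is forgotten after seven updates in which it does not recur, so the profile follows the user's current habits rather than their history.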

Sources of Profile Data

• Search queries

• Frequently visited web pages

• Bookmarks

• Time spent on web pages, amount of scrolling

Profile Results in a Database of Interests

• Search queries

• Keywords extracted from frequently visited web pages, using word weighting techniques

• Timestamps

Analyze the Database

• Simple queries may answer

– Was he interested in a particular item?

– What was he interested in during a particular time interval?

• Build knowledge tree for a user

• Infer user intentions?

Insider Detection – Research issues

• Develop profiling as a technique

• Detect misuse of applications

• Provide traceability for system-object usage

• Identify critical information automatically

• Design systems that allow detection

• Determine unauthorized changes due to physical access

Develop Profiling as a Technique

• Research objectives:

– To discriminate between normal and anomalous behavior for a given user

– To be able to discriminate among users

– To create technology that can identify new insider-initiated misuse

• Unique insider characteristic:

– Ability to collect user profile data is unique to the insider problem

Develop Profiling as a Technique

• Research horizons:

– What are the best (sensor) sources of data?

– Feature extraction problems

– Best algorithms for detection

– Fusion/correlation of diverse information collected

– Scientific evaluation and comparison of techniques

– Design of experiments to contrast results

Detection of Application Misuse

• Research objectives:

– Detect insider misuse of given resources and privileges

– Develop application-level sensors and detectors of misuse

– Go beyond access controls in user monitoring

– Generalize profiles to applications

• Unique insider characteristic:

– This is a higher layer of detection that is specifically applicable to insiders, since system apps and processes are available to them

Detection of Application Misuse

• Research horizons:

– Develop techniques for program profiling

– Apply this detection technique within commercial OSs

– Develop application-specific misuse detection

– Examine cases of insider misuse; develop a weighted threat model or matrix

– Develop a method to audit object accesses

Methodology for System-Object Usage Traceability

• Research objectives:

– Be able to determine who uses what, when, and how

– Detect suspicious reads/writes of data, programs, and intellectual property

– Provide object-centric traceability

• Unique insider characteristic:

– This is quite specific to the insider problem, since the vast majority of uses of inside system resources is by insiders

Methodology for System-Object Usage Traceability

• Research horizons:

– Mandatory watermarking of objects

– Embedding audit trails in objects

– Apply techniques to text, graphics, source and binary code

– Retrofit COTS software enabling watermarking of intellectual property

– Developing appropriate algorithms and infrastructure

Automatic Identification of Critical Information

• Research objectives:

– Machine recognition of critical, possibly classified, information by its content

– Development of classification guides (to be used by automated recognition procedures)

• Unique insider characteristic:

– The description and protection of critical information is done "inside" an enterprise, and tailored to unique needs of insiders

Automatic Identification of Critical Information

• Research horizons:

– Develop expert systems and/or rule-based approaches for recognizing critical content

– Investigate statistical modeling approaches

– Develop means for reliable detection of critical content

– Identify ground truth in recognizing critical content

The Threat from the Insider

Risk Assessment (cont)

• Most likely security threat (70%)

– Disgruntled employee

– Insider abuse

– Unauthorized access

• Most dangerous security threat

– Disgruntled unit computing specialist (With the current rounds of budget cutting and dot com deaths we don't have to worry about this.)

Physical and Infrastructure

• 8% of losses are due to infrastructure failures.

• Power failures, loss of communications, water outages, sewer backup, lack of transport, fire, flood, civil unrest, strikes, terrorist attack.

Malicious Hackers

• "Current losses due to hacker attacks are significantly smaller than losses due to insiders."

• However, the hacker problem is widespread and growing.

The Inside Threat

• When considering your defense in depth configuration, you must give great consideration to the insider threat.

• The insider can be a threat against all three computer security bedrock principles:

– Confidentiality

– Integrity

– Availability

• The most serious security breaches resulting in financial losses occurred through unauthorized access by insiders.

The Inside Threat

• Insider

– "Anyone possessing legitimate access to an organization's resources"

– Includes members of your organization (full or part time, on-site or home-worker, and contractors) with legitimate logical access, and support staff (security guards, cleaners, maintenance staff, etc.) with legitimate physical access

– The Insider possesses unique access, knowledge, privileges, and motivation

– Firewall is of little value as protection against Insiders

• Threat

– "The Menace of Harm"

– Consists of a Threat Agent and motivation

– Characterized by a combination of likelihood and impact

The Inside Threat

• Threats can be classified as:

– Unauthorized Disclosure - compromise of Confidentiality

– Interruption - Availability

– Unauthorized Modification - Integrity

– Destruction - Availability

– Removal - Availability

– Deception - Authentication and Accountability

• Examples of Threat Agents acting on their motivation

– Theft of company information for personal gain

– Misuse of resources (curiosity, personal use)

– Acts of revenge against the company or fellow employees

– Incompetence/carelessness

Impacts of Insider Threats

• Insider threats …

– Represent the greatest threat to computer security because they understand their organization's business and how the computer systems work.

– Would be more successful at attacking the systems and extracting critical information.

– Represent the greatest challenge in securing your network because they are authorized a level of access to your network and are granted a degree of trust.

Page 46: Network Security Part II: Attacks The Insider Threat.

SECURITY INNOVATION ©200346

IT Expands Insider Threat IT Expands Insider Threat ExponentiallyExponentially

•It is no longer “Who are you allowing in It is no longer “Who are you allowing in your building?”your building?”

•It is “Who are you allowing in your It is “Who are you allowing in your network?”network?”

– And you would be surprised to learn who And you would be surprised to learn who you are allowing on your networkyou are allowing on your network

Page 47: Network Security Part II: Attacks The Insider Threat.

SECURITY INNOVATION ©200347

The Insiders The Insiders IdentifiedIdentified

• Insiders are those individuals who work Insiders are those individuals who work for the target organization or have a for the target organization or have a relationship with the organization that relationship with the organization that grants the individual some level of access. grants the individual some level of access.

• Some of the insiders include:Some of the insiders include:– EmployeesEmployees– ContractorsContractors– Business partnersBusiness partners– CustomersCustomers– Subcontractors Subcontractors

Page 48

“The greatest threat you face is not the viruses or the hackers or the whatever, but rather complacency”

Michael Tucker, Editor, SC Magazine, Sep 99

Page 49

Errors and Omissions

• 65% of computer-related economic losses are the result of errors and omissions.

• Most, if not all, computer installations have maintenance errors that introduce significant security vulnerabilities.

Page 50

Unwitting IT Insiders

• Your employees can allow great risk unwittingly.

• Existing malicious code can perform most of these functions.
– Chernobyl (flashes BIOS)
– Sircam (e-mails random documents)
– Badtrans (records keystrokes)

• DoD even defined malicious code as a type of insider.

Page 51

Lack of Knowledge

• Many network security intrusions are the result of employees' lack of knowledge.

• Educated users are essential to computer security:
– Ensure that users are educated about the dangers of allowing other users access to their accounts.
– Educate users against opening insecure access on their personal computers.
• For example, setting up an FTP server on their own computer with full anonymous access, or running a small Web server

Page 52

Lack of Knowledge

• Education should emphasize the dangers of sharing information with unauthorized personnel, such as …
– Giving their password to others.
– Mentioning the products and versions of products used on the network.

• Users should be educated against …
– Writing their passwords on post-its and putting them around their computer.
– Selecting easily guessed passwords.
– Opening email attachments from unknown people.

Page 53

Social Engineering

• Social engineering is a low-tech method of cracking network security by manipulating people inside the network into providing the necessary information to gain access.
– It is also defined as the ability to achieve a goal through the use of effective persuasion.

• Social engineering can be a very effective means of intrusion.
– It plays on the human desire to be helpful and do the "right thing", relying on the helpfulness and politeness of the user.

Page 54

Social Engineering

• Some of the methods used in social engineering include:
– Cunningly soliciting the help of an unsuspecting and sympathetic user.
– The intruder admiring the way a user performs a certain function and getting the user to instruct them on how to perform the function.
– Convincing the user that there would be repercussions if the user did not assist him.
– Another tactic is requesting information from a user just before quitting time.
• The user will more than likely fulfill the request to expedite his departure.

Page 55

Threats Posed by IT Insiders

• Attack the network
• Attack the information
• Export the information
• Allow others to have access

Page 56

Disgruntled Employees

• Destroying facilities, planting logic bombs, incorrect data entry, crashing systems, changing or deleting data, holding data hostage.

• “As long as people feel cheated, bored, harassed, endangered, or betrayed at work, sabotage will be used as a direct method of achieving job satisfaction.”

Page 57

Case Study #1: Encrypting the Information

• A System Administrator learns that she is to be downsized
• She decides to encrypt important parts of the database and hold it hostage
• She will decrypt it in return for substantial “Severance Pay” and promise of no prosecution
• The organization decides to pay without consulting with proper authorities and they are precluded from pursuing charges

Page 58

Case Study #2: Changing the Configuration

• An engineer is on probation after a series of confrontations with co-workers
• After he has been sent home without pay pending resolution of the situation, it is discovered that the network configuration has been changed, denying the organization’s clients the services they have been promised
• Only the engineer holds the privileges to change them. Unfortunately he is not interested in helping out

Page 59

Case Study #3: Day Trading and Porn Surfing

• An organization wishes to find justification to release a “problem” employee
• A first-time search of network audit logs indicates that he has been spending much of his day trading stocks, surfing to unsavory Web sites and sending jokes to his co-workers
• They find out that he is not alone in this abuse

Page 60

Case Study #4: Mail Flood

• A major Aerospace company recently fired an employee who caused its e-mail system to crash for six hours after sending thousands of other employees a personal e-mail that requested an electronic receipt
• They lost hundreds of hours of productivity

Page 61

Case #5: Deleting Company Files

• July 1996, Omega
• A recently demoted employee created a software “time bomb” that affected the network files
– Deleted the company’s “most critical software programs”

• Result:
– Caused a loss of over $10 million
– 80 people lost jobs

Page 62

Case Study #6: Exporting Information

• May 2001, Lucent Technologies
• Two arrested for transferring information from Lucent servers to Datang Telecom Technology Co in Beijing, PRC
– Physical design of the PathStar Project
– Computer code for routing telephone calls

Page 63

Harm Caused

• Lost productivity ($)
• Downtime ($)
• Embarrassment
• Legal liability ($)

Page 64

How can we Neutralize the Insider?

• Prevent
• Deter
• Detect
• Respond

Page 65

Prevention

• Make it difficult for the Insider to launch an attack through the use of:
– Authentication (accountability)
– Access Control (containment)
– Development of Trusted Paths

Page 66

Deterrence

• Dissuade the Insider from trying to circumvent your safeguards through use of:
– Policy
– Awareness
– Consequences

Page 67

Detection

• Make yourself aware of violations by:
– Identifying Critical Data
– Profiling Your Users
– Monitoring Your Users (IDS)
– Developing Audit Trails

Page 68

Response

• Should an attack occur:
– Assess the damage
– Contain the damage
– Repair the damage
– Restore service
– Institute Remedial Prevention

Page 69

An Effective Response

Page 70

A Framework for Success

• Policy
• Continuous Risk Assessment
• Strong Authentication and Access Control
• Monitoring and Audit

Page 71

Policies & Procedures

• Must be written
• Must exist within a Security Organization
• Should include:
– Acceptable use policy for Internet and e-mail
– Information protection policies and procedures
– Response procedures

Page 72

Threat and Risk Assessment (TRA)

• Methodology to Determine System Risk
– System Description - define system
– Statement of Sensitivity - valuate assets
– Statement of Threat - define threats
– Statement of Vulnerability - resultant vuln.
– Statement of Risk - Residual Risk (RR)
– Recommendations - to reduce RR

• TRA must be kept current

Page 73

Authentication and Access Control

• Authenticate - uniquely identify the user to a level of certainty appropriate to the situation

• Access Control - keep the unauthorized out
– Clearance
– Need-to-know
– Control access to an appropriate level
• System?
• Folder?
• File?
• Transaction?
• Packet?
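The three ideas on this slide and on the Prevention slide (authenticate the user, then gate access on clearance, need-to-know and a file-level control) carried through as one access decision. This is an added example written for this page, not code from the deck or from Security Innovation; the clearance levels, compartments, users, roles and file paths are all constructed for illustration.

```python
"""Clearance, need-to-know and file-level access control in one decision.

Added example for this page; the levels, compartments, users and paths are
constructed and not taken from the slides."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Hierarchical clearance levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Subject:
    user: str
    clearance: str
    compartments: FrozenSet[str]   # need-to-know categories the user is read into
    roles: FrozenSet[str]          # roles used by the file-level ACL


@dataclass(frozen=True)
class Resource:
    path: str
    classification: str
    compartments: FrozenSet[str]   # categories the data belongs to
    acl: Dict[str, Set[str]]       # role -> actions permitted on this file


def authorize(subject: Subject, resource: Resource, action: str) -> Tuple[bool, str]:
    """Grant only if all three checks pass. The reason string is what the audit
    trail should record on a denial, so that decisions stay attributable."""
    # 1. Clearance: the subject's level must dominate the object's classification.
    if LEVELS[subject.clearance] < LEVELS[resource.classification]:
        return False, "clearance below classification"
    # 2. Need-to-know: a high clearance alone is not enough; every compartment
    #    marked on the object must also be held by the subject.
    missing = resource.compartments - subject.compartments
    if missing:
        return False, "no need-to-know for " + ",".join(sorted(missing))
    # 3. File-level ACL: the action must be granted to one of the subject's roles.
    allowed: Set[str] = set()
    for role in subject.roles:
        allowed |= resource.acl.get(role, set())
    if action not in allowed:
        return False, f"role lacks '{action}' on {resource.path}"
    return True, "granted"


# Constructed objects and users for the demonstration.
DESIGN = Resource("/projects/routing/design.doc", "SECRET", frozenset({"ROUTING"}),
                  {"engineer": {"read"}, "lead": {"read", "write"}})
PAYROLL = Resource("/hr/payroll.csv", "CONFIDENTIAL", frozenset({"HR"}),
                   {"hr": {"read", "write"}})

ALICE = Subject("alice", "SECRET", frozenset({"ROUTING"}), frozenset({"engineer"}))
# Cleared higher than the design document, but never read into ROUTING.
BOB = Subject("bob", "TOP SECRET", frozenset({"HR"}), frozenset({"hr"}))
CAROL = Subject("carol", "CONFIDENTIAL", frozenset({"ROUTING"}), frozenset({"engineer"}))


if __name__ == "__main__":
    for subj, res, act in [(ALICE, DESIGN, "read"), (ALICE, DESIGN, "write"),
                           (BOB, DESIGN, "read"), (CAROL, DESIGN, "read"),
                           (BOB, PAYROLL, "write")]:
        ok, why = authorize(subj, res, act)
        print(f"{subj.user:6} {act:5} {res.path:30} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

The ordering matters for the Case Study #1 and #2 lesson: a single role holding "write" on everything is what lets one administrator hold data hostage, so the ACL step is where the "appropriate level" question (system, folder, file, transaction) gets answered.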

Page 74

Monitoring and Audit

• Consists of:
– Attribution
– Collection
– Maintenance
– Processing
– Storage

There are legal and privacy issues
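The Detection slide (audit trails, monitoring users) and this one describe what to collect; the added example below shows what processing the collected records can look like, replaying audit events in time order and raising alerts for the patterns of Case Study #2 (a privileged change by someone whose access should already have been withdrawn) and Case Study #4 (one message to thousands of recipients with a receipt requested). This is illustrative code written for this page, not the deck's own material or any product's log format; the log lines, field names, thresholds and change window are constructed.

```python
"""Audit-trail review for insider activity (added example for this page).

The log lines, field names and rules are constructed for illustration; they
are not a product's format or the deck's own material."""
from typing import Dict, List

# Constructed audit records: ISO timestamp, event type, then key=value fields.
SAMPLE_LOG = """\
2003-06-12T09:15:00 auth user=rsmith result=success src=10.1.2.3
2003-06-12T10:02:11 mail sender=mchen recipients=3 receipt=no
2003-06-12T11:30:05 config user=rsmith action=route_change target=core-rtr-1
2003-06-12T13:20:00 hr user=rsmith status=suspended
2003-06-12T16:41:09 mail sender=jdoe recipients=4200 receipt=yes
2003-06-12T22:03:44 config user=rsmith action=route_change target=core-rtr-1
2003-06-12T22:05:10 config user=tlee action=acl_change target=fw-edge
"""

BUSINESS_HOURS = range(8, 18)   # agreed change window (constructed)
MASS_MAIL_THRESHOLD = 500       # recipients per single message (constructed)


def parse(line: str) -> Dict[str, str]:
    """Split one record into a dict; timestamp and event type become fields too."""
    ts, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    fields.update(ts=ts, event=event)
    return fields


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Replay records in time order and emit alerts. State (who is suspended)
    is carried forward so that a later privileged action can be attributed."""
    events = sorted((parse(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    suspended = set()
    alerts: List[Dict[str, str]] = []

    def alert(rule: str, user: str, e: Dict[str, str]) -> None:
        alerts.append({"rule": rule, "user": user, "ts": e["ts"]})

    for e in events:
        if e["event"] == "hr" and e.get("status") == "suspended":
            suspended.add(e["user"])
        elif e["event"] == "mail":
            # Case Study #4 pattern: one message to thousands, receipt requested,
            # which multiplies the traffic when every recipient answers.
            if int(e["recipients"]) >= MASS_MAIL_THRESHOLD and e.get("receipt") == "yes":
                alert("mass_mail_with_receipt", e["sender"], e)
        elif e["event"] == "config":
            # Case Study #2 pattern: a privileged change by a suspended account.
            if e["user"] in suspended:
                alert("suspended_user_privileged_action", e["user"], e)
            # A change outside the agreed window deserves review whoever made it.
            if int(e["ts"][11:13]) not in BUSINESS_HOURS:
                alert("after_hours_config_change", e["user"], e)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts']}  {a['rule']:34} {a['user']}")
```

The first config change by the same user at 11:30 raises nothing, which is the point of carrying state: the same action is benign or alarming depending on what HR recorded in between, so attribution needs the HR feed correlated with the technical logs, and the legal and privacy issues the slide mentions apply to that correlation.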

Page 75

PKI

• Encryption - Access Control
• Digital Signatures - Authentication
– Timestamping
– Non-repudiation

• An e-Government enabler

Page 76

Technology Helps Insiders!

• Over 80% of the attacks are [from insiders (internal)]

• As employees become more savvy they can go out on the Internet and find out how to break into sites pretty easily … organizations need to protect against that.

• Many of these back doors are taking on espionage qualities.

• Many laptops now have a video camera for video conferencing built into the laptop or desktop. Back doors allow them to watch, listen -- and pump that information remotely over the network to a remote site.

Page 77

New Tools for IT Insiders

• Key-chain size hard drives
• Powerful encryption
• Anonymous remailers
• Steganography
• Peer to peer technology
• Wireless
– IR
– RF

Page 78

Considering Insiders

• Expanded view of insiders
• Increasingly distributed nature of corporate resources
• Common weaknesses in access control

Page 79

Industrial Espionage

• Increased 260% in the US from 1985 to 1992.

• 30% of the losses in 1991 and 1992 had foreign involvement.

Page 80

Industrial Espionage (cont)

• 58% perpetrated by current or former employees.

• Most damaging stolen information: pricing data, manufacturing processes, product development specifications.

• Other stolen information: customer lists, basic research, sales data, personnel data, compensation data, cost data, proposals, strategic plans, negotiating positions, contract data.

Page 81

Foreign Government Espionage

• There are at least 13 countries with nationally sponsored information warfare capabilities.

Page 82: Network Security Part II: Attacks The Insider Threat.

SECURITY INNOVATION ©200382

AIS Security, Computer Forensics and the Insider Threat

Are You Really Safeguarding Classified Information?A Frightening Look at the Insider Threat

It’s 3am. The computer at work has been in as secure state for hours. The national security information processed by it safely protected -- or is it?

The other side of the world is waking to a new day. It’s an atypically happy day for one foreign intelligence service (FIS) in particular. One of their agents has just handed over a disk containing U.S. national security information. How could this have happened? Did the FIS agent surreptitiously gain access to the classified AIS during the wee hours in the U.S. and download classified? No, nothing that elaborate. The FIS agent simply waited for the trusted employee to circumvent security.

Computer Crime, Computer Ethics and the Trusted Employee

Several weeks earlier, a “trusted” employee used a classified computer to do some personal business. Baseball games, kids activities, etc. prevented the trusted employee from writing a letter to his mortgage company at home. He decided to write the letter at work.

The employee felt he was “honest.” He brought the disk in from home, used his lunch hour to write the letter (on a classified system) and didn’t even print it (how conscientious). He finished the letter, removed the disk from the area and took it home to print the document on his home printer. All went well. Or so it would seem.

Several days later, the employee’s son took the disk to school - he had used it to process his homework. The son then loaned the disk to a foreign student who was in need of a disk. Now a foreigner had access to our national security information and to some adverse personal financial information about the trusted employee. It was just that easy! How did it happen? Classified was never written to the disk -- or was it?

Page 83

[Figure: one 512-byte disk block. The first 300 bytes hold the Mortgage Document, followed by the E O F marker; the remaining 212 bytes are labelled "??Classified Info??".]

Computer Forensics Steps In

The mortgage document was written using a typical word processing program. When the computer creates a document, it does so in clumps that must be 512 bytes long. This particular mortgage document was only 300 bytes long. After writing the End-of-File, the system needed an additional 212 bytes of information to fill the remaining space. Users do not have the opportunity to find information to fill this space -- the computer does it. The additional information needed can be drawn from the unclassified information previously stored on the disk or downloaded from the memory of the classified system that was used to process the document. If the second scenario is used, there is a good chance that classified information will be written to the disk - without your knowledge and without you being able to check it or remove it. A computer forensics tool would have to be used to find the classified information. Unfortunately, forensics tools are only effective if they are used. This disk was never taken to anyone who could check it using forensics software.
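The 300-bytes-in-a-512-byte-block mechanism described above, modelled as an added example for this page (not the article's or the deck's own material). The disk is a bytearray of 512-byte blocks, the "classified" marker text and the letter are constructed, and the residue shown comes from data previously on the disk, which is one of the two sources the paragraph names (the other, residue pulled from the processing system's memory, would land in the same 212 bytes). The block also shows the forensic check and the hardened write that zero-fills the slack.

```python
"""File slack on a 512-byte block, as in the mortgage-letter story (added example).

Models a disk as a bytearray of 512-byte blocks. The "classified" marker text and
the letter are constructed; the residue shown comes from data previously on the
disk, one of the two sources the page names."""

BLOCK = 512

# Constructed contents: what the block held before, and the 300-byte letter.
MARKER = b"[CONSTRUCTED CLASSIFIED TEXT]"
PRIOR_CONTENT = ((MARKER + b" ") * (BLOCK // (len(MARKER) + 1) + 1))[:BLOCK]
LETTER = (b"Dear Mortgage Company, please apply the enclosed payment "
          b"to my escrow account.").ljust(300, b" ")


def write_file(disk: bytearray, block: int, data: bytes, clear_slack: bool) -> None:
    """Store `data` in one block. A naive writer copies only the bytes it has
    and leaves the rest of the block untouched: that remainder is file slack."""
    assert len(data) <= BLOCK
    start = block * BLOCK
    disk[start:start + len(data)] = data
    if clear_slack:
        # Hardened behaviour: pad the block to its boundary with zeros.
        disk[start + len(data):start + BLOCK] = bytes(BLOCK - len(data))


def file_slack(disk: bytearray, block: int, file_len: int) -> bytes:
    """What a forensics tool reads: the bytes between End-of-File and the block end."""
    start = block * BLOCK
    return bytes(disk[start + file_len:start + BLOCK])


def slack_residue_bytes(slack: bytes) -> int:
    """Audit check for media leaving a program area: count non-zero slack bytes."""
    return sum(1 for b in slack if b)


def demo() -> dict:
    naive = bytearray(BLOCK)
    write_file(naive, 0, PRIOR_CONTENT, clear_slack=False)  # earlier data fills the block
    write_file(naive, 0, LETTER, clear_slack=False)         # 300-byte letter written naively
    leaked = file_slack(naive, 0, len(LETTER))

    hardened = bytearray(BLOCK)
    write_file(hardened, 0, PRIOR_CONTENT, clear_slack=False)
    write_file(hardened, 0, LETTER, clear_slack=True)       # same letter, slack zero-filled
    clean = file_slack(hardened, 0, len(LETTER))

    return {
        "slack_len": len(leaked),                        # the 212 bytes from the slide
        "naive_residue": slack_residue_bytes(leaked),    # prior data survives the write
        "naive_has_marker": MARKER in leaked,
        "hardened_residue": slack_residue_bytes(clean),  # nothing left to recover
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The check in `slack_residue_bytes` is the step the story says never happened: had the disk been handed to the ISSO and read below End-of-File, the residue would have been found before the disk left the area.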

What Went Wrong

The employee:
• brought a disk in from home for use in the program area,
• did not check the disk with the ISSO,
• used the disk to process non work related materials on a classified system, and
• removed the disk from a program area without authorization (or checking for contamination).

An “honest” employee made a very costly mistake. One in which the security of the national defense did not stand a chance. Is this a proven case of espionage? No. Was information compromised to a foreign entity? Definitely.

Adhering to AIS security procedures governing the use of magnetic media and AISs inside program areas will prevent these costly mistakes.

Page 84

Malicious Code

• Viruses, worms, Trojan horses, logic bombs

• The number of known viruses is increasing exponentially.

Page 85

Threats to Personal Privacy

• Buying and selling confidential information from Social Security files.
• Browsing IRS files.
• Buying and selling bank account name lists.
• Medical Information

Page 86

Top Ten Common Security Myths

• If I have a firewall, my network can’t be hacked
• Passwords are a good way of protecting systems from misuse or attack
• Single sign-on is adequate security on my private network

Page 87

Top Ten Common Security Myths (cont)

• Most security breaches are from outside the company
• Hackers are just geeks who are out to show that they can break into networks
• My home PC is safe from attack by hackers
• Servers on internal networks are safe from attack

Page 88

Top Ten Common Security Myths (cont)

• People on my private network can be trusted
• Intrusion Detection Systems are another layer of security
• Our company won’t get hacked - hackers don’t attack companies like ours

Page 89

Conclusions

• Insiders are not just employees any more
• New technology makes insiders more dangerous than ever
• The threat is real - identify your insiders!

Page 90

Summary of Needs to Mitigate the Insider Threat

• Awareness
• Training
• Procedures
• Policy

Page 91

Conclusions

• Insiders pose a greater threat than Outsiders yet are largely ignored
• Insiders will be less of a threat if they know they are accountable
• Any effort to mitigate the inside threat will have the same effect on outsiders
• Many measures can actually save money, are unobtrusive and provide other benefits

Page 92

Conclusions

• Best Countermeasures are:
– Reflecting the value of your assets in an appropriate Security Policy
– Continuous risk assessment
– Security awareness training
– Accountability through strong authentication and effective access control
– Management of the network (knowing what’s going on within it (IDS, Audit))
– Encryption: end-to-end protection of data