
Brown Bag Presentation: Insider Threats


Presentation Transcript


  1. Brown Bag Presentation: Insider Threats, by Kevin McKeever

  2. What is an Insider Threat?
     • Definition of an Insider Threat – A current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

  3. What Kind of Damage Can Insiders Do to an Organization?
     • To name a few things:
     • Introduce viruses, worms, and trojan horses into the company's systems and network
     • Introduce vulnerabilities to allow outside attackers into the network
     • Steal company information or corporate secrets
     • Steal money
     • Corrupt or delete data
     • Alter data to produce inconvenience or false criminal evidence
     • Steal identities of specific individuals
     • Alter equipment protocols, potentially causing physical damage or loss of life

  4. What Kinds of Insiders Are There?
     • There are 3 general classifications of insiders:
     • The trusted unwitting insider
     • The trusted witting insider
     • The untrusted insider

  5. The Trusted Unwitting Insider
     • Someone with legitimate access to a company's computer systems or networks, but who errs in judgment, in turn putting the company at risk

  6. The Trusted Witting Insider
     • Someone with legitimate access to a company's computer systems or networks who makes a conscious decision to sabotage the company or provide privileged information to an unauthorized party with malicious intent or for personal gain

  7. The Untrusted Insider
     • Someone who is not authorized to access a company's computer systems or networks, but has taken advantage of compromised user credentials or a backdoor in the system to assume the role of a trusted employee

  8. How Do Insiders Generally Attack?
     • Insider attacks generally follow a 4-step format:
     • Gain entry to the system or network
     • Learn where the system is most vulnerable and discover how to inflict the most damage (depending on the individual's intentions)
     • Set up a workstation from which to carry out the activity
     • Carry out the destructive activity

  9. Motivations to Commit Insider Attacks
     • 4 broad categories:
     • Money
     • Ideology
     • Ego
     • Coercion

  10. Examples of Motivations to Steal
     • Greed or financial need
     • Anger or revenge
     • Problems at work
     • Ideology or identification
     • Divided loyalty
     • Adventure or thrill
     • Vulnerability to blackmail
     • Ego or self-image
     • Ingratiation
     • Compulsive or destructive behavior
     • Family problems

  11. Understanding the Insider Psyche – US-CERT Study on Insider Attacks
     • Most insiders who commit IT sabotage have personal predispositions that contributed to their risk of committing IT sabotage:
     • Serious mental health disorders
     • Abnormal social skills and decision-making bias
     • History of rule violations

  12. Understanding the Insider Psyche (cont.) – Finding #1
     • Most insiders who committed IT sabotage were disgruntled due to unmet expectations
     • A US-CERT study found that 92% of insider attacks followed a negative work-related event such as termination, a dispute with a current/former employer, demotion, or transfer

  13. Understanding the Insider Psyche (cont.) – Finding #2
     • Usually, employees who undergo stressful events have a higher likelihood of committing insider IT sabotage

  14. Understanding the Insider Psyche (cont.) – Finding #3
     • Behavioral precursors were often observable in insider IT sabotage cases but ignored by the organization
     • In a US-CERT study, 97% of insiders who committed IT sabotage came to the attention of supervisors or coworkers for concerning behavior before the attack

  15. Understanding the Insider Psyche (cont.) – Finding #4
     • Organizations failed to detect technical precursors
     • In a US-CERT study, 87% of organizations failed to detect technical precursors before an insider attack

  16. Understanding the Insider Psyche (cont.) – Finding #5
     • Insiders created or used access paths unknown to management to set up the attack and conceal their identity or actions; most insiders attacked after termination
     • In a US-CERT study, 75% of insiders who committed IT sabotage created access paths unknown to the organization

  17. Understanding the Insider Psyche (cont.) – Finding #6
     • Lack of physical and electronic access controls facilitated IT sabotage
     • In a US-CERT study, 93% of insiders who committed IT sabotage exploited insufficient access controls

  18. What Can Organizations Do to Protect Themselves?
     • 1st line of defense – prevention: stop the attack from ever happening
     • 2nd line of defense – detection: detect malicious activity before it does any substantial damage
     • 3rd line of defense – response: mitigate the damage done and react to the attack

  19. How to Stop Insiders from Attacking
     • Training
     • Educate employees on appropriate usage of computers and network systems and the consequences if misused.
     • Training quality affects the rate of inappropriate online actions and attacks by insiders.

  20. How to Stop Insiders from Attacking
     • Limit information dispersion
     • Provide information on a need-to-know basis
     • Limit access to information and to hardware that has or can gain access to the network (laptops, USB devices, etc.)

  21. How to Stop Insiders from Attacking
     • Background checks
     • Perform background checks on people; make sure they are well-rounded and mentally stable people
     • People who have already committed IT sabotage may do it again sometime in the future

  22. How to Stop Insiders from Attacking
     • Prosecute the guilty
     • Make sure to make an example out of the insider who attacked so others won't soon forget
     • "Public hangings set a strong deterrent"

  23. How to Stop Insiders from Attacking
     • Sanctioning
     • Use punitive measures in an attempt to motivate the insider to reduce inappropriate behavioral or technical actions in order to avoid further punishment
     • However, this can sometimes have the opposite effect, increasing disgruntlement and inappropriate actions by the employee

  24. How to Stop Insiders from Attacking
     • Early mitigation through expectation setting
     • Set expectations so that employees don't feel they were treated unfairly, in order to minimize employee disappointment
     • Communication between employees and managers is key, along with consistent enforcement of company policies to ensure all employees are treated fairly
     • If disappointment does arise, take action to address it

  25. How to Stop Insiders from Attacking
     • Handle disgruntlement through positive intervention
     • Take preventative steps to eliminate the behavioral and technical precursor behavior
     • For example, offer employee assistance programs (EAPs) that help employees deal with personal or work-related issues that may impact job performance
     • May not be effective if the quality of the intervention is low

  26. How to Stop Insiders from Attacking
     • Targeted monitoring
     • Not practical for all employees in an organization, but effective if used correctly
     • For example, periodically logging online activity across an organization's network, or monitoring employees who exhibit suspicious activity

  27. How to Stop Insiders from Attacking
     • Eliminate unknown access paths
     • Whether they are forgotten old access paths or newly discovered ones, they must be dealt with in order to ensure more comprehensive system protection and stop insiders from potentially sabotaging systems.
     • Organizations can do this by monitoring network traffic

  28. How to Stop Insiders from Attacking
     • Measures upon demotion or termination
     • A clearly defined process for demotions and terminations can prevent insiders from attacking an organization
     • Don't be too brash in firing employees; sometimes it only takes a bit of training and encouragement to get them to conform. But don't be too forgiving either, as they may be trouble for the company and never conform even after multiple attempts
     • Don't give them a lot of time during the termination process. If they think they will be terminated, or once they are terminated, they may attack a system because they may still have access to it or be familiar with techniques to manipulate or exploit it

  29. How to Stop Insiders from Attacking
     • Frequent system checks: monitor the system using technical analysis
     • Frequent people checks: monitor employees using employee evaluations and other quality checks

  30. How to Stop Insiders from Attacking
     • Defense in depth – it's all about checks and balances/separation of powers
     • Continuously audit systems
     • Maintain multiple layers of authorization and authentication
     • Ensure network security systems are in place and functioning properly (firewalls, etc.)

  31. How to Stop Insiders from Attacking
     • Back up your data
     • Sometimes insiders do succeed and information is compromised
     • At this point it is damage control, and backing up your data to ensure accuracy and credibility is of vital importance
     • It is important to back up your data somewhere that is not on the same network and not equally vulnerable to insider attacks, as the insider may have compromised the backup data as well
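One way to make the off-network backup verifiable, as an added example that is not from the presentation or its sources: keep a SHA-256 manifest of the backup set on media the insider cannot reach, and compare the backup against that manifest before relying on it. The file names and contents below are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, trusted_manifest):
    """Compare a backup set against the manifest kept off-network; return sorted discrepancies."""
    current = build_manifest(root)
    problems = []
    for path, digest in trusted_manifest.items():
        if path not in current:
            problems.append((path, "missing from backup"))
        elif current[path] != digest:
            problems.append((path, "content differs from trusted manifest"))
    # Files the manifest never listed are just as suspicious as altered ones
    problems.extend((path, "unexpected file added to backup")
                    for path in current if path not in trusted_manifest)
    return sorted(problems)

def demo():
    """Constructed scenario: record a manifest, then simulate tampering with the backup."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (root / "config.ini").write_text("[db]\nhost=db1\n")
        trusted = build_manifest(root)          # this copy would live on offline media
        clean = verify_backup(root, trusted)    # expected: no discrepancies
        (root / "ledger.csv").write_text("acct,balance\n1001,2500.00\n")  # altered record
        (root / "config.ini").unlink()                                    # deleted file
        (root / "extra.bin").write_bytes(b"\x00\x01")                     # planted file
        return clean, verify_backup(root, trusted)

if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    for path, problem in after:
        print(f"{path}: {problem}")
```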

  32. Behavioral Indicators of an Insider Attack
     • Without need or authorization, takes proprietary or other material home
     • Inappropriately seeks or obtains proprietary or classified information on subjects not related to their work duties.
     • Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors.
     • Unnecessarily copies material, especially if it is proprietary or classified.
     • Remotely accesses the computer network while on vacation, sick leave, or at other odd times.
     • Disregards company computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.
     • Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.

  33. Behavioral Indicators of an Insider Attack (cont.)
     • Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel.
     • Short trips to foreign countries for unexplained or strange reasons.
     • Unexplained affluence; buys things that they cannot afford on their household income.
     • Engages in suspicious personal contacts, such as with competitors, business partners or other unauthorized individuals.
     • Overwhelmed by life crises or career disappointments.
     • Shows unusual interest in the personal lives of co-workers; asks inappropriate questions regarding finances or relationships.
     • Concern that they are being investigated; leaves traps to detect searches of their work area or home; searches for listening devices or cameras.
     • Many people experience or exhibit some or all of the above to varying degrees; however, most people will not cross the line and commit a crime.
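Several of the indicators above are checkable against HR data rather than by observation alone: remote access while on leave or at odd hours (slide 32), access after termination (slide 28), and accounts that no current employee owns, which is how the unknown access paths of Finding #5 tend to surface. The following script is an added example, not part of the presentation or its sources; the roster, the log format and the 07:00 to 19:00 business-hours window are constructed assumptions.

```python
import re
from datetime import date, datetime, time

# Constructed HR roster (sample data, not from the presentation); dates are ISO strings.
ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "terminated_on": "2012-03-09"},
    "carol": {"status": "on_leave", "leave_from": "2012-03-12", "leave_to": "2012-03-20"},
}

# Constructed remote-access log lines in a simple key=value form (sample data).
LOG_LINES = """\
2012-03-14T09:12:05 vpn login user=alice src=198.51.100.4 result=success
2012-03-14T02:13:40 vpn login user=alice src=198.51.100.4 result=success
2012-03-14T22:47:11 vpn login user=bob src=203.0.113.7 result=success
2012-03-15T10:05:00 vpn login user=carol src=192.0.2.9 result=success
2012-03-15T11:30:00 vpn login user=svc_backup2 src=192.0.2.20 result=success
2012-03-15T11:31:00 vpn login user=bob src=203.0.113.7 result=failure
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=\S+ result=(?P<result>\S+)$")
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed normal window for remote access

def review_logins(lines, roster=ROSTER):
    """Return (user, timestamp, reason) tuples for successful logins an analyst should review."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue  # only successful access is an access path; failures are out of scope here
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        rec = roster.get(user)
        if rec is None:
            # Account with no owner in HR data: a possible access path unknown to management
            findings.append((user, m["ts"], "account not in HR roster"))
            continue
        if rec["status"] == "terminated" and ts.date() >= date.fromisoformat(rec["terminated_on"]):
            findings.append((user, m["ts"], "access after termination date"))
        if rec["status"] == "on_leave" and rec["leave_from"] <= m["ts"][:10] <= rec["leave_to"]:
            findings.append((user, m["ts"], "remote access while on leave"))
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append((user, m["ts"], "remote access outside business hours"))
    return findings

if __name__ == "__main__":
    for user, ts, reason in review_logins(LOG_LINES):
        print(f"{ts} {user}: {reason}")
```

Each finding is a lead for the targeted monitoring of slide 26, not a verdict; an analyst still confirms it against the employee's actual circumstances.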

  34. Organizational Factors Contributing to Insider Attacks
     • The availability and ease of acquiring proprietary, classified, or other protected materials.
     • Providing access privileges to those who do not need them.
     • Proprietary or classified information is not labeled as such, or is incorrectly labeled.
     • The ease with which someone may exit the facility (or network system) with proprietary, classified or other protected materials.
     • Undefined policies regarding working from home on projects of a sensitive or proprietary nature.
     • The perception that security is lax and the consequences for theft are minimal or non-existent.
     • Time pressure: employees who are rushed may inadequately secure proprietary or protected materials, or not fully consider the consequences of their actions.
     • Employees are not trained on how to properly protect proprietary information.

  35. CERT's Top 10 List for Winning the Battle Against Insider Threats
     • Create an insider threat program ASAP
     • Work together across the organization to stop insider threats
     • Address employee privacy issues with general counsel (use tact; make sure you don't violate any privacy rights, etc.)
     • Pay close attention at resignation and termination
     • Educate employees regarding potential recruitment (people trying to recruit you to steal/modify information through you)

  36. CERT's Top 10 List for Winning the Battle Against Insider Threats (cont.)
     • Recognize concerning behaviors as a potential indicator
     • Mitigate threats from trusted business partners; make sure they are subject to the same policies and procedures as employees to ensure comprehensive system protection
     • Use your current technologies differently (create an insider team or train security operations center staff about insider threats, etc.)
     • Protect what's most important (like intellectual property)
     • Learn from past incidents so they don't happen again

  37. Statistics, Trends, and Facts
     • Insider attacks are becoming more sophisticated: 22% of insiders used rootkits (hacker tools) to attack systems in 2011 compared to just 9% in 2010.
     • Critical system disruption and loss of confidential or proprietary information are the most adverse consequences an organization can experience from insider cybersecurity events, according to respondents in a US-CERT study.
     • More attacks are committed by outsiders, but attacks by insiders are viewed as the most costly to organizations.
     • In a 2011 study of 607 respondents, 76% of insider incidents were handled internally without legal action, so the public is often unaware of them; 12% were handled internally but with legal action, 8% were handled externally with law enforcement involved, and 3% were handled externally by filing a civil action.

  38. Statistics, Trends, and Facts
     • Cybersecurity attacks from foreign entities have doubled, from 5% in 2010 to 10% in 2011.
     • Unintentional exposure of private or sensitive information declined significantly from 2010 to 2011, from 52% to 31%, thanks to cybersecurity training and the implementation of internal monitoring tools such as data loss prevention (DLP), among other techniques.
     • In the FBI's pending case load for the current fiscal year (2012), economic espionage losses to the American economy total more than $13 billion.
     • In just the last four years, the number of arrests the FBI has made associated with economic espionage has doubled; indictments have increased five-fold; and convictions have risen eight-fold.

  39. Questions?

  40. Sources
     • http://www.cert.org/insider_threat/
     • http://www.infosecisland.com/blogview/21411-IT-Security-Preventing-Insider-Threats.html
     • http://searchsecurity.techtarget.com/definition/insider-threat
     • http://www.csoonline.com/article/682205/the-3-types-of-insider-threat?page=3
     • http://www.gideonrasmussen.com/article-13.html
     • http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat
