Computer Insider Threats

While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization’s business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.

A system administrator angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.

An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer’s computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company’s web pages, changing text and inserting pornographic images. He also sent each of the company’s customers an email message advising that the website had been hacked. Each email message also contained that customer’s usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer.

A city government employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworker’s computers the day before the new finance director took office. An investigation identified the disgruntled employee as the perpetrator of the incident. City government officials disagreed with the primary police detective on the case as to whether all of the deleted files were recovered.

No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign.

These incidents of sabotage were all committed by “insiders”: individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm. Insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases. (Keeney, M., et al. 2005)

The Nature of Security Threats

The greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant [3]. Attackers, trying to do harm, exploit vulnerabilities in a system or security policy, employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business operations or to steal information.

The diagram above depicts the types of security threats that exist. It covers all threats to computer systems, but the main emphasis here is on malicious “insiders”. The greatest threat of attacks against computer systems comes from “insiders” who know the codes and security measures that are in place [4, 5]. With very specific objectives, an insider attack can affect all components of security. As employees with legitimate access to systems, they are familiar with an organization’s computer systems and applications. They are likely to know what actions cause the most damage and how to get away with it undetected. Considered “members of the family,” they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and sabotage against systems. Organizational downsizing in both public and private sectors has created a group of individuals with significant knowledge and capabilities for malicious activities [6] and revenge. Contract professionals and foreign nationals, either brought into the U.S. on work visas to meet labor shortages or from offshore outsourcing projects, are also included in this category of knowledgeable insiders.

Common Insider Threats

Common cases of computer-related employee sabotage include: changing data; deleting data; destroying data or programs with logic bombs; crashing systems; holding data hostage; destroying hardware or facilities; entering data incorrectly; and exposing sensitive and embarrassing proprietary data to public view, such as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.

A 1998 FBI survey [7] investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches, for a total quantifiable financial loss of $136 million. (See chart)

The survey also found that the largest number of breaches were by unauthorized insider access and concluded that these figures were very conservative, as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey reported the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company in excess of $2.7 million. It found that hidden costs associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.

Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, to protect or advance their careers, to challenge their skill, express anger, impress others, or some combination of these concerns.

Insider Characteristics

The majority of the insiders were former employees.

  • At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
  • The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.

  • Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.
  • Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.

  • The insiders ranged in age from 17 to 60 years (mean age = 32 years) [17] and represented a variety of racial and ethnic backgrounds.
  • Ninety-six percent of the insiders were male.
  • Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history.
  • Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/ fraud related theft offenses (11%).

Organization Characteristics

The incidents affected organizations in the following critical infrastructure sectors:

  • banking and finance (8%)
  • continuity of government (16%)
  • defense industrial base (2%)
  • food (4%)
  • information and telecommunications (63%)
  • postal and shipping (2%)
  • public health (4%)

In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.

What motivates insiders?

Internal attackers attempt to break into computer networks for many reasons. The subject has been studied extensively, and internal attackers are typically motivated by the following [BSB03]:

• Challenge

Many internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not think of their actions as criminal. For example, an internal attack may be motivated by the challenge of breaking into the mail server in order to read the emails of any employee.

• Revenge

Internal attackers motivated by revenge often have ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees who feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack against the company in order to cause financial losses.

• Espionage

Internal attackers motivated by espionage steal confidential information for a third party. In general, two types of espionage exist:

  • Industrial espionage

Industrial espionage means that a company may pay its own employees in order to break into the networks of its competitors or business partners. The company may also hire someone else to do this.

  • International espionage

International espionage means that attackers work for governments and steal confidential information for other governments.

Definitions of insider threat

1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the “true insider,” is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the “pseudo-insider,” is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities.

The activities of both fall into five general categories:

  • exceeds given network, system or data permissions;
  • conducts malicious activity against or across the network, system or data;
  • provides unapproved access to the network, system or data;
  • circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identity; or
  • non-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure.

(Presented at the University of Louisville Cyber Security Day, October 2006)
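The definition above separates the actor (true insider versus pseudo-insider) from the activity (for example, exceeding given permissions). One way a defender operationalizes that distinction is an entitlement reconciliation: compare what policy authorizes for each role with what the directory actually grants, then judge each observed action against the policy view rather than the directory view. The following is an added example, not part of the original page or any cited study; the roles, permissions, users and access events are constructed for illustration.

```python
"""Reconcile effective access against policy-authorized access.

Added example (not from the page or the cited authors). Role and permission
names, the role assignments, and the access events are constructed.
"""

# Constructed: the permissions that written policy grants to each role.
POLICY = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "sysadmin": {"repo:read", "server:admin", "logs:read", "backup:restore"},
    "finance": {"ledger:read", "ledger:write"},
}

# Constructed: each user's role as recorded by HR.
ROLES = {"alice": "developer", "bob": "sysadmin", "carol": "finance", "dave": "developer"}

# Constructed: what the directory / IAM system actually grants today.
EFFECTIVE = {
    "alice": {"repo:read", "repo:write", "ci:run"},
    "bob": {"repo:read", "server:admin", "logs:read", "backup:restore", "ledger:write"},
    "carol": {"ledger:read", "ledger:write"},
    "dave": {"repo:read", "repo:write", "ci:run", "server:admin"},
}

# Constructed: observed actions as (user, permission the action required).
ACCESS_EVENTS = [
    ("alice", "repo:write"),
    ("bob", "ledger:write"),
    ("carol", "ledger:read"),
    ("dave", "server:admin"),
    ("alice", "backup:restore"),
]


def authorized(user):
    """Permissions policy grants to the user via their HR-assigned role."""
    return POLICY.get(ROLES.get(user), set())


def find_pseudo_insiders():
    """Users holding entitlements that policy never granted them.

    These are the 'pseudo-insiders' of the definition: access obtained
    inadvertently (stale group membership, a mis-provisioned role) or
    through malicious activity, but not authorized by policy.
    """
    return {
        user: sorted(perms - authorized(user))
        for user, perms in EFFECTIVE.items()
        if perms - authorized(user)
    }


def classify_events(events):
    """Judge each action against the policy view, not the directory view.

    'excess_via_unapproved_entitlement' means the action succeeded only
    because the directory grants more than policy allows; an
    'attempt_beyond_entitlement' needed a permission the user does not
    hold at all and is worth reviewing as a probing attempt.
    """
    verdicts = []
    for user, perm in events:
        if perm in authorized(user):
            verdict = "authorized"
        elif perm in EFFECTIVE.get(user, set()):
            verdict = "excess_via_unapproved_entitlement"
        else:
            verdict = "attempt_beyond_entitlement"
        verdicts.append((user, perm, verdict))
    return verdicts


if __name__ == "__main__":
    print("pseudo-insiders:", find_pseudo_insiders())
    for user, perm, verdict in classify_events(ACCESS_EVENTS):
        print(f"{user:6} {perm:16} {verdict}")
```

In practice the POLICY, ROLES and EFFECTIVE tables would be fed from the access-control policy, the HR system and a directory export respectively; the point of the check is that a review keyed on policy catches the over-provisioned sysadmin and developer even though every one of their actions "succeeded" from the directory's point of view.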

2) Insiders — employees, contractors, consultants, and vendors — pose as great a threat to an organization’s security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review, and employee awareness training.

(Insider Threat Management, presented by infoLock Technologies)

3) Employees are an organization’s most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods – employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders – not just employees, but consultants, contractors, vendors, and partners – must be actively managed, audited, and monitored in order to protect sensitive data.

(Presented by infoLock Technologies)

4) The diversity of cyber threat has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specific safety property are extracted to indicate possible exploits.

(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)

5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem.

(Dawn M. Cappelli, Akash G. Desai)

6) The “insider threat” or “insider problem” is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an “insider” has information and capabilities not known to other, external attackers. But the studies rarely define what the “insider threat” is, or define it nebulously. The difficulty in handling the “insider threat” is reasonable under those circumstances; if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved?


(Matt Bishop 2005)

Five common insider threats

1.) Exploiting information via remote access software

A considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can do it offsite. Also, inadequately protected remote computers may turn up in the hands of a third party if the computer is left unattended, lost or stolen.

2.) Sending out information via e-mail and instant messaging

Sensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, it’s also one of the easiest to eliminate.

3.) Sharing sensitive files on P2P networks

Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are it’s there and waiting to be abused. The inanimate software in and of itself is not the problem – it’s how it’s used that causes trouble. All it takes is a simple misconfiguration to serve up your network’s local and network drives to the world.

4.) Careless use of wireless networks

Perhaps the most unintentional insider threat is that of insecure wireless network usage. Whether it’s at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but don’t overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use it to exploit the network after hours.

5.) Posting information to discussion boards and blogs

Quite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.

Views of different authors about insider threat

1) Although insiders in this report tended to be former technical employees, there is no demographic “profile” of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees’ passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship.

Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used.

(Michelle Keeney, J.D., Ph.D., et al. 2005)

2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization’s business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.

(Nam Nguyen and Peter Reiher, Geoffrey H. Kuenning)

3) Geographically distributed information systems achieve high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account.

(Yair Amir, Cristina Nita-Rotaru)

4) In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people. The Insider Threat Assessment security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have made the right choice to improve your security posture, and you will achieve your expected Return on Security Investment.

(Presented by infoLock Technologies)

5) The threat of attack from insiders is real and substantial. The 2004 E-Crime Watch Survey™ conducted by the United States Secret Service, CERT® Coordination Center (CERT/CC), and CSO Magazine [1] found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million [2]. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.

(Dawn Cappelli, Andrew Moore, Timothy Shimeall, 2005)

6) Insiders, by virtue of legitimate access to their organizations’ information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it easy to use the systems they use at work everyday to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization’s vulnerabilities, have used their technical ability to sabotage their employer’s system or network in revenge for some negative work-related event.

(Dawn M. Cappelli, Akash G. Desai, et al. 2004)

7) The “insider problem” is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitions vary in meaning. Different definitions imply different countermeasures, as well as different assumptions.

(Matt Bishop 2005)

Solution: User monitoring

Insiders have two things that external attackers don’t: privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts all while flying under the radar unless a strong incident detection solution is in place. A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. Insiders can directly damage your business, resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyze malicious insider activity.

These are some points which could be helpful in monitoring and minimizing the insider threats:

  • Detecting insider activity starts with expanded log and event collection.
  • Firewalls, routers and intrusion detection systems are important, but they are not enough.
  • Organizations need to look deeper to include mission-critical applications such as email applications, databases, operating systems, mainframes, access control solutions, physical security systems as well as identity and content management products.
  • Correlation: identifying known types of suspicious and malicious behavior.
  • Anomaly detection: recognizing deviations from norms and baselines.
  • Pattern discovery: uncovering seemingly unrelated events that show a pattern of suspicious activity.
  • From case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organization’s procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are.
  • Identify suspicious user activity patterns and identify anomalies.
  • Visually track and create business-level reports on users’ activity.
  • Automatically escalate the threat levels of suspicious and malicious individuals.
  • Respond according to your specific and unique corporate governing guidelines.
  • Early detection of insider activity based on early warning indicators of suspicious behavior, such as:
    • Stale or terminated accounts
    • Excessive file printing, unusual printing times and keywords printed
    • Traffic to suspicious destinations
    • Unauthorized peripheral device access
    • Bypassing security controls
    • Attempts to alter or delete system logs
    • Installation of malicious software

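To make the monitoring points above concrete, here is an added example (not from the original page or any vendor it cites) that runs three of the listed techniques over a handful of constructed log lines: correlation against known indicators (a terminated account logging in, a command touching the audit log, traffic to a flagged destination), anomaly detection against a per-user baseline (daily print volume far above the norm, printing outside business hours), and automatic escalation of a user's threat level once several indicators stack up. The log format, account lists, baselines, thresholds and the destination address are all assumptions made for the example.

```python
"""Insider early-warning indicators over sample log events.

Added example, not part of the page. The log format, the terminated-account
list, the flagged destination, the print baselines and all thresholds are
constructed assumptions, not values from any real deployment.
"""
from collections import Counter
from datetime import datetime

# Constructed sample events: "<ISO timestamp> <source> <user> <action> <detail>".
SAMPLE_LOGS = """\
2024-03-04T09:12:05 auth jsmith login workstation-12
2024-03-04T09:40:11 print jsmith print_job 12
2024-03-04T22:15:30 auth mlee login vpn-gateway
2024-03-04T22:16:02 shell mlee exec rm /var/log/audit/audit.log
2024-03-04T23:05:44 print jsmith print_job 480
2024-03-05T03:10:00 auth tbrown login vpn-gateway
2024-03-05T10:00:00 net jsmith connect 203.0.113.77:443
"""

# Constructed: accounts HR reports as terminated but still present in the directory.
TERMINATED_ACCOUNTS = {"tbrown"}
# Constructed: a destination an analyst has flagged (address from the TEST-NET-3 range).
SUSPICIOUS_DESTINATIONS = {"203.0.113.77"}
# Constructed: per-user normal daily print volume in pages, from a prior 30-day window.
PRINT_BASELINE_PAGES = {"jsmith": 40}
PRINT_ANOMALY_FACTOR = 5            # alert when a day exceeds 5x the baseline
BUSINESS_HOURS = range(8, 19)       # 08:00 to 18:59 counts as normal printing time
# Constructed: substrings in executed commands that indicate log tampering.
LOG_TAMPER_MARKERS = ("/var/log/", "wevtutil cl", "auditpol /clear")


def parse(line):
    """Split one log line into its fields; 'detail' keeps any remaining spaces."""
    ts, source, user, action, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "user": user, "action": action, "detail": detail}


def detect(log_text):
    """Return (indicator, user) pairs found in the log text."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    pages_per_user_day = Counter()
    for e in events:
        # Correlation: known indicators from the page's early-warning list.
        if e["action"] == "login" and e["user"] in TERMINATED_ACCOUNTS:
            alerts.append(("terminated_account_login", e["user"]))
        if e["action"] == "exec" and any(m in e["detail"] for m in LOG_TAMPER_MARKERS):
            alerts.append(("log_tamper_attempt", e["user"]))
        if e["action"] == "connect" and e["detail"].split(":")[0] in SUSPICIOUS_DESTINATIONS:
            alerts.append(("suspicious_destination", e["user"]))
        # Printing: unusual time is a direct indicator; volume is judged per day below.
        if e["action"] == "print_job":
            pages_per_user_day[(e["user"], e["ts"].date())] += int(e["detail"])
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_print", e["user"]))
    # Anomaly detection: deviation from the user's own baseline.
    for (user, _day), pages in pages_per_user_day.items():
        baseline = PRINT_BASELINE_PAGES.get(user)
        if baseline and pages > PRINT_ANOMALY_FACTOR * baseline:
            alerts.append(("print_volume_anomaly", user))
    return alerts


def threat_levels(alerts):
    """Escalate a user's level as independent indicators accumulate."""
    hits = Counter(user for _indicator, user in alerts)
    return {user: "high" if n >= 3 else "elevated" if n == 2 else "low"
            for user, n in hits.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for indicator, user in found:
        print(f"{user:8} {indicator}")
    print(threat_levels(found))
```

Each indicator on its own is noisy (a late print run or a single odd connection is often benign), which is why the escalation step counts distinct indicators per user rather than alerting on the first one; in a real deployment the baselines would be learned from historical data per user and the terminated-account feed would come from HR, so a stale account still able to log in is itself a finding for the access-review process.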
The Insider Threat Study

The global acceptance, business adoption and growth of the Internet, and of Internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less than their tea and coffee expenses.

Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the President’s Critical Infrastructure Protection Board identified several critical infrastructure sectors [10]:

  • banking and finance
  • information and telecommunications
  • transportation
  • postal and shipping
  • emergency services
  • continuity of government
  • public health
  • universities
  • chemical industry, textile industry and hazardous materials
  • agriculture
  • defense industrial base

The cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organizations’ data, systems, or daily business operations. Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.

A completely secure, zero-risk system is one which has zero functionality. The latest high-performance automated systems bring with them new risks in the shape of new attacks, new viruses and new software bugs. IT security, therefore, is an ongoing process. Proper risk management keeps the IT security plans, policies and procedures up to date as new requirements and changes in the computing environment arise. Implementing controls to counter risks requires policies, and policy can only be implemented successfully if top management is committed. And a policy’s effective implementation is not possible without the training and awareness of staff.

The State Bank of Pakistan recognizes that the financial industry is built around the sanctity of financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of IT security and the ever-increasing threats it faces in today’s open world cannot be overstated. As more and more of our banking operations and products and services become technology driven and dependent, our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure the smooth functioning of the financial industry.

There are different areas in which we can work on and check the insider threat, but I chose the textile industry, as there is less awareness of the insider threat in the textile industry. If an insider attack occurs in an industry, industrialists try to cover up the news, as such news about an industry can damage its reputation.

CHAPTER 2

REVIEW OF LITERATURE

Axelsson, S. (2000)

Anonymous (2001)

Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and process are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level.

Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.

What needs to be protected, against whom and how?

Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents are minimised. IT security comprises:

Confidentiality: Sensitive business objects (information & processes) are disclosed only to authorised persons. ==> Controls are required to restrict access to objects.

Integrity: The business needs to control modifications to objects (information and processes). ==> Controls are required to ensure objects are accurate and complete.

Availability: The need to have business objects (information and services) available when needed. ==> Controls are required to ensure reliability of services.

Legal Compliance: Information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.

A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.

Stoneburner et al. (2002)

In this paper the author describes the risks posed by a university IT system. The paper first gives the background of the risks, the methodology employed, its implementation and the knowledge gained by performing the risk assessment.


Next, the author defines the terms security and risk. According to the author, from an IT perspective security can be defined as “the state of being free from unacceptable risk”. To define risk, the author quotes the Texas A&M University definition: “any event or action that adversely impacts the University’s ability to achieve its objectives”. The author then discusses security policies and guidelines.

The risk assessment process has two main objectives, namely to implement reasonable safeguards and to document due diligence of management in mitigating risks.

The inherent complexity of most systems, and in particular of large corporate systems, makes their risk assessment a time-consuming process.

It is also important to take time to precisely define what is meant by each threat that is identified. This understanding is required so that agreement can be more readily reached on its likelihood and consequence. Also, when the threat is revisited for determination of risk mitigation action and then later in reviews of the risk management plan, an exact definition is required.

The risk assessment process permits prioritization of a potentially very large number of actions that could be taken to improve security. For a new system, it gives management (and the auditors) some confidence that the risks associated with introduction of the system have been considered and addressed before the system goes live.

For forecasting purposes, the author divided the systems into three categories – simple, medium and complex. From experience gained with the initial high-level and detailed risk assessments, an estimate of the number of personnel and their time involvement was prepared.

Satti, M. M. (2003)

In this report the author discusses how the global acceptance, business adoption and growth of the Internet, and of internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less than its tea and coffee expenses.

National-level leadership and innovation in managing information security have become default standards for all modern states to overcome the coming challenges of cyberspace threats. This paper will provide an overview of the Computer Emergency Response Team (CERT): its objectives and goals, organization, infrastructure requirements, plans and standards. The paper will also provide, albeit briefly, the core requirements of the group, the roles of its members and the hierarchical management model that spreads across the sphere of ‘knowledge groups’ to establish an effective, well-organized and consummate squad to mitigate the online risks of unseen threats. The forum will provide unparalleled leadership and innovation in information security management and in the dissemination of cyber security knowledge and awareness in all ranks of citizens using the Internet, email and web-based tools for business needs.

Spitzner (2004)

The author observes that little research has been done on one of the most dangerous threats, the advanced insider: the trusted individual who knows the internal organization. These individuals are not after your systems, they are after the organization’s information. The presentation discusses how honeypot technologies can be used to detect, identify, and gather information on insider threats; the characteristics of advanced insider threats in particular are vastly different from those of an external threat.

The author notes that before discussing how honeypots, specifically honeynets and honeytokens, can catch the insider threat, there is a need to define the goals and the threat faced. The basic goal is to detect, identify, and confirm insider threats. This means leveraging honeypots not only to indicate that there is an insider, but also to confirm their actions, and potentially learn their motives and resources. The sophisticated insider makes this goal difficult. By sophisticated insider the author simply means “someone who is technically skilled, highly motivated, and has access to extensive resources”. For example, this threat may be an employee working for a large corporation who is in reality employed by a competitor to engage in corporate espionage.

The author defines a honeypot as:

“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource”.

Honeypots do not solve a specific problem. Instead, honeypots are a highly flexible tool with many applications to security. They can be used for everything from slowing down or stopping automated attacks and capturing new exploits to gathering intelligence on emerging threats and early warning and prediction. Second, honeypots come in many different shapes and sizes.

At the end of the paper the author concludes that honeypots are an emerging technology with extensive potential. Honeypots have tremendous advantages that can be applied to a variety of different environments. They dramatically reduce false positives, while providing an extremely flexible tool that is easy to customize for different environments and threats.
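The detect/identify/confirm goal described above, worked through with honeytokens. This is an added example, not code from Spitzner’s paper; the decoy identifiers, the audit-log format and the log lines are all constructed, and the classification thresholds are an assumption.

```python
"""Honeytoken-based detection of insider activity: decoy identifiers that no
legitimate process ever references are planted, so any access to one is an
unauthorized use by definition. Added example, not code from Spitzner's paper;
the decoys, the audit-log format and the log lines are all constructed."""
import re
from collections import defaultdict

# Constructed honeytokens (hypothetical values): a decoy customer record, a decoy
# document on a file share and a decoy service account. Real jobs never use them.
HONEYTOKENS = {
    "CUST-000000-DECOY": "decoy customer record in the CRM table",
    "/finance/merger_plan_DECOY.xls": "decoy document on the finance share",
    "svc_backup_decoy": "decoy service account credential",
}

# Constructed audit-log format: "<ts> user=<name> action=<verb> object=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+object=(?P<obj>\S+)$"
)


def parse_line(line):
    """Return the fields of one audit-log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_honeytoken_access(log_lines, tokens=HONEYTOKENS):
    """Detect and identify: for every user who touched a decoy, collect which
    decoys, how often and when it was first seen. Non-decoy activity is ignored,
    which is why honeytokens produce so few false positives."""
    hits = defaultdict(lambda: {"count": 0, "decoys": set(), "first_seen": None})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["obj"] not in tokens:
            continue  # malformed lines are skipped, never silently matched
        h = hits[rec["user"]]
        h["count"] += 1
        h["decoys"].add(rec["obj"])
        if h["first_seen"] is None:
            h["first_seen"] = rec["ts"]
    return dict(hits)


def classify(hit):
    """Confirm: one hit on a single decoy may be a stray click; touching two or
    more distinct decoys, or the same one repeatedly, looks like a deliberate
    search (assumed thresholds)."""
    if len(hit["decoys"]) >= 2 or hit["count"] >= 3:
        return "confirmed"
    return "suspect"


# Constructed audit log: alice does her normal work, bob opens one decoy record,
# carol opens a decoy record, a decoy document and then tries the decoy account.
SAMPLE_LOG = [
    "2006-03-01T09:02:11 user=alice action=read object=CUST-104233",
    "2006-03-01T09:05:40 user=bob action=read object=CUST-000000-DECOY",
    "2006-03-01T21:14:03 user=carol action=read object=CUST-000000-DECOY",
    "2006-03-01T21:16:52 user=carol action=open object=/finance/merger_plan_DECOY.xls",
    "2006-03-01T21:20:17 user=carol action=login object=svc_backup_decoy",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for user, hit in detect_honeytoken_access(SAMPLE_LOG).items():
        print(f"{user}: {classify(hit)} ({hit['count']} hits, first {hit['first_seen']})")
```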

Randazzo, M.R., et al (2004)

In this paper the authors describe the Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, which analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences that magnify the risk of insider attack. The lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem. Basically the authors argue that insiders, by virtue of legitimate access to their organizations’ information, systems, and networks, pose a significant risk to employers. The authors describe the reasons for insider threats. Finance is one reason: employees experiencing financial problems have found it easy to use the systems they use at work every day to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization’s vulnerabilities, have used their technical ability to sabotage their employer’s system or network in revenge for some negative work-related event.

The writer of this paper said that in January 2002 the Carnegie Mellon University Software Engineering Institute’s CERT Program (CERT) and the United States Secret Service (USSS) National Threat Assessment Center (NTAC) started a joint project, the Insider Threat Study. The study combined NTAC’s expertise in behavioral psychology with CERT’s technical security expertise to provide in-depth analysis of approximately 150 insider incidents that occurred in critical infrastructure sectors between 1996 and 2002. Analysis included perusal of case documentation and interview of personnel involved in the incident.

Project reports include statistical findings and implications regarding technical details of the incidents; detection and identification of the insiders; nature of harm; as well as insider planning, communication, behavior, and characteristics. The reports have been well-received across several stakeholder domains including the business community, technical experts, and security officers. But one fear is that practitioners will mistakenly interpret the results as stand-alone statistics and assign consideration of individual implications to various departments within the organization instead of taking a holistic, enterprise-wide approach to mitigating insider threat risk.

The goal of Carnegie Mellon University’s MERIT (Management and Education of the Risk of Insider Threat) project is to develop such tools. MERIT uses system dynamics to model and analyze insider threats and produce interactive learning environments. These tools can be used by policy makers, security officers, information technology, human resources, and management to understand the problem and assess risk from insiders based on simulations of policy, cultural, technical, and procedural factors. The writers of this paper describe the MERIT insider threat model and simulation results.

The authors’ concluding remarks regarding the Insider Threat Study show that, to detect insider threats as early as possible or to prevent them altogether, management, IT, human resources, security officers, and others in the organization must understand the psychological, organizational, and technical aspects of the problem, as well as how they coordinate their actions over time.

Keeney, M., et al (2005)

In this paper the authors describe how an insider had extensive control over the source code of a critical application used by the organization. As lead developer of the software, he made sure that he possessed the only copy of the source code. There were no backups, and very little documentation existed. Following a demotion in both position and pay, the insider “wiped” the hard drive of his company-provided laptop. In doing so, he deleted the only copy of the source code the organization possessed. It took several months to recover the source code from the insider, during which time the organization was unable to update the software.

Cappelli et al (2005)

In this research paper an examination of how each organization could have prevented the attack or at the very least detected it earlier is presented. Rather than requiring new practices or technologies for prevention of insider threats, the research instead identifies existing best practices that are critical to the mitigation of the risks from malicious insiders.

Chinchani et al (2005)

The diversity of cyber threats has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. In this paper, the authors propose a new target-centric model to address this class of security problems and explain the modeling methodology with specific examples. Finally, they perform quantified vulnerability analyses and prove worst-case complexity results on their model.

Gordon, L. A., et al (2006)

In this paper the authors discuss how uncontrolled use of iPods, USB sticks, PDAs and other devices on a network can lead to data theft, the introduction of viruses, legal liability issues and more. In a society where the use of portable storage devices is commonplace, the threat that these devices pose to corporations and organizations is often ignored. This white paper examines the nature of the threat that devices such as iPods, USB sticks, flash drives and PDAs present and the counter-measures that organizations can adopt to eliminate them. In an on-demand society where individuals can easily access portable music players, PDAs, mobile phones and digital cameras, technological innovation has responded to personal needs with the development of electronic devices that include data storage capabilities. There is, however, a downside to this modern-day scenario – the misuse of these devices in a corporate environment can spell disaster for a corporation.

Virginia et al (2006)

This paper introduces a framework composed of a method and of supporting awareness deliverables. The method organizes the identification and assessment of insider threat risks from the perspective of the organization goal(s)/business mission. This method is supported by three deliverables. First, by attack strategies structured in four decomposition trees. Second, by a pattern of insider attack that reduces an insider attack step to six possible scenarios. Third, by a list of defense strategies that helps in the elicitation of requirements. The output of the method consists of goal-based requirements for the defense against insiders. Attack and defense strategies are collected from the literature and from organizational control principles.

Infolock Technologies (2006)

The authors discuss that employees are an organization’s most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods – employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders – not just employees, but consultants, contractors, vendors, and partners – must be actively managed, audited, and monitored in order to protect sensitive data.

In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people.

ArcSight

Detecting and Responding to Malicious Insider Threats: insider threats are the easiest to perpetrate, the most difficult to prevent, and can be the most challenging. Insiders have two things that external attackers don’t: privileged access and trust. This allows them to bypass preventive measures, access mission-critical assets, and conduct malicious acts all while flying under the radar, unless a strong incident detection solution is in place. Some employees become malicious over time; others may be spies planted to conduct industrial espionage; while still others simply make unwitting mistakes that put the organization at risk.

A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. It doesn’t take a skilled hacker to print out sensitive data, copy files to an MP3 player or send confidential information to a competitor. Because of this, anybody can become a malicious insider, from the disgruntled system administrator hoping to sabotage access to business-critical systems to the human resources intern who is selling employee salary information to recruiters. Insiders can directly damage your business, resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyze malicious insider activity.

Research questions

The research deals with the aspect of the following questions:

Are organizations aware of the danger of internal security threats? Do internal security threats have a business impact on organizations? How do organizations develop a plan for preventing internal security threats?

These questions have many answers because organizations have different organizational cultures and structures and do not have the same objectives and plans. In connection with the research questions above, the structure of the thesis will be presented as a process view, according to figure 1.2. The figure illustrates the process of preventing internal security threats in an organization.

The process is a view of three main stages which are 1) Investigation; 2) Analysis; 3) Implementation.

The investigation stage will be to collect information in order to be able to identify internal security threats that may occur in an organization. At the investigation stage, the questions are:

  • Are internal security threats reported outside the organization?
  • How are internal security threats detected?
  • Is it possible to identify all kinds of internal security threats?

The analysis stage will be to understand the different facets of internal security threats. At the analysis stage, the questions are:

  • What are the different aspects of internal security threats?
  • Are all internal security threats convergent to the same motive?
  • Which are the most critical information assets to protect in organizations?

The implementation stage will be to develop a business continuity plan in order to maintain some degree of critical business activity in spite of a catastrophe, resulting from internal security threats. At the implementation stage, the questions are:

  • Is it possible to prevent all internal security threats in organizations?

Overall and Specific Objectives:

The overall objective of the proposed research is to identify unusual access patterns due to insider threats using a run-time monitoring, clustering, and cluster identification of security events. This combination of techniques is novel within the field of security.

The proposed work will make use of an existing system, and assertions will be derived from a formally-specified security policy. The assertions check the correctness of security events collected from execution traces of the system’s operation. The proposed work will identify those access patterns that do not conform to the a priori security policy. Clusters corresponding to access patterns that lead to security violations will be labeled as insider threats and added to the security policy. Unusual access patterns for training and testing the security policy will come from fault injection of insider threats. Event traces come from internal events and message traffic, with the latter being most applicable to the systems considered here.
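The approach outlined in these objectives, carried through as an added example (not code from the proposal): policy-derived assertions are checked against each event of a trace, the non-conforming events are clustered by access pattern, clusters above a size threshold are labelled insider threats and fed back into the policy, and a fault-injection helper supplies the unusual pattern used for testing. The roles, resource classes, working hours, bulk-read limit and trace are all constructed for illustration.

```python
"""Policy-assertion checking over an execution trace, with clustering of the
non-conforming access patterns. Added example, not code from the proposal;
the policy, roles and trace below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed security policy: resource classes each role may touch, the hours
# during which that role's access is expected, and a bulk-read threshold.
POLICY = {
    "roles": {
        "clerk":    {"resources": {"orders"},            "hours": (8, 18)},
        "analyst":  {"resources": {"orders", "reports"}, "hours": (8, 18)},
        "sysadmin": {"resources": {"orders", "reports", "hr", "backups"},
                     "hours": (0, 24)},
    },
    "bulk_limit": 500,         # rows in one read before it counts as an export
    "denied_patterns": set(),  # (user, resource) signatures learned from clusters
}


@dataclass(frozen=True)
class Event:
    hour: int        # hour of day (0-23) taken from the trace timestamp
    user: str
    role: str
    action: str      # "read", "write" or "delete"
    resource: str    # resource class, e.g. "orders"
    rows: int        # records touched by the operation


def check_event(ev, policy):
    """Assertions derived from the policy; returns the names of those violated."""
    violated = []
    role = policy["roles"].get(ev.role)
    if role is None:
        return ["unknown_role"]
    if ev.resource not in role["resources"]:
        violated.append("resource_not_permitted")
    start, end = role["hours"]
    if not start <= ev.hour < end:
        violated.append("outside_working_hours")
    if ev.action == "read" and ev.rows > policy["bulk_limit"]:
        violated.append("bulk_export")
    if (ev.user, ev.resource) in policy["denied_patterns"]:
        violated.append("known_insider_pattern")
    return violated


def cluster_violations(trace, policy):
    """Group non-conforming events by (user, resource, violation set)."""
    clusters = defaultdict(list)
    for ev in trace:
        v = check_event(ev, policy)
        if v:
            clusters[(ev.user, ev.resource, tuple(v))].append(ev)
    return clusters


def label_insider_threats(trace, policy, min_events=3):
    """Clusters with at least min_events events are labelled insider threats and
    their (user, resource) signature is added to the policy's denied patterns."""
    labelled = {}
    for key, events in cluster_violations(trace, policy).items():
        if len(events) >= min_events:
            labelled[key] = len(events)
            policy["denied_patterns"].add((key[0], key[1]))
    return labelled


def inject_insider_faults(trace):
    """Fault injection: append a constructed after-hours bulk read of HR data by a
    clerk, the kind of unusual pattern used to train and test the policy."""
    return trace + [Event(22 + i // 2, "carol", "clerk", "read", "hr", 900)
                    for i in range(3)]


# Constructed benign trace: access within role and working hours.
BENIGN_TRACE = [
    Event(9,  "alice", "clerk",    "read",  "orders",  12),
    Event(10, "bob",   "analyst",  "read",  "reports", 40),
    Event(3,  "dave",  "sysadmin", "write", "backups", 1),
    Event(14, "alice", "clerk",    "write", "orders",  1),
]

if __name__ == "__main__":
    trace = inject_insider_faults(BENIGN_TRACE)
    for key, n in label_insider_threats(trace, POLICY).items():
        print(f"insider threat cluster {key}: {n} events")
```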

B. Significance of the Proposed Research: Large, complex information systems have many interacting components, some of which are COTS components and some internally developed. These systems are usually distributed, with many parts of the application running on different computers. Security and privacy of these systems are of paramount concern. Security may be maintained by strict enforcement of a security policy, but insider attacks often do not conform to existing models of security. Insider threats apply unusual access patterns to exploit existing or intentional internal weaknesses of the system under attack. Unfortunately, it is difficult to certify that a system is resilient to a security attack when the attack itself is not well understood.

The exploratory work of this proposal will show the feasibility of the proposed approach and may be helpful for protecting from insider attacks.

Justification for the research

Many external security threats are reported daily by different institutes, such as information security centers (e.g. CERT, SITIC in Sweden). Such institutes work closely with organizations in order to analyze and understand the risk of the different external security threats, and to report security threats with information on how to protect against them. Information about internal security threats may be very sensitive for organizations, and according to Mr. Bruck, “the risk of internal attacks is very likely to rise in the coming year due to the growth, sophistication and ease of use of hacking tools available online” [BRU03].

Internal security threats may have a strong business impact, and organizations have to be protected by the implementation of a security design plan. The main goal of this research is to investigate and to analyze internal security threats, in order to understand the different facets of internal security threats and to establish a strategic plan to prevent internal security threats.

Who should read this work?

  • Directors, managers
  • System administrators, Security administrators

CHAPTER 3

MATERIALS AND METHODS

The insider threat to critical information systems is widely viewed as being of the greatest concern. However, a great deal of research has been focused on identifying, capturing, and researching external threats. While malicious and dangerous, these attacks are often random, with attackers more interested in how many systems they can break into than which systems they break into. To date, limited research has been done on a far more dangerous and devastating threat, the advanced insider.

Insider threat is a potential problem in any organization that conceals or protects valuable information. The aim of this research is to solve the insider threat problem by the identification and assessment of risks that insiders represent to an organization.

This research deals with the aspect of the following questions:

  • Are organizations aware of the danger of internal security threats?
  • Do internal security threats have a business impact on organizations?
  • How do organizations develop a plan for preventing internal security threats?

I chose the survey method, as Olivier GRANDVAUX (2004) did in his research.

The process is a view of three main stages, which are:

1) Investigation
2) Analysis
3) Implementation.

The figure illustrates the process of preventing internal security threats in an organization.

1. Investigation

The investigation stage will be to collect information in order to be able to identify internal security threats that may occur in an organization. At the investigation stage, the questions are:

  • Are internal security threats reported outside the organization?
  • How are internal security threats detected?
  • Is it possible to identify all kinds of internal security threats?

The investigation stage is the outcome of a survey [Appendix A], one study from the United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center [ITS04], and other scientific papers.

The survey has been answered by some employees from Industry name. I got 10 answers in total, and I believe that the answers are reliable sources. The ten respondents answered through the Internet and the results were anonymous. However, I know some of the respondents directly as they are friends, and the other results are from friends of friends. Thus I judge that the results from the survey are valid.

In the investigation stage the sources of the threats to the organization will be identified. In order to be able to identify internal security threats that may occur in an organization, the following information will be collected:

  • Identification of Security Threats
  • Sources of Internal Threats Identification

3.1. Identification of Security Threats

3.2. Sources of Internal Threats Identification

3.1 Investigation Techniques

3.1.1 Survey

The survey [Appendix A] is about twenty-five internal security threats. The goal of the survey was to get opinions from hackers on these twenty-five internal security threats and also to know if they think that these threats are relevant, not relevant or indifferent to organizations.

For each question, only one answer was possible among these three choices:

  • “Yes, I think the internal security threat is relevant”
  • “No, I do not think that the internal security threat is relevant”
  • “I do not know. I think the threat is indifferent”

I compiled the results as follows:

  • if more than 70% of respondents think that the threat is relevant, I will consider the threat as relevant;
  • if more than 70% of respondents think that the threat is not relevant, I will consider the threat as not relevant;
  • else I will consider the threat as indifferent.

The results from the survey showed that 64% of internal security threats were considered as relevant. The result 64% is the number of relevant threats, which is 16, divided by the total number of threats, which is 25 (16/25 = 0.64).

The results from the survey showed that 20% of internal security threats were considered as

Questionnaires

Observations

See book

2. Analysis Phase

The analysis stage will be to understand the different facets of internal security threats.

At the analysis stage, the questions are:

  • What are the different aspects of internal security threats?
  • Are all internal security threats convergent to the same motive?
  • Which are the most critical information assets to protect in organizations?

Prioritization of Internal Threats

Excel

SPSS

3. Implementation Phase

The implementation stage will be to develop a business continuity plan in order to maintain some degree of critical business activity in spite of a catastrophe, resulting from internal security threats. At the implementation stage, the questions are:

  • Is it possible to prevent all internal security threats in organizations?

Network Setup

HARDWARE / SOFTWARE SELECTION

SOFTWARE SELECTION

The selection of the software is a very important factor to be considered during the development phase of the new system. This choice depends on many factors including the current environment, the amount of data to handle, and the cost of programming. After analyzing the problem and considering the organization’s needs, I selected ASP as the front-end tool and SQL Server 2000 as the relational database management system for the development of this system, because it has the capability to handle a fairly large amount of data. It also provides a relational database management system available for personal and multi-user systems. Hence this system will be compatible with other packages and share data easily. In the design phase of any application development the first strategy to be considered is the tool selection.

So for the web development we must consider the following things.

  • The application should be fast, because the end user needs fast browsing.
  • Online applications with many graphics and images may overload the workstation, so the code should be kept lean.
  • The data queries must be secure, and supported by secure software.
  • It is important to keep the web site simple and intuitive. Web sites which are complex to navigate and badly designed fail miserably in sustaining the interest of the audience.
  • People hate long download times as much as they hate waiting in a queue. Keep the download time for all pages to a minimum.

To achieve the task of web development, suitable tools must be selected. For this purpose the following tools were selected.

TOOLS SELECTION

  • VBScript
  • HTML (Hyper Text Markup Language)
  • CSS (Cascading Style Sheets)
  • ASP (Active Server Pages)
  • MS Visual InterDev 6.0
  • SQL Server 2000 (Database Management System)
  • ADO
  • IIS (Internet Information Server)
  • T-SQL (Transact Structured Query Language)

SCRIPTING LANGUAGES

Scripting languages are interpreted programming languages that web page authors can use to perform a variety of operations. Three common examples of scripting languages are VBScript, JScript and JavaScript. To use a page that contains scripting language code, a web browser must be able to interpret the code. Microsoft Internet Explorer version 5.0 can run both VBScript and JScript code, as well as JavaScript code. Netscape Navigator version 3.0 can run VBScript code if the NCompass ScriptActive plug-in is installed.

VBScript is great for transforming lifeless web pages into dynamic, fully interactive pages with real-time response. VBScript has been used for client-side validation. There are many advantages to client-side validation. The major advantage is that when the user submits the form or makes a request, that request does not have to go to the web server for validation; instead VBScript validates the input on the client side, which increases the efficiency of the application.

HTML / MS VISUAL INTERDEV 6.0

HTML has come a long way from the simple language that Tim Berners-Lee developed in 1989. The latest modifications, loosely grouped under the heading Dynamic HTML (DHTML), bring your Web pages alive with true interactivity and without a performance hit. With DHTML, developers can write scripts that change the layout and content of your Web pages without having to generate a new page or retrieve one from the server.

Microsoft Visual InterDev 6.0 is selected as the software tool for the proposed system.

Microsoft Visual InterDev 6.0 is a component of Microsoft Developer Studio that serves as the development platform for applications dealing with the World Wide Web. Microsoft Visual InterDev supports the creation of scripts in scripting languages such as Microsoft Visual Basic Scripting Edition (VBScript) and Microsoft JScript.

FEATURES OF VISUAL INTERDEV 6.0

The following new features make web application development faster, richer and more robust.

DATA ENVIRONMENT

Creating and modifying data-related objects is performed in one place: the graphical data environment. In the data environment, one can drag and drop objects onto Active Server Pages (ASP) to automatically create data-bound design-time controls.

DATA-BOUND DESIGN-TIME CONTROLS

Design-time controls offer a richer, more visual editing interface for creating data-enriched pages. Data-bound controls make it simple to incorporate the script in the ASP or HTML pages to interact with a database.

SCRIPTING OBJECT MODEL

The scripting object model simplifies web application development by providing a model for object-oriented scripting. Script objects also greatly reduce the complexity and quantity of scripting required for writing applications that span the client (browser) and server.

SITE DESIGNER

To quickly prototype and build web sites, use the graphical Site Designer. In the Site Designer, site diagrams are used to create pages, links, navigation, hierarchy, and more – all with an easy-to-use drag and drop interface.

CASCADING STYLE SHEETS EDITOR

One can edit style sheets easily in the CSS editor. One can create and modify style sheets for a set of web pages and preview how the pages, or any page in the web application w
