With every Security & Privacy Breach survey pointing towards insiders as a potential threat and incidents leading to data loss and violation of the corporate information security policy, it is imperative that we answer the following questions:
Who are these insiders?
What activities do they carry out to breach security?
Why does an insider seek to cause harm?
How do we mitigate this threat?
1. Insider Threat
ISACA, Mumbai Chapter
Sameer Saxena
23rd July 2011
2. Agenda
The Insider
Insider Threat Landscape
Probable causes
Insider Impact and Challenges
Mitigation strategies
3. Insider Beliefs
Haven’t we heard/said this before!!!
“We Trust our Employees”
“We have an open environment. We cannot clamp down.”
“Insiders? Malware is ripping us to shreds”
“It’s an IMPOSSIBLE task!”
“We use principle of least privilege, separation of duty, and pray. Lots.”
6. Terry Childs Case – San Francisco Net
Terry Childs: Responsible for creating and managing the City of San Francisco's FiberWAN network
On July 9, 2008, told over a hostile conference call with the HR Dept., his boss and a police officer, that he was being reassigned, would no longer be working on the FiberWAN network and was to hand over the passwords
Handed over bogus passwords and was reluctant to give the right passwords
His justification: nobody in the room was qualified to have admin access to the network
In prison for 7 years and bond of US$ 5 million
Jury found him a nice guy, protective of his work, like many IT people, possibly a little paranoid.
Didn’t have good management to keep him in check. Allowed free rein, which allowed engineering decisions over the years that made things worse and worse, and locked people out of possibly getting into this network
7. Other Real Life Incidents
Roger Duronio, former UBS PaineWebber computer systems administrator, convicted for planting a malicious “logic bomb” that caused > USD 3 million in damage and repair costs to the UBS computer network
He received a bonus of USD 32,500 (against USD 50,000) in 2002.
Sentenced to 97 months in prison
William Sullivan, former database administrator of Fidelity National Information Services, sentenced to 57 months in prison and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm. He had stolen consumer information of 8.4 million people and sold it for USD 600,0000 to marketing firms between 2002 and 2007.
8. Other Real Life Incidents
HSBC’s system administrator Hervé Falciani, who had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax authorities.
Subject line: "Tax evasion: client list available."
9. Disgruntled Dave
A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane
Once a trusted insider with privileged access to critical IT infrastructure
Change in circumstances
Now unhappy with the status quo to the point where he is intentionally doing harm such as stealing, modifying or deleting data and/or planting malware
12. Who are Insiders
Current or former employee, contractor or other business partner who:
Has or had authorised access to an organisation’s network, system, or data and
◦ intentionally exceeded or misused that access in a manner that negatively affected the C.I.A. of the organisation’s information, information systems and/or daily business operations
13. Insider may be someone who…
Deliberately seeks employment with an organisation with intent to cause harm
Causes harm once employed but who had no intention of doing so when first employed, or
Is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider
14. Let’s break it down a bit further…
Authorized Users
◦ Employees - Clerks, Accountants, Finance, Salespeople, Purchasing, etc.
Privileged Users
◦ DBAs, DB/App Developers, Application QA, Contractors, Consultants
Knowledgeable Users
◦ IT Ops, Network Ops, Security Personnel, Audit Personnel
Outsiders or Malicious User with Insider Access and/or vulnerability knowledge
◦ The sophisticated “white collar” criminal
An individual may belong to more than one group
15. Reasons to cause harm
Motivated by one or a combination of reasons
A useful acronym to understand the motivations underlying behaviour is CRIME
◦ coercion – being forced or intimidated
◦ revenge – for a real or perceived wrong
◦ ideology – radicalisation or advancement of an ideological or religious objective
◦ money – for illicit financial gain, and/or
◦ exhilaration – for the thrill of doing something wrong
16. Factors that increase the risk of Insider Threat
No comprehensive written acceptable use policies
Ineffective management of privileged users
Inappropriate role and entitlement assignment
Poor information classification and policy enforcement
Weak user authentication
Poor overall identity governance
Inadequate auditing and analytics
19. Type 1 – IT Sabotage
Who are they?
◦ System administrators
◦ People with privileged access on systems, and technical ability
Why do they do it?
◦ Bring down systems, cause some kind of harm
How did they attack?
◦ Privileged access
◦ No authorized access
◦ Backdoor accounts, shared accounts, other employees’ accounts, insider’s own account
◦ Remote access outside normal working hours
20. Dynamics of Insider IT Sabotage
Disgruntled due to unmet expectations
◦ Period of heightened expectations, followed by a precipitating event triggering precursors
Behavioral precursors were often observed but ignored by the organization
◦ Significant behavioral precursors often came before technical precursors
Technical precursors were observable, but not detected by the organization
21. Red Flags
Unmet Expectations
◦ Insufficient compensation
◦ Lack of career advancement
◦ Inflexible system policies
◦ Co-worker relations; supervisor demands
Behavioural precursors
◦ Drug use; absence/tardiness
◦ Aggressive or violent behaviour; mood swings
◦ Used organization’s computers for personal business
◦ Sexual harassment
◦ Poor hygiene
22. Types of Sabotage Crimes
Constructed or downloaded, tested, planted logic bomb
Deleted files, databases, or programs
Destroyed backups
Revealed derogatory, confidential, or pornographic information to
customers, employees, or public
Modified system or data to present pornography or embarrassing info
Denial of Service by modifying authentication info, deleting data, or
crashing systems
Modified system logs to frame supervisor or innocent person &
conceal identity
Downloaded customer credit card data & posted to website
Cut cables
Sabotaged own project
Physically stole computers and/or backups
Planted virus on customers’ computers
Extortion for deleted data & backups
Defaced organization’s website
23. Type 2 – Fraud
Theft or Modification for Financial Gain
Who did it?
◦ Current & former employees
◦ “Low level” positions
◦ Non-technical
What was stolen/modified?
◦ Personally Identifiable Information (PII)
◦ Customer Information (CI)
◦ Very few cases involved trade secrets
How did they steal/modify it?
◦ During normal working hours
◦ Using authorized access
24. Dynamics of the Crime
Most attacks were long, ongoing schemes
Collusion prevails in this type with internal or external people
25. Examples
A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their account.
Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.
One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
26. Red Flags
Family medical problems
Substance abuse
Physical threat of outsiders
Financial difficulties
Financial compensation issues
Hostile work environment
Problems with supervisor
Layoffs
27. Type 3 – Theft of IP
Who did it?
◦ Current employees
◦ Technical or sales positions
What was stolen?
◦ Intellectual Property (IP) like source code, engineering drawing, scientific formula, etc.
◦ Customer Information (CI)
Why did they do it?
◦ Financial
◦ Entitlement (some didn’t realize it was wrong)
◦ Disgruntled
How did they attack?
◦ Using authorized access
◦ Acted during working hours from within the workplace
28. Dynamics of the Crime
Most were quick theft upon resignation
Stole information to
◦ Take to a new job
◦ Start a new business
◦ Give to a foreign company or government organization
Collusion
◦ Collusion with at least one insider in almost 1/2 of cases
◦ Outsider recruited insider in less than 1/4 of cases
◦ Acted alone in 1/2 of cases
29. Red Flags
Disagreement over ownership of intellectual property
Financial compensation issues
Relocation issues
Hostile work environment
Mergers & acquisitions
Company attempting to obtain venture capital
Problems with supervisor
Passed over for promotion
Layoffs
30. Latest Case – Travelocity sues Cleartrip
Travelocity = Travelguru + Desiya: Victim
Cleartrip: Accused
Location: Gurgaon
Data passed by 3 employees, which led to loss of business
These 3 people joined Cleartrip after merger
Shared the "entire hotel business model, projections and other proprietary information"
Claimed: US$ 37.5 million (Rs. 168 crore)
31. DCD Example
We create documents in MS Word… protection of these documents falls under Digital Rights Management
Let’s assume that the place where all documents are stored is called DCD – Document Control Domain in a network
n users in the DCD have a need to collaborate and share the documents securely and with restrictions on the usage of the documents’ content.
Each user belongs to a group with a specific function, usually dictated by the nature of the organization.
For instance a software company might have the groups: {CEO, Board Member, Administrator, Software Developer, Technical Writer, and Secretary}.
During the course of his/her work, a user produces and consumes a variety of documents related to his work function.
The DCD aims at protecting these documents from unwarranted usage and compromise.
32. DCD Example
The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization.
Existing solutions such as encryption are not enough as they protect only from the classic hackers
A malicious insider in the DCD starts off with several privileges. The CEO’s secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company.
Hence if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
33. So…what could be the insider threats in this scenario?
a) An insider can read, copy, and print any document he has access to unless fine-grained access control is in place.
b) An insider can become the owner of the document by copying it to a new file and thus set new access control on the copied document.
c) An insider can forward a document to another user either inside or outside the organization.
d) A user can work late or early hours when the intrusion/misuse detection systems are not running.
e) He can copy the contents of a document into another document that is opened simultaneously.
f) An insider can remember the contents of a document, which he opened before, and then create a low priority document with the same contents.
g) An insider can take a dump of the document from the memory and then print the document.
h) A malicious insider can tamper with the existing rights on the documents.
34. Policy design considerations to prevent such threats
Need to consider both the context and information flow between requests
Take an approach where multiple policies are specified on the same resource. The policies differ in the context when they become applicable.
For example, a policy might allow access to a document in the normal office hours but not during after-office hours.
The current context is contained in the request for access (or is alternatively maintained on the policy server)
Policies should also contain the obligations or the provisional authorizations that the subject should satisfy before access can be granted
◦ The obligations are returned to the viewer at the client side as a part of response to the request and the viewer is expected to enforce them. An obligation might specify that a high priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication
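The policy design just described, as an added illustration that is not part of the original deck: two policies on the same document that differ only in the time-of-day context, and a decision that returns obligations (no other documents open for a high priority document, biometric authentication before printing) for the client-side viewer to enforce. The office hours, action names and obligation names are assumptions made for the example.

```python
# Added example (not from the original slides): a small policy engine for the
# DCD scenario. Several policies are attached to the same document and differ
# only in the context in which they apply (here: the time of the request).
# A permit decision carries obligations that the client-side viewer must
# satisfy before it performs the action. All names and rules are constructed.
from dataclasses import dataclass, field

OFFICE_START, OFFICE_END = 9, 18   # assumed office hours, 09:00 to 17:59

@dataclass
class Request:
    user: str
    action: str            # "read", "print" or "forward"
    doc: str
    priority: str          # "high" or "normal"
    at: str                # request context: local time as "HH:MM"
    open_docs: int = 0     # other documents currently open in the viewer
    biometric_ok: bool = False  # whether biometric authentication was done

@dataclass
class Decision:
    permit: bool
    obligations: list = field(default_factory=list)

def in_office_hours(at: str) -> bool:
    hour = int(at.split(":")[0])
    return OFFICE_START <= hour < OFFICE_END

def office_hours_policy(req: Request) -> Decision:
    """Policy that applies during office hours."""
    if req.action == "forward":
        return Decision(False)        # forwarding is never permitted
    obligations = []
    if req.priority == "high":
        obligations.append("no_other_documents_open")
    if req.action == "print":
        obligations.append("biometric_authentication")
    return Decision(True, obligations)

def after_hours_policy(req: Request) -> Decision:
    return Decision(False)            # outside office hours: deny everything

def evaluate(req: Request) -> Decision:
    """Policy server: pick the policy whose context matches the request."""
    policy = office_hours_policy if in_office_hours(req.at) else after_hours_policy
    return policy(req)

def viewer_enforce(req: Request, decision: Decision) -> bool:
    """Client-side viewer: act only if every returned obligation is met."""
    if not decision.permit:
        return False
    checks = {"no_other_documents_open": req.open_docs == 0,
              "biometric_authentication": req.biometric_ok}
    return all(checks[o] for o in decision.obligations)
```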
35. Type 4 - Miscellaneous
Reading executive emails for entertainment
Providing organizational information to lawyers in
lawsuit against organization (ideological)
Transmitting organization’s IP to hacker groups
Unauthorized access to information to locate a person
as accessory to murder
36. Detection of all types of insider threat
How was it detected?
◦ Manually due to system failure irregularity
◦ Non-technical means
◦ Data irregularities, including suspicious activities in the form of bills, tickets, or negative indicators on individual’s credit histories.
◦ Notification by customers, supervisors, coworkers, auditor, security staff, informant
◦ Detection by law enforcement agencies
◦ Sudden emergence of new competing organisation
37. Identification of all types of insider threat
How was the insider identified?
◦ System logs
◦ Remote access logs
◦ File access logs
◦ Database logs
◦ Application logs
◦ Email logs
◦ Competitor information
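Remote access logs are one of the sources listed above, and the deck names remote access outside normal working hours and access that survives termination as precursors. The following added example (not from the original deck) reviews a constructed remote-access log for those two signals; the log format, working hours, account names, dates and addresses are all assumptions.

```python
# Added example (not from the original slides): reviewing remote-access logs
# for two technical precursors named in the deck: remote logins outside normal
# working hours (privileged users called out separately) and logins by
# accounts that should have been deactivated after termination.
# Log format, user names, dates and addresses are all constructed.
from datetime import datetime, date

OFFICE_HOURS = range(9, 18)   # assumed working hours: 09:00 to 17:59
WORKING_DAYS = range(0, 5)    # Monday (0) to Friday (4)

# Constructed HR feed: accounts whose access should have ended on that date.
TERMINATED = {"jdoe": date(2011, 7, 15)}
PRIVILEGED = {"netadmin", "jdoe"}   # constructed list of privileged accounts

# Constructed remote-access log: "<date> <time> <user> <source-ip> <result>"
SAMPLE_LOG = """\
2011-07-18 10:12:03 asmith 203.0.113.7 ACCEPT
2011-07-18 23:41:55 netadmin 203.0.113.9 ACCEPT
2011-07-19 08:05:10 jdoe 198.51.100.4 ACCEPT
2011-07-20 03:10:31 bsingh 203.0.113.5 ACCEPT
2011-07-17 14:20:00 netadmin 203.0.113.9 ACCEPT
"""

def parse_line(line: str) -> dict:
    d, t, user, src, result = line.split()
    return {"when": datetime.strptime(d + " " + t, "%Y-%m-%d %H:%M:%S"),
            "user": user, "src": src, "result": result}

def flags_for(event: dict) -> list:
    """Return the red flags raised by a single remote-access event."""
    flags = []
    when, user = event["when"], event["user"]
    ended = TERMINATED.get(user)
    if ended is not None and when.date() > ended:
        flags.append("access_after_termination")
    off_hours = when.hour not in OFFICE_HOURS or when.weekday() not in WORKING_DAYS
    if off_hours and event["result"] == "ACCEPT":
        flags.append("privileged_remote_access_off_hours" if user in PRIVILEGED
                     else "remote_access_off_hours")
    return flags

def review(log_text: str) -> dict:
    """Map each user to the set of flags raised anywhere in the log."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        for flag in flags_for(event):
            findings.setdefault(event["user"], set()).add(flag)
    return findings

if __name__ == "__main__":
    for user, flags in sorted(review(SAMPLE_LOG).items()):
        print(user, sorted(flags))
```

A flag is a prompt for review against HR and change records, not a finding on its own; the value of the check comes from correlating it with the behavioural precursors listed earlier.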
40. Probable Causes
Lack of articulate policies
Policies based on “book”
Lack of periodic user education, communication, awareness, etc.
Lack of reviews, audits and monitoring
Security in applications, an afterthought
Poor development practices
OWASP Top 10 hasn’t changed much since 2007
High staff turn-over, low morale, etc.
Unauthorised software and hardware
Negligence to policies and consequences
Business/Delivery team ownership
Business bats for freedom, new technologies, etc.
IT/Security seen as adversaries
Business pressure – a perfect vehicle to get around policies
42. Impacts
Inability to conduct business due to system/network being down
Loss of customer records
Inability to produce products due to damaged or destroyed software or systems
Loss of productivity, hence loss of business/revenue
Misuse of resources – Leads to a slow-down in the availability of resources to others
Loss of sensitive, proprietary data and intellectual property
Negative reputational damage, media and public attention, etc.
Regulatory and contractual non-compliance
Financial loss through fraud, litigation, penalties and so on
Trade secrets stolen
43. Impacts
Organization & customer confidential information revealed
Send wrong signals to other staff
Workplace conflicts, leading to indecision, inaction, etc.
Impacts to innocent victims
Insider committed suicide
Private information forwarded to customers, competitors, or
employees
Exposure of personal information
Web site defacements
48. Best Practices
Consider threats from insiders and business partners in enterprise-wide risk assessments.
Clearly document and consistently enforce policies and controls
Institute periodic security awareness training for all employees.
Monitor and respond to suspicious or disruptive behaviour
Anticipate and manage negative workplace issues
Track and secure the physical environment
Implement strict password and account management policies and practices.
Enforce separation of duties and least privilege.
49. Best Practices
Use extra caution with system administrators and privileged users.
Consider insider threats in the software development life cycle
Implement system change controls
Log, monitor and audit employee online actions
Use layered defense against remote attacks.
Deactivate computer access following termination.
Implement secure backup and recovery processes.
Develop an insider incident response plan
50. Summary
Insider threat is a problem that impacts and requires
understanding by everyone
◦ Information Technology
◦ Information Security
◦ Human Resources
◦ Management
◦ Physical Security
◦ Legal
Use enterprise risk management for protection of critical
assets from ALL threats, including insiders
Incident response plans should include insider incidents
Create a culture of security – all employees have responsibility
for protection of organization’s information
51. A Closing Statistic
As of 20th July 2011,
534,978,831 records have been breached in USA since 2005,
of which 32,106,583 records breached by Insiders alone
52. And A Closing Thought
Have you been Wikileaked yet??
53. Thank you for your time today
Need to conduct an insider threat risk assessment in your organisation? Simply
email on sameer.saxena@arconnet.com