Insider Threat

ISACA, Mumbai Chapter
     Sameer Saxena
      23rd July 2011
Agenda
 The Insider
 Insider Threat Landscape
 Probable causes
 Insider Impact and Challenges
 Mitigation strategies
Insider Beliefs
Haven’t we heard/said this before!!!

          “We Trust our Employees”
  “We have an open environment. We cannot clamp down.”
  “Insiders? Malware is ripping us to shreds”
  “It's an IMPOSSIBLE task!”
  “We use principle of least privilege, separation of
  duty, and pray. Lots.”
SPOT THE INSIDER…
Insider threat
Terry Childs Case – San Francisco Net
  Terry Childs: Responsible for creating and managing the City of San
  Francisco's FiberWAN network
  On July 9, 2008, told over a hostile conference call with the HR Dept., his
  boss and a police officer, that he was being reassigned, would no longer work
  on the FiberWAN network and was to hand over the passwords
  Handed over bogus passwords and was reluctant to give the right ones
  His justification: nobody in the room was qualified to have admin access to
  the network
  Sentenced to 4 years in prison; bail had been set at US$ 5 million
  Jury found him a nice guy, protective of his work, like many IT people,
  possibly a little paranoid.
  Didn't have good management to keep him in check. Allowed free rein,
  which permitted engineering decisions over the years that made things
  worse and worse, and locked people out of possibly getting into this
  network
  The control failure: one administrator held the only working credentials to
  the core network, so the city had no break-glass path that did not depend on him
Other Real Life Incidents
Roger Duronio, former UBS PaineWebber computer systems
administrator, convicted for planting a malicious “logic bomb” that
caused > USD 3 million in damage and repair costs to the UBS
computer network
He had received a bonus of USD 32,500 (against an expected USD 50,000) in 2002.
Sentenced to 97 months in prison


William Sullivan, former database administrator of Fidelity
National Information Services, sentenced to 57 months in prison
and ordered to pay USD 3.2 million in restitution for a crime he
committed through his power to gain access to databases in the
Certegy Check Services division of the firm. He had stolen
consumer information of 8.4 million people and sold it for
USD 600,000 to marketing firms between 2002 and 2007.
Other Real Life Incidents
HSBC's system administrator Hervé Falciani, who had unfettered root access.
What did he do with those credentials? He stole about 80,000 customer
files (alleged tax evaders) and then tried to sell them to banks and tax
authorities.
     Subject line: "Tax evasion: client list available."
Disgruntled Dave
 A fictitious character created out of the amalgamation
 of recently caught and reported insiders responsible for
 breaches ranging from the obscure to the profane

 Once a trusted insider with privileged access to critical
 IT infrastructure

 Change in circumstances

 Now unhappy with the status quo to the point where
 he is intentionally doing harm such as stealing,
 modifying or deleting data and/or planting malware
Verizon’s 2010 Data Breach
Investigations Report
THE INSIDER
Who are Insiders
 Current or former employee, contractor or
 other business partner who:
 ◦ has or had authorised access to an organisation's
   network, system, or data and
 ◦ intentionally exceeded or misused that access in a
   manner that negatively affected the C.I.A. (confidentiality,
   integrity, availability) of the organisation's information,
   information systems and/or daily business operations
Insider may be someone who…
 Deliberately seeks employment with an organisation
 with intent to cause harm

 Causes harm once employed but who had no intention
 of doing so when first employed, or

 Is exploited by others to do harm once employed, and
 may be either a passive, unwitting or unwilling insider
Let's break it down a bit further…
 Authorized Users
 ◦ Employees - Clerks, Accountants, Finance, Salespeople,
   Purchasing, etc.

 Privileged Users
 ◦ DBAs, DB/App Developers, Application QA, Contractors,
   Consultants

 Knowledgeable Users
 ◦ IT Ops, Network Ops, Security Personnel, Audit Personnel

 Outsiders or Malicious User with Insider Access and/or
 vulnerability knowledge
 ◦ The sophisticated “white collar” criminal
    An individual may belong to more than one group
Reasons to cause harm
 Motivated by one or a combination of reasons

 A useful acronym to understand the motivations
 underlying behaviour is CRIME
 ◦ coercion – being forced or intimidated
 ◦ revenge – for a real or perceived wrong
 ◦ ideology – radicalisation or advancement of an ideological or
   religious objective
 ◦ money – for illicit financial gain, and/or
 ◦ exhilaration – for the thrill of doing something wrong
Factors that increase the risk of
Insider Threat
 No comprehensive written acceptable use policies

 Ineffective management of privileged users

 Inappropriate role and entitlement assignment

 Poor information classification and policy enforcement

 Weak user authentication

 Poor overall identity governance

 Inadequate auditing and analytics
Can the INSIDERS be STOPPED?
Types of Insider Activity
Type 1 – IT Sabotage
 Who are they?
 ◦ System administrators
 ◦ People with privileged access on systems, and technical
   ability
 Why do they do it?
 ◦ Bring down systems, cause some kind of harm
 How did they attack?
 ◦ Privileged access
 ◦ No authorized access at the time of the attack
 ◦ Backdoor accounts, shared accounts, other employees'
   accounts, insider's own account
 ◦ Remote access outside normal working hours
Dynamics of Insider IT Sabotage
 Disgruntled due to unmet expectations
 ◦ Period of heightened expectations, followed by a
   precipitating event triggering precursors

 Behavioral precursors were often observed but ignored
 by the organization
 ◦ Significant behavioral precursors often came before
   technical precursors

 Technical precursors were observable, but not detected
 by the organization
Red Flags
 Unmet Expectations
 ◦ Insufficient compensation
 ◦ Lack of career advancement
 ◦ Inflexible system policies
 ◦ Co-worker relations; supervisor demands
 Behavioural precursors
 ◦ Drug use; absence/tardiness
 ◦ Aggressive or violent behaviour; mood swings
 ◦ Used organization’s computers for personal business
 Sexual harassment
 Poor hygiene
Types of Sabotage Crimes
 Constructed or downloaded, tested, planted logic bomb
 Deleted files, databases, or programs
 Destroyed backups
 Revealed derogatory, confidential, or pornographic information to
 customers, employees, or public
 Modified system or data to present pornography or embarrassing info
 Denial of Service by modifying authentication info, deleting data, or
 crashing systems
 Modified system logs to frame supervisor or innocent person &
 conceal identity
 Downloaded customer credit card data & posted to website
 Cut cables
 Sabotaged own project
 Physically stole computers and/or backups
 Planted virus on customers’ computers
 Extortion for deleted data & backups
 Defaced organization’s website
Type 2 – Fraud
Theft or Modification for Financial Gain
  Who did it?
  ◦ Current & former employees
  ◦ “Low level” positions
  ◦ Non-technical
  What was stolen/modified?
  ◦ Personally Identifiable Information (PII)
  ◦ Customer Information (CI)
  ◦ Very few cases involved trade secrets
  How did they steal/modify it?
  ◦ During normal working hours
  ◦ Using authorized access
Dynamics of the Crime
 Most attacks were long, ongoing schemes

 Collusion prevails in this type with internal or external
 people
Examples
 A check fraud scheme resulted in innocent people
 receiving collection letters due to fraudulent checks
 written against their account.

 Other cases involved insiders committing credit card
 fraud by abusing their access to confidential customer
 data.

 One insider accepted payment to modify a database to
 overturn decisions denying asylum to illegal aliens,
 enabling them to remain in the U.S. illegally.
Red Flags
 Family medical problems
 Substance abuse
 Physical threat of outsiders
 Financial difficulties
 Financial compensation issues
 Hostile work environment
 Problems with supervisor
 Layoffs
Type 3 – Theft of IP
Who did it?
◦ Current employees
◦ Technical or sales positions
What was stolen?
◦ Intellectual Property (IP) like source code, engineering
  drawings, scientific formulae, etc.
◦ Customer Information (CI)
Why did they do it?
◦ Financial
◦ Entitlement (some didn't realize it was wrong)
◦ Disgruntled
How did they attack?
◦ Using authorized access
◦ Acted during working hours from within the workplace
Dynamics of the Crime
 Most were quick theft upon resignation

 Stole information to
 ◦ Take to a new job
 ◦ Start a new business
 ◦ Give to a foreign company or government organization

 Collusion
 ◦ Collusion with at least one insider in almost 1/2 of
   cases
 ◦ Outsider recruited insider in less than 1/4 of cases
 ◦ Acted alone in 1/2 of cases
Red Flags
 Disagreement over ownership of intellectual property
 Financial compensation issues
 Relocation issues
 Hostile work environment
 Mergers & acquisitions
 Company attempting to obtain venture capital
 Problems with supervisor
 Passed over for promotion
 Layoffs
Latest Case – Travelocity
sues Cleartrip
 Travelocity (Travelguru + Desiya): Victim
 Cleartrip: Accused
 Location: Gurgaon
 Data passed by 3 employees, which led to loss of
 business
 These 3 people joined Cleartrip after the merger
 Shared the "entire hotel business model, projections
 and other proprietary information"
 Claimed: US$ 37.5 million (Rs. 168 crore)
DCD Example
 We create documents in MS Word… protection of these documents falls
 under Digital Rights Management
 Let's assume that the place where all documents are stored is called DCD
 – Document Control Domain in a network
 n users in the DCD have a need to collaborate and share the documents
 securely and with restrictions on the usage of the documents' content.
 Each user belongs to a group with a specific function, usually dictated by
 the nature of the organization.
    For instance a software company might have the groups: {CEO, Board
    Member, Administrator, Software Developer, Technical Writer, and
    Secretary}.
 During the course of his/her work, a user produces and consumes a
 variety of documents related to his work function.
 The DCD aims at protecting these documents from unwarranted usage
 and compromise.
DCD Example
 The CEO might work on a merger document whose compromise
 to the outside world could prove catastrophic to the organization.
 Existing solutions such as encryption are not enough, as they
 protect only from the classic outside hacker: an insider who is an
 authorised recipient already holds the key
 A malicious insider in the DCD starts off with several privileges.
 The CEO's secretary, for instance, could be leaking information to
 the outside world. It is quite possible for the secretary to forward
 the merger document she received for corrections to a rival
 company.
 Hence if there are no constraints on the privileges in the form of
 access control, then a malicious insider is capable of inflicting
 serious damage to the documents.
So…what could be the insider
threats in this scenario?
a)   An insider can read, copy, and print any document he has access to unless
     fine-grained access control is in place.
b)   An insider can become the owner of the document by copying it to a new
     file and thus set new access control on the copied document.
c)   An insider can forward a document to another user either inside or
     outside the organization.
d)   A user can work late or early hours when the intrusion/misuse detection
     systems are not running.
e)   He can copy the contents of a document into another document that is
     opened simultaneously.
f)   An insider can remember the contents of a document, which he opened
     before, and then create a low priority document with the same contents.
g)   An insider can take a dump of the document from memory and then
     print the document.
h)   A malicious insider can tamper with the existing rights on the documents.
Policy design considerations to
prevent such threats
  Need to consider both the context and the information flow
  between requests
  Take an approach where multiple policies are specified on
  the same resource. The policies differ in the context in which
  they become applicable.
    For example, a policy might allow access to a document in
    normal office hours but not during after-office hours.
    The current context is contained in the request for access
    (or is alternatively maintained on the policy server)
  Policies should also contain the obligations or the provisional
  authorizations that the subject should satisfy before access
  can be granted
   ◦ The obligations are returned to the viewer at the client side as part of
     the response to the request and the viewer is expected to enforce them. An
     obligation might specify that a high priority document can be opened if and only
     if no other documents are currently open. Another obligation might specify that
     the user can print a document if and only if he has performed a biometric
     authentication
   ◦ Caveat: a viewer that enforces obligations runs on a machine the insider
     controls (see threat g, the memory dump), so client-enforced obligations are
     best-effort. Anything the policy server can verify itself, such as the result of
     the biometric authentication, should be checked server-side before the grant is
     issued rather than trusted from the client's report
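The policy model described above, as an added example that is not code from the presentation: a small policy decision point in Python with two policies attached to one resource that differ only in context (office hours versus after hours), and decisions that carry obligations the client-side viewer must satisfy before it honours the grant. The groups, the document name, the office-hours window and the obligation names are assumptions made for the illustration.

```python
"""Added example (not from the presentation): context-dependent policies with
obligations for the DCD scenario. Groups, document, office-hours window and
obligation names are assumptions made for the illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, FrozenSet, Tuple

OFFICE_HOURS = range(9, 18)   # assumption: 09:00-17:59 on a weekday is "normal office hours"


@dataclass(frozen=True)
class Request:
    subject: str
    group: str
    resource: str
    action: str                  # "read", "print" or "forward"
    when: datetime               # context carried in the request, as the slide suggests
    open_docs: int = 0           # other documents the viewer currently has open
    biometric_ok: bool = False   # viewer reports a completed biometric authentication


@dataclass(frozen=True)
class Policy:
    resource: str
    groups: FrozenSet[str]
    actions: FrozenSet[str]
    context: Callable[[Request], bool]   # when this policy applies
    obligations: Tuple[str, ...] = ()    # what the viewer must satisfy first


@dataclass(frozen=True)
class Decision:
    allow: bool
    obligations: Tuple[str, ...] = ()
    reason: str = ""


def in_office_hours(req: Request) -> bool:
    return req.when.weekday() < 5 and req.when.hour in OFFICE_HOURS


def always(req: Request) -> bool:
    return True


# Two policies on the same resource; the context decides which one applies.
POLICIES = (
    Policy("merger.docx", frozenset({"CEO"}), frozenset({"read", "print", "forward"}),
           always, obligations=("close_other_documents",)),
    Policy("merger.docx", frozenset({"Secretary"}), frozenset({"read", "print"}),
           in_office_hours, obligations=("close_other_documents", "biometric_before_print")),
)


def decide(req: Request, policies=POLICIES) -> Decision:
    """Policy decision point: select the policies that apply to this subject,
    resource and context, then see whether any of them permits the action."""
    applicable = [p for p in policies
                  if p.resource == req.resource and req.group in p.groups and p.context(req)]
    if not applicable:
        return Decision(False, reason="no policy applies in this context")
    for p in applicable:
        if req.action in p.actions:
            return Decision(True, obligations=p.obligations)
    return Decision(False, reason=f"{req.action} not permitted for {req.group}")


def viewer_enforces(req: Request, decision: Decision) -> bool:
    """Client-side enforcement point: honour the grant only once every
    obligation returned with it is met. Only as trustworthy as the client."""
    if not decision.allow:
        return False
    for ob in decision.obligations:
        if ob == "close_other_documents" and req.open_docs > 0:
            return False
        if ob == "biometric_before_print" and req.action == "print" and not req.biometric_ok:
            return False
    return True


def check(req: Request) -> bool:
    return viewer_enforces(req, decide(req))


def run_scenarios() -> dict:
    """Constructed requests exercising context, action and obligation checks."""
    monday_10 = datetime(2011, 7, 25, 10, 0)
    monday_22 = datetime(2011, 7, 25, 22, 0)
    saturday_23 = datetime(2011, 7, 23, 23, 0)
    doc = "merger.docx"
    cases = {
        "secretary_read_office_hours": Request("sec01", "Secretary", doc, "read", monday_10),
        "secretary_read_after_hours": Request("sec01", "Secretary", doc, "read", monday_22),
        "secretary_forward": Request("sec01", "Secretary", doc, "forward", monday_10),
        "secretary_print_no_biometric": Request("sec01", "Secretary", doc, "print", monday_10),
        "secretary_print_biometric": Request("sec01", "Secretary", doc, "print", monday_10,
                                             biometric_ok=True),
        "ceo_read_other_doc_open": Request("ceo01", "CEO", doc, "read", saturday_23, open_docs=1),
        "ceo_read_weekend": Request("ceo01", "CEO", doc, "read", saturday_23),
    }
    return {name: check(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
```

The secretary's after-hours read is refused because no policy applies in that context, not because a policy says "deny"; her forward is refused by the applicable policy; her print without a biometric check is granted by the server but withheld by the viewer, which is exactly the client-enforced obligation the caveat above warns about.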
Type 4 - Miscellaneous
 Reading executive emails for entertainment

 Providing organizational information to lawyers in
 lawsuit against organization (ideological)

 Transmitting organization’s IP to hacker groups

 Unauthorized access to information to locate a person
 as accessory to murder
Detection of all types of insider threat
   How was it detected?
   ◦ Manually, due to a system failure or irregularity
   ◦ Non-technical means
   ◦ Data irregularities, including suspicious activities in
     the form of bills, tickets, or negative indicators on
     individuals' credit histories.
   ◦ Notification by customers, supervisors, coworkers,
     auditor, security staff, informant
   ◦ Detection by law enforcement agencies
   ◦ Sudden emergence of new competing organisation
Identification of all types of insider
threat
  How was the insider identified?
  ◦   System logs
  ◦   Remote access logs
  ◦   File access logs
  ◦   Database logs
  ◦   Application logs
  ◦   Email logs
  ◦   Competitor information
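The attack vectors listed under Type 1 (backdoor accounts, shared accounts, other employees' accounts, remote access outside working hours) together with the remote-access logs listed here are enough to turn "technical precursors were observable, but not detected" into a concrete check. The following is an added example, not part of the presentation: it runs over a handful of constructed remote-access log lines and an HR roster and flags successful logins that are after hours, on a shared account, by a terminated user, or from an account the directory does not know about. The log format, hostnames, account names, addresses and the working-hours window are all assumptions for the illustration.

```python
"""Added example (not from the presentation): flag insider precursors in
remote-access logs. Log format, hosts, accounts, addresses and the
working-hours window are constructed for the illustration."""
import re
from datetime import datetime

# Constructed log format: one successful or failed VPN login per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LOGIN user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

WORK_HOURS = range(8, 20)   # assumption: 08:00-19:59 on a weekday is normal here

# Constructed HR roster (what HR knows) and directory (what IT knows).
HR_ROSTER = {"jsmith": "active", "mpatel": "active", "ddave": "terminated"}
DIRECTORY_ACCOUNTS = {"jsmith", "mpatel", "ddave", "svc_backup", "netadmin"}
SHARED_ACCOUNTS = {"svc_backup", "netadmin"}   # no individual accountability

# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2011-07-21T10:14:07 vpn-gw1 LOGIN user=jsmith src=203.0.113.45 result=success
2011-07-21T02:41:19 vpn-gw1 LOGIN user=mpatel src=203.0.113.80 result=success
2011-07-22T11:05:33 vpn-gw1 LOGIN user=ddave src=198.51.100.9 result=success
2011-07-23T22:30:00 vpn-gw1 LOGIN user=netadmin src=198.51.100.9 result=success
2011-07-25T09:12:44 vpn-gw1 LOGIN user=jsmith src=203.0.113.45 result=failure
2011-07-25T09:13:02 vpn-gw1 LOGIN user=sysx src=192.0.2.77 result=success
"""


def parse(line):
    """Return the event fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def after_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in WORK_HOURS


def detect(log_text, roster=HR_ROSTER, directory=DIRECTORY_ACCOUNTS,
           shared=SHARED_ACCOUNTS):
    """Return (user, timestamp, source, reason) tuples for successful logins
    that match one of the Type 1 precursors. Failed logins are skipped here;
    a real detector would also count them per account."""
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        user, ts = ev["user"], ev["ts"]
        reasons = []
        if user not in directory:
            reasons.append("unknown_account")     # possible backdoor account
        elif user in shared:
            reasons.append("shared_account")      # who was really at the keyboard?
        elif roster.get(user) == "terminated":
            reasons.append("terminated_user")     # access not deactivated
        if after_hours(ts):
            reasons.append("after_hours")         # remote access outside working hours
        for reason in reasons:
            findings.append((user, ts.isoformat(), ev["src"], reason))
    return findings


def summarize(findings):
    """Collapse findings to {user: set(reasons)} for a quick triage view."""
    out = {}
    for user, _ts, _src, reason in findings:
        out.setdefault(user, set()).add(reason)
    return out


if __name__ == "__main__":
    for user, reasons in sorted(summarize(detect(SAMPLE_LOG)).items()):
        print(f"{user:10s} {', '.join(sorted(reasons))}")
```

The point of joining the log to the HR roster is that "terminated user still logging in" is invisible in the VPN log alone; the directory join catches the account nobody provisioned, which is what a backdoor account looks like from the outside.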
Insider threat
PROBABLE CAUSES
Probable Causes
 Lack of articulate policies
 Policies based on “book”
 Lack of periodic user education, communication, awareness, etc.
 Lack of reviews, audits and monitoring
 Security in applications, an afterthought
 Poor development practices
 OWASP Top 10 hasn't changed much since 2007
 Unauthorised software and hardware
 Negligence to policies and consequences
 Business/Delivery team ownership
 Business bats for freedom, new technologies, etc.
 IT/Security seen as adversaries
 Business pressure – a perfect vehicle to get around policies
 High staff turn-over, low morale, etc.
INSIDER IMPACT AND
CHALLENGES
Impacts
Inability to conduct business due to system/network being down
Loss of customer records
Inability to produce products due to damaged or destroyed
software or systems
Loss of productivity, hence loss of business/revenue
Misuse of resources – Leads to a slow-down in the availability of
resources to others
Loss of sensitive, proprietary data and intellectual property
Negative reputational damage, media and public attention, etc.
Regulatory and contractual non-compliance
Financial loss through fraud, litigation, penalties and so on
Trade secrets stolen
Impacts
 Organization & customer confidential information revealed
 Send wrong signals to other staff
 Workplace conflicts, leading to indecision, inaction, etc.
 Impacts to innocent victims
 Insider committed suicide
 Private information forwarded to customers, competitors, or
 employees
 Exposure of personal information
 Web site defacements
MITIGATION
STRATEGIES
DSCI-KPMG Survey 2009 & 2010
Deloitte 2009 Global Security
Survey – India Report
Verizon’s 2010 Data Breach
Investigations Report
Best Practices
 Consider threats from insiders and business partners in
 enterprise-wide risk assessments.
 Clearly document and consistently enforce policies and
 controls
 Institute periodic security awareness training for all
 employees.
 Monitor and respond to suspicious or disruptive behaviour
 Anticipate and manage negative workplace issues
 Track and secure the physical environment
 Implement strict password and account management policies
 and practices.
 Enforce separation of duties and least privilege.
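Separation of duties and least privilege, as an added example that is not from the presentation: an entitlement review in Python that takes a constructed role model, a list of toxic entitlement pairs (the combinations that let one person both commit and conceal a fraud of the kind described under Type 2), and the entitlements actually assigned to each user, and reports users who hold a toxic pair or an entitlement that none of their roles grants. Role names, entitlements, toxic pairs and users are assumptions for the illustration.

```python
"""Added example (not from the presentation): an entitlement review that
enforces separation of duties and least privilege. Roles, entitlements,
toxic pairs and users are constructed for the illustration."""
from itertools import combinations

# What each role is supposed to grant (constructed).
ROLE_ENTITLEMENTS = {
    "AP_Clerk":   {"create_vendor", "enter_invoice"},
    "AP_Manager": {"approve_payment", "view_invoice"},
    "DBA":        {"db_admin"},
    "Auditor":    {"read_audit_log"},
}

# Pairs no single person may hold: each lets one insider both commit and
# conceal, the pattern behind the long-running Type 2 fraud schemes.
TOXIC_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),   # pay a vendor you invented
    frozenset({"enter_invoice", "approve_payment"}),   # approve your own invoice
    frozenset({"db_admin", "audit_log_admin"}),        # change data and erase the trail
}

# Entitlements actually assigned, as a directory export might show them (constructed).
USERS = {
    "alice": {"roles": {"AP_Clerk"},
              "entitlements": {"create_vendor", "enter_invoice"}},
    "bob":   {"roles": {"AP_Clerk", "AP_Manager"},
              "entitlements": {"create_vendor", "enter_invoice", "approve_payment", "view_invoice"}},
    "carol": {"roles": {"DBA"},
              "entitlements": {"db_admin", "audit_log_admin"}},
    "dave":  {"roles": {"Auditor"},
              "entitlements": {"read_audit_log", "approve_payment"}},
}


def toxic_hits(entitlements, toxic=TOXIC_PAIRS):
    """Toxic pairs fully contained in the given entitlement set, sorted."""
    return sorted(tuple(sorted(pair)) for pair in toxic if pair <= entitlements)


def review_user(user, roles=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Least privilege: every entitlement must come from one of the user's roles.
    Separation of duties: no toxic pair may be held by one person."""
    findings = []
    permitted = set().union(*(roles[r] for r in user["roles"]))
    for ent in sorted(user["entitlements"] - permitted):
        findings.append(f"least-privilege: {ent} is not granted by any of {sorted(user['roles'])}")
    for a, b in toxic_hits(user["entitlements"], toxic):
        findings.append(f"separation-of-duties: holds both {a} and {b}")
    return findings


def review_all(users=USERS):
    return {name: review_user(u) for name, u in users.items()}


def conflicting_roles(roles=ROLE_ENTITLEMENTS, toxic=TOXIC_PAIRS):
    """Role pairs whose combined entitlements contain a toxic pair; these are
    the assignments a provisioning workflow should refuse up front."""
    return {frozenset({r1, r2}) for r1, r2 in combinations(sorted(roles), 2)
            if toxic_hits(roles[r1] | roles[r2], toxic)}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(name, findings or ["ok"])
    print("role conflicts:", [sorted(p) for p in conflicting_roles()])
```

Bob's problem is a legitimate but toxic role combination, which conflicting_roles() would have refused at provisioning time; Carol's and Dave's problems are entitlements granted outside any role, the "inappropriate role and entitlement assignment" listed earlier among the risk factors, and only a periodic review against the role model finds them.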
Best Practices
 Use extra caution with system administrators and
 privileged users.
 Consider insider threats in the software development
 life cycle
 Implement system change controls
 Log, monitor and audit employee online actions
 Use layered defense against remote attacks.
 Deactivate computer access following termination.
 Implement secure backup and recovery processes.
 Develop an insider incident response plan
Summary
Insider threat is a problem that impacts and requires
understanding by everyone
 ◦ Information Technology
 ◦ Information Security
 ◦ Human Resources
 ◦ Management
 ◦ Physical Security
 ◦ Legal

Use enterprise risk management for protection of critical
assets from ALL threats, including insiders

Incident response plans should include insider incidents

Create a culture of security – all employees have responsibility
for protection of organization’s information
A Closing Statistic
As of 20th July 2011,
534,978,831 records
have been breached in USA since 2005,
of which 32,106,583 records
were breached by Insiders alone
And A Closing Thought
    Have you been Wikileaked yet??
Thank you for your time
today
Need to conduct an insider threat risk assessment in your
organisation? Simply
email sameer.saxena@arconnet.com

We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
 
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory OversightKeeping an Eye On Risk - Current Concerns and Supervisory Oversight
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
 
Social Engineering | #ARMSec2015
Social Engineering | #ARMSec2015Social Engineering | #ARMSec2015
Social Engineering | #ARMSec2015
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
 
I’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take NextI’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take Next
 
CCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR Cyber Security Forum
CCIAOR Cyber Security Forum
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx
 
Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
Monitoring, Detecting And Preventing Insider Fraud And Abuse V2Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
 

Último

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Último (20)

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

Insider threat

  • 1. Insider Threat. ISACA, Mumbai Chapter. Sameer Saxena, 23rd July 2011
  • 2. Agenda
    The Insider
    Insider Threat Landscape
    Probable causes
    Insider Impact and Challenges
    Mitigation strategies
  • 3. Insider Beliefs. Haven’t we heard/said this before!!!
    “We Trust our Employees”
    “We have an open environment. We cannot clamp down.”
    “Insiders? Malware is ripping us to shreds”
    “It’s an IMPOSSIBLE task!”
    “We use principle of least privilege, separation of duty, and pray. Lots.”
  • 4. SPOT THE INSIDER…..
  • 6. Terry Childs Case – San Francisco Net
    Terry Childs: Responsible for creating and managing the City of San Francisco's FiberWAN network
    On July 9, 2008, told over a hostile conference call with the HR Dept., his boss and a police officer, that he was being reassigned and not working anymore on the FiberWAN network and is to hand over the passwords
    Hands over bogus passwords and reluctant to give the right passwords
    His Justification: nobody in the room was qualified to have admin access to the network
    In prison for 7 years and bond of US$ 5 million
    Jury found him a nice guy, protective of his work, like many IT people, possibly a little paranoid.
    Didn’t have good management to keep him in check. Allowed free rein, which allowed engineering decisions over the years that made things worse and worse, and locked people out of possibly getting into this network
  • 7. Other Real Life Incidents
    Roger Duronio, former UBS PaineWebber computer systems administrator, convicted for planting a malicious “logic bomb” that caused > USD 3 million in damage and repair costs to the UBS computer network. He received a bonus of USD 32,500 (against USD 50,000) in 2002. Sentenced to 97 months in prison.
    William Sullivan, former database administrator of Fidelity National Information Services, sentenced to 57 months in prison and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm. He had stolen consumer information of 8.4 million people and sold it for USD 600,0000 to marketing firms between 2002 and 2007.
  • 8. Other Real Life Incidents
    HSBC’s system administrator Herve Falciani, who had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax authorities. Subject line: "Tax evasion: client list available."
  • 9. Disgruntled Dave
    A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane
    Once a trusted insider with privileged access to critical IT infrastructure
    Change in circumstances
    Now unhappy with the status quo to the point where he is intentionally doing harm such as stealing, modifying or deleting data and/or planting malware
  • 10. Verizon’s 2010 Data Breach Investigations Report
  • 12. Who are Insiders
    Current or former employee, contractor or other business partner who:
    Has or had authorised access to an organisation’s network, system, or data and
      ◦ intentionally exceeded or misused that access in a manner that negatively affected the C.I.A. of the organisation’s information, information systems and/or daily business operations
  • 13. Insider may be someone who…
    Deliberately seeks employment with an organisation with intent to cause harm
    Causes harm once employed but who had no intention of doing so when first employed, or
    Is exploited by others to do harm once employed, and maybe either a passive, unwitting or unwilling insider
  • 14. Let’s break it down a bit further…
    Authorized Users
      ◦ Employees - Clerks, Accountants, Finance, Salespeople, Purchasing, etc.
    Privileged Users
      ◦ DBA’s, DB/App Developers, Application QA, Contractors, Consultants
    Knowledgeable Users
      ◦ IT Op’s, Network Op’s, Security Personnel, Audit Personnel
    Outsiders or Malicious User with Insider Access and/or vulnerability knowledge
      ◦ The sophisticated “white collar” criminal
    An individual may belong to more than one group
  • 15. Reasons to cause harm
    Motivated by one or a combination of reasons
    A useful acronym to understand the motivations underlying behaviour is CRIME
      ◦ coercion – being forced or intimidated
      ◦ revenge – for a real or perceived wrong
      ◦ ideology – radicalisation or advancement of an ideological or religious objective
      ◦ money – for illicit financial gain, and/or
      ◦ exhilaration – for the thrill of doing something wrong
  • 16. Factors that increase the risk of Insider Threat
    No comprehensive written acceptable use policies
    Ineffective management of privileged users
    Inappropriate role and entitlement assignment
    Poor information classification and policy enforcement
    Weak user authentication
    Poor overall identity governance
    Inadequate auditing and analytics
  • 17. Can the INSIDERS Be STOPPED?
  • 18. Types of Insider Activity
  • 19. Type 1 – IT Sabotage
    Who are they?
      ◦ System administrators
      ◦ People with privileged access on systems, and technical ability
    Why do they do it?
      ◦ Bring down systems, cause some kind of harm
    How did they attack?
      ◦ Privileged access
      ◦ No authorized access
      ◦ Backdoor accounts, shared accounts, other employees’ accounts, insider’s own account
      ◦ Remote access outside normal working hours
  • 20. Dynamics of Insider IT Sabotage
    Disgruntled due to unmet expectations
      ◦ Period of heightened expectations, followed by a precipitating event triggering precursors
    Behavioral precursors were often observed but ignored by the organization
      ◦ Significant behavioral precursors often came before technical precursors
    Technical precursors were observable, but not detected by the organization
  • 21. Red Flags
    Unmet Expectations
      ◦ Insufficient compensation
      ◦ Lack of career advancement
      ◦ Inflexible system policies
      ◦ Co-worker relations; supervisor demands
    Behavioural precursors
      ◦ Drug use; absence/tardiness
      ◦ Aggressive or violent behaviour; mood swings
      ◦ Used organization’s computers for personal business
      ◦ Sexual harassment
      ◦ Poor hygiene
  • 22. Types of Sabotage Crimes
    Constructed or downloaded, tested, planted logic bomb
    Deleted files, databases, or programs
    Destroyed backups
    Revealed derogatory, confidential, or pornographic information to customers, employees, or public
    Modified system or data to present pornography or embarrassing info
    Denial of Service by modifying authentication info, deleting data, or crashing systems
    Modified system logs to frame supervisor or innocent person & conceal identity
    Downloaded customer credit card data & posted to website
    Cut cables
    Sabotaged own project
    Physically stole computers and/or backups
    Planted virus on customers’ computers
    Extortion for deleted data & backups
    Defaced organization’s website
  • 23. Type 2 – Fraud: Theft or Modification for Financial Gain
    Who did it?
      ◦ Current & former employees
      ◦ “Low level” positions
      ◦ Non-technical
    What was stolen/modified?
      ◦ Personally Identifiable Information (PII)
      ◦ Customer Information (CI)
      ◦ Very few cases involved trade secrets
    How did they steal/modify it?
      ◦ During normal working hours
      ◦ Using authorized access
  • 24. Dynamics of the Crime
    Most attacks were long, ongoing schemes
    Collusion prevails in this type with internal or external people
  • 25. Examples
    A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their account.
    Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.
    One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
  • 26. Red Flags
    Family medical problems
    Substance abuse
    Physical threat of outsiders
    Financial difficulties
    Financial compensation issues
    Hostile work environment
    Problems with supervisor
    Layoffs
  • 27. Type 3 – Theft of IP
    Who did it?
      ◦ Current employees
      ◦ Technical or sales positions
    What was stolen?
      ◦ Intellectual Property (IP) like source code, engineering drawing, scientific formula, etc.
      ◦ Customer Information (CI)
    Why did they do it?
      ◦ Financial
      ◦ Entitlement (some didn’t realize it was wrong)
      ◦ Disgruntled
    How did they attack?
      ◦ Using authorized access
      ◦ Acted during working hours from within the workplace
  • 28. Dynamics of the Crime
    Most were quick theft upon resignation
    Stole information to
      ◦ Take to a new job
      ◦ Start a new business
      ◦ Give to a foreign company or government organization
    Collusion
      ◦ Collusion with at least one insider in almost 1/2 of cases
      ◦ Outsider recruited insider in less than 1/4 of cases
      ◦ Acted alone in 1/2 of cases
  • 29. Red Flags
    Disagreement over ownership of intellectual property
    Financial compensation issues
    Relocation issues
    Hostile work environment
    Mergers & acquisitions
    Company attempting to obtain venture capital
    Problems with supervisor
    Passed over for promotion
    Layoffs
  • 30. Latest Case – Travelocity sues Cleartrip
    Travelocity = Travelguru + Desiya: Victim
    Cleartrip: Accused
    Location: Gurgaon
    Data passed by 3 employees, which led to loss of business
    These 3 people joined Cleartrip after merger
    Shared the "entire hotel business model, projections and other proprietary information"
    Claimed: US$ 37.5 million (Rs. 168 crore)
  • 31. DCD Example
    We create documents in MS Word…protection of these documents falls under Digital Rights Management
    Let’s assume that the place where all documents are stored is called DCD – Document Control Domain in a network
    Users in the DCD have a need to collaborate and share the documents securely and with restrictions on the usage of the documents’ content.
    Each user belongs to a group with a specific function, usually dictated by the nature of the organization. For instance a software company might have the groups: {CEO, Board Member, Administrator, Software Developer, Technical Writer, and Secretary}.
    During the course of his/her work, a user produces and consumes a variety of documents related to his work function. The DCD aims at protecting these documents from unwarranted usage and compromise.
  • 32. DCD Example
    The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization.
    Existing solutions such as encryption are not enough as they protect only from the classic hackers
    A malicious insider in the DCD starts off with several privileges. The CEO’s secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company.
    Hence if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
  • 33. So…what could be the insider threats in this scenario?
    a) An insider can read, copy, and print any document he has access to unless fine-grained access control is in place.
    b) An insider can become the owner of the document by copying it to a new file and thus set new access control on the copied document.
    c) An insider can forward a document to another user either inside or outside the organization.
    d) A user can work late or early hours when the intrusion/misuse detection systems are not running.
    e) He can copy the contents of a document into another document that is opened simultaneously.
    f) An insider can remember the contents of a document, which he opened before, and then create a low priority document with the same contents.
    g) An insider can take a dump of the document from the memory and then print the document.
    h) A malicious insider can tamper with the existing rights on the documents.
  • 34. Policy design considerations to prevent such threats
    Need to consider both the context and information flow between requests
    Take an approach where multiple policies are specified on the same resource. The policies differ in the context when they become applicable. For example, a policy might allow access to a document in the normal office hours but not during after-office hours.
    The current context is contained in the request for access (or is alternatively maintained on the policy server)
    Policies should also contain the obligations or the provisional authorizations that the subject should satisfy before access can be granted
      ◦ The obligations are returned to the viewer at the client side as a part of response to the request and the viewer is expected to enforce them. An obligation might specify that a high priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication
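The slide describes a policy server that picks, by context, one of several policies on the same resource and returns obligations for the viewer to enforce. The following is an added example of that design (not code from the deck): the policy set, the document name `merger.docx` and the weekday 09:00 to 18:00 office window are assumptions made here.

```python
"""Context-aware access policies with obligations, modelled on the DCD example.

Added illustration, not code from the original deck. The policy set, the
resource name and the office-hours window are assumptions made here.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """What the viewer sends: who, which document, which action, plus context."""
    group: str
    resource: str
    action: str            # "open" or "print"
    now: datetime          # current context, carried in the request
    open_documents: int    # documents the viewer already has open
    biometric_ok: bool     # whether a biometric authentication was performed


@dataclass
class Policy:
    """Several policies may target the same resource; they differ in the
    context predicate that says when each one becomes applicable."""
    resource: str
    groups: List[str]
    actions: List[str]
    applies: Callable[[Request], bool]
    obligations: List[str] = field(default_factory=list)


@dataclass
class Decision:
    permit: bool
    obligations: List[str]
    reason: str


def office_hours(req: Request) -> bool:
    """Assumed office window: weekdays, 09:00 to 18:00."""
    return req.now.weekday() < 5 and time(9, 0) <= req.now.time() < time(18, 0)


# Constructed policy set for the merger document (assumed name).  Nothing
# applies outside office hours, so after-hours requests fall through to deny.
POLICIES: List[Policy] = [
    Policy("merger.docx", ["CEO", "Secretary"], ["open"], office_hours,
           obligations=["no_other_documents_open"]),
    Policy("merger.docx", ["CEO"], ["print"], office_hours,
           obligations=["no_other_documents_open", "biometric_authenticated"]),
]


def decide(req: Request, policies: List[Policy] = POLICIES) -> Decision:
    """Policy-server side: the first policy whose subject, action and context
    match grants access and hands back the obligations the viewer must meet."""
    for p in policies:
        if (p.resource == req.resource and req.group in p.groups
                and req.action in p.actions and p.applies(req)):
            return Decision(True, list(p.obligations), "matched policy")
    return Decision(False, [], "no policy applicable in this context")


def viewer_enforce(req: Request, decision: Decision) -> bool:
    """Client side: the viewer honours every returned obligation, or refuses."""
    if not decision.permit:
        return False
    satisfied: Dict[str, bool] = {
        "no_other_documents_open": req.open_documents == 0,
        "biometric_authenticated": req.biometric_ok,
    }
    # An obligation the viewer does not understand is treated as unmet.
    return all(satisfied.get(o, False) for o in decision.obligations)


def check(group: str, action: str, when: str, open_documents: int = 0,
          biometric_ok: bool = False) -> Tuple[bool, List[str], bool]:
    """Convenience wrapper: returns (server permit, obligations, viewer outcome)."""
    req = Request(group, "merger.docx", action, datetime.fromisoformat(when),
                  open_documents, biometric_ok)
    d = decide(req)
    return d.permit, d.obligations, viewer_enforce(req, d)


if __name__ == "__main__":
    for args in [("CEO", "open", "2011-07-20T10:00:00"),
                 ("CEO", "open", "2011-07-20T22:00:00"),
                 ("CEO", "print", "2011-07-20T10:00:00", 0, False),
                 ("CEO", "print", "2011-07-20T10:00:00", 0, True),
                 ("Secretary", "print", "2011-07-20T10:00:00", 0, True)]:
        print(args, "->", check(*args))
```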
  • 35. Type 4 - Miscellaneous
    Reading executive emails for entertainment
    Providing organizational information to lawyers in lawsuit against organization (ideological)
    Transmitting organization’s IP to hacker groups
    Unauthorized access to information to locate a person as accessory to murder
  • 36. Detection of all types of insider threat
    How was it detected?
      ◦ Manually due to system failure/irregularity
      ◦ Non-technical means
      ◦ Data irregularities, including suspicious activities in the form of bills, tickets, or negative indicators on individual’s credit histories.
      ◦ Notification by customers, supervisors, coworkers, auditor, security staff, informant
      ◦ Detection by law enforcement agencies
      ◦ Sudden emergence of new competing organisation
  • 37. Identification of all types of insider threat
    How was the insider identified?
      ◦ System logs
      ◦ Remote access logs
      ◦ File access logs
      ◦ Database logs
      ◦ Application logs
      ◦ Email logs
      ◦ Competitor information
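Slide 19 names remote access outside normal working hours as a sabotage pattern, slide 20 notes that technical precursors were observable but not detected, and slide 37 lists remote access logs as an identification source. As an added example (not part of the original deck), here is a small detection pass over constructed log lines that flags off-hours privileged remote access and logins to accounts that should have been deactivated at termination (slide 49); the log format, account names, addresses and terminated-accounts list are all assumptions.

```python
"""Detection pass over remote-access logs for the technical precursors the
deck names: privileged remote access outside normal working hours, and logins
to accounts that should have been deactivated at termination.

Added example, not part of the original deck.  The log line format, account
names, addresses and the terminated-accounts list are all constructed here.
"""
import re
from collections import Counter
from datetime import datetime, time
from typing import Dict, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) remote-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"privileged=(?P<priv>yes|no) result=(?P<result>success|failure)$"
)

# Constructed sample log (assumed VPN/SSH gateway format, RFC 5737 test addresses).
SAMPLE_LOG = """\
2011-07-20T10:15:02 remote-login user=clerk_ravi src=198.51.100.20 privileged=no result=success
2011-07-20T02:13:44 remote-login user=netadmin_tc src=203.0.113.7 privileged=yes result=success
2011-07-20T14:05:10 remote-login user=dba_priya src=198.51.100.21 privileged=yes result=success
2011-07-21T23:40:00 remote-login user=dba_priya src=203.0.113.9 privileged=yes result=failure
2011-07-23T11:30:00 remote-login user=netadmin_tc src=203.0.113.7 privileged=yes result=success
2011-07-21T09:30:00 remote-login user=contractor_old src=192.0.2.5 privileged=no result=success
"""

# Accounts HR reported as terminated (constructed).  Access should have been
# deactivated on termination, so any successful login here is a finding.
TERMINATED: Dict[str, str] = {"contractor_old": "2011-07-15"}

OFFICE_START, OFFICE_END = time(9, 0), time(18, 0)   # assumed office window


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its fields; reject anything off-format."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or outside the office window on a weekday."""
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.time() < OFFICE_END)


def find_precursors(log_text: str) -> List[Dict[str, str]]:
    """Apply both rules to every line; findings keep the order of the log."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts = datetime.fromisoformat(rec["ts"])
        # Rule 1: any privileged remote access attempt outside working hours.
        # Failed attempts count too: a failure at 23:40 is worth a look.
        if rec["priv"] == "yes" and is_off_hours(ts):
            findings.append({"rule": "privileged_offhours", "user": rec["user"],
                             "ts": rec["ts"], "src": rec["src"], "result": rec["result"]})
        # Rule 2: a terminated account that still authenticates successfully.
        if rec["user"] in TERMINATED and rec["result"] == "success":
            findings.append({"rule": "terminated_account_login", "user": rec["user"],
                             "ts": rec["ts"], "src": rec["src"],
                             "terminated_on": TERMINATED[rec["user"]]})
    return findings


def summarise_by_user(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per account so repeat hits surface first in triage."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    hits = find_precursors(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(summarise_by_user(hits))
```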
  • 40. Probable Causes
    Lack of articulate policies
    Policies based on “book”
    Lack of periodic user education, communication, awareness, etc.
    Lack of reviews, audits and monitoring
    Security in applications, an afterthought
    Poor development practices
    OWASP Top 10 hasn’t changed much since 2007
    High staff turn-over, low morale, etc.
    Unauthorised software and hardware
    Negligence to policies and consequences
    Business/Delivery team ownership
    Business bats for freedom, new technologies, etc.
    IT/Security seen as adversaries
    Business pressure – a perfect vehicle to get around policies
  • 42. Impacts
    Inability to conduct business due to system/network being down
    Loss of customer records
    Inability to produce products due to damaged or destroyed software or systems
    Loss of productivity, hence loss of business/revenue
    Misuse of resources – leads to a slow-down in the availability of resources to others
    Loss of sensitive, proprietary data and intellectual property
    Negative reputational damage, media and public attention, etc.
    Regulatory and contractual non-compliance
    Financial loss through fraud, litigation, penalties and so on
    Trade secrets stolen
  • 43. Impacts
    Organization & customer confidential information revealed
    Send wrong signals to other staff
    Workplace conflicts, leading to indecision, inaction, etc.
    Impacts to innocent victims
    Insider committed suicide
    Private information forwarded to customers, competitors, or employees
    Exposure of personal information
    Web site defacements
  • 46. Deloitte 2009 Global Security Survey – India Report
  • 47. Verizon’s 2010 Data Breach Investigations Report
  • 48. Best Practices
    Consider threats from insiders and business partners in enterprise-wide risk assessments.
    Clearly document and consistently enforce policies and controls.
    Institute periodic security awareness training for all employees.
    Monitor and respond to suspicious or disruptive behaviour.
    Anticipate and manage negative workplace issues.
    Track and secure the physical environment.
    Implement strict password and account management policies and practices.
    Enforce separation of duties and least privilege.
  • 49. Best Practices
    Use extra caution with system administrators and privileged users.
    Consider insider threats in the software development life cycle.
    Implement system change controls.
    Log, monitor and audit employee online actions.
    Use layered defense against remote attacks.
    Deactivate computer access following termination.
    Implement secure backup and recovery processes.
    Develop an insider incident response plan.
  • 50. Summary
    Insider threat is a problem that impacts and requires understanding by everyone
      ◦ Information Technology
      ◦ Information Security
      ◦ Human Resources
      ◦ Management
      ◦ Physical Security
      ◦ Legal
    Use enterprise risk management for protection of critical assets from ALL threats, including insiders
    Incident response plans should include insider incidents
    Create a culture of security – all employees have responsibility for protection of organization’s information
  • 51. A Closing Statistic. As of 20th July 2011, 534,978,831 records have been breached in USA since 2005, of which 32,106,583 records were breached by Insiders alone
  • 52. And A Closing Thought. Have you been Wikileaked yet??
  • 53. Thank you for your time today. Need to conduct an insider threat risk assessment in your organisation? Simply email sameer.saxena@arconnet.com