Transcript of Session SEC 133: The Devil Inside – Internal Threats (Ashutosh Kapsé, CISA, CISM, CGEIT, I-RAP Certified; 31 pages)

Session SEC 133

The Devil Inside – Internal Threats

Ashutosh Kapsé, CISA, CISM, CGEIT, I-RAP Certified

• Copyright & Confidentiality Statement

• Copyright © 2007-09 Southern Cross Computer Systems Pty Ltd ACN 005 770 598 (“SCCS”).

• All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage and retrieval system, without prior permission in writing from the owner. The Copyright Act 1968 (Cth) applies to this work and the owner expressly reserves all of its rights under the Act now or as amended.

• Any logos or trademarks used belong to the respective organisations, which hold the sole right to use and reproduce them.

Agenda

• What are insider / internal threats?

• How real is this problem?

• Types of insider / internal threats (Classification)

• Some real life examples

• Profiling

• Response, Survival & Controls

• Future trends

Copyright © 2008 Southern Cross Computer Systems Pty Ltd

Insider vs Internal Threat

• Insider threat?

– Prevalent definition (US / DoD / CERT etc)

– My definition (larger scope) – Internal Threat

– Internal threat

How real is the problem?

• Some studies & statistics:

– Gartner, Aug 2007 – 70% of unauthorised access to IS is committed by insiders

– IDC, 2007 – Enterprises rank insider sources as their top security threat.

– Carnegie Mellon / DoD / US SS – Under-reporting of insider incidents; 29% of critical infrastructure organisations reported insider incidents.

– Assoc of Certified Fraud Examiners, Aug 2007 – US companies lose 5% of annual revenue to internal fraud

– US Computer Security Institute, 2007 survey – internal abuse overtakes viruses as most reported security incident

Classification

• Why is classification required?

• Can internal threats be classified?

• Classification:

– Internal - mistakes / errors

– Internal - non-malicious intent / naivety

– Internal / Insider - malicious

– Internal / Insider – Industrial Espionage

Examples

• Examples of security breaches of each classification type

– Internal mistakes / errors

• Jake Kovco Case – Dept of Defence, Aus.

• TTA, Aus.

Examples - 2

– Internal – non-malicious intent

• Security vendor emails contact details

• UK - customs data breach.

• UK – bank customers on eBay

Examples - 3

• Internal / Insider – malicious

– UBS PaineWebber

– Duracell

– Coca cola

Examples - 4

• Internal / Insider – Industrial espionage

– Pharmaceutical company

– Ellery systems – USA

Profiling – Insider malicious

• What is profiling / why is it important?

• Is it possible to profile insiders that may cause threat?

• Studies conducted by Texas A&M University, CERT, Carnegie Mellon & US Secret Service

– Insiders age group – 17 years to 60 years

– Diverse ethnic groups / races

– 96% were male

– 49% married, 45% single, 4% divorced

Insider Perpetrator Profile - 1

• A negative work related event triggered action

• Most held work related grievance prior to attack

• Most frequently reported motive was revenge

• Majority held technical positions (engineers, IT, programmers, sysadmins, etc.)

• In most cases behavioural symptoms were noticeable but not reported

– Co-workers had “inkling” of the perp’s intentions, plans

– Most perps had acted in an on-going concerning manner

– Majority communicated negative sentiments to others.

Profile - 2

• Activities were planned in advance

• Majority used remote access to initiate attack.

• Majority used system default accounts, DBA default accounts, system default passwords

• 41% former employees, 50% current employees

• 48% were fired, 24% made redundant, 20% resigned.
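As an added illustration (not part of the original slides), the Python script below turns the profile above into a log review: it flags successful remote-access logins by accounts HR lists as terminated, by default or system accounts, and by accounts HR does not know about. The log format, account names, IP addresses and HR feed are all constructed for the example.

```python
"""Review remote-access logins against HR termination data and a
default-account list (constructed example, not from the slides)."""
from datetime import date

# Constructed HR feed: user -> termination date (None = still employed).
HR_STATUS = {
    "jsmith": None,
    "mlee": date(2009, 5, 15),
    "admin": None,
}
# Vendor/system default accounts that should never be used interactively
# over remote access (constructed list).
DEFAULT_ACCOUNTS = {"admin", "sa", "root", "oracle"}

def parse_vpn_line(line):
    """Parse a constructed 'YYYY-MM-DD user RESULT src_ip' VPN auth log line."""
    day, user, result, src = line.split()
    y, m, d = (int(x) for x in day.split("-"))
    return {"date": date(y, m, d), "user": user, "result": result, "src": src}

def review_remote_logins(lines, hr=HR_STATUS, defaults=DEFAULT_ACCOUNTS):
    """Return (user, reason) findings for successful remote logins that the
    insider profile says deserve scrutiny: terminated users still
    authenticating, default accounts used interactively, and accounts
    unknown to HR. Failed attempts are left to the usual brute-force rules."""
    findings = []
    for line in lines:
        ev = parse_vpn_line(line)
        if ev["result"] != "SUCCESS":
            continue
        u = ev["user"]
        if u in defaults:
            findings.append((u, "default account used over remote access"))
        elif u not in hr:
            findings.append((u, "account not in HR records"))
        elif hr[u] is not None and ev["date"] >= hr[u]:
            findings.append((u, f"login after termination on {hr[u]}"))
    return findings

# Constructed sample log lines (documentation-range IP addresses).
SAMPLE_LOG = [
    "2009-05-10 jsmith SUCCESS 203.0.113.7",
    "2009-05-20 mlee SUCCESS 198.51.100.4",
    "2009-05-20 mlee FAILURE 198.51.100.4",
    "2009-05-21 admin SUCCESS 192.0.2.9",
    "2009-05-22 ghost SUCCESS 192.0.2.10",
]

if __name__ == "__main__":
    for user, reason in review_remote_logins(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

In practice the HR feed and the default-account list would come from the identity management and configuration baselines, which is the link between the termination process and log monitoring that the controls later in the deck call for.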

Profile - 3

• Insider malicious (Fraud only)

– 98% were legitimate users of the system

– Most often performed crimes:

• Modify credit histories

• Create fraudulent documents

• Loan approval frauds

– Most perps had large credit card debts themselves, or had drug-related financial difficulties

– Most perps did not believe they would get caught

Response / Controls

- Extremes –

- Denial

- Policy

- Tools (DLP)

- No “silver bullet”

- Paradigm shift required.

- Holistic view needed

- Not just technology – human behaviour

- Why in addition to How

- Essentially – we must trust humans to make the right decisions and follow policy & processes needed to protect information.

- We can’t rely totally on human behaviour so we need to also rely on technology where possible

Defence-in-Depth

Concept of defence-in-depth

[Pie chart: People, Processes and Technology in equal thirds; labelled Business Objectives and Requirements]

1 Asset inventory & RA (risk assessment)

Before one can protect anything, one first needs to understand what assets need to be protected.

Perform periodical risk assessment on the assets (the owner establishes the relative importance and value of the asset).

Remember that “Information” is also an asset

2 Least privilege, separation & rotation of duties

– Least privilege – Authorise people only for the resources they need to do their job.

– Separation – dividing functions among people to limit the possibility that one individual could commit fraud without the co-operation of one or more other individuals.

– Rotation – rotate employees through various roles

All three go hand in hand – towards reducing the risk of insider threat.

Separation of duties matrix

• CISA® review manual 2005 pages 88-91
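An added example, not from the slides or the CISA review manual: a small Python check that applies a separation-of-duties conflict matrix to each user's effective duties (the union of what all their roles grant), so that a conflict created by accumulating roles is caught, not just a conflict inside one role. The duty, role and user names are hypothetical, loosely following the loan-approval and credit-history fraud patterns cited in the profile slides.

```python
"""Separation-of-duties check over a conflict matrix (constructed example,
not from the slides or the CISA review manual)."""
from itertools import combinations

# Constructed conflict matrix: pairs of duties one person must not hold
# together. Duty names are hypothetical, mirroring the fraud patterns the
# slides cite (credit histories, loan approval).
SOD_CONFLICTS = {
    frozenset({"originate_loan", "approve_loan"}),
    frozenset({"approve_loan", "disburse_funds"}),
    frozenset({"edit_credit_history", "approve_loan"}),
    frozenset({"create_vendor", "approve_payment"}),
}

# Constructed role model: role -> set of duties the role grants.
ROLE_DUTIES = {
    "loan_officer": {"originate_loan", "view_credit_history"},
    "credit_analyst": {"edit_credit_history", "view_credit_history"},
    "branch_manager": {"approve_loan"},
    "treasury": {"disburse_funds"},
}

def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role a user holds."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties

def find_sod_violations(user_roles, conflicts=SOD_CONFLICTS, role_duties=ROLE_DUTIES):
    """Return sorted (user, duty_a, duty_b) triples where one user's combined
    roles grant two duties the matrix says must be separated. Checking
    effective duties rather than role names catches conflicts that only
    appear when roles are combined."""
    violations = []
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)

# Constructed assignments: 'carol' picked up a second role on transfer and
# was never rotated out of the first one; 'dave' holds two roles that the
# matrix does not treat as conflicting.
USER_ROLES = {
    "alice": ["loan_officer"],
    "bob": ["branch_manager"],
    "carol": ["credit_analyst", "branch_manager"],
    "dave": ["loan_officer", "treasury"],
}

if __name__ == "__main__":
    for user, a, b in find_sod_violations(USER_ROLES):
        print(f"SoD violation: {user} holds both '{a}' and '{b}'")
```

Running the same check against a proposed role change before it is granted turns the matrix from a periodic audit artefact into a preventive control.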

3 Information Classification

– No matter what kind of organisation, classification of information is necessary

– Govt agencies are very good at this

– Classification provides a framework for understanding what information exists, where it is stored, who is authorised to access it, rules of access etc.

– Classification along with segregation of users (based on roles) is critical for information protection

– Information labelling (just like physical asset labelling)

4 Human factors

Understanding the importance of “trusted”, “semi-trusted” and “un-trusted”.

Pre-Hiring

Post-Hiring

Security awareness training

1. SysAdmin / IT Staff / DBAs training

2. End user awareness

3. Specific end user training – mobility, portable devices, physical security

HR – Close link with HR?

5 Use technology

• Use technology for automation and to counter naivety / ignorance / mistakes.

– Pre-boot encryption of laptops

– Enforced encryption on removable storage devices

– End point control

– Cryptography / stego (steganography) / remote access / home PCs

– Host based IDS/IPS

– Network segregation

Other controls

6. Policies and processes

7. Identity and Access management

8. Logging and monitoring

9. Physical security

10. Ongoing / periodic risk assessment

11. Backup/restore, archive, de-duplication

Future Trends

• Outsourcing

• Social Networks (FaceBook, MySpace etc)

• Ubiquitous devices

• Subjective Ethical / moral principles

• Easy to use tools

• Professional and targeted attacks

• Mobile & flexible workforce

• Data archiving / Data de-duplication

Proactive inclusion in Security Architecture

[Matrix of controls (rows) against threat classes (columns: Mistakes / errors, Non-malicious intent, Malicious intent, Industrial espionage); the per-cell markings did not survive extraction]

Controls:

– Targeted awareness & education

– Policy / process

– Backup / restore / de-duplication

– Least privilege / separation & rotation of duties

– HR – background checks, behaviour education

– Physical security

– IAM / Access control & termination

– Technology / tools

– Logging, Auditing and review

Acknowledgements

• Information from following sources is used

– Insider Threat – Dr. Eric Cole & Sandra Ring

– Spies among us – Ira Winkler

– Insider Threat Study – Carnegie Mellon CyLab (Dawn Cappelli, Andrew Moore, et al.)

– Understanding the importance of and Implementing internal security measures – Mike Durgin SANS Institute

– Segregation of duties within Information systems – CISA review manual

– OVPC – survey and recommendations – Jan and Aug 2009

– Aust Privacy commissioner recommendations – May 09

Discussion