Insider threat

With every security and privacy breach survey pointing towards insiders as a potential threat, and with incidents leading to data loss and violation of the corporate information security policy, it is imperative that we answer the following questions:
Who are these insiders?
What activities do they carry out to breach security?
Why does an insider seek to cause harm?
How do we mitigate this threat?

  1. Insider Threat
     ISACA, Mumbai Chapter
     Sameer Saxena
     23rd July 2011
  2. Agenda
     The Insider
     Insider Threat Landscape
     Probable causes
     Insider Impact and Challenges
     Mitigation strategies
  3. Insider Beliefs
     Haven’t we heard/said this before!!!
     “We Trust our Employees”
     “We have an open environment. We cannot clamp down.”
     “Insiders? Malware is ripping us to shreds”
     “It’s an IMPOSSIBLE task!”
     “We use principle of least privilege, separation of duty, and pray. Lots.”
  5. Terry Childs Case – San Francisco Net
     Terry Childs: responsible for creating and managing the City of San Francisco’s FiberWAN network.
     On July 9, 2008, he was told, over a hostile conference call with the HR Dept., his boss and a police officer, that he was being reassigned, would no longer be working on the FiberWAN network, and was to hand over the passwords.
     He handed over bogus passwords and was reluctant to give the right ones.
     His justification: nobody in the room was qualified to have admin access to the network.
     In prison for 7 years and a bond of US$ 5 million.
     The jury found him a nice guy, protective of his work, like many IT people, possibly a little paranoid. He did not have good management to keep him in check; he was allowed free rein, which allowed engineering decisions over the years that made things worse and worse and locked people out of possibly getting into this network.
  6. Other Real Life Incidents
     Roger Duronio, former UBS PaineWebber computer systems administrator, convicted for planting a malicious “logic bomb” that caused > USD 3 million in damage and repair costs to the UBS computer network. He had received a bonus of USD 32,500 (against USD 50,000) in 2002. Sentenced to 97 months in prison.
     William Sullivan, former database administrator of Fidelity National Information Services, sentenced to 57 months in prison and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm. He had stolen consumer information of 8.4 million people and sold it for USD 600,000 to marketing firms between 2002 and 2007.
  7. Other Real Life Incidents
     HSBC’s system administrator Hervé Falciani, who had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax authorities. Subject line: "Tax evasion: client list available."
  8. Disgruntled Dave
     A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane.
     Once a trusted insider with privileged access to critical IT infrastructure.
     Change in circumstances.
     Now unhappy with the status quo to the point where he is intentionally doing harm, such as stealing, modifying or deleting data and/or planting malware.
  9. Verizon’s 2010 Data Breach Investigations Report
  10. THE INSIDER
  11. Who are Insiders
     Current or former employee, contractor or other business partner who:
     Has or had authorised access to an organisation’s network, system, or data, and
     ◦ intentionally exceeded or misused that access in a manner that negatively affected the C.I.A. of the organisation’s information, information systems and/or daily business operations
  12. Insider may be someone who…
     Deliberately seeks employment with an organisation with intent to cause harm
     Causes harm once employed but who had no intention of doing so when first employed, or
     Is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider
  13. Let’s break it down a bit further…
     Authorized Users
     ◦ Employees - Clerks, Accountants, Finance, Salespeople, Purchasing, etc.
     Privileged Users
     ◦ DBAs, DB/App Developers, Application QA, Contractors, Consultants
     Knowledgeable Users
     ◦ IT Ops, Network Ops, Security Personnel, Audit Personnel
     Outsiders or Malicious User with Insider Access and/or vulnerability knowledge
     ◦ The sophisticated “white collar” criminal
     An individual may belong to more than one group
  14. Reasons to cause harm
     Motivated by one or a combination of reasons
     A useful acronym to understand the motivations underlying behaviour is CRIME
     ◦ coercion – being forced or intimidated
     ◦ revenge – for a real or perceived wrong
     ◦ ideology – radicalisation or advancement of an ideological or religious objective
     ◦ money – for illicit financial gain, and/or
     ◦ exhilaration – for the thrill of doing something wrong
  15. Factors that increase the risk of Insider Threat
     No comprehensive written acceptable use policies
     Ineffective management of privileged users
     Inappropriate role and entitlement assignment
     Poor information classification and policy enforcement
     Weak user authentication
     Poor overall identity governance
     Inadequate auditing and analytics
  16. Can the INSIDERS Be STOPPED?
  17. Types of Insider Activity
  18. Type 1 – IT Sabotage
     Who are they?
     ◦ System administrators
     ◦ People with privileged access on systems, and technical ability
     Why do they do it?
     ◦ Bring down systems, cause some kind of harm
     How did they attack?
     ◦ Privileged access
     ◦ No authorized access
     ◦ Backdoor accounts, shared accounts, other employees’ accounts, insider’s own account
     ◦ Remote access outside normal working hours
  19. Dynamics of Insider IT Sabotage
     Disgruntled due to unmet expectations
     ◦ Period of heightened expectations, followed by a precipitating event triggering precursors
     Behavioral precursors were often observed but ignored by the organization
     ◦ Significant behavioral precursors often came before technical precursors
     Technical precursors were observable, but not detected by the organization
  20. Red Flags
     Unmet Expectations
     ◦ Insufficient compensation
     ◦ Lack of career advancement
     ◦ Inflexible system policies
     ◦ Co-worker relations; supervisor demands
     Behavioural precursors
     ◦ Drug use; absence/tardiness
     ◦ Aggressive or violent behaviour; mood swings
     ◦ Used organization’s computers for personal business
     ◦ Sexual harassment
     ◦ Poor hygiene
  21. Types of Sabotage Crimes
     Constructed or downloaded, tested, planted logic bomb
     Deleted files, databases, or programs
     Destroyed backups
     Revealed derogatory, confidential, or pornographic information to customers, employees, or public
     Modified system or data to present pornography or embarrassing info
     Denial of Service by modifying authentication info, deleting data, or crashing systems
     Modified system logs to frame supervisor or innocent person & conceal identity
     Downloaded customer credit card data & posted to website
     Cut cables
     Sabotaged own project
     Physically stole computers and/or backups
     Planted virus on customers’ computers
     Extortion for deleted data & backups
     Defaced organization’s website
  22. Type 2 – Fraud: Theft or Modification for Financial Gain
     Who did it?
     ◦ Current & former employees
     ◦ “Low level” positions
     ◦ Non-technical
     What was stolen/modified?
     ◦ Personally Identifiable Information (PII)
     ◦ Customer Information (CI)
     ◦ Very few cases involved trade secrets
     How did they steal/modify it?
     ◦ During normal working hours
     ◦ Using authorized access
  23. Dynamics of the Crime
     Most attacks were long, ongoing schemes
     Collusion prevails in this type, with internal or external people
  24. Examples
     A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their account.
     Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.
     One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
  25. Red Flags
     Family medical problems
     Substance abuse
     Physical threat of outsiders
     Financial difficulties
     Financial compensation issues
     Hostile work environment
     Problems with supervisor
     Layoffs
  26. Type 3 – Theft of IP
     Who did it?
     ◦ Current employees
     ◦ Technical or sales positions
     What was stolen?
     ◦ Intellectual Property (IP) like source code, engineering drawings, scientific formulae, etc.
     ◦ Customer Information (CI)
     Why did they do it?
     ◦ Financial
     ◦ Entitlement (some didn’t realize it was wrong)
     ◦ Disgruntled
     How did they attack?
     ◦ Using authorized access
     ◦ Acted during working hours from within the workplace
  27. Dynamics of the Crime
     Most were quick theft upon resignation
     Stole information to
     ◦ Take to a new job
     ◦ Start a new business
     ◦ Give to a foreign company or government organization
     Collusion
     ◦ Collusion with at least one insider in almost 1/2 of cases
     ◦ Outsider recruited insider in less than 1/4 of cases
     ◦ Acted alone in 1/2 of cases
  28. Red Flags
     Disagreement over ownership of intellectual property
     Financial compensation issues
     Relocation issues
     Hostile work environment
     Mergers & acquisitions
     Company attempting to obtain venture capital
     Problems with supervisor
     Passed over for promotion
     Layoffs
  29. Latest Case – Travelocity sues Cleartrip
     Travelocity = Travelguru + Desiya: Victim
     Cleartrip: Accused
     Location: Gurgaon
     Data passed by 3 employees, which led to loss of business
     These 3 people joined Cleartrip after the merger
     Shared the "entire hotel business model, projections and other proprietary information"
     Claimed: US$ 37.5 million (Rs. 168 crore)
  30. DCD Example
     We create documents in MS Word… protection of these documents falls under Digital Rights Management.
     Let’s assume that the place where all documents are stored is called the DCD – Document Control Domain in a network.
     Users in the DCD have a need to collaborate and share the documents securely and with restrictions on the usage of the documents’ content.
     Each user belongs to a group with a specific function, usually dictated by the nature of the organization. For instance, a software company might have the groups: {CEO, Board Member, Administrator, Software Developer, Technical Writer, and Secretary}.
     During the course of his/her work, a user produces and consumes a variety of documents related to his work function. The DCD aims at protecting these documents from unwarranted usage and compromise.
  31. DCD Example
     The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization.
     Existing solutions such as encryption are not enough, as they protect only from the classic hackers.
     A malicious insider in the DCD starts off with several privileges. The CEO’s secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company.
     Hence, if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
  32. So… what could be the insider threats in this scenario?
     a) An insider can read, copy, and print any document he has access to unless fine-grained access control is in place.
     b) An insider can become the owner of the document by copying it to a new file and thus set new access control on the copied document.
     c) An insider can forward a document to another user either inside or outside the organization.
     d) A user can work late or early hours when the intrusion/misuse detection systems are not running.
     e) He can copy the contents of a document into another document that is opened simultaneously.
     f) An insider can remember the contents of a document, which he opened before, and then create a low priority document with the same contents.
     g) An insider can take a dump of the document from the memory and then print the document.
     h) A malicious insider can tamper with the existing rights on the documents.
  33. Policy design considerations to prevent such threats
     Need to consider both the context and the information flow between requests
     Take an approach where multiple policies are specified on the same resource. The policies differ in the context in which they become applicable. For example, a policy might allow access to a document in normal office hours but not during after-office hours. The current context is contained in the request for access (or is alternatively maintained on the policy server)
     Policies should also contain the obligations or the provisional authorizations that the subject should satisfy before access can be granted
     ◦ The obligations are returned to the viewer at the client side as a part of the response to the request, and the viewer is expected to enforce them. An obligation might specify that a high priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication
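An added example (not part of the deck) of the policy model described on this slide: several policies attached to one merger document, selected by the context carried in the request, with obligations handed back for the client-side viewer to enforce. The groups, office hours and obligation names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed example: one merger document carries several policies chosen by
# request context, plus obligations the client-side viewer must enforce.

@dataclass
class Request:
    group: str
    action: str            # "read" or "print"
    when: datetime         # context carried in the request
    open_documents: int    # documents the viewer already has open
    biometric_ok: bool     # viewer completed biometric authentication

def request(group, action, when_iso, open_documents=0, biometric_ok=False):
    return Request(group, action, datetime.fromisoformat(when_iso), open_documents, biometric_ok)

@dataclass
class Policy:
    groups: set
    actions: set
    office_hours_only: bool
    obligations: set = field(default_factory=set)
    def applies(self, req):
        in_hours = req.when.weekday() < 5 and 9 <= req.when.hour < 18
        return (req.group in self.groups and req.action in self.actions
                and (in_hours or not self.office_hours_only))

# Two assumed policies on the same document: the first applies only in office
# hours, the second is the tighter after-hours policy (CEO only, read only).
MERGER_POLICIES = [
    Policy({"CEO", "Board Member"}, {"read", "print"}, office_hours_only=True,
           obligations={"no_other_docs_open", "biometric_for_print"}),
    Policy({"CEO"}, {"read"}, office_hours_only=False,
           obligations={"no_other_docs_open"}),
]

def decide(req):
    """Policy server: first applicable policy wins; returns (allowed, obligations)."""
    for policy in MERGER_POLICIES:
        if policy.applies(req):
            return True, policy.obligations
    return False, set()

def viewer_enforce(req, obligations):
    """Client-side viewer: every returned obligation must hold before proceeding."""
    if "no_other_docs_open" in obligations and req.open_documents > 0:
        return False
    if "biometric_for_print" in obligations and req.action == "print" and not req.biometric_ok:
        return False
    return True

def access(req):
    allowed, obligations = decide(req)
    return allowed and viewer_enforce(req, obligations)
```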
  34. Type 4 - Miscellaneous
     Reading executive emails for entertainment
     Providing organizational information to lawyers in lawsuit against organization (ideological)
     Transmitting organization’s IP to hacker groups
     Unauthorized access to information to locate a person as accessory to murder
  35. Detection of all types of insider threat
     How was it detected?
     ◦ Manually due to system failure irregularity
     ◦ Non-technical means
     ◦ Data irregularities, including suspicious activities in the form of bills, tickets, or negative indicators on individuals’ credit histories
     ◦ Notification by customers, supervisors, coworkers, auditor, security staff, informant
     ◦ Detection by law enforcement agencies
     ◦ Sudden emergence of new competing organisation
  36. Identification of all types of insider threat
     How was the insider identified?
     ◦ System logs
     ◦ Remote access logs
     ◦ File access logs
     ◦ Database logs
     ◦ Application logs
     ◦ Email logs
     ◦ Competitor information
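An added example (not from the deck) of what "remote access logs" can surface when checked against the patterns named earlier: privileged-user remote access outside normal working hours, logins by shared or service accounts, logins after access should have been deactivated on termination, and one source address used by several accounts. The log format, account names, hours and dates are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed remote-access log lines; the format, accounts and addresses are
# made up for this example and are not from the slides.
SAMPLE_LOG = """\
2011-07-19T10:12:03 vpn login user=alice src=10.20.0.5 result=success
2011-07-19T23:41:17 vpn login user=dave src=203.0.113.9 result=success
2011-07-20T02:05:44 vpn login user=svc_backup src=203.0.113.9 result=success
2011-07-20T11:30:00 vpn login user=bob src=10.20.0.7 result=success
2011-07-21T09:15:22 vpn login user=carol src=198.51.100.4 result=success
"""

PRIVILEGED = {"dave", "bob"}                    # system administrators (assumed)
SHARED_OR_SERVICE = {"svc_backup"}              # accounts that should never log in remotely
TERMINATED = {"carol": datetime(2011, 7, 20)}   # user -> date access should have been revoked
LINE_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+) result=(\S+)$")

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    return {"when": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}

def off_hours(when):
    """Outside 08:00-19:00 on a weekday counts as off hours (assumed schedule)."""
    return when.weekday() >= 5 or not (8 <= when.hour < 19)

def flag(event):
    """Indicators raised by one successful login, in a fixed order."""
    reasons = []
    if event["user"] in PRIVILEGED and off_hours(event["when"]):
        reasons.append("privileged-off-hours-remote")
    if event["user"] in SHARED_OR_SERVICE:
        reasons.append("shared-or-service-account-login")
    revoked = TERMINATED.get(event["user"])
    if revoked is not None and event["when"] >= revoked:
        reasons.append("login-after-termination")
    return reasons

def analyse(log_text):
    """Per-login indicators, then one finding per source address used by several accounts."""
    findings, users_by_src = [], {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        users_by_src.setdefault(ev["src"], set()).add(ev["user"])
        findings.extend((ev["user"], reason) for reason in flag(ev))
    for src in sorted(users_by_src):
        if len(users_by_src[src]) > 1:
            findings.append((src, "multiple-accounts-same-source"))
    return findings
```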
  38. Probable Causes
     Lack of articulate policies
     Policies based on “book”
     Lack of periodic user education, communication, awareness, etc.
     Lack of reviews, audits and monitoring
     Security in applications, an afterthought
     Poor development practices
     OWASP Top 10 hasn’t changed much since 2007
     Unauthorised software and hardware
     Negligence to policies and consequences
     Business/Delivery team ownership
     Business bats for freedom, new technologies, etc.
     IT/Security seen as adversaries
     Business pressure – a perfect vehicle to get around policies
     High staff turn-over, low morale, etc.
  40. Impacts
     Inability to conduct business due to system/network being down
     Loss of customer records
     Inability to produce products due to damaged or destroyed software or systems
     Loss of productivity, hence loss of business/revenue
     Misuse of resources – leads to a slow-down in the availability of resources to others
     Loss of sensitive, proprietary data and intellectual property
     Negative reputational damage, media and public attention, etc.
     Regulatory and contractual non-compliance
     Financial loss through fraud, litigation, penalties and so on
     Trade secrets stolen
  41. Impacts
     Organization & customer confidential information revealed
     Sends wrong signals to other staff
     Workplace conflicts, leading to indecision, inaction, etc.
     Impacts to innocent victims
     Insider committed suicide
     Private information forwarded to customers, competitors, or employees
     Exposure of personal information
     Web site defacements
  43. DSCI-KPMG Survey 2009 & 2010
  44. Deloitte 2009 Global Security Survey – India Report
  45. Verizon’s 2010 Data Breach Investigations Report
  46. Best Practices
     Consider threats from insiders and business partners in enterprise-wide risk assessments.
     Clearly document and consistently enforce policies and controls.
     Institute periodic security awareness training for all employees.
     Monitor and respond to suspicious or disruptive behaviour.
     Anticipate and manage negative workplace issues.
     Track and secure the physical environment.
     Implement strict password and account management policies and practices.
     Enforce separation of duties and least privilege.
  47. Best Practices
     Use extra caution with system administrators and privileged users.
     Consider insider threats in the software development life cycle.
     Implement system change controls.
     Log, monitor and audit employee online actions.
     Use layered defense against remote attacks.
     Deactivate computer access following termination.
     Implement secure backup and recovery processes.
     Develop an insider incident response plan.
  48. Summary
     Insider threat is a problem that impacts and requires understanding by everyone
     ◦ Information Technology
     ◦ Information Security
     ◦ Human Resources
     ◦ Management
     ◦ Physical Security
     ◦ Legal
     Use enterprise risk management for protection of critical assets from ALL threats, including insiders
     Incident response plans should include insider incidents
     Create a culture of security – all employees have responsibility for protection of the organization’s information
  49. A Closing Statistic
     As of 20th July 2011, 534,978,831 records have been breached in the USA since 2005, of which 32,106,583 records were breached by insiders alone
  50. And A Closing Thought
     Have you been Wikileaked yet??
  51. Thank you for your time today
     Need to conduct an insider threat risk assessment in your organisation? Simply Email on @