Social Engineering, Insiders and Security v. Christian W. Probst - Oplæg til InfinIT-seminar om Insidertrusler den 12. marts 2015

1. Social engineering, Insiders,
and Security
Christian W Probst
Technical University of Denmark
infinIT seminar om insidertrusler
NetIQ, 2015/03/12

2. 2
What is the Problem?
• We depend increasingly upon complex information
systems
• Focus on the vulnerability to
– Computer crime
– Security attacks [RAND Report, 2004]
“The insider threat is
perhaps the greatest threat
to [society, information
system, ...]”

3. 3
Securing Against the Inside
• Protect against attacks from an insider
• Insider has
– Better knowledge/information
– Better access
• Hard or impossible to distinguish from admissible
actions
• Little research on analysing socio-technical systems

4. 4
What is an Insider?
• An insider is an entity that has been legitimately
empowered with the right to access, represent, or
decide about one or more assets of the
organization’s structure.
• A program can also be an insider
• It is sufficient to have access to an asset containing
the asset in question

5. 5
Example 1: The Hard Disk Example
Naive user and absent policy
In 2003, Banner Therapy employee Christina Binney, a co-
founder of the company, was discharged from her position for
“misconduct”, and instructed not to return to the office. BT
claimed she impermissibly removed a hard drive from her work
computer and took it home over the weekend to prepare for a
client meeting.

6. 6
Example 1: The Hard Disk Example (ctd)
Naive user and absent policy
BT claimed that the removal crippled Banners operations and
placed vital data at risk. Binney explained that a customer
requested a meeting on a Friday for the following Monday
morning. To prepare, she chose to remove the entire hard drive
from her work computer, rather than to transfer the files to a
disk. At the time, BT had neither company policy about taking
work equipment home nor established computing protocols.
When Binney attempted to return to work on Monday, she was
denied access; this prevented her from returning the drive as
she claimed she had planned.

7. 7
Example 2: The Trade Secret Example
Malicious user steals trade secrets
In 2007, FBI agents arrested two engineers, who had worked for
NetLogic Microsystems (NLM) until 2003. The two men used
money from mainland China to create and incorporate a
company for the sole purpose of exploiting the secrets they
stole. They downloaded sensitive NLM documents onto their
home computers, top-level confidential technical descriptions
in enough specificity to enable someone to produce the
technology. Together, the men accumulated the information
needed to design and produce their own lines of
microprocessors and microchips.

8. 8
Example 2: The Trade Secret Example (ctd)
Malicious user steals trade secrets
To finance the business, the men contacted Beijing FBNI
Electronic Technology Development Company Ltd, and entered
into an agreement to develop and sell microprocessor chips.
Both men were able to access proprietary information without
exceeding their individual authorizations. Investigators
uncovered evidence that the venture capitalist had ties to the
Chinese government and military.

9. 9
Example 3: The Tax Fraud Example
Perimeter definition and system design
H. Walters and others are accused for perpetrating the biggest
fraud in Washingtons history. Until her arrest, “Walters was a
26-year tax employee known as a problem solver with a knack
for finding solutions by using the departments antiquated and
balky computers or finding a way around them.” She allegedly
used her position to produce fake checks for bogus refunds
with fictitious names; the total is said to exceed $50 million.

10. 10
Example 3: The Tax Fraud Example (ctd)
Perimeter definition and system design
The scheme involved Washingtons new Integrated Tax System.
During design phase, Walters “contributed to the decision that
her unit, which handled real estate tax refunds, be left out of it.”
At the time, the decision seemed to make sense for cost
reasons.
The scheme exploited several loopholes: each check was under
the threshold for requiring a supervisor’s approval, and no
action was taken to cancel the first check or confirm that it had
not already been cashed.

11. 11
Example 4: The Cloud Provider Sysadmin
Perimeter definition
A system administrator in the facilities of a cloud provider
allegedly used a package sniffer to record the image of a
migrating virtual machine of a financial institution.
The virtual machine was migrated from one server to another,
possibly triggered by some action of the system administrator,
allowing him to capture the network traffic.
Once home, he replayed the network traffic, and reinstantiated
the virtual machine, giving him access to all the data of the VM.

12. 12
Elements of Insider Threats
• An owner of an asset
• An inside entity that can access the asset
• The possibility that the insider might do something
with which the owner does not allowed it to do
– This might be the access to the asset, or some
action using the asset

13. 13
Possible Insider Threats
• Accidental Insider
– Ooops... I REALLY did not want that
• Malicious insider
– Motivation is to harm the organisation
– Or personal gain
• Unaware insider
– Could you just do this...
– Social engineered to do something

14. 14
Accidental Insider
• Hard to control
• But potentially catastrophic consequences
– Leaving door unlocked
– Sending confidential files
– ...

15. 15
Malicious Insider
• The "typical" insider
• Disgruntled employee
• Motivation, opportunity, abilities
• Often developing over time
• Motivation
– Harm the organisation, revenge
– Monetary gain
– Make a point

16. 16
Unaware Insider
• Is "convinced" by an attacker to perform an action
• Usually social engineering
• Believes to do "the right thing" or a favor
• Severe consequences
• Can be anything from opening a door, providing access,
installing something

17. 17
Can't we just detect them?

18. 18
Detecting Inside attacker is "easy"
• Need a concise model of human behaviour
• Dependencies on the surroundings,
• A sufficiently precise surveillance system, and
• An evaluation system, that can draw the necessary
conclusions from its input.
• Neither “easy” to realise, or in any form desirable.
• Lack techniques to model human behaviour.
• Surveillance systems depend on legal boundaries.

19. 19
Containing Insider Threats
• Three major components
– Identification of potential insider attackers
– Monitoring of operations
– Training of employees

20. 20
Identify Factors
• Important areas are legal frameworks, policies, and human
behaviour
• Goal: provide classifications of events and observations
• Analyse policies to determine short-comings, contradictions,
inconsistencies, and loopholes
– These are often exploited to realise insider attacks.

21. 21
Monitoring
• analyses the events in an organisation for signs of insider
threats
• Should be adapted to the expected level of threat and the
value of assets
• Challenge 1: ensure that the right data is collected, and that
the data can be analysed
• Challenge 2: differentiate legal actions by legal users, illegal
actions by legal users, and illegal actions by illegal users.
– How to deal with false positives/negatives?

22. 22
Training
• Important component in containing insider threats.
• Main goal: rising awareness for insider threats.
• Subgoals:
– Streamline policies, detect distortions, or sharpen alertness
• Tap into employees' knowledge about faulty policies and
workflows, insider threats, and counter measures

23. 23
Social Engineering
• Mix of science, psychology, and art.
• Skillfully maneuver somebody to take action or not in some
aspect of their life.
• Dress up as courier with heavy box, ask to open door;
• Telephone technician;
• Clorius technician;
• Santa Claus;
• Call employee, pretend to be from IT service; or many other.

24. 24
Social Engineering
• Works by building up a pretext.
• Goal:
– Make it likely that attack succeeds, and
– Give the victim a good reason to excuse their actions to
themselves.
• Heavy box;
• Construct scenario of urgency based on cover story; or
• Give reason to believe that you belong into the picture.

25. 25
How to defend against Social Engineering
• Perform physical security / social engineering tests.
• Teach your employees social engineering.
– The more they know, the easier they can identify them.
• Create a security awareness "program"
– Enforce regular training activities.
– Re-enact "typical" scenarios.
• Make employees aware of
– The value of assets, and
– The consequences of actions.

26. 26
Contact
Christian W Probst
DTU Compute
Richard Petersens Plads 324
2800 Kgs. Lyngby
Email cwpr@dtu.dk
Mobil +45 26 57 32 96