2. Overview
What are Insider Threats?
Employee mistakes that create threats
Three Kinds of Insider Threats
Source of Visibility
Internal Visibility
IT Sabotage
Combating Insider Threat is a multidisciplinary challenge
Conclusion
3. What are Insider Threats?
An insider threat is a malicious threat to an organization that comes from
the following people within the organization:
◦ Employees
◦ Former employees
◦ Contractors
◦ Business associates
◦ Anyone who has inside information concerning the organization's
security practices, data and computer systems.
4. Employee mistakes that create threats
PASSWORD HANDLING
• Shoulder Surfing:- When a person looks over another person's shoulder
and watches keystrokes, or watches data as it appears on the screen, in
order to uncover information in an unauthorized manner.
• Dumpster Diving:- When a password is very hard to remember, the user
writes it down, sometimes on a piece of paper that ends up in the
garbage without being destroyed. The intruder would have to gain physical
access to the premises, but the area where the garbage is kept is usually
not highly guarded.
5. Three Kinds of Insider Threats
Negligent Insiders
• Employees who accidentally expose data.
Malicious Insiders
• Employees who intentionally expose data.
Compromised Insiders
• Employees whose access credentials or personal computers have been
compromised by an outside attacker.
6. Three Kinds of Insider Threats
Negligent Insiders
• Prevention
◦ Access controls
◦ Encryption of data at rest
◦ DRM?
◦ Education
Malicious Insiders
• Prevention
◦ Access Controls
◦ Checks and Balances
• Detection
◦ Management Training
◦ Monitoring
Compromised Insiders
• Detection
8. Source of Visibility
Firewall logs
• Are you logging everything or just denies?
Internal & Host IPS systems
• HIPS potentially has a lot of breadth
• Can be expensive to deploy
• Signature based
Log Management Solutions/SIEM
• Are you collecting everything?
• You can only see what gets logged
Netflow
• Lots of breadth, less depth
• Lower disk space requirements
Full Packet Capture
• Deep but not broad
• Expensive
• High disk space requirements
10. Internal Visibility with NetFlow
(Diagram: NetFlow exported from the Internet edge, DMZ, VPN, 3G/Internet links and the
internal network to a central NetFlow Collector. NetFlow record fields shown: start time,
end time, mac address, byte count, and more.)
11. IT Sabotage
Targeted monitoring of employees who are “on the HR radar”
Access after termination (!) (accounts or open sessions)
Unusual Access
◦ Times
◦ Devices
◦ Source Addresses
◦ Destination Addresses
◦ Mismatches
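A minimal triage of the signals on this slide, as an added example that is not part of the original deck: the login records, HR termination dates, watch list and per-user baselines are all constructed, and the rule names are my own.

```python
from datetime import datetime, date

# Constructed sample login records (timestamp, user, source address, device id).
SAMPLE_LOGINS = """
2024-03-04T09:12:00 alice 10.1.4.22 LAPTOP-A1
2024-03-04T02:47:00 alice 203.0.113.9 LAPTOP-A1
2024-03-05T10:03:00 bob 10.1.4.40 LAPTOP-B7
2024-03-06T11:30:00 carol 10.1.5.8 LAPTOP-C3
""".strip().splitlines()

# Constructed HR data: termination dates and users "on the HR radar".
TERMINATED = {"carol": date(2024, 3, 5)}
HR_WATCHLIST = {"bob"}

# Constructed per-user baseline: usual hours, known source addresses and devices.
BASELINE = {
    "alice": {"hours": (8, 18), "sources": {"10.1.4.22"}, "devices": {"LAPTOP-A1"}},
    "bob": {"hours": (8, 18), "sources": {"10.1.4.40"}, "devices": {"LAPTOP-B7"}},
    "carol": {"hours": (8, 18), "sources": {"10.1.5.8"}, "devices": {"LAPTOP-C3"}},
}

def parse_login(line):
    ts, user, src, dev = line.split()
    return datetime.fromisoformat(ts), user, src, dev

def check_login(ts, user, src, dev):
    """Return the names of the rules this login trips (empty list if nothing unusual)."""
    findings = []
    term = TERMINATED.get(user)
    if term and ts.date() >= term:          # account still usable after termination
        findings.append("access-after-termination")
    base = BASELINE.get(user)
    if base:
        start, end = base["hours"]
        if not (start <= ts.hour < end):    # unusual time
            findings.append("unusual-time")
        if src not in base["sources"]:      # unusual source address
            findings.append("unusual-source")
        if dev not in base["devices"]:      # unusual device
            findings.append("unusual-device")
    if user in HR_WATCHLIST:                # targeted monitoring: always surface for review
        findings.append("hr-watchlist")
    return findings

def triage(lines):
    """Map each flagged login line to its findings; clean logins are omitted."""
    results = {}
    for line in lines:
        ts, user, src, dev = parse_login(line)
        hits = check_login(ts, user, src, dev)
        if hits:
            results[line] = hits
    return results
```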
12. Combating Insider Threat is a multidisciplinary challenge
IT cannot address insider threat by itself
◦ People have a tendency to think that IT is solely responsible for all computer security issues.
Legal: Are policies in place? Are they realistic? Does legal support IT practices?
HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
IT: Is the privacy of end users adequately protected?
What impact on workplace harmony are policies, monitoring, and enforcement having?
Are you applying policies consistently?
(Diagram: overlapping circles of IT, HR and Legal.)
13. Conclusion
There are three kinds of insider threat
• Negligent Insiders
• Malicious Insiders
• Compromised Insiders
Managing the problem involves
• Logs, Logs, Logs
• Visibility into the internal network
• A multidisciplinary team