Uploaded bymilliemill
PPT, PDF1,115 views

Managing insider threat

Managing insider threats is a priority for organizations. Key aspects include establishing a strong security culture from the top-down through policies and regular reviews, identifying and monitoring high-risk employee behaviors, and implementing technical controls like access monitoring and honeypot approaches. Data-centric policies and identifying where sensitive data is located and who can access it are also important strategies for mitigating insider risks.

Embed presentation

Downloaded 59 times
Millie Law ACC626
Introduction Reasons Strategies Current Issues Conclusion
Definition Top 3 Macro Security Issues 69% of data breaches More costly than external breaches Cases
4 Risky Areas Damage Theft Deletion/Corruption Leakage
Assets attacked: Customer info Source code Business plans Trade secrets Internal business info Proprietary software
Not a priority 35% invest in internal security High impact, very low frequency Just a technology problem IT department should handle it
Security tone at the top Security conscious culture Top level policies Effective governance structure 2 teams: X-Team Exec Team Regular reviews
27% had financial difficulty 4 Types of lucrative data: Payment card data Authentication credentials Personal Info Intellectual Property Employee Assistance Program (EAP)
Unintentional behaviors Forgot to log off Failed to change passwords regularly Inappropriately discarding sensitive info Email (37% sensitive info leaked) Training & Education CERT’s 16 Best Practices Email Best Practices
Identify high-risk behaviors Federated Model Distribute responsibility across the hierarchy Central group: set common standards Business units: manage local executions Network Monitoring Approach Logical pairing of log files Log analysis Event correlation
1/3 surveyed abused access rights People Paradox “ Trusted” circle is the primary threat Legit access
Attribute-Based Group Access Control Model Based on access capabilities, not role-based
Identity Access Management (IAM) Centralized and automated controls Digital rights management technology Data tagged Real time access monitoring
Controls target external threats Firewall Intrusion detection system Electronic building access Honey Pot Approach Attract ‘unauthorized access’ w/ fictitious data
No specific type of high-risk attackers Not exclusive to IT personnel More technology savvy employees Manage: Employee screening process Accuracy: standardize presentation of records Hire external screening agency Not standalone strategy
Employee Traits
Organizations do not know how much data they have Increases legal and reputational liability High maintenance cost Data inventory project Take inventory of sensitive files Accurately record their location on the server Keep track of access rights to these files
Data Centric Policy Create data-flow diagrams Assess data loss risk Apply controls Formalize the data-centric policy
Globalization Multinational operating environments Lacks research study Virtual Work Environments Reliance on manual controls Lack of tested and practical strategies
Managing insider threat is a priority Tone at the top Policies and controls Strategies
&quot;Cyber-Ark; Cyber-Ark Global Survey Shows External Cyber-Security Risks Will Surpass Insider Threats. &quot; Investment Weekly News 30 Apr. 2011: ABI/INFORM Trade & Industry, ProQuest. Web. 9 May. 2011. &quot;DHS Immigration System Vulnerable To Insider Threats. &quot; Informationweek - Online 28 Feb. 2011: ABI/INFORM Global, ProQuest. Web. 9 May. 2011. Blades, M.. (2010, November). The Insider Threat. Security Technology Executive, 20(9), 32-33,35-37. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2233949191). Nunn-Price, J.. (2010, October). Public job cuts increase insider threat. Computer Weekly,12. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2198713041). Rajendra Chaudhary. (2009, August). ''The problem of insider threat exists within every organization''. Express Intelligent Enterprise. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1949260831). Warkentin, M., & Willison, R.. (2009). Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems: Special Issue: Behavioral and Policy Issues in Information, 18(2), 101-105. Retrieved May 9, 2011, from ABI/INFORM Global. (Document ID: 1751536561). - Loch K.D., Carr H.H. and Warkentin M.E. (1992) Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly 16 (2), 173-186. Secure Computing IT Director survey reveals &quot;insider threats&quot; as biggest organizational concern. (2008, June 12). Al Bawaba. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1493428881). Aldhizer III, George R. &quot;The Insider Threat.&quot; Internal Auditor 65.2 (2008): 71-73. Business Source Complete. EBSCO. Web. 9 May 2011. Fyffe, G.. (2008). Addressing the insider threat. Network Security, 2008(3), 11-14. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1574237321). Mike Heck. (2007, February). Surveying the Insider Threat Detection Landscape. InfoWorld, 29(8), 39. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1229181051). Moscaritolo, Angela. &quot;Verizon Report Finds Less Shrewd Attacks but More Breaches.&quot; SC Magazine (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=SCMAGA0020110420e74j00001&pp=1&fcpil=en&napc=S&sa_from=>. &quot;Data Security; More Than Half of IT Security Professionals Are Unsure Where Sensitive Files Are Located.&quot; Information Technology Newsweekly 131 (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=INTEWK0020110415e74j0003e&pp=1&fcpil=en&napc=S&sa_from=>. Noonan, Thomas, and Edmund Archuleta. &quot;The National Infrastructure Advisory Council's Final Report and Recommendation - The Insidr Threat to Critical Infrastructures.&quot; Department of Homeland Security. Web. 9 May 2011. <http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf>. Stolfo, Salvatore J. (Salvatore Joseph); Workshop on Insider Attack and Cyber Security (1st : 2007 : Washington, D.C.) New York : Springer c2008 Randazzo, Marisa, Michelle Keeney, Eileen Kowalski, Dawn Cappelli, and Andrew Moore. &quot;Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector.&quot; Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2005. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/reports/04tr021.cfm>. &quot;An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases.&quot; Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2011. Web. 3 May 2011. <http://www.cert.org/archive/pdf/11tn006.pdf>. Cappelli, Dawn, Andrew Moore, and Timothy Shimeall. &quot;Protecting against Insider Threat.&quot; Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymatters200702.cfm>. Cappelli, Dawn; Moore, Andrew; & Shimeall, Timothy. Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition. Pittsburgh, PA: Carnegie Mellon University CyLab, 2005. DeZabala, Ted. &quot;Lock It Up or Set It Free? A Risk Intelligent Approach to Data and Intellectual Property.&quot; Enterprise Risk Services. Issue 6. Deloitte, 2010. Web. 3 May 2011. <http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Deloitte%20Review/US_deloittereview_Lock_It_Up_Or_Set_It_Free_Jan10.pdf>. Grant, Ian. &quot;RSA 2008: Spot the Warning Signs of Insider Attacks.&quot; Computer Weekly, 2008. Web. 3 May 2011. <http://www.computerweekly.com/Articles/2008/04/10/230233/RSA-2008-spot-the-warning-signs-of-insider-attacks.htm>. Gelles, Michael, David Brant, and Brian Geffert. &quot;Building a Secure Workforce: Guard against Insider Threat.&quot; Enterprise Risk Services. Deloitte, 2008. Web. 3 May 2011. Westby, Jody, and Julia Allen. &quot;Governing for Enterprise Security (GES).&quot; Software Engineering Institute of Carnegie Mellon University., 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/download-report.cfm?pdf_name=07tn020.pdf&download=true>. Goodchild, Joan. &quot;What Security Can Learn from the $15M Sprint Employee Breach.&quot; CSO Magazine Online, 2010. Web. 3 May 2011. <http://www.csoonline.com/article/609363/what-security-can-learn-from-the-15m-sprint-employee-breach?source=rss_wireless_mobile_security>. Datardina, Malik, and Gerald Trites. &quot;CICA.&quot; Whitepaper: Data-centric Security (2009). Google Scholar. Web. 24 May 2011. <http://www.cica.ca/research-and-guidance/it-advisory-committee/publications/item33711.pdf>. Justin Myers, Michael R. Grimaila, and Robert F. Mills. 2009. Towards insider threat detection using web server logs. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, , Article 54 , 4 pages. DOI=10.1145/1558607.1558670 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558670 Michael D. Carroll. 2006. Information security: examining and managing the insider threat. In Proceedings of the 3rd annual conference on Information security curriculum development (InfoSecCD '06). ACM, New York, NY, USA, 156-158. DOI=10.1145/1231047.1231082 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1231047.1231082 William R. Claycomb and Dongwan Shin. 2010. Detecting insider activity using enhanced directory virtualization. In Proceedings of the 2010 ACM workshop on Insider threats (Insider Threats '10). ACM, New York, NY, USA, 29-36. DOI=10.1145/1866886.1866894 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1866886.1866894 Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates. 2008. We have met the enemy and he is us. In Proceedings of the 2008 workshop on New security paradigms (NSPW '08). ACM, New York, NY, USA, 1-12. DOI=10.1145/1595676.1595678 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1595676.1595678 Ignacio J. Martinez-Moyano, Eliot Rich, Stephen Conrad, David F. Andersen, and Thomas R. Stewart. 2008. A behavioral theory of insider-threat risks: A system dynamics approach. ACM Trans. Model. Comput. Simul. 18, 2, Article 7 (April 2008), 27 pages. DOI=10.1145/1346325.1346328 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1346325.1346328 Clive Blackwell. 2009. A security architecture to protect against the insider threat from damage, fraud and theft. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, , Article 45 , 4 pages. DOI=10.1145/1558607.1558659 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558659 Dattatreya Wed, Yesh. &quot;Building an Enterprise Security Program in Ten Simple Steps CIO.com.&quot; CIO.com. 15 Oct. 2008. Web. 30 June 2011. &quot;Email Best Practices.&quot; WVU Office of Information Technology. West Virginia University. Web. 30 June 2011. <http://oit.wvu.edu/email/bestpractices/>.

More Related Content

PDF
Dealing with Data Breaches Amidst Changes In Technology
byCSCJournals
 
PDF
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
byijcsit
 
PDF
The CISO’s Guide to Being Human
byClearswift
 
DOCX
Chapter 8 securing information systems MIS
byAmirul Shafiq Ahmad Zuperi
 
PDF
Ijnsa050201
byIJNSA Journal
 
PDF
Cyber security: challenges for society- literature review
byIOSR Journals
 
DOCX
Cybersecurity Business Risk, Literature Review
byEnow Eyong
 
PDF
wp-us-cities-exposed
byNumaan Huq
 
Dealing with Data Breaches Amidst Changes In Technology
byCSCJournals
 
AN EFFECTIVE METHOD FOR INFORMATION SECURITY AWARENESS RAISING INITIATIVES
byijcsit
 
The CISO’s Guide to Being Human
byClearswift
 
Chapter 8 securing information systems MIS
byAmirul Shafiq Ahmad Zuperi
 
Ijnsa050201
byIJNSA Journal
 
Cyber security: challenges for society- literature review
byIOSR Journals
 
Cybersecurity Business Risk, Literature Review
byEnow Eyong
 
wp-us-cities-exposed
byNumaan Huq
 

What's hot

PPTX
The Information Disruption Industry and the Operational Environment of the Fu...
byVincent O'Neil
 
PDF
Cyber security rule of use internet safely
byAlexander Decker
 
PPT
Gebm os presentation final
bysunnyjoshi88
 
PPTX
Session#7; securing information systems
byOmid Aminzadeh Gohari
 
PDF
McNair_Paper_Hill
byDennis Hill
 
PDF
Kaspersky: Global IT Security Risks
byConstantin Cocioaba
 
PPTX
Top cited managing information technology articles
byIJMIT JOURNAL
 
PDF
Julius Clark is Making Criminal Hackers Miserable
byJulius Clark, CISSP, CISA
 
PDF
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
byIJNSA Journal
 
PDF
8 - Securing Info Systems
byHemant Nagwekar
 
PDF
IRJET- Security Risk Assessment on Social Media using Artificial Intellig...
byIRJET Journal
 
PPT
Module0&1 intro-foundations-b
byBbAOC
 
PDF
Study and analysis of E-Governance Information Security (InfoSec) in Indian C...
byIOSRjournaljce
 
PPTX
Ethical Questions of Facial Recognition Technologies by Mika Nieminen
byMindtrek
 
PDF
Cloud computing advances in 2020
byAIRCC Publishing Corporation
 
PDF
Information Security for Small Business
byJulius Clark, CISSP, CISA
 
PDF
Fall2015SecurityShow
byAdam Heller
 
PDF
Ijsrp p5211
byVishvi Vidanapathirana
 
PDF
DOES DIGITAL NATIVE STATUS IMPACT END-USER ANTIVIRUS USAGE?
byIJCNCJournal
 
PDF
Key findings from information security survey at higher education institution...
byMajedahAlkharji
 
The Information Disruption Industry and the Operational Environment of the Fu...
byVincent O'Neil
 
Cyber security rule of use internet safely
byAlexander Decker
 
Gebm os presentation final
bysunnyjoshi88
 
Session#7; securing information systems
byOmid Aminzadeh Gohari
 
McNair_Paper_Hill
byDennis Hill
 
Kaspersky: Global IT Security Risks
byConstantin Cocioaba
 
Top cited managing information technology articles
byIJMIT JOURNAL
 
Julius Clark is Making Criminal Hackers Miserable
byJulius Clark, CISSP, CISA
 
INCIDENT RESPONSE PLAN FOR A SMALL TO MEDIUM SIZED HOSPITAL
byIJNSA Journal
 
8 - Securing Info Systems
byHemant Nagwekar
 
IRJET- Security Risk Assessment on Social Media using Artificial Intellig...
byIRJET Journal
 
Module0&1 intro-foundations-b
byBbAOC
 
Study and analysis of E-Governance Information Security (InfoSec) in Indian C...
byIOSRjournaljce
 
Ethical Questions of Facial Recognition Technologies by Mika Nieminen
byMindtrek
 
Cloud computing advances in 2020
byAIRCC Publishing Corporation
 
Information Security for Small Business
byJulius Clark, CISSP, CISA
 
Fall2015SecurityShow
byAdam Heller
 
Ijsrp p5211
byVishvi Vidanapathirana
 
DOES DIGITAL NATIVE STATUS IMPACT END-USER ANTIVIRUS USAGE?
byIJCNCJournal
 
Key findings from information security survey at higher education institution...
byMajedahAlkharji
 

Viewers also liked

PPTX
insider threat research
byAsma Al-maskaria
 
PDF
Countering insider threat attacks - CDE themed call launch 14 May 2013
byDefence and Security Accelerator
 
PPTX
Insider Threat Experiences
byNapier University
 
PDF
Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
byRaffael Marty
 
PPT
Internal Risk Management
byBarry Caplin
 
PPTX
Insider Threat Solution from GTRI
byZivaro Inc
 
insider threat research
byAsma Al-maskaria
 
Countering insider threat attacks - CDE themed call launch 14 May 2013
byDefence and Security Accelerator
 
Insider Threat Experiences
byNapier University
 
Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla
byRaffael Marty
 
Internal Risk Management
byBarry Caplin
 
Insider Threat Solution from GTRI
byZivaro Inc
 

Similar to Managing insider threat

PPTX
3.IS@Mohsin.pptx,.,,........,.............
bysalmannawaz6566504
 
PPT
The Inside Job: Detecting, Preventing and Investigating Data Theft
byCase IQ
 
PPTX
Security Advisories - SOC - Finannl.pptx
bymettildauthayakumar
 
PDF
IQ4 Final Presentation (1)
byChathura Wickramage
 
PDF
2011 SC Magazine Insider Threat Keynote
byJohn D. Johnson
 
PPTX
Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PPT
Accidental Insider
byBarry Caplin
 
PPTX
APT &amp; What we can do TODAY
byJames Ryan, CSyP, EA, PMP
 
PPTX
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
byBert Blevins
 
PDF
Internal Threats: The New Sources of Attack
byMekhi Da ‘Quay Daniels
 
PPTX
People are the biggest risk
byEvan Francen
 
PDF
Insider Threat Detection | 5 Tools to Protect Your Business.pdf
byTime Champ
 
PDF
Ht r32
bySelectedPresentations
 
PPTX
Insider Threat
byAndy Thompson
 
PPTX
Insider Threat Program: Comprehensive Protection from Within
byBert Blevins
 
PPTX
Managing Insider Threat
byiris_cheung
 
PPT
The Insider Threat
byillustro
 
PPTX
Privileged Access Management (PAM): Understanding and Mitigating Insider Secu...
byBert Blevins
 
PDF
_Insider Threat Prevention_ Protecting Your Business from Internal Risks
byRemoteDesk1
 
PPT
Ch10
byAli Khawaja
 
3.IS@Mohsin.pptx,.,,........,.............
bysalmannawaz6566504
 
The Inside Job: Detecting, Preventing and Investigating Data Theft
byCase IQ
 
Security Advisories - SOC - Finannl.pptx
bymettildauthayakumar
 
IQ4 Final Presentation (1)
byChathura Wickramage
 
2011 SC Magazine Insider Threat Keynote
byJohn D. Johnson
 
Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Accidental Insider
byBarry Caplin
 
APT &amp; What we can do TODAY
byJames Ryan, CSyP, EA, PMP
 
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat...
byBert Blevins
 
Internal Threats: The New Sources of Attack
byMekhi Da ‘Quay Daniels
 
People are the biggest risk
byEvan Francen
 
Insider Threat Detection | 5 Tools to Protect Your Business.pdf
byTime Champ
 
Ht r32
bySelectedPresentations
 
Insider Threat
byAndy Thompson
 
Insider Threat Program: Comprehensive Protection from Within
byBert Blevins
 
Managing Insider Threat
byiris_cheung
 
The Insider Threat
byillustro
 
Privileged Access Management (PAM): Understanding and Mitigating Insider Secu...
byBert Blevins
 
_Insider Threat Prevention_ Protecting Your Business from Internal Risks
byRemoteDesk1
 
Ch10
byAli Khawaja
 

Recently uploaded

PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Workflow and decision Automation with Flowable
bychakib ch
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 

Managing insider threat

  • 1.
  • 2.
    Introduction Reasons Strategies Current Issues Conclusion
  • 3.
    Definition Top 3Macro Security Issues 69% of data breaches More costly than external breaches Cases
  • 4.
    4 Risky AreasDamage Theft Deletion/Corruption Leakage
  • 5.
    Assets attacked: Customerinfo Source code Business plans Trade secrets Internal business info Proprietary software
  • 6.
    Not a priority 35% invest in internal security High impact, very low frequency Just a technology problem IT department should handle it
  • 7.
    Security tone atthe top Security conscious culture Top level policies Effective governance structure 2 teams: X-Team Exec Team Regular reviews
  • 8.
    27% had financialdifficulty 4 Types of lucrative data: Payment card data Authentication credentials Personal Info Intellectual Property Employee Assistance Program (EAP)
  • 9.
    Unintentional behaviors Forgotto log off Failed to change passwords regularly Inappropriately discarding sensitive info Email (37% sensitive info leaked) Training & Education CERT’s 16 Best Practices Email Best Practices
  • 10.
    Identify high-risk behaviorsFederated Model Distribute responsibility across the hierarchy Central group: set common standards Business units: manage local executions Network Monitoring Approach Logical pairing of log files Log analysis Event correlation
  • 11.
    1/3 surveyed abusedaccess rights People Paradox “ Trusted” circle is the primary threat Legit access
  • 12.
    Attribute-Based Group AccessControl Model Based on access capabilities, not role-based
  • 13.
    Identity Access Management(IAM) Centralized and automated controls Digital rights management technology Data tagged Real time access monitoring
  • 14.
    Controls target externalthreats Firewall Intrusion detection system Electronic building access Honey Pot Approach Attract ‘unauthorized access’ w/ fictitious data
  • 15.
    No specific typeof high-risk attackers Not exclusive to IT personnel More technology savvy employees Manage: Employee screening process Accuracy: standardize presentation of records Hire external screening agency Not standalone strategy
  • 16.
  • 17.
    Organizations do notknow how much data they have Increases legal and reputational liability High maintenance cost Data inventory project Take inventory of sensitive files Accurately record their location on the server Keep track of access rights to these files
  • 18.
    Data Centric PolicyCreate data-flow diagrams Assess data loss risk Apply controls Formalize the data-centric policy
  • 19.
    Globalization Multinational operatingenvironments Lacks research study Virtual Work Environments Reliance on manual controls Lack of tested and practical strategies
  • 20.
    Managing insider threatis a priority Tone at the top Policies and controls Strategies
  • 21.
    &quot;Cyber-Ark; Cyber-Ark GlobalSurvey Shows External Cyber-Security Risks Will Surpass Insider Threats. &quot; Investment Weekly News 30 Apr. 2011: ABI/INFORM Trade & Industry, ProQuest. Web. 9 May. 2011. &quot;DHS Immigration System Vulnerable To Insider Threats. &quot; Informationweek - Online 28 Feb. 2011: ABI/INFORM Global, ProQuest. Web. 9 May. 2011. Blades, M.. (2010, November). The Insider Threat. Security Technology Executive, 20(9), 32-33,35-37. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2233949191). Nunn-Price, J.. (2010, October). Public job cuts increase insider threat. Computer Weekly,12. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2198713041). Rajendra Chaudhary. (2009, August). ''The problem of insider threat exists within every organization''. Express Intelligent Enterprise. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1949260831). Warkentin, M., & Willison, R.. (2009). Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems: Special Issue: Behavioral and Policy Issues in Information, 18(2), 101-105. Retrieved May 9, 2011, from ABI/INFORM Global. (Document ID: 1751536561). - Loch K.D., Carr H.H. and Warkentin M.E. (1992) Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly 16 (2), 173-186. Secure Computing IT Director survey reveals &quot;insider threats&quot; as biggest organizational concern. (2008, June 12). Al Bawaba. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1493428881). Aldhizer III, George R. &quot;The Insider Threat.&quot; Internal Auditor 65.2 (2008): 71-73. Business Source Complete. EBSCO. Web. 9 May 2011. Fyffe, G.. (2008). Addressing the insider threat. Network Security, 2008(3), 11-14. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1574237321). Mike Heck. (2007, February). Surveying the Insider Threat Detection Landscape. InfoWorld, 29(8), 39. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1229181051). Moscaritolo, Angela. &quot;Verizon Report Finds Less Shrewd Attacks but More Breaches.&quot; SC Magazine (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=SCMAGA0020110420e74j00001&pp=1&fcpil=en&napc=S&sa_from=>. &quot;Data Security; More Than Half of IT Security Professionals Are Unsure Where Sensitive Files Are Located.&quot; Information Technology Newsweekly 131 (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=INTEWK0020110415e74j0003e&pp=1&fcpil=en&napc=S&sa_from=>. Noonan, Thomas, and Edmund Archuleta. &quot;The National Infrastructure Advisory Council's Final Report and Recommendation - The Insidr Threat to Critical Infrastructures.&quot; Department of Homeland Security. Web. 9 May 2011. <http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf>. Stolfo, Salvatore J. (Salvatore Joseph); Workshop on Insider Attack and Cyber Security (1st : 2007 : Washington, D.C.) New York : Springer c2008 Randazzo, Marisa, Michelle Keeney, Eileen Kowalski, Dawn Cappelli, and Andrew Moore. &quot;Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector.&quot; Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2005. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/reports/04tr021.cfm>. &quot;An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases.&quot; Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2011. Web. 3 May 2011. <http://www.cert.org/archive/pdf/11tn006.pdf>. Cappelli, Dawn, Andrew Moore, and Timothy Shimeall. &quot;Protecting against Insider Threat.&quot; Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymatters200702.cfm>. Cappelli, Dawn; Moore, Andrew; & Shimeall, Timothy. Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition. Pittsburgh, PA: Carnegie Mellon University CyLab, 2005. DeZabala, Ted. &quot;Lock It Up or Set It Free? A Risk Intelligent Approach to Data and Intellectual Property.&quot; Enterprise Risk Services. Issue 6. Deloitte, 2010. Web. 3 May 2011. <http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Deloitte%20Review/US_deloittereview_Lock_It_Up_Or_Set_It_Free_Jan10.pdf>. Grant, Ian. &quot;RSA 2008: Spot the Warning Signs of Insider Attacks.&quot; Computer Weekly, 2008. Web. 3 May 2011. <http://www.computerweekly.com/Articles/2008/04/10/230233/RSA-2008-spot-the-warning-signs-of-insider-attacks.htm>. Gelles, Michael, David Brant, and Brian Geffert. &quot;Building a Secure Workforce: Guard against Insider Threat.&quot; Enterprise Risk Services. Deloitte, 2008. Web. 3 May 2011. Westby, Jody, and Julia Allen. &quot;Governing for Enterprise Security (GES).&quot; Software Engineering Institute of Carnegie Mellon University., 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/download-report.cfm?pdf_name=07tn020.pdf&download=true>. Goodchild, Joan. &quot;What Security Can Learn from the $15M Sprint Employee Breach.&quot; CSO Magazine Online, 2010. Web. 3 May 2011. <http://www.csoonline.com/article/609363/what-security-can-learn-from-the-15m-sprint-employee-breach?source=rss_wireless_mobile_security>. Datardina, Malik, and Gerald Trites. &quot;CICA.&quot; Whitepaper: Data-centric Security (2009). Google Scholar. Web. 24 May 2011. <http://www.cica.ca/research-and-guidance/it-advisory-committee/publications/item33711.pdf>. Justin Myers, Michael R. Grimaila, and Robert F. Mills. 2009. Towards insider threat detection using web server logs. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, , Article 54 , 4 pages. DOI=10.1145/1558607.1558670 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558670 Michael D. Carroll. 2006. Information security: examining and managing the insider threat. In Proceedings of the 3rd annual conference on Information security curriculum development (InfoSecCD '06). ACM, New York, NY, USA, 156-158. DOI=10.1145/1231047.1231082 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1231047.1231082 William R. Claycomb and Dongwan Shin. 2010. Detecting insider activity using enhanced directory virtualization. In Proceedings of the 2010 ACM workshop on Insider threats (Insider Threats '10). ACM, New York, NY, USA, 29-36. DOI=10.1145/1866886.1866894 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1866886.1866894 Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates. 2008. We have met the enemy and he is us. In Proceedings of the 2008 workshop on New security paradigms (NSPW '08). ACM, New York, NY, USA, 1-12. DOI=10.1145/1595676.1595678 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1595676.1595678 Ignacio J. Martinez-Moyano, Eliot Rich, Stephen Conrad, David F. Andersen, and Thomas R. Stewart. 2008. A behavioral theory of insider-threat risks: A system dynamics approach. ACM Trans. Model. Comput. Simul. 18, 2, Article 7 (April 2008), 27 pages. DOI=10.1145/1346325.1346328 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1346325.1346328 Clive Blackwell. 2009. A security architecture to protect against the insider threat from damage, fraud and theft. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, , Article 45 , 4 pages. DOI=10.1145/1558607.1558659 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558659 Dattatreya Wed, Yesh. &quot;Building an Enterprise Security Program in Ten Simple Steps CIO.com.&quot; CIO.com. 15 Oct. 2008. Web. 30 June 2011. &quot;Email Best Practices.&quot; WVU Office of Information Technology. West Virginia University. Web. 30 June 2011. <http://oit.wvu.edu/email/bestpractices/>.

Editor's Notes

  • #2 Hi everyone this is Millie Law and today’s topic is managing insider threat
  • #3 Our agenda is first to introduce and define insider threat Then I will talk about the key risk factors and the according managing strategies I will talk about the current issues facing insider risk management and then I will give the conclusion
  • #4 Insider threat is defined as attacks from within the organization by individuals who have unintentionally or intentionally caused the loss of organizational assets Insider threat is identified as one of the top three macro security issues today for organizations. insiders were responsible for 69% of database breaches. In the 2010 e-Crime Survey, relative to external breaches, incidents of insider attack are often more costly to organizations. A Sprint employee who cloned customer data using a low-tech breach technique had caused Sprint to lose US$15M and to lay off 80 employees. Additionally, $700M loss was caused by a complex financial fraud committed by an insider in a financial institution
  • #5 Deloitte UK identified four major areas that are susceptible to insider threat, including (1) Damage and (2) Theft of key assets and critical equipment (3) Massive deleting/corrupting files and records (4) Exposure and leakage of information that is sensitive
  • #7 Researchers have shown that C-suite executives lack insight and understanding of insider threat and its implications, such as decrease in competitiveness, efficiency, compliance, and security. Mitigation of insider threats is often not a top priority for executives because they see it as a “high impact, very low-frequency issue According to the Secure Computing IT Director Survey, only 35% of the organizations surveyed placed internal security as a priority in planned investment despite the economic downturn. According to a Deloitte survey for Fortune 1000 companies, 9 of 10 executives believed that security and privacy are primarily a technology problem, so they believe the IT department should take full responsibility for finding a solution The technical manager of Computer Emergency Response Team (CERT) exclaimed that it has been difficult to convince the C-suite executives that insider threat is not just an IT problem. This implies that executives do not understand that insider threat pervades the business process and that is not just a technology problem
  • #8 The Enterprise Security Program (ESP) is an effective system which directs an organization to establish the security tone at the top. The objective of the ESP is the sustainability of a pervasive culture of security in the organization’s beliefs, behaviors, capabilities, and actions. This is achieved by implementing top-level policies and an effective governance structure The executive team sets up top-level security policies, establishes the risk thresholds for the organization, obtains funds for the ESP, and creates the X-team. The X-team comprises of sub-teams which are responsible for day-to-day IT security operations The executive team and the X-team should focus on conducting regular reviews of processes that are governed by the policies described above for their effectiveness and efficiency.
  • #9 More than 27% of insiders studied stated that they were experiencing financial difficulty when the incident occurred. For instance, a cell phone number is sold for £10.00 each ron the black market according to the FBI. There are four types of data which are quite lucrative and are often stolen by insiders Since individual financial crisis is usually the motivating factor behind insider attacks, organizations should not underestimate the return on investments in employee assistance programs (EAP), according to a study conducted by Deloitte. An effective and well-funded EAP provides guidance and support to employees, emotionally and financially. When an employee who is facing financial crisis is helped by the program provided by the organization, it prevents employees from compromising their organization’s information for financial gain.
  • #10 Lack of education and awareness remains an obstacle in mitigiting insider risk. The insider risk is introduced by employees that lack the motivation and awareness to vigorously protect the integrity and the privacy of sensitive information of the stakeholders. Information system risks can be caused by unintentional behaviors, such as forgetting to log off a workstation, failure to change passwords regularly, and inappropriately discarding of sensitive information. In 2007, more than 37% organizations experienced leakage of sensitive information through emails. In order to reduce information system risks caused by unintentional behaviors, management is responsible for identifying areas with high risk exposure and providing education. CERT’s 16 Best Practices are defensive measures to prevent or facilitate early detection of insider incidents.
  • #11 Ineffective identity management, which relates to lack of accountability of access activities, increases insider risk. In order to gather information on insider threat detection pertaining to a specific organization, log collection and event correlation analysis are imperative in identifying high-risk behaviors. Any suspicious behavior, such as above average use of company’s network, should be detected, monitored, reported, and investigated The Federated Model is adopted by many large global corporations to distribute responsibility across the company’s hierarchy, ensuring that people are accountable for the safety and protection of the organization’s assets. This model has a centralized group responsible for setting common standards and coordinating functions, while business units manage ‘local’ executions. However, this model may not be suitable for small businesses, where owner-manager oversight serves as the primary risk mitigation strategy to the insider threat. Smaller organizations can consider using log management techniques with the network monitoring approach, where log files go through logical pairing, followed by log analysis and event correlation
  • #12 A third of organizations have reported that employees have abused their access rights, either intentionally or accidentally The people paradox states that people within the ‘trusted’ circle of the organization are the primary threat to the organization’s assets. This paradox applies to the fact that employees are trusted by the organization with their access privileges, but many have breached the trust by misusing them.
  • #13 The attribute based model defines insiders based on access attributes. The defined groups are categorized based on access capabilities, and identifies high-risk users to high-risk resources Since the users are grouped by their ability to access organizational resources using the Attributed based model, security personnel can focus on monitoring those that pose the most threat to the organization.
  • #14 Another approach to mitigate insider threat caused by misused access privileges is “Identity Access Management” (IAM). IAM is the implementation of centralized and automated controls that enforce security policies by monitoring employee and third-party access and use of sensitive data in real time across multiple databases in different locations. IAM uses internal auditing to determine, amongst the stakeholders, the information that needs to be protected the most, and what kind of database application is used for storage. After defining what it means by sensitive data, stakeholders must agree to this common definition. These data are then tagged and consolidated within centralized servers protected by encryption and physical security measures. IAM applies digital rights management technology to control whether this information can be transferred outbound of the server, while balancing the need for employees to complete their job responsibilities
  • #15 Insiders have significant advantage over external attackers since insiders can bypass physical and logical security measures designed to prevent unauthorized access. Most insider attackers are aware of their insider advantage, such as vulnerabilities in internal controls, systems, and networks. Employees have realized that control mechanisms such as firewalls, intrusion-detection systems, and electronic building-access systems are usually geared towards defending against external threats. The risk of unauthorized access within the organization may be mitigated by the Honey Pot approach, which is a relatively new strategy in dealing with insider threat. Fictitious data such as credit card numbers, social security numbers, and documents are put into this ‘honey pot’ to attract unauthorized access. These unauthorized access attempts are then recorded and would be followed by punitive managerial decisions
  • #16 According to the “Insider Threat Study”, insiders held different positions in the organization – there was no specific type of high-risk attackers. Contrary to the perception that the IT department is most likely to snoop around confidential information It should be stressed that the insider threat is not exclusive to IT personnel, because employees are now more technologically savvy. The employee screening process should include the best available criminal history records. To ensure accuracy, organizations can standardize the presentation of these records or hire an external agency for screening. However, background checking will not completely remove insider threat, as most attackers come to the organization without a criminal background. Hence, the screening is not a standalone process and is only effective when complemented with other security measures.
  • #17 However, there are general traits which high-risk employees can identify – but security professionals should not generalize these traits but only use them as a reference source. When hiring, employers should make reference to the characteristics of a Risk-indicator and Risk-mitigator as they show the potential an employee to conduct an insider attack. Organizations should also look for competencies such as accountability and integrity for a secure workforce
  • #18 Many organizations today have silo’ed physical and information system architecture. It is expensive to integrate and coordinate between physical and cyber infrastructure and assets; hence, companies shy away from this investment which increases the risk of combined fraud and theft of these properties. The risk is further increased when the organizations do not know how much data they have. For instance, only 18% of the 150 IT security professionals surveyed were certain of the exact number of sensitive files in their organizations Since maintaining these data creates significant cost for collection and storage, and carries huge potential costs in legal responsibilities, companies should conduct data inventory projects and modify their systems architecture for leaner data inventory and more efficient architecture for cost and legal liability risk reduction. The recommended data inventory project comprises of the following steps: Take inventory of sensitive files Accurately record their location on the server Keep track of access rights to these files By doing the above, the organization would be able to guard against insider threat by timely detection of the addition, removal, and improper access of these sensitive data. It should be noted that a comprehensive data inventory project must be acted on before an adverse event in order to maximize its benefits.
  • #19 In addition to the data inventory project, companies should implement the data-centric policy which would focus managers, auditors, and other parties to be involved in securing data under the mobile environment.
  • #20 The trend for globalization has increased insider risk in multinational operating environments, especially when these environments lack guidance on how to protect against insider threats. Current research studies lack validity in international environments. Also, globalization complicates the issue of trust, and the technology and business process collaboration The insider risk regarding virtual work environment is increased as many organizations still use and rely on policies and manual controls to review user administration, segregation of duties, etc. However, the issue is that there are a lack of tested and practical strategies to minimize insider threat for these ‘cloud-based’ work environments.
  • #21 Managing insider threat should be a priority, especially for C-suite executives when they are the one responsible to institute a security conscious tone at the top – There are best practicses guidelines and various managing strategies which small to large organizations can use to establish policies and control procedures to address the risk factors. This concludes my presentation Thanks for listening