© 2008 Carnegie Mellon University
Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad
Dawn Cappelli
October 31, 2008
TRUE STORY: Personal information stolen for millions of customers of phone companies, credit card companies and banks …
Companies contracted with a consumer data organization, which hired a data mining organization, whose system administrator stole the data.
TRUE STORY: Emergency services are forced to rely on manual address lookups for 911 calls on a Friday night …
An employee sabotages the system and steals all backup tapes.
TRUE STORY: Financial institution discovers $691 million in losses ...
Covered up for 5 years by a trusted employee.
Agenda
Introduction
How bad is the insider threat?
Background on CERT’s insider threat research
Brief overview of findings from our research
Tools for preventing or detecting insider threats
What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today
Located in the Software Engineering Institute (SEI)
• Federally Funded Research & Development Center (FFRDC)
• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
CERT’s Definition of Malicious Insider
Current or former employee, contractor, or business partner who
o has or had authorized access to an organization’s network, system or data and
o intentionally exceeded or misused that access in a manner that
o negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Note: This presentation does not address national security espionage involving classified information.
2007 e-Crime Watch Survey
CSO Magazine, USSS, Microsoft, & CERT
671 respondents
[Chart: Percentage of Participants Who Experienced an Insider Incident, by year (2004, 2005, 2006, 2007). The data labels on the chart read, in that order: 41, 39, 55, 49.]
CERT’s Insider Threat Research
Insider Threat Cases Database
Hundreds of cases have been analyzed
• US cases from 1996 to 2007 in critical infrastructure sectors
• US Secret Service
• Carnegie Mellon CyLab
• Department of Defense
Data includes both technical & behavioral information
Breakdown of Insider Threat Cases in CERT Database
[Chart: number of cases per category. Categories: Theft or Modification for Financial Gain, Theft for Business Advantage, IT Sabotage, Misc. The bar labels on the chart read 76, 24, 74 and 17; the percentages on the next slide give the share of each category.]
Comparison of Insider Crimes - 1

| | IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage |
|---|---|---|---|
| % of crimes in case database | 45% | 44% | 14% |
| Current or former employee? | Former | Current | Current (95% resigned) |
| Type of position | Technical (e.g. sys admins or DBAs) | Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service) | Technical (71%): scientists, programmers, engineers; Sales (29%) |
| Gender | Male | Fairly equally split between male and female | Male |
Comparison of Insider Crimes - 2

| | IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage |
|---|---|---|---|
| Target | Network, systems, or data | PII or customer information | IP (trade secrets): 71%; customer info: 33% |
| Access used | Unauthorized | Authorized | Authorized |
| When | Outside normal working hours | During normal working hours | During normal working hours |
| Where | Remote access | At work | At work |
| Recruited by outsiders | None | ½ recruited for theft; less than 1/3 recruited for modification | Less than 1/4 |
| Collusion | None | Modification: almost ½ colluded with another insider; Theft: 2/3 colluded with outsiders | Almost ½ colluded with at least one insider; ½ acted alone; 25% stole for a foreign government/organization |
What Can You Do?
Review CERT’s Common Sense Guide to Prevention and Detection of Insider Threats
http://www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf
Version 3 to be published in January 2009
Tools for Preventing or Detecting Insider Threats
Change Control
Help to prevent or detect:
• Planting or downloading of malicious code or unauthorized software
• Unauthorized modification of critical files
• Unauthorized changes to source code
• Unauthorized installation of hardware devices
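The "unauthorized modification of critical files" item above (and the "automated data integrity checks" listed under Others later in the deck) both come down to comparing the current state of files against a known-good baseline and asking whether each difference has an approved change behind it. The following is an added illustration, not code from the slides or from CERT: it baselines a directory with SHA-256 digests, re-scans it, and reports differences that do not appear on a constructed allow-list of approved changes. The temporary directory, file names and the approved-change set are all constructed for the demo.

```python
"""Added example (not from the CERT slides): a minimal file-integrity check of
the kind a change-control process relies on. A baseline of SHA-256 digests is
taken for a set of files; a later scan reports files that were modified,
added or removed without a matching entry in the approved-change list."""
import hashlib
import os
import tempfile


def digest(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (as a forward-slash relative path) to its digest."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest(full)
    return result


def compare(baseline, current, approved_changes=frozenset()):
    """Return the differences between two snapshots that were not pre-approved.

    approved_changes is the set of relative paths that a change ticket covers;
    anything else that changed is reported for review."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)

    def unapproved(paths):
        return [p for p in paths if p not in approved_changes]

    return {"modified": unapproved(modified), "added": unapproved(added), "removed": unapproved(removed)}


def demo():
    """Build a throwaway tree, baseline it, apply one approved and two
    unapproved changes, and return what the integrity check reports."""
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(etc, "users.txt"), "w") as f:
            f.write("alice\nbob\n")
        baseline = snapshot(root)

        # Approved change: app.conf is covered by a ticket (constructed allow-list).
        with open(os.path.join(etc, "app.conf"), "w") as f:
            f.write("debug=true\n")
        # Unapproved changes: an extra user and a new scheduled-task file.
        with open(os.path.join(etc, "users.txt"), "a") as f:
            f.write("newuser\n")
        with open(os.path.join(etc, "cron.extra"), "w") as f:
            f.write("0 3 * * * /usr/local/bin/report\n")

        current = snapshot(root)
        return compare(baseline, current, approved_changes={"etc/app.conf"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline would be stored somewhere the monitored hosts cannot rewrite and the approved-change set would be fed from the change-control system; the comparison logic stays the same.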
Data Leakage Tools
Help to prevent or detect accidental or intentional leakage of confidential information via:
• Emails
• Documents
• Printing, copying, or downloading
• Removable media
Network/Employee Monitoring Tools
Help to detect:
• Unauthorized access
• Suspicious activity around resignation
• Unauthorized escalation of privileges
• Anomalous user activity
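The comparison tables earlier in the deck give a monitoring tool something concrete to look for: sabotage cases cluster around former or departing employees, outside normal working hours, over remote access, often using unauthorized means. The script below is an added example, not code from the slides or from CERT, showing how a few such rules can be run over audit records. The log lines, user names, IP ranges, the HR resignation feed, the working-hours window and the failed-login threshold are all constructed for illustration; a real tool would take them from the SIEM, the HR system and local policy.

```python
"""Added example (not from the CERT slides): simple correlation rules a
monitoring tool might apply to authentication and privilege logs to surface
the patterns the slides describe: activity around resignation, privilege
escalation, off-hours or remote access, and repeated failed logins."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit records: "<timestamp> user=<u> src=<ip> event=<e> key=value ..."
SAMPLE_LOG = """\
2008-10-20T09:12:04 user=jsmith src=10.1.4.22 event=login result=success
2008-10-20T09:40:31 user=jsmith src=10.1.4.22 event=file_read path=/srv/cust/db.csv
2008-10-27T23:41:10 user=jsmith src=198.51.100.7 event=login result=success
2008-10-27T23:42:55 user=jsmith src=198.51.100.7 event=sudo cmd=/usr/sbin/useradd
2008-10-28T10:02:17 user=mlee src=10.1.4.31 event=login result=failure
2008-10-28T10:02:25 user=mlee src=10.1.4.31 event=login result=failure
2008-10-28T10:02:33 user=mlee src=10.1.4.31 event=login result=failure
2008-10-28T10:02:41 user=mlee src=10.1.4.31 event=login result=failure
2008-10-28T10:02:49 user=mlee src=10.1.4.31 event=login result=failure
2008-10-28T10:03:01 user=mlee src=10.1.4.31 event=login result=success
"""

# Constructed HR feed: users who have given notice and the date of the notice.
RESIGNATION_NOTICES = {"jsmith": datetime(2008, 10, 24)}

WORK_HOURS = range(7, 20)            # 07:00-19:59 counts as normal working hours (assumed policy)
INTERNAL_NETS = ("10.",)             # anything else is treated as remote access (assumed)
FAILED_LOGIN_THRESHOLD = 5           # assumed threshold
ESCALATION_EVENTS = {"sudo", "group_add", "privilege_grant"}


def parse_line(line):
    """Split one record into a dict of fields with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return rec


def analyse(log_text, notices, window_days=30):
    """Return a sorted list of (user, rule) alerts found in the log text."""
    alerts = set()
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        user = r["user"]
        notice = notices.get(user)
        # Activity in the window after notice was given deserves closer review.
        after_notice = (notice is not None
                        and notice <= r["ts"] <= notice + timedelta(days=window_days))
        off_hours = r["ts"].hour not in WORK_HOURS
        remote = not r["src"].startswith(INTERNAL_NETS)

        if after_notice and (off_hours or remote):
            alerts.add((user, "post-resignation off-hours/remote access"))
        if r["event"] in ESCALATION_EVENTS:
            rule = "privilege escalation"
            if after_notice:
                rule += " after resignation notice"
            alerts.add((user, rule))
        if r["event"] == "login":
            if r.get("result") == "failure":
                failures[user] += 1
                if failures[user] >= FAILED_LOGIN_THRESHOLD:
                    alerts.add((user, "repeated failed logins"))
            else:
                failures[user] = 0   # a success resets the streak
    return sorted(alerts)


if __name__ == "__main__":
    for user, rule in analyse(SAMPLE_LOG, RESIGNATION_NOTICES):
        print(f"{user}: {rule}")
```

The value of the HR feed is visible in the output: without it, the late-night remote login is just an off-hours login, and the `sudo` is just a privileged command; with it, both become events tied to a departing employee, which is exactly the combination the sabotage column of the comparison table describes.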
Identity Management Systems
Help to:
• Prevent creation of, or detect usage of, backdoor accounts
• Implement and maintain access control
• Disable all access upon termination
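Two of the three items above reduce to the same periodic check: every account on a system should trace back to a current person (or a documented service), and every separated person should have no enabled account left. The following is an added example, not code from the slides or from CERT, that reconciles a constructed account export against a constructed HR roster and reports accounts enabled after termination, accounts with no HR owner (candidate backdoor accounts), and accounts created by a departing user shortly before separation. The roster, account export, dates and the allow-list of approved non-human accounts are all constructed.

```python
"""Added example (not from the CERT slides): reconcile system accounts
against the HR roster to find conditions an identity management system
should catch. All data below is constructed for illustration."""
from datetime import date

# Constructed HR roster: username -> (status, separation date or None)
HR_ROSTER = {
    "jsmith": ("terminated", date(2008, 10, 31)),
    "mlee":   ("active", None),
    "rgupta": ("active", None),
}

# Constructed account export: username -> attributes
ACCOUNTS = {
    "jsmith":  {"enabled": True,  "created_by": "provisioning", "created": date(2005, 3, 1)},
    "mlee":    {"enabled": True,  "created_by": "provisioning", "created": date(2006, 7, 9)},
    "rgupta":  {"enabled": True,  "created_by": "provisioning", "created": date(2007, 1, 15)},
    "svc_bkp": {"enabled": True,  "created_by": "jsmith",       "created": date(2008, 10, 29)},
    "tmp01":   {"enabled": False, "created_by": "jsmith",       "created": date(2008, 10, 29)},
}

# Documented service accounts that legitimately have no HR owner (constructed, empty here).
APPROVED_NON_HUMAN = frozenset()


def reconcile(roster, accounts, today, approved=APPROVED_NON_HUMAN, lookback_days=30):
    """Return a sorted list of (account, reason) findings."""
    findings = set()
    for name, acct in accounts.items():
        hr = roster.get(name)
        if hr is None:
            # No person behind the account and not a documented service account.
            # Disabled accounts are reported too: a dormant one can be re-enabled.
            if name not in approved:
                findings.add((name, "no HR owner: possible backdoor account"))
        else:
            status, separated = hr
            if status == "terminated" and acct["enabled"] and separated is not None \
                    and separated <= today:
                findings.add((name, "enabled after termination"))

        # Accounts created by someone who then left soon afterwards are worth a look
        # regardless of whether they have an owner.
        creator = roster.get(acct["created_by"])
        if creator is not None and creator[0] == "terminated" and creator[1] is not None:
            if 0 <= (creator[1] - acct["created"]).days <= lookback_days:
                findings.add((name, "created by departing user within lookback window"))
    return sorted(findings)


def accounts_to_disable(findings):
    """Accounts that the termination rule says should be disabled now."""
    return sorted(name for name, reason in findings if reason == "enabled after termination")


if __name__ == "__main__":
    report = reconcile(HR_ROSTER, ACCOUNTS, today=date(2008, 11, 3))
    for name, reason in report:
        print(f"{name}: {reason}")
    print("disable:", accounts_to_disable(report))
```

The "created by departing user" rule is the one most specific to the insider cases in this deck: it does not need the account to look suspicious on its own, only that the person who created it is on the way out, which is information only the HR feed can supply.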
Others
Encryption
Physical access control systems
Automated data integrity checks
Backup and recovery systems
Contact Information
Insider Threat Team Lead: Dawn M. Cappelli
Technical Manager, Threat and Incident Management
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9136
Email: [email protected]
http://www.cert.org/insider_threat/