Session SEC 133
The Devil Inside – Internal Threats
Ashutosh Kapsé, CISA, CISM, CGEIT, I-RAP Certified
• Copyright & Confidentiality Statement
• Copyright © 2007-09 Southern Cross Computer Systems Pty Ltd ACN 005 770 598 (“SCCS”).
• All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or any information storage and retrieval system, without prior permission in writing from the owner. The Copyright Act 1968 (Cth) applies to this work and the owner expressly reserves all of its rights under the Act now or as amended.
• Any logos or trademarks used belong to the respective organisations, which hold the sole right to use and reproduce them.
Agenda
• What are insider / internal threats?
• How real is this problem?
• Types of insider / internal threats (Classification)
• Some real life examples
• Profiling
• Response, Survival & Controls
• Future trends
Copyright © 2008 Southern Cross Computer Systems Pty Ltd
Insider vs Internal Threat
• Insider threat?
– Prevalent definition (US / DoD / CERT etc.)
– My definition (larger scope) – Internal Threat
– Internal threat
How real is the problem?
• Some studies & statistics
– Gartner, Aug 2007 – 70% of unauthorised access to IS is committed by insiders
– IDC, 2007 – Enterprises rank insider sources as their top security threat
– Carnegie Mellon / DoD / US SS – Under-reporting of insider incidents; 29% of critical infrastructure organisations reported insider incidents
– Assoc of Certified Fraud Examiners, Aug 2007 – US companies lose 5% of annual revenue to internal fraud
– US Computer Security Institute, 2007 survey – internal abuse overtakes viruses as the most reported security incident
Classification
• Why is classification required?
• Can internal threats be classified?
• Classification –
– Internal - mistakes / errors
– Internal - non-malicious intent / naivety
– Internal / Insider - malicious
– Internal / Insider – Industrial Espionage
Examples
• Examples of security breaches of each classification type
– Internal mistakes / errors
• Jake Kovco Case – Dept of Defence, Aus.
• TTA, Aus.
Examples - 2
– Internal – non-malicious intent
• Security vendor emails contact details
• UK - customs data breach.
• UK – bank customers on eBay
Examples - 3
• Internal / Insider – malicious
– UBS PaineWebber
– Duracell
– Coca cola
Examples - 4
• Internal / Insider – Industrial espionage
– Pharmaceutical company
– Ellery systems – USA
Profiling – Insider malicious
• What is profiling / why is it important?
• Is it possible to profile insiders that may cause a threat?
• Studies conducted by Texas A&M University, CERT, Carnegie Mellon & US Secret Service
– Insiders age group – 17 years to 60 years
– Diverse ethnic groups / races
– 96% were male
– 49% married, 45% single, 4% divorced
Insider Perpetrator Profile -1
• A negative work related event triggered action
• Most held work related grievance prior to attack
• Most frequently reported motive was revenge
• Majority held technical positions (engineers, IT, programmers, sysadmins, etc.)
• In most cases behavioural symptoms were noticeable but not reported
– Co-workers had “inkling” of the perp’s intentions, plans
– Most perps had acted in an on-going concerning manner
– Majority communicated negative sentiments to others.
Profile - 2
• Activities were planned in advance
• Majority used remote access to initiate attack.
• Majority used – system default accounts, DBA default accounts, system default passwords
• 41% former employees, 50% current employees
• 48% were fired, 24% made redundant, 20% resigned.
Profile - 3
• Insider malicious (Fraud only)
– 98% were legitimate users of the system
– Most often performed crimes –
• Modify credit histories
• Create fraudulent documents
• Loan approval frauds
– Most perps had large credit card debts themselves, or had drug-related financial difficulties
– Most perps did not believe they would get caught
Response / Controls
- Extremes –
- Denial
- Policy
- Tools (DLP)
- No “silver bullet”
- Paradigm shift required.
- Holistic view needed
- Not just technology – human behaviour
- Why in addition to How
- Essentially – we must trust humans to make the right decisions and follow the policy & processes needed to protect information.
- We can’t rely totally on human behaviour, so we need to also rely on technology where possible.
Defence-in-Depth
Concept of defence-in-depth
[Figure: pie chart with three equal segments (33.3% each) – People, Processes, Technology – centred on Business Objectives and Requirements]
1 Asset inventory & risk assessment (RA)
Before one can protect anything, one first needs to understand what assets need to be protected.
Perform periodical risk assessment on the assets (the owner establishes the relative importance and value of each asset).
Remember that “Information” is also an asset.
2 Least privilege, separation & rotation of duties
– Least privilege – authorise people only for the resources they need to do their job.
– Separation – dividing functions among people to limit the possibility that one individual could commit fraud without the co-operation of one or more other individuals.
– Rotation – rotate employees through various roles.
All three go hand in hand towards reducing the risk of insider threat.
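The following is an added example, not code from the slides: it models least privilege and separation of duties for a loan-approval workflow, the kind of process the deck later cites for insider fraud (loan approval frauds). Roles, permissions and user names are constructed for illustration.

```python
"""Least privilege and separation of duties (SoD) for a loan workflow.

Added illustration; roles, permissions and users are constructed.
"""
from dataclasses import dataclass, field

# Least privilege: each role is granted only the actions its job needs.
ROLE_PERMISSIONS = {
    "loan_officer": {"create_loan"},
    "credit_manager": {"approve_loan"},
    "auditor": {"read_loan"},
}

# Separation of duties: these action pairs must never be performed by the
# same individual on the same record, whatever roles that person holds.
CONFLICTING_DUTIES = {("create_loan", "approve_loan")}


class PolicyViolation(Exception):
    """Raised when an action breaches least privilege or SoD."""


@dataclass
class Loan:
    loan_id: str
    history: list = field(default_factory=list)  # (action, user) pairs


def conflicts(a: str, b: str) -> bool:
    return (a, b) in CONFLICTING_DUTIES or (b, a) in CONFLICTING_DUTIES


def perform(loan: Loan, action: str, user: str, role: str) -> Loan:
    """Apply `action` to `loan` only if least privilege and SoD both hold."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise PolicyViolation(f"{user} ({role}) is not authorised to {action}")
    for prior_action, prior_user in loan.history:
        if prior_user == user and conflicts(prior_action, action):
            raise PolicyViolation(
                f"{user} already performed {prior_action} on {loan.loan_id}; "
                f"{action} must be done by a different individual"
            )
    loan.history.append((action, user))
    return loan


def audit_sod(loans: list) -> list:
    """Detective control: list (loan_id, user) pairs where one person held
    both sides of a conflicting duty, e.g. after a role change."""
    findings = []
    for loan in loans:
        by_user = {}
        for action, user in loan.history:
            by_user.setdefault(user, set()).add(action)
        for user, actions in by_user.items():
            if any(conflicts(a, b) for a in actions for b in actions if a != b):
                findings.append((loan.loan_id, user))
    return findings
```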
Separation of duties matrix
• CISA® review manual 2005 pages 88-91
3 Information Classification
– No matter what kind of organisation, classification of information is necessary
– Govt agencies are very good at this
– Classification provides a framework for understanding what information exists, where it is stored, who is authorised to access it, rules of access etc.
– Classification, along with segregation of users (based on roles), is critical for information protection
– Information labelling (just like physical asset labelling)
4 Human factors
Understanding the importance of “trusted”, “semi-trusted” and “un-trusted”.
Pre-Hiring
Post-Hiring
Security awareness training
1. SysAdmin / IT Staff / DBAs training
2. End user awareness
3. Specific end user training – mobility, portable devices, physical security
HR – Close link with HR?
5 Use technology
• Use technology for automation and to counter naivety / ignorance / mistakes.
– Pre-boot encryption of laptops
– Enforced encryption on removable storage devices
– End point control
– Cryptography / steganography / remote access / home PCs
– Host based IDS/IPS
– Network segregation
Other controls
6. Policies and processes
7. Identity and Access management
8. Logging and monitoring
9. Physical security
10. Ongoing / periodic risk assessment
11. Backup/restore, archive, de-duplication
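As an added example for the logging and monitoring control (not code from the slides), the routine below screens constructed sshd-style log lines for the pattern the profile slides describe: attacks mostly initiated over remote access, using system or DBA default accounts, and frequently by former employees. The terminated-staff list, default-account names, address ranges and log lines are all constructed for illustration.

```python
"""Flag logins that match the insider profile (remote access, default
accounts, former employees). Added illustration; all inputs constructed."""
import ipaddress
import re

# Constructed inputs: a terminated-staff list fed from HR, and the vendor or
# system default accounts that should never log in interactively from outside.
TERMINATED_STAFF = {"jsmith"}
DEFAULT_ACCOUNTS = {"root", "admin", "sa", "oracle", "guest"}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sshd-style log lines (documentation address ranges).
SAMPLE_LOG = """\
Mar  3 22:14:01 db01 sshd[4012]: Accepted password for oracle from 203.0.113.45 port 51022 ssh2
Mar  3 22:15:09 app02 sshd[2210]: Accepted publickey for jsmith from 198.51.100.7 port 40211 ssh2
Mar  4 08:02:33 app02 sshd[2310]: Accepted publickey for mlee from 10.20.3.4 port 40310 ssh2
Mar  4 08:05:10 db01 sshd[4100]: Accepted password for root from 10.20.3.9 port 50013 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def is_remote(ip: str) -> bool:
    """True when the source address lies outside the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def find_suspicious_logins(log_text: str) -> list:
    """Return (severity, reason, line) tuples for logins matching the profile."""
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a successful-login record
        user, remote = m["user"], is_remote(m["ip"])
        if user in TERMINATED_STAFF:
            # A terminated account should have been disabled at exit: any use is high.
            alerts.append(("high", f"terminated account {user} logged in", line))
        elif user in DEFAULT_ACCOUNTS and remote:
            alerts.append(("high", f"default account {user} used over remote access", line))
        elif user in DEFAULT_ACCOUNTS:
            alerts.append(("medium", f"default account {user} used interactively", line))
    return alerts
```

In practice the terminated-staff set is the HR feed the deck's "close link with HR" point refers to, and the default-account list comes from the asset inventory.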
Future Trends
• Outsourcing
• Social Networks (FaceBook, MySpace etc)
• Ubiquitous devices
• Subjective Ethical / moral principles
• Easy to use tools
• Professional and targeted attacks
• Mobile & flexible workforce
• Data archiving / Data de-duplication
Proactive inclusion in Security Architecture
[Matrix: each control below mapped against the four threat classes – Mistakes / errors, Non-malicious intent, Malicious intent, Industrial espionage; the individual cell marks did not survive extraction]
Control
– Targeted awareness & education
– Policy / process
– Backup / restore / de-duplication
– Least privilege / separation & rotation of duties
– HR – background checks, behaviour education
– Physical security
– IAM / access control & termination
– Technology / tools
– Logging, auditing and review
Acknowledgements
• Information from following sources is used
– Insider Threat – Dr. Eric Cole & Sandra Ring
– Spies among us – Ira Winkler
– Insider Threat Study – Carnegie Mellon CyLab (Dawn Cappelli, Andrew Moore, et al.)
– Understanding the importance of and Implementing internal security measures – Mike Durgin SANS Institute
– Segregation of duties within Information systems – CISA review manual
– OVPC – survey and recommendations – Jan and Aug 2009
– Aust Privacy commissioner recommendations – May 09
Discussion