程序代写代做代考 database flex ThreatsMonday

ThreatsMonday

?
Threats

THREATS

HUMAN-CENTRED SECURITY

Some People Think the danger is outside the Perimeter

How big is the threat?

Verizon Study – Oct 2012

Threat Actions

Outsider Insider

Employee Context

• Permanent employees
– initially vetted
– above suspicion
– subsequent checks

• Temporary employees
– not subjected to the same checks
– less likely to exhibit loyalty
– privileged access to resources
– Example: Zhangyi Liu

• Former employees
– backdoor access
– stockpile resources (passwords etc)
– seek vengeance
– Example: Donald Burleson

Employee Context

• Focus on all employees?

Focus

• Focus on all employees?
• Critical Information Technology Insiders

(CITIs).
– they design, maintain and/or manage critical

information systems.

Focus

Misuse Categories

• Intentional
– self-interest and resources.
– malicious intent.
– waste resources (e.g. shopping, self-promotion).

• Accidental
– employees circumvent policies to complete tasks (e.g. sticky note

with password).
– employees may leak sensitive information through actions (e.g.

social networks, ‘Reply All’ instead of ‘Reply’).
• Ignorance

– lack training and awareness (e.g. device not encrypted).
– unattended equipment and observed in public.
– disposing or taking resources when leaving job.

Misuse Categories

• ASPECTS OF INSIDERS:
• Are on the inside, with access

privileges
• They are trusted
• Access privileges accrue over time
• Aware of policies, procedures &

technology
• Know where the valuable data is

and how to access it

Insiders – Defined by Access

• Financial
• Reputation
• Business Operations
• Harm to specific

individuals
• Availability of data

compromised

Damage

• Claude Carpenter
• Contractor.
• Accessed servers and inserted malicious code

to cause havoc.
• Aim was to get him back to solve problems.
• Hid tracks by turning off logs, removing code

to ensure he would not be uncovered.

IRS

• Two employees in the middle of a labour
dispute sabotaged all the traffic lights

• One actually implemented the system
• Access had been removed!

Traffic Nightmare LA

• They used their supervisor’s access (he had
shared his credentials)

• Murillo allegedly accessed the system and
found a way to block other managers from
fixing the changes. Prosecutors reported it
took four days to repair the signals.

How?

Employment context

Encrypting the Information

• A System Administrator learns that she is to be
downsized

• She decides to encrypt important parts of the
database and hold it hostage

• She will decrypt it in return for substantial
�Severance Pay� and promise of no prosecution

• The organization decides to pay without
consulting with proper authorities and they are
precluded from pursuing charges

Changing the Configuration

• An engineer is on probation after a series of
confrontations with co-workers

• After he has been sent home without pay pending
resolution of the situation, it is discovered that the
network configuration has been changed denying
the organization�s clients the services they have
been promised

• Only the engineer holds the privileges to change
them. Unfortunately he is not interested in helping
out

Mail Flood

• A major Aerospace company recently
fired an employee who caused its e-mail
system to crash for six hours after sending
thousands of other employees a personal
e-mail that requested an electronic receipt

• They lost hundreds of hours of
productivity

Deleting Company Files

• July 1996, Omega

• A recently demoted employee created a
software �time bomb� that affected the
network files

–Deleted the company’s “most critical software
programs”

• Result:
–Caused a loss of over $10 million

–80 people lost jobs

A company’s mobile devices were suddenly
disabled for almost 1000 employees,
grinding sales and delivery operations to a
halt for several days …

Logic bomb went off three months to the
day after a demoted system architect’s
retaliatory resignation.

True Story – Revenge

• Employee loaded a virus
• Cost R20m and affected 700 stores
• He had a grudge against the group for

outsourcing its information technology
maintenance and support work

• 80% of the details for stores in South Africa
were deleted, customer sales had to be
entered manually and hard drives were
damaged.

True Story – Revenge

A company sues a former programmer found
selling a competing product at a tradeshow….

Investigators found copies of
the company’s source code on
his home computer that was
stolen on his last day of work at
the company

True Story – Financial Gain

A financial organization�s routine audit
discovers a $90,000 discrepancy in one of
their software engineer’s personal loan
accounts…

The employee modified critical source code to
siphon off money to cover fraudulent
personal loans he had created.

True Story – Financial Gain

• Gender – mostly males
• Locus of Control – fatalists
• Attribution style – failure is due to external factors
• Core self-evaluations – similar to self-esteem
• Integrity – people who are agreeable,

conscientious, stable, reliable less likely to do this
• Neuroticism – extent to which they experience

anger, anxiety, fear, hostility
– Neurotics feel people are too demanding, distant

and threatening

Who Are They?

A B C

D E F

Terry Childs

Terry Childs

Spot the Threat

B C

D E F

A

Ed Snowden

Spot the Insider

A B C

D E F

• Sold info to the Soviet Union for $5m
• Disclosed over 100 covert operations
• Betrayed 30 double agents (10

executed)
• Crippled the CIA�s activities for some

years
• He did not use technology

Aldrich Ames – Money

• Spied for the Soviets for 22 years
• Got $1.4m
• Even the Soviets didn�t know who he

was
• Disclosed 1000s of secrets
• Accessed everything via his default

access rights

Robert Hanssen – Money

• Gary Min was a research scientist at DuPont
• Downloaded 16700 pdf documents ($400 m)
• Gave it to his new employer
• Most had nothing to do with his research
• 15 times more downloads than other users
• Only caught when he announced he was

leaving and they started looking at the usage
logs

Money

Spot the Insider

A B C

D E F

• US Soldier
• Provided info to WikiLeaks
• Transferred classified data onto his personal

computer

• Arrested on May 26, 2010
• On March 1, 2011, an additional 22 charges were

preferred, including wrongfully obtaining classified

material for the purpose of posting it on the

Internet, knowing that the information would be

accessed by the enemy; the illegal transmission of

defense information; fraud; and aiding the enemy.

Bradley Manning

Spot the Insider

A B
C

D E F

• Sentenced to 97 months
• took down as many as 2,000 servers around

the country in UBS PaineWebber offices.
• This meant that the company was unable to

make trades for up to several weeks in some
offices

• The company reported a cost of $3.1 million
to recover from the attacks

• He had a criminal record!

UBS PaineWebber (Roger Duronio)

• 2/3 would steal data if fired
• 85% have confidential info at home
• 75% have client records
• ½ have accessed data they had no business

accessing
• ¾ said they could easily do this

http://www.infoworld.com/d/security/many-employees-would-sell-
corporate-information-study-finds-168110

Circle of Damage

Minor

Company

Customers

Citizens

http://www.mobile-financial.com/node/14446/The-risk-
profile-for-mobile-operators

http://mybroad
band.co.za/new
s/cellular/8779-
vodacom-at-
centre-of-
banking-sms-
scam.html

It worked!

• Technical Users Account for 86% of all attacks
• 90% had systems administrator or privileged

system access

• most crimes were committed by insiders
following termination. Most incursions — 64%
— involved VPNs and old passwords that had
never been terminated

• The impact of the attacks is 10x greater than
from external sources

• 30% have a prior history

Reality

• Unauthorised access at time of attack
– Accounts not disabled
– User rights not changed when employee responsibilities

changed
• 31% of cases attackers used their own credentials
• 33% of attacks used another employee�s

credentials
• 56% of cases another account was compromised
• 17% of attackers used back-door accounts
• 15% used sys admin accounts

Attack Metrics

• Logic Bomb
• Back door accounts
•Virus/Malware
• Remote sys admin tools
•Using other people�s credentials
• Elevated Privileges

Methods Used

Why?

Dark Triad

• Espionage
• Sabotage
• Theft of Intellectual Property
• Financial gain
• Revenge
• Curiosity/Because they can
• Vanity

Insider Misbehaviour Motivations

Understanding (familiarity & experience)

Consequences

(scope, duration, impact)

Perceived Risk

• Level 1 – judge the value of the materials
• Level 2 – can they detect a pattern
• Level 3 – can they distinguish between facts

and inferences
• Level 4 – can they use the info in a new

situation
• Level 5 – can they recall data or information

Understanding

• Level 1 – Trivial
• Level 2 – Recoverable
• Level 3 – Serious and long term
• Level 4 – Raise deep concerns
• Level 5 – Catastrophic

Consequences

• Shortcut – allows people to make decisions
quickly

• Emotion influences decisions
• Eg lung cancer -> dread
• Instinct based reaction
• Thus the higher the benefit the lower people

see the risk as
• No focus on realistic statistics – I won’t get

caught!

Insiders use Effect Heuristic

• Isolation Errors
– Prediction of future outcomes biased by

scenarios of success
– Past results ignored

• Perceived benefits seem to outweigh
perceived risks

Two biases

Fraud Triangle

• Pressure/non-Shareable financial problems
– Unable to meet obligations
– Personal failure
– Business reversals
– Physical isolation
– Status gaining
– Employer-employee relations

• Mostly status seeking or status maintaining

Motivation

• Technical Skills
• Position of trust
• Hearing about other violations
• Getting access to someone else’s password

Opportunity

• Insiders view themselves as
– Non criminal
– Justified
– Part of general irresponsibility in the

organisation

Rationalisation

Fraud Triangle

Path to Revenge

Disillusion

Resentment

Revenge

Unfriendly Atmosphere
Dull Office Environment

Fear of Redundancy
No Promotion and No Pay Rises

Aggressive Boss
Unethical Company Policies

THREATS

Insider Threats

Fraud Triangle

• Pressure/non-Shareable financial problems
– Unable to meet obligations
– Personal failure
– Business reversals
– Physical isolation
– Status gaining
– Employer-employee relations

• Mostly status seeking or status maintaining

Motivation

• Technical Skills
• Position of trust
• Hearing about other violations
• Getting access to someone else’s password
• Poor Management Practices

Opportunity

• Insiders view themselves as
– Non criminal
– Justified
– Part of general irresponsibility in the

organisation

Rationalisation

Path to Revenge

Disillusion

Resentment

Revenge

Unfriendly Atmosphere
Dull Office Environment

Fear of Redundancy
No Promotion and No Pay Rises

Aggressive Boss
Unethical Company Policies

Understand the problem

Develop effective strategies

Deploy the tools

Catch/deter insiders

ü

1. Understand Risk of Detection (and do it)
Employee Education
Proactive Detection

2. Create a fair working environment

Mitigation

Russia’s Approach

•Use software
tools
•And soft tools

All is not visible…

Continuous monitoring

• Employee profiling could be carried out pre-hire
– Fast and Legal
– Also do a background check on new employees
– Check CVs

• Prevents
– Wrongful termination
– Financial Loss
– Embezzlement
– Workplace disruption
– Injury claims

• Check external contractors too

Employee Profiling (Prevention)

• Prevent:
– Pre-hire practices

• Detect:
– Red Flag Events

• What should bosses look out for?
• What should they do when these events occur?
• Access control practices

• Respond:
– What Interventions?
– Termination practices – what needs to be done?

• Tools needed
• Outsourcing?

Need a Policy for Insider Threat
Mitigation

Detection & Response

Red Flags On Alert

Investigating

Attacked!

?

Response?

• Prevent:
– Principle of least privilege
– Separation of duties

• Detect
– Log, monitor and audit employee activity
– Special attention to admins and privileged users
– Allow anonymous reporting of issues

• Respond
– Termination procedures essential – lots of

incidents from non-employees
– Retain all logs to support investigations

Insider Threat Management

• Insiders are often disgruntled (57%)
– Disgruntlement level

• Insiders often attacked following a negative
event (92%) – dispute, demotion, transfer
– Precipitating event

• Insiders exhibit concerning behaviour
BEFORE the attack (offline)
– Behavioural precursor

• Many held IT positions (86%)
– Technical Precursor

What the Research tells us:

• Overwork or a consistently heavy workload
• Feeling unappreciated or underappreciated
• Conditions of the workplace
• Demanding, rigid supervision that is too involved in

the work being done
• Unsupportive, weak supervision that does not offer

enough input or guidance
• Unmet expectations

– Insufficient compensation
– Lack of career advancement
– Inflexible policies
– Supervisor demands/co-worker relations

Precipitating event

Behavioural Precursor

• Absenteeism
• Raising the voice

frequently
• Depression
• Impatience
• Irritability
• Memory/

Concentration
problems

• Paranoia
• Showing up late
• Argumentativeness
• Poor Performance
• Violations of

policies/procedures

Disgruntlement Predisposition

• People have expectations of �freedoms�
• People accumulate access paths over time.

The organisation easily loses track of these
– Few formal access path tracking procedures
– Some are granted, some are fraudulently created
– People sometimes share access with others to

achieve organisational operations
• Majority attacked AFTER termination (59%)

More info

• Awareness
• Responding to incidents

– Offer remediation opportunities
– Counselling
– Empower colleagues to provide support
– Destressing activities

• Continue to Monitor

Interventions

• First identify the stocks
• Then identify the connections between them
• And the causatives
• There are many correct answers!

Systems Diagrams

• Show interplay between
– Disgruntlement
– Precipitating event
– Freedom Expectations
– Actual Freedoms
– Unmet expectations i.e. discrepancies
– Predisposition to disgruntlement

Draw a Systems Diagram

1

My Diagram

Freedom
Expectations

Unmet
Expectations

Actual
Freedom

++ Precipitating
Event

+
–

Disgruntlement

+

Predisposition to
Disgruntlement

• Behavioural precursors (Inappropriate
Behaviour)

• Sanctions
• Employee intervention
• Delay (Time to realise insider is becoming a

problem)
• Behaviour Perceived by organisation

Now add to your diagram

2

My Diagram

Freedom
Expectations

Unmet Expectations Actual Freedom

++ Precipitating
Event

+
–

Disgruntlement

+

Predisposition to
Disgruntlement

Behavioural
Precursors

Offline Behaviour
Inappropriate+

+

Employee Intervention

Sanctions
+

–

+

–

Behaviour Perceived
By Organisation

Delay

• Attackers have a sense of entitlement. This
escalates over time.
– If curbed, this could lead to resentment
– If not curbed, entitlement increases

• Interventions:
– Counselling
– Sanctions
– Technical Monitoring

• Termination
– Time period for behaviour to become serious

enough
– Time to close all access paths

• Show interplay of
– Known access paths
– Unknown access paths
– Damage
– Disgruntlement
– Technical misbehaviours
– Actions perceived by organisation
– Delay (for organisation to realise)
– Predisposition for technical sabotage

New Diagram

3

My Diagram

Disgruntlement
Unknown

Access Paths
Known

Access Paths

Technical
Precursors

Acting
Inappropriately

Online

+

+Predisposition
For technical

sabotage

+

Actions
Perceived by
Organisation

+

Time to
Realise

–
+

Damage

+
+ Potential

Delay

• Insider starts acting inappropriately online
– Accessing unauthorised material
– Getting more privileges
– Stealing material

• It takes time for the organisation to realise
this is happening

• Organisation hampered in dealing with this
– By not knowing paths
– When they do find out, they act to remove them
– They might not know about logic bombs

Attack Starts….

• Audit
• Termination
• Actions upon termination i.e. disabling access

paths

Add to your Diagram

4

My Diagram

Disgruntlement Unknown
Access Paths

Known
Access Paths

Forgetting

Discovering

Technical
Precursors

Acting
Inappropriately

Online

+

+

+

Actions
Perceived by
Organisation

+

Time to
Realise

–
+

Damage

+
+ Potential

Delay

Disable

–
Decision

To Terminate

+

+

Audit
To
Discover

• Pre-employment Checks (red)
– Low risk, medium risk and high risk.

• Non-technical (blue)
– Non-technical actions that companies take to

guard against insider threats.
• Technical (green)

– Technical actions that companies take to guard
against insider threats.

Task

Technical Tools/Monitoring

Employee Monitoring

• Specific Actions
– Files accessed
– Databases used
– Network access
– Check against policies and alert if violation

• Monitor behaviour and compare to historic
usage patterns
– Is it different from usual?
– Eg – download the whole customer database

instead of only one customer

Employee Monitoring

InfoWeek Strategic Security Survey

Soft Tools