Insider Threat

ISACA, Mumbai Chapter
Sameer Saxena
23rd July 2011
Agenda
 The Insider
 Insider Threat Landscape
 Probable causes
 Insider Impact and Challenges
 Mitigation strategies
Insider Beliefs
Haven’t we heard/said this before!!!

 “We Trust our Employees”
 “We have an open environment. We cannot clamp down.”
 “Insiders? Malware is ripping us to shreds”
 “It’s an IMPOSSIBLE task!”
 “We use principle of least privilege, separation of duty, and pray. Lots.”
SPOT THE INSIDER…
Terry Childs Case – San Francisco Net
 Terry Childs: responsible for creating and managing the City of San Francisco's FiberWAN network
 On July 9, 2008, he was told over a hostile conference call with the HR Dept., his boss and a police officer that he was being reassigned, would no longer work on the FiberWAN network and was to hand over the passwords
 Handed over bogus passwords and was reluctant to give the right passwords
 His justification: nobody in the room was qualified to have admin access to the network
 In prison for 7 years and bond of US$ 5 million
 Jury found him a nice guy, protective of his work, like many IT people, possibly a little paranoid.
 Didn’t have good management to keep him in check. Allowed free rein, which permitted engineering decisions over the years that made things worse and worse, and locked people out of possibly getting into this network
Other Real Life Incidents
Roger Duronio, former UBS PaineWebber computer systems administrator, convicted for planting a malicious “logic bomb” that caused > USD 3 million in damage and repair costs to the UBS computer network
He received a bonus of USD 32,500 (against USD 50,000) in 2002.
Sentenced to 97 months in prison

William Sullivan, former database administrator of Fidelity National Information Services, sentenced to 57 months in prison and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm. He had stolen consumer information of 8.4 million people and sold it for USD 600,000 to marketing firms between 2002 and 2007.
Other Real Life Incidents
HSBC’s system administrator Hervé Falciani, who had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax authorities.
     Subject line: "Tax evasion: client list available."
Disgruntled Dave
 A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane

 Once a trusted insider with privileged access to critical IT infrastructure

 Change in circumstances

 Now unhappy with the status quo to the point where he is intentionally doing harm such as stealing, modifying or deleting data and/or planting malware
Verizon’s 2010 Data Breach
Investigations Report
THE INSIDER
Who are Insiders
 Current or former employee, contractor or other business partner who:
 ◦ has or had authorised access to an organisation’s network, system, or data and
 ◦ intentionally exceeded or misused that access in a manner that negatively affected the C.I.A. of the organisation’s information, information systems and/or daily business operations
Insider may be someone who…
 Deliberately seeks employment with an organisation with intent to cause harm

 Causes harm once employed but who had no intention of doing so when first employed, or

 Is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider
Let’s break it down a bit further…
 Authorized Users
 ◦ Employees - Clerks, Accountants, Finance, Salespeople, Purchasing, etc.

 Privileged Users
 ◦ DBAs, DB/App Developers, Application QA, Contractors, Consultants

 Knowledgeable Users
 ◦ IT Ops, Network Ops, Security Personnel, Audit Personnel

 Outsiders or Malicious User with Insider Access and/or vulnerability knowledge
 ◦ The sophisticated “white collar” criminal
    An individual may belong to more than one group
Reasons to cause harm
 Motivated by one or a combination of reasons

 A useful acronym to understand the motivations underlying behaviour is CRIME
 ◦ coercion – being forced or intimidated
 ◦ revenge – for a real or perceived wrong
 ◦ ideology – radicalisation or advancement of an ideological or religious objective
 ◦ money – for illicit financial gain, and/or
 ◦ exhilaration – for the thrill of doing something wrong
Factors that increase the risk of Insider Threat
 No comprehensive written acceptable use policies

 Ineffective management of privileged users

 Inappropriate role and entitlement assignment

 Poor information classification and policy enforcement

 Weak user authentication

 Poor overall identity governance

 Inadequate auditing and analytics
Can the INSIDERS Be STOPPED?
Types of Insider Activity
Type 1 – IT Sabotage
 Who are they?
 ◦ System administrators
 ◦ People with privileged access on systems, and technical ability
 Why do they do it?
 ◦ Bring down systems, cause some kind of harm
 How did they attack?
 ◦ Privileged access
 ◦ No authorized access
 ◦ Backdoor accounts, shared accounts, other employees’ accounts, insider’s own account
 ◦ Remote access outside normal working hours
Dynamics of Insider IT Sabotage
 Disgruntled due to unmet expectations
 ◦ Period of heightened expectations, followed by a precipitating event triggering precursors

 Behavioral precursors were often observed but ignored by the organization
 ◦ Significant behavioral precursors often came before technical precursors

 Technical precursors were observable, but not detected by the organization
Red Flags
 Unmet Expectations
 ◦ Insufficient compensation
 ◦ Lack of career advancement
 ◦ Inflexible system policies
 ◦ Co-worker relations; supervisor demands
 Behavioural precursors
 ◦ Drug use; absence/tardiness
 ◦ Aggressive or violent behaviour; mood swings
 ◦ Used organization’s computers for personal business
 ◦ Sexual harassment
 ◦ Poor hygiene
Types of Sabotage Crimes
 Constructed or downloaded, tested, planted logic bomb
 Deleted files, databases, or programs
 Destroyed backups
 Revealed derogatory, confidential, or pornographic information to customers, employees, or public
 Modified system or data to present pornography or embarrassing info
 Denial of Service by modifying authentication info, deleting data, or crashing systems
 Modified system logs to frame supervisor or innocent person & conceal identity
 Downloaded customer credit card data & posted to website
 Cut cables
 Sabotaged own project
 Physically stole computers and/or backups
 Planted virus on customers’ computers
 Extortion for deleted data & backups
 Defaced organization’s website
Type 2 – Fraud
Theft or Modification for Financial Gain
  Who did it?
  ◦ Current & former employees
  ◦ “Low level” positions
  ◦ Non-technical
  What was stolen/modified?
  ◦ Personally Identifiable Information (PII)
  ◦ Customer Information (CI)
  ◦ Very few cases involved trade secrets
  How did they steal/modify it?
  ◦ During normal working hours
  ◦ Using authorized access
Dynamics of the Crime
 Most attacks were long, ongoing schemes

 Collusion prevails in this type, with internal or external people
Examples
 A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their account.

 Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.

 One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
Red Flags
 Family medical problems
 Substance abuse
 Physical threat of outsiders
 Financial difficulties
 Financial compensation issues
 Hostile work environment
 Problems with supervisor
 Layoffs
Type 3 – Theft of IP
Who did it?
◦ Current employees
◦ Technical or sales positions
What was stolen?
◦ Intellectual Property (IP) like source code, engineering drawings, scientific formulae, etc.
◦ Customer Information (CI)
Why did they do it?
◦ Financial
◦ Entitlement (some didn’t realize it was wrong)
◦ Disgruntled
How did they attack?
◦ Using authorized access
◦ Acted during working hours from within the workplace
Dynamics of the Crime
 Most were quick theft upon resignation

 Stole information to
 ◦ Take to a new job
 ◦ Start a new business
 ◦ Give to a foreign company or government organization

 Collusion
 ◦ Collusion with at least one insider in almost 1/2 of cases
 ◦ Outsider recruited insider in less than 1/4 of cases
 ◦ Acted alone in 1/2 of cases
Red Flags
 Disagreement over ownership of intellectual property
 Financial compensation issues
 Relocation issues
 Hostile work environment
 Mergers & acquisitions
 Company attempting to obtain venture capital
 Problems with supervisor
 Passed over for promotion
 Layoffs
Latest Case – Travelocity sues Cleartrip
 Travelocity (= Travelguru + Desiya): Victim
 Cleartrip: Accused
 Location: Gurgaon
 Data passed by 3 employees, which led to loss of business
 These 3 people joined Cleartrip after the merger
 Shared the "entire hotel business model, projections and other proprietary information"
 Claimed: US$ 37.5 million (Rs. 168 crore)
DCD Example
 We create documents in MS Word… protection of these documents falls under Digital Rights Management
 Let’s assume that the place in a network where all documents are stored is called the DCD – Document Control Domain
 Users in the DCD have a need to collaborate and share the documents securely and with restrictions on the usage of the documents’ content.
 Each user belongs to a group with a specific function, usually dictated by the nature of the organization.
    For instance a software company might have the groups: {CEO, Board Member, Administrator, Software Developer, Technical Writer, and Secretary}.
 During the course of his/her work, a user produces and consumes a variety of documents related to his/her work function.
 The DCD aims at protecting these documents from unwarranted usage and compromise.
DCD Example
 The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization.
 Existing solutions such as encryption are not enough, as they protect only from the classic hackers
 A malicious insider in the DCD starts off with several privileges. The CEO’s secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company.
 Hence if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
So…what could be the insider threats in this scenario?
a)   An insider can read, copy, and print any document he has access to unless fine-grained access control is in place.
b)   An insider can become the owner of the document by copying it to a new file and thus set new access control on the copied document.
c)   An insider can forward a document to another user either inside or outside the organization.
d)   A user can work late or early hours when the intrusion/misuse detection systems are not running.
e)   He can copy the contents of a document into another document that is opened simultaneously.
f)   An insider can remember the contents of a document, which he opened before, and then create a low priority document with the same contents.
g)   An insider can take a dump of the document from the memory and then print the document.
h)   A malicious insider can tamper with the existing rights on the documents.
Policy design considerations to prevent such threats
  Need to consider both the context and the information flow between requests
  Take an approach where multiple policies are specified on the same resource. The policies differ in the context in which they become applicable.
    For example, a policy might allow access to a document in the normal office hours but not during after-office hours.
    The current context is contained in the request for access (or is alternatively maintained on the policy server)
  Policies should also contain the obligations or the provisional authorizations that the subject should satisfy before access can be granted
   ◦ The obligations are returned to the viewer at the client side as part of the response to the request, and the viewer is expected to enforce them. An obligation might specify that a high priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication
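The following is an added example, not code from the slides, of the policy model just described: several policies attached to the same document, selected by context (time of day), each returning obligations that the client-side viewer has to satisfy before the permit takes effect. The policy names, roles, document name and request fields are hypothetical.

```python
"""Context-selected access policies with obligations, as sketched for the DCD.

Added example (not from the slides). Two policies govern the same resource and
differ only in the context (office hours vs. after hours) in which they apply;
each carries obligations that the viewer must enforce before access is effective.
Roles, policy names and the document name are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    action: str           # "read" | "print" | "forward"
    resource: str
    now: time             # context: time at which the request is made
    open_documents: int   # context: other documents currently open in the viewer
    biometric_ok: bool    # context: whether the user has passed biometric authentication


@dataclass
class Policy:
    name: str
    resource: str
    applies: Callable[[Request], bool]     # context condition that selects this policy
    allowed_actions: Dict[str, Set[str]]   # role -> actions permitted under this policy
    obligations: List[str] = field(default_factory=list)


@dataclass
class Decision:
    permit: bool
    policy: Optional[str]
    obligations: List[str]


def office_hours(r: Request) -> bool:
    return time(9, 0) <= r.now <= time(18, 0)


def after_hours(r: Request) -> bool:
    return not office_hours(r)


# Same resource, two contexts. After hours the policy is far narrower:
# the CEO may only read, nobody may print or forward.
MERGER_DOC_POLICIES = [
    Policy("merger-office-hours", "merger.docx", office_hours,
           {"ceo": {"read", "print", "forward"}, "secretary": {"read"}},
           obligations=["no_other_documents_open", "biometric_auth_for_print"]),
    Policy("merger-after-hours", "merger.docx", after_hours,
           {"ceo": {"read"}},
           obligations=["no_other_documents_open"]),
]


def decide(policies: List[Policy], r: Request) -> Decision:
    """Policy server side: pick the policy whose context matches the request,
    check role/action under it, and return obligations with a permit."""
    for p in policies:
        if p.resource == r.resource and p.applies(r):
            allowed = r.action in p.allowed_actions.get(r.role, set())
            return Decision(allowed, p.name, list(p.obligations) if allowed else [])
    return Decision(False, None, [])   # default deny: no applicable policy


def viewer_enforces(d: Decision, r: Request) -> bool:
    """Client-side viewer: a permit is effective only once every returned
    obligation holds in the current context."""
    if not d.permit:
        return False
    for ob in d.obligations:
        if ob == "no_other_documents_open" and r.open_documents > 0:
            return False
        # the biometric obligation is only relevant when the action is a print
        if ob == "biometric_auth_for_print" and r.action == "print" and not r.biometric_ok:
            return False
    return True


def evaluate(policies: List[Policy], r: Request) -> bool:
    """Full round trip: server decision followed by viewer-side obligation check."""
    return viewer_enforces(decide(policies, r), r)


if __name__ == "__main__":
    demo = Request("ceo-1", "ceo", "print", "merger.docx", time(11, 0), 0, False)
    print(decide(MERGER_DOC_POLICIES, demo))          # permitted, with obligations
    print(evaluate(MERGER_DOC_POLICIES, demo))        # False: biometric obligation unmet
```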
Type 4 - Miscellaneous
 Reading executive emails for entertainment

 Providing organizational information to lawyers in
 lawsuit against organization (ideological)

 Transmitting organization’s IP to hacker groups

 Unauthorized access to information to locate a person
 as accessory to murder
Detection of all types of insider threat
   How was it detected?
   ◦ Manually, due to system failure or irregularity
   ◦ Non-technical means
   ◦ Data irregularities, including suspicious activities in the form of bills, tickets, or negative indicators on individuals’ credit histories
   ◦ Notification by customers, supervisors, coworkers, auditor, security staff, informant
   ◦ Detection by law enforcement agencies
   ◦ Sudden emergence of new competing organisation
Identification of all types of insider threat
  How was the insider identified?
  ◦ System logs
  ◦ Remote access logs
  ◦ File access logs
  ◦ Database logs
  ◦ Application logs
  ◦ Email logs
  ◦ Competitor information
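As an added example (not from the slides), the remote access logs listed above are run through three checks taken from the Type 1 profile on the earlier slides: privileged remote logins outside normal working hours, logins by accounts that should have been deactivated on termination, and interactive use of shared or service accounts. The log line format, account names, IP addresses and dates are all constructed for the example.

```python
"""Flagging Type 1 access patterns in remote-access logs.

Added example (not from the slides). Constructed log format:
  "<ISO timestamp> LOGIN user=<name> src=<ip> method=<vpn|ssh|console>"
Account names, the HR termination feed and the log lines are constructed.
"""
import re
from datetime import datetime, time
from typing import Dict, List, Optional, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2011-07-18T10:12:03 LOGIN user=asmith src=10.0.4.21 method=console
2011-07-18T23:41:17 LOGIN user=netadmin1 src=203.0.113.9 method=vpn
2011-07-19T02:05:44 LOGIN user=backup_svc src=203.0.113.9 method=ssh
2011-07-19T09:30:00 LOGIN user=jdoe src=10.0.4.88 method=console
2011-07-19T14:02:11 LOGIN user=netadmin1 src=10.0.4.5 method=console
2011-07-20T08:59:59 LOGIN user=bad-line
"""

PRIVILEGED: Set[str] = {"netadmin1", "dbadmin"}       # constructed admin accounts
SHARED_OR_SERVICE: Set[str] = {"backup_svc"}          # must never log in interactively
# Constructed HR feed: account -> date the owner left the organisation
TERMINATED: Dict[str, datetime] = {"jdoe": datetime(2011, 7, 15)}
REMOTE_METHODS: Set[str] = {"vpn", "ssh"}
WORK_START, WORK_END = time(8, 0), time(19, 0)


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def flags_for(ev: dict) -> List[str]:
    """Return the list of reasons a parsed login event should be reviewed."""
    reasons: List[str] = []
    off_hours = not (WORK_START <= ev["ts"].time() <= WORK_END)
    if ev["user"] in PRIVILEGED and ev["method"] in REMOTE_METHODS and off_hours:
        reasons.append("privileged remote access outside working hours")
    if ev["user"] in TERMINATED and ev["ts"] >= TERMINATED[ev["user"]]:
        reasons.append("login by account of terminated employee")
    if ev["user"] in SHARED_OR_SERVICE:
        # every line here is an interactive LOGIN, so any hit is a policy breach
        reasons.append("interactive use of shared/service account")
    return reasons


def scan(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons. Unparseable lines are
    reported as well: a gap or corruption in the log is itself a signal."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev is None:
            findings[line] = ["unparseable log line"]
            continue
        reasons = flags_for(ev)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(f"{line}\n    -> {'; '.join(reasons)}")
```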
PROBABLE CAUSES
Probable Causes
 Lack of articulate policies
 Policies based on “book”
 Lack of periodic user education, communication, awareness, etc.
 Lack of reviews, audits and monitoring
 Security in applications, an afterthought
 Poor development practices
 OWASP Top 10 hasn’t changed much since 2007
 Unauthorised software and hardware
 Negligence to policies and consequences
 Business/Delivery team ownership
 Business bats for freedom, new technologies, etc.
 IT/Security seen as adversaries
 Business pressure – a perfect vehicle to get around policies
 High staff turn-over, low morale, etc.
INSIDER IMPACT AND CHALLENGES
Impacts
Inability to conduct business due to system/network being down
Loss of customer records
Inability to produce products due to damaged or destroyed software or systems
Loss of productivity, hence loss of business/revenue
Misuse of resources – leads to a slow-down in the availability of resources to others
Loss of sensitive, proprietary data and intellectual property
Negative reputational damage, media and public attention, etc.
Regulatory and contractual non-compliance
Financial loss through fraud, litigation, penalties and so on
Trade secrets stolen
Impacts
 Organization & customer confidential information revealed
 Send wrong signals to other staff
 Workplace conflicts, leading to indecision, inaction, etc.
 Impacts to innocent victims
 Insider committed suicide
 Private information forwarded to customers, competitors, or
 employees
 Exposure of personal information
 Web site defacements
MITIGATION STRATEGIES
Sources:
DSCI-KPMG Survey 2009 & 2010
Deloitte 2009 Global Security Survey – India Report
Verizon’s 2010 Data Breach Investigations Report
Best Practices
 Consider threats from insiders and business partners in enterprise-wide risk assessments.
 Clearly document and consistently enforce policies and controls.
 Institute periodic security awareness training for all employees.
 Monitor and respond to suspicious or disruptive behaviour.
 Anticipate and manage negative workplace issues.
 Track and secure the physical environment.
 Implement strict password and account management policies and practices.
 Enforce separation of duties and least privilege.
Best Practices
 Use extra caution with system administrators and privileged users.
 Consider insider threats in the software development life cycle.
 Implement system change controls.
 Log, monitor and audit employee online actions.
 Use layered defense against remote attacks.
 Deactivate computer access following termination.
 Implement secure backup and recovery processes.
 Develop an insider incident response plan.
Summary
Insider threat is a problem that impacts and requires
understanding by everyone
 ◦ Information Technology
 ◦ Information Security
 ◦ Human Resources
 ◦ Management
 ◦ Physical Security
 ◦ Legal

Use enterprise risk management for protection of critical
assets from ALL threats, including insiders

Incident response plans should include insider incidents

Create a culture of security – all employees have responsibility
for protection of organization’s information
A Closing Statistic
As of 20th July 2011, 534,978,831 records have been breached in USA since 2005, of which 32,106,583 records were breached by Insiders alone
And A Closing Thought
Have you been Wikileaked yet??
Thank you for your time today
Need to conduct an insider threat risk assessment in your organisation? Simply email sameer.saxena@arconnet.com

 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdfQuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
 
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
 
I’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take NextI’ve Been Hacked  The Essential Steps to Take Next
I’ve Been Hacked  The Essential Steps to Take Next
 
CCIAOR Cyber Security Forum
CCIAOR Cyber Security ForumCCIAOR Cyber Security Forum
CCIAOR Cyber Security Forum
 
1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx1. Read the RiskReport to see what requirements are.2. Read the .docx
1. Read the RiskReport to see what requirements are.2. Read the .docx
 

Dernier

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

Dernier (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Insider threat

  • 1. Insider Threat. ISACA, Mumbai Chapter. Sameer Saxena, 23rd July 2011
  • 2. Agenda: The Insider; Insider Threat Landscape; Probable causes; Insider Impact and Challenges; Mitigation strategies
  • 3. Insider Beliefs. Haven’t we heard/said this before!!! “We trust our employees.” “We have an open environment. We cannot clamp down.” “Insiders? Malware is ripping us to shreds.” “It’s an IMPOSSIBLE task!” “We use principle of least privilege, separation of duty, and pray. Lots.”
  • 4. SPOT THE INSIDER…..
  • 5.
  • 6. Terry Childs Case – San Francisco Net. Terry Childs: responsible for creating and managing the City of San Francisco’s FiberWAN network. On July 9, 2008, he was told over a hostile conference call with the HR Dept., his boss and a police officer that he was being reassigned, would no longer work on the FiberWAN network and was to hand over the passwords. He handed over bogus passwords and was reluctant to give the right ones. His justification: nobody in the room was qualified to have admin access to the network. In prison for 7 years and a bail bond of US$ 5 million. The jury found him a nice guy, protective of his work, like many IT people, possibly a little paranoid. He didn’t have good management to keep him in check; he was allowed free rein, which permitted engineering decisions over the years that made things worse and worse and locked people out of possibly getting into this network.
  • 7. Other Real Life Incidents. Roger Duronio, former UBS PaineWebber computer systems administrator, convicted for planting a malicious “logic bomb” that caused > USD 3 million in damage and repair costs to the UBS computer network. He received a bonus of USD 32,500 (against an expected USD 50,000) in 2002. Sentenced to 97 months in prison. William Sullivan, former database administrator of Fidelity National Information Services, sentenced to 57 months in prison and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check Services division of the firm. He had stolen consumer information of 8.4 million people and sold it for USD 600,000 to marketing firms between 2002 and 2007.
  • 8. Other Real Life Incidents. HSBC’s system administrator Hervé Falciani had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax authorities. Subject line: "Tax evasion: client list available."
  • 9. Disgruntled Dave. A fictitious character created out of the amalgamation of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane. Once a trusted insider with privileged access to critical IT infrastructure. Change in circumstances. Now unhappy with the status quo to the point where he is intentionally doing harm such as stealing, modifying or deleting data and/or planting malware.
  • 10. Verizon’s 2010 Data Breach Investigations Report
  • 12. Who are Insiders? Current or former employee, contractor or other business partner who has or had authorised access to an organisation’s network, system, or data and ◦ intentionally exceeded or misused that access in a manner that negatively affected the C.I.A. (confidentiality, integrity, availability) of the organisation’s information, information systems and/or daily business operations
  • 13. Insider may be someone who… Deliberately seeks employment with an organisation with intent to cause harm; Causes harm once employed but who had no intention of doing so when first employed; or Is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider
  • 14. Let’s break it down a bit further… Authorized Users ◦ Employees - Clerks, Accountants, Finance, Salespeople, Purchasing, etc. Privileged Users ◦ DBAs, DB/App Developers, Application QA, Contractors, Consultants. Knowledgeable Users ◦ IT Ops, Network Ops, Security Personnel, Audit Personnel. Outsiders or Malicious User with Insider Access and/or vulnerability knowledge ◦ The sophisticated “white collar” criminal. An individual may belong to more than one group
  • 15. Reasons to cause harm. Motivated by one or a combination of reasons. A useful acronym to understand the motivations underlying behaviour is CRIME: ◦ coercion – being forced or intimidated ◦ revenge – for a real or perceived wrong ◦ ideology – radicalisation or advancement of an ideological or religious objective ◦ money – for illicit financial gain, and/or ◦ exhilaration – for the thrill of doing something wrong
  • 16. Factors that increase the risk of Insider Threat: No comprehensive written acceptable use policies; Ineffective management of privileged users; Inappropriate role and entitlement assignment; Poor information classification and policy enforcement; Weak user authentication; Poor overall identity governance; Inadequate auditing and analytics
  • 17. Can the INSIDERS Be STOPPED?
  • 18. Types of Insider Activity
  • 19. Type 1 – IT Sabotage. Who are they? ◦ System administrators ◦ People with privileged access on systems, and technical ability. Why do they do it? ◦ Bring down systems, cause some kind of harm. How did they attack? ◦ Privileged access ◦ No authorized access ◦ Backdoor accounts, shared accounts, other employees’ accounts, insider’s own account ◦ Remote access outside normal working hours
  • 20. Dynamics of Insider IT Sabotage. Disgruntled due to unmet expectations ◦ Period of heightened expectations, followed by a precipitating event triggering precursors. Behavioral precursors were often observed but ignored by the organization ◦ Significant behavioral precursors often came before technical precursors. Technical precursors were observable, but not detected by the organization
  • 21. Red Flags. Unmet Expectations ◦ Insufficient compensation ◦ Lack of career advancement ◦ Inflexible system policies ◦ Co-worker relations; supervisor demands. Behavioural precursors ◦ Drug use; absence/tardiness ◦ Aggressive or violent behaviour; mood swings ◦ Used organization’s computers for personal business ◦ Sexual harassment ◦ Poor hygiene
  • 22. Types of Sabotage Crimes: Constructed or downloaded, tested, planted logic bomb; Deleted files, databases, or programs; Destroyed backups; Revealed derogatory, confidential, or pornographic information to customers, employees, or public; Modified system or data to present pornography or embarrassing info; Denial of Service by modifying authentication info, deleting data, or crashing systems; Modified system logs to frame supervisor or innocent person & conceal identity; Downloaded customer credit card data & posted to website; Cut cables; Sabotaged own project; Physically stole computers and/or backups; Planted virus on customers’ computers; Extortion for deleted data & backups; Defaced organization’s website
  • 23. Type 2 – Fraud: Theft or Modification for Financial Gain. Who did it? ◦ Current & former employees ◦ “Low level” positions ◦ Non-technical. What was stolen/modified? ◦ Personally Identifiable Information (PII) ◦ Customer Information (CI) ◦ Very few cases involved trade secrets. How did they steal/modify it? ◦ During normal working hours ◦ Using authorized access
  • 24. Dynamics of the Crime. Most attacks were long, ongoing schemes. Collusion with internal or external people prevails in this type
  • 25. Examples. A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their account. Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data. One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
  • 26. Red Flags: Family medical problems; Substance abuse; Physical threat of outsiders; Financial difficulties; Financial compensation issues; Hostile work environment; Problems with supervisor; Layoffs
  • 27. Type 3 – Theft of IP. Who did it? ◦ Current employees ◦ Technical or sales positions. What was stolen? ◦ Intellectual Property (IP) like source code, engineering drawings, scientific formulae, etc. ◦ Customer Information (CI). Why did they do it? ◦ Financial ◦ Entitlement (some didn’t realize it was wrong) ◦ Disgruntled. How did they attack? ◦ Using authorized access ◦ Acted during working hours from within the workplace
  • 28. Dynamics of the Crime. Most were quick thefts upon resignation. Stole information to ◦ Take to a new job ◦ Start a new business ◦ Give to a foreign company or government organization. Collusion ◦ Collusion with at least one insider in almost 1/2 of cases ◦ Outsider recruited insider in less than 1/4 of cases ◦ Acted alone in 1/2 of cases
  • 29. Red Flags: Disagreement over ownership of intellectual property; Financial compensation issues; Relocation issues; Hostile work environment; Mergers & acquisitions; Company attempting to obtain venture capital; Problems with supervisor; Passed over for promotion; Layoffs
  • 30. Latest Case – Travelocity sues Cleartrip. Travelocity (= Travelguru + Desiya): victim. Cleartrip: accused. Location: Gurgaon. Data passed by 3 employees, which led to loss of business. These 3 people joined Cleartrip after the merger. Shared the "entire hotel business model, projections and other proprietary information". Claimed: US$ 37.5 million (Rs. 168 crore)
  • 31. DCD Example. We create documents in MS Word…protection of these documents falls under Digital Rights Management. Let’s assume that the place where all documents are stored is called DCD – Document Control Domain – in a network. Users in the DCD have a need to collaborate and share the documents securely and with restrictions on the usage of the documents’ content. Each user belongs to a group with a specific function, usually dictated by the nature of the organization. For instance a software company might have the groups: {CEO, Board Member, Administrator, Software Developer, Technical Writer, and Secretary}. During the course of his/her work, a user produces and consumes a variety of documents related to his work function. The DCD aims at protecting these documents from unwarranted usage and compromise.
  • 32. DCD Example. The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization. Existing solutions such as encryption are not enough as they protect only from the classic hackers: an authorised insider already holds the key and reads the document in the clear. A malicious insider in the DCD starts off with several privileges. The CEO’s secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company. Hence if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
  • 33. So…what could be the insider threats in this scenario? a) An insider can read, copy, and print any document he has access to unless fine-grained access control is in place. b) An insider can become the owner of the document by copying it to a new file and thus set new access control on the copied document. c) An insider can forward a document to another user either inside or outside the organization. d) A user can work late or early hours when the intrusion/misuse detection systems are not running. e) He can copy the contents of a document into another document that is opened simultaneously. f) An insider can remember the contents of a document, which he opened before, and then create a low priority document with the same contents. g) An insider can take a dump of the document from memory and then print the document. h) A malicious insider can tamper with the existing rights on the documents.
  • 34. Policy design considerations to prevent such threats. Need to consider both the context and the information flow between requests. Take an approach where multiple policies are specified on the same resource. The policies differ in the context in which they become applicable. For example, a policy might allow access to a document in normal office hours but not during after-office hours. The current context is contained in the request for access (or is alternatively maintained on the policy server). Policies should also contain the obligations or the provisional authorizations that the subject should satisfy before access can be granted ◦ The obligations are returned to the viewer at the client side as a part of the response to the request and the viewer is expected to enforce them. An obligation might specify that a high priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication
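The policy model on slides 31 to 34 (several policies on one resource, each applicable in its own context, with obligations handed back to the viewer to enforce) is shown below as an added Python example. It is not code from the talk: the policy and request structures, the obligation identifiers, the resource name `merger.docx`, the groups `CEO` and `Secretary`, and the timestamps are assumptions made for illustration.

```python
# Added example for the DCD policy design on slides 31-34; not code from the
# talk. Policy format, obligation identifiers, group names, resource name and
# timestamps are assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime

NO_OTHER_DOCS_OPEN = "no-other-docs-open"   # "open only if nothing else is open"
BIOMETRIC_AUTH = "biometric-auth"           # "print only after biometric auth"


@dataclass(frozen=True)
class Policy:
    resource: str
    groups: frozenset        # subject groups the rule applies to
    actions: frozenset       # actions the rule permits
    hours: tuple             # (start, end) hours of the day in which the rule applies
    obligations: tuple = ()  # what the viewer must satisfy before acting


@dataclass(frozen=True)
class Request:
    subject: str
    group: str
    resource: str
    action: str
    when: datetime               # context: time of the request
    open_docs: int = 0           # context: documents already open in the viewer
    biometric_ok: bool = False   # context: biometric authentication done


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str
    obligations: tuple = ()


def is_applicable(policy, req):
    """Several policies may exist for one resource; each applies only in its
    own context (group, action, time of day)."""
    start, end = policy.hours
    return (policy.resource == req.resource and req.group in policy.groups
            and req.action in policy.actions and start <= req.when.hour < end)


def evaluate(policies, req):
    """Policy-server side. Default deny: the first applicable policy wins and
    its obligations are returned with the permit."""
    for policy in policies:
        if is_applicable(policy, req):
            return Decision(True, "matched policy", policy.obligations)
    return Decision(False, "no applicable policy for this context")


def viewer_enforce(decision, req):
    """Viewer side: act only if every returned obligation holds; an obligation
    the viewer does not understand fails closed."""
    if not decision.permit:
        return False
    satisfied = {NO_OTHER_DOCS_OPEN: req.open_docs == 0,
                 BIOMETRIC_AUTH: req.biometric_ok}
    return all(satisfied.get(ob, False) for ob in decision.obligations)


OFFICE_HOURS, ANY_HOUR = (9, 18), (0, 24)

# Two policies on the same resource, differing in the context where they apply.
MERGER_POLICIES = (
    # Read during office hours only, with no other document open (threat e).
    Policy("merger.docx", frozenset({"CEO", "Secretary"}), frozenset({"read"}),
           OFFICE_HOURS, (NO_OTHER_DOCS_OPEN,)),
    # Print: CEO only, at any hour, after biometric authentication.
    Policy("merger.docx", frozenset({"CEO"}), frozenset({"print"}),
           ANY_HOUR, (BIOMETRIC_AUTH,)),
    # Nothing grants "forward", so the secretary's leak on slide 32 is denied.
)


def run_requests(policies, requests):
    """name -> (server permit, obligations returned, allowed after viewer enforcement)"""
    results = {}
    for name, req in requests.items():
        decision = evaluate(policies, req)
        results[name] = (decision.permit, decision.obligations, viewer_enforce(decision, req))
    return results


def demo():
    day = datetime(2011, 7, 23, 10, 0)      # constructed timestamps
    night = datetime(2011, 7, 23, 22, 0)
    return run_requests(MERGER_POLICIES, {
        "secretary_reads_daytime": Request("alice", "Secretary", "merger.docx", "read", day),
        "secretary_reads_night": Request("alice", "Secretary", "merger.docx", "read", night),
        "secretary_forwards": Request("alice", "Secretary", "merger.docx", "forward", day),
        "secretary_reads_other_doc_open": Request("alice", "Secretary", "merger.docx", "read", day, open_docs=1),
        "ceo_prints_no_biometric": Request("bob", "CEO", "merger.docx", "print", night),
        "ceo_prints_with_biometric": Request("bob", "CEO", "merger.docx", "print", night, biometric_ok=True),
    })


if __name__ == "__main__":
    for name, (permit, obligations, allowed) in demo().items():
        print(f"{name:31s} server={'permit' if permit else 'deny':6s} "
              f"obligations={list(obligations)} viewer={'allow' if allowed else 'block'}")
```

Two points a practitioner should take from this. Everything that can be decided from request context the server already has (group, action, time of day) is decided on the server, so the night-time read and the forward never reach the viewer. The obligations, by contrast, are enforced by the viewer, and the viewer runs on the insider’s machine: the same insider who can dump the document from memory (threat g) can patch the check out. Treat viewer-enforced obligations as defence in depth, and keep the decisions that matter on the policy server.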
  • 35. Type 4 – Miscellaneous: Reading executive emails for entertainment; Providing organizational information to lawyers in a lawsuit against the organization (ideological); Transmitting organization’s IP to hacker groups; Unauthorized access to information to locate a person as accessory to murder
  • 36. Detection of all types of insider threat. How was it detected? ◦ Manually due to system failure/irregularity ◦ Non-technical means ◦ Data irregularities, including suspicious activities in the form of bills, tickets, or negative indicators on individuals’ credit histories ◦ Notification by customers, supervisors, coworkers, auditor, security staff, informant ◦ Detection by law enforcement agencies ◦ Sudden emergence of a new competing organisation
  • 37. Identification of all types of insider threat. How was the insider identified? ◦ System logs ◦ Remote access logs ◦ File access logs ◦ Database logs ◦ Application logs ◦ Email logs ◦ Competitor information
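Slide 20 says the technical precursors of sabotage were observable but not detected, slide 19 lists what they look like (remote access outside working hours, shared and backdoor accounts, other employees’ accounts), and slide 37 says remote access and system logs are what eventually identified the insider. The following added Python example (not code from the talk) runs those rules over a handful of constructed VPN log lines; the key=value log format, the account names, the RFC 5737 test addresses, the privileged-account list and the HR termination date are all assumptions made for illustration.

```python
# Added example, not code from the talk. The log format, account names,
# addresses and HR dates are constructed for illustration.
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed VPN log lines in an assumed key=value format (RFC 5737 test addresses).
SAMPLE_LOG = """\
2011-07-18T09:12:03 vpn login user=asmith src=198.51.100.20 result=success
2011-07-18T02:14:07 vpn login user=netadmin1 src=203.0.113.9 result=success
2011-07-18T10:05:41 vpn login user=netadmin1 src=198.51.100.21 result=success
2011-07-19T23:40:12 vpn login user=jdoe src=203.0.113.44 result=success
2011-07-19T23:41:50 vpn login user=svc-backup src=203.0.113.44 result=success
2011-07-20T11:00:00 vpn login user=svc-backup src=198.51.100.77 result=success
2011-07-21T12:00:00 vpn login user=jdoe src=203.0.113.44 result=failure
2011-07-23T14:30:09 vpn login user=dba2 src=203.0.113.9 result=success
"""

# Reference data a SOC would pull from IAM and HR (assumed values).
PRIVILEGED = {"netadmin1", "dba2", "svc-backup"}
TERMINATED = {"jdoe": date(2011, 7, 15)}   # user -> last working day
BUSINESS_HOURS = (9, 18)                   # local time, Monday to Friday

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Parse key=value lines; malformed lines are counted rather than dropped silently."""
    events, malformed = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "src": m["src"], "ok": m["result"] == "success"})
    return events, malformed


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def was_terminated(user, ts):
    return user in TERMINATED and ts.date() > TERMINATED[user]


def detect(events):
    """Findings for the patterns on slide 19: off-hours remote access by
    privileged accounts, accounts that should have been deactivated at
    termination, one account used from several sources (shared/backdoor), and
    a source that logged in as a terminated user and then as someone else."""
    findings = []
    sources_by_user_day = defaultdict(set)
    terminated_sources = set()
    for e in events:
        if was_terminated(e["user"], e["ts"]):
            rule = "terminated_account_login" if e["ok"] else "terminated_account_attempt"
            findings.append({"rule": rule, "user": e["user"], "when": e["ts"], "src": e["src"]})
            if e["ok"]:
                terminated_sources.add(e["src"])
        if not e["ok"]:
            continue
        if e["user"] in PRIVILEGED and outside_business_hours(e["ts"]):
            findings.append({"rule": "privileged_off_hours_remote", "user": e["user"],
                             "when": e["ts"], "src": e["src"]})
        sources_by_user_day[(e["user"], e["ts"].date())].add(e["src"])
    for (user, day), srcs in sources_by_user_day.items():
        if len(srcs) > 1:
            findings.append({"rule": "possible_shared_account", "user": user,
                             "when": day, "src": sorted(srcs)})
    for e in events:
        if e["ok"] and e["src"] in terminated_sources and not was_terminated(e["user"], e["ts"]):
            findings.append({"rule": "source_reused_after_terminated_login", "user": e["user"],
                             "when": e["ts"], "src": e["src"]})
    return findings


def rule_counts(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events, malformed = parse(SAMPLE_LOG)
    for f in detect(events):
        print(f["rule"], f["user"], f["when"], f["src"])
    print("malformed lines:", malformed)
```

On the constructed lines this raises seven findings: three privileged logins outside business hours, a successful and a failed login on an account that HR marked as terminated, one account used from two sources on the same day, and a service account logging in from the address the terminated account had just used. The last two rules only work because the detection has reference data from IAM and HR; without a termination feed, "jdoe" is just another successful login, which is the gap the best practice "deactivate computer access following termination" closes. The business-hours window and the one-day grouping are assumed thresholds to tune per environment.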
  • 38.
  • 40. Probable Causes: Lack of articulate policies; Policies based on “book”; Lack of periodic user education, communication, awareness, etc.; Lack of reviews, audits and monitoring; Security in applications an afterthought; Poor development practices; OWASP Top 10 hasn’t changed much since 2007; High staff turn-over, low morale, etc.; Unauthorised software and hardware; Negligence to policies and consequences; Business/Delivery team ownership; Business bats for freedom, new technologies, etc.; IT/Security seen as adversaries; Business pressure – a perfect vehicle to get around policies
  • 42. Impacts: Inability to conduct business due to system/network being down; Loss of customer records; Inability to produce products due to damaged or destroyed software or systems; Loss of productivity, hence loss of business/revenue; Misuse of resources – leads to a slow-down in the availability of resources to others; Loss of sensitive, proprietary data and intellectual property; Negative reputational damage, media and public attention, etc.; Regulatory and contractual non-compliance; Financial loss through fraud, litigation, penalties and so on; Trade secrets stolen
  • 43. Impacts: Organization & customer confidential information revealed; Sends wrong signals to other staff; Workplace conflicts, leading to indecision, inaction, etc.; Impacts to innocent victims; Insider committed suicide; Private information forwarded to customers, competitors, or employees; Exposure of personal information; Web site defacements
  • 46. Deloitte 2009 Global Security Survey – India Report
  • 47. Verizon’s 2010 Data Breach Investigations Report
  • 48. Best Practices: Consider threats from insiders and business partners in enterprise-wide risk assessments; Clearly document and consistently enforce policies and controls; Institute periodic security awareness training for all employees; Monitor and respond to suspicious or disruptive behaviour; Anticipate and manage negative workplace issues; Track and secure the physical environment; Implement strict password and account management policies and practices; Enforce separation of duties and least privilege
  • 49. Best Practices: Use extra caution with system administrators and privileged users; Consider insider threats in the software development life cycle; Implement system change controls; Log, monitor and audit employee online actions; Use layered defense against remote attacks; Deactivate computer access following termination; Implement secure backup and recovery processes; Develop an insider incident response plan
  • 50. Summary. Insider threat is a problem that impacts and requires understanding by everyone ◦ Information Technology ◦ Information Security ◦ Human Resources ◦ Management ◦ Physical Security ◦ Legal. Use enterprise risk management for protection of critical assets from ALL threats, including insiders. Incident response plans should include insider incidents. Create a culture of security – all employees have responsibility for protection of the organization’s information
  • 51. A Closing Statistic. As of 20th July 2011, 534,978,831 records have been breached in the USA since 2005, of which 32,106,583 records were breached by insiders alone
  • 52. And A Closing Thought. Have you been Wikileaked yet??
  • 53. Thank you for your time today. Need to conduct an insider threat risk assessment in your organisation? Simply email sameer.saxena@arconnet.com