Insider Threat

ISACA, Mumbai Chapter
     Sameer Saxena
      23rd July 2011
Agenda
 The Insider
 Insider Threat Landscape
 Probable causes
 Insider Impact and Challenges
 Mitigation strategies
Insider Beliefs
Haven’t we heard/said this before!!!

“We Trust our Employees”
“We have an open environment. We cannot clamp down.”
“Insiders? Malware is ripping us to shreds”
“It's an IMPOSSIBLE task!”
“We use principle of least privilege, separation of duty, and pray. Lots.”
SPOT THE INSIDER…
Insider threat
Terry Childs Case – San Francisco Net
  Terry Childs: Responsible for creating and managing the City of San
  Francisco's FiberWAN network
  On July 9, 2008, told over a hostile conference call with the HR Dept., his
  boss and a police officer, that he was being reassigned, was no longer working
  on the FiberWAN network and was to hand over the passwords
  Handed over bogus passwords and was reluctant to give the right passwords
  His justification: nobody in the room was qualified to have admin access to
  the network
  In prison for 7 years and bond of US$ 5 million
  Jury found him a nice guy, protective of his work, like many IT people,
  possibly a little paranoid.
  Didn’t have good management to keep him in check. Allowed free rein,
  which allowed engineering decisions over the years that made things
  worse and worse, and locked people out of possibly getting into this
  network
Other Real Life Incidents
Roger Duronio, former UBS PaineWebber computer systems
administrator, convicted for planting a malicious “logic bomb” that
caused > USD 3 million in damage and repair costs to the UBS
computer network
He received a bonus of USD 32,500 (against USD 50,000) in 2002.
Sentenced to 97 months in prison

William Sullivan, former database administrator of Fidelity
National Information Services, sentenced to 57 months in prison
and ordered to pay USD 3.2 million in restitution for a crime he
committed through his power to gain access to databases in the
Certegy Check Services division of the firm. He had stolen
consumer information of 8.4 million people and sold it for
USD 600,000 to marketing firms between 2002 and 2007.
Other Real Life Incidents
HSBC’s system administrator Hervé Falciani, who had unfettered root access.
What did he do with those credentials? He stole thousands (about 80,000) of
customer files (tax evaders) and then tried to sell them to banks and tax
authorities.
     Subject line: "Tax evasion: client list available."
Disgruntled Dave
 A fictitious character created out of the amalgamation
 of recently caught and reported insiders responsible for
 breaches ranging from the obscure to the profane

 Once a trusted insider with privileged access to critical
 IT infrastructure

 Change in circumstances

 Now unhappy with the status quo to the point where
 he is intentionally doing harm such as stealing,
 modifying or deleting data and/or planting malware
Verizon’s 2010 Data Breach
Investigations Report
THE INSIDER
Who are Insiders
 Current or former employee, contractor or
 other business partner who:
 ◦ has or had authorised access to an organisation’s
   network, system, or data and
 ◦ intentionally exceeded or misused that access in a
   manner that negatively affected the C.I.A. of the
   organisation’s information, information systems
   and/or daily business operations
Insider may be someone who…
 Deliberately seeks employment with an organisation
 with intent to cause harm

 Causes harm once employed but who had no intention
 of doing so when first employed, or

 Is exploited by others to do harm once employed, and
 may be either a passive, unwitting or unwilling insider
Let’s break it down a bit further…
 Authorized Users
 ◦ Employees - Clerks, Accountants, Finance, Salespeople,
   Purchasing, etc.

 Privileged Users
 ◦ DBA’s, DB/App Developers, Application QA, Contractors,
   Consultants

 Knowledgeable Users
 ◦ IT Op’s, Network Op’s, Security Personnel, Audit Personnel

 Outsiders or Malicious User with Insider Access and/or
 vulnerability knowledge
 ◦ The sophisticated “white collar” criminal
    An individual may belong to more than one group
Reasons to cause harm
 Motivated by one or a combination of reasons

 A useful acronym to understand the motivations
 underlying behaviour is CRIME
 ◦ coercion – being forced or intimidated
 ◦ revenge – for a real or perceived wrong
 ◦ ideology – radicalisation or advancement of an ideological or
   religious objective
 ◦ money – for illicit financial gain, and/or
 ◦ exhilaration – for the thrill of doing something wrong
Factors that increase the risk of
Insider Threat
 No comprehensive written acceptable use policies

 Ineffective management of privileged users

 Inappropriate role and entitlement assignment

 Poor information classification and policy enforcement

 Weak user authentication

 Poor overall identity governance

 Inadequate auditing and analytics
Can the INSIDERS Be STOPPED?
Types of Insider Activity
Type 1 – IT Sabotage
 Who are they?
 ◦ System administrators
 ◦ People with privileged access on systems, and technical
   ability
 Why do they do it?
 ◦ Bring down systems, cause some kind of harm
 How did they attack?
 ◦ Privileged access
 ◦ No authorized access
 ◦ Backdoor accounts, shared accounts, other employees’
   accounts, insider’s own account
 ◦ Remote access outside normal working hours
Dynamics of Insider IT Sabotage
 Disgruntled due to unmet expectations
 ◦ Period of heightened expectations, followed by a
   precipitating event triggering precursors

 Behavioral precursors were often observed but ignored
 by the organization
 ◦ Significant behavioral precursors often came before
   technical precursors

 Technical precursors were observable, but not detected
 by the organization
Red Flags
 Unmet Expectations
 ◦ Insufficient compensation
 ◦ Lack of career advancement
 ◦ Inflexible system policies
 ◦ Co-worker relations; supervisor demands
 Behavioural precursors
 ◦ Drug use; absence/tardiness
 ◦ Aggressive or violent behaviour; mood swings
 ◦ Used organization’s computers for personal business
 ◦ Sexual harassment
 ◦ Poor hygiene
Types of Sabotage Crimes
 Constructed or downloaded, tested, planted logic bomb
 Deleted files, databases, or programs
 Destroyed backups
 Revealed derogatory, confidential, or pornographic information to
 customers, employees, or public
 Modified system or data to present pornography or embarrassing info
 Denial of Service by modifying authentication info, deleting data, or
 crashing systems
 Modified system logs to frame supervisor or innocent person &
 conceal identity
 Downloaded customer credit card data & posted to website
 Cut cables
 Sabotaged own project
 Physically stole computers and/or backups
 Planted virus on customers’ computers
 Extortion for deleted data & backups
 Defaced organization’s website
Type 2 – Fraud
Theft or Modification for Financial Gain
  Who did it?
  ◦ Current & former employees
  ◦ “Low level” positions
  ◦ Non-technical
  What was stolen/modified?
  ◦ Personally Identifiable Information (PII)
  ◦ Customer Information (CI)
  ◦ Very few cases involved trade secrets
  How did they steal/modify it?
  ◦ During normal working hours
  ◦ Using authorized access
Dynamics of the Crime
 Most attacks were long, ongoing schemes

 Collusion prevails in this type with internal or external
 people
Examples
 A check fraud scheme resulted in innocent people
 receiving collection letters due to fraudulent checks
 written against their account.

 Other cases involved insiders committing credit card
 fraud by abusing their access to confidential customer
 data.

 One insider accepted payment to modify a database to
 overturn decisions denying asylum to illegal aliens,
 enabling them to remain in the U.S. illegally.
Red Flags
 Family medical problems
 Substance abuse
 Physical threat of outsiders
 Financial difficulties
 Financial compensation issues
 Hostile work environment
 Problems with supervisor
 Layoffs
Type 3 – Theft of IP
Who did it?
◦ Current employees
◦ Technical or sales positions
What was stolen?
◦ Intellectual Property (IP) like source code, engineering
  drawings, scientific formulae, etc.
◦ Customer Information (CI)
Why did they do it?
◦ Financial
◦ Entitlement (some didn’t realize it was wrong)
◦ Disgruntled
How did they attack?
◦ Using authorized access
◦ Acted during working hours from within the workplace
Dynamics of the Crime
 Most were quick theft upon resignation

 Stole information to
 ◦ Take to a new job
 ◦ Start a new business
 ◦ Give to a foreign company or government organization

 Collusion
 ◦ Collusion with at least one insider in almost 1/2 of
   cases
 ◦ Outsider recruited insider in less than 1/4 of cases
 ◦ Acted alone in 1/2 of cases
Red Flags
 Disagreement over ownership of intellectual property
 Financial compensation issues
 Relocation issues
 Hostile work environment
 Mergers & acquisitions
 Company attempting to obtain venture capital
 Problems with supervisor
 Passed over for promotion
 Layoffs
Latest Case – Travelocity
sues Cleartrip
 Travelocity = Travelguru + Desiya: Victim
 Cleartrip: Accused
 Location: Gurgaon
 Data passed by 3 employees, which led to loss of
 business
 These 3 people joined Cleartrip after merger
 Shared the "entire hotel business model, projections
 and other proprietary information"
 Claimed: US$ 37.5 million (Rs. 168 crore)
DCD Example
 We create documents in MS Word… protection of these documents falls
 under Digital Rights Management
 Let's assume that the place where all documents are stored is called the DCD
 – Document Control Domain – in a network
 n users in the DCD have a need to collaborate and share the documents
 securely and with restrictions on the usage of the documents' content.
 Each user belongs to a group with a specific function, usually dictated by
 the nature of the organization.
    For instance a software company might have the groups: {CEO, Board
    Member, Administrator, Software Developer, Technical Writer, and
    Secretary}.
 During the course of his/her work, a user produces and consumes a
 variety of documents related to his work function.
 The DCD aims at protecting these documents from unwarranted usage
 and compromise.
DCD Example
 The CEO might work on a merger document whose compromise
 to the outside world could prove catastrophic to the organization.
 Existing solutions such as encryption are not enough as they
 protect only from the classic hackers
 A malicious insider in the DCD starts off with several privileges.
 The CEO’s secretary, for instance, could be leaking information to
 the outside world. It is quite possible for the secretary to forward
 the merger document she received for corrections to a rival
 company.
 Hence if there are no constraints on the privileges in the form of
 access control, then a malicious insider is capable of inflicting
 serious damage to the documents.
So…what could be the insider
threats in this scenario?
a)   An insider can read, copy, and print any document he has access to unless
     fine-grained access control is in place.
b)   An insider can become the owner of the document by copying it to a new
     file and thus set new access control on the copied document.
c)   An insider can forward a document to another user either inside or
     outside the organization.
d)   A user can work late or early hours when the intrusion/misuse detection
     systems are not running.
e)   He can copy the contents of a document into another document that is
     opened simultaneously.
f)   An insider can remember the contents of a document, which he opened
     before, and then create a low priority document with the same contents.
g)   An insider can take a dump of the document from the memory and then
     print the document.
h)   A malicious insider can tamper with the existing rights on the documents.
Policy design considerations to
prevent such threats
  Need to consider both the context and information flow
  between requests
  Take an approach where multiple policies are specified on
  the same resource. The policies differ in the context when
  they become applicable.
    For example, a policy might allow access to a document in
    the normal office hours but not during after-office hours.
    The current context is contained in the request for access
    (or is alternatively maintained on the policy server)
  Policies should also contain the obligations or the provisional
  authorizations that the subject should satisfy before access
  can be granted
   ◦ The obligations are returned to the viewer at the client side as a part of
     response to the request and the viewer is expected to enforce them. An
     obligation might specify that a high priority document can be opened if and only
     if no other documents are currently open. Another obligation might specify that
     the user can print a document if and only if he has performed a biometric
     authentication
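The policy design just described (several policies on one resource, selected by the context in the request, with obligations the client-side viewer must enforce) can be made concrete with a small policy engine. The block below is an added example, not code from the slides or from any product the deck mentions; the document name, the groups, the office-hours window, the obligation identifiers and the requests are all constructed for illustration.

```python
"""Context-aware document policy evaluation with obligations.

Added example (not from the original slides): a minimal policy engine for the
"Document Control Domain" (DCD) scenario. Several policies cover the same
document; which one applies depends on the context carried in the request
(here, the time of day). A permit decision carries obligations that the
document viewer on the client must satisfy before it actually opens or prints.
All documents, groups, policies and requests below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    user: str
    group: str            # e.g. "CEO", "Secretary"
    action: str           # "read" or "print"
    document: str
    at: datetime          # context: when the access is requested
    open_documents: int   # context: documents already open in the viewer
    biometric_verified: bool = False


@dataclass(frozen=True)
class Policy:
    document: str
    groups: frozenset
    actions: frozenset
    valid_from: time      # policy applies only inside this daily window
    valid_until: time
    obligations: tuple = ()   # obligation identifiers returned to the client


@dataclass(frozen=True)
class Decision:
    permit: bool
    obligations: tuple
    reason: str


OFFICE_HOURS = (time(9, 0), time(18, 0))   # assumed office-hours window

# Constructed policies for one high-priority document. The policies cover the
# same resource but differ in the context (time window) in which they apply.
POLICIES = (
    Policy("merger.docx", frozenset({"CEO", "Secretary"}), frozenset({"read"}),
           *OFFICE_HOURS, obligations=("exclusive_open",)),
    Policy("merger.docx", frozenset({"CEO"}), frozenset({"print"}),
           *OFFICE_HOURS, obligations=("exclusive_open", "biometric_auth")),
    # After office hours only the CEO may read, and still only with nothing else open.
    Policy("merger.docx", frozenset({"CEO"}), frozenset({"read"}),
           time(18, 0), time(23, 59), obligations=("exclusive_open",)),
)


def is_applicable(policy: Policy, request: Request) -> bool:
    """A policy applies when the resource matches and the request time
    falls inside the policy's daily window (half-open interval)."""
    now = request.at.time()
    return (policy.document == request.document
            and policy.valid_from <= now < policy.valid_until)


def evaluate(policies, request: Request) -> Decision:
    """Policy-server decision: the first applicable policy that grants the
    (group, action) pair wins; anything else is denied by default."""
    for policy in policies:
        if not is_applicable(policy, request):
            continue
        if request.group in policy.groups and request.action in policy.actions:
            return Decision(True, policy.obligations, "permitted by policy")
    return Decision(False, (), "no applicable policy grants this access")


def enforce_obligations(decision: Decision, request: Request) -> bool:
    """Client-side (viewer) enforcement of the obligations returned with a
    permit. Returns True only if the access may actually proceed."""
    if not decision.permit:
        return False
    checks = {
        "exclusive_open": request.open_documents == 0,
        "biometric_auth": request.biometric_verified,
    }
    # An obligation the viewer does not understand cannot be satisfied: fail closed.
    return all(checks.get(ob, False) for ob in decision.obligations)


def access_allowed(policies, request: Request) -> bool:
    """Full path: policy decision on the server, then obligation enforcement."""
    return enforce_obligations(evaluate(policies, request), request)


if __name__ == "__main__":
    day = Request("alice", "Secretary", "read", "merger.docx",
                  datetime(2011, 7, 23, 10, 30), open_documents=0)
    night = Request("alice", "Secretary", "read", "merger.docx",
                    datetime(2011, 7, 23, 22, 0), open_documents=0)
    ceo_print = Request("bob", "CEO", "print", "merger.docx",
                        datetime(2011, 7, 23, 11, 0), open_documents=0)
    print(evaluate(POLICIES, day))            # permit, obligation exclusive_open
    print(evaluate(POLICIES, night))          # deny: no after-hours policy for Secretary
    print(access_allowed(POLICIES, ceo_print))  # False: biometric obligation unmet
```

Two design points are worth noting. The decision is deny-by-default, so a request at a time no policy covers is refused even for the CEO, which is exactly the "office hours but not after hours" behaviour the slide asks for. The obligations travel back with the permit and are checked separately by the viewer, so a viewer that meets an unknown obligation name fails closed rather than open.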
Type 4 - Miscellaneous
 Reading executive emails for entertainment

 Providing organizational information to lawyers in
 lawsuit against organization (ideological)

 Transmitting organization’s IP to hacker groups

 Unauthorized access to information to locate a person
 as accessory to murder
Detection of all types of insider threat
   How was it detected?
   ◦ Manually due to system failure irregularity
   ◦ Non-technical means
   ◦ Data irregularities, including suspicious activities in
     the form of bills, tickets, or negative indicators on
     individual’s credit histories.
   ◦ Notification by customers, supervisors, coworkers,
     auditor, security staff, informant
   ◦ Detection by law enforcement agencies
   ◦ Sudden emergence of new competing organisation
Identification of all types of insider
threat
  How was the insider identified?
  ◦   System logs
  ◦   Remote access logs
  ◦   File access logs
  ◦   Database logs
  ◦   Application logs
  ◦   Email logs
  ◦   Competitor information
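The deck lists remote-access and file-access logs as the sources from which insiders were identified after the fact, and earlier names "remote access outside normal working hours" as a sabotage technique. The block below is an added example, not code from the slides: a review script over constructed log lines that surfaces three of the patterns the deck describes. The log format, the working-hours window, the bulk threshold, the account roster and every event are assumptions made for the example.

```python
"""Access-log review for the insider patterns listed in the deck.

Added example (not from the original slides): a small review script of the
kind an auditor could run over remote-access and file-access logs to surface
three patterns the deck describes, namely privileged remote access outside
normal working hours, activity on an account that should have been deactivated
on termination, and one user reading an unusually large number of files in a
day. The log format, roster, thresholds and every event below are constructed.
"""
from collections import Counter, namedtuple
from datetime import datetime, time

OFFICE_START, OFFICE_END = time(8, 0), time(19, 0)   # assumed working hours
BULK_FILE_THRESHOLD = 20   # reads per user per day that we treat as bulk

# Constructed HR data: privileged accounts and termination dates.
PRIVILEGED = {"netadmin", "dba01"}
TERMINATED = {"jdoe": datetime(2011, 7, 15)}

# Constructed log lines: "<ISO timestamp> <source> key=value ...".
LOG_LINES = "\n".join([
    "2011-07-20T09:12:04 vpn user=netadmin action=login src=10.8.0.5",
    "2011-07-20T23:41:17 vpn user=netadmin action=login src=203.0.113.9",
    "2011-07-21T02:03:55 vpn user=dba01 action=login src=198.51.100.7",
    "2011-07-21T10:00:01 fileserver user=rsmith action=read target=/eng/design/a.dwg",
    "2011-07-21T14:30:00 vpn user=jdoe action=login src=192.0.2.44",
    "2011-07-21T14:31:12 fileserver user=jdoe action=read target=/sales/customers.xlsx",
] + [
    # One user pulling 25 source files within half an hour on the same day.
    f"2011-07-22T17:{m:02d}:00 fileserver user=rsmith action=read target=/eng/src/f{m}.c"
    for m in range(25)
])

Finding = namedtuple("Finding", "kind user at")


def parse_line(line: str) -> dict:
    """Split one log line into a dict; 'at' becomes a datetime."""
    ts, source, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["at"] = datetime.fromisoformat(ts)
    event["source"] = source
    return event


def in_office_hours(at: datetime) -> bool:
    return OFFICE_START <= at.time() < OFFICE_END


def review(log_text: str) -> list:
    """Return a list of Finding tuples for the three patterns."""
    findings = []
    reads_per_user_day = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        user, at = event["user"], event["at"]
        # Pattern 1: privileged account coming in remotely outside office hours.
        if event["source"] == "vpn" and user in PRIVILEGED and not in_office_hours(at):
            findings.append(Finding("off_hours_privileged_remote", user, at))
        # Pattern 2: any activity on an account on or after its termination date.
        if user in TERMINATED and at >= TERMINATED[user]:
            findings.append(Finding("access_after_termination", user, at))
        # Pattern 3: count file reads per user per day for the bulk check.
        if event.get("action") == "read" and "target" in event:
            reads_per_user_day[(user, at.date())] += 1
    for (user, day), count in sorted(reads_per_user_day.items()):
        if count >= BULK_FILE_THRESHOLD:
            findings.append(Finding("bulk_file_access", user, datetime.combine(day, time())))
    return findings


def summarize(findings) -> dict:
    """Count findings by kind, e.g. {'bulk_file_access': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in review(LOG_LINES):
        print(f"{f.kind:28} {f.user:10} {f.at:%Y-%m-%d %H:%M}")
    print(summarize(review(LOG_LINES)))
```

On the constructed input the script reports two off-hours privileged VPN logins, two events on the terminated account (one VPN login, one file read) and one bulk-read day. The second pattern is the log-side counterpart of "deactivate computer access following termination": if the HR termination date is fed into the review, any later activity on the account is a finding regardless of what was done.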
Insider threat
PROBABLE CAUSES
Probable Causes
 Lack of articulate policies
 Policies based on “book”
 Lack of periodic user education, communication, awareness, etc.
 Lack of reviews, audits and monitoring
 Security in applications, an afterthought
 Poor development practices
 OWASP Top 10 hasn’t changed much since 2007
 Unauthorised software and hardware
 Negligence to policies and consequences
 Business/Delivery team ownership
 Business bats for freedom, new technologies, etc.
 IT/Security seen as adversaries
 Business pressure – a perfect vehicle to get around policies
 High staff turn-over, low morale, etc.
INSIDER IMPACT AND
CHALLENGES
Impacts
Inability to conduct business due to system/network being down
Loss of customer records
Inability to produce products due to damaged or destroyed
software or systems
Loss of productivity, hence loss of business/revenue
Misuse of resources – leads to a slow-down in the availability of
resources to others
Loss of sensitive, proprietary data and intellectual property
Negative reputational damage, media and public attention, etc.
Regulatory and contractual non-compliance
Financial loss through fraud, litigation, penalties and so on
Trade secrets stolen
Impacts
 Organization & customer confidential information revealed
 Send wrong signals to other staff
 Workplace conflicts, leading to indecision, inaction, etc.
 Impacts to innocent victims
 Insider committed suicide
 Private information forwarded to customers, competitors, or
 employees
 Exposure of personal information
 Web site defacements
MITIGATION
STRATEGIES
DSCI-KPMG Survey 2009 & 2010
Deloitte 2009 Global Security
Survey – India Report
Verizon’s 2010 Data Breach
Investigations Report
Best Practices
 Consider threats from insiders and business partners in
 enterprise-wide risk assessments.
 Clearly document and consistently enforce policies and
 controls
 Institute periodic security awareness training for all
 employees.
 Monitor and respond to suspicious or disruptive behaviour
 Anticipate and manage negative workplace issues
 Track and secure the physical environment
 Implement strict password and account management policies
 and practices.
 Enforce separation of duties and least privilege.
Best Practices
 Use extra caution with system administrators and
 privileged users.
 Consider insider threats in the software development
 life cycle
 Implement system change controls
 Log, monitor and audit employee online actions
 Use layered defense against remote attacks.
 Deactivate computer access following termination.
 Implement secure backup and recovery processes.
 Develop an insider incident response plan
Summary
Insider threat is a problem that impacts and requires
understanding by everyone
 ◦ Information Technology
 ◦ Information Security
 ◦ Human Resources
 ◦ Management
 ◦ Physical Security
 ◦ Legal

Use enterprise risk management for protection of critical
assets from ALL threats, including insiders

Incident response plans should include insider incidents

Create a culture of security – all employees have responsibility
for protection of organization’s information
A Closing Statistic
As of 20th July 2011, 534,978,831 records have been breached in the USA since 2005,
of which 32,106,583 records were breached by insiders alone
And A Closing Thought
    Have you been Wikileaked yet??
Thank you for your time today
Need to conduct an insider threat risk assessment in your organisation? Simply
email sameer.saxena@arconnet.com

More Related Content

PPTX
Physical security
PPSX
Security Awareness Training
PPT
Security Management Practices
PPT
Introduction To Information Security
PDF
Cyber Security
PPTX
Information security
PDF
Cyber Threat Intelligence
PPT
Module 10 Physical Security
Physical security
Security Awareness Training
Security Management Practices
Introduction To Information Security
Cyber Security
Information security
Cyber Threat Intelligence
Module 10 Physical Security

What's hot (20)

PPTX
Social Engineering,social engeineering techniques,social engineering protecti...
PPTX
Chapter 11: Information Security Incident Management
PPT
Physical Security
PDF
Insider Threats Webinar Final_Tyco
PDF
Digital forensic principles and procedure
PPTX
Awareness Training on Information Security
PDF
Introduction to Cybersecurity
PPTX
Cyber Security Awareness Session for Executives and Non-IT professionals
PPT
Physical Security Assessments
PPTX
Basic Security Training for End Users
PPTX
Broken Authentication and Authorization(1).pptx
PPTX
INFORMATION SECURITY SYSTEM
PPTX
Introduction to information security
PPTX
Digital forensics
PPTX
Social engineering presentation
PPTX
Phishing awareness
PPT
STRIDE And DREAD
PDF
Detecting-Preventing-Insider-Threat
PPTX
Security awareness
Social Engineering,social engeineering techniques,social engineering protecti...
Chapter 11: Information Security Incident Management
Physical Security
Insider Threats Webinar Final_Tyco
Digital forensic principles and procedure
Awareness Training on Information Security
Introduction to Cybersecurity
Cyber Security Awareness Session for Executives and Non-IT professionals
Physical Security Assessments
Basic Security Training for End Users
Broken Authentication and Authorization(1).pptx
INFORMATION SECURITY SYSTEM
Introduction to information security
Digital forensics
Social engineering presentation
Phishing awareness
STRIDE And DREAD
Detecting-Preventing-Insider-Threat
Security awareness
Ad

Viewers also liked (10)

PDF
The Accidental Insider Threat
PDF
Insider Threat Detection Recommendations
PDF
5 Signs you have an Insider Threat
PPTX
Multimedia Privacy
PPSX
Insider threats and countermeasures
PPTX
Insider threat kill chain
PPT
Malicious Insiders
PPTX
Insider threat event presentation
PPTX
Insider Threat Final Powerpoint Prezi
PPTX
Snowden slides
The Accidental Insider Threat
Insider Threat Detection Recommendations
5 Signs you have an Insider Threat
Multimedia Privacy
Insider threats and countermeasures
Insider threat kill chain
Malicious Insiders
Insider threat event presentation
Insider Threat Final Powerpoint Prezi
Snowden slides
Ad

Similar to Insider threat (20)

PPTX
Protecting Client Data 11.09.11
PPT
Internal Risk Management
DOCX
Document-3.docx
PPT
IST Presentation
PPT
The Inside Job: Detecting, Preventing and Investigating Data Theft
PDF
02 presentation-christianprobst
PPT
Social Engineering: "The Cyber-Con"
PPTX
Internal Control And Fraud 11-19-10
PPTX
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
PPTX
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
PPTX
Addressing insider threats and data leakage
PDF
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
PPTX
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
PPT
Social Engineering | #ARMSec2015
PDF
(ISC)² Certified in Cybersecurity (CC) self-paced course .pdf
PDF
(ISC)² Certified in Cybersecurity (CC) self-paced course .pdf
PDF
2014 ota databreach3
PDF
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
PDF
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
PPTX
I’ve Been Hacked  The Essential Steps to Take Next
Protecting Client Data 11.09.11
Internal Risk Management
Document-3.docx
IST Presentation
The Inside Job: Detecting, Preventing and Investigating Data Theft
02 presentation-christianprobst
Social Engineering: "The Cyber-Con"
Internal Control And Fraud 11-19-10
Insider Threat: Cases and Controls to Prevent Internal Fraud and Prevention
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Addressing insider threats and data leakage
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
Keeping an Eye On Risk - Current Concerns and Supervisory Oversight
Social Engineering | #ARMSec2015
(ISC)² Certified in Cybersecurity (CC) self-paced course .pdf
(ISC)² Certified in Cybersecurity (CC) self-paced course .pdf
2014 ota databreach3
QuestionConsider the Citibank incident in 2005 where more than 3.9.pdf
Predrag Zivic - Mike Lecky - Structured Incident Types To Streamline Incident...
I’ve Been Hacked  The Essential Steps to Take Next

Recently uploaded (20)

PPT
What is a Computer? Input Devices /output devices
PDF
A review of recent deep learning applications in wood surface defect identifi...
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
PPTX
The various Industrial Revolutions .pptx
DOCX
search engine optimization ppt fir known well about this
PDF
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
PDF
1 - Historical Antecedents, Social Consideration.pdf
PPTX
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
PDF
Five Habits of High-Impact Board Members
PDF
sbt 2.0: go big (Scala Days 2025 edition)
PDF
sustainability-14-14877-v2.pddhzftheheeeee
PDF
Credit Without Borders: AI and Financial Inclusion in Bangladesh
PDF
UiPath Agentic Automation session 1: RPA to Agents
PPT
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
Enhancing plagiarism detection using data pre-processing and machine learning...
PPTX
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
PPTX
Configure Apache Mutual Authentication
PPTX
Microsoft Excel 365/2024 Beginner's training
What is a Computer? Input Devices /output devices
A review of recent deep learning applications in wood surface defect identifi...
A contest of sentiment analysis: k-nearest neighbor versus neural network
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
The various Industrial Revolutions .pptx
search engine optimization ppt fir known well about this
How IoT Sensor Integration in 2025 is Transforming Industries Worldwide
1 - Historical Antecedents, Social Consideration.pdf
GROUP4NURSINGINFORMATICSREPORT-2 PRESENTATION
Five Habits of High-Impact Board Members
sbt 2.0: go big (Scala Days 2025 edition)
sustainability-14-14877-v2.pddhzftheheeeee
Credit Without Borders: AI and Financial Inclusion in Bangladesh
UiPath Agentic Automation session 1: RPA to Agents
Galois Field Theory of Risk: A Perspective, Protocol, and Mathematical Backgr...
Zenith AI: Advanced Artificial Intelligence
Enhancing plagiarism detection using data pre-processing and machine learning...
AI IN MARKETING- PRESENTED BY ANWAR KABIR 1st June 2025.pptx
Configure Apache Mutual Authentication
Microsoft Excel 365/2024 Beginner's training

Insider threat

  • 1. Insider I id Threat ISACA, Mumbai Chapter Sameer Saxena 23rd July 2011
  • 2. Agenda The Insider Insider Threat Landscape Probable causes Insider Impact and Challenges Mitigation strategies
  • 3. Insider Beliefs Haven’t we heard/said this before!!! “We Trust our Employees” “We have an open environment. We cannot clamp down.” down. “Insiders? Malware is ripping us to shreds” “Its “It an IMPOSSIBLE task!” t k!” “We use principle of least privilege, separation of duty, and pray. Lots.”
  • 4. SPOT THE INSIDER INSIDER…..
  • 6. Terry Child C T Case – S F San Francisco N t i Net Terry Child: Responsible for creating and managing the City of San Francisco's FiberWAN network On July 9, 2008, told over a hostile conference call with the HR Dept., his boss and a police officer, that he was being reassigned and not working officer anymore on FiberWAN Network and is to hand over the passwords Hands over bogus passwords and reluctant to give the right passwords His Justification: nobody in the room was qualified to have admin access to the network In Prison for 7 years and bond of US$ 5 million y $ Jury found him a nice guy, protective of his work, like many IT people, possibly a little paranoid. Didn’t have a good management to keep him in check. All ed free rein, ha e d mana ement t kee check Allowed rein which allowed engineering decisions over the years that made things worse and worse, and locked people out of possibly getting into this network
  • 7. Other Real Life Incidents Roger Duronio, former UBS PaineWebber computer systems administrator convicted for planting a malicious “logic bomb” that caused > USD 3 million in damage and repair costs to the UBS g p computer network He received bonus of USD 32,500 (against USD 50,000) in 2002. p Sentenced to 97 months in prison William Sullivan, former database administrator of Fidelity National I f N i l Information Services, sentenced to 57 months in prison i S i d h i i and ordered to pay USD 3.2 million in restitution for a crime he committed through his power to gain access to databases in the Certegy Check S C Ch k Services division of the f d f h firm. He had stolen H h d l consumer information of 8.4 million people and sold it for USD 600,0000 to marketing firms between 2002 and 2007.
  • 8. Other Real Life Incidents HSBC’s system administrator Herve Falcini who had unfettered root access. What did he do with those credentials? He stole thousands (about 80,000) of customer files (tax evaders) and then tried to sell them to banks and tax ( ) authorities. Subject line: "Tax evasion: client list available."
  • 9. Disgruntled Dave A fictitious character created out of the amalgamation fi titi h t t d t f th l ti of recently caught and reported insiders responsible for breaches ranging from the obscure to the profane Once a trusted insider with privileged access to critical IT infrastructure Change in circumstances g Now unhappy with the status quo to the point where he is intentionally doing harm such as stealing stealing, modifying or deleting data and/or planting malware
  • 10. Verizon’s 2010 Data Breach Investigations Report
  • 12. Who are Insiders Current or former employee contractor or employee, other business partner who: Has h d th i d H or had authorised access t an organisation’s to i ti ’ network, system, or data and ◦ intentionally exceeded or misused that access in a manner that negatively affected the C.I.A. of the organisation’s information, information systems g , y and/or daily business operations
• 13. Insider may be someone who…
Deliberately seeks employment with an organisation with intent to cause harm;
Causes harm once employed but had no intention of doing so when first employed; or
Is exploited by others to do harm once employed, and may be either a passive, unwitting or unwilling insider.
• 14. Let's break it down a bit further…
Authorized Users
◦ Employees: clerks, accountants, finance, salespeople, purchasing, etc.
Privileged Users
◦ DBAs, DB/app developers, application QA, contractors, consultants
Knowledgeable Users
◦ IT ops, network ops, security personnel, audit personnel
Outsiders or malicious users with insider access and/or vulnerability knowledge
◦ The sophisticated "white collar" criminal
An individual may belong to more than one group.
• 15. Reasons to cause harm
Motivated by one or a combination of reasons. A useful acronym for understanding the motivations underlying the behaviour is CRIME:
◦ Coercion: being forced or intimidated
◦ Revenge: for a real or perceived wrong
◦ Ideology: radicalisation or advancement of an ideological or religious objective
◦ Money: for illicit financial gain, and/or
◦ Exhilaration: for the thrill of doing something wrong
• 16. Factors that increase the risk of Insider Threat
No comprehensive written acceptable use policies
Ineffective management of privileged users
Inappropriate role and entitlement assignment
Poor information classification and policy enforcement
Weak user authentication
Poor overall identity governance
Inadequate auditing and analytics
  • 17. Can the INSIDERS Be STOPPED?
  • 18. Types of Insider Activity
• 19. Type 1 – IT Sabotage
Who are they?
◦ System administrators
◦ People with privileged access on systems, and the technical ability to use it
Why do they do it?
◦ To bring down systems, cause some kind of harm
How did they attack?
◦ Privileged access
◦ No authorized access at the time of the attack (e.g. after termination)
◦ Backdoor accounts, shared accounts, other employees' accounts, the insider's own account
◦ Remote access outside normal working hours
• 20. Dynamics of Insider IT Sabotage
Disgruntled due to unmet expectations
◦ A period of heightened expectations, followed by a precipitating event that triggers the precursors
Behavioral precursors were often observed but ignored by the organization
◦ Significant behavioral precursors often came before technical precursors
Technical precursors were observable, but were not detected by the organization
• 21. Red Flags
Unmet expectations
◦ Insufficient compensation
◦ Lack of career advancement
◦ Inflexible system policies
◦ Co-worker relations; supervisor demands
Behavioural precursors
◦ Drug use; absence/tardiness
◦ Aggressive or violent behaviour; mood swings
◦ Used the organization's computers for personal business
◦ Sexual harassment
◦ Poor hygiene
• 22. Types of Sabotage Crimes
Constructed or downloaded, tested, and planted a logic bomb
Deleted files, databases, or programs
Destroyed backups
Revealed derogatory, confidential, or pornographic information to customers, employees, or the public
Modified a system or its data to present pornography or embarrassing information
Denial of service by modifying authentication information, deleting data, or crashing systems
Modified system logs to frame a supervisor or an innocent person and to conceal own identity
Downloaded customer credit card data and posted it to a website
Cut cables
Sabotaged own project
Physically stole computers and/or backups
Planted a virus on customers' computers
Extortion over deleted data and backups
Defaced the organization's website
• 23. Type 2 – Fraud: Theft or Modification for Financial Gain
Who did it?
◦ Current and former employees
◦ "Low level" positions
◦ Non-technical
What was stolen/modified?
◦ Personally Identifiable Information (PII)
◦ Customer Information (CI)
◦ Very few cases involved trade secrets
How did they steal/modify it?
◦ During normal working hours
◦ Using authorized access
• 24. Dynamics of the Crime
Most attacks were long, ongoing schemes.
Collusion prevails in this type, with internal or external people.
• 25. Examples
A check fraud scheme resulted in innocent people receiving collection letters due to fraudulent checks written against their accounts.
Other cases involved insiders committing credit card fraud by abusing their access to confidential customer data.
One insider accepted payment to modify a database to overturn decisions denying asylum to illegal aliens, enabling them to remain in the U.S. illegally.
• 26. Red Flags
Family medical problems
Substance abuse
Physical threats from outsiders
Financial difficulties
Financial compensation issues
Hostile work environment
Problems with supervisor
Layoffs
• 27. Type 3 – Theft of IP
Who did it?
◦ Current employees
◦ Technical or sales positions
What was stolen?
◦ Intellectual Property (IP) such as source code, engineering drawings, scientific formulae, etc.
◦ Customer Information (CI)
Why did they do it?
◦ Financial
◦ Entitlement (some didn't realize it was wrong)
◦ Disgruntled
How did they attack?
◦ Using authorized access
◦ Acted during working hours from within the workplace
• 28. Dynamics of the Crime
Most were quick thefts upon resignation.
Stole information to
◦ Take to a new job
◦ Start a new business
◦ Give to a foreign company or government organization
Collusion
◦ Collusion with at least one insider in almost 1/2 of cases
◦ Outsider recruited the insider in less than 1/4 of cases
◦ Acted alone in 1/2 of cases
• 29. Red Flags
Disagreement over ownership of intellectual property
Financial compensation issues
Relocation issues
Hostile work environment
Mergers and acquisitions
Company attempting to obtain venture capital
Problems with supervisor
Passed over for promotion
Layoffs
• 30. Latest Case – Travelocity sues Cleartrip
Travelocity (= Travelguru + Desiya): victim
Cleartrip: accused
Location: Gurgaon
Data passed by 3 employees, which led to loss of business
These 3 people joined Cleartrip after the merger
Shared the "entire hotel business model, projections and other proprietary information"
Claimed: US$ 37.5 million (Rs. 168 crore)
• 31. DCD Example
We create documents in MS Word; protection of these documents falls under Digital Rights Management.
Let's assume that the place where all documents are stored is called the DCD, the Document Control Domain, within a network.
Users in the DCD need to collaborate and share the documents securely and with restrictions on the usage of the documents' content.
Each user belongs to a group with a specific function, usually dictated by the nature of the organization. For instance a software company might have the groups {CEO, Board Member, Administrator, Software Developer, Technical Writer, Secretary}.
During the course of his/her work, a user produces and consumes a variety of documents related to that work function. The DCD aims at protecting these documents from unwarranted usage and compromise.
• 32. DCD Example
The CEO might work on a merger document whose compromise to the outside world could prove catastrophic to the organization.
Existing solutions such as encryption are not enough, as they protect only from the classic hackers.
A malicious insider in the DCD starts off with several privileges. The CEO's secretary, for instance, could be leaking information to the outside world. It is quite possible for the secretary to forward the merger document she received for corrections to a rival company.
Hence if there are no constraints on the privileges in the form of access control, then a malicious insider is capable of inflicting serious damage to the documents.
• 33. So… what could be the insider threats in this scenario?
a) An insider can read, copy, and print any document he has access to unless fine-grained access control is in place.
b) An insider can become the owner of a document by copying it to a new file and thus set new access control on the copied document.
c) An insider can forward a document to another user either inside or outside the organization.
d) A user can work late or early hours when the intrusion/misuse detection systems are not running.
e) He can copy the contents of a document into another document that is opened simultaneously.
f) An insider can remember the contents of a document which he opened before, and then create a low priority document with the same contents.
g) An insider can take a dump of the document from memory and then print the document.
h) A malicious insider can tamper with the existing rights on the documents.
• 34. Policy design considerations to prevent such threats
Need to consider both the context and the information flow between requests.
Take an approach where multiple policies are specified on the same resource. The policies differ in the context in which they become applicable. For example, a policy might allow access to a document during normal office hours but not during after-office hours.
The current context is contained in the request for access (or is alternatively maintained on the policy server).
Policies should also contain the obligations, or provisional authorizations, that the subject must satisfy before access can be granted.
◦ The obligations are returned to the viewer at the client side as part of the response to the request, and the viewer is expected to enforce them. An obligation might specify that a high priority document can be opened if and only if no other documents are currently open. Another obligation might specify that the user can print a document if and only if he has performed a biometric authentication.
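The policy model on this slide, worked through as an added example that is not part of the original deck or of any DRM product: a small policy server that evaluates several policies on the same document, with the request's context deciding which ones apply, returns obligations to the viewer, and a viewer-side check that enforces them before the document is shown. The office hours, the "normal"/"high" priority levels, the group names and the rule that only the CEO or a Board Member may forward a high-priority document are assumptions for illustration.

```python
from dataclasses import dataclass, field

OFFICE_START, OFFICE_END = 9, 18   # assumed office hours, 24h clock


@dataclass(frozen=True)
class Request:
    """An access request together with the context the viewer sends along with it."""
    subject: str
    group: str             # e.g. "CEO", "Secretary" (group names assumed from slide 31)
    action: str            # "open", "print" or "forward"
    document: str
    priority: str          # "normal" or "high" (assumed classification levels)
    hour: int              # local hour at which the request is made
    open_documents: int    # documents already open in the requester's viewer
    biometric_verified: bool = False


@dataclass
class Decision:
    permit: bool
    obligations: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


# Policy rules. Each is paired below with a predicate saying in which context it applies,
# so several policies can target the same document and the context selects among them.
def office_hours(req):
    if OFFICE_START <= req.hour < OFFICE_END:
        return Decision(True)
    return Decision(False, reasons=["outside office hours"])


def exclusive_open(req):
    # Obligation from the slide: open a high-priority document only if nothing else is open.
    return Decision(True, obligations=["no_other_documents_open"])


def print_with_biometric(req):
    # Obligation from the slide: print only after a biometric authentication.
    return Decision(True, obligations=["biometric_authentication"])


def forward_high_priority(req):
    # Assumed rule: only the CEO or a Board Member may forward a high-priority document.
    if req.group in {"CEO", "Board Member"}:
        return Decision(True)
    return Decision(False, reasons=["group may not forward high-priority documents"])


POLICIES = [
    ("office-hours",    lambda r: True,                                          office_hours),
    ("exclusive-open",  lambda r: r.action == "open" and r.priority == "high",    exclusive_open),
    ("print-biometric", lambda r: r.action == "print",                           print_with_biometric),
    ("forward-high",    lambda r: r.action == "forward" and r.priority == "high", forward_high_priority),
]


def evaluate(req, policies=POLICIES):
    """Policy server side: deny-overrides across the applicable policies, obligations unioned."""
    result, applicable = Decision(True), 0
    for name, applies, rule in policies:
        if not applies(req):
            continue
        applicable += 1
        d = rule(req)
        if not d.permit:
            result.permit = False
            result.reasons += [f"{name}: {r}" for r in d.reasons]
        result.obligations += [o for o in d.obligations if o not in result.obligations]
    if applicable == 0:          # default deny: a request no policy covers is not granted
        return Decision(False, reasons=["no applicable policy"])
    if not result.permit:        # obligations are meaningless on a denial
        result.obligations = []
    return result


# Viewer (client) side: the obligations come back with the response and must hold before access.
OBLIGATION_CHECKS = {
    "no_other_documents_open": lambda r: r.open_documents == 0,
    "biometric_authentication": lambda r: r.biometric_verified,
}


def viewer_grants(req, policies=POLICIES):
    """True only if the server permits and every returned obligation is satisfied by the viewer."""
    d = evaluate(req, policies)
    return d.permit and all(OBLIGATION_CHECKS[o](req) for o in d.obligations)


if __name__ == "__main__":
    merger = dict(document="merger.docx", priority="high", group="Secretary", subject="secretary1")
    print(evaluate(Request(action="open", hour=10, open_documents=0, **merger)))
    print(viewer_grants(Request(action="open", hour=10, open_documents=1, **merger)))
    print(evaluate(Request(action="forward", hour=10, open_documents=0, **merger)))
```

The split between `evaluate` and `viewer_grants` is the point of the slide: the server can only decide on the context it is told about, so the viewer has to be trusted to honour the obligations it is handed back. That trust is exactly what threats (e) and (g) on slide 33 attack, which is why the obligations here are combined with default deny and with denial overriding any permit.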
• 35. Type 4 – Miscellaneous
Reading executive emails for entertainment
Providing organizational information to lawyers in a lawsuit against the organization (ideological)
Transmitting the organization's IP to hacker groups
Unauthorized access to information to locate a person, as accessory to murder
• 36. Detection of all types of insider threat
How was it detected?
◦ Manually, due to a system failure or irregularity
◦ Non-technical means
◦ Data irregularities, including suspicious activities in the form of bills, tickets, or negative indicators on individuals' credit histories
◦ Notification by customers, supervisors, coworkers, auditors, security staff, or informants
◦ Detection by law enforcement agencies
◦ Sudden emergence of a new competing organisation
• 37. Identification of all types of insider threat
How was the insider identified?
◦ System logs
◦ Remote access logs
◦ File access logs
◦ Database logs
◦ Application logs
◦ Email logs
◦ Competitor information
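Slide 19 lists how saboteurs got in (backdoor and shared accounts, other employees' accounts, remote access outside working hours) and this slide lists the logs that identified them. As an added example, not part of the original deck, the following script runs those checks over a few constructed remote-access, file-access and database log lines against an assumed HR roster and service-account register. The log format, account names, working hours and bulk-extract threshold are all assumptions; the point is that each pattern on slide 19 only becomes detectable when the logs are joined to a source of truth for who should still have access.

```python
from datetime import datetime, time

# Constructed sample log lines (not from any real system): "TIMESTAMP EVENT key=value ...".
SAMPLE_LOGS = [
    "2011-07-18T09:15:02 vpn_login user=asharma src=10.8.0.12",
    "2011-07-18T23:41:10 vpn_login user=svc_backup src=203.0.113.7",
    "2011-07-18T23:43:55 file_access user=svc_backup path=/srv/finance/merger_draft.docx",
    "2011-07-19T02:05:31 vpn_login user=rdesai src=198.51.100.23",
    "2011-07-19T02:07:14 db_query user=rdesai db=customers rows=8400000",
    "2011-07-19T10:30:00 file_access user=asharma path=/srv/hr/handbook.pdf",
    "2011-07-19T11:02:45 vpn_login user=tmp_admin2 src=10.8.0.40",
]

# Assumed HR roster (who should still have access) and register of known service accounts.
HR_ROSTER = {
    "asharma": {"status": "active"},
    "rdesai": {"status": "terminated", "terminated_on": "2011-07-09"},
}
SERVICE_ACCOUNTS = {"svc_backup": {"allowed_src": {"10.0.5.4"}}}

WORK_START, WORK_END = time(8, 0), time(19, 0)   # assumed working hours
BULK_ROWS = 100_000                              # assumed bulk-extract threshold


def parse_line(line):
    """Parse one 'TIMESTAMP EVENT k=v k=v ...' line into a dict."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for f in fields:
        key, _, value = f.partition("=")
        rec[key] = value
    return rec


def is_after_hours(ts):
    """Weekend, or a weekday outside WORK_START..WORK_END."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def detect(lines, roster=HR_ROSTER, service_accounts=SERVICE_ACCOUNTS):
    """Return (rule, user, timestamp) alerts for the access patterns from slides 19 and 37."""
    alerts = []
    for rec in map(parse_line, lines):
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        emp, svc = roster.get(user), service_accounts.get(user)
        if emp is None and svc is None:
            # Account known to neither HR nor the service register: possible backdoor account.
            alerts.append(("unknown_account", user, ts))
        if (emp and emp["status"] == "terminated"
                and ts.date() > datetime.fromisoformat(emp["terminated_on"]).date()):
            # Access should have been deactivated on termination (slide 49).
            alerts.append(("terminated_account_used", user, ts))
        if svc and event == "vpn_login":
            # Shared/service accounts should never log in interactively over remote access.
            alerts.append(("service_account_interactive_login", user, ts))
        if svc and "src" in rec and rec["src"] not in svc["allowed_src"]:
            alerts.append(("service_account_unexpected_source", user, ts))
        if event == "vpn_login" and is_after_hours(ts):
            alerts.append(("after_hours_remote_access", user, ts))
        if event == "db_query" and int(rec.get("rows", 0)) >= BULK_ROWS:
            alerts.append(("bulk_data_extract", user, ts))
    return alerts


def rules_by_user(lines, **kwargs):
    """Collapse the alert list into {user: set of rules fired}, handy for triage."""
    out = {}
    for rule, user, _ in detect(lines, **kwargs):
        out.setdefault(user, set()).add(rule)
    return out


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOGS):
        print(f"{ts.isoformat()}  {user:12s} {rule}")
```

On the constructed input the active employee triggers nothing, the terminated administrator fires on a post-termination login, an after-hours VPN session and a bulk customer-table read, the backup service account fires on an interactive login from an unexpected source, and the unregistered `tmp_admin2` surfaces as a candidate backdoor account. Several low-value rules firing on one account within minutes is the signal worth paging on; any one of them alone is usually noise.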
• 40. Probable Causes
Lack of articulate policies
Policies based on "book"
Lack of periodic user education, communication, awareness, etc.
Lack of reviews, audits and monitoring
Security in applications an afterthought
Poor development practices
OWASP Top 10 hasn't changed much since 2007
High staff turnover, low morale, etc.
Unauthorised software and hardware
Negligence of policies and their consequences
Business/delivery team ownership
Business bats for freedom, new technologies, etc.
IT/Security seen as adversaries
Business pressure: a perfect vehicle to get around policies
• 42. Impacts
Inability to conduct business due to the system/network being down
Loss of customer records
Inability to produce products due to damaged or destroyed software or systems
Loss of productivity, hence loss of business/revenue
Misuse of resources, leading to a slow-down in the availability of resources to others
Loss of sensitive, proprietary data and intellectual property
Reputational damage, negative media and public attention, etc.
Regulatory and contractual non-compliance
Financial loss through fraud, litigation, penalties and so on
Trade secrets stolen
• 43. Impacts
Organization and customer confidential information revealed
Sends wrong signals to other staff
Workplace conflicts, leading to indecision, inaction, etc.
Impacts on innocent victims
Insider committed suicide
Private information forwarded to customers, competitors, or employees
Exposure of personal information
Web site defacements
  • 46. Deloitte 2009 Global Security Survey – India Report
  • 47. Verizon’s 2010 Data Breach Investigations Report
• 48. Best Practices
Consider threats from insiders and business partners in enterprise-wide risk assessments.
Clearly document and consistently enforce policies and controls.
Institute periodic security awareness training for all employees.
Monitor and respond to suspicious or disruptive behaviour.
Anticipate and manage negative workplace issues.
Track and secure the physical environment.
Implement strict password and account management policies and practices.
Enforce separation of duties and least privilege.
• 49. Best Practices
Use extra caution with system administrators and privileged users.
Consider insider threats in the software development life cycle.
Implement system change controls.
Log, monitor and audit employee online actions.
Use layered defense against remote attacks.
Deactivate computer access following termination.
Implement secure backup and recovery processes.
Develop an insider incident response plan.
• 50. Summary
Insider threat is a problem that impacts, and requires understanding by, everyone:
◦ Information Technology
◦ Information Security
◦ Human Resources
◦ Management
◦ Physical Security
◦ Legal
Use enterprise risk management for protection of critical assets from ALL threats, including insiders.
Incident response plans should include insider incidents.
Create a culture of security: all employees have responsibility for protection of the organization's information.
• 51. A Closing Statistic
As of 20th July 2011, 534,978,831 records have been breached in the USA since 2005, of which 32,106,583 records were breached by insiders alone.
• 52. And A Closing Thought
Have you been Wikileaked yet??
• 53. Thank you for your time today
Need to conduct an insider threat risk assessment in your organisation? Simply email sameer.saxena@arconnet.com