Insider Threats in Cyber Security

Transcription

1 Insider Threats in Cyber Security

2 Advances in Information Security Sushil Jajodia Consulting Editor Center for Secure Information Systems George Mason University Fairfax, VA The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance. ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment. Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series. For a complete list of titles published in this series, go to

3 Christian W. Probst Jeffrey Hunker Dieter Gollmann Matt Bishop Editors Insider Threats in Cyber Security 1 C

4 Editors Christian W. Probst Technical University of Denmark Informatics & Mathematical Modelling Richard Petersens Plads DK-2800 Kongens Lyngby Denmark Jeffrey Hunker 5109 Bayard St Pittsburgh, PA USA Dieter Gollmann Technische Universität Hamburg-Harburg Institut für Sicherheit in verteilten Anwendungen Harburger Schlossstrasse Hamburg-Harburg Germany Matt Bishop University of California, Davis Department of Computer Science Shields Ave. One Davis California USA ISSN ISBN e-isbn DOI / Springer New York Dordrecht Heidelberg London Library of Congress Control Number: Springer Science+Business Media, LLC 2010 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. Printed on acid-free paper Springer is part of Springer Science+Business Media (

5 Preface Insider threats are easy to counter. One only needs a concise model of human behaviour and its dependencies on outer and inner influences, a surveillance system in place that is able to observe in necessary detail action and influences, and an evaluation system, that can draw the necessary conclusions from its input. Neither of the components just described is easy to realise, or desirable to have in the first place. Modelling human behaviour is close to impossible, let alone modelling how it depends on outer and inner factors. A surveillance system is heavily dependent on legal boundaries of what is allowed to be monitored or not, and the amount of data even from legal monitoring can be overwhelming at best. An evaluation system would need to be able to take all the input and models into account, and this is yet another complex task. This book collects a series of chapters that try to map the territory between modelling, analysing, and evaluating insider threat scenarios. The chapters cover aspects from insider threats in electronic voting, over monitoring and access control systems, to legal aspects and the integration of the approaches described into Information Security Management systems. One important and recurring theme is the question of how much surveillance is admissible and acceptable in different settings. It is this question that in the end determines the success of techniques aiming to reduce insider threats, or threats in general. This is especially true when dealing with systems beyond the pure technical aspects, but towards psychological aspects. We are indebted to the participants of the Dagstuhl Seminar Countering Insider Threats (08302), during which the idea for this book was first discussed, and the staff at Schloss Dagstuhl. It has been a long road, but we believe that the result, which you are reading now, was worth it. Kongens Lyngby, Pittsburgh, Hamburg-Harburg, and Davis January 2010 Christian W. Probst Jeffrey Hunker Dieter Gollmann Matt Bishop v

6 Contents Aspects of Insider Threats... 1 Christian W. Probst, Jeffrey Hunker, Dieter Gollmann, and Matt Bishop 1 Introduction Insiders and Insider Threats Insider Threats Taxonomies Detection and Mitigation Policies Human Factors and Compliance Conclusion References Combatting Insider Threats Peter G. Neumann 1 A Contextual View of Insiders and Insider Threats Risks of Insider Misuse Types of Insiders Types of Insider Misuse Threats, Vulnerabilities, and Risks Relevant Knowledge and Experience Exploitations of Vulnerabilities Potential Risks Resulting from Exploitations Countermeasures Specification of Sound Policies for Data Gathering and Monitoring Detection, Analysis, and Identification of Misuse Desired Responses to Detected Anomalies and Misuses Decomposition of Insider Misuse Problems Stages of Development and Use Extended Profiling Including Psychological and Other Factors vii

7 viii Contents 6 Requirements for Insider-Threat-Resistant High-Integrity Elections 33 7 Relevance of the Countermeasures to Elections Research and Development Needs Conclusions References Insider Threat and Information Security Management Lizzie Coles-Kemp and Marianthi Theoharidou 1 Introduction Definitions of Insider and the Relevance to Information Security Management Risk and Insiderness The Importance of Organisational Culture and the Significance of Cultural Risks Fieldwork on Culture and the Insider Threat The Structure of the ISMS and Traditional Information Security Management Responses to Insiderness Analysis - Turning an ISMS Inwards The Role of Operationalisation Information Security Management Standards, Best Practice and the Insider Threat General Security Management Standards Guidelines Focused on the Management of the Insider Threat Analysis of the Contribution of Best Practice and Guidelines Crime theories and insider threat Existing Connections between Crime Theories and Information Security Management Implications of Crime Theories for ISMS Design Application of SCP to the ISO Control Domains Implications for ISMS Process Design Summary of Crime Theory Contribution Conclusions References A State of the Art Survey of Fraud Detection Technology Ulrich Flegel, Julien Vayssière, and Gunter Bitz 1 Introduction Data Analysis Methodology Survey of Technology for Fraud Detection in Practice General Approaches for Intrusion and Fraud Detection State of the Art of Fraud Detection Tools and Techniques 78 3 Why Fraud Detection is not the Same as Intrusion Detection Challenges for Fraud Detection in Information Systems Summary

8 Contents ix References Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modeling for Insider Threat Mitigation Frank L. Greitzer and Deborah A. Frincke 1 Introduction Background Issues of Security and Privacy Predictive Modeling Approach Training Needs Conclusions and Research Challenges Acknowledgments References A Risk Management Approach to the Insider Threat Matt Bishop, Sophie Engle, Deborah A. Frincke, Carrie Gates, Frank L. Greitzer, Sean Peisert, and Sean Whalen 1 Introduction Insider Threat Assessment Example Summary Access-Based Assessment Psychological Indicator-Based Assessment Application of Risk to System Countermeasures Example Summary Conclusion References Legally Sustainable Solutions for Privacy Issues in Collaborative Fraud Detection Ulrich Flegel, Florian Kerschbaum, Philip Miseldine, Ganna Monakova, Richard Wacker, and Frank Leymann 1 Introduction Monitoring Modern Distributed Systems Evidence Model Observing Fraudulent Service Behaviours Architectural Support Introduction to the Legal Perspective Basic Principles of Data Privacy Law A Set of Six Basic Rules General Legal Requirements of Fraud Detection Systems Privacy Relevance of Fraud Detection Systems Necessary Data for Fraud Detection Transparency in the Fraud Detection Context Purpose Specification and Binding in Fraud Detection

9 x Contents 6.5 Permissibility of Fraud Detection Quality of Event Data Security of Event Data Technical Solutions for Privacy-respecting Fraud Detection Technical Requirements Lossless Information Reduction with Covered Data Lossy Information Reductions for Timestamps Legal Improvements by Pseudonymizing Event Data Technical Description Privacy Relevance of Pseudonymized Event Data Strengthening the Data Privacy Official Disclosure With Legal Permission Data and System Security Conclusion References Towards an Access-Control Framework for Countering Insider Threats. 173 Jason Crampton and Michael Huth 1 Introduction Motivation and related work Illustrative scenarios Definitions of insiders Access control The insider problem and access control Trust, trustworthiness, and the insider problem Insiderness Trust management and risk assessment Pragmatics of identifying suspicious events Toward a context- and insider-aware policy language Context and request predicates Requirements Policy transformations via declarative programming Discussion of requirements Policy transformations Risk- and trustworthiness-aware policy composition Access-control architectures and the insider problem Concluding remarks References Monitoring Technologies for Mitigating Insider Threats Brian M. Bowen, Malek Ben Salem, Angelos D. Keromytis, and Salvatore J. Stolfo 1 Introduction Related Research Threat Model - Level of Sophistication of the Attacker Decoy Properties...202

10 Contents xi 5 Architecture Decoy Document Distributor SONAR Decoys and Network Monitoring Host-based Sensors Concluding Remarks and Future Work References Insider Threat Specification as a Threat Mitigation Technique George Magklaras and Steven Furnell 1 Introduction The Insider Threat Problem Background The Common Intrusion Specification Language Panoptis Insider Misuse Taxonomies and Threat Models The Scope of the Insider Threat Prediction Specification Language The Domain Specific Language Programming Paradigm Conclusion References