Mitigation Controls on 13-Dec-16 1
An organization's users are its greatest assets and its most challenging adversaries. One of the vulnerabilities posed by insiders is their knowledge of the quality of their organization's defenses.
EMPLOYEES, CONTRACTORS, BUSINESS ASSOCIATES, FORMER EMPLOYEES, FORMER CONTRACTORS
FRAUD, THEFT OF CONFIDENTIAL OR COMMERCIALLY VALUABLE INFORMATION, INTELLECTUAL PROPERTY, SABOTAGE OF COMPUTER SYSTEMS
CHECK, RESTRAIN, HINDER
URGENTLY NEEDED, ABSOLUTELY NECESSARY
Source: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Profile of insider crimes in CERT's case database (Source: http://www.cert.org/insider-threat/)

Insider IT Sabotage
  Percentage of crimes in CERT's case database: 45%
  Current or former employee? Former
  Type of position: Technical (e.g. system administrators or database administrators)
  Gender: Male
  Target: Network, systems, or data
  Access used: Unauthorized access
  When: Outside normal working hours
  Where: Remote access
  Recruited by outsiders: None
  Collusion: None

Insider Theft or Modification of Information for Financial Gain
  Percentage of crimes in CERT's case database: 44%
  Current or former employee? Current
  Type of position: Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)
  Gender: Fairly equally split between male and female
  Target: Personally Identifiable Information or Customer Information
  Access used: Authorized access
  When: During normal working hours
  Where: At work
  Recruited by outsiders: Half recruited for theft; less than one third recruited for modification
  Collusion: ~1/2 colluded with another insider in modification cases; 2/3 colluded with outsiders in theft cases

Insider Theft of Information for Business Advantage
  Percentage of crimes in CERT's case database: 14%
  Current or former employee? Current
  Type of position: Technical (71%): scientists, programmers, engineers; Sales (29%)
  Gender: Male
  Target: Intellectual Property (trade secrets) 71%; Customer Information 33%
  Access used: Authorized access
  When: During normal working hours
  Where: At work
  Recruited by outsiders: Less than one fourth
  Collusion: ~1/2 colluded with at least one insider; half acted alone
UNAUTHORIZED DEVICES, UNAUTHORIZED SOFTWARE, INSECURE CONFIGURATION, VULNERABLE ASSETS, EXCESSIVE ADMINISTRATIVE PRIVILEGES
Source: https://www.cisecurity.org/critical-controls/
UNAUTHORIZED DEVICE, UNAUTHORIZED SOFTWARE
ADMINISTRATOR
INVENTORY AUTHORIZED AND UNAUTHORIZED DEVICES; INVENTORY AUTHORIZED AND UNAUTHORIZED SOFTWARE; SECURE CONFIGURATION; CONTINUOUS VULNERABILITY ASSESSMENT AND REMEDIATION; LIMIT AND CONTROL ADMIN PRIVILEGES
Source: https://www.cisecurity.org/critical-controls/
Offense informs defense; Prioritization; Metrics; Continuous diagnostics and mitigation; Automation
Policy: Standard naming convention for PCs, servers, network devices and everything that is authorized to connect to the network. In every incident or support request, the related device name should be recorded in the helpdesk ticket. Record all devices' MAC addresses; addition and removal of devices should be reported to the helpdesk so the record can be updated.

Process: Regularly scan all network segments and compare the scan result with the authorized devices' MAC address list. Map authorized MAC addresses to IP addresses. Detect any addition or removal of devices as a result of regular network scanning. Detect any change in the mapping between MAC addresses and IP addresses.

Technical Control: Use ZENMAP (www.kali.org) for network segment scanning. Use SNORT (www.securityonion.net) to detect any anomaly or malicious activity in critical segments.
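The process step above (scan, compare against the authorized MAC list, flag additions, removals and MAC-to-IP changes) as an added example, not code from the slides. The inventory and the scan lines are constructed sample data; reducing a Zenmap/nmap host list to "IP MAC" lines is assumed to happen beforehand.

```python
# Added example: compare a network-segment scan against the helpdesk's
# authorized-device list. Sample inventory and scan output are constructed.

# Authorized inventory as the helpdesk maintains it: MAC -> (device name, recorded IP).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("SRV-FILE-01", "10.0.1.10"),
    "aa:bb:cc:00:00:02": ("WS-FIN-007", "10.0.1.51"),
    "aa:bb:cc:00:00:03": ("PRN-HR-02", "10.0.1.200"),
}

# Constructed scan result in "IP MAC" form. The printer is absent, a
# workstation answers from a different IP, and an unknown MAC has appeared.
SCAN_OUTPUT = """\
10.0.1.10 aa:bb:cc:00:00:01
10.0.1.77 AA:BB:CC:00:00:02
10.0.1.99 de:ad:be:ef:00:01
"""


def parse_scan(text):
    """Return {mac: ip} from 'IP MAC' lines; MACs normalised to lowercase."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        ip, mac = parts
        seen[mac.lower()] = ip
    return seen


def diff_inventory(scan, authorized):
    """Flag devices that are new, missing, or whose MAC-to-IP mapping changed."""
    new = {mac: ip for mac, ip in scan.items() if mac not in authorized}
    missing = {mac: authorized[mac][0] for mac in authorized if mac not in scan}
    moved = {mac: (authorized[mac][1], ip)
             for mac, ip in scan.items()
             if mac in authorized and authorized[mac][1] != ip}
    return {"new": new, "missing": missing, "ip_changed": moved}


if __name__ == "__main__":
    report = diff_inventory(parse_scan(SCAN_OUTPUT), AUTHORIZED)
    for category, entries in report.items():
        print(category, entries)
```

Each flagged entry maps back to a helpdesk ticket: a new MAC needs an owner, a missing device needs a removal record, and a moved device needs the MAC-to-IP record updated.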
Policy: Installation of authorized software should be, and can only be, performed by authorized ICT personnel. Users should not have administrative privileges on a device provided by the company. A list of standard software for each type of machine should be available, regularly reviewed and updated.

Process: A standard image (baseline configuration) should be created for each type of device. The standard image should be regularly reviewed and updated. Software installed as part of the standard image should adhere to the software licensing policy; each piece of software should have a valid license.

Technical Control: Standard (baseline) image. Compare the installed software with the authorized software list for each type of machine (General, Engineering and Mobile).
Policy: A standard hardware and software configuration document should exist for all types of CI. The standard configuration should be reviewed periodically. Configuration changes should follow the proper change management process.

Process: Each new hardware and software default configuration should be altered to follow the secure standard configuration. Following completion of configuration, scanning for possible configuration weaknesses or vulnerabilities should take place immediately.

Technical Control: A technical writer and the SME for each CI should work closely together to put configuration standards in place. Use OpenVAS and ZENMAP (both available on Kali Linux) to detect vulnerabilities and unnecessary or insecure services running on the CI. Use Microsoft Baseline Security Analyzer to evaluate Windows endpoint configuration.
Policy: Vulnerability assessment and remediation of findings should be exercised regularly.

Process: Vulnerability assessment of critical CI should be performed on a regular basis, and any medium to critical vulnerabilities found should be rectified immediately.

Technical Control: Use OpenVAS to perform vulnerability assessment.
Policy: Administrative privileges should only be given to appropriately trained and fully accountable personnel. An inventory of accounts with elevated access rights, such as administrator or root accounts, should be taken regularly. The change control board should approve every new account that requires persistent administrative or root access. Personnel with administrative privileges should not use their administrative account for day-to-day activities and should have a separate account for that purpose.

Process: Administrator account creation should follow a strict process, and each account should have a definite period and expiry date.

Technical Control: Microsoft: use Microsoft Management Console and RunAs with an administrative-privilege account. Linux: log in using a regular account and run as root or sudo su as and when needed, only for the period of the activity that needs it.
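The regular inventory of elevated accounts required by the policy above, as an added example that is not from the slides: it lists Linux accounts with UID 0 or membership in an admin group and flags those without the expiry date the process calls for. The passwd, group and shadow contents are constructed sample data, and treating "wheel" and "sudo" as the admin groups is an assumption.

```python
# Added example: inventory privileged Linux accounts from constructed
# /etc/passwd, /etc/group and /etc/shadow content and flag missing expiry.
ADMIN_GROUPS = {"wheel", "sudo"}  # assumed admin groups for this host

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Admin:/home/alice:/bin/bash
bob:x:1002:1002:Bob User:/home/bob:/bin/bash
legacy:x:0:0::/home/legacy:/bin/sh
"""
# legacy is a second UID 0 account: exactly what the inventory must surface.
GROUP = """\
wheel:x:10:alice
sudo:x:27:
users:x:100:alice,bob
"""
# Field 8 of a shadow entry is the account expiry (days since 1970-01-01);
# empty means the account never expires.
SHADOW = """\
root:*:18000:0:99999:7:::
alice:$6$salt$hash:18500:0:99999:7::19000:
bob:$6$salt$hash:18500:0:99999:7:::
legacy:$6$salt$hash:18600:0:99999:7:::
"""


def parse_passwd(text):
    """Return {username: uid} from passwd-format lines."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: int(f[2]) for f in rows if len(f) >= 7}


def admin_group_members(text):
    """Return the set of users listed as members of any admin group."""
    members = set()
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] in ADMIN_GROUPS and f[3]:
            members.update(f[3].split(","))
    return members


def parse_expiry(text):
    """Return {username: expiry-field-string} from shadow-format lines."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: f[7] for f in rows if len(f) >= 8}


def privileged_accounts(passwd, group, shadow):
    """Inventory accounts with elevated rights and whether each has an expiry."""
    admins, expiry, report = admin_group_members(group), parse_expiry(shadow), {}
    for user, uid in parse_passwd(passwd).items():
        reasons = (["uid0"] if uid == 0 else []) + (["admin-group"] if user in admins else [])
        if reasons:
            report[user] = {"reasons": reasons, "has_expiry": bool(expiry.get(user))}
    return report
```

Any entry with "uid0" other than root, and any admin account with has_expiry False, should be reconciled against the change control board's approvals.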
Switched Port Analyzer (SPAN) Configuration
Source: https://securityonion.net/
Insider threats are an enterprise-wide risk. Enforced policies and procedures are vital in mitigating insider threat risk. Awareness training for all staff helps them adhere to prevalent policies. Log, monitor, and audit all online actions.
Source: http://resources.sei.cmu.edu/asset_files/technicalreport/2012_005_001_34033.pdf
MONITOR AND RESPOND TO SUSPICIOUS OR DISRUPTIVE BEHAVIOR, BEGINNING WITH THE HIRING PROCESS
ANTICIPATE AND MANAGE NEGATIVE WORKPLACE ISSUES
TRACK AND SECURE THE PHYSICAL ENVIRONMENT
IMPLEMENT STRICT PASSWORD AND ACCOUNT MANAGEMENT POLICIES AND PRACTICES
ENFORCE SEPARATION OF DUTIES AND LEAST PRIVILEGE
CONSIDER INSIDER THREATS IN THE SOFTWARE DEVELOPMENT LIFE CYCLE
USE EXTRA CAUTION WITH SYSTEM ADMINISTRATORS AND TECHNICAL OR PRIVILEGED USERS
IMPLEMENT SYSTEM CHANGE CONTROLS
USE LAYERED DEFENSE AGAINST REMOTE ATTACKS
DEACTIVATE COMPUTER ACCESS FOLLOWING TERMINATION
IMPLEMENT SECURE BACKUP AND RECOVERY PROCESSES
DEVELOP AN INSIDER INCIDENT RESPONSE PLAN
Source: http://resources.sei.cmu.edu/asset_files/technicalreport/2012_005_001_34033.pdf
Abu Hanifah mailto:abuhanifah@live.com https://id.linkedin.com/in/abuhanifah https://absissite.wordpress.com/