Preventing Insider Sabotage: Lessons Learned From Actual Attacks

Similar documents
2013 US State of Cybercrime Survey

Components and Considerations in Building an Insider Threat Program

The Insider Threat Center: Thwarting the Evil Insider

Empirically Based Analysis: The DDoS Case

Insider Threats: Actual Attacks by Current and Former Software Engineers

Cyber Threat Prioritization

Service Level Agreements: An Approach to Software Lifecycle Management. CDR Leonard Gaines Naval Supply Systems Command 29 January 2003

4. Lessons Learned in Introducing MBSE: 2009 to 2012

Multi-Modal Communication

ARINC653 AADL Annex Update

Kathleen Fisher Program Manager, Information Innovation Office

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Current Threat Environment

The CERT Top 10 List for Winning the Battle Against Insider Threats

DoD Common Access Card Information Brief. Smart Card Project Managers Group

Information, Decision, & Complex Networks AFOSR/RTC Overview

A Review of the 2007 Air Force Inaugural Sustainability Report

Using Templates to Support Crisis Action Mission Planning

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

Technological Advances In Emergency Management

Directed Energy Using High-Power Microwave Technology

Defense Hotline Allegations Concerning Contractor-Invoiced Travel for U.S. Army Corps of Engineers' Contracts W912DY-10-D-0014 and W912DY-10-D-0024

FUDSChem. Brian Jordan With the assistance of Deb Walker. Formerly Used Defense Site Chemistry Database. USACE-Albuquerque District.

Corrosion Prevention and Control Database. Bob Barbin 07 February 2011 ASETSDefense 2011

C2-Simulation Interoperability in NATO

Architecting for Resiliency Army s Common Operating Environment (COE) SERC

Data to Decisions Terminate, Tolerate, Transfer, or Treat

U.S. Army Research, Development and Engineering Command (IDAS) Briefer: Jason Morse ARMED Team Leader Ground System Survivability, TARDEC

75th Air Base Wing. Effective Data Stewarding Measures in Support of EESOH-MIS

Center for Infrastructure Assurance and Security (CIAS) Joe Sanchez AIA Liaison to CIAS

COMPUTATIONAL FLUID DYNAMICS (CFD) ANALYSIS AND DEVELOPMENT OF HALON- REPLACEMENT FIRE EXTINGUISHING SYSTEMS (PHASE II)

CENTER FOR ADVANCED ENERGY SYSTEM Rutgers University. Field Management for Industrial Assessment Centers Appointed By USDOE

Secure FAST: Security Enhancement in the NATO Time Sensitive Targeting Tool

Energy Security: A Global Challenge

Vision Protection Army Technology Objective (ATO) Overview for GVSET VIP Day. Sensors from Laser Weapons Date: 17 Jul 09 UNCLASSIFIED

Running CyberCIEGE on Linux without Windows

Space and Missile Systems Center

High-Assurance Security/Safety on HPEC Systems: an Oxymoron?

Introducing I 3 CON. The Information Interpretation and Integration Conference

Architectural Implications of Cloud Computing

Towards a Formal Pedigree Ontology for Level-One Sensor Fusion

Using Model-Theoretic Invariants for Semantic Integration. Michael Gruninger NIST / Institute for Systems Research University of Maryland

Topology Control from Bottom to Top

Concept of Operations Discussion Summary

Mitigation Controls on. 13-Dec-16 1

By Derrick H. Karimi Member of the Technical Staff Emerging Technology Center. Open Architectures in the Defense Intelligence Community

Using the SORASCS Prototype Web Portal

The C2 Workstation and Data Replication over Disadvantaged Tactical Communication Links

Data Warehousing. HCAT Program Review Park City, UT July Keith Legg,

2011 NNI Environment, Health, and Safety Research Strategy

Use of the Polarized Radiance Distribution Camera System in the RADYO Program

ENVIRONMENTAL MANAGEMENT SYSTEM WEB SITE (EMSWeb)

Dana Sinno MIT Lincoln Laboratory 244 Wood Street Lexington, MA phone:

Defining Computer Security Incident Response Teams

A Distributed Parallel Processing System for Command and Control Imagery

ASSESSMENT OF A BAYESIAN MODEL AND TEST VALIDATION METHOD

Fall 2014 SEI Research Review Verifying Evolving Software

Wireless Connectivity of Swarms in Presence of Obstacles

COTS Multicore Processors in Avionics Systems: Challenges and Solutions

Dr. Stuart Dickinson Dr. Donald H. Steinbrecher Naval Undersea Warfare Center, Newport, RI May 10, 2011

Ross Lazarus MB,BS MPH

The State of Standardization Efforts to support Data Exchange in the Security Domain

Web Site update. 21st HCAT Program Review Toronto, September 26, Keith Legg

MODELING AND SIMULATION OF LIQUID MOLDING PROCESSES. Pavel Simacek Center for Composite Materials University of Delaware

QuanTM Architecture for Web Services

SURVIVABILITY ENHANCED RUN-FLAT

Lessons Learned in Adapting a Software System to a Micro Computer

ATCCIS Replication Mechanism (ARM)

A Multilevel Secure MapReduce Framework for Cross-Domain Information Sharing in the Cloud

Space and Missile Systems Center

Safety- and Security-Related Requirements for

Headquarters U.S. Air Force. EMS Play-by-Play: Using Air Force Playbooks to Standardize EMS

Shallow Ocean Bottom BRDF Prediction, Modeling, and Inversion via Simulation with Surface/Volume Data Derived from X-Ray Tomography

CERT Overview. Jeffrey J. Carpenter 2008 Carnegie Mellon University

Guide to Windows 2000 Kerberos Settings

A Comedy of Errors: Assessing and Managing the Human Element of Cyber Risk

AFRL-ML-WP-TM

Setting the Standard for Real-Time Digital Signal Processing Pentek Seminar Series. Digital IF Standardization

ASPECTS OF USE OF CFD FOR UAV CONFIGURATION DESIGN

Washington University

Exploring the Query Expansion Methods for Concept Based Representation

Coalition Interoperability Ontology:

Approaches to Improving Transmon Qubits

MATREX Run Time Interface (RTI) DoD M&S Conference 10 March 2008

Office of Global Maritime Situational Awareness

Nationwide Automatic Identification System (NAIS) Overview. CG 939 Mr. E. G. Lockhart TEXAS II Conference 3 Sep 2008

Cloud Computing. Grace A. Lewis Research, Technology and Systems Solutions (RTSS) Program System of Systems Practice (SoSP) Initiative

Accuracy of Computed Water Surface Profiles

UMass at TREC 2006: Enterprise Track

DEVELOPMENT OF A NOVEL MICROWAVE RADAR SYSTEM USING ANGULAR CORRELATION FOR THE DETECTION OF BURIED OBJECTS IN SANDY SOILS

Advanced Numerical Methods for Numerical Weather Prediction

73rd MORSS CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation

Evaluating Intrusion Detection Systems without Attacking your Friends: The 1998 DARPA Intrusion Detection Evaluation

Information Assurance Technology Analysis Center (IATAC)

73rd MORSS CD Cover Page UNCLASSIFIED DISCLOSURE FORM CD Presentation

BUPT at TREC 2009: Entity Track

Analyzing and Specifying Reusable Security Requirements

M&S Strategic Initiatives to Support Test & Evaluation

SEI Webinar Series. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA January 27, Carnegie Mellon University

SCICEX Data Stewardship: FY2012 Report

Transcription:

Preventing Insider Sabotage: Lessons Learned From Actual Attacks Dawn Cappelli November 14, 2005 2005 Carnegie Mellon University

Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 14 NOV 2005 2. REPORT TYPE 3. DATES COVERED 00-00-2005 to 00-00-2005 4. TITLE AND SUBTITLE Preventing Insider Sabotage: Lessons Learned From Actual Attacks 5a. CONTRACT NUMBER 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Carnegie Mellon University,Software Engineering Institute,Pittsburgh,PA,15213 8. PERFORMING ORGANIZATION REPORT NUMBER 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR S ACRONYM(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 11. SPONSOR/MONITOR S REPORT NUMBER(S) 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT a. REPORT unclassified b. ABSTRACT unclassified c. THIS PAGE unclassified Same as Report (SAR) 18. NUMBER OF PAGES 39 19a. NAME OF RESPONSIBLE PERSON Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18

Agenda What is CERT? Are Insiders a Threat? CERT/U.S. Secret Service (USSS) Insider Threat Study Best practices Supporting Findings Case Examples What s Next Questions/Discussion 2005 Carnegie Mellon University 2

What is CERT? Center of Internet security expertise Established in 1988 by the Department of Defense (DARPA) in 1988 on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today Located in the Software Engineering Institute (SEI) Federally Funded Research & Development Center (FFRDC) Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania) 2005 Carnegie Mellon University 3

- Security Information Flow The CERT /CC gains a broad view of Internet security threats with data from many sources. CERT/CC analysts synthesize the data and publish timely, accurate information fast. Researchers develop long-term strategies to improve system security and survivability. DoD Private Sector Organizations Federal and Civilian Agencies law Enforcement CERT/CC Partners International CSIRTs Risk Assessments...... Surveys CERT Coordination \ and Analysis Centers ~ ~... Vulnerability Reports Serurity lncioont.----~ Reports,_...;..--..L...---. State-of-t he Procfire Da1o Threat Assessments Semfty Event Dall1 Artifacts (or malicious code) Security Practices Risk Management Strategies Threat Reports Models and Assessment Methods Vulnerability Reports Survivable Systems Engineering Practices Analysis Reports 2005 Carnegie Mellon University 4

Are Insiders a Threat? 2005 Carnegie Mellon University 5

e-crime Watch CSO, USSS & CERT/CC 819 respondents Average number of e-crimes in 2004: 86 35% increase in e crimes in 2004 68% at least one e-crime or intrusion 39% of the organizations experienced one or more insider attacks or intrusions 20% of all attacks by insiders (versus outsiders) 2005 Carnegie Mellon University 6

We'are all too paranoid, no point looking behind your back, we are already here. Posted by: Anonymous 2005 Carnegie Mellon University 3

idiocy to say the least having been a statistic myself i see that fear and stupidy prevail nothing is secure trust no-one ever Posted by: C0rpR4t3_H4C < 2005 Carnegie Mellon University 4

USSS/CERT Insider Threat Study Definition of insider Purpose of the study Study method Reports 2005 Carnegie Mellon University 5

Study Definition of Insider Current or former employees or contractors who intentionally exceeded or misused an authorized level of access to networks, systems or data in a manner that targeted a specific individual or affected the security of the organization s data, systems and/or daily business operations 2005 Carnegie Mellon University 6

Study Purpose Identify information that was known or potentially detectable prior to the incident. Analyze physical, social and online behaviors of insiders. Develop information to help private industry, government and law enforcement better understand, detect and prevent harmful insider activity. 2005 Carnegie Mellon University 7

Study Method Incidents perpetrated by insiders in critical infrastructure sectors. Initial incidents occurred between 1996 and 2002. Reported publicly or investigated by the Secret Service. Reviewed primary source material (investigative reports, court documents) and conducted supplemental interviews. 2005 Carnegie Mellon University 8

USSS/CERT Insider Threat Study Definition of insider Purpose of the study Study method Reports Cases 2005 Carnegie Mellon University 9 50 45 40 35 30 25 20 15 10 5 0 Banking & Finance Cross Sector Sabotage Fraud Information Theft

Insider Sabotage Who were they? Why did they do it? What were the consequences? Best practices Supporting Findings Case Examples 2005 Carnegie Mellon University 10

Who Were the Insiders? Male 17-60 years old About half married Variety of racial & ethnic backgrounds Not disgruntled 43% Disgruntled 57% 2005 Carnegie Mellon University 11

Primary Motive Percentage 100 90 80 70 60 50 40 30 20 10 0 84% 92% Sabotage Cases Financial Revenge Response to negative event 2005 Carnegie Mellon University 12

Consequences to Targeted Organizations Financial Loss Harm to Individuals No financial loss 19% Experienced financial loss 81% 2005 Carnegie Mellon University 13

Consequences to Targeted Organizations Financial Loss Harm to Individuals Harmed an individual 35% 65% No individual harm 2005 Carnegie Mellon University 14

Best Practices 2005 Carnegie Mellon University 15

Background checks Conduct background checks & consider results carefully. Previous arrest(s) 30% 70% No previous arrest(s) 2005 Carnegie Mellon University 16

Security Awareness Training Institute periodic employee security awareness training for all employees. Percentage 100 90 80 70 60 50 40 30 20 10 0 62% 31% Sabotage Cases Planned in advance Others knew 2005 Carnegie Mellon University 17

Separation of Duties Enforce separation of duties and least privilege. Only detected by security staff 29% 71% Detected by non-security personnel 2005 Carnegie Mellon University 18

Password & Account Management Implement strict password and account management policies and practices. Had authorized access 43% 57% Did not have authorized access 2005 Carnegie Mellon University 19

Monitoring Log, monitor, and audit employee online actions. No system failure or irregularity 6% 94% Detected due to system failure or irregularity 2005 Carnegie Mellon University 20

System Administrators Use additional controls for system administrators and privileged users. Non-technical position 14% 86% Technical position 2005 Carnegie Mellon University 21

Malicious Code Actively defend against malicious code. Technically sophisticated 61% 39% Not technically sophisticated 2005 Carnegie Mellon University 22

Remote Access Use layered defense against remote attacks. Remote access not used 36% 64% Used remote access 2005 Carnegie Mellon University 23

Suspicious Behavior Monitor and respond to suspicious or disruptive behavior. No concerning behavior 20% 80% Concerning behavior 2005 Carnegie Mellon University 24

Access Following Termination Deactivate access following termination. Current employees 41% 59% Former employees 2005 Carnegie Mellon University 25

Investigation Collect and save data for use in investigations. System logs not used for investigation 30% 70% System logs used for investigation 2005 Carnegie Mellon University 26

Back Up & Recovery Implement secure backup and recovery processes. No impact on business operations 25% 75% Impacted business operations 2005 Carnegie Mellon University 27

Formal Documentation Clearly document insider threat controls. Most ITs I know, even the entry-level guys, install root kits as a first order of business when they join a company. They do it as a reflex, not because they have malicious intent or plan to hack the company, but to give themselves convenient access so they can work from home or school. Posted by: Ben 2005 Carnegie Mellon University 28

Summary of Best Practices Conduct background checks & consider results carefully. Institute periodic employee security awareness training for all employees. Enforce separation of duties and least privilege. Implement strict password and account management policies and practices. Log, monitor, and audit employee online actions. Use additional controls for system administrators and privileged users. Actively defend against malicious code. Use layered defense against remote attacks. Monitor and respond to suspicious or disruptive behavior. Deactivate access following termination. Collect and save data for use in investigations. Implement secure backup and recovery processes. Clearly document insider threat controls. 2005 Carnegie Mellon University 29

What s Next In progress: Additional sector reports IT sector Government sector Training U.S. Secret Service Electronic Crimes Task Force meetings System Dynamics Modeling Planned: Insider Threat Phase 2 2005 Carnegie Mellon University 30

System Dynamics Modeling Model interaction over time between organizational culture organization s mission policies & procedures technology behavioral psychology 2005 Carnegie Mellon University 31

MERIT Management Education on Risk of Insider Threat Management Simulator for insider threat problem Decision support system for management Evaluate relative insider threat risk 2005 Carnegie Mellon University 32

Insider Threat Phase 2 Collaborate with government and industry partners 2005 Carnegie Mellon University 33

I worked at a medium-sized software company, and had root access to their main servers. Purely as an intellectual exercise, I thought about how I could most malliciously use that access. This is what I came up with: Step 1: Hack the backup system: all backups are secretly encrypted as they are made, and decrypted when read back (so that checks of the backups shows nothing.) Step 2: Wait a year or more. Step 3: Wipe all the disks on the servers - including the hacked backup encryption/decryption software. Step 4: Send extortion demand for the encryption key to the backups. Unless they pay, they've lost years of work. Of course, I didn't actually try it, so I don't know if it would work... Posted by: Filias Cupio 2005 Carnegie Mellon University 34

Questions/Discussion 2005 Carnegie Mellon University 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback