© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008


Page 1

© 2008 Carnegie Mellon University

Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad

Dawn Cappelli, October 31, 2008

Page 2

TRUE STORY:

Personal information stolen for millions of customers of phone companies, credit card companies and banks …

Companies contracted with a consumer data organization that hired a data mining organization whose system administrator stole the data

Page 3

TRUE STORY:

Emergency services are forced to rely on manual address lookups for 911 calls on Friday night ….

Employee sabotages the system and steals all backup tapes

Page 4

TRUE STORY:

Financial institution discovers $691 million in losses ...

Covered up for 5 years by trusted employee

Page 5

Agenda

Introduction

How bad is the insider threat?

Background on CERT’s insider threat research

Brief overview of findings from our research

Tools for preventing or detecting insider threats

Page 6

What is CERT?

Center of Internet security expertise

Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today

Located in the Software Engineering Institute (SEI)

• Federally Funded Research & Development Center (FFRDC)

• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

Page 7

CERT’s Definition of Malicious Insider

Current or former employee, contractor, or business partner who

o has or had authorized access to an organization’s network, system or data and

o intentionally exceeded or misused that access in a manner that

o negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Note: This presentation does not address national security espionage involving classified information.

Page 8

2007 e-Crime Watch Survey

CSO Magazine, USSS, Microsoft, & CERT

671 respondents

Percentage of Participants Who Experienced an Insider Incident (bar chart, by survey year):

• 2004: 41%

• 2005: 39%

• 2006: 55%

• 2007: 49%

Page 9

CERT’s Insider Threat Research

Insider Threat Cases Database

Hundreds of cases have been analyzed

• US cases from 1996 to 2007 in critical infrastructure sectors

• US Secret Service

• Carnegie Mellon CyLab

• Department of Defense

Data includes both technical & behavioral information

Page 10

Breakdown of Insider Threat Cases in CERT Database

[Bar chart: number of cases per category, y-axis 0 to 80. Categories: Theft or Modification for Financial Gain, Theft for Business Advantage, IT Sabotage, Misc. The bar values printed on the chart are 76, 24, 74 and 17.]

Page 11

Comparison of Insider Crimes - 1

% of crimes in case database:

• IT Sabotage: 45%

• Theft or Modification for Financial Gain: 44%

• Theft for Business Advantage: 14%

Current or former employee?

• IT Sabotage: Former

• Theft or Modification for Financial Gain: Current

• Theft for Business Advantage: Current (95% resigned)

Type of position:

• IT Sabotage: Technical (e.g. sys admins or DBAs)

• Theft or Modification for Financial Gain: Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service)

• Theft for Business Advantage: Technical (71%) - scientists, programmers, engineers; Sales (29%)

Gender:

• IT Sabotage: Male

• Theft or Modification for Financial Gain: Fairly equally split between male and female

• Theft for Business Advantage: Male

Page 12

Comparison of Insider Crimes - 2

Target:

• IT Sabotage: Network, systems, or data

• Theft or Modification for Financial Gain: PII or Customer Information

• Theft for Business Advantage: IP (trade secrets) – 71%; Customer Info – 33%

Access used:

• IT Sabotage: Unauthorized

• Theft or Modification for Financial Gain: Authorized

• Theft for Business Advantage: Authorized

When:

• IT Sabotage: Outside normal working hours

• Theft or Modification for Financial Gain: During normal working hours

• Theft for Business Advantage: During normal working hours

Where:

• IT Sabotage: Remote access

• Theft or Modification for Financial Gain: At work

• Theft for Business Advantage: At work

Recruited by outsiders:

• IT Sabotage: None

• Theft or Modification for Financial Gain: ½ recruited for theft; less than 1/3 recruited for modification

• Theft for Business Advantage: Less than 1/4

Collusion:

• IT Sabotage: None

• Theft or Modification for Financial Gain: Modification: almost ½ colluded with another insider; Theft: 2/3 colluded with outsiders

• Theft for Business Advantage: Almost ½ colluded with at least one insider; ½ acted alone; 25% stole for foreign gov/org

Page 13

What Can You Do?

Review CERT’s Common Sense Guide to Prevention and Detection of Insider Threats

http://www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf

Version 3 to be published in January 2009

Page 14

Tools for Preventing or Detecting Insider Threats

Page 15

Change Control

Help to prevent or detect:

• Planting or downloading of malicious code or unauthorized software

• Unauthorized modification of critical files

• Unauthorized changes to source code

• Unauthorized installation of hardware devices

Page 16

Data Leakage Tools

Help to prevent or detect accidental or intentional leakage of confidential information:

• Emails

• Documents

• Printing, copying, or downloading

• Removable media

Page 17

Network/Employee Monitoring Tools

Help to detect:

• Unauthorized access

• Suspicious activity around resignation

• Unauthorized escalation of privileges

• Anomalous user activity

Page 18

Identity Management Systems

Help to:

• Prevent creation of or detect usage of backdoor accounts

• Implement and maintain access control

• Disable all access upon termination
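As an added example, not part of the presentation: a small Python script that turns three of the findings above (former employees still active after termination, activity in the period around resignation, and off-hours remote access by technical staff) into checks over HR records and access-log lines. The users, roles, dates, log format and the 30-day window are all constructed for illustration.

```python
from datetime import date, datetime, timedelta

# Constructed HR records (assumed): user -> (role, termination/resignation date or None)
HR_STATUS = {
    "jdoe": ("sysadmin", date(2008, 10, 3)),    # terminated; last day Oct 3
    "asmith": ("data_entry", None),             # current employee, no notice given
    "rlee": ("engineer", date(2008, 10, 20)),   # resigned; last day Oct 20
}
TECHNICAL_ROLES = {"sysadmin", "dba", "engineer", "programmer"}
BUSINESS_HOURS = (8, 18)          # assumed local working hours, 08:00-18:00
RESIGNATION_WINDOW = timedelta(days=30)

# Constructed access-log lines (assumed format): timestamp user source action
ACCESS_LOG = """\
2008-10-05T02:14:00 jdoe vpn login
2008-10-05T02:20:00 jdoe vpn sudo
2008-10-14T10:02:00 asmith lan login
2008-10-15T23:40:00 rlee vpn copy_repo
2008-10-16T09:30:00 rlee lan login
"""

def parse_log(text):
    """Parse the assumed log format into (datetime, user, source, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, source, action = line.split()
        events.append((datetime.fromisoformat(ts), user, source, action))
    return events

def flag_events(events, hr=HR_STATUS):
    """Return (timestamp, user, reason) for every event that matches an indicator."""
    flags = []
    for ts, user, source, action in events:
        role, leave = hr.get(user, ("unknown", None))
        reasons = []
        if leave is not None:
            if ts.date() > leave:
                # Access should have been disabled on termination (slide 18)
                reasons.append("activity after termination date")
            elif leave - RESIGNATION_WINDOW <= ts.date() <= leave:
                # Theft for business advantage clusters around resignation (slides 12, 17)
                reasons.append("activity within 30 days of resignation")
        off_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if source == "vpn" and off_hours and role in TECHNICAL_ROLES:
            # IT sabotage profile: technical staff, remote, outside working hours (slide 12)
            reasons.append("off-hours remote access by technical staff")
        flags.extend((ts.isoformat(), user, reason) for reason in reasons)
    return flags
```

Run `flag_events(parse_log(ACCESS_LOG))` to list the flagged events; the current employee working normal hours on the LAN produces no flags, while the terminated administrator and the resigning engineer each trip several indicators.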

Page 19

Others

Encryption

Physical access control systems

Automated data integrity checks

Backup and recovery systems

Page 20

Contact Information

Insider Threat Team Lead:

Dawn M. Cappelli
Technical Manager, Threat and Incident Management
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-9136
[email protected] – Email

http://www.cert.org/insider_threat/