TRANSCRIPT
© 2008 Carnegie Mellon University
Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad
Dawn Cappelli, October 31, 2008
2
TRUE STORY:
Personal information stolen for millions of customers of
phone companies, credit card companies and banks …
Companies contracted with a consumer data organization
that hired a data mining organization
whose system administrator stole the data
3
TRUE STORY:
Emergency services are forced to rely on manual address lookups for
911 calls on Friday night ….
Employee sabotages the system and steals all backup tapes
4
TRUE STORY:
Financial institution discovers $691 million in losses ...
Covered up for 5 years by trusted employee
5
Agenda
Introduction
How bad is the insider threat?
Background on CERT’s insider threat research
Brief overview of findings from our research
Tools for preventing or detecting insider threats
6
What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today
Located in the Software Engineering Institute (SEI)
• Federally Funded Research & Development Center (FFRDC)
• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
7
CERT’s Definition of Malicious Insider
Current or former employee, contractor, or business partner who
o has or had authorized access to an organization’s network, system or data and
o intentionally exceeded or misused that access in a manner that
o negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
Note: This presentation does not address national security espionage involving classified information.
8
2007 e-Crime Watch Survey
CSO Magazine, USSS, Microsoft, & CERT
671 respondents
Percentage of Participants Who Experienced an Insider Incident (bar chart, values as labelled on the slide):
2004: 41% | 2005: 39% | 2006: 55% | 2007: 49%
9
CERT’s Insider Threat Research
Insider Threat Cases
Database
Hundreds of cases have been analyzed
• US cases from 1996 to 2007 in critical infrastructure sectors
• US Secret Service
• Carnegie Mellon CyLab
• Department of Defense
Data includes both technical & behavioral information
10
Breakdown of Insider Threat Cases in CERT Database
[Bar chart; categories: Theft or Modification for Financial Gain, Theft for Business Advantage, IT Sabotage, Misc. Bar values as extracted: 76, 24, 74, 17 (the extracted text does not preserve which value belongs to which bar).]
11
Comparison of Insider Crimes - 1
(columns: IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage)
% of crimes in case database: 45% | 44% | 14%
Current or former employee?: Former | Current | Current (95% resigned)
Type of position: Technical (e.g. sys admins or DBAs) | Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service) | Technical (71%) - scientists, programmers, engineers; Sales (29%)
Gender: Male | Fairly equally split between male and female | Male
[1]
12
Comparison of Insider Crimes - 2
(columns: IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage)
Target: Network, systems, or data | PII or Customer Information | IP (trade secrets) – 71%; Customer Info – 33%
Access used: Unauthorized | Authorized | Authorized
When: Outside normal working hours | During normal working hours | During normal working hours
Where: Remote access | At work | At work
Recruited by outsiders: None | ½ recruited for theft; less than 1/3 recruited for modification | Less than 1/4
Collusion: None | Modification: almost ½ colluded with another insider; Theft: 2/3 colluded with outsiders | Almost ½ colluded with at least one insider; ½ acted alone; 25% stole for foreign gov/org
[1]
13
What Can You Do?
Review CERT’s Common Sense Guide to Prevention and Detection of Insider Threats
http://www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf
Version 3 to be published in January 2009
14
Tools for Preventing or Detecting Insider Threats
15
Change Control
Help to prevent or detect
• Planting or downloading of malicious code or unauthorized software
• Unauthorized modification of critical files
• Unauthorized changes to source code
• Unauthorized installation of hardware devices
16
Data Leakage Tools
Help to prevent or detect accidental or intentional leakage of confidential information
• Emails
• Documents
• Printing, copying, or downloading
• Removable media
17
Network/Employee Monitoring Tools
Help to detect
• Unauthorized access
• Suspicious activity around resignation
• Unauthorized escalation of privileges
• Anomalous user activity
18
Identity Management Systems
Help to
• Prevent creation of, or detect usage of, backdoor accounts
• Implement and maintain access control
• Disable all access upon termination
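The comparison tables and the monitoring and identity-management slides describe the same three conditions a defender can check mechanically: accounts that exist on a system but have no owner in HR (possible backdoor accounts), successful logins by people HR has already terminated (access not disabled), and remote logins outside working hours (the pattern the IT sabotage column describes). The following script is an added example written for this page; it is not CERT's code and does not come from the presentation. The HR roster, account list, VPN log format, IP addresses (RFC 5737 documentation ranges) and the 07:00-19:00 working day are all constructed assumptions.

```python
import re
from datetime import date, datetime, time

# Constructed sample data for this example (not from the presentation).
# HR roster: who currently works here, and when leavers were terminated.
ROSTER = {
    "jdoe": {"status": "terminated", "term_date": "2008-10-15"},
    "asmith": {"status": "active", "term_date": None},
    "bchen": {"status": "active", "term_date": None},
}
# Accounts that actually exist on the VPN / identity system.
SYSTEM_ACCOUNTS = ["jdoe", "asmith", "bchen", "svc_backup", "tmp_admin"]
# Service accounts with a documented owner; any other account without an HR record is suspect.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}
# Constructed VPN authentication log lines (assumed format; addresses from RFC 5737 ranges).
LOG_LINES = [
    "2008-10-30T10:02:11 vpn login user=asmith src=203.0.113.5 result=success",
    "2008-10-31T02:13:07 vpn login user=jdoe src=198.51.100.7 result=success",
    "2008-10-31T09:15:00 vpn login user=bchen src=203.0.113.9 result=failure",
    "2008-10-31T22:40:50 vpn login user=bchen src=203.0.113.9 result=success",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) vpn login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed business hours


def parse_log_line(line):
    """Return a dict with a datetime 'ts' plus user/src/result, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_off_hours(ts):
    """Weekend, or outside the assumed 07:00-19:00 working day."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def review_access(log_lines, roster, system_accounts, service_allowlist):
    """Apply three defender-side checks drawn from the slides' findings.

    Returns a list of (rule, account, detail) tuples for an analyst to review.
    """
    findings = []
    # 1. Accounts with no HR owner and no documented service role: possible backdoor accounts.
    for acct in system_accounts:
        if acct not in roster and acct not in service_allowlist:
            findings.append(("UNOWNED_ACCOUNT", acct, "no HR record and not a known service account"))
    for line in log_lines:
        ev = parse_log_line(line)
        if ev is None or ev["result"] != "success":
            continue  # only successful access is reconciled here
        person = roster.get(ev["user"])
        # 2. A former employee's account still works: access was not disabled at termination.
        if person and person["status"] == "terminated":
            if ev["ts"].date() > date.fromisoformat(person["term_date"]):
                findings.append(("TERMINATED_ACCOUNT_LOGIN", ev["user"],
                                 f"login at {ev['ts']} after termination on {person['term_date']}"))
        # 3. Remote access outside working hours: the pattern in the IT sabotage column.
        if is_off_hours(ev["ts"]):
            findings.append(("OFF_HOURS_REMOTE_LOGIN", ev["user"],
                             f"login at {ev['ts']} from {ev['src']}"))
    return findings


def demo():
    """Run the review over the constructed sample data above."""
    return review_access(LOG_LINES, ROSTER, SYSTEM_ACCOUNTS, KNOWN_SERVICE_ACCOUNTS)


if __name__ == "__main__":
    for rule, acct, detail in demo():
        print(f"{rule:26} {acct:12} {detail}")
```

On the sample data the review reports tmp_admin as an unowned account, jdoe's post-termination login twice (once as a terminated-account login, once as off-hours remote access) and bchen's late-evening login. In practice the HR roster is the authoritative input, so the comparison is only as good as the HR feed's timeliness; a one-day lag between termination and the roster update is exactly the window in which a disabled-on-paper account is still usable.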
19
Others
Encryption
Physical access control systems
Automated data integrity checks
Backup and recovery systems
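The change-control slide (unauthorized modification of critical files, planted software) and the "automated data integrity checks" item above both rest on one mechanism: record a cryptographic digest of every critical file, then compare the live tree against that record. The script below is an added illustration written for this page, not code from CERT or the presentation; the file names, contents and the simulated changes are constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path, '/' separators) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def check_integrity(root, baseline):
    """Compare the tree under root with a previously recorded baseline.

    Reports the three kinds of change a change-control review cares about:
    files whose content differs, files that disappeared, and files that appeared
    without being in the baseline (e.g. planted scripts or unauthorized software).
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root, rel, data):
    """Helper for the demo: create rel under root with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a small tree of 'critical files', then
    simulate the kinds of unauthorized change the slides list and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/crontab", b"0 2 * * * /opt/backup/run.sh\n")
        _write(root, "opt/backup/run.sh", b"#!/bin/sh\ntar czf /mnt/tapes/db.tgz /var/lib/db\n")
        _write(root, "opt/app/config.ini", b"[db]\nhost=db.internal\n")
        baseline = build_baseline(root)  # in practice kept read-only, off the host being checked

        # Simulated changes: an edited scheduled task, a deleted backup script, a new hidden file.
        _write(root, "etc/crontab", b"0 2 * * * /opt/backup/run.sh\n0 3 * * * /opt/app/.helper\n")
        os.remove(os.path.join(root, "opt/backup/run.sh"))
        _write(root, "opt/app/.helper", b"#!/bin/sh\necho placeholder\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The value of the check depends entirely on where the baseline lives: by the slides' own definition the insider may be the system administrator, so a baseline stored on the host it describes can be rewritten along with the files. Keep it on a separate system, run the comparison from an account the administrators being reviewed do not control, and reconcile every reported difference against an approved change record.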
20
Contact Information
Insider Threat Team Lead: Dawn M. Cappelli
Technical Manager, Threat and Incident Management
CERT Program, Software Engineering Institute, Carnegie Mellon University
4500 Fifth Avenue, Pittsburgh, PA 15213-3890
+1 412 268-9136 – [email protected] – Email
http://www.cert.org/insider_threat/