The Association between Capacity Management, Cybersecurity, and Insider Threat

Chris Greco, PMP, PMI-ACP, CISSP, ITIL (Foundation)

Assumptions

• Every computer has at least one user
• Every user accesses the computer through a series of access controls
• Every access control has at least one method of authentication (two preferred)
• Every one of these authentication methods has an effect on capacity
• Every capacity change incorporates a set of risks

Background of Speaker

• Over 35 years of project management experience combined with 15 years of IT experience
• Speaker at CMG on a variety of topics
• In 2006, presented the topic of capacity and security
• In that presentation, showed that capacity will grow exponentially in the next 10 years due to security concerns

Stunning Statistics

• 2010: 60% of respondents to a survey stated they would take anything from their prior employer, including information
• 2012: Former NSA contractor takes information from computers (insider threat)
• 2013: Hacking continues, and in some cases originates within companies (insider threats)
• 2016: Insider threats present a very real and present danger to companies and governments

How Does This Relate to Capacity?

• Let’s do the logic
• There are approximately 7 billion people in the world
• If half own and use a computer (3.5 billion), then they have at least one password
• The password may contain upwards of 15 characters
• If each character of that password is a byte, then you have 53 Gigabytes of information

That’s Not Bad At All

• Nope, not bad, then you start to add it all up
• You have a “forgotten password” feature where you store 3 questions and answers for each user
• The questions are standard (but still need to be stored) and the answers vary
• If the answers have an average of 10 characters (which in my opinion is underestimated), then you have about 105 Gigabytes of information

But It is Not Over Yet!

• If the entity employs multi-factor authentication, then it becomes even more complicated
• You have to store phone numbers of the users, and issue random numbers for verification
• Storing phone numbers increases your data storage by at least 10 bytes per user, which would be an additional 35 Gigabytes

The Sum And The Consequences

• 53 + 105 + 35 = 173 Gigabytes
• And that is for only one password for one application (or one application access)
• The reason for this introduction is to say that there is a rise in the authentication requirement
• As a user, your responsibility is to ensure your passwords are strong
• The infrastructure manager has to do the rest
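The running total above counts one byte per stored password character. As an added example (not from the presentation), the following Python puts that model next to the fixed-size record produced when each secret is stored as a salted hash, which is how credentials should be held at rest; the salt length, digest length and iteration count are assumptions.

```python
"""Added example (not from the presentation): compares the slides' storage
model, which counts one byte per password character, with the fixed-size
record that results when a password (or recovery answer) is stored as a
salted hash, the form credentials should take at rest."""
import hashlib
import os

# Constructed assumptions for the hashed record: a 16-byte random salt plus a
# 32-byte PBKDF2-HMAC-SHA256 output per stored credential.
SALT_BYTES = 16
DIGEST_BYTES = 32
PBKDF2_ITERATIONS = 100_000


def hash_credential(secret: str, salt: bytes = b"") -> bytes:
    """Return salt || digest for one secret; the length never depends on the secret."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=DIGEST_BYTES)
    return salt + digest


def plaintext_model_bytes(users: int, avg_chars: int) -> int:
    """The slides' model: one byte per character of each stored secret."""
    return users * avg_chars


def hashed_model_bytes(users: int, credentials_per_user: int) -> int:
    """Fixed cost per credential (salt + digest), independent of secret length."""
    return users * credentials_per_user * (SALT_BYTES + DIGEST_BYTES)


def compare_models(users: int = 3_500_000_000) -> dict:
    """Recompute the slides' figures (15-char password, three 10-char answers)
    and put the hashed-storage figures beside them, in gigabytes (1e9 bytes)."""
    gb = 1e9
    return {
        "passwords_plaintext_gb": plaintext_model_bytes(users, 15) / gb,
        "answers_plaintext_gb": plaintext_model_bytes(users, 3 * 10) / gb,
        "passwords_hashed_gb": hashed_model_bytes(users, 1) / gb,
        "answers_hashed_gb": hashed_model_bytes(users, 3) / gb,
    }


if __name__ == "__main__":
    short, long = hash_credential("pw12345"), hash_credential("x" * 64)
    print(len(short), len(long))  # both 48: the record size is fixed by the format
    for name, value in compare_models().items():
        print(f"{name}: {value:,.1f} GB")
```

The hashed figures come out larger than the per-character estimate, so a capacity plan built on character counts understates the credential store even before password history and recovery answers are added.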

The Growth of Authentication

• In the beginning, the password was the only authentication needed for access
• Then multi-factor authentication required more
  – Something you know – password
  – Something you have – cellphone (or a “fob”)
  – Something you are – biometrics
• This has required more capacity to store all this data

Authentication And The Numbers

• Assumptions
  – Your company has 1000 employees
  – Each of these employees has a strong password (i.e. 10 characters, different character sets)
  – Your company has also incorporated biometrics (“something you are”) in the form of one fingerprint
• The password will be approximately 21 kilobytes, and the fingerprint will be approximately 1 megabyte

What Is the Problem?

• So far, given the previous slide, everything is not bad at all
• However, there are some other issues you need to consider
  – The storage of past passwords (you don’t want users using the same password for everything)
  – The storage of USERIDs (at least 7 characters)
  – The storage of more than one fingerprint (an increase of approximately 1 MB each time)

Access By Application

• Of course most of us have access to applications or single sign-on (SSO), so the storage is not a problem (right?)
• The baseline storage still has to occur, as well as the possibility of placing certain folders under access control
• Every folder or document that has access must also have an access control

Simulated Access Control

• The following diagram shows a simulated access to one document by a set of users
• This is just a simulation, but one can imagine the amount of storage that would be required to keep the passwords or other access current
• You may have an Access Control List (ACL), but that means you have to store at least the following:
  – Name (or employee number or other ID)
  – USERID
  – PASSWORD
  – Other access controls, including versions of the documents

Access Chart for Single Document

A Quick Review

• Your storage has to accommodate the following security protections
  – Something you know (passwords, passcodes, userid)
  – Something you have (fobs, cellphone numbers, random number generator)
  – Something you are (biometrics including fingerprints, iris scans, facial recognition)
• All of this just to ensure authorized access
• This does nothing to prevent insider threat if not done in combination with other measures

Insider Threat

• Insider Threat is nothing new
• Disgruntled employees have existed as long as there have been companies
• In the past, they sometimes took office supplies, or other things of value
• Now, they could take something of great value – information!
• How do you stop this insidious practice?
• You will NEVER stop Insider Threat (in my opinion) but you can try to prevent and detect it

Capacity Management and Insider Threat

• Storage of user identifying information
  – Every user takes up space in the storage formula
  – The amount of information will vary
• What we need to discuss is how to detect and/or prevent insider threat
• What are the various forms of data you store in order to implement insider threat detection/prevention?

Logic Behind Detecting Insider Threat

• Let’s assume again that you have 1000 employees
• Each of these employees has access to 1000 documents in various folders on the servers
• You, as the computer security manager, have a “feeling” that there is information being pilfered from the system
• In order to confirm that feeling with data you have to monitor activity on those servers

What Should We Consider?

• If we wanted to employ “insider threat” detection (or outside threat, for that matter) we would want to consider the following:
  – Number of machines (one machine per person)
  – Number of servers
  – Number of firewalls (inside and outside DMZ)
• You would also have to consider how many months (or years) you would want to keep the data

Just One Example

• http://www.buzzcircuit.com/tag/siem-storage-calculator/ is just one site for measuring the amount of storage necessary
• Use this site, entering the number 10 for all the hardware choices, along with 6 months for the storage requirement
• The amount of storage you would need would be approximately 3 Terabytes of raw data and 5 Terabytes of application storage

Changing the Attributes

• If you increase the number of servers from 10 to 50, you increase the storage requirement by 2 Terabytes
• If you use the average medium-sized company of 200 employees, you increase the number of computers to 200 with 10 servers (1 per 20 computers)
• This would mean that you would have to START with several Terabytes of storage just to retain it for 6 months!
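As an added example (not from the presentation, and not the linked calculator’s method), a small estimator that sizes SIEM storage from the same inputs the slides walk through: machine, server and firewall counts plus retention in months. The per-device event rates, average event size and index overhead are constructed assumptions, so the figures illustrate the scaling rather than reproduce the calculator’s numbers.

```python
"""Added example (not from the presentation): a simple SIEM log-storage
estimator driven by device counts and retention. Event rates, event size
and index overhead are constructed assumptions, not measured values."""
from dataclasses import dataclass

# Constructed assumptions: average events per second generated per device class.
EPS_PER_DEVICE = {"machine": 5.0, "server": 25.0, "firewall": 40.0}
AVG_EVENT_BYTES = 250      # assumed average size of one normalised log event
INDEX_OVERHEAD = 1.7       # assumed ratio of application (indexed) storage to raw
SECONDS_PER_DAY = 86_400
DAYS_PER_MONTH = 30.4


@dataclass
class SiemEstimate:
    events_per_second: float
    raw_terabytes: float          # raw log data retained, in TB (1e12 bytes)
    application_terabytes: float  # raw plus index and metadata overhead


def estimate_siem_storage(machines: int, servers: int, firewalls: int,
                          retention_months: float) -> SiemEstimate:
    """Size the store from device counts and retention, as the slides' walkthrough does."""
    eps = (machines * EPS_PER_DEVICE["machine"]
           + servers * EPS_PER_DEVICE["server"]
           + firewalls * EPS_PER_DEVICE["firewall"])
    raw_bytes = eps * SECONDS_PER_DAY * retention_months * DAYS_PER_MONTH * AVG_EVENT_BYTES
    raw_tb = raw_bytes / 1e12
    return SiemEstimate(eps, raw_tb, raw_tb * INDEX_OVERHEAD)


def months_of_retention(capacity_tb: float, machines: int, servers: int,
                        firewalls: int) -> float:
    """Invert the model: how many months of application storage a given capacity holds."""
    per_month = estimate_siem_storage(machines, servers, firewalls, 1).application_terabytes
    return capacity_tb / per_month


if __name__ == "__main__":
    # The slides' scenarios: 10 of everything, then 50 servers, then a 200-seat company.
    for label, m, s, f in [("10 of everything", 10, 10, 10),
                           ("50 servers", 10, 50, 10),
                           ("200 machines, 10 servers", 200, 10, 10)]:
        e = estimate_siem_storage(m, s, f, 6)
        print(f"{label:>26}: {e.raw_terabytes:5.2f} TB raw, "
              f"{e.application_terabytes:5.2f} TB application")
    print(f"5 TB holds {months_of_retention(5, 10, 10, 10):.1f} months at 10 of everything")
```

Because raw volume is linear in both event rate and retention, the second function is the one a capacity manager actually needs: it turns an existing storage budget into the retention window it can honour before the SIEM starts dropping history.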

Knowing the Terms

• A term with which you may be familiar is Security Information and Event Management (SIEM) storage
• This is an application that gathers information and detects outliers for further analysis
• Although it has been in use for years, many companies are spending hundreds of thousands of dollars on obtaining and maintaining these applications

Sample of Storage Requirements (For Different # of Servers)

[Chart: storage requirement in Terabytes (y-axis, 0 to 300) against number of servers (x-axis: 1, 5, 10, 15, 20, 25), with six series: 6 Months Retention (1 of Everything); 1 Year Retention (1 of Everything); 6 Months Retention (1+ FW, R, SW, DB, Etc); 1 Year Retention (1+ FW, R, SW, DB, Etc); 6 Months Retention (10 of Everything); 1 Year Retention (10 of Everything)]

An Example

• Let’s say that in 2012-2013 there was an individual who was in a sensitive position
• Let’s hypothesize the individual was part of the Federal Government and had access to very critical information
• Finally, let’s hypothetically conclude that the individual is now living in a foreign country after stealing sensitive national security information

Questions to Consider

• What if the individual was slowly gaining access to information that was “derivative” to his duties?
• What if the individual had flash drives and DVDs on his desk?
• What if the individual was asking questions of users about gaining access to other types of information?
• Finally, what if there were people who saw these signs and did nothing?

Could The Insider Threat Have Been Detected By SIEM?

• Could a SIEM have detected this intruder?
  – Access to information might have shown up as an outlier only if he did not access it daily
  – The SIEM will not “observe” the person’s behavior beyond their computer access and log entries
• People did question the insider threat, but if they are able to “tell a good story” they get a pass
• It takes people to report questionable behavior in order to place confirmation on the monitoring

Another Example

• Let’s say data showed that an individual was using different Social Security Numbers to open businesses (same name, different numbers)

Why Are We Using Machines to Monitor Humans?

Employees As Risks (Pessimistic)

• At the beginning of this presentation, we stated that there might be 60% of employees willing to take something from their employer
• If you have 1000 employees, that would mean (nominally) that you have 600 of those employees that would be willing to steal something from the company
• However, there is an upside to this argument

Using Employees as Security Monitors (Optimistic)

• If you have 20 employees you have 40 eyes and 40 ears that can help keep your company secure
• There is nothing more powerful than peer pressure
• As a college instructor, placing the class on alert helped to eliminate cheating, because they knew the expectations, so they would keep everyone on their best behavior

Some Ways to Deploy the Employees

• Limit access
• Educate employees about security
• Create a culture of security (https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon)

Value Added Security

• There is nothing like having the employee take an active role in security
• Rather than trying to avoid or shortcut security, they will take “their” rules more seriously
• Employee-generated access rosters will establish the employee as the one in charge of that aspect of security
• It also makes them accountable, which will provide them with a stake in that part of the mission

Are Employees Reliable?

• Making someone accountable gives them a sense of purpose
• According to studies, purpose is something we all desire and are motivated to achieve (Elie Wiesel’s Nobel Prize-winning book, Night)
• If they see and do nothing, they are not being accountable, and fail to fulfil their purpose

A Hybrid Approach

• Use a SIEM and make it part of the security infrastructure, but do not rely on it as the sole detection method
• Use employee education to keep employees aware of the various security concerns
• Have an employee security network that helps their peers maintain security
• Create a culture of security through constant visibility and example; use existing tools creatively (e.g. NIMDA back in the early 2000s)

Does Constant Exposure Help?

• https://en.wikipedia.org/wiki/Rick_Rescorla

What Does This Do To Capacity?

• Employee involvement can save Terabytes of storage
• In the current economy, storage has to be protected, so the more storage you have, the more protection it needs
• By keeping the security internal and observable, the capacity can be used for other things besides storing monitoring data (performance monitor!)
• The savings can be passed on to the employee as an incentive

One Last Thing

[Chart: n(n − 1)/2 plotted for n = 5 to 70 in steps of 5; y-axis 0 to 3000]

n(n − 1) / 2

Summary

• Security is something that will never go away
• Employers will constantly try to ensure that employees are security conscious
  – Through access control
  – Through education methods
• Applications can monitor the employee and their access and . . .
• The employees can “police” themselves and take charge of their environment

References

• Common Sense Guide to Prevention and Detection of Insider Threats (CERT), 2005
• Insider Threat White Paper, June 2013: http://www.afcea.org/committees/cyber/documents/AFCEAInsiderThreatWhitepaperJune2013Final.pdf
• http://informationsecurity.report/Resources/Whitepapers/6ea70c75-4977-4d0e-89eb-e0c844a1f9a4_The%20Insider%20Threat%20From%20Risk%20to%20Detection.pdf
• (Other references are links that are in the presentation)
