Page 1: Managing insider threat

Millie Law

ACC626

Page 2

• Introduction
• Reasons
• Strategies
• Current Issues
• Conclusion

Page 3

Definition

• Top 3 Macro Security Issues
• 69% of data breaches
• More costly than external breaches

Cases

Page 4

4 Risky Areas

• Damage
• Theft
• Deletion/Corruption
• Leakage

Page 5

Assets attacked:

• Customer info
• Source code
• Business plans
• Trade secrets
• Internal business info
• Proprietary software

Page 6

Not a priority

• 35% invest in internal security
• High impact, very low frequency

Just a technology problem

• IT department should handle it

Page 7

Security tone at the top

• Security-conscious culture

Top-level policies

Effective governance structure

2 teams:

• X-Team
• Exec Team

Regular reviews

Page 8

27% had financial difficulty

4 Types of lucrative data:

• Payment card data
• Authentication credentials
• Personal Info
• Intellectual Property

Employee Assistance Program (EAP)

Page 9

Unintentional behaviors

• Forgot to log off
• Failed to change passwords regularly
• Inappropriately discarding sensitive info
• Email (37% sensitive info leaked)

Training & Education

• CERT’s 16 Best Practices
• Email Best Practices

Page 10

Identify high-risk behaviors

Federated Model

• Distribute responsibility across the hierarchy
• Central group: set common standards
• Business units: manage local execution

Network Monitoring Approach

• Logical pairing of log files
• Log analysis
• Event correlation
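The network monitoring approach on this slide (pairing log files and correlating events) can be shown in a few lines of code. The following is an added example, not material from the presentation: it pairs a badge-reader log and a VPN log with a file-server audit log and flags file reads by users who, at that moment, were neither badged into the building nor connected over VPN. The log formats, user names, paths and the "badge-in or VPN session" rule are all constructed assumptions.

```python
"""Event correlation across paired logs (added example, constructed data).

Presence logs (door badge, VPN) are paired with a file-server audit log.
A file access with no supporting presence event is flagged for review.
"""
from datetime import datetime

# Constructed sample logs: "<timestamp> <action> <user>" for presence events,
# "<timestamp> <action> <user> <path>" for file-server audit events.
BADGE_LOG = """\
2011-05-09T08:02:11 badge-in alice
2011-05-09T08:15:40 badge-in bob
2011-05-09T17:30:05 badge-out alice
2011-05-09T18:01:22 badge-out bob
"""

VPN_LOG = """\
2011-05-09T21:50:00 vpn-connect dave
2011-05-09T23:10:00 vpn-disconnect dave
"""

FILE_LOG = """\
2011-05-09T09:10:00 read alice /finance/q1_forecast.xlsx
2011-05-09T12:45:13 read bob /hr/salaries.csv
2011-05-09T13:00:00 read carol /legal/contracts.zip
2011-05-09T22:15:47 read alice /engineering/src/core.tar.gz
2011-05-09T22:30:00 read dave /engineering/src/core.tar.gz
"""


def parse_presence(text):
    """Return {user: [(timestamp, action), ...]} sorted by time."""
    events = {}
    for line in text.splitlines():
        ts, action, user = line.split()
        events.setdefault(user, []).append((datetime.fromisoformat(ts), action))
    for evs in events.values():
        evs.sort()
    return events


def parse_file_log(text):
    rows = []
    for line in text.splitlines():
        ts, action, user, path = line.split()
        rows.append({"time": datetime.fromisoformat(ts), "action": action,
                     "user": user, "path": path})
    return rows


def last_state(events, user, when):
    """The most recent presence action for `user` at or before `when`, or None."""
    state = None
    for ts, action in events.get(user, []):
        if ts > when:
            break
        state = action
    return state


def correlate(badge_text, vpn_text, file_text):
    """Pair each file access with the user's presence state at that time."""
    badges = parse_presence(badge_text)
    vpn = parse_presence(vpn_text)
    alerts = []
    for row in parse_file_log(file_text):
        on_site = last_state(badges, row["user"], row["time"]) == "badge-in"
        remote = last_state(vpn, row["user"], row["time"]) == "vpn-connect"
        if not (on_site or remote):
            alerts.append({"user": row["user"], "path": row["path"],
                           "time": row["time"].isoformat(),
                           "reason": "file access with no badge-in or VPN session"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(BADGE_LOG, VPN_LOG, FILE_LOG):
        print(alert)
```

On the constructed data, carol's access (no presence record at all) and alice's late-evening access (badged out, no VPN) are flagged, while dave's remote access is covered by his VPN session. The point of pairing rather than analysing each log alone is that neither log is suspicious by itself; only the combination is.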

Page 11

1/3 surveyed abused access rights

People Paradox

• “Trusted” circle is the primary threat
• Legitimate access

Page 12

Attribute-Based Group Access Control Model

• Based on access capabilities, not role-based

Page 13

Identity Access Management (IAM)

• Centralized and automated controls
• Digital rights management technology

Data tagged

• Real-time access monitoring
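Pages 12 and 13 describe access decisions driven by attributes and data tags rather than role names, with every access monitored in real time. The following added example (not from the presentation) puts the two together: each resource carries tags, each subject carries attributes, a small policy compares them, and every decision is written to a log that a monitor reads to surface users with repeated denials. The attribute names, tags, policy rules and sample users are constructed assumptions.

```python
"""Attribute-based access decisions over tagged data, with decision logging
(added example, constructed policy and data)."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    user: str
    department: str
    clearance: int  # 0 public, 1 internal, 2 confidential (constructed scale)


@dataclass
class Resource:
    path: str
    tags: dict = field(default_factory=dict)  # e.g. classification, owner_dept, exportable


DECISION_LOG = []  # in-memory stand-in for a SIEM or audit feed


def decide(subject, resource, action):
    """Return (allowed, reason). Capability is derived from the subject's
    attributes measured against the data's tags, not from a role name."""
    level = resource.tags.get("classification", 0)
    owner = resource.tags.get("owner_dept")
    allowed, reason = True, "attributes satisfy data tags"
    if subject.clearance < level:
        allowed, reason = False, "clearance below data classification"
    elif action == "write" and owner not in (None, subject.department):
        allowed, reason = False, "write limited to owning department"
    elif action == "export" and not resource.tags.get("exportable", False):
        allowed, reason = False, "data not tagged exportable"
    DECISION_LOG.append({"user": subject.user, "path": resource.path,
                         "action": action, "allowed": allowed, "reason": reason})
    return allowed, reason


def repeat_offenders(threshold=2):
    """Real-time monitoring hook: users whose denial count reaches the threshold."""
    counts = {}
    for entry in DECISION_LOG:
        if not entry["allowed"]:
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample subjects and tagged resources.
ALICE = Subject("alice", "hr", 2)
BOB = Subject("bob", "engineering", 1)
SALARIES = Resource("/hr/salaries.csv", {"classification": 2, "owner_dept": "hr"})
ROADMAP = Resource("/eng/roadmap.md", {"classification": 1, "owner_dept": "engineering",
                                       "exportable": True})


def demo():
    """Run a fixed scenario; returns the list of allowed flags and the offenders."""
    DECISION_LOG.clear()
    results = [
        decide(ALICE, SALARIES, "read")[0],    # clearance 2 >= 2 -> allowed
        decide(BOB, SALARIES, "read")[0],      # clearance 1 < 2 -> denied
        decide(BOB, ROADMAP, "write")[0],      # owning department -> allowed
        decide(ALICE, ROADMAP, "write")[0],    # hr writing engineering data -> denied
        decide(BOB, SALARIES, "export")[0],    # clearance check fails first -> denied
        decide(BOB, ROADMAP, "export")[0],     # tagged exportable -> allowed
    ]
    return results, repeat_offenders(2)


if __name__ == "__main__":
    flags, offenders = demo()
    for entry in DECISION_LOG:
        print(entry)
    print("repeat offenders:", offenders)
```

Because the policy reads tags on the data rather than a role table, a newly tagged file is protected the moment it is created, and the decision log gives the monitoring side the "who tried what, and why it was refused" record the slide calls for.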

Page 14

Controls target external threats

• Firewall
• Intrusion detection system
• Electronic building access

Honey Pot Approach

• Attract ‘unauthorized access’ with fictitious data
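The honey pot approach works because no legitimate business process has any reason to touch fictitious data, so any access to it is a signal in itself. The following added example (not from the presentation) plants a few fictitious customer records among real ones and scans an access log for any read or export of a decoy record. The record layout, the log format, the keyed derivation of decoy IDs and the sample log lines are constructed assumptions.

```python
"""Decoy records and access-log scanning (added example, constructed data)."""
import hashlib
import hmac

# Assumption: the key is held by the security team, outside the application,
# so decoy IDs are unguessable but reproducible for the scanner.
DECOY_KEY = b"constructed-demo-key"


def decoy_id(n):
    """Derive a stable, unguessable customer ID for decoy number n."""
    tag = hmac.new(DECOY_KEY, f"decoy-{n}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"C-{tag}"


def plant_decoys(table, count=3):
    """Insert fictitious records into the customer table; return their IDs."""
    ids = set()
    for n in range(count):
        cid = decoy_id(n)
        table[cid] = {"name": f"Fictitious Person {n}", "balance": 0}
        ids.add(cid)
    return ids


def scan_access_log(lines, decoy_ids):
    """Any access to a decoy record is an alert, whatever the action."""
    alerts = []
    for line in lines:
        ts, user, action, record = line.split()
        if record in decoy_ids:
            alerts.append({"time": ts, "user": user, "action": action, "record": record})
    return alerts


# Constructed customer table and access log.
CUSTOMERS = {"C-1001": {"name": "Real Customer", "balance": 120}}
DECOYS = plant_decoys(CUSTOMERS)
ACCESS_LOG = [
    "2011-05-09T10:00:01 alice read C-1001",
    f"2011-05-09T10:05:11 bob export {decoy_id(1)}",
    "2011-05-09T10:07:30 alice read C-1001",
]


def demo():
    return scan_access_log(ACCESS_LOG, DECOYS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The scanner is deliberately simple: the value lies in the decoys being indistinguishable from real records to someone browsing the table, while the security team keeps the only list of which IDs are fictitious.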

Page 15

No specific type of high-risk attackers

Not exclusive to IT personnel

• More technology-savvy employees

Manage: Employee screening process

• Accuracy: standardize presentation of records
• Hire external screening agency
• Not a standalone strategy

Page 16

Employee Traits

Page 17

Organizations do not know how much data they have

• Increases legal and reputational liability
• High maintenance cost

Data inventory project

• Take inventory of sensitive files
• Accurately record their location on the server
• Keep track of access rights to these files
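The three steps of the data inventory project (find sensitive files, record where they are, record who can reach them) map directly onto a small script. The following added example (not from the presentation) walks a directory tree, classifies files by content patterns, and records each hit's location and permission bits. The sensitivity patterns and the sample files it builds in a temporary directory are constructed assumptions; on a real file server the permission summary is where the ACL or directory-group lookup would go.

```python
"""Sensitive-file inventory: classification, location and access rights
(added example, constructed patterns and sample files)."""
import os
import re
import stat
import tempfile

# Constructed detectors: pattern name -> regex applied to file content.
PATTERNS = {
    "payment_card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credential": re.compile(r"(?i)(password|api[_-]?key)\s*[:=]"),
}


def classify(text):
    """Names of the sensitivity patterns found in `text`, sorted."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))


def access_rights(path):
    """Summarise POSIX permission bits (stand-in for an ACL lookup)."""
    st = os.stat(path)
    return {
        "owner_uid": st.st_uid,
        "mode": stat.filemode(st.st_mode),
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
    }


def inventory(root):
    """One record per sensitive file: relative path, what was found, who can access it."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    kinds = classify(fh.read(1_000_000))
            except OSError:
                continue  # unreadable file: skip, a real run would log this
            if kinds:
                records.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "sensitive": kinds,
                    "rights": access_rights(path),
                })
    return records


def build_sample_tree():
    """Create a constructed directory tree to inventory; returns its root."""
    root = tempfile.mkdtemp(prefix="inventory_")
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "pub"))
    samples = {
        "finance/cards.csv": "name,pan\nA. Person,4111 1111 1111 1111\n",  # fictitious test PAN
        "finance/notes.txt": "quarterly review agenda\n",
        "pub/config.ini": "db_password = not-a-real-secret\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "finance", "cards.csv"), 0o600)
    os.chmod(os.path.join(root, "pub", "config.ini"), 0o644)
    return root


if __name__ == "__main__":
    for rec in inventory(build_sample_tree()):
        print(rec)
```

The output is the inventory the slide asks for: which files hold sensitive data, where they sit, and whether their permissions are wider than their contents justify (here, a world-readable file containing a credential).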

Page 18

Data Centric Policy

• Create data-flow diagrams
• Assess data loss risk
• Apply controls
• Formalize the data-centric policy

Page 19

Globalization

• Multinational operating environments
• Lack of research studies

Virtual Work Environments

• Reliance on manual controls
• Lack of tested and practical strategies

Page 20

Managing insider threat is a priority

• Tone at the top
• Policies and controls
• Strategies

Page 21

"Cyber-Ark; Cyber-Ark Global Survey Shows External Cyber-Security Risks Will Surpass Insider Threats." Investment Weekly News 30 Apr. 2011: ABI/INFORM Trade & Industry, ProQuest. Web. 9 May 2011.

"DHS Immigration System Vulnerable To Insider Threats." InformationWeek Online 28 Feb. 2011: ABI/INFORM Global, ProQuest. Web. 9 May 2011.

Blades, M. (2010, November). The Insider Threat. Security Technology Executive, 20(9), 32-33, 35-37. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2233949191).

Nunn-Price, J. (2010, October). Public job cuts increase insider threat. Computer Weekly, 12. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 2198713041).

Rajendra Chaudhary. (2009, August). "The problem of insider threat exists within every organization". Express Intelligent Enterprise. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1949260831).

Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in information systems security: the insider threat. European Journal of Information Systems: Special Issue: Behavioral and Policy Issues in Information, 18(2), 101-105. Retrieved May 9, 2011, from ABI/INFORM Global. (Document ID: 1751536561).

Loch K.D., Carr H.H. and Warkentin M.E. (1992) Threats to information systems: today's reality, yesterday's understanding. MIS Quarterly 16 (2), 173-186.

Secure Computing IT Director survey reveals "insider threats" as biggest organizational concern. (2008, June 12). Al Bawaba. Retrieved May 9, 2011, from ABI/INFORM Trade & Industry. (Document ID: 1493428881).

Aldhizer III, George R. "The Insider Threat." Internal Auditor 65.2 (2008): 71-73. Business Source Complete. EBSCO. Web. 9 May 2011.

Fyffe, G. (2008). Addressing the insider threat. Network Security, 2008(3), 11-14. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1574237321).

Mike Heck. (2007, February). Surveying the Insider Threat Detection Landscape. InfoWorld, 29(8), 39. Retrieved May 10, 2011, from ABI/INFORM Global. (Document ID: 1229181051).

Moscaritolo, Angela. "Verizon Report Finds Less Shrewd Attacks but More Breaches." SC Magazine (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=SCMAGA0020110420e74j00001&pp=1&fcpil=en&napc=S&sa_from=>.

"Data Security; More Than Half of IT Security Professionals Are Unsure Where Sensitive Files Are Located." Information Technology Newsweekly 131 (2011). Factiva. Web. 9 May 2011. <http://global.factiva.com.proxy.lib.uwaterloo.ca/aa/?ref=INTEWK0020110415e74j0003e&pp=1&fcpil=en&napc=S&sa_from=>.

Noonan, Thomas, and Edmund Archuleta. "The National Infrastructure Advisory Council's Final Report and Recommendation - The Insider Threat to Critical Infrastructures." Department of Homeland Security. Web. 9 May 2011. <http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf>.

Stolfo, Salvatore J. (Salvatore Joseph); Workshop on Insider Attack and Cyber Security (1st: 2007: Washington, D.C.). New York: Springer, c2008.

Randazzo, Marisa, Michelle Keeney, Eileen Kowalski, Dawn Cappelli, and Andrew Moore. "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector." Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2005. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/reports/04tr021.cfm>.

"An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases." Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2011. Web. 3 May 2011. <http://www.cert.org/archive/pdf/11tn006.pdf>.

Cappelli, Dawn, Andrew Moore, and Timothy Shimeall. "Protecting against Insider Threat." Security & Survivability. Software Engineering Institute of Carnegie Mellon University, 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/abstracts/news-at-sei/securitymatters200702.cfm>.

Cappelli, Dawn; Moore, Andrew; & Shimeall, Timothy. Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition. Pittsburgh, PA: Carnegie Mellon University CyLab, 2005.

DeZabala, Ted. "Lock It Up or Set It Free? A Risk Intelligent Approach to Data and Intellectual Property." Enterprise Risk Services. Issue 6. Deloitte, 2010. Web. 3 May 2011. <http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/Deloitte%20Review/US_deloittereview_Lock_It_Up_Or_Set_It_Free_Jan10.pdf>.

Grant, Ian. "RSA 2008: Spot the Warning Signs of Insider Attacks." Computer Weekly, 2008. Web. 3 May 2011. <http://www.computerweekly.com/Articles/2008/04/10/230233/RSA-2008-spot-the-warning-signs-of-insider-attacks.htm>.

Gelles, Michael, David Brant, and Brian Geffert. "Building a Secure Workforce: Guard against Insider Threat." Enterprise Risk Services. Deloitte, 2008. Web. 3 May 2011.

Westby, Jody, and Julia Allen. "Governing for Enterprise Security (GES)." Software Engineering Institute of Carnegie Mellon University, 2007. Web. 3 May 2011. <http://www.sei.cmu.edu/library/download-report.cfm?pdf_name=07tn020.pdf&download=true>.

Goodchild, Joan. "What Security Can Learn from the $15M Sprint Employee Breach." CSO Magazine Online, 2010. Web. 3 May 2011. <http://www.csoonline.com/article/609363/what-security-can-learn-from-the-15m-sprint-employee-breach?source=rss_wireless_mobile_security>.

Datardina, Malik, and Gerald Trites. "CICA." Whitepaper: Data-centric Security (2009). Google Scholar. Web. 24 May 2011. <http://www.cica.ca/research-and-guidance/it-advisory-committee/publications/item33711.pdf>.

Justin Myers, Michael R. Grimaila, and Robert F. Mills. 2009. Towards insider threat detection using web server logs. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, Article 54, 4 pages. DOI=10.1145/1558607.1558670 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558670

Michael D. Carroll. 2006. Information security: examining and managing the insider threat. In Proceedings of the 3rd annual conference on Information security curriculum development (InfoSecCD '06). ACM, New York, NY, USA, 156-158. DOI=10.1145/1231047.1231082 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1231047.1231082

William R. Claycomb and Dongwan Shin. 2010. Detecting insider activity using enhanced directory virtualization. In Proceedings of the 2010 ACM workshop on Insider threats (Insider Threats '10). ACM, New York, NY, USA, 29-36. DOI=10.1145/1866886.1866894 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1866886.1866894

Matt Bishop, Sophie Engle, Sean Peisert, Sean Whalen, and Carrie Gates. 2008. We have met the enemy and he is us. In Proceedings of the 2008 workshop on New security paradigms (NSPW '08). ACM, New York, NY, USA, 1-12. DOI=10.1145/1595676.1595678 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1595676.1595678

Ignacio J. Martinez-Moyano, Eliot Rich, Stephen Conrad, David F. Andersen, and Thomas R. Stewart. 2008. A behavioral theory of insider-threat risks: A system dynamics approach. ACM Trans. Model. Comput. Simul. 18, 2, Article 7 (April 2008), 27 pages. DOI=10.1145/1346325.1346328 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1346325.1346328

Clive Blackwell. 2009. A security architecture to protect against the insider threat from damage, fraud and theft. In Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (CSIIRW '09), Frederick Sheldon, Greg Peterson, Axel Krings, Robert Abercrombie, and Ali Mili (Eds.). ACM, New York, NY, USA, Article 45, 4 pages. DOI=10.1145/1558607.1558659 http://doi.acm.org.proxy.lib.uwaterloo.ca/10.1145/1558607.1558659

Dattatreya Wed, Yesh. "Building an Enterprise Security Program in Ten Simple Steps CIO.com." CIO.com. 15 Oct. 2008. Web. 30 June 2011.

"Email Best Practices." WVU Office of Information Technology. West Virginia University. Web. 30 June 2011. <http://oit.wvu.edu/email/bestpractices/>.