Saturday, March 30, 2019
Types of Security Threats and Protection Against Them
Introduction

While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization's business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.

A system administrator angered by his diminished role in a thriving defense manufacturing firm, whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator's termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company's server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.

An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer's computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company's web pages, changing text and inserting pornographic images. He also sent each of the company's customers an email message advising that the website had been hacked. Each email message also contained that customer's usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer.

A city government employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworker's computers the day before the new finance director took office. An investigation identified the disgruntled employee as the perpetrator of the incident. City government officials disagreed with the primary police detective on the case as to whether all of the deleted files were recovered. No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign.

These incidents of sabotage were all committed by insiders: individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm. Insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases.

(Keeney, M., et al 2005)

The Nature of Security Threats

The greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant [3]. Attackers, trying to do harm, exploit vulnerabilities in a system or security policy, employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business operations or to steal information. The above diagram depicts the types of security threats that exist. The diagram covers all threats to computer systems, but the main emphasis here will be on malicious insiders. The greatest threat of attacks against computer systems comes from insiders who know the codes and security measures that are in place [4, 5]. With very specific objectives, an insider attack can affect all components of security. As employees with legitimate access to systems, they are familiar with an organization's computer systems and applications. They are likely to know what actions cause the most damage and how to get away with it undetected. Considered members of the family, they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and sabotage against systems. Organizational downsizing in both public and private sectors has created a group of individuals with significant knowledge and capabilities for malicious activities [6] and revenge. Contract professionals and foreign nationals, either brought into the U.S. on work visas to fill labor shortages or from offshore outsourcing projects, are also included in this category of knowledgeable insiders.
Common Insider Threat

Common cases of computer-related employee sabotage include: changing data; deleting data; destroying data or programs with logic bombs; crashing systems; holding data hostage; destroying hardware or facilities; entering data incorrectly; and exposing sensitive and embarrassing proprietary data to public view, such as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.

A 1998 FBI survey [7] investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches for a total quantifiable financial loss of $136 million. (See chart.) The survey also found that the largest number of breaches were by unauthorised insider access and concluded that these figures were very conservative, as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey reported the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company over $2.7 million. It found that hidden costs associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.

Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, to protect or advance their careers, to challenge their skill, express anger, impress others, or some combination of these concerns.

Insider Characteristics

The majority of the insiders were former employees. At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors. The former employees or contractors left their positions for a variety of reasons. These include the insiders being fired (48%), resigning (38%), and being laid off (7%). Most insiders were either previously or currently employed full-time in a technical position within the organization. Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been employed as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor. Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status. The insiders ranged in age from 17 to 60 years (mean age = 32 years) [17] and represented a variety of racial and ethnic backgrounds. Ninety-six percent of the insiders were male. Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history. Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and non-financial/fraud related theft offenses (11%).

Organization Characteristics

The incidents affected organizations in the following critical infrastructure sectors:
Banking and finance (8%)
Continuity of government (16%)
Defense industrial base (2%)
Food (4%)
Information and telecommunications (63%)
Postal and shipping (2%)
Public health (4%)

In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.

What motivates insiders?

Internal attackers attempt to break into computer networks for many reasons. The subject has been fruitfully studied, and internal attackers are usually motivated by the following reasons [BSB03].

Challenge: Many internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not think much about their actions as criminal.
For example, an internal attack can be the challenge to break into the mail server in order to get access to the emails of any employee.

Revenge: Internal attackers motivated by revenge generally have ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees who feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack on the company in order to cause financial losses.

Espionage: Internal attackers motivated by espionage steal confidential information for a third party. In general, two types of espionage exist:

Industrial espionage: Industrial espionage means that a company may pay its own employees in order to break into the networks of its competitors or business partners. The company may also hire someone else to do this.

International espionage: International espionage means that attackers work for governments and steal confidential information for other governments.

Definitions of insider threat

1) The definition of insider threat should cover two main threat actor categories and five general categories of activities. The first actor category, the true insider, is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the pseudo-insider, is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities. The activities of both fall into five general categories:
Exceeds given network, system or data permissions;
Conducts malicious activity against or across the network, system or data;
Provides unapproved access to the network, system or data;
Circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identity; or
Non-maliciously or accidentally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure.

(Presented at the University of Louisville Cyber Security Day, October 2006)

2) Insiders (employees, contractors, consultants, and vendors) pose as great a threat to an organization's security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review and employee awareness training.

(Insider Threat Management, presented by infoLock Technologies)

3) Employees are an organization's most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, and storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods, employees have extended the security perimeter beyond safe limits.
While convenient access to data is required for operational efficiency, the actions of trusted insiders (not just employees, but consultants, contractors, vendors, and partners) must be actively managed, audited, and monitored in order to protect sensitive data.

(Presented by infoLock Technologies)

4) The diversity of cyber threat has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a safety property are extracted to indicate possible exploits.

(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)

5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University's Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying the risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem.

(Dawn M. Cappelli, Akash G. Desai)

6) The insider threat or insider problem is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an insider has information and capabilities not known to other, external attackers. But the studies seldom define what the insider threat is, or define it nebulously. The difficulty in handling the insider threat is reasonable under those circumstances: if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved?

(Matt Bishop 2005)

Five common insider threats

1.) Exploiting information via remote access software
A considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can do it offsite. Also, inadequately protected remote computers may turn up in the hands of a third party if the computer is left unattended, lost or stolen.

2.) Sending out information via e-mail and instant messaging
Sensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, it's also one of the easiest to eliminate.

3.) Sharing sensitive files on P2P networks
Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are it's there and waiting to be abused. The software in and of itself is not the problem; it's how it's used that causes trouble. All it takes is a simple misconfiguration to serve up your network's local and network drives to the world.

4.) Careless use of wireless networks
Perhaps the most unintentional insider threat is that of insecure wireless network usage. Whether it's at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but don't overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use them to exploit the network after hours.

5.) Posting information to discussion boards and blogs
Quite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.

Views of different authors about insider threat

1) Although insiders in this report tended to be former technical employees, there is no demographic profile of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees' passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship. Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information technology to the organization's overall business processes and the interplay between those processes and the technologies used.

(Michelle Keeney, J.D., Ph.D., et al 2005)

2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization's business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.

(Nam Nguyen and Peter Reiher, Geoffrey H. Kuenning)

3) Geographically distributed information systems achieve high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account.

(Yair Amir, Cristina Nita-Rotaru)

4) In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Defending against insider threats means managing policy, process, technology, and most importantly, people. Whether through an Insider Threat Assessment, security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have made the right choice to improve your security posture, and you will achieve your expected Return on Security Investment.

(Presented by infoLock Technologies)

5) The threat of attack from insiders is real and substantial. The 2004 E-Crime Watch Survey conducted by the United States Secret Service, CERT Coordination Center (CERT/CC), and CSO Magazine [1] found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million [2]. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.

(Dawn Cappelli, Andrew Moore, Timothy Shimeall, 2005)

6) Insiders, by virtue of legitimate access to their organizations' information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it easy to use the systems they use at work every day to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization's vulnerabilities, have used their technical ability to sabotage their employer's system or network in revenge for some negative work-related event.

(Dawn M. Cappelli, Akash G. Desai, et al 2004)

7) The insider problem is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitions vary in meaning. Different definitions imply different countermeasures, as well as different assumptions.

(Matt Bishop 2005)

Solution: User Monitoring

Insiders have two things that external attackers don't: privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts, all while flying under the radar unless a strong incident detection solution is in place. A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. Insiders can directly damage your business, resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees.
With such an immense threat, organizations need an automated solution to help detect and analyze malicious insider activity. These are some points which could be helpful in monitoring and minimizing insider threats.

Detecting insider activity starts with expanded log and event collection. Firewalls, routers and intrusion detection systems are important, but they are not enough. Organizations need to look deeper, to include mission critical applications such as email applications, databases, operating systems, mainframes, access control solutions, physical security systems, as well as identity and content management products.

Correlation: identifying known types of suspicious and malicious behavior.
Anomaly detection: recognizing deviations from norms and baselines.
Pattern discovery: uncovering seemingly unrelated events that show a pattern of suspicious activity.

From case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organization's procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are.

Identify suspicious user activity patterns and identify anomalies.
Visually track and create business-level reports on users' activity.
Automatically escalate the threat levels of suspicious and malicious individuals.
Respond according to your specific and unique corporate governance guidelines.

Early detection of insider activity is based on early warning indicators of suspicious behavior, such as:
Stale or terminated accounts
Excessive file access, unusual printing times and keywords printed
Traffic to suspicious destinations
Unauthorized peripheral device access
Bypassing security controls
Attempts to alter or delete system logs
Installation of malicious software

The Insider Threat Study

The worldwide acceptance, business adoption and growth of the Internet, and of internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less than its tea and coffee expenses. Securing the net has become a national priority.
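The three detection approaches listed above (correlation against known indicators, anomaly detection against a baseline, and pattern discovery across a user's events) run over a small constructed audit trail, as an added example that is not part of the original text. The log format, user names, hosts, terminated-account list and baseline figures are all constructed for the example; the indicators it looks for (terminated-account logins, excessive file access, after-hours printing, attempts to clear audit logs) are the ones this section names.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed audit trail (not from any real system): "timestamp user source event detail"
SAMPLE_LOG = """\
2019-03-29T09:12:03 alice fileserver FILE_READ /projects/q1/plan.docx
2019-03-29T09:40:11 alice fileserver FILE_READ /projects/q1/budget.xlsx
2019-03-29T10:05:44 bob vpn LOGIN ok
2019-03-29T22:31:09 carol vpn LOGIN ok
2019-03-29T22:33:20 carol fileserver FILE_READ /hr/salaries/exec.xlsx
2019-03-29T22:33:21 carol fileserver FILE_READ /hr/salaries/all.xlsx
2019-03-29T22:33:22 carol fileserver FILE_READ /hr/salaries/bonus.xlsx
2019-03-29T22:33:24 carol fileserver FILE_READ /hr/reviews/2018.docx
2019-03-29T22:33:25 carol fileserver FILE_READ /hr/reviews/2019.docx
2019-03-29T22:33:27 carol fileserver FILE_READ /legal/contracts/vendor-a.pdf
2019-03-29T22:33:28 carol fileserver FILE_READ /legal/contracts/vendor-b.pdf
2019-03-29T22:41:00 carol printsrv PRINT /hr/salaries/exec.xlsx
2019-03-30T01:15:30 dave vpn LOGIN ok
2019-03-30T01:16:02 dave fileserver AUDIT_CLEAR /var/log/audit/audit.log
"""

# Constructed HR feed (accounts that should be disabled) and per-user baseline:
# (mean, stdev) of FILE_READ events per day, as a real deployment would learn from history.
TERMINATED_ACCOUNTS = {"dave"}
FILE_READ_BASELINE = {"alice": (6.0, 2.0), "bob": (3.0, 1.0), "carol": (2.0, 1.0)}
BUSINESS_HOURS = (time(8, 0), time(19, 0))


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source: str
    kind: str
    detail: str


def parse_log(text):
    """Parse the constructed whitespace-separated format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, kind, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), user, source, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def after_hours(ts):
    """True when the timestamp falls outside the constructed business-hours window."""
    return not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1])


def correlate(events, terminated=TERMINATED_ACCOUNTS):
    """Correlation: match single events against known-bad indicators."""
    alerts = []
    for e in events:
        if e.kind == "LOGIN" and e.user in terminated:
            alerts.append((e.user, "login from terminated account"))
        if e.kind == "AUDIT_CLEAR":
            alerts.append((e.user, f"attempt to clear audit log {e.detail}"))
    return alerts


def detect_anomalies(events, baseline=FILE_READ_BASELINE, k=3.0):
    """Anomaly detection: daily FILE_READ volume above mean + k*stdev for that user."""
    counts = Counter((e.user, e.ts.date()) for e in events if e.kind == "FILE_READ")
    alerts = []
    for (user, day), n in sorted(counts.items()):
        mean, sd = baseline.get(user, (0.0, 1.0))  # unknown users: any activity is anomalous
        if n > mean + k * sd:
            alerts.append((user, f"{n} file reads on {day} (baseline {mean:.0f}+/-{sd:.0f})"))
    return alerts


def discover_patterns(events, window=timedelta(hours=1), min_reads=5):
    """Pattern discovery: an after-hours login followed, within the window, by bulk
    file reads and a print job; each event alone is benign, the sequence is not."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login.kind != "LOGIN" or not after_hours(login.ts):
                continue
            follow = [e for e in evs[i + 1:] if e.ts - login.ts <= window]
            reads = sum(1 for e in follow if e.kind == "FILE_READ")
            printed = any(e.kind == "PRINT" for e in follow)
            if reads >= min_reads and printed:
                alerts.append((user, f"after-hours login at {login.ts:%H:%M}, {reads} reads, then print"))
    return alerts


def analyze(text=SAMPLE_LOG):
    """Run all three techniques and return their alerts keyed by technique."""
    events = parse_log(text)
    return {"correlation": correlate(events),
            "anomaly": detect_anomalies(events),
            "pattern": discover_patterns(events)}


if __name__ == "__main__":
    for technique, alerts in analyze().items():
        for user, why in alerts:
            print(f"[{technique}] {user}: {why}")
```

Each technique flags a different user for a different reason, which is the point of running them side by side: correlation alone would never notice carol, and anomaly detection alone would never notice dave.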
In The National Strategy to Secure Cyberspace, the President's Critical Infrastructure Protection Board identified several critical infrastructure sectors [10]:
banking and finance
information and telecommunications
transportation
postal and shipping
emergency services
continuity of government
public health
universities
chemical industry, textile industry and hazardous materials
agriculture
defense industrial base

The cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organization's data, systems, or daily business operations. Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.

A completely secure, zero risk system is one which has zero functionality. The latest high-performance automated systems bring with them new risks in the shape of new attacks, new viruses, new software bugs, and so forth. IT security, therefore, is an ongoing process. Proper risk management keeps the IT security plans, policies and procedures up to date as per new requirements and changes in the computing environment. To implement controls to counter risks requires policies, and policy can only be implemented successfully if top management is committed. And a policy's effective implementation is not possible without the training and awareness of staff.

The State Bank of Pakistan recognizes that the financial industry is built around the sanctity of financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of IT security and the ever-increasing threats it faces in today's open world cannot be overstated. As more and more of our banking operations and products become technology driven and dependent, our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth operation of the financial industry.

There are different areas in which we can work and check insider threat, but I chose the textile industry, as in the textile industry there is less awareness of the insider threat. If an insider attacks an industry, then the industrialist tries to cover up this news, as these types of news about an industry can damage the reputation of the industry.

Chapter 2: Review of Literature

S. Axelsson (2000); unidentified (2001)

Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and processes are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level. Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in accordance with quality structures, processes and checklists.

What needs to be protected, against whom and how?

Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of:

Confidentiality: Sensitive business objects (information and processes) are disclosed only to authorised persons. == Controls are required to restrict access to objects.
Integrity: The business need to control modification to objects (information and processes). == Controls are required to ensure objects are accurate and complete.
Availability: The need to have business objects (information and services) available when needed. == Controls are required to ensure reliability of services.
Legal Compliance: Information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.

A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.

Stoneburner et al (2002)

In this paper the author described the risks, which are
Contract professionals and foreign nationals, whether brought into the U.S. on work visas to meet labor shortages or working on offshore outsourcing projects, are also included in this category of knowledgeable insiders.

Common Insider Threats

Common cases of computer-related employee sabotage include: changing data; deleting data; destroying data or programs with logic bombs; crashing systems; holding data hostage; destroying hardware or facilities; entering data incorrectly; and exposing sensitive and embarrassing proprietary data to public view, such as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems, or program malicious code with little chance of detection and with almost total impunity.

A 1998 FBI survey [7] investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches, for a total quantifiable financial loss of $136 million (see chart). The survey also found that the largest number of breaches were by unauthorized insider access, and concluded that these figures were very conservative, as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey put the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company in excess of $2.7 million. It found that the hidden costs associated with the loss of staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.

Employees who have caused damage have used their knowledge of and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, protecting or advancing their careers, challenging their skills, expressing anger, impressing others, or some combination of these.

Insider Characteristics

The majority of the insiders were former employees. At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors. The former employees or contractors had left their positions for a variety of reasons, including being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization. Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor. Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors.
An additional two insiders (4%) worked in service positions, both as customer service representatives.

Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status. The insiders ranged in age from 17 to 60 years (mean age 32 years) [17] and represented a variety of racial and ethnic backgrounds. Ninety-six percent of the insiders were male. Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced.

Just under one-third of the insiders had an arrest history. Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and non-financial/fraud related theft offenses (11%).

Organization Characteristics

The incidents affected organizations in the following critical infrastructure sectors:

- Banking and finance (8%)
- Continuity of government (16%)
- Defense industrial base (2%)
- Food (4%)
- Information and telecommunications (63%)
- Postal and shipping (2%)
- Public health (4%)

In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.

What Motivates Insiders?

Internal attackers attempt to break into computer networks for many reasons. The subject has been studied extensively, and internal attackers are typically motivated by the following [BSB03].

Challenge

Many internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not think of their actions as criminal. For example, an internal attacker may take up the challenge of breaking into the mail server in order to read the email of any employee.

Revenge

Internal attackers motivated by revenge often have ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees who feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack on the company in order to cause financial losses.

Espionage

Internal attackers motivated by espionage steal confidential information for a third party. In general, two types of espionage exist:

Industrial espionage: a company may pay its own employees to break into the networks of its competitors or business partners, or may hire someone else to do this.

International espionage: attackers work for governments and steal confidential information for other governments.

Definitions of Insider Threat

1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the true insider, is outlined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data.
The second actor category, the pseudo-insider, is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities. The activities of both fall into five general categories:

- Exceeds given network, system or data permissions
- Conducts malicious activity against or across the network, system or data
- Provides unapproved access to the network, system or data
- Circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identity
- Non-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure

(Presented at the University of Louisville Cyber Security Day, October 2006)

2) Insiders (employees, contractors, consultants, and vendors) pose as great a threat to an organization's security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review and employee awareness training. (Insider Threat Management, presented by infoLock Technologies)

3) Employees are an organization's most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods, employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders (not just employees, but consultants, contractors, vendors, and partners) must be actively managed, audited, and monitored in order to protect sensitive data. (Presented by infoLock Technologies)

4) The diversity of cyber threats has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specific safety property are extracted to indicate possible exploits. (Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)

5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University's Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying the risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem. (Dawn M. Cappelli, Akash G. Desai)

6) The insider threat or insider problem is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an insider has information and capabilities not known to other, external attackers. But the studies rarely define what the insider threat is, or define it nebulously. The difficulty in handling the insider threat is reasonable under those circumstances: if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved? (Matt Bishop, 2005)

Five Common Insider Threats

1.) Exploiting information via remote access software
A considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can do it offsite. Also, inadequately protected remote computers may turn up in the hands of a third party if the computer is left unattended, lost or stolen.

2.) Sending out information via e-mail and instant messaging
Sensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, it's also one of the easiest to eliminate.

3.) Sharing sensitive files on P2P networks
Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are it's there and waiting to be abused. The software in and of itself is not the problem; it's how it's used that causes trouble. All it takes is a simple misconfiguration to serve up your local and network drives to the world.

4.) Careless use of wireless networks
Perhaps the most unintentional insider threat is insecure wireless network usage. Whether at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but don't overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use them to exploit the network after hours.

5.) Posting information to discussion boards and blogs
Quite often users post support requests, blogs or other work-related messages on the Internet.
Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.

Views of Different Authors on the Insider Threat

1) Although insiders in this report tended to be former technical employees, there is no demographic profile of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees' passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship. Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information technology to the organization's overall business processes and the interplay between those processes and the technologies used. (Michelle Keeney, J.D., Ph.D., et al., 2005)

2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization's business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust. (Nam Nguyen, Peter Reiher and Geoffrey H. Kuenning)

3) Geographically distributed information systems achieve the high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account. (Yair Amir and Cristina Nita-Rotaru)

4) In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people. The Insider Threat Assessment [...] security awareness training, infrastructure reconfiguration, or third-party solutions: you can take comfort in knowing that you have made the right choice to improve your security posture, and you will achieve your expected Return on Security Investment. (Presented by infoLock Technologies)

5) The threat of attack from insiders is real and substantial. The 2004 E-Crime Watch Survey conducted by the United States Secret Service, CERT Coordination Center (CERT/CC), and CSO Magazine [1] found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million [2]. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees. (Dawn Cappelli, Andrew Moore and Timothy Shimeall, 2005)

6) Insiders, by virtue of legitimate access to their organization's information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it easy to use the systems they use at work every day to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization's vulnerabilities, have used their technical ability to sabotage their employer's system or network in revenge for some negative work-related event. (Dawn M. Cappelli, Akash G. Desai, et al., 2004)

7) The insider problem is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitions vary in meaning. Different definitions imply different countermeasures, as well as different assumptions. (Matt Bishop, 2005)

Solution: User Monitoring

Insiders have two things that external attackers don't: privileged access and trust. This allows them to bypass preventive measures, access mission-critical assets, and conduct malicious acts, all while flying under the radar unless a strong incident detection solution is in place. A number of variables motivate insiders, but the end result is that they can perpetrate their crimes more easily than an outsider who has limited access. Insiders can directly damage your business, resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees.
With such an expansive threat, organizations need an automated solution to help detect and analyze malicious insider activity. The following points could be helpful in monitoring and minimizing insider threats.

Detecting insider activity starts with expanded log and event collection. Firewalls, routers and intrusion detection systems are important, but they are not enough. Organizations need to look deeper and include mission-critical applications such as email systems, databases, operating systems, mainframes, access control solutions and physical security systems, as well as identity and content management products. Three analysis techniques are then applied to the collected events:

- Correlation: identifying known types of suspicious and malicious behavior
- Anomaly detection: recognizing deviations from norms and baselines
- Pattern discovery: uncovering seemingly unrelated events that show a pattern of suspicious activity

From case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organization's procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are. Such a solution should:

- Identify suspicious user activity patterns and identify anomalies
- Visually track, and create business-level reports on, users' activity
- Automatically escalate the threat levels of suspicious and malicious individuals
- Respond according to your specific corporate governance guidelines

Early detection of insider activity is based on early warning indicators of suspicious behavior, such as:

- Stale or terminated accounts
- Excessive file printing, unusual printing times and keywords printed
- Traffic to suspicious destinations
- Unauthorized peripheral device access
- Bypassing security controls
- Attempts to alter or delete system logs
- Installation of malicious software

The Insider Threat Study

The global acceptance, business adoption and growth of the Internet, and of internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less than its tea and coffee expenses. Securing cyberspace has become a national priority.
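Before turning to the study's findings, here is what the monitoring section above looks like when turned into code: the early warning indicators it lists (stale or terminated accounts, excessive or off-hours printing, attempts to alter or delete system logs) become correlation rules and baseline-deviation rules run over collected events, with a per-user threat score that drives escalation. This is an added example, not code from the original post or from any product it mentions. The log format, user names, HR feed, printing baselines, event names such as `audit_delete`, rule weights and the escalation threshold are all constructed for the illustration.

```python
"""Detection logic for the insider early-warning indicators above.

Added example, not code from the original post. The log format, user names,
HR feed, printing baselines, event names and rule weights are constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events in the form "timestamp|user|event|key=value ...".
SAMPLE_LOG = """\
2019-03-25T09:12:04|alice|login|src=10.0.0.5
2019-03-25T22:41:10|bob|login|src=203.0.113.7
2019-03-25T22:45:30|bob|print|pages=480
2019-03-25T23:02:11|bob|audit_delete|path=/var/log/auth.log
2019-03-26T10:05:00|alice|print|pages=12
2019-03-26T10:30:00|carol|print|pages=40
2019-03-26T11:00:00|bob|login|src=203.0.113.7
"""

# Constructed HR feed: accounts that should already have been disabled.
TERMINATED_USERS = {"bob"}
# Constructed per-user baseline: mean pages per print job over the past 30 days.
PRINT_BASELINE = {"alice": 15.0, "bob": 20.0, "carol": 35.0}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
# Hypothetical event names that indicate an attempt to alter or delete logs.
LOG_TAMPER_EVENTS = {"audit_delete", "log_clear", "auditd_stop"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, **fields})
    return events


def detect(events, terminated=TERMINATED_USERS, baseline=PRINT_BASELINE):
    """Run correlation rules (known-bad patterns) and anomaly rules (deviation
    from a user's own baseline). Returns (alerts, scores): a list of
    (timestamp, user, rule) tuples and a per-user threat score for escalation."""
    alerts, scores = [], defaultdict(int)

    def hit(ev, rule, weight):
        alerts.append((ev["ts"].isoformat(), ev["user"], rule))
        scores[ev["user"]] += weight

    for ev in events:
        # Correlation: a login by an account the HR feed reports as terminated.
        if ev["event"] == "login" and ev["user"] in terminated:
            hit(ev, "terminated-account-login", 5)
        # Correlation: attempts to alter or delete system logs.
        if ev["event"] in LOG_TAMPER_EVENTS:
            hit(ev, "log-tampering", 5)
        if ev["event"] == "print":
            pages = int(ev.get("pages", 0))
            base = baseline.get(ev["user"])
            # Anomaly: print volume far above this user's own baseline.
            if base is not None and pages > 3 * base:
                hit(ev, "excessive-printing", 3)
            # Anomaly: printing outside business hours.
            if not BUSINESS_HOURS[0] <= ev["ts"].time() <= BUSINESS_HOURS[1]:
                hit(ev, "off-hours-printing", 2)
    return alerts, dict(scores)


def escalate(scores, threshold=8):
    """Users whose accumulated score crosses the escalation threshold."""
    return sorted(u for u, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    found, user_scores = detect(parse_log(SAMPLE_LOG))
    for alert in found:
        print(*alert)
    print("escalate:", escalate(user_scores))
```

Two design points matter more than the specific rules. First, the terminated-account rule is only as good as the feed it correlates against: the second sabotage case above succeeded because a former employee's access path still worked weeks after termination, so the HR or identity system, not the log source, has to supply the list of accounts that should be dead. Second, the printing rule compares each user against their own baseline rather than a global threshold, so a high-volume user like `carol` is not flagged while `bob`'s jump is; whatever weights and threshold you choose, tune them against your own history before wiring the escalation to an on-call process.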
In The National Strategy to Secure Cyberspace, the President's Critical Infrastructure Protection Board identified several critical infrastructure sectors [10]:

- banking and finance
- information and telecommunications
- transportation
- postal and shipping
- emergency services
- continuity of government
- public health
- universities
- chemical industry, textile industry and hazardous materials
- agriculture
- defense industrial base

The cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organization's data, systems, or daily business operations. Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.

A completely secure, zero-risk system is one which has zero functionality. The latest high-performance automated systems bring with them new risks in the shape of new attacks, new viruses, new software bugs, etc. IT security, therefore, is an ongoing process. Proper risk management keeps the IT security plans, policies and procedures up to date with new requirements and changes in the computing environment. Implementing controls to counter risks requires policies, and policy can only be implemented successfully if top management is committed; and effective implementation of policy is not possible without the training and awareness of staff.

The State Bank of Pakistan recognizes that the financial industry is built around the sanctity of financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of IT security and the ever-increasing threats it faces in today's open world cannot be overstated. As more and more banking operations, products and services become technology driven and dependent, our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure the smooth functioning of the financial industry.

There are different areas in which we can work on and check the insider threat, but I chose the textile industry, as in the textile industry there is less awareness of the insider threat. If there is an insider attack in an industry, industrialists try to cover up the news, as news of this kind about an industry can damage its reputation.

Chapter 2: Review of Literature

Axelsson, S. (2000); Anonymous (2001)

Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and processes are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level. Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with quality structures, processes and checklists.

What needs to be protected, against whom and how?

Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of:

Confidentiality: sensitive business objects (information and processes) are disclosed only to authorised persons. => Controls are required to restrict access to objects.

Integrity: the business need to control modification to objects (information and processes). => Controls are required to ensure objects are accurate and complete.

Availability: the need to have business objects (information and services) available when needed. => Controls are required to ensure reliability of services.

Legal compliance: information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.

A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage. (Stoneburner et al., 2002)

In this paper the authors described the risks, which are