THREATS
HUMAN-CENTRED SECURITY
Some people think the danger is outside the perimeter
How big is the threat?
Verizon Study – Oct 2012: threat actions by outsiders vs. insiders (chart)
Employee Context
• Permanent employees
– initially vetted
– above suspicion
– subsequent checks
• Temporary employees
– not subjected to the same checks
– less likely to exhibit loyalty
– privileged access to resources
– Example: Zhangyi Liu
• Former employees
– backdoor access
– stockpile resources (passwords etc)
– seek vengeance
– Example: Donald Burleson
Focus
• Focus on all employees?
• Critical Information Technology Insiders (CITIs)
– they design, maintain and/or manage critical information systems.
Misuse Categories
• Intentional
– self-interest and resources.
– malicious intent.
– waste resources (e.g. shopping, self-promotion).
• Accidental
– employees circumvent policies to complete tasks (e.g. sticky note with password).
– employees may leak sensitive information through actions (e.g. social networks, ‘Reply All’ instead of ‘Reply’).
• Ignorance
– lack training and awareness (e.g. device not encrypted).
– unattended equipment and observed in public.
– disposing or taking resources when leaving job.
• ASPECTS OF INSIDERS:
• Are on the inside, with access privileges
• They are trusted
• Access privileges accrue over time
• Aware of policies, procedures & technology
• Know where the valuable data is and how to access it
Insiders – Defined by Access
• Financial
• Reputation
• Business Operations
• Harm to specific individuals
• Availability of data compromised
Damage
• Claude Carpenter
• Contractor.
• Accessed servers and inserted malicious code to cause havoc.
• His aim was to be called back to solve the resulting problems.
• Hid his tracks by turning off logs and removing the code, to ensure he would not be uncovered.
IRS
• Two employees in the middle of a labour dispute sabotaged all the traffic lights
• One actually implemented the system
• Access had been removed!
Traffic Nightmare LA
• They used their supervisor’s access (he had shared his credentials)
• Murillo allegedly accessed the system and found a way to block other managers from fixing the changes. Prosecutors reported it took four days to repair the signals.
How?
Employment context
Encrypting the Information
• A System Administrator learns that she is to be downsized
• She decides to encrypt important parts of the database and hold it hostage
• She will decrypt it in return for substantial ‘Severance Pay’ and a promise of no prosecution
• The organization decides to pay without consulting the proper authorities and is then precluded from pursuing charges
Changing the Configuration
• An engineer is on probation after a series of confrontations with co-workers
• After he has been sent home without pay pending resolution of the situation, it is discovered that the network configuration has been changed, denying the organisation’s clients the services they have been promised
• Only the engineer holds the privileges to change them. Unfortunately he is not interested in helping out
Mail Flood
• A major aerospace company recently fired an employee who caused its e-mail system to crash for six hours after sending thousands of other employees a personal e-mail that requested an electronic receipt
• They lost hundreds of hours of productivity
Deleting Company Files
• July 1996, Omega
• A recently demoted employee created a software ‘time bomb’ that affected the network files
– Deleted the company’s “most critical software programs”
• Result:
– Caused a loss of over $10 million
– 80 people lost jobs
A company’s mobile devices were suddenly disabled for almost 1000 employees, grinding sales and delivery operations to a halt for several days …
Logic bomb went off three months to the day after a demoted system architect’s retaliatory resignation.
True Story – Revenge
• Employee loaded a virus
• Cost R20m and affected 700 stores
• He had a grudge against the group for outsourcing its information technology maintenance and support work
• 80% of the details for stores in South Africa were deleted, customer sales had to be entered manually and hard drives were damaged.
True Story – Revenge
A company sues a former programmer found selling a competing product at a tradeshow….
Investigators found copies of the company’s source code, stolen on his last day of work at the company, on his home computer.
True Story – Financial Gain
A financial organization’s routine audit discovers a $90,000 discrepancy in one of their software engineer’s personal loan accounts…
The employee modified critical source code to siphon off money to cover fraudulent personal loans he had created.
True Story – Financial Gain
• Gender – mostly males
• Locus of Control – fatalists
• Attribution style – failure is due to external factors
• Core self-evaluations – similar to self-esteem
• Integrity – people who are agreeable, conscientious, stable and reliable are less likely to do this
• Neuroticism – extent to which they experience anger, anxiety, fear, hostility
– Neurotics feel people are too demanding, distant and threatening
Who Are They?
Spot the Threat (photo grid A–F) – Terry Childs
Spot the Insider (photo grid A–F) – Ed Snowden
(photo grid A–F)
• Sold info to the Soviet Union for $5m
• Disclosed over 100 covert operations
• Betrayed 30 double agents (10 executed)
• Crippled the CIA’s activities for some years
• He did not use technology
• He did not use technology
Aldrich Ames – Money
• Spied for the Soviets for 22 years
• Got $1.4m
• Even the Soviets didn’t know who he was
• Disclosed 1000s of secrets
• Accessed everything via his default access rights
Robert Hanssen – Money
• Gary Min was a research scientist at DuPont
• Downloaded 16700 pdf documents ($400 m)
• Gave it to his new employer
• Most had nothing to do with his research
• 15 times more downloads than other users
• Only caught when he announced he was leaving and they started looking at the usage logs
Money
Spot the Insider (photo grid A–F)
• US Soldier
• Provided info to WikiLeaks
• Transferred classified data onto his personal computer
• Arrested on May 26, 2010
• On March 1, 2011, an additional 22 charges were preferred, including wrongfully obtaining classified material for the purpose of posting it on the Internet, knowing that the information would be accessed by the enemy; the illegal transmission of defense information; fraud; and aiding the enemy.
Bradley Manning
Spot the Insider (photo grid A–F)
• Sentenced to 97 months
• Took down as many as 2,000 servers around the country in UBS PaineWebber offices.
• This meant that the company was unable to make trades for up to several weeks in some offices
• The company reported a cost of $3.1 million to recover from the attacks
• He had a criminal record!
UBS PaineWebber (Roger Duronio)
• 2/3 would steal data if fired
• 85% have confidential info at home
• 75% have client records
• ½ have accessed data they had no business accessing
• ¾ said they could easily do this
http://www.infoworld.com/d/security/many-employees-would-sell-corporate-information-study-finds-168110
Circle of Damage (diagram): Minor, Company, Customers, Citizens
http://www.mobile-financial.com/node/14446/The-risk-profile-for-mobile-operators
http://mybroadband.co.za/news/cellular/8779-vodacom-at-centre-of-banking-sms-scam.html
It worked!
• Technical users account for 86% of all attacks
• 90% had systems administrator or privileged system access
• Most crimes were committed by insiders following termination. Most incursions — 64% — involved VPNs and old passwords that had never been terminated
• The impact of the attacks is 10x greater than from external sources
• 30% have a prior history
Reality
• Unauthorised access at time of attack
– Accounts not disabled
– User rights not changed when employee responsibilities changed
• 31% of cases attackers used their own credentials
• 33% of attacks used another employee’s credentials
• 56% of cases another account was compromised
• 17% of attackers used back-door accounts
• 15% used sys admin accounts
Attack Metrics
• Logic Bomb
• Back door accounts
• Virus/Malware
• Remote sys admin tools
• Using other people’s credentials
• Elevated Privileges
Methods Used
Why?
Dark Triad
• Espionage
• Sabotage
• Theft of Intellectual Property
• Financial gain
• Revenge
• Curiosity/Because they can
• Vanity
Insider Misbehaviour Motivations
Perceived Risk (diagram): Understanding (familiarity & experience); Consequences (scope, duration, impact)
• Level 1 – judge the value of the materials
• Level 2 – can they detect a pattern
• Level 3 – can they distinguish between facts and inferences
• Level 4 – can they use the info in a new situation
• Level 5 – can they recall data or information
Understanding
• Level 1 – Trivial
• Level 2 – Recoverable
• Level 3 – Serious and long term
• Level 4 – Raise deep concerns
• Level 5 – Catastrophic
Consequences
• Shortcut – allows people to make decisions quickly
• Emotion influences decisions
• Eg lung cancer -> dread
• Instinct-based reaction
• Thus the higher the perceived benefit, the lower people judge the risk to be
• No focus on realistic statistics – I won’t get caught!
Insiders use the Affect Heuristic
• Isolation Errors
– Prediction of future outcomes biased by scenarios of success
– Past results ignored
• Perceived benefits seem to outweigh perceived risks
Two biases
Fraud Triangle
• Pressure/non-Shareable financial problems
– Unable to meet obligations
– Personal failure
– Business reversals
– Physical isolation
– Status gaining
– Employer-employee relations
• Mostly status seeking or status maintaining
Motivation
• Technical Skills
• Position of trust
• Hearing about other violations
• Getting access to someone else’s password
• Poor Management Practices
Opportunity
• Insiders view themselves as
– Non criminal
– Justified
– Part of general irresponsibility in the organisation
Rationalisation
Path to Revenge
Disillusion
Resentment
Revenge
Unfriendly Atmosphere
Dull Office Environment
Fear of Redundancy
No Promotion and No Pay Rises
Aggressive Boss
Unethical Company Policies
THREATS
Insider Threats
Understand the problem
Develop effective strategies
Deploy the tools
Catch/deter insiders
1. Understand Risk of Detection (and do it)
Employee Education
Proactive Detection
2. Create a fair working environment
Mitigation
Russia’s Approach
• Use software tools
• And soft tools
All is not visible…
Continuous monitoring
• Employee profiling could be carried out pre-hire
– Fast and Legal
– Also do a background check on new employees
– Check CVs
• Prevents
– Wrongful termination
– Financial Loss
– Embezzlement
– Workplace disruption
– Injury claims
• Check external contractors too
Employee Profiling (Prevention)
• Prevent:
– Pre-hire practices
• Detect:
– Red Flag Events
• What should bosses look out for?
• What should they do when these events occur?
• Access control practices
• Respond:
– What Interventions?
– Termination practices – what needs to be done?
• Tools needed
• Outsourcing?
Need a Policy for Insider Threat
Mitigation
Detection & Response (diagram): Red Flags, On Alert, Investigating, Attacked!, Response?
• Prevent:
– Principle of least privilege
– Separation of duties
• Detect
– Log, monitor and audit employee activity
– Special attention to admins and privileged users
– Allow anonymous reporting of issues
• Respond
– Termination procedures essential – lots of incidents from non-employees
– Retain all logs to support investigations
Insider Threat Management
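The prevent/detect/respond list above, the Attack Metrics slide (accounts not disabled, user rights not changed when responsibilities changed, back-door accounts) and the later point that people accumulate access paths the organisation loses track of can all be served by one routine reconciliation check. The Python below is an added example, not code from the lecture: it compares a constructed HR roster against a constructed account inventory and a least-privilege map of what each role should hold, and lists accounts still enabled after termination, entitlements left over from an old role, accounts with no named owner, and people holding more than one access path. The roster, role map, inventory format and account names are all assumptions.

```python
"""Reconcile HR status and role against the accounts that actually exist.

Added example, not code from the lecture. Every record below is constructed;
the roster, role map and inventory formats are assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: employment status, role and leaving date.
HR_ROSTER = {
    "alice": {"role": "dba", "status": "active", "left": None},
    "bob": {"role": "helpdesk", "status": "active", "left": None},
    "carol": {"role": "sysadmin", "status": "terminated", "left": date(2013, 2, 1)},
    "dave": {"role": "sales", "status": "active", "left": None},
}

# Constructed least-privilege map: the entitlements each role should hold.
ROLE_ENTITLEMENTS = {
    "dba": {"db_admin", "vpn"},
    "helpdesk": {"ticketing", "vpn"},
    "sysadmin": {"root_servers", "vpn", "backup_console"},
    "sales": {"crm", "vpn"},
}

# Constructed account inventory: one record per access path.
# owner=None marks a shared or back-door account with no named person.
ACCOUNTS = [
    {"id": "alice@corp", "owner": "alice", "enabled": True,
     "entitlements": {"db_admin", "vpn"}},
    # bob moved from sysadmin to helpdesk; root_servers was never removed
    {"id": "bob@corp", "owner": "bob", "enabled": True,
     "entitlements": {"ticketing", "vpn", "root_servers"}},
    # carol left a month ago; both of her access paths are still enabled
    {"id": "carol@corp", "owner": "carol", "enabled": True,
     "entitlements": {"root_servers", "vpn"}},
    {"id": "carol-vpn", "owner": "carol", "enabled": True,
     "entitlements": {"vpn"}},
    {"id": "dave@corp", "owner": "dave", "enabled": True,
     "entitlements": {"crm", "vpn"}},
    {"id": "svc-backup", "owner": None, "enabled": True,
     "entitlements": {"backup_console", "root_servers"}},
]


def reconcile(roster, accounts, role_entitlements, today):
    """Return findings keyed by category; each value is a sorted list of tuples."""
    findings = defaultdict(list)
    paths_per_person = defaultdict(list)
    for acct in accounts:
        owner = acct["owner"]
        if owner is None:
            findings["unowned_account"].append((acct["id"],))
            continue
        paths_per_person[owner].append(acct["id"])
        person = roster.get(owner)
        if person is None:
            findings["unknown_owner"].append((acct["id"],))
            continue
        if person["status"] != "active":
            # Termination procedure gap: the account outlived the employment.
            if acct["enabled"]:
                days_open = (today - person["left"]).days
                findings["enabled_after_termination"].append((acct["id"], days_open))
            continue
        # Rights not changed when responsibilities changed.
        excess = acct["entitlements"] - role_entitlements[person["role"]]
        if excess:
            findings["excess_privilege"].append((acct["id"], tuple(sorted(excess))))
    # Access paths accumulate over time; more than one per person is worth tracking.
    for owner, ids in paths_per_person.items():
        if len(ids) > 1:
            findings["multiple_access_paths"].append((owner, tuple(sorted(ids))))
    return {k: sorted(v) for k, v in findings.items()}


def termination_actions(findings):
    """Turn findings into the disable/revoke checklist a termination procedure needs."""
    actions = []
    for acct_id, days in findings.get("enabled_after_termination", []):
        actions.append(f"disable {acct_id} (open {days} days after leaving)")
    for acct_id, excess in findings.get("excess_privilege", []):
        actions.append(f"revoke {','.join(excess)} from {acct_id}")
    for (acct_id,) in findings.get("unowned_account", []):
        actions.append(f"assign an owner to {acct_id} or retire it")
    return actions


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS, date(2013, 3, 1))
    for category, items in result.items():
        print(category, items)
    for action in termination_actions(result):
        print("ACTION:", action)
```

Run against a real directory and HR feed, the same loop also gives the "retain all logs" side an input: each finding names the account to pull history for, and the days_open value shows how long an access path stayed open after the person left.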
• Insiders are often disgruntled (57%)
– Disgruntlement level
• Insiders often attacked following a negative event (92%) – dispute, demotion, transfer
– Precipitating event
• Insiders exhibit concerning behaviour BEFORE the attack (offline)
– Behavioural precursor
• Many held IT positions (86%)
– Technical Precursor
What the Research tells us:
• Overwork or a consistently heavy workload
• Feeling unappreciated or underappreciated
• Conditions of the workplace
• Demanding, rigid supervision that is too involved in the work being done
• Unsupportive, weak supervision that does not offer enough input or guidance
• Unmet expectations
– Insufficient compensation
– Lack of career advancement
– Inflexible policies
– Supervisor demands/co-worker relations
Precipitating event
Behavioural Precursor
• Absenteeism
• Raising the voice frequently
• Depression
• Impatience
• Irritability
• Memory/concentration problems
• Paranoia
• Showing up late
• Argumentativeness
• Poor Performance
• Violations of policies/procedures
Disgruntlement Predisposition
• People have expectations of ‘freedoms’
• People accumulate access paths over time. The organisation easily loses track of these
– Few formal access path tracking procedures
– Some are granted, some are fraudulently created
– People sometimes share access with others to achieve organisational operations
• Majority attacked AFTER termination (59%)
More info
• Awareness
• Responding to incidents
– Offer remediation opportunities
– Counselling
– Empower colleagues to provide support
– Destressing activities
• Continue to Monitor
Interventions
• First identify the stocks
• Then identify the connections between them
• And the causatives
• There are many correct answers!
Systems Diagrams
• Show interplay between
– Disgruntlement
– Precipitating event
– Freedom Expectations
– Actual Freedoms
– Unmet expectations i.e. discrepancies
– Predisposition to disgruntlement
Draw a Systems Diagram
My Diagram 1 (figure): nodes Freedom Expectations, Actual Freedom, Unmet Expectations, Precipitating Event, Disgruntlement, Predisposition to Disgruntlement; links marked + or –
• Behavioural precursors (Inappropriate Behaviour)
• Sanctions
• Employee intervention
• Delay (Time to realise insider is becoming a problem)
• Behaviour Perceived by organisation
• Behaviour Perceived by organisation
Now add to your diagram
My Diagram 2 (figure): nodes Freedom Expectations, Actual Freedom, Unmet Expectations, Precipitating Event, Disgruntlement, Predisposition to Disgruntlement, Behavioural Precursors (Inappropriate Offline Behaviour), Employee Intervention, Sanctions, Behaviour Perceived by Organisation, Delay; links marked + or –
• Attackers have a sense of entitlement. This escalates over time.
– If curbed, this could lead to resentment
– If not curbed, entitlement increases
• Interventions:
– Counselling
– Sanctions
– Technical Monitoring
• Termination
– Time period for behaviour to become serious enough
– Time to close all access paths
• Show interplay of
– Known access paths
– Unknown access paths
– Damage
– Disgruntlement
– Technical misbehaviours
– Actions perceived by organisation
– Delay (for organisation to realise)
– Predisposition for technical sabotage
New Diagram
My Diagram 3 (figure): nodes Disgruntlement, Unknown Access Paths, Known Access Paths, Technical Precursors (Acting Inappropriately Online), Predisposition for Technical Sabotage, Actions Perceived by Organisation, Time to Realise, Damage, Potential Delay; links marked + or –
• Insider starts acting inappropriately online
– Accessing unauthorised material
– Getting more privileges
– Stealing material
• It takes time for the organisation to realise this is happening
• Organisation hampered in dealing with this
– By not knowing paths
– When they do find out, they act to remove them
– They might not know about logic bombs
Attack Starts….
• Audit
• Termination
• Actions upon termination i.e. disabling access paths
Add to your Diagram
My Diagram 4 (figure): nodes Disgruntlement, Unknown Access Paths, Known Access Paths, Forgetting, Discovering, Technical Precursors (Acting Inappropriately Online), Actions Perceived by Organisation, Time to Realise, Damage, Potential Delay, Disable, Decision to Terminate, Audit to Discover; links marked + or –
• Pre-employment Checks (red)
– Low risk, medium risk and high risk.
• Non-technical (blue)
– Non-technical actions that companies take to guard against insider threats.
• Technical (green)
– Technical actions that companies take to guard against insider threats.
Task
Technical Tools/Monitoring
Employee Monitoring
• Specific Actions
– Files accessed
– Databases used
– Network access
– Check against policies and alert if violation
• Monitor behaviour and compare to historic usage patterns
– Is it different from usual?
– Eg – download the whole customer database instead of only one customer
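As an added example (not the lecture’s own code), the check described above, comparing each employee’s activity with their own historic pattern and with their peers, can be run over an access log. The Python below parses a constructed log (users, resources, roles and counts are all hypothetical), computes each user’s median daily volume over the days before the day under review and a peer median across users, and flags a day that exceeds either by a chosen ratio; it also checks every event of that day against a role policy and flags single bulk accesses, which is the “whole customer database instead of one customer” case.

```python
"""Compare one day's activity with each employee's own history and with peers.

Added example, not code from the lecture. The log lines, users, roles and
thresholds are constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO
from statistics import median

# Constructed access log: count = records or documents touched by the event.
LOG = """\
date,user,action,resource,count
2013-01-07,gary,download,research_docs,10
2013-01-08,gary,download,research_docs,12
2013-01-09,gary,download,research_docs,11
2013-01-07,helen,download,research_docs,8
2013-01-08,helen,download,research_docs,9
2013-01-09,helen,download,research_docs,10
2013-01-07,ivan,query,customer_db,5
2013-01-08,ivan,query,customer_db,6
2013-01-09,ivan,query,customer_db,7
2013-01-10,gary,download,research_docs,150
2013-01-10,gary,download,legal_docs,20
2013-01-10,helen,download,research_docs,9
2013-01-10,ivan,export,customer_db,50000
"""

# Constructed role policy: which resources each role may touch.
USER_ROLES = {"gary": "research", "helen": "research", "ivan": "sales"}
ROLE_RESOURCES = {"research": {"research_docs"}, "sales": {"customer_db"}}


def parse_log(text):
    """Read the CSV log into dicts with an integer count."""
    return [{**row, "count": int(row["count"])}
            for row in csv.DictReader(StringIO(text))]


def daily_totals(rows):
    """user -> date -> total count for that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        totals[r["user"]][r["date"]] += r["count"]
    return totals


def analyse(rows, today, ratio=5, bulk=1000):
    """Return findings per user for `today` (ISO date string)."""
    totals = daily_totals(rows)
    # Personal baseline: median daily total over the days before today.
    baseline = {}
    for user, per_day in totals.items():
        past = [c for d, c in per_day.items() if d < today]
        baseline[user] = median(past) if past else 0
    # Peer baseline: median of the personal baselines.
    peer = median(baseline.values()) if baseline else 0
    findings = defaultdict(list)
    for user, per_day in totals.items():
        current = per_day.get(today, 0)
        if baseline[user] and current > ratio * baseline[user]:
            findings[user].append(("volume_vs_own_history", current, baseline[user]))
        if peer and current > ratio * peer:
            findings[user].append(("volume_vs_peers", current, peer))
    # Per-event checks for the day under review: policy and bulk access.
    for r in rows:
        if r["date"] != today:
            continue
        allowed = ROLE_RESOURCES.get(USER_ROLES.get(r["user"]), set())
        if r["resource"] not in allowed:
            findings[r["user"]].append(("policy_violation", r["resource"]))
        if r["count"] >= bulk:
            findings[r["user"]].append(("bulk_access", r["resource"], r["count"]))
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyse(parse_log(LOG), "2013-01-10").items():
        for item in items:
            print(user, item)
```

The ratio of 5 and the bulk threshold of 1000 are placeholders; the Gary Min case on the earlier slide showed roughly 15 times the downloads of other users, and a real baseline should be built from weeks of history rather than the three days constructed here. Quiet days return no findings, which is the behaviour to confirm before trusting the alerts.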
InfoWeek Strategic Security Survey
Soft Tools