Computers Insiders Threat

Computers Insiders ThreatWhile attacks on ready reck hotshotrs by outside intruders be more publicized, attacks perpetrated by inner(a)rs be very parking lot and often more damaging. Insiders represent the greatest menace to computer hostage beca role they understand their organizations trouble and how their computer carcasss work. They draw both the confidentiality and entrance fee to perform these attacks. An inside attacker will give way a higher probability of successfully build uping into the trunk and extracting critical culture. The insiders also represent the greatest challenge to securing the beau monde network because they are authorized a level of access to the data file system and grant a degree of trust.A system administrator fierce by his diminished role in a thriving defense manufacturing firm whose computer network he al oneness had developed and managed, centralized the computer software that supported the companys manufacturing answeres on a sin gle server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrators termination for inappropriate and inglorious treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the companys server. The company estimated the speak to of ill-treat in excess of $10 million, which led to the layoff of some 80 employees.An application developer, who lost his IT sector job as a result of company downsizing, explicit his displeasure at being determined off just prior to the Christmas holidays by launching a systematic attack on his former(prenominal) employers computer network. Three weeks next his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the companys web pages, ever-changing textual matter and inserting pornographic images. He also sent each of the companys customers an email message advising that the website had been hacked. Each email message also contained that customers usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed ascript to reset all network passwords and changed 4,000 pricing records to formulate bogus data. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve quintette months in prison and two years on administrate probation, and ordered to pay $48,600 restitution to his former employer.A city g overnment employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworkers computers the day in the first place the impudent finance director took office. An investigation identified the disgruntled employee as the perpetrator of the inc ident. City brass officials disagreed with the primary police detective on the face as to whether all of the deleted files were recovered.No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign.These incidents of sabotage were all committed by insiders individuals who were, or previously had been, authorized to use the information systems they consequenceually diligent to perpetrate harm. Insiders pose a substantial threat by virtue of their friendship of, and access to, employer systems and/or infobases. Keeney, M., et al (2005)The nature of Security ThreatsThe greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant 3 . Attackers, trying to do harm, crop vulnerabilities in a system or security policy employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business enterprise operations or to disl ocate information.The above diagram is depicts the types of security threats that exist. The diagram depicts the all threats to the computer systems but main emphasis will be on malicious insiders. The greatest threat of attacks against computer systems are from insiders who know the codes and security measures that are in place 45. With very specific objectives, an insider attack skunk act all components of security. As employees with legitimate access to systems, they are familiar with an organizations computer systems and applications. They are likely to know what actions cause the close to damage and how to get out with it undetected. Considered members of the family, they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and sabotage against systems. Organizational downsizing in both public and private sectors has created a group of individuals with significant knowledge and capabilities for malic ious activities 6 and revenge. Contract schoolmasters and foreign nationals either brought into the U.S. on work visas to satisfy labor shortagesor from offshore outsourcing projects are also included in this category of knowledgeable insiders.Common Insider ThreatCommon cases of computer-related employee sabotage include changing data deleting data destroying data or programs with logic bombs crashing systems holding data hostage destroying hardware or facilities entering data incorrectly, exposing afflictive and embarrassing copyrighted data to public view such(prenominal)(prenominal) as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.A 1998 FBI Survey 7 investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches for a total quantifiable monetary loss of $136 millions. (See char t) The survey also found that the largest number of breaches were by unauthorized insider access and cogitate that these figures were very conservative as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey reported that the average cost of an attack by an outsider(hacker) at $56,000, while the average insider attack cost a company inexcess $2.7 million. It found that hidden cost associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.Employees who have caused damage have used their knowledge and access to information re denotations for a range of motives, including greed, revenge for perceived grievances, ego gratification, re ascendent of personal or professional problems, to protect or advance their careers, to challenge their skill, express anger, impress others, or some combination of these concerns.Insider CharacteristicsThe majority of the insiders were former employees. At the cartridge holder of the incident, 59% of the insiders were former employees orcontr pseuds of the affect organizations and 41% were current employees orcontractors. The former employees or contractors left their positions for a variety of reasons.These included the insiders being fired (48%), resigning (38%), and being laid off(7%).Most insiders were either previously or currently employed regular in a technicalposition within the organization. Most of the insiders (77%) were full-time employees of the affectedorganizations, either before or during the incidents. Eight percent of the insidersworked part-time, and an additional 8% had been hired as contractors orconsultants. Two (4%) of the insiders worked as temporary employees, and one(2%) was hired as a subcontractor. Eighty-six percent of the insiders were employed in technical positions, whichincluded system admini strators (38%), programmers (21%), engineers (14%),and IT specialists (14%). Of the insiders not holding technical positions, 10%were employed in a professional position, which included, among others, insidersemployed as editors, managers, and auditors. An additional two insiders (4%)worked in service positions, both of whom worked as customer service representatives.Insiders were demographically varied with ascertain to age, racial and heathen background, gender, and marital status.The insiders ranged in age from 17 to 60 years (mean age = 32 years)17 and represented a variety of racial and ethnic backgrounds.Ninety-six percent of the insiders were male.Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an view history.Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/ fraud related theft offenses (11%).Organization CharacteristicsThe incidents affected organizations in the following critical infrastructure sectors banking and finance (8%) continuity of government (16%) defense industrial base (2%) food (4%) information and telecommunications (63%) postal and shipping (2%) public health (4%)In all, 82% of the affected organizations were in private sedulousness, while 16% were government entities. Sixty-three percent of the organizations assiduous in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.What motivate insiders?Internal attackers attempt to break into computer networks for some(prenominal) reasons. The subject has been fruitfully studied and internal attackers are used to be motivated with the following reasons BSB03 ChallengeMany internal attackers initially attempt to break into networks for the challenge. A challeng e combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not often think about their actions as criminal. For example, an internal attack can be the challenge to break into the mail server in order to get access to distinguishable emails of any employee. RevengeInternal attackers motivated by revenge have often ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees that feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack to the company in order to cause financial losses. EspionageInternal attackers motivated by espionage, splay confidential information for a third party. In general, two types of espionage existsIndustrial espio nageIndustrial espionage means that a company may pay its own employees in order to break intothe networks of its competitors or business partners. The company may also hire someone else to do this.International espionageInternational espionage means that attackers work for governments and steal confidentialinformation for other governments.Definitions of insider threat1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the true insider, is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the pseudo-insider, is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities.The activities of both fall into five general categories exceeds given network, system or data perm issionsconducts malicious activity against or across the network, system or dataprovided unapproved access to the network, system or datacircumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identify ornon-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure. (Presented at the University of Louisville Cyber Securitys Day, October 2006)2) Insiders employees, contractors, consultants, and vendors pose as great a threat to an organizations security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many another(prenominal) organizations, followed by policy review, and employee awareness learn.(Insider Threat warinessPresented by infoLock Technologies)3)Employees are an organizations most important asset. Unfortunately, they also present the greatest security stakeinesss. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods employees have extended the security perimeter beyond safe limits. While convenient access to data is required for functional efficiency, the actions of trusted insiders not just employees, but consultants, contactors, vendors, and partners must be actively managed, audited, and monitored in order to protect sensitive data.(Presented by infoLock Technologies)4) The diversity of cyber threat has magnanimous over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric exposure modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specie safety property are extracted to indicate possible exploits.(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon Universitys Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that counseling decisions related to organizational and employee performance sometimes yield unintended consequences magnifying risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation interpolatenatives, and communicating results exacerbates the problem.(Dawn M. Cappelli, Akash G. Desai)6) The insider threat or insider problem is cited as the most serious security problem in many studies. It is also considered the most difficu lt problem to deal with, because an insider has information and capabilities not cognize to other, external attackers. But the studies rarely define what the insider threat is, or define it nebulously. The difficulty in handling the insider threat is reasonable under those circumstances if one cannot define a problem precisely, how can one approach a dissolving agent, let alone know when the problem is solved?(Matt Bishop 2005)Five common insider threatExploiting information via remote access softwareA considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. scarcely put, users are less likely to be caught stealing sensitive information when they can it do offsite. Also, inadequately protected remote computers may turn up in the hands of a third-party if the computer is left unattended, lost or stolen.2.) Sending out information via e-mail and instant messaging Sensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, its also one of the easiest to eliminate.3.) Sharing sensitive files on P2P networks Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are its there and hold to be abused. The inanimate software in and of itself is not the problem its how its used that causes trouble. All it takes is a simple misconfiguration to serve up your networks local and network drives to the world.4.) slapdash use of wireless networks Perhaps the most unintentional insider threat is that of insecure wireless network usage. Whether its at a coffee shop, airport or hotel, unlatched airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but dont overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organiz ation, employees could use it to exploit the network after hours.5.) Posting information to discussion boards and blogs Quite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.Views of different authors about insider threat1) Although insiders in this report tended to be former technical employees, there is no demographic write of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, andexecutives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs toencourage employees to identify malicious insiders by behaviour, not by stereo typicalcharacteristics. For example , behaviors that should be a source of concern includemaking threats against the organization, bragging about the damage one could do tothe organization, or discussing plans to work against the organization. Also of concernare attempts to gain other employees passwords and to fraudulently obtain accessthrough trickery or exploitation of a trusted relationship.Insiders can be stopped, but stopping them is a multiplex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyondinformation technology to the organizations overall business processes and the interplay between those processes and the technologies used.(Michelle Keeney, J.D., Ph.D. atal 2005)2) While attacks on computers by outside i ntruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent thegreatest threat to computer security because they understand their organizations business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.(Nam Nguyen and Peter Reiher, Geoffrey H. Kuenning)3) Geographically distributed information systems achieve high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally availab le. As network environments manufacture increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account.(Yair Amir Cristina Nita-Rotaru)4) In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats meansmanaging policy, process, technology, and most importantly, people. Protecting againstinsider threats means managing policy, process, technology, and most importantly, people.The Insider Threat Assessment security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have made the right choice to amend your security posture, and you will achieve yo ur expected Return on Security Investment.(Presented by infoLock Technologies)5) The threat of attack from insiders is real and substantial. The 2004 ECrimeWatch Survey TM conducted by the United States Secret Service, CERT Coordination Center (CERT/CC), and CSO Magazine, 1 found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million. 2 Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.(Dawn Cappelli, Andrew Moore, Timothy Shimeall,2005)6) Insiders, by virtue of legitimate access to their organizations information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have f ound it easy to use the systems they use at work everyday to commit fraud. Other employees, motivated by financial problems, greed, or the like to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organizations vulnerabilities, have used their technical ability to sabotage their employers system or network in revenge for some negative work-related event.(Dawn M. Cappelli, Akash G. Desai ,at al 2004)7) The insider problem is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitionsvary in meaning. Different definitions imply different countermeasures, as well as different assumptions.(Matt Bishop 2005)Solution User monitoringInsiders have two th ings that external attackers dont privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts all while flying under the radar unless a strong incident detection solution is in place. A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. Insiders can at one time damage your business resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyzemalicious insider activity.These are some points which could be helpful in monitoring and minimizing the insider threatsDetecting insider activity starts with an expanded logand event collection. Firewalls, routers and intrusion detection systems are important, but they are not enough.Organizations need to l ook deeper to include mission critical applications such as email applications, databases, direct systems, mainframes, access control solutions, physical security systems as well as identity and content management products. Correlation identifying known types of suspicious and malicious behaviorAnomaly detection recognizing deviations from norms and baselines.Pattern discovery uncovering seemingly unrelated events that show a pattern of suspicious activityFrom case management, event bankers bill and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organizations procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are. detect suspicious user activity patterns and identify anomalies.Visually track and create business-level reports on users activity.Automatically escalate the threat levels of suspicious and malicious individuals.Respond ha rmonise to your specific and unique corporate governing guidelines.Early detection of insider activity based on early warning indicators of suspicious behavior, such as cold or terminated accountsExcessive file printing, unusual printing times andkeywords printedTraffic to suspicious destinationsUnauthorized peripheral device accessBypassing security controlsAttempts to alter or delete system logsInstallation of malicious softwareThe Insider Threat Study?The global acceptance, business adoption and growth of the Internet, and ofInternetworking technologies in general, in reply to customer requests for onlineaccess to business information systems, has ushered in an extraordinary expansion ofelectronic business transactions. In moving from internal (closed) business systems toopen systems, the risk of malicious attacks and fraudulent activity has increasedenormously, thereby requiring high levels of information security. Prior to therequirement for online, open access, the informatio n security budget of a typicalcompany was less then their tea and coffee expenses.Securing cyberspace has go a national priority. In The National Strategy to Secure Cyberspace, the Presidents Critical al-Qaeda Protection Board identified several critical infrastructure sectors10banking and financeinformation and telecommunicationstransportationpostal and shippingemergency servicescontinuity of governmentpublic healthUniversitieschemical diligence, textile industry and hazardous materialsagriculturedefense industrial baseThe cases examined in the Insider Threat Study are incidents perpetrated by insiders(current or former employees or contractors) who intentionally exceeded or misused anauthorized level of network, system, or data access in a manner that affected thesecurity of the organizations data, systems, or daily business operations. Incidentsincluded any compromise, manipulation of, unauthorized access to, exceedingauthorized access to, tampering with, or disenable of any information system, network,or data. The cases examined also included any in which there was an unauthorized orillegal attempt to view, disclose, retrieve, delete, change, or add information.A completely secure, zero risk system is one which has zero functionality. Latesttechnology high-performance automated systems bring with them new risks in theshape of new attacks, new viruses and new software bugs, etc. IT Security, therefore, isan ongoing process. Proper risk management keeps the IT Security plans, policies andprocedures up to date as per new requirements and changes in the figure environment. To implement controls to counter risks requires policies, and policy canonly be implemented successfully if the top management is committed. And policyseffective implementation is not possible without the training and awareness of staff.The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical role of financial institutions for a plain and the extreme sensitivity of their information assets, the seriousness of ITSecurity and the ever-increasing threats it faces in todays open world cannot be overstated. As more and more of our Banking Operations and products services become technology driven and dependent, consequently our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth functioning of the financial industry. present are different area in which we can work and check insider threat, but I chose textile industry as in textile industry there is less awareness of the insider threat. If an insider attack in an industry then industrialist try to cover up this news as these types of news about an industry can damage the reputation of the industry.CHAPTER 2REVIEW OF LITRATURES, Axelsson. ,(2000)Anonymous 2001Continuity of operations and correct functioning of information systems is important to most businesses . Threats to computerised information and process are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level.Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with feeling structures, processes and checklists.What needs to be protected, against whom and how? Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of Confidentiality Sensitive business objects (information processes) are give away only to authorised persons. == Controls are required to restrict access to objects.Integrity The business need to control modification to objects (information and processes). == Controls are required to ensure objects are accur ate and complete.