
1 DISA IT Seminar : July 2014
The Insider Threat
Nick Barron, DISA IT Advisor
nick.barron@pennantplc.co.uk
+44 7720 508085

2 About me
Day job
- Security controller, sysadmin, software developer
- Medium size List-X contractor
- DISA IT advisor
After hours
- 44CON security conference
- SC Magazine
- Way too many computers at home

3 Overview
- What is the insider threat?
- Attackers; types, motivation and examples
- Detection
- Prevention
- Summary
- Questions

4 An apology

5 What is the insider threat?
Definition from CERT: A malicious insider threat is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
(Cappelli, Dawn M.; Moore, Andrew P.; Trzeciak, Randall F. (2012-01-20). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes)
Definition from CPNI: A person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes.
(CPNI Insider Data Collection Study, April 2013)

6 Obligatory (possibly fictional) scary numbers
CPNI Insider Data Collection Study, April 2013
- 88% permanent staff, 7% contractor, 5% temp
- 82% male
- 76% “self initiated”
- 47% financial gain motivation, 20% ideology
Combating the Insider Threat at the FBI: Real World Lessons Learned, Patrick Ready, BlackHat 2013
- Not the most common threat (~19%)
- But the most costly ($412K per incident, average victim loss ~$15M per year)

7 Obligatory (possibly fictional) scary numbers
Sanity check!
- Statistics can be misleading
- Only detected intrusions get into the figures
Image: http://xkcd.com/552/. Used with permission

8 Key points about insiders
- Already authorised
- Already know the “crown jewels”
- Already know some/most security barriers (and can test them)
- Not just your staff

9 Features of the insider threat
The bad side
- Insiders negate perimeter defences
- Good target knowledge
- Interior defences often weaker than perimeter
The not so bad side
- IF detected, better chance of successful resolution
- Operate entirely within your zone of authority

10 Types of attack
Information disclosure
- Theft of IP
  - Competitor/FIS
  - Personal gain
Financial gain
- Direct (theft of material, fraudulent orders etc)
- Indirect (insider information, bids etc)
Sabotage
- Physical, reputational or IT.

11 Types of attacker
Self-initiated insider
- Disgruntled employees
- Potential for financial gain or motivated by ideology, desire for recognition or revenge
Exploited/recruited
- Identified by attacker
- Cultivated
Deliberate
- Gained employment with intent to abuse access
- Typically FIS or activist

12 Motivation
- Money
- Ideology
- Recognition
- Personal loyalty
- Dissatisfaction
- Revenge

13 Motivation and action
Different motivations result in different attacks
- Ideology and desire for recognition most likely to lead to unauthorised disclosure
- Financial gain most likely to lead to process abuse or unauthorised access to assets
- Revenge most likely to result in sabotage

14 Misconceptions
“I’m not worried, all our staff are security cleared…”
Clearance is an important risk management tool, but does not remove the threat.
clear·ance [kleer-uhns] noun: Pre-requisite qualification for a career in insider threat espionage

15 Whistlestop tour of famous DV cleared insider threats
Images: Wikipedia, used with permission
Blunt, Maclean, Burgess, Philby; David Shayler / Delores Kane / Son of God; Annie Machon; Katharine Gun

16 Whistlestop tour of famous DV cleared insider threats
Images: Wikipedia and US Government, used with permission
John Anthony Walker; Aldrich Ames; Robert Hanssen; Bradley Manning

17 Whistlestop tour of famous DV cleared insider threats

18 Snowden sidebar
How did he do it?
- High level legitimate access
- Gained additional credentials (social engineering)
- Installed own crypto keys and certificates
Impact does not correlate with volume
- Currently published Snowden documents are only ~2,000 pages (http://cryptome.org/2013/11/snowden-tally.htm)
- That would be about 8MB…
- Not much chance of detecting that…

19 Detection
Insider threats are not always so obvious!
Image from https://www.123rf.com/profile_dragon_fang. Used under licence

20 Internal attack process
Initiation
Identify target material
- Massive head start on external attackers
- More careful identification reduces chance of discovery
Collect and collate
- Depends on volume
Remove from company control
- CDs, DVDs, paper, email, web transfer

21 Detection
Technical measures
- Unusual copying activity (electronic and paper)
- Large and/or unusual data movements
- Multiple device control failures
- Unusual IT activity (probing etc)
- Suspicious network activity
Forensics
- Know normal patterns
- Forensic awareness (do everything Campbell told you to!)
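The slide's "know normal patterns" and "large and/or unusual data movements" points, as an added example that is not part of the original presentation: a small per-user baseline detector run over constructed data-movement and device-control log lines. It flags a day whose transfer volume is far above that user's own median, and a user who trips device control repeatedly. The log format, user names, thresholds and all values are assumptions; the 8MB transfer by "alice" is deliberately sized to match the Snowden sidebar earlier in the talk, and the detector does not flag it, which is exactly the limitation the speaker points out.

```python
"""Baseline-and-deviation detector over constructed insider-activity logs.
Added example; log format and thresholds are assumptions, not a real tool."""
import statistics
from collections import defaultdict

# Constructed sample log lines (not real data). Assumed format:
#   <date> <user> <event> <detail>
# TRANSFER     detail = bytes moved to removable media / web upload that day
# DEVICE_BLOCK detail = id of a device blocked by device control
LOG_LINES = """\
2014-06-02 alice TRANSFER 95000000
2014-06-03 alice TRANSFER 110000000
2014-06-04 alice TRANSFER 98000000
2014-06-05 alice TRANSFER 102000000
2014-06-06 alice TRANSFER 8000000
2014-06-02 bob TRANSFER 12000000
2014-06-03 bob TRANSFER 9000000
2014-06-04 bob TRANSFER 11000000
2014-06-05 bob TRANSFER 10000000
2014-06-06 bob TRANSFER 2400000000
2014-06-06 carol DEVICE_BLOCK usb-0a1f
2014-06-06 carol DEVICE_BLOCK usb-0a1f
2014-06-06 carol DEVICE_BLOCK usb-77c3
2014-06-06 dave DEVICE_BLOCK usb-1234
""".splitlines()


def parse(lines):
    """Split the log into per-user transfer history and device-block counts."""
    transfers = defaultdict(list)  # user -> [(date, bytes)]
    blocks = defaultdict(int)      # user -> number of device-control failures
    for line in lines:
        date, user, event, detail = line.split()
        if event == "TRANSFER":
            transfers[user].append((date, int(detail)))
        elif event == "DEVICE_BLOCK":
            blocks[user] += 1
    return transfers, blocks


def flag_transfers(transfers, factor=5.0, min_history=3):
    """Flag each user's latest day if its volume exceeds factor x the median
    of that user's earlier days. The median is used rather than the mean so
    that one earlier spike does not raise the baseline and hide later ones.
    Users with too little history are skipped: a new joiner has no 'normal'."""
    flagged = {}
    for user, rows in transfers.items():
        rows = sorted(rows)
        history = [b for _, b in rows[:-1]]
        if len(history) < min_history:
            continue
        baseline = statistics.median(history)
        last_date, last_bytes = rows[-1]
        if last_bytes > factor * baseline:
            flagged[user] = (last_date, last_bytes, baseline)
    return flagged


def flag_device_failures(blocks, threshold=3):
    """Multiple device-control failures by one user in the window."""
    return {user: n for user, n in blocks.items() if n >= threshold}


def run(lines=LOG_LINES):
    """Run both checks and return the flagged users per check."""
    transfers, blocks = parse(lines)
    return {
        "volume": flag_transfers(transfers),
        "device": flag_device_failures(blocks),
    }


if __name__ == "__main__":
    for check, hits in run().items():
        print(check, hits)
```

Here "bob" is flagged (2.4GB against a ~10MB baseline) and "carol" is flagged for three device blocks, while "alice" moving 8MB under a 100MB-per-day baseline is invisible to a volume threshold; a practitioner pairs this kind of check with the behavioural and forensic measures on the surrounding slides rather than relying on it alone.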

22 Not just “cyber”
Not just about technology/techies
- Technology helps insiders, but threat comes from people
Not just IT techies
Not just system admins
- IT sabotage usually sysadmins (CERT, 90%)
- Espionage only 1.5% sysadmins (FBI)

23 Detection
Behaviour
- Poor work attitude
- Stress
- Frequent security violations
- Poor handling of PM assets
It’s all about the aftercare…

24 Detection
How do they get away with it?
- Poor management oversight
- Audit logs are “write only”
- Need-to-know creep
- Poor security culture
- “Normalisation of deviance”

25 Prevention
Existing security measures (may) still work against insider threats

26 Prevention
The usual suspects…
- Include insiders in risk assessment process
- Make sure access rights are appropriate (including indirect access)
- Clearly document and consistently enforce policies (esp. IP rights)
- Ongoing security awareness/education
- Monitor for and consistently respond to abuse
- Clear grievance procedure

27 Prevention
The usual suspects (IT version)
- Good password and account management
- Strict termination process
- Separation of duties where feasible
- Least privilege
- Consider insiders in contractors, suppliers etc
- Pay particular attention to privileged users
- Appropriate logging and monitoring

28 Prevention
Education, education, education…
- Ensure users are aware of insider risks
- Reporting process for suspicious behaviour
Proper asset valuation/compartmentation
- Ensure that most valuable data is secured
- Don’t be lazy with access rights (e.g. don’t be the NSA!)
Include insider risk in security testing scope
- Penetration tests etc should include insider risks

29 Prevention
Have a response plan
- What do you do when you suspect senior staff are up to no good?
- Ensure clear levels of authority are defined
Include software lifecycle risks
- Independent code review
- Be suspicious of “job protection” developers
Termination procedures
- Ensure ALL accounts disabled
- Third parties e.g. subcontractors/suppliers
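The "ensure ALL accounts disabled" termination point, including the third-party systems the slide mentions, as an added example that is not part of the original presentation: a leaver reconciliation check that walks an exported account inventory from every system and reports anything still enabled that can be tied to the leaver. Because suppliers and cloud portals rarely key accounts the same way as the corporate directory, the match is on any of several identifiers (employee id, usernames, email addresses). The system names, account records and the "example.test" addresses are constructed; the secondary admin account left enabled is the kind of gap the check is meant to catch.

```python
"""Leaver reconciliation across internal and third-party account inventories.
Added example; record format, system names and identifiers are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # exporting system (constructed names below)
    account_id: str      # account name as that system knows it
    owner_hints: tuple   # identifiers that tie the account to a person
    enabled: bool        # True if the account can still be used
    third_party: bool = False  # hosted by a supplier/subcontractor


# Constructed inventory, as if exported from each system after a leaver's last day.
INVENTORY = [
    Account("ActiveDirectory", "jsmith", ("jsmith", "E1042", "john.smith@example.test"), False),
    # privileged secondary account that the standard disable step missed
    Account("ActiveDirectory", "jsmith-adm", ("jsmith", "E1042"), True),
    Account("VPN", "john.smith", ("john.smith@example.test",), True),
    Account("SupplierPortal", "jsmith@supplier", ("john.smith@example.test",), True,
            third_party=True),
    Account("HR", "E1042", ("E1042",), False),
    # an unrelated current employee, must not be reported
    Account("ActiveDirectory", "asharma", ("asharma", "E2001"), True),
]


def leaver_identifiers(employee_id, usernames, emails):
    """Every identifier the leaver might be keyed by in some system."""
    return {employee_id, *usernames, *emails}


def find_live_accounts(inventory, identifiers):
    """Accounts still enabled that match any known identifier of the leaver."""
    return [acct for acct in inventory
            if acct.enabled and identifiers.intersection(acct.owner_hints)]


def termination_report(inventory, employee_id, usernames, emails):
    """Return whether termination is complete and which accounts remain,
    split into internal and third-party so the right owners can be chased."""
    live = find_live_accounts(inventory,
                              leaver_identifiers(employee_id, usernames, emails))
    return {
        "complete": not live,
        "live_internal": sorted(f"{a.system}:{a.account_id}"
                                for a in live if not a.third_party),
        "live_third_party": sorted(f"{a.system}:{a.account_id}"
                                   for a in live if a.third_party),
    }


if __name__ == "__main__":
    print(termination_report(INVENTORY, "E1042", ["jsmith"], ["john.smith@example.test"]))
```

The report is only as good as the inventory feeding it, so the list of systems to export from (including every supplier portal) is itself a control that needs owning and reviewing.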

30 Prevention
Learn from past events
- How would Snowden have got on in your environment?
- Tabletop insider attack penetration test
Recognise “red flag” behaviour signs
- Ensure HR work with security

31 But it’s not easy…
- Knowing what is normal file transfer behaviour is difficult
- A good insider will know the rules and avoid breaking as many as possible
- Balancing “see something, say something” versus “office Stasi” is difficult.
- Insider threat could involve no IT abuse at all…

32 Further info
CERT: https://www.cert.org/insider-threat/
CPNI: search for “Insider Threat”
BlackHat
- Slides: http://tinyurl.com/BlackhatInsiderSlides
- Video: www.youtube.com/watch?v=38M8ta13K0Q
44CON: https://44con.com

33 Summary
- The insider threat is primarily a people thing, not a cyber thing.
- There are no silver bullet solutions, beware of vendors who will sell you one!
- Proper application of traditional personnel security measures is key
- IT monitoring and forensics will help with detection and response

34 Questions?
