
Insider Threats
Spring 2002, Team 1: M. Broderick, R. Diaz, J. Gerrits, S. Konstantinou


Slide 2: Agenda
- The Problem
- Scope
- Causes
- Effects
- Detection
- Responsibility
- Prevention

Slide 3: The Problem
While companies try to defend themselves by erecting electronic defenses (firewalls, passwords, sophisticated biometric controls) to complement physical protection such as guards, locks, cameras and fences, the largest threat to a company's computer information and systems comes from within the organization.

Slide 4: Scope
- CSI/FBI surveys:
  - Financial losses due to (all) security breaches were reported by 51-75% of respondents in each year from 1997 to 2001.
  - 2001: losses of $377M reported by 196 respondents (about 37% of those surveyed).
- 50% of network attacks originate within the enterprise.
- The average cost of an insider breach is roughly 100x that of an Internet break-in ($2.4M vs. $27K).
Source: Harry Krimkowitz, "Mitigating Risks to the Insider Threat within Your Organization", SANS Institute Information Security Reading Room, October 24, 2000. http://rr.sans.org/securitybasics/insider_threat.php

Slide 5: Examples
- Stealing information: FBI Special Agent Robert Hanssen was arrested for providing secret documents to the Soviet Union and Russia in return for payments of over $600,000.
- Employee system misuse:
  - Email is used to pass discriminatory or sexually harassing messages.
  - Employees use email to organize union activities.
  - Employees use company time to surf the Internet, shop, listen to music, or copy software without proper licensing.
- Intellectual property violations:
  - Copying and downloading programs without paying fees.
  - The assumption that everything on the Internet is "free".

Slide 6: Examples (continued)
- Privacy issues: unauthorized review or disclosure of internal information.
- Sabotage:
  - Untested programs
  - Intentionally leaving "backdoors"
  - Rigging calculations
- Carelessness:
  - Leaving machines unattended so others can log on
  - Entering incorrect or incomplete information

Slide 7: Types
- Voluntary: using unauthorized software.
- Involuntary: inappropriate inquiries or data (a virus, Trojan horse, etc.) attached to or hidden in email the employee receives.
- Willful: setting time bombs in applications.
- Accidental: emailing to an incorrect recipient or to "the world".

Slide 8: Motivation (1)
- Risk/reward: Will I get caught? What's the risk worth? What are the odds?
- Internal (organizational) pressures:
  - "Performance targets must be met to ensure continued employment", and the mortgage is $5,000/month.
  - Everyone else is doing it...
  - If you don't, I'll find someone who will...
- Revenge:
  - I'll show them...
  - They can't manage without me.
  - I'll get you...

Slide 9: Motivation (2)
- External (extramural) pressures:
  - Keeping up with the Joneses
  - Family and personal needs
  - Fixing an external problem: environment, political action, etc.
- Ignorance:
  - It can't be that complicated...
  - Have to answer the phone now... I'll get back to the PC soon.
  - "Can you let me in? You know me... I forgot my key, just this once."

Slide 10: Motivation (3)
- Just because...
  - I bet I can.
  - They'll never find this...
  - It's no big deal.
  - This can't be wrong...
  - Permission? Why?
- Other reasons...

Slide 11: Effects
- Internal: financial losses, loss of trust, safety issues.
- External: company reputation, access to credit, fiduciary issues, legal complications.

Slide 12: Why?
- Do people hold contradictory views about the morality of society and business?
- How does this affect insider risks?

Slide 13: Why?
- Why are the statistics of reported unethical behavior so high?
- Are they high enough? (Probably not!)

Slide 14: Can I?
- Most of us will have to make the "right" decision at some point during our professional careers.
- Can we define clearly, consistently and unambiguously what is right?

Slide 15: What If...?
- But what if everyone else disagrees with you?
- No one likes whistleblowers! Right?

Slide 16: What If...?
- What if... you are someone else's tradeoff? Your job, your lifestyle, your professional reputation, your finances, your family...

Slide 17: Who?
- You!
- What can you do to contribute to a business environment that supports ethical behavior?

Slide 18: Why?
- But what if everyone else disagrees?
- No one likes whistleblowers!

Slide 19: Responsibility
- Perpetrator
- Management
- Risk management
- Information technology
- Enforcement authority: internal security force, external police

Slide 20: Detection
- Accidental: Why did I get this result? Who sent this? Where did this originate?
- Intentional: eyewitness, monitoring
- Disclosure: whistleblower, self-reporting
- No detection: it just stops...

Slide 21: Prevention
- Employee screening and background checks
- Establish rules in advance
- Code of ethics
- Employee training
- Build trust
- "Healthy environment": self-respect
- Management by example
- Shared values
- Monitor: trust but verify
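The "Monitoring" item on the Detection slide and "Monitor – Trust but Verify" on the Prevention slide are left abstract in the deck. The following is an added example, not part of the original presentation, showing what such monitoring can look like in practice: a review pass over an access audit log that flags three indicators consistent with the examples in the deck (access to resources outside the user's role, access outside business hours, and an export far above the user's own baseline). The log records, the role-to-resource policy, the business-hours window and the thresholds are all constructed for the example and are not taken from the slides or from any real organization.

```python
"""Insider-activity review over an access audit log.

Added example, not from the original presentation. Everything below
(log format, role policy, hours window, thresholds) is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hypothetical role-based access policy: resource prefixes each role may touch.
# A role missing from this table fails closed (every access is "outside role").
ROLE_ALLOWED = {
    "engineer": ("src/", "build/"),
    "finance": ("ledger/", "payroll/"),
    "hr": ("personnel/", "payroll/"),
}
BUSINESS_HOURS = (7, 20)   # 07:00 to 19:59 local time, assumed
VOLUME_FACTOR = 10         # flag a transfer larger than 10x the user's own median
MIN_HISTORY = 3            # need this many prior events before judging volume

# Constructed sample log: one ordinary day, with three suspicious entries for alice.
SAMPLE_LOG = [
    {"user": "alice", "role": "engineer", "action": "read", "resource": "src/app.py",       "bytes": 12_000,  "ts": "2002-03-11T09:12:00"},
    {"user": "alice", "role": "engineer", "action": "read", "resource": "src/db.py",        "bytes": 8_000,   "ts": "2002-03-11T10:40:00"},
    {"user": "alice", "role": "engineer", "action": "read", "resource": "build/log.txt",    "bytes": 15_000,  "ts": "2002-03-11T14:05:00"},
    {"user": "alice", "role": "engineer", "action": "read", "resource": "payroll/q1.xls",   "bytes": 9_000,   "ts": "2002-03-11T15:30:00"},  # outside role
    {"user": "alice", "role": "engineer", "action": "copy", "resource": "src/",             "bytes": 900_000, "ts": "2002-03-11T23:50:00"},  # off-hours, bulk copy
    {"user": "bob",   "role": "finance",  "action": "read", "resource": "ledger/march.csv", "bytes": 30_000,  "ts": "2002-03-11T11:00:00"},
    {"user": "bob",   "role": "finance",  "action": "read", "resource": "ledger/feb.csv",   "bytes": 28_000,  "ts": "2002-03-11T11:20:00"},
    {"user": "bob",   "role": "finance",  "action": "read", "resource": "ledger/jan.csv",   "bytes": 31_000,  "ts": "2002-03-11T11:35:00"},
    {"user": "bob",   "role": "finance",  "action": "read", "resource": "payroll/q1.xls",   "bytes": 20_000,  "ts": "2002-03-11T12:00:00"},
]


def outside_role(event):
    """True if the resource is not under any prefix the user's role is allowed."""
    allowed = ROLE_ALLOWED.get(event["role"], ())
    # str.startswith with an empty tuple is False, so unknown roles fail closed.
    return not event["resource"].startswith(allowed)


def off_hours(event):
    """True if the event's local hour falls outside the business-hours window."""
    hour = datetime.fromisoformat(event["ts"]).hour
    start, end = BUSINESS_HOURS
    return not (start <= hour < end)


def review(log):
    """Return (user, reason, resource) findings in chronological order.

    Volume is judged against the user's own earlier events, so the baseline
    is per person rather than one global byte threshold.
    """
    history = defaultdict(list)   # user -> bytes of prior events
    findings = []
    for ev in sorted(log, key=lambda e: e["ts"]):
        reasons = []
        if outside_role(ev):
            reasons.append("resource outside role")
        if off_hours(ev):
            reasons.append("off-hours access")
        prior = history[ev["user"]]
        if len(prior) >= MIN_HISTORY and ev["bytes"] > VOLUME_FACTOR * median(prior):
            reasons.append("volume spike vs own baseline")
        for reason in reasons:
            findings.append((ev["user"], reason, ev["resource"]))
        prior.append(ev["bytes"])
    return findings


if __name__ == "__main__":
    for user, reason, resource in review(SAMPLE_LOG):
        print(f"{user:6} {reason:30} {resource}")
```

On the constructed log the pass reports alice three times (the payroll read outside her role, then the late-night bulk copy both as off-hours and as a volume spike) and nothing for bob, whose payroll read is within his finance role and whose ledger reads are all near his own median. Judging volume against each user's own history is what keeps bob's routine 30 KB reads from tripping a threshold sized for an engineer; a single global cutoff would either miss alice's copy or flag bob every day. The findings are leads for the fact-finding the Enforcement slide calls for, not proof of misconduct.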

Slide 22: Enforcement
- Disincentives for breaking the rules
- Remove penalties for whistle-blowing
- Get the facts!
- Act quickly
- Legal implications: employee, management, customer

Slide 23: Summary
- Very large problem
- No simple solution

Slide 24: Summary
- Minimize the problem areas by: pre-screening, education, predictability, control
- Healthy environment: shared values, self-esteem, integrity

Slide 25: Sources
- CSI/FBI Survey 2001. http://www.wi-infragard.com/csi-fbi/Information%20Insecurity%20csi-fbi%20survey%20for%20executives_files/frame.htm
- CSI/FBI Survey 2000. http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/csi-fbi2000.pdf
- Arrest of Robert Hanssen (press conference transcript). http://www.cicentre.com/Documents/DOC_Hanssen_Press_Conference.htm
- John B. Lewis, "I Know What You Emailed Last Summer", Security Management, Jan 2002, pp. 93-99.
- Eileen Conklin, "Whose Rules?", InformationWeek, Mar 11, 2002. http://www.informationweek.com/shared/printableArticle?doc_id=IWK20020308S0002

