Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.

Published byJasper Bryan Modified over 8 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes."— Presentation transcript:

1 Engineering Secure Software

2 Lottery Story

3 A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes originating from insider threat since 2000  Many more occurring In 2007, the Secret Service et al. conducted a survey of law enforcement officials & security execs ○ 31% of electronic crimes involved an insider ○ 49% of respondents experienced insider threat in the past year  Wikileaks, anyone? © 2011-2012 Andrew Meneely

4 What is insider threat?  When a malicious actor intentionally exceeds or misuses an authorized level of access  Note: not elevation of privilege, but an abuse of already- given privilege  Actors Current employees Former employees (esp. “recently former”) Contractors  Affected the security of the organization Data Intellectual property Daily business operations

5 Double Threat to SE  Insider threat affects SE in two ways Insider users for the system that we release e.g. hospital administrators Insiders developers to our own software development company e.g. disgruntled developers  Liability considerations Will our software facilitate insider threat? Bring this up in your requirements elicitation meeting ○ Audit mechanisms ○ Deployment mechanisms For everything else: hire some lawyers for a sneaky EULA

6 Types of Insiders  Pure insider e.g. system administrator, developer  Insider associate e.g. developer, but on a different project  Outside affiliate e.g. outsourced contractor

7 Classes of Threats  IT sabotage  Personal financial gain  Business advantage (e.g. industrial espionage)  Miscellaneous

8 Some considerations  Majority of the attacks required significant planning ahead of time  Majority of insider attacks took place physically on the premise  Majority of insider attacks faced criminal charges And in most cases, the insiders were aware that they would face charges

9 Prevention vs. Detection  Prevention is extraordinarily hard Work environment Predicting human nature Deterrents are only somewhat effective  Detection is much more feasible Usually by someone using common sense Audits of access logs In most cases, live network detection was not involved Drawback: reactive

10 Mobile Changed Everything  Today, we carry computers with us everywhere we go Easier to take assets with us Easier to access assets remotely Easier to provide access to others  “Bring Your Own Device” is becoming the norm  Modern reactions: Monitor everything (privacy concerns) Disallow mobile devices entirely (employees don’t like that) Separate networks (tough to manage)

11 Developer Insiders  “Security through obscurity alone” is really not an option Insider would know what servers to go to Insider knows the attack surface  Access to production servers should be limited Non-release changes to production need to be documented Forces you to document your deployment process anyway  On introducing backdoors Very rarely introduced in the development phase Most often in the maintenance phase

12 General Suggestions  Be aware of the threat Keep up with the latest stories Apply those situations to yours  “Buddy” system Nobody should be left physically alone with important resources  Logging and auditing Everything is logged Audits should actually happen periodically both as deterrent and for repudiation

13 More Suggestions  Job termination policies Have one. Be prepared to disable accounts quickly  Archives & offsite backups Mitigate tampering and destruction of backups  Rotate duties Better detection of anomalies Better knowledge transfer anyway  Holistic approach People, data, technology, procedures, policies

14 Some Resources  SEI’s CERT Insider Threat group Definitive resource http://www.cert.org/insider_threat/ http://www.cert.org/archive/pdf/ecrimesummary0 7.pdf  The Insider Threat: Combating the Enemy Within, by Clive Blackwell ISBN 9781849280112 Available via RIT library electronically for free

15 We More Need Stories  …so that’s today’s activity 5 groups Assigned sectors for CERT case studies Make a 5 minute presentation ○ Tell us stories of insider threat ○ Statistics ○ Some lessons learned

Download ppt "Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes."

Similar presentations

Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.

© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”

PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Overview of Joe B. Taylor CS 591 Fall 2008. Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.

Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
Appendix B: Designing Policies for Managing Networks.

Appendix B: Designing Policies for Managing Networks.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
Security Controls – What Works

Security Controls – What Works
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.

The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.
1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.

1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Introduction to Network Defense

Introduction to Network Defense
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Www.softwareassist.net Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google