Insider Threat and Information Security
Dawn Cappelli, Faculty, Carnegie Mellon University
Earl Crane, Adjunct Professor, Carnegie Mellon University

Insider Threat
• Hassan Abujihaad (formerly Paul Hall)
  – Arrested March 7, 2007
  – Sailor on USS Benfold (2000-2001)
  – Passed SECRET information containing battle group weaknesses to known Islamic Jihadists
  – Islamic fundamentalist convert
  – http://cicentre.com

Insider Threat
• Leandro Aragoncillo
  – Arrested: September 10, 2005
  – Sentenced to 10 years: July 18, 2007
  – Retired Marine, Administration Chief of White House VP Security Detail
  – Passed 101 classified documents to the Philippine government, 37 marked SECRET
  – Played to Filipino loyalties
  – http://cicentre.com

Insider Threat
• Robert Hanssen
  – Arrested February 18, 2001
    • Spy since 1985
  – Long-time FBI agent
  – “Worst case of espionage in US history”
    • Washington Post, 20 Feb 01
  – Spied in exchange for $1.4M in cash and diamonds

Spy cases
• What did these have in common?
  – Trusted insiders who “turned”
  – Used information system trust to commit espionage
• Did precursors exist to alert management?
• Could these have been prevented?
  – Use of technology controls to mitigate
  – Use of management observation to mitigate

Disclaimer
• This is not “trusted computing” or “computational correctness”
• This does not make the case that Insider Threats are a known and prevalent problem. This is a given assumption.
Overview
• Trust and Trust Online
• A brief overview of Trust
  – Shifting Trust from Technology to People
• Trust and information systems
  – Credibility, Ease of Use, Perceived Risk
  – Technology Adoption
  – Fear of the unknown
• The Critical Pathway
• Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon

Trust
• “Nearly 70% of Americans agree with the statement, ‘I don't know whom to trust anymore’”
  – February 2002 Golin/Harris Poll
• The “What is Trust?” question is not new
  – Interpersonal Trust
  – Team Trust
  – Societal Trust
• Trust and Abstract Systems

What is Trust Online?
• “An attitude of confident expectation in an online situation of risk that one’s vulnerabilities will not be exploited.”
  – (Corritore, Kracher, & Wiedenbeck, 2003)

A brief overview of Trust
• General vs. Specific Trust
• Kinds of Trust
  – Cognitive vs. Emotional Trust
    • (Komiak & Benbasat, 2004)
  – Slow Trust vs. Swift Trust
• Degrees of Trust
  – Weak to Strong Trust
  – Basic Trust, Guarded Trust, Extended Trust
• Stages of Trust
  – Deterrence Based, Knowledge Based, and Shared Identification Based Trust
• Shifting Trust
  – Trust in Technology vs. Trust in People

Shifting Trust
• Trust in Technology vs. People
• Shift from technology to people through technology
  – (Chopra & Wallace, 2003)
[Figure: Shifting Trust from Technology to People, with “Goal” marking the end point of the shift]

Trust in Technology
• Trust in technology follows an interpersonal model of trust.
  – Web page or electronic document
  – We trust the data if:
    • It is believed to be reliable
    • We trust willingly
    • We can accept or reject the information on the document

Trust in People
• Electronic commerce
  – Closer to humanistic trust, where the trustee is now a person or organization
  – Confidence that a transaction will be fulfilled appropriately.
• Online relationships
  – Confidence that the other party will maintain a quality relationship.
  – Intelligence, positive intentions, ethics, dependability, predictability, confidentiality
• This is where we approach trust and information systems

Trust and Information Systems

Credibility
• Credibility, and the perception of credibility, has four components:
  – Honesty
  – Expertise
  – Predictability
  – Reputation
  • (Corritore, et al. 2003)
• Regular communication builds trust (credibility) in online environments
  – (Gibson, 2003)

Ease of Use
• A website that is easy for users to navigate and find the information needed instills a sense of trust in the user, and satisfies the user with their online experience.
  – (Corritore, Kracher, & Wiedenbeck, 2003)
• How well users can achieve their goals while using a computer
  – The hard-to-use ACS system was one of the factors contributing to espionage in the Robert Hanssen case
    • (Band et al., 2006)

Technology Adoption
• Choose the path of least resistance
• Technology Acceptance Model (TAM)
  – Perceived Usefulness (PU)
  – Perceived Ease of Use (PEOU)

Perceived Risk
• A user’s perception of risk is closely linked to their trust.
  – A person buying a large-ticket item online for the first time may feel they have little control over the transaction.
• Users may not be fully aware of all the unknown risks; they have an “awareness of the unknown” that increases their perceived risk.
  – (Komiak & Benbasat, 2004)

The only thing we have to fear is fear itself
• Fear of the unknown
  – Previously discussed Cognitive and Emotional Trust
  – (Komiak & Benbasat, 2004)

Trust and Insider Threat
• Organizations must trust their employees to some extent
• Trust without management or technical controls can enable insider attacks
• We can’t fix stupid
• Insider attacks follow a pattern - a “critical pathway”
  – Caveat: Not applicable to trained foreign intelligence agents

Critical Pathway (Shaw & Fischer, 2005)

Critical Pathway
• At-risk Subject Characteristics
  – Serious promotional or personal setbacks
  – Previous computer misuse
  – Disabling organizational security devices
  – Disregard for security protocols
  – Self-esteem issues, a “high maintenance employee”
  – Personnel conflicts
  – Anger
  – Lack of inhibitions about retaliation or revenge
  (Shaw, 2006)

System Dynamics
• Modeled through System Dynamics
  – Jay W. Forrester, 1961
• A method and supporting toolset
  – Holistically model, document, and analyze complex problems as they evolve over time
  – Develop effective mitigation strategies that balance competing concerns
• Carnegie Mellon System Dynamics Research
  – Discovered the “trust trap”

Summary
• Discussed so far:
  – Trust and Trust Online
  – A brief overview of Trust
  – Trust and information systems
  – The Critical Pathway
• Practical Application: Insider Threat mitigation techniques through System Dynamics from Carnegie Mellon
  – Management and Education of Risks of Insider Threat (MERIT Model)

MERIT Model of Insider IT Sabotage

MERIT Model
[Figure: MERIT causal-loop diagram, shown on two consecutive slides; only the variable labels are recoverable: actual risk of insider attack, acquiring unknown paths, behavioral precursor, ability to conceal activity, technical monitoring, sanctions, behavioral monitoring, insider's unmet expectation, personal predisposition, unknown access paths, discovery of precursors, disgruntlement, insider's expectation, technical precursor, perceived risk of insider attack, org's trust of insider, expectation fulfillment, precipitating event]
© 2007 Carnegie Mellon University

Insider Threat Mitigation
• Balance information sharing with information restriction and monitoring
• Technical Controls
• Management Controls
• Operational Controls
  – Series of recommendations from Carnegie Mellon

Best Practices

Our Thoughts About Best Practices
• Refer to the Common Sense Guide and Insider Threat Study reports for supporting data.
• Our goal here is to use case examples to motivate you to ask yourself: Could something like this happen to me?

Best Practice #1: Institute periodic enterprise-wide risk assessments.
Emergency services are forced to rely on manual address lookups for 911 calls when an insider sabotages the system.
Organizations need to develop a risk-based security strategy to protect their critical assets from both external and internal threats.

Best Practice #2: Institute periodic security awareness training.
A team of software developers pay the price after they ignore the team lead’s contempt for, and deliberate violation of, management’s directives.
Without broad understanding and buy-in from the organization, technical or managerial controls will be short-lived.

Best Practice #3: Enforce separation of duties and least privilege.
A supervisor accepts $50,000 to grant asylum to immigrants who had been or could have been otherwise denied.
While security awareness training is an excellent start, separation of duties and least privilege must be implemented to limit the damage that malicious insiders can inflict.

Best Practice #4: Implement strict password & account management practices.
A disgruntled contractor snoops to his heart’s content after he uses a password cracker to obtain 40 passwords, including the root password.
If an organization’s computer accounts can be compromised, insiders can circumvent manual and automated control mechanisms.

Best Practice #5: Log, monitor, and audit employee online actions.
A contractor’s sophisticated scheme, which allowed him to steal 5000 employee passwords, is discovered in the nick of time.
Logging, monitoring, and auditing can lead to early discovery and investigation of suspicious insider actions.

Best Practice #6: Use extra caution with privileged users.
An insider’s fiancée finds her promotion is better than he ever imagined when she gives him $615,000 over the next two years.
System administrators and privileged users have the technical ability, access, and oversight responsibility to commit and conceal malicious activity.

Best Practice #7: Actively defend against malicious code.
A software developer realizes that the fox is guarding the henhouse when he is able to modify his own source code to override his own security measures.
While insiders frequently use simple user commands to do their damage, logic bombs and other malicious code are used frequently enough to be of concern.

Best Practice #8: Use layered defense against remote attacks.
A foreign currency trader hides $691 million in losses over a 5 year period – mostly from home in the middle of the night.
Remote access provides a tempting opportunity for insiders to attack with less risk.
Best Practice #9: Monitor and respond to suspicious activity.
A software development manager who verbally attacks management and coworkers on a regular basis is finally fired, but steals critical software and demands $50K for its return.
One method of reducing the threat of malicious insiders is to proactively deal with difficult employees.

Best Practice #10: Deactivate computer access following termination.
A system administrator terminated with no advance notice remotely logs in using an administrator account and shuts down their mission-critical server.
It is important that organizations follow rigorous termination procedures that disable all open access points to the networks, systems, applications, and data.

Best Practice #11: Collect and save data for use in investigations.
Monthly audit log recycling causes a company difficulty in prosecuting a long-term fraud scheme with losses of over $500K.
Collecting and saving usable evidence preserves response options, including legal actions.

Best Practice #12: Implement secure backup and recovery processes.
A disgruntled system administrator amplifies the impact of a logic bomb by centralizing critical programs and intimidating a coworker out of backup tapes.
It is important that organizations prepare for the possibility of insider attacks by implementing secure backup and recovery processes that are tested periodically.

Best Practice #13: Clearly document insider threat controls.
After transferring to a new department, an insider exploits the absence of policy to repeatedly gain unauthorized access to his old department’s systems without repercussions.
To ensure consistent handling and to protect against accusations of discrimination, procedures for dealing with malicious insiders must be clearly documented.
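As an added illustration of Best Practices #5 and #10 (this is not the CERT or Carnegie Mellon tooling the deck refers to), the Python below checks constructed sshd-style log lines against a constructed HR termination roster and flags every login attempt, successful or failed, on an account a terminated person held, including a shared administrator account as in the case #10 story; all names, addresses, timestamps and the assumed log year are made up.

```python
"""Flag logins by terminated staff (Best Practices #5 and #10). Added example;
sample log lines, roster and the 2007 year assumption are constructed."""
import re
from datetime import datetime

# Constructed sshd-style syslog lines; syslog omits the year, so 2007 is assumed.
SAMPLE_LOG = """\
Mar 12 22:14:03 srv1 sshd[4410]: Accepted password for jdoe from 10.0.0.5 port 51022 ssh2
Mar 13 02:41:57 srv1 sshd[4522]: Accepted publickey for admin from 203.0.113.9 port 40210 ssh2
Mar 13 09:02:11 srv1 sshd[4600]: Accepted password for asmith from 10.0.0.7 port 51100 ssh2
Mar 13 11:30:00 srv1 sshd[4611]: Failed password for jdoe from 10.0.0.5 port 51200 ssh2
"""

# Constructed HR roster: termination time plus every account the person held or
# knew the credentials for (shared/privileged accounts included, as in case #10).
TERMINATED = {
    "jdoe": {"terminated": datetime(2007, 3, 12, 17, 0), "accounts": {"jdoe", "admin"}},
}

LOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
                    r"(Accepted|Failed) \S+ for (\S+) from (\S+) port")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

def parse_line(line, year=2007):
    """Return {ts, result, user, ip} for an sshd auth line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, result, user, ip = m.groups()
    ts = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    return {"ts": ts, "result": result, "user": user, "ip": ip}

def post_termination_logins(log_text, roster, year=2007):
    """Return (timestamp, account, result, source ip, former holder) for every
    login attempt on an account after its former holder's termination time.
    Failed attempts are kept too: any attempt on such an account merits review."""
    cutoff = {}  # account -> (earliest termination time, former holder)
    for person, info in roster.items():
        for acct in info["accounts"]:
            if acct not in cutoff or info["terminated"] < cutoff[acct][0]:
                cutoff[acct] = (info["terminated"], person)
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev and ev["user"] in cutoff and ev["ts"] > cutoff[ev["user"]][0]:
            findings.append((ev["ts"], ev["user"], ev["result"], ev["ip"],
                             cutoff[ev["user"]][1]))
    return findings
```

On the sample data this reports three events: the terminated user's own login the same evening, the shared "admin" account used from an outside address overnight, and a later failed attempt, while the unrelated user's login is not reported.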
Questions
• Earl Crane – Crane at andrew * cmu * edu
• Dawn Cappelli – DMC at cert * org

Summary of Best Practices
• Institute periodic enterprise-wide risk assessments.
• Institute periodic security awareness training for all employees.
• Enforce separation of duties and least privilege.
• Implement strict password and account management policies and practices.
• Log, monitor, and audit employee online actions.
• Use extra caution with system administrators and privileged users.
• Actively defend against malicious code.
• Use layered defense against remote attacks.
• Monitor and respond to suspicious or disruptive behavior.
• Deactivate computer access following termination.
• Collect and save data for use in investigations.
• Implement secure backup and recovery processes.
• Clearly document insider threat controls.