Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsec
Terry Boston
10/24/00
ull
rig
ht
s.
THE INSIDER THREAT
Introduction:
20
00
Who is the Insider Threat
-2
00
5,
A
ut
ho
rr
eta
ins
f
When considering your defense in depth configuration, you
must give great consideration to the insider threat. The
insider can be a treat against all three computer security
bedrock principles: confidentiality, integrity, and
availability. It is estimated that 80% of attacks are from
Key
fingerprint
AF19 FA27 2F94 998D
FDB5
DE3D
F8B5 06E4
A169 4E46
within
the =organization.
The
most
serious
security
breaches
resulting in financial losses occurred through unauthorized
access by insiders. Insiders represent the greatest threat
to computer security because they understand their
organization's business and how the computer systems work.
Therefore, an insider attack would be more successful at
attacking the systems and extracting critical information.
The insider also represents the greatest challenge in
securing your network because they are authorized a level of
access to your network and are granted a degree of trust.
©
SA
NS
In
sti
tu
te
Insiders are those individuals who work for the target
organization or have a relationship with the organization
that grants the individual some level of access. This
includes employees, contractors, business partners,
customers, subcontractors, etc. The insider may have various
motives, financial, social, political, or personal.
However, the greatest threat to computer security in regards
to the insider is lack of knowledge and social engineering.
A threat is defined as that which if unchecked will cause a
loss to the organization. Therefore the insider threat is
defined as those who have authorized access to your
organization that could possibly cause a loss to the
organization if computer security goes unchecked.
Insider Threat and the Lack of Knowledge
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Many network security intrusions are the result of
employees' lack of knowledge. Educating your users is
essential to computer security. Ensure that your users are
1
© SANS Institute 2000 - 2005
Author retains full rights.
eta
ins
f
ull
rig
ht
s.
warned about the dangers of allowing other users access to
their accounts. Caution users against opening insecure
access on their personal computers (such as setting up a FTP
server on their own computer with full anonymous access or
running a small Web server that may not be secure as the
official servers). Emphasis should be placed on not sharing
information with unauthorized personnel (such as giving
their password to others and mentioning the products and
versions of products used on your network). Users should be
warned against writing their passwords on post-its and
putting it on their computer, selecting easily guessed
passwords, and opening email attachments from unknown
Key
fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
people.
00
5,
A
ut
ho
rr
Users also must be knowledgeable of the organization's
security policy. If your organization does not have a
security policy, develop one quickly. It is essential to
good security practices and defending your network. The
requirements for a good security policy are addressed later
in this document.
-2
Insider Threat and Social Engineering
©
SA
NS
In
sti
tu
te
20
00
Social engineering is a low-tech method of cracking network
security by manipulating people inside the network into
providing the necessary information to gain access.1(It is
also defined as the ability to achieve a goal through the
use of effective persuasion.2(Some of the methods used in
social engineering include: Cunningly soliciting the help
of an unsuspecting and sympathetic user, the intruder
admiring the way a user performs a certain function and
getting the user to instruct them on how to perform the
function, and intimidation (the intruder convincing the user
that there would be repercussions if the user did not assist
him). Another tactic is requesting information from a user
just before quitting time. The user will more than likely
fulfil the request to expedite his departure. Social
engineering can be a very effective means of intrusion. It
plays on the human desire to be helpful and do the "right
thing", relying on the helpfulness and politeness of the
Key
fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
1
Network Security Fundamental, Peter Norton and Mike Stockman, Copyright SAMS publishing company
2000
2
Information Security, Donald L. Pipkin, Copyright Prentince Hall PTR 2000
2
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
user. The defense against such attacks is an awareness and
training program that informs employees of the nature of
such attacks.
Protecting Your Network Against the Inside Threat
ho
rr
eta
ins
f
There are steps that you can take to protect your network
against the inside threat. Educating your users is a very
important element to securing your network. Train users on
the use of strong passwords. Ensure that users understand
how viruses and other programmed threats spread and what
they can do to help prevent such spreading. Train users to
be alert to the possibility of infected email attachments.
Key
fingerprint
= AF19
FA27 2F94
FDB5 DE3D
06E4 virus
A169 4E46
Users
should
be able
to 998D
recognize
and F8B5
report
symptoms
and be apprised of new threats and related intrusion events.
Make users aware of social engineering and how to handle
such situations when confronted.
te
20
00
-2
00
5,
A
ut
There are also policy considerations that must be addressed
to minimize the possibility of an inside attack. Your
organization must develop a sound security policy that is
approved by management and understood and practiced by all
employees. Your organization's security policy should
address password requirements, define user and system
administrator authority, an anti-virus policy, address the
handling of proprietary information, incident handling, and
physical security.
sti
tu
Additional Protective Measures
©
SA
NS
In
There are additional measures that can be taken to mitigate
the risks of insider threat.
Run backups and secure in a safe place.
Install and execute appropriate anti-virus tools.
Regularly check for viruses.
Ensure that your computers have the most recent versions of
anti-virus software.
Update your anti-virus tools using vendor updates as they
become available.
Store copies of anti-virus tools offline, in a secure
manner.
Install software updates and patches.
Key
fingerprintcheck
= AF19 for
FA27 and
2F94 998D
FDB5
DE3D F8B5
06E4 A169
4E46 as
Routinely
update
threat
detection
tools
needed, especially when new threats are discovered.
Prevent unauthorized outgoing access at the firewall.
Ensure that permissions are properly set.
3
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
Computer Crime Statutes
ut
ho
rr
eta
ins
f
Computer crime is any illegal act which involves a computer
system, whether the computer is an object of crime, an
instrument used to commit a crime or a repository of
evidence related to a crime3. Rarely are criminal charges
pursued against insider attacks. If the attacker is an
employee, the prevalent course of action is disciplinary in
Key
fingerprint
FA27 2F94 998D
FDB5
DE3D F8B5
06E4 A169
4E46
nature.
If= AF19
the attacker
is a
business
partner
with
the
victim then a financial retribution is usually preferred.
However, there are a number of statues which make computer
crime punishable. The following are six main U.S. Statues
used in the prosecution of computer crimes.
5,
A
Computer Fraud and Abuse Act, 18 U.S.C. 2030
00
Economic Espionage Act, 18 U.S.C. 1831, to 1839
-2
Trafficking in Fraudulent Access Devices, 18 U.S.C. 1029
20
00
Wire Fraud, 18 U.S.C. 1343
te
Wiretap Act, 18 U.S.C. 2511
In
NS
References:
sti
tu
Access to Stored Electronic Communications, 18 U.S.C. 2701
SA
Computer Security Institute March 4, 1998 Release
©
Peter Norton and Mike Stockman, Network Security
Fundamentals, Copyright SAMS publishing Company 2000
Donald L. Pipkin, Information Security, Copyright Prentice
Hall PTR 2000
Randall K. Nichols, Daniel J. Ryan, and Julie J.C.H. Ryan,
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Digital Assets, Copyright McGraw-Hill 2000
http://www.securityfocus.com
3
Network Security Fundamen6als, Perter Norton, Copyright 2000 SAMS publishing
4
© SANS Institute 2000 - 2005
Author retains full rights.
http://www.securityportal.com
http://www.cert.org
ins
f
ull
rig
ht
s.
http://www.cerias.purdue.edu/coast/intrusion-detection/introduction.html
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
5
© SANS Institute 2000 - 2005
Author retains full rights.
Last Updated: October 2nd, 2016
Upcoming Training
SANS Seattle 2016
Seattle, WA
Oct 03, 2016 - Oct 08, 2016
Live Event
Mentor AW Session - SEC401
Toronto, ON
Oct 07, 2016 - Dec 09, 2016
Mentor
SANS Baltimore 2016
Baltimore, MD
Oct 10, 2016 - Oct 15, 2016
Live Event
SANS Tysons Corner 2016
Tysons Corner, VA
Oct 22, 2016 - Oct 29, 2016
Live Event
SANS San Diego 2016
San Diego, CA
Oct 23, 2016 - Oct 28, 2016
Live Event
Community SANS Paris SEC401 (in French)
Paris, France
Oct 24, 2016 - Oct 29, 2016
Community SANS
Community SANS Colorado Springs SEC401 - USO-Academy
Colorado Springs, CO
Oct 24, 2016 - Oct 29, 2016
Community SANS
SOS SANS October Singapore 2016
Singapore, Singapore
Oct 24, 2016 - Nov 06, 2016
Live Event
Community SANS Ottawa SEC401
Ottawa, ON
Oct 24, 2016 - Oct 29, 2016
Community SANS
SANS Sydney 2016
Sydney, Australia
Nov 03, 2016 - Nov 19, 2016
Live Event
SANS Gulf Region 2016
Nov 05, 2016 - Nov 17, 2016
Live Event
Community SANS Detroit SEC401
Dubai, United Arab
Emirates
Detroit, MI
SANS Miami 2016
Miami, FL
Nov 07, 2016 - Nov 12, 2016
Live Event
SANS London 2016
Nov 12, 2016 - Nov 21, 2016
Live Event
Healthcare CyberSecurity Summit & Training
London, United
Kingdom
Houston, TX
Nov 14, 2016 - Nov 21, 2016
Live Event
SANS San Francisco 2016
San Francisco, CA
Nov 27, 2016 - Dec 02, 2016
Live Event
Community SANS San Diego SEC401
San Diego, CA
Dec 05, 2016 - Dec 10, 2016 Community SANS
Community SANS St Louis SEC401
St Louis, MO
Dec 05, 2016 - Dec 10, 2016 Community SANS
Community SANS Richmond SEC401
Richmond, VA
Dec 05, 2016 - Dec 10, 2016 Community SANS
SANS Cologne
Cologne, Germany
Dec 05, 2016 - Dec 10, 2016
Live Event
SANS Dublin
Dublin, Ireland
Dec 05, 2016 - Dec 10, 2016
Live Event
SANS Cyber Defense Initiative 2016
Washington, DC
Dec 10, 2016 - Dec 17, 2016
Live Event
SANS vLive - SEC401: Security Essentials Bootcamp Style
SEC401 - 201612,
Dec 13, 2016 - Feb 02, 2017
vLive
SANS Security East 2017
New Orleans, LA
Jan 09, 2017 - Jan 14, 2017
Live Event
Community SANS Virginia Beach SEC401
Virginia Beach, VA
Jan 09, 2017 - Jan 14, 2017
Community SANS
Community SANS Marina del Rey SEC401
Marina del Rey, CA
Jan 09, 2017 - Jan 14, 2017
Community SANS
Mentor Session - SEC401
Philadelphia, PA
Jan 10, 2017 - Feb 21, 2017
Mentor
Community SANS New York SEC401
New York, NY
Jan 16, 2017 - Jan 21, 2017
Community SANS
SANS Las Vegas 2017
Las Vegas, NV
Jan 23, 2017 - Jan 30, 2017
Live Event
Community SANS Chantilly SEC401
Chantilly, VA
Jan 23, 2017 - Jan 28, 2017
Community SANS
Community SANS Albany SEC401
Albany, NY
Feb 06, 2017 - Feb 11, 2017 Community SANS
Nov 07, 2016 - Nov 12, 2016 Community SANS