Insider Threats - University at Albany

Unit Outline
Information Security Risks, Part II
Module 1: Password Security
Module 2: Wireless Security
Module 3: Unintentional Threats
Module 4: Insider Threats
Module 5: Miscellaneous Threats
Module 6: Summary
Sanjay Goel, School of Business/Center for Information Forensics and Assurance
University at Albany Proprietary Information
1
Module 4
Insider Threats
Insider Threats
Learning Objectives
• Student will be able to:
  – Recognize insider threats of an organization
  – Identify different sources of insider threats
  – Classify perpetrators of insider threats
  – Determine relevant controls for protection against insider threats
Insider Threats
Definition
• An authorized user of a system who
  – Unwittingly aids or directly performs bad actions
  – Performs bad actions with the best possible intentions
  – Intentionally performs bad actions (motivation is irrelevant)
• Insider threats are more insidious than external threats and may be harder to detect
Insider Threats
Perpetrators
• Proprietors
• Moles
• Inappropriate users
• Cowboys in the organization who consider themselves beyond any policy
• Remote or traveling users
• Disgruntled insiders
• Malicious employees
Insider Threats
Holes
• Weak security policies and procedures
  – Errors in configuration, assignment of roles and rights, or acceptable use
  – Inadequate training and controls that lead to inappropriate use of systems
• Poor physical security
• Traveling laptops (employee travel)
• Inadequate screening of employees during the hiring process
• Lack of resources to support security
Insider Threats
Inside Hacker Penetration
• Social engineering
  – Low tech but can be powerful
  – Mostly performed over the phone or e-mail
• Impersonation
  – Encrypt your authentication in transit
  – User credentials should not be emailed
Hacker Penetration through Network
• Modems on the network
  – Direct connect to analog lines
  – Analog/digital converters
• Web capable phones
• Wireless LANs
• Portable Media (thumb drives)
Insider Threats
Protection
• Perform periodic security assessment
  – Internal process or external consultants
• Upgrade authentication and authorization processes
• Stay current with security technology
  – Install patches when available
• Train the IT staff and users to avoid configuration mistakes (Not the best place to save money)
  – Develop an internal training program (train-the-trainer)
• Follow the principle of least privilege (Do not give unnecessary permissions)
• Ensure the repercussions for flouting security policies are strong and well advertised
Insider Threats
Protection Cont’d.
• Incorporate audit tools in your information access and identity management systems
  – e.g. Active Directory, LDAP, Databases, File Servers
• Eliminate legacy interoperability from new system requirements when performing upgrades, to remove old vulnerabilities
Insider Threats
Protection: Network Architecture
• Defense in Depth
• Introduce security in network design
  – Segment the internal network
  – Use switches instead of hubs
• Enforce Policies diligently
  – Apply principle of least privilege
  – Audit logs and identify intrusions
  – Profile network behavior
  – Severely restrict privileged access to only security & network administrators
Insider Threats
Protection: Segment Architecture
• Use routers to segment the network
• Disallow source routing, broadcast, and multicast
• Use filters for:
  – Traffic permitted into and out of your network
  – Source & destination IP addresses entering and leaving each subnet
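The segment-filtering rules on this slide, worked through as an added example (this is not code from the slides or the course; the subnet names, address ranges and permitted flows below are constructed for illustration). It models a router that sits between subnets and applies the three checks the slide names: drop source-routed, broadcast and multicast packets; verify that a packet entering from a subnet really carries a source address from that subnet; and forward only flows that an explicit permit rule lists, denying everything else by default.

```python
import ipaddress

# Constructed internal subnets; the names and ranges are this example's, not the slides'.
SUBNETS = {
    "workstations": ipaddress.ip_network("10.1.0.0/24"),
    "servers":      ipaddress.ip_network("10.2.0.0/24"),
    "management":   ipaddress.ip_network("10.9.0.0/24"),
}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Permitted flows: (ingress zone, destination zone, destination port).
# Anything not listed here is dropped (deny by default). Assumed policy.
ALLOWED_FLOWS = {
    ("workstations", "servers", 443),     # users reach internal web services
    ("workstations", "internet", 443),    # users browse via HTTPS
    ("management", "servers", 22),        # admins manage servers over SSH
    ("management", "workstations", 22),   # admins manage workstations over SSH
    ("internet", "servers", 443),         # public web service reachable from outside
}


def zone_of(ip):
    """Name the subnet an address belongs to, or 'internet' if it is not internal."""
    ip = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if ip in net:
            return name
    return "internet"


def filter_packet(ingress, src, dst, dst_port, source_routed=False):
    """Decide whether a packet arriving on the router interface of zone `ingress`
    may be forwarded. Returns (verdict, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if source_routed:
        return "drop", "source-routed packets are disallowed"
    if d.is_multicast:
        return "drop", "multicast is disallowed"
    if d == LIMITED_BROADCAST or any(d == n.broadcast_address for n in SUBNETS.values()):
        return "drop", "broadcast is disallowed"
    # Anti-spoofing: a packet entering from a zone must carry a source address of that zone.
    if zone_of(s) != ingress:
        return "drop", f"source {src} does not belong to the {ingress} zone"
    flow = (ingress, zone_of(d), dst_port)
    if flow in ALLOWED_FLOWS:
        return "accept", f"permitted flow {flow}"
    return "drop", f"no rule permits {flow}"


if __name__ == "__main__":
    # Constructed sample packets: one legitimate flow, one spoofed source, one multicast.
    for pkt in [("workstations", "10.1.0.5", "10.2.0.10", 443),
                ("workstations", "10.9.0.5", "10.2.0.10", 22),
                ("servers", "10.2.0.10", "224.0.0.5", 0)]:
        print(pkt, "->", filter_packet(*pkt))
```

The anti-spoofing check is the practical meaning of "source & destination IP addresses entering and leaving each subnet": an insider on the workstation subnet cannot borrow a management-subnet address to reach the SSH rule meant for administrators, because the router knows which interface the packet arrived on.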
Insider Threats
Protection: Least Privilege
• Don’t allow all system admins root access to everything
• Identify user requirements and disable un-needed services
• Use Role Based Access Control (RBAC)
• Remove operating system access from user workstations
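A minimal role-based access control check, added here as an example of the least-privilege points above (it is not code from the slides or the course; the role names, permissions and users are constructed for illustration). Access is denied unless some assigned role explicitly grants the (resource, action) pair, so a network administrator does not automatically get the firewall, and `over_privileged` shows what a user holds beyond what their job actually needs.

```python
from dataclasses import dataclass, field

# Roles map to sets of (resource, action) permissions. Constructed for the example:
# note that no single role is "root on everything".
ROLES = {
    "helpdesk":       {("workstation", "reset_password")},
    "network_admin":  {("router", "configure"), ("switch", "configure"), ("syslog", "read")},
    "security_admin": {("firewall", "configure"), ("syslog", "read"), ("audit", "read")},
    "dba":            {("database", "administer")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_for(user):
    """Union of the permissions granted by the user's roles (an unknown role grants nothing)."""
    perms = set()
    for role in user.roles:
        perms |= ROLES.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Deny by default: the action is permitted only if some role grants it explicitly."""
    return (resource, action) in permissions_for(user)


def over_privileged(user, needed):
    """Permissions the user holds but does not need; a non-empty result is a least-privilege finding."""
    return permissions_for(user) - set(needed)


def roles_within(needed):
    """Roles that grant nothing outside `needed`: the only roles least privilege permits assigning."""
    return {name for name, perms in ROLES.items() if perms <= set(needed)}


if __name__ == "__main__":
    # Constructed users: alice has one role, bob has accumulated two.
    alice = User("alice", {"network_admin"})
    bob = User("bob", {"network_admin", "security_admin"})
    print("alice may configure router:", is_allowed(alice, "router", "configure"))
    print("alice may configure firewall:", is_allowed(alice, "firewall", "configure"))
    print("bob holds beyond his needs:",
          over_privileged(bob, {("router", "configure"), ("syslog", "read")}))
```

Running `over_privileged` for every account against a documented list of job requirements is the auditable form of "identify user requirements": accumulated roles that were never removed show up as excess permissions rather than staying invisible.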
Insider Threats
Protection: Auditing & Profiling
• Central console for all security system reports
• Most networking equipment will support SYSLOG – use it
• Establish Flow Monitoring – several good tools, including MRTG, nTOP, CISCO, etc.
• DHCP – Establish long lease times to enable better auditing
• Set time and protocol rules of engagement
• Limit Internet access for systems that don’t require it
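The auditing side of both the "Network Architecture" slide (audit logs, profile behavior, restrict privileged access to administrators) and this slide (central syslog, time and protocol rules of engagement), worked through as one added example. This is not code from the slides or the course: the syslog lines are constructed, and the business hours, forbidden protocol, privileged account and admin subnet are assumptions for the example. It parses centrally collected login messages, applies the rules of engagement, and keeps a simple per-user profile of source hosts so that a login from a host never seen for that user is flagged.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (BSD syslog style), standing in for the messages a
# central syslog console would collect from servers and routers. Not from a real system.
SAMPLE_LOG = """\
Mar 10 09:12:01 fileserver sshd[2201]: Accepted publickey for alice from 10.1.0.15 port 50122 ssh2
Mar 10 09:40:17 router1 login: user bob logged in from 10.9.0.7 via telnet
Mar 10 13:05:44 fileserver sshd[2290]: Accepted password for carol from 10.1.0.22 port 50311 ssh2
Mar 10 23:48:09 fileserver sshd[2311]: Accepted password for carol from 10.1.0.22 port 50890 ssh2
Mar 11 02:15:33 dbserver sshd[4011]: Accepted password for root from 10.1.0.22 port 51002 ssh2
Mar 11 10:02:10 fileserver sshd[2402]: Accepted publickey for alice from 172.16.5.9 port 40011 ssh2
"""

# Rules of engagement (all values are assumptions for the example).
BUSINESS_HOURS = range(7, 19)                       # 07:00-18:59 is normal working time
FORBIDDEN_PROTOCOLS = {"telnet"}                    # cleartext logins are not allowed
PRIVILEGED_USERS = {"root"}
ADMIN_SUBNET = ipaddress.ip_network("10.9.0.0/24")  # only admin hosts may use privileged accounts

SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
TELNET_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) login: "
                       r"user (?P<user>\S+) logged in from (?P<src>\S+) via (?P<proto>\w+)")


def parse_line(line):
    """Normalise one syslog line into a login event dict, or None if it is not a login."""
    m = SSHD_RE.match(line)
    if m:
        return {**m.groupdict(), "proto": "ssh"}
    m = TELNET_RE.match(line)
    if m:
        return m.groupdict()
    return None


def audit(log_text):
    """Apply the rules of engagement and a per-user source profile to a syslog capture.
    Returns a list of (timestamp, user, reason) alerts in log order."""
    alerts = []
    seen_sources = defaultdict(set)   # user -> hosts they have logged in from so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        hour = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").hour
        src = ipaddress.ip_address(ev["src"])
        if hour not in BUSINESS_HOURS:
            alerts.append((ev["ts"], ev["user"], "login outside business hours"))
        if ev["proto"] in FORBIDDEN_PROTOCOLS:
            alerts.append((ev["ts"], ev["user"], f"forbidden protocol {ev['proto']}"))
        if ev["user"] in PRIVILEGED_USERS and src not in ADMIN_SUBNET:
            alerts.append((ev["ts"], ev["user"], "privileged login from non-admin subnet"))
        # Behaviour profile: this user appearing from a host never seen for them before.
        if seen_sources[ev["user"]] and ev["src"] not in seen_sources[ev["user"]]:
            alerts.append((ev["ts"], ev["user"], f"new source host {ev['src']}"))
        seen_sources[ev["user"]].add(ev["src"])
    return alerts


if __name__ == "__main__":
    for ts, user, reason in audit(SAMPLE_LOG):
        print(f"{ts}  {user:<6} {reason}")
```

The long DHCP lease times the slide recommends matter to exactly this kind of profiling: the source-host profile is only meaningful if an address keeps identifying the same machine long enough for a baseline to form.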
Insider Threats
Protection: Bastion Awareness
• Syslog your bastion routers
• Virus scan and potentially content filter your e-mail
• Proxy all outbound Internet protocols
• Filter for appropriate content
• Select firewalls that demand protocol compliance on outbound proxy
Insider Threats
Protection: Tactics & Strategy
Strategy
– Prepare for intrusion
– Plan procurements carefully
– Map user/role access to data profiles
– Ensure data tagging stays up to date
– Build strong auditing – centralize it and analyze it
– Build defense-in-depth
– Understand your asset/risk profile and keep it up to date
Tactics
– Identification
– Containment
– Eradication
– Recovery
– Post-Mortem
– Each new procurement supports strategic security goals
"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." -- Sun Tzu
Insider Threats
Summary
• Internal threats can be more insidious than external threats
• Security policy enactment and enforcement is critical for internal protection
• Network can be designed to make it more secure
• Training and education are key to the success of insider protection