Insider_Risks_062002
advertisement
Insider Threats Spring 2002 Team 1 M. Broderick, R. Diaz, J. Gerrits, S. Konstantinou 1 Insider Threats Agenda The Problem Scope Causes Effects Detection Responsibility Prevention 2 Insider Threats The Problem While companies try to defend themselves by erecting electronic defenses including firewalls, passwords, sophisticated biometric controls to complement physical protection, such as guards, locks, camera and fences, the largest threat to a company in the area of computer information and systems is from within the organization…. 3 Insider Threats Scope CSI/FBI Surveys Financial Losses due to (all) Security Breaches were reported by between 51-75% of respondents from 1997-2001 2001 Losses of $377M reported by 196 respondents (about 37% of those surveyed) 50% of network attacks originate within enterprise Avg cost of insider Breach is ~ 100x internet breakin! ($2.4M vs $27k) Source: Harry Krimkowitz, :Mitigating Risks to the Insider Threat within Your Organization, SANS Institute, Information Security Reading Room. October 24, 2000. http://rr.sans.org/securitybasics/insider_threat.php 4 Insider Threats Examples Stealing Information: FBI Special Agent Robert Hanssen is arrested for providing secret documents to the Soviet Union and Russia in return for payments over $600,000 Employee System Misuse Email is used to pass discriminatory or sexually harassing messages Employees use email to organize into union activities Employees use company time to surf the internet, shop, listen to music, copy software without proper licensing… Intellectual Property Violations Copying and downloading programs without paying fees Assumption that everything on the internet is “free” 5 Insider Threats Examples Privacy Issues Unauthorized review or disclosure of internal information Sabotage Untested programs Intentionally leaving “backdoors” Rigging calculations - Carelessness Leaving machines unattended so others can log on Entering incorrect or incomplete information 6 Insider Threats Type Voluntary Using unauthorized software Involuntary Inappropriate inquiries or data are attached to or hidden in email (Virus, Trojan Horse, etc.) Willful Setting time bombs in applications Accidental Emailing to an incorrect recipient or “the world” 7 Insider Threats Motivation – 1 Risk/Reward Will I get caught? What’s the risk worth? What are the odds? Internal (Organizational) Pressures “Performance Targets must be met to ensure continued employment” and the mortgage is $5000/month Everyone else is doing it… If you don’t, I’ll find someone who will… Revenge - I’ll show them… They can’t manage without me I’ll get you… 8 Insider Threats Motivation - 2 External (Extramural) Pressures Keeping up with the “Jones” Family and personal needs Fix an external problem: environment, political action, etc. Ignorance It can’t be that complicated… Have to answer the phone now…I’ll get back to the PC soon “Can you let me in – you know me… I forgot my key, just this once..” 9 Insider Threats Motivation - 3 Just Because… I bet I can They’ll never find this … It’s no big deal This can’t be wrong… Permission? Why? Other Reasons… 10 Insider Threats Effects Internal Financial Losses Loss of Trust Safety Issues External Company Reputation Access to Credit Fiduciary Issues Legal Complications 11 Insider Threats Why? Do people hold contradictory views about the morality of society and business? How does this affect insider risks? 12 Insider Threats Why? Why are the statistics of reported unethical behavior so high? Are they high enough? (Probably not!) 13 Insider Threats Can I? Most of us will have to make the “right” decision at some point during our professional careers. Can we define clearly, consistently and unambiguously what is right? 14 Insider Threats What If...? But what if everyone else disagrees with you? No one likes whistleblowers! Right? 15 Insider Threats What If...? What if … you are someone else’s tradeoff? Your job Your lifestyle Your professional reputation Your finances Your family … 16 Insider Threats Who? You! What can you do to contribute to a business environment that supports ethical behavior? 17 Insider Threats Why? But what if everyone else disagrees? No one likes whistleblowers! 18 Insider Threats Responsibility Perpetrator Management Risk Management Information Technology Enforcement Authority Internal Security Force External Police 19 Insider Threats Detection Accidental Why did I get this result? Who sent this? Where did this originate? Intentional Eye Witness Monitoring Disclosure Whistleblower Self Reporting No Detection It just stops…. 20 Insider Threats Prevention Employee Screening and Background Checks Establish Rules in Advance Code of Ethics Employee Training Build Trust “Healthy Environment” – Self-Respect Management by Example Shared Values Monitor – Trust but Verify 21 Insider Threats Enforcement Disincentives for Breaking the Rules Remove Penalties for Whistle-blowing Get the Facts! Act Quickly Legal Implications Employee Management Customer 22 Insider Threats Summary Very Large Problem No Simple Solution 23 Insider Threats Summary Minimize the Problem Areas by Pre-Screening Education Predictability Control Healthy Environment Shared Values Self-Esteem Integrity 24 Insider Threats Sources CSI/FBI Survey 2001 CSI/FBI Survey 2000 http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/csi-fbi2000.pdf ARREST OF ROBERT HANSSEN CACHED BY GOOGLE.COM http://www.cicentre.com/Documents/DOC_Hanssen_Press_Conference.htm "I KNOW WHAT YOU EMAILED LAST SUMMER" http://www.wi-infragard.com/csi-fbi/Information%20Insecurity%20csifbi%20survey%20for%20executives_files/frame.htm JOHN B LEWIS,SECURITY MANAGEMENT, JAN 2002, PP 93-99 ”Whose Rules?” By Eileen Conklin, Information Week, Mar 11, 2002. http://www.informationweek.com/shared/printableArticle?doc_id=IWK20020308S0002 25
