Engineering Secure Software

Slides:



Advertisements
Similar presentations
Computer Fraud Chapter 5.
Advertisements

© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.
© Carnegie Mellon University The CERT Insider Threat Center.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
Appendix B: Designing Policies for Managing Networks.
Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.
Factors to be taken into account when designing ICT Security Policies
Stephen S. Yau CSE , Fall Security Strategies.
Traditional Policing  Traditional policing ◦ Amounts to throwing money at the crime problem ◦ Is unimaginative  Traditional policing strategies include.
 The median annual wage for police and detectives was $56,980 in May The median wage is the wage at which half the workers in an occupation earned.
Introduction to Network Defense
1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.
General Awareness Training
InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.
Chapter 4.  Can technology alone provide the best security for your organization?
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.
Information Systems Security Operational Control for Information Security.
Social Engineering Euphemism for cons –Confidence schemes - note the word confidence Why technologically based security protection that ignores the human.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
PREPARED BY: SHOUA VANG ABHINAV JUWA CHASE PAUL EASy Security Project Anonymous vs HBGary Inc.
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
Jamie Lyle (Cpsc 620) December 6, Overview  Logic Bombs  The story of Roger Duronio and UBS PaineWebber  Defenses against logic bombs.
Consistency in Reporting Data Breaches
Chap1: Is there a Security Problem in Computing?.
HalFILE 2.1 Network Protection & Disaster Recovery.
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Information Systems Unit 3.
Social Engineering By: Pete Guhl and Kurt Murrell.
DATA PROTECTION 2003 THEORY AND PRACTICE OF HANDLING WITH THE COMPUTER CRIME IN THE REPUBLIC OF MACEDONIA Belgrad.
1 FSTC’s 2008 Annual Conference On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators The Financial Services Technology.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Incident Response Christian Seifert IMT st October 2007.
Best Cyber Security Practices for Counties An introduction to cybersecurity framework.
Open source IP Address Management Software Review
Figure 1. Current Threat Landscape Sentiment From: ESG Research Report: Cyber Supply Chain Security Revisited. Source: Enterprise Strategy Group, 2015.
By: Taysha Johnson. What is an insider threat? 1.A current or former employee, contractor, or other business partner who has or had authorized access.
INSIDER THREATS BY: DENZEL GAY COSC 356. ROAD MAP What makes the insider threat important Types of Threats Logic bombs Ways to prevent.
Incident Response Strategy and Implementation Anthony J. Scaturro University IT Security Officer September 22, 2004.
Developing a Network Security Policy By: Chris Catalano.
Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
Figure 1. Current Threat Landscape Sentiment
CompTIA Security+ Study Guide (SY0-401)
Add video notes to lecture
Insiders are Today’s Biggest Security Threat
Unit 32 – Networked Systems Security
Controlling Computer-Based Information Systems, Part II
Sexual Assault Employee Training.
General Data Protection Regulation (GDPR
Forensics Week 11.
Unfortunately, any small business could face the risk of a data breach or cyber attack. Regardless of how big or small your business is, if your data,
CompTIA Security+ Study Guide (SY0-401)
Andy Hall – Cyber & Tech INSURANCE Specialist
Threat Trends and Protection Strategies Barbara Laswell, Ph. D
CRITICAL INFRASTRUCTURE CYBERSECURITY
INFORMATION SYSTEMS SECURITY and CONTROL
Objectives Telecommunications and Network Physical and Personnel
Forensic and Investigative Accounting
Incident response and intrusion detection
Strategic threat assessment
16. Account Monitoring and Control
Anuj Dube Jimmy Lambert Michael McClendon
Protect data in core business applications
Introduction to Digital Forensics
Chapter 3: Business Ethics and Social Responsibility Business Ethics
Presentation transcript:

Engineering Secure Software Insider Threat

Lottery Story At a lottery agency, a manager was able to turn losing tickets into winners. He would buy the ticket, then modify the database Stole $63,000 over a year and a half Suspect happened to be on vacation when it was discovered, otherwise he would have been chosen to investigate the incident They disabled his physical access, but forgot to inform his employees. He asked them to delete the logs and backups. Organization lost most of its evidence against him.

A Threat We Can’t Ignore Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes originating from insider threat since 2000 Many more occurring In 2007, the Secret Service et al. conducted a survey of law enforcement officials & security execs 31% of electronic crimes involved an insider 49% of respondents experienced insider threat in the past year Wikileaks, anyone? © 2011-2012 Andrew Meneely

What is insider threat? Actors Current employees Former employees (esp. “recently former”) Contractors Intentionally exceeded or misused an authorized level of access Affected the security of the organization Data Intellectual property Daily business operations

Double Threat to SE Insider threat affects SE in two ways Insider users for the system that we release e.g. hospital administrators Insiders developers to our own software development company e.g. disgruntled developers Liability considerations Will our software facilitate insider threat? Bring this up in your requirements elicitation meeting Audit mechanisms Deployment mechanisms For everything else: hire some lawyers for a sneaky EULA

Types of Insiders Pure insider Insider associate Outside affiliate e.g. system administrator, developer Insider associate e.g. developer, but on a different project Outside affiliate e.g. outsourced contractor

Classes of Threats IT sabotage Personal financial gain Business advantage (e.g. industrial espionage) Miscellaneous

Some considerations Majority of the attacks required significant planning ahead of time Majority of insider attacks took place physically on the premise Majority of insider attacks faced criminal charges And in most cases, the insiders were aware that they would face charges

Prevention vs. Detection Prevention is extraordinarily hard Work environment Predicting human nature Deterrents are only somewhat effective Detection is much more feasible Usually by someone using common sense Audits of access logs In most cases, live network detection was not involved Drawback: reactive

Developer Insiders “Security through obscurity alone” is really not an option Insider would know what servers to go to Insider knows the attack surface Access to production servers should be limited Non-release changes to production need to be documented Forces you to document your deployment process anyway On introducing backdoors Very rarely introduced in the development phase Most often in the maintenance phase

General Suggestions Be aware of the threat “Buddy” system Keep up with the latest stories Apply those situations to yours “Buddy” system Nobody should be left physically alone with important resources Logging and auditing Everything is logged Audits should actually happen

More Suggestions Job termination policies Archives & offsite backups Have one. Be prepared to disable accounts quickly Archives & offsite backups Mitigate tampering and destruction of backups Rotate duties Better detection of anomalies Better knowledge transfer anyway Holistic approach People, data, technology, procedures, policies

Some Resources SEI’s CERT Insider Threat group Definitive resource http://www.cert.org/insider_threat/ http://www.cert.org/archive/pdf/ecrimesummary07.pdf The Insider Threat: Combatting the Enemy Within, by Clive Blackwell ISBN 9781849280112 Available via RIT library electronically for free

We More Need Stories …so that’s today’s activity 5 groups Assigned sectors for CERT case studies Make a 5 minute presentation Tell us stories of insider threat Statistics Some lessons learned

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.