© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.

Presentation transcript:


2 TRUE STORY: Personal information stolen for millions of customers of phone companies, credit card companies and banks. The companies contracted with a consumer data organization, which hired a data mining organization, whose system administrator stole the data.

3 TRUE STORY: Emergency services are forced to rely on manual address lookups for 911 calls on a Friday night. An employee sabotaged the system and stole all of the backup tapes.

4 TRUE STORY: Financial institution discovers $691 million in losses... Covered up for 5 years by trusted employee

5 Agenda
o Introduction
o How bad is the insider threat?
o Background on CERT's insider threat research
o Brief overview of findings from our research
o Tools for preventing or detecting insider threats

6 What is CERT?
o Center of Internet security expertise
o Established in 1988 by the US Department of Defense on the heels of the Morris worm, which created havoc on the ARPANET, the precursor to today's Internet
o Located in the Software Engineering Institute (SEI), a Federally Funded Research & Development Center (FFRDC) operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

7 CERT's Definition of Malicious Insider: a current or former employee, contractor, or business partner who
o has or had authorized access to an organization's network, system or data, and
o intentionally exceeded or misused that access in a manner that
o negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.
Note: This presentation does not address national security espionage involving classified information.

e-Crime Watch Survey (CSO Magazine, USSS, Microsoft, & CERT; 671 respondents). Chart: Percentage of Participants Who Experienced an Insider Incident.

9 CERT's Insider Threat Research: Insider Threat Cases Database
o Hundreds of cases have been analyzed
o US cases from 1996 to 2007 in critical infrastructure sectors
o Partners: US Secret Service, Carnegie Mellon CyLab, Department of Defense
o Data includes both technical & behavioral information

10 Breakdown of Insider Threat Cases in CERT Database (chart). Categories: Theft or Modification for Financial Gain; Theft for Business Advantage; IT Sabotage; Misc.

11 Comparison of Insider Crimes - 1

Attribute | IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage
% of crimes in case database | 45% | 44% | 14%
Current or former employee? | Former | Current | Current (95% resigned)
Type of position | Technical (e.g. sys admins or DBAs) | Non-technical, low-level positions with access to confidential or sensitive information (e.g. data entry, customer service) | Technical (71%): scientists, programmers, engineers; Sales (29%)
Gender | Male | Fairly equally split between male and female | Male
[1]

12 Comparison of Insider Crimes - 2

Attribute | IT Sabotage | Theft or Modification for Financial Gain | Theft for Business Advantage
Target | Network, systems, or data | PII or customer information | IP (trade secrets): 71%; customer info: 33%
Access used | Unauthorized | Authorized | Authorized
When | Outside normal working hours | During normal working hours | During normal working hours
Where | Remote access | At work | At work
Recruited by outsiders | None | ½ recruited for theft; less than 1/3 recruited for modification | Less than 1/4
Collusion | None | Modification: almost ½ colluded with another insider; Theft: 2/3 colluded with outsiders | Almost ½ colluded with at least one insider; ½ acted alone; 25% stole for a foreign government or organization
[1]

13 What Can You Do? Review CERT's Common Sense Guide to Prevention and Detection of Insider Threats (ThreatsV pdf). Version 3 to be published in January 2009.

14 Tools for Preventing or Detecting Insider Threats

15 Change Control helps to prevent or detect:
o Planting or downloading of malicious code or unauthorized software
o Unauthorized modification of critical files
o Unauthorized changes to source code
o Unauthorized installation of hardware devices

16 Data Leakage Tools help to prevent or detect accidental or intentional leakage of confidential information via:
o E-mails
o Documents
o Printing, copying, or downloading
o Removable media

17 Network/Employee Monitoring Tools help to detect:
o Unauthorized access
o Suspicious activity around resignation
o Unauthorized escalation of privileges
o Anomalous user activity
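The detection rules on this slide map directly onto the patterns in the comparison tables: sabotage via remote access outside working hours, account and privilege changes by technical staff, and data pulled by someone who has already given notice. The block below is an added example, not code from the slides or any CERT tool; the log lines, the HR resignation feed, the business-hours window and the byte threshold are all constructed assumptions.

```python
import re
from datetime import datetime, date

# Constructed sample events in a simple key=value format (not real logs).
SAMPLE_LOG = """\
2008-10-24T22:15:03 user=jsmith action=login src=vpn result=success
2008-10-24T22:16:41 user=jsmith action=sudo cmd='usermod -aG wheel svc_backup2' result=success
2008-10-27T09:02:10 user=mlee action=login src=lan result=success
2008-10-27T09:40:00 user=mlee action=download file=q3_forecast.xlsx bytes=120000
2008-10-28T03:30:00 user=tjones action=login src=vpn result=success
2008-10-28T03:31:12 user=tjones action=download file=customer_export.csv bytes=250000000
"""

# Constructed HR feed: users who have given notice, and the date notice was given.
RESIGNATIONS = {"tjones": date(2008, 10, 20)}

BUSINESS_HOURS = (7, 19)            # assumption: 07:00-19:00 local, Monday to Friday
LARGE_DOWNLOAD_BYTES = 100_000_000  # assumption: anything above this is worth a look
# Commands that create accounts, alter group membership, change credentials or set setuid bits.
PRIV_CMDS = re.compile(r"\b(usermod|useradd|visudo|passwd|chmod\s+[4-7]\d{3})\b")
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_line(line):
    """Split '<iso-timestamp> k=v k='quoted v' ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for key, val in KV_RE.findall(rest):
        event[key] = val.strip("'\"")
    return event


def outside_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def check_event(ev):
    """Apply each detection rule to one event; return the alert strings it raises."""
    alerts = []
    user = ev.get("user", "?")
    if ev.get("action") == "login" and ev.get("src") == "vpn" and outside_hours(ev["ts"]):
        alerts.append(f"after-hours remote login by {user}")
    if ev.get("action") == "sudo" and PRIV_CMDS.search(ev.get("cmd", "")):
        alerts.append(f"account/privilege change by {user}: {ev['cmd']}")
    notice = RESIGNATIONS.get(user)
    if notice and ev["ts"].date() >= notice and ev.get("action") == "download":
        alerts.append(f"download by resigning user {user}: {ev.get('file')}")
    if ev.get("action") == "download" and int(ev.get("bytes", 0)) > LARGE_DOWNLOAD_BYTES:
        alerts.append(f"large download by {user}: {ev.get('bytes')} bytes")
    return alerts


def analyze(log_text):
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(check_event(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print("ALERT:", a)
```

The resignation rule is the one most shops lack: it needs HR to push notice dates into the monitoring system, since the 95% of IP thieves who resigned in the CERT data did their copying while still holding authorized access.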

18 Identity Management Systems help to:
o Prevent creation of, or detect usage of, backdoor accounts
o Implement and maintain access control
o Disable all access upon termination
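Whether or not a full identity management product is in place, the check that catches backdoor accounts and lingering access is a reconciliation of the accounts that actually exist against the HR roster and the list of approved service accounts. The block below is an added example, not code from the slides or from CERT; the roster, account inventory and approved-service list are constructed, and treating HR as the authoritative source of who should have access is an assumption.

```python
from datetime import date

# Constructed HR roster (assumption: HR is authoritative for who is employed today).
HR_ROSTER = {
    "jsmith": {"status": "active", "termination": None},
    "mlee": {"status": "active", "termination": None},
    "tjones": {"status": "terminated", "termination": date(2008, 10, 27)},
}

# Constructed account inventory as pulled from the directory and hosts.
ACCOUNTS = [
    {"name": "jsmith", "enabled": True, "groups": ["staff"], "created": date(2006, 3, 1)},
    {"name": "mlee", "enabled": True, "groups": ["staff", "dba"], "created": date(2007, 5, 9)},
    {"name": "tjones", "enabled": True, "groups": ["staff"], "created": date(2005, 1, 15)},
    {"name": "svc_backup", "enabled": True, "groups": ["backup"], "created": date(2004, 8, 2)},
    {"name": "svc_backup2", "enabled": True, "groups": ["wheel"], "created": date(2008, 10, 24)},
]

# Constructed: service accounts that went through the provisioning/approval process.
APPROVED_SERVICE_ACCOUNTS = {"svc_backup"}
PRIVILEGED_GROUPS = {"wheel", "dba", "root"}


def reconcile(roster, accounts, approved_service, today):
    """Return [(account, reason)] for every account that should not be enabled today."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        person = roster.get(name)
        if person is None:
            # Not a person in HR and not an approved service account: nobody owns it.
            if name not in approved_service:
                priv = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
                reason = f"not in HR roster or approved service list (created {acct['created']}"
                reason += f", privileged groups {priv})" if priv else ")"
                findings.append((name, reason))
            continue
        if person["status"] == "terminated" and acct["enabled"]:
            days = (today - person["termination"]).days
            findings.append((name, f"still enabled {days} days after termination"))
    return findings


def accounts_to_disable(findings):
    """The action list handed to the directory team (or fed to an automated disable job)."""
    return sorted({name for name, _ in findings})


if __name__ == "__main__":
    for name, reason in reconcile(HR_ROSTER, ACCOUNTS, APPROVED_SERVICE_ACCOUNTS, date(2008, 10, 31)):
        print(f"{name}: {reason}")
```

Run this daily, not at audit time: the window between termination and disablement is exactly when the former employees in the sabotage column of the tables above strike, and an unowned account in a privileged group is the classic backdoor left behind by a resigning administrator.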

19 Others
o Encryption
o Physical access control systems
o Automated data integrity checks
o Backup and recovery systems
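The "automated data integrity checks" item here and the change control slide earlier (unauthorized modification of critical files, planting of malicious code) are served by the same mechanism: a signed baseline of file hashes compared against the live system. The block below is an added example, not code from the slides or from CERT; it builds a manifest over a temporary directory of constructed files and then simulates the three kinds of unauthorized change. File names and contents are made up for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (forward-slash relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify every difference between the approved baseline and the live system."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: take a baseline, then make changes no change ticket approved."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "bin/app.py", "print('hello')\n")
        write(root, "etc/app.conf", "admin_users = alice\n")
        write(root, "lib/util.py", "def f(): return 1\n")
        baseline = build_manifest(root)          # in practice: stored off-host and signed

        write(root, "etc/app.conf", "admin_users = alice,backdoor\n")   # critical file edited
        write(root, "bin/cleanup.py", "import shutil  # simulated planted script\n")  # new code dropped
        os.remove(os.path.join(root, "lib", "util.py"))                 # file deleted
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as good as the baseline's custody: keep the manifest (and the tool that builds it) where the administrators being monitored cannot alter it, and tie every expected difference to an approved change record so that anything left over is the alert.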

20 Contact Information. Insider Threat Team Lead: Dawn M. Cappelli, Technical Manager, Threat and Incident Management, CERT Program, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh, PA.