Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.

Slides:



Advertisements
Similar presentations
Computer Fraud Chapter 5.
Advertisements

Computer Fraud Chapter 5.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.
© Carnegie Mellon University The CERT Insider Threat Center.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
PHYSICAL SECURITY Attacker. Physical Security Not all attacks on your organization's data come across the network. Many companies focus on an “iron-clad”
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
Appendix B: Designing Policies for Managing Networks.
Fundamentals of Computer Security Geetika Sharma Fall 2008.
Security Controls – What Works
The Way Ahead for Information Systems Security: What You Don’t Know Can Hurt You Christopher Baum Research Vice President Global Government NYSCIO Conference.
1 DETERRING INTERNAL INFORMATION SYSTEMS MISUSE EECS711 : Security Management and Audit Spring 2010 Presenter : Amit Dandekar Instructor : Dr. Hossein.
Stephen S. Yau CSE , Fall Security Strategies.
Introduction to Network Defense
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
Information Security Technological Security Implementation and Privacy Protection.
Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Information Systems Security Computer System Life Cycle Security.
Computer Law University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot Feb 2010 Feb 2010 ITSS 4201 Internet Insurance and Information.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Information Security Rabie A. Ramadan GUC, Cairo Room C Lecture 2.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.
Asset & Security Management Chapter 9. IT Asset Management (ITAM) Is the process of tracking information about technology assets through the entire asset.
INTRODUCTION Why AIS threats are increasing
Keogh and Associates Copyright 2003 Sellers, Resellers, Integrators, Consultants What Are Their Roles?? Presenter Colin Keogh Keogh and Associates.
Kevin Casady Hanna Short BJ Rollinson.  Centralized and Structured collection of data stored in a computer system  An electronic filing system  Easy.
{ Active Directory Security Why bother?.   Law #1: Nobody believes anything bad can happen to them, until it does   Law #2: Security only works if.
Information Warfare Playgrounds to Battlegrounds.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Information Systems Security Operational Control for Information Security.
Social Engineering Euphemism for cons –Confidence schemes - note the word confidence Why technologically based security protection that ignores the human.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
Managing Data Against Insider Threats Dr. John D. Johnson, CISSP.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Note1 (Admi1) Overview of administering security.
1 Policy Types l Program l Issue Specific l System l Overall l Most Generic User Policies should be publicized l Internal Operations Policies should be.
HalFILE 2.1 Network Protection & Disaster Recovery.
Computer System and Internet Misuse at the Work Place By: Kris Dimon.
Information Warfare Playgrounds to Battlegrounds.
Security fundamentals Topic 12 Maintaining organisational security.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Incident Response… Be prepared for “not if” but “when” it happens.
DATA PROTECTION 2003 THEORY AND PRACTICE OF HANDLING WITH THE COMPUTER CRIME IN THE REPUBLIC OF MACEDONIA Belgrad.
1 FSTC’s 2008 Annual Conference On the Innovative Edge: Successful Strategies for Financial Services Industry Navigators The Financial Services Technology.
Module 7: Designing Security for Accounts and Services.
MIS323 – Business Telecommunications Chapter 10 Security.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
Best Cyber Security Practices for Counties An introduction to cybersecurity framework.
Engineering Secure Software. A Ubiquitous Concern  You can make a security mistake at every step of the development lifecycle  Requirements that allow.
By: Taysha Johnson. What is an insider threat? 1.A current or former employee, contractor, or other business partner who has or had authorized access.
INSIDER THREATS BY: DENZEL GAY COSC 356. ROAD MAP What makes the insider threat important Types of Threats Logic bombs Ways to prevent.
Developing a Network Security Policy By: Chris Catalano.
Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
CompTIA Security+ Study Guide (SY0-401)
Cybersecurity - What’s Next? June 2017
Computer Security Fundamentals
CIS 349 Competitive Success/snaptutorial.com
CIS 349 Education for Service/snaptutorial.com
CIS 349 Teaching Effectively-- snaptutorial.com
Cyber attacks on Democratic processes
INFORMATION SYSTEMS SECURITY and CONTROL
Incident response and intrusion detection
Engineering Secure Software
16. Account Monitoring and Control
Introduction to Digital Forensics
Presentation transcript:

Engineering Secure Software

Lottery Story

A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes originating from insider threat since 2000  Many more occurring In 2007, the Secret Service et al. conducted a survey of law enforcement officials & security execs ○ 31% of electronic crimes involved an insider ○ 49% of respondents experienced insider threat in the past year  Wikileaks, anyone? © Andrew Meneely

What is insider threat?  When a malicious actor intentionally exceeds or misuses an authorized level of access  Note: not elevation of privilege, but an abuse of already- given privilege  Actors Current employees Former employees (esp. “recently former”) Contractors  Affected the security of the organization Data Intellectual property Daily business operations

Double Threat to SE  Insider threat affects SE in two ways Insider users for the system that we release e.g. hospital administrators Insiders developers to our own software development company e.g. disgruntled developers  Liability considerations Will our software facilitate insider threat? Bring this up in your requirements elicitation meeting ○ Audit mechanisms ○ Deployment mechanisms For everything else: hire some lawyers for a sneaky EULA

Types of Insiders  Pure insider e.g. system administrator, developer  Insider associate e.g. developer, but on a different project  Outside affiliate e.g. outsourced contractor

Classes of Threats  IT sabotage  Personal financial gain  Business advantage (e.g. industrial espionage)  Miscellaneous

Some considerations  Majority of the attacks required significant planning ahead of time  Majority of insider attacks took place physically on the premise  Majority of insider attacks faced criminal charges And in most cases, the insiders were aware that they would face charges

Prevention vs. Detection  Prevention is extraordinarily hard Work environment Predicting human nature Deterrents are only somewhat effective  Detection is much more feasible Usually by someone using common sense Audits of access logs In most cases, live network detection was not involved Drawback: reactive

Mobile Changed Everything  Today, we carry computers with us everywhere we go Easier to take assets with us Easier to access assets remotely Easier to provide access to others  “Bring Your Own Device” is becoming the norm  Modern reactions: Monitor everything (privacy concerns) Disallow mobile devices entirely (employees don’t like that) Separate networks (tough to manage)

Developer Insiders  “Security through obscurity alone” is really not an option Insider would know what servers to go to Insider knows the attack surface  Access to production servers should be limited Non-release changes to production need to be documented Forces you to document your deployment process anyway  On introducing backdoors Very rarely introduced in the development phase Most often in the maintenance phase

General Suggestions  Be aware of the threat Keep up with the latest stories Apply those situations to yours  “Buddy” system Nobody should be left physically alone with important resources  Logging and auditing Everything is logged Audits should actually happen periodically both as deterrent and for repudiation

More Suggestions  Job termination policies Have one. Be prepared to disable accounts quickly  Archives & offsite backups Mitigate tampering and destruction of backups  Rotate duties Better detection of anomalies Better knowledge transfer anyway  Holistic approach People, data, technology, procedures, policies

Some Resources  SEI’s CERT Insider Threat group Definitive resource pdf  The Insider Threat: Combating the Enemy Within, by Clive Blackwell ISBN Available via RIT library electronically for free

We More Need Stories  …so that’s today’s activity 5 groups Assigned sectors for CERT case studies Make a 5 minute presentation ○ Tell us stories of insider threat ○ Statistics ○ Some lessons learned

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.