Presentation is loading. Please wait.

Presentation is loading. Please wait.

Engineering Secure Software

Published byMyrtle Miller Modified over 5 years ago

Similar presentations

Presentation on theme: "Engineering Secure Software"— Presentation transcript:

1 Engineering Secure Software
Insider Threat

2 Lottery Story At a lottery agency, a manager was able to turn losing tickets into winners. He would buy the ticket, then modify the database Stole $63,000 over a year and a half Suspect happened to be on vacation when it was discovered, otherwise he would have been chosen to investigate the incident They disabled his physical access, but forgot to inform his employees. He asked them to delete the logs and backups. Organization lost most of its evidence against him.

3 A Threat We Can’t Ignore
Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes originating from insider threat since 2000 Many more occurring In 2007, the Secret Service et al. conducted a survey of law enforcement officials & security execs 31% of electronic crimes involved an insider 49% of respondents experienced insider threat in the past year Wikileaks, anyone? © Andrew Meneely

4 What is insider threat? Actors
Current employees Former employees (esp. “recently former”) Contractors Intentionally exceeded or misused an authorized level of access Affected the security of the organization Data Intellectual property Daily business operations

5 Double Threat to SE Insider threat affects SE in two ways
Insider users for the system that we release e.g. hospital administrators Insiders developers to our own software development company e.g. disgruntled developers Liability considerations Will our software facilitate insider threat? Bring this up in your requirements elicitation meeting Audit mechanisms Deployment mechanisms For everything else: hire some lawyers for a sneaky EULA

6 Types of Insiders Pure insider Insider associate Outside affiliate
e.g. system administrator, developer Insider associate e.g. developer, but on a different project Outside affiliate e.g. outsourced contractor

7 Classes of Threats IT sabotage Personal financial gain
Business advantage (e.g. industrial espionage) Miscellaneous

8 Some considerations Majority of the attacks required significant planning ahead of time Majority of insider attacks took place physically on the premise Majority of insider attacks faced criminal charges And in most cases, the insiders were aware that they would face charges

9 Prevention vs. Detection
Prevention is extraordinarily hard Work environment Predicting human nature Deterrents are only somewhat effective Detection is much more feasible Usually by someone using common sense Audits of access logs In most cases, live network detection was not involved Drawback: reactive

10 Developer Insiders “Security through obscurity alone” is really not an option Insider would know what servers to go to Insider knows the attack surface Access to production servers should be limited Non-release changes to production need to be documented Forces you to document your deployment process anyway On introducing backdoors Very rarely introduced in the development phase Most often in the maintenance phase

11 General Suggestions Be aware of the threat “Buddy” system
Keep up with the latest stories Apply those situations to yours “Buddy” system Nobody should be left physically alone with important resources Logging and auditing Everything is logged Audits should actually happen

12 More Suggestions Job termination policies Archives & offsite backups
Have one. Be prepared to disable accounts quickly Archives & offsite backups Mitigate tampering and destruction of backups Rotate duties Better detection of anomalies Better knowledge transfer anyway Holistic approach People, data, technology, procedures, policies

13 Some Resources SEI’s CERT Insider Threat group
Definitive resource The Insider Threat: Combatting the Enemy Within, by Clive Blackwell ISBN Available via RIT library electronically for free

14 We More Need Stories …so that’s today’s activity 5 groups
Assigned sectors for CERT case studies Make a 5 minute presentation Tell us stories of insider threat Statistics Some lessons learned

Download ppt "Engineering Secure Software"

Similar presentations

Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.

© 2008 Carnegie Mellon University Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad Dawn Cappelli October 31, 2008.
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085.

Forensic and Investigative Accounting Chapter 16 Cybercrime Loss Valuations © 2011 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL
11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 

11 ASSESSING THE NEED FOR SECURITY Chapter 1. Chapter 1: Assessing the Need for Security2 ASSESSING THE NEED FOR SECURITY  Security design concepts 
Overview of Joe B. Taylor CS 591 Fall 2008. Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.

Overview of Joe B. Taylor CS 591 Fall Introduction  Thriving defense manufacturing firm  System administrator angered  His role diminished with.
Appendix B: Designing Policies for Managing Networks.

Appendix B: Designing Policies for Managing Networks.
Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.

Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Traditional Policing  Traditional policing ◦ Amounts to throwing money at the crime problem ◦ Is unimaginative  Traditional policing strategies include.

Traditional Policing  Traditional policing ◦ Amounts to throwing money at the crime problem ◦ Is unimaginative  Traditional policing strategies include.
 The median annual wage for police and detectives was $56,980 in May 2012. The median wage is the wage at which half the workers in an occupation earned.

 The median annual wage for police and detectives was $56,980 in May The median wage is the wage at which half the workers in an occupation earned.
Introduction to Network Defense

Introduction to Network Defense
1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.

1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.
General Awareness Training

General Awareness Training
InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.

InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.
Chapter 4.  Can technology alone provide the best security for your organization?

Chapter 4.  Can technology alone provide the best security for your organization?
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.

Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

Introducing Computer and Network Security. Computer Security Basics What is computer security? –Answer depends on the perspective of the person you’re.

Similar presentations

Ads by Google