Computers Insiders Threat

Com jellers Insiders terrorWhile vio ripes on computers by outside intruders be more generalized, glide slopes perpetrated by insiders argon very common and very much more damaging. Insiders make for the greatest holy terror to computer aegis because they realize their organizations caper and how their computer g al mavin overnances work. They stick out both the confidentiality and entre to perform these attacks. An inside attacker forget nonplus a higher probability of successfully breaching into the governing body and extracting critical tuition. The insiders as well as represent the greatest challenge to securing the conjunction ne cardinalrk because they are authorized a level of access to the load body of rules and granted a degree of trust.A system administrator angered by his diminished enjoyment in a thriving defensive structure manufacturing firm whose computer network he alone had demonstrable and managed, centralized the bundle that supported the companys manufacturing processes on a single server, and then intimidated a coworker into cock-a-hoop him the only backup tapes for that software package. Following the system administrators termination for inappropriate and abusive treatment of his coworkers, a logical system bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the companys server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of around 80 employees.An application developer, who unconnected his IT sector job as a result of company downsizing, expressed his displeasure at beingness laid off provided prior to the Christmas holidays by launching a systematic attack on his former employers computer network. Three weeks following his termination, the insider utilise the username and password of one of his former coworkers to gain strange access to the network and modify several of the companys web pages, changing text and inserting pornographic images. He also sent each of the companys customers an email message advising that the website had been hacked. Each email message also contained that customers usernames and passwords for the website. An investigation was initiated, simply it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, punish ascript to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee at last was set as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two age on supervised probation, and ordered to pay $48,600 restitution to his former employer.A city government employee who was passed over for promotion to pay handler retaliated by deleting charge ups from his and a coworkers computers the day beforehand the bare-assed finance director took office. An investigation identified the disgruntled em ployee as the perpetrator of the incident. City government officials disagreed with the primary police emissary on the pillow slip as to whether all of the deleted archives were recovered.No criminal charges were filed, and, downstairs an agreement with city officials, the employee was allowed to resign.These incidents of pervert were all committed by insiders individuals who were, or previously had been, authorized to use the information systems they eventually apply to perpetrate harm. Insiders pose a substantial flagellum by sexual abstention of their knowledge of, and access to, employer systems and/or databases. Keeney, M., et al (2005)The Nature of credentials ThreatsThe greatest threat to computer systems and information comes from humans, through actions that are each poisonous or ignorant 3 . Attackers, trying to do harm, exploit vulnerabilities in a system or security policy employing various methods and tools to achieve their aims. Attackers usually build a mo tive to fragmentise normal product line operations or to steal information.The higher up diagram is depicts the types of security threats that exist. The diagram depicts the all threats to the computer systems hardly main emphasis will be on malicious insiders. The greatest threat of attacks against computer systems are from insiders who know the codes and security measures that are in place 45. With very specific objectives, an insider attack weed affect all components of security. As employees with legitimate access to systems, they are familiar with an organizations computer systems and applications. They are believably to know what actions cause the just about damage and how to get away with it undetected. Considered members of the family, they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and antagonize against systems. organizational downsizing in both public and private sectors has creat ed a group of individuals with significant knowledge and capabilities for malicious activities 6 and revenge. Contract master copys and foreign nationals either brought into the U.S. on work visas to meet labor shortagesor from onshore outsourcing projects are also included in this category of knowledgeable insiders.Common Insider ThreatCommon cases of computer-related employee sabotage include changing data deleting data destroying data or programs with logic bombs crashing systems holding data guarantor destroying hardware or facilities entering data incorrectly, exposing subtile and embarrassing proprietary data to public invite such(prenominal) as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.A 1998 FBI Survey 7 investigating computer crime tack that of the 520 companies consulted, 64% had constitutioned security breac hes for a total quantifiable fiscal loss of $136 millions. (See chart) The survey also found that the largest twist of breaches were by unlicenced insider access and concluded that these figures were very conservative as most companies were unaware of malicious activities or disinclined to report breaches for fear of negative press. The survey reported that the average cost of an attack by an noncitizen(hacker) at $56,000, while the average insider attack cost a company inexcess $2.7 million. It found that hidden costs associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, re declaration of face-to-face or professional capers, to protect or advance their ca reers, to challenge their skill, express anger, impress others, or some combination of these concerns.Insider CharacteristicsThe majority of the insiders were former employees. At the time of the incident, 59% of the insiders were former employees orcontr musicians of the affected organizations and 41% were flow rate employees orcontractors. The former employees or contractors left their positions for a variety of reasons.These included the insiders being blast (48%), resigning (38%), and being laid off(7%).Most insiders were either previously or currently employed regular in a proficientposition within the organization. Most of the insiders (77%) were full-time employees of the affectedorganizations, either before or during the incidents. Eight percent of the insidersworked part-time, and an additional 8% had been hired as contractors orconsultants. Two (4%) of the insiders worked as temporary employees, and one(2%) was hired as a subcontractor. Eighty-six percent of the inside rs were employed in expert positions, whichincluded system administrators (38%), programmers (21%), engineers (14%),and IT specialists (14%). Of the insiders not holding technical positions, 10%were employed in a professional position, which included, among others, insidersemployed as editors, managers, and auditors. An additional two insiders (4%)worked in overhaul positions, both of whom worked as customer service representatives.Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.The insiders ranged in age from 17 to 60 historic period (mean age = 32 years)17 and represented a variety of racial and ethnic backgrounds.Ninety-six percent of the insiders were male. 49 percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history.Thirty percent of the insiders had been arrested previously, in cluding arrests for violent offenses (18%), alcohol or drug related offenses (11%), and non financial/ fraud related theft offenses (11%).Organization CharacteristicsThe incidents affected organizations in the following critical groundwork sectors banking and finance (8%) continuity of government (16%) defence mechanism industrial base (2%) food (4%) information and telecommunications (63%) postal and shipping (2%) public health (4%)In all, 82% of the affected organizations were in private industry, while 16% were government entities. sixty-three percent of the organizations engaged in domestic operation only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.What motivate insiders? inbred attackers attempt to proceed into computer networks for many reasons. The subject has been fruitfully studied and internal attackers are used to be motivate with the following reasons BSB03 ChallengeMany internal attackers initially attempt to break into networks for the challenge. A challenge combines strategical and tactical thinking, patience, and mental strength. However, internal attackers cause by the challenge of breaking into networks often do not often think about their actions as criminal. For example, an internal attack can be the challenge to break into the mail server in order to get access to various emails of any employee. RevengeInternal attackers motivated by revenge have often ill feelings toward employees of the same company. These attackers can be oddly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees that feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack to the company in order to cause financial losses. EspionageInternal attackers motivated by espionage, steal confidential information for a third party. In general, two types of espionage existsindustrial espionageIndustrial espionage agency that a company may pay its own employees in order to break intothe networks of its competitors or business partners. The company may also hire someone else to do this.International espionageInternational espionage room that attackers work for governments and steal confidentialinformation for other governments.Definitions of insider threat1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The premier(prenominal) actor category, the true insider, is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the pseudo-insider, is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities.The activities of both fall into five ge neral categories exceeds given network, system or data permissionsconducts malicious activity against or across the network, system or dataprovided unapproved access to the network, system or datacircumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identify ornon-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, defense reaction of access, or disclosure. (Presented at the University of Louisville Cyber Securitys Day, October 2006)2) Insiders employees, contractors, consultants, and vendors pose as great a threat to an organizations security posture as outsiders, including hackers. Few organizations have apply the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review, and employee sentiency training.(Insider Threat ManagementP resented by infoLock Technologies)3)Employees are an organizations most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders not just employees, but consultants, contactors, vendors, and partners must be actively managed, audited, and monitored in order to protect sensitive data.(Presented by infoLock Technologies)4) The mixture of cyber threat has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as in effect(p) security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known form al models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specie safety property are extracted to indicate possible exploits.(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon Universitys Software Engineering Institute CERT Program, tryd insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying risk of insider attack. omit of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem.(Dawn M. Cappelli, Akash G. Desai)6) The insider threat or insider problem is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an insider has information and capabilities not known to other, immaterial attackers. But the studies rarely define what the insider threat is, or define it nebulously. The hindrance in handling the insider threat is reasonable under those circumstances if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved?(Matt Bishop 2005) phoebe bird common insider threatExploiting information via remote access softwareA considerable amount of insider outcry is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can it do offsite. Also, inadequately protected remote computers may turn up in the hands of a third-party if the computer is left unattended, lost or stolen.2.) move out information via e-mail and instant messaging Sensitive infor mation can simply be included in or attached to an e-mail or IM. Although this is a serious threat, its also one of the easiest to eliminate.3.) Sharing sensitive files on P2P networks Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are its there and waiting to be abused. The inanimate software in and of itself is not the problem its how its used that causes trouble. All it takes is a simple misconfiguration to serve up your networks local anesthetic and network drives to the domain.4.) Careless use of radio receiver networks Perhaps the most unintentional insider threat is that of insecure wireless network usage. Whether its at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but dont over cheek Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use it to exploit the network after hours.5.) Posting information to discussion boards and blogs Quite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.Views of different authors about insider threat1) Although insiders in this report tended to be former technical employees, there is no demographic profile of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, andexecutives. They were currently employed and belatedly terminated employees, contractors, and temporary employees. As such, security awareness training needs toencourage employees to identify malicious insiders by behavior , not by stereotypicalcharacteristics. For example, behaviors that should be a source of concern includemaking threats against the organization, bragging about the damage one could do tothe organization, or discussing plans to work against the organization. Also of concernare attempts to gain other employees passwords and to fraudulently obtain accessthrough trickery or exploitation of a trusted relationship.Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay unaired attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyondinformation engine room to the organizations overall business processes and the interplay between those processes and the technologies used.(Michelle Keeney, J.D., Ph.D. atal 2005)2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent thegreatest threat to computer security because they understand their organizations business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.(Nam Nguyen and Peter Reiher, Geoffrey H. Kuenning)3) Geographically distributed information systems achieve high handiness that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in eve ry geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is overdone when insider (or Byzantine) attacks are taken into account.(Yair Amir Cristina Nita-Rotaru)4) In 2006, over 60% of information security breaches were attributable to insider behavior, however more than 80% of integrated IT security work outs were spent on securing perimeter defenses against outside attack. Protecting against insider threats meansmanaging policy, process, engine room, and most importantly, people. Protecting againstinsider threats means managing policy, process, technology, and most importantly, people.The Insider Threat Assessment security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have made the set choice to improve your security posture, and you will achieve your expected Return on Security Investment.(Presented by infoLock Technologies)5) The threat of attack from insiders is real and substantial. The 2004 ECrimeWatch Survey TM conducted by the United States Secret Service, CERT Coordination summation (CERT/CC), and CSO Magazine, 1 found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million. 2 Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.(Dawn Cappelli, Andrew Moore, Timothy Shimeall,2005)6) Insiders, by virtue of legitimate access to their organizations information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it favourable to use the systems they use at work everyday to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or smart property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organizations vulnerabilities, have used their technical ability to sabotage their employers system or network in revenge for some negative work-related event.(Dawn M. Cappelli, Akash G. Desai ,at al 2004)7) The insider problem is considered the most difficult and critical problem in computer security. But studies that survey the earnestness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitionsvary in meaning. Different definitions imply different countermeasures, as well as different assumptions.(Ma tt Bishop 2005)Solution User monitoringInsiders have two things that external attackers dont privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts all while fast under the radar unless a strong incident detection solution is in place. A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has restrain access. Insiders can directly damage your business resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyzemalicious insider activity.These are some points which could be helpful in monitoring and minimizing the insider threatsDetecting insider activity starts with an spread out logand event collection. Firewalls, routers and intrusion detection systems are important, but they are not enough.Organizations need to look deeper to include mission critical applications such as email applications, databases, operating systems, mainframes, access control solutions, animal(prenominal) security systems as well as identity and content management products. Correlation identifying known types of envious and malicious behaviorAnomaly detection recognizing deviations from norms and baselines.Pattern discovery uncovering seemingly unrelated events that manoeuver a pattern of suspicious activityFrom case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organizations procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are.Identify suspicious user activity patterns and identify anomalies.Visually track and create business-level reports on users activity.Automatically esca late the threat levels of suspicious and malicious individuals.Respond according to your specific and unique corporate governing guidelines.Early detection of insider activity based on early warning indicators of suspicious behavior, such asStale or terminated accountsExcessive file printing, unusual printing times andkeywords printed concern to suspicious destinationsUnauthorized peripheral device accessBypassing security controlsAttempts to alter or delete system logsInstallation of malicious softwareThe Insider Threat Study?The global acceptance, business adoption and growth of the Internet, and ofInternetworking technologies in general, in response to customer requests for onlineaccess to business information systems, has ushered in an extraordinary expansion ofelectronic business transactions. In moving from internal (closed) business systems toopen systems, the risk of malicious attacks and fraudulent activity has increasedenormously, thereby requiring high levels of informati on security. Prior to therequirement for online, open access, the information security budget of a typicalcompany was less then their tea and coffee expenses.Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the Presidents Critical Infrastructure Protection Board identified several critical infrastructure sectors10banking and financeinformation and telecommunicationstransportationpostal and shippingemergency runcontinuity of governmentpublic healthUniversitieschemical industry, textile industry and hazardous materialsagriculturedefense industrial baseThe cases examined in the Insider Threat Study are incidents perpetrated by insiders(current or former employees or contractors) who intentionally exceeded or misused anauthorized level of network, system, or data access in a manner that affected thesecurity of the organizations data, systems, or daily business operations. Incidentsincluded any compromise, manipulation of, unaccredited access to, exceedingauthorized access to, tampering with, or disabling of any information system, network,or data. The cases examined also included any in which there was an unauthorized orillegal attempt to view, disclose, retrieve, delete, change, or add information.A completely secure, zero risk system is one which has zero functionality. Latesttechnology high-performance automated systems bring with them new risks in theshape of new attacks, new viruses and new software bugs, etc. IT Security, therefore, isan ongoing process. Proper risk management keeps the IT Security plans, policies andprocedures up to date as per new requirements and changes in the computing environment. To implement controls to counter risks requires policies, and policy canonly be implemented successfully if the top management is committed. And policyseffective implementation is not possible without the training and awareness of staff.The State depone of Pakistan recognizes that financial industry is buil t around the sanctity of the financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of ITSecurity and the ever-increasing threats it faces in todays open world cannot be overstated. As more and more of our Banking Operations and products services become technology driven and dependent, thus our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth procedure of the financial industry.Here are different area in which we can work and check insider threat, but I chose textile industry as in textile industry there is less awareness of the insider threat. If an insider attack in an industry then industrialist try to cover up this intelligence activity as these types of news about an industry can damage the reputation of the industry.CHAPTER 2REVIEW OF LITRATURES, Axelsson. ,(2000)Anonymous 2001Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and process are threats to business fiber and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an unexceptionable level.Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.What needs to be protected, against whom and how? Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of Confidentiality Sensitive business objects (information processes) are disclosed only to authorised persons. == Controls are required to restrict access to objects.Integrity The business need to control modification to objects (information and processes). == Controls are required to ensure objects are accurate and complete.