
SLIDE 1

Insider Threat

Engineering Secure Software

SWEN-331: Engineering Secure Software, Benjamin S Meyers

Last Revised: November 11, 2020

SLIDE 2

Lottery Story

  • At a lottery agency, a manager was able to turn losing tickets into winners
    ○ He would buy the ticket, then modify the database
    ○ Stole $63,000 over the course of a year and a half

SLIDE 3

Lottery Story

  • At a lottery agency, a manager was able to turn losing tickets into winners
    ○ He would buy the ticket, then modify the database
    ○ Stole $63,000 over the course of a year and a half
  • Lottery agencies have lots of internal auditing
    ○ Asked the manager to investigate his own fraud
    ○ He dragged the investigation on

SLIDE 4

Lottery Story

  • Manager went on vacation (with the money he stole)
    ○ Agency assigned someone else to pick up the investigation
    ○ Discovered that the manager was covering up his fraud
    ○ Agency calls and fires the manager while he’s on vacation

SLIDE 5

Lottery Story

  • Manager went on vacation (with the money he stole)
    ○ Agency assigned someone else to pick up the investigation
    ○ Discovered that the manager was covering up his fraud
    ○ Agency calls and fires the manager while he’s on vacation
  • Agency disabled his physical access, but forgot to inform his employees of the incident
    ○ Manager asked employees to delete logs/backups
    ○ Most of the evidence against him was lost
    ○ BUT! One of the employees messed up deleting the backup

SLIDE 6

Insider Threat: A Threat We Cannot Ignore

  • Documented incidents are prevalent
    ○ Carnegie Mellon’s SEI has studied over 700 cyber-crimes originating from Insider Threat since 2000
    ○ Many more occurring
    ○ In 2007, the Secret Service et al. conducted a survey of law enforcement officials and security executives
      ■ 31% of electronic crimes involved an insider
      ■ 49% of respondents experienced insider threat in the past year
  • Wikileaks, anyone?

SLIDE 7

What is Insider Threat?

  • When a malicious actor intentionally exceeds or misuses an authorized level of access
    ○ Not elevation of privilege, but an abuse of existing privileges
  • Actors
    ○ Current employees
    ○ Former employees (especially “recently former”)
    ○ Contractors
  • Affects the security of the organization
    ○ Data
    ○ Intellectual property
    ○ Daily business operations (availability)

SLIDE 8

Double Threat to SE

  • Insider Threat affects SE in two ways
    ○ Insider users for the system that we release (e.g. hospital admins)
    ○ Insider developers to our own software development company (e.g. disgruntled developers)
  • Liability considerations
    ○ Will our software facilitate insider threat?
    ○ Bring this up in your requirements elicitation meeting
      ■ Audit mechanisms
      ■ Deployment mechanisms
    ○ For everything else: hire some lawyers for a sneaky EULA

SLIDE 9

Types of Insiders

  • Pure insider
    ○ An employee with rights/access/privileges
    ○ e.g. systems administrator, developer, co-ops
  • Insider associate/affiliate
    ○ Someone with limited authorized access
    ○ e.g. developer, but on a different project
    ○ e.g. guards, maintenance workers
  • Outside affiliate
    ○ Non-trusted outsiders
    ○ e.g. outsourced contractors
    ○ e.g. spouses/friends of an employee that steal their credentials

SLIDE 10

Classes of Threats

  • IT Sabotage
    ○ Intent of harming specific individuals, the organization, or the organization’s assets
  • Personal Financial Gain
    ○ Intent of stealing/modifying confidential/proprietary information from the organization for financial gain
    ○ e.g. “Office Space”
  • Business Advantage
    ○ Intent of stealing/modifying confidential/proprietary information from the organization for business advantages
    ○ e.g. industrial espionage, violating NDAs
  • Miscellaneous

SLIDE 11

Classes of Threats

  • Carnegie Mellon’s SEI: Common Sense Guide to Prevention and Detection of Insider Threats
    ○ Studies and categorizes reports of insider threat incidents
    ○ Suggests best practices for prevention and detection of insider threats
    ○ 3rd Edition: 2009 -- 190 incidents
    ○ 4th Edition: 2012 -- 371 incidents
    ○ 5th Edition: 2016 -- 734 incidents

Source: https://resources.sei.cmu.edu/

SLIDE 12

Some Considerations

  • Majority of the insider attacks required significant planning ahead of time
  • Majority of the insider attacks took place physically on the premises
  • Majority of malicious actors involved in insider attacks faced criminal charges
    ○ And in most cases, the insiders were aware that they would face charges

SLIDE 13

Prevention vs. Detection

  • Prevention is extraordinarily hard
    ○ Work environment
    ○ Good management
    ○ Predicting human nature
    ○ Deterrents are only somewhat effective
  • Detection is much more feasible
    ○ Usually by someone using common sense
    ○ Audits of access logs
    ○ In most cases, live network detection was not involved
    ○ Drawback: reactive
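To make the "audits of access logs" bullet concrete, here is an added example (not from the slides or the course) of an offline audit-log review written around the lottery story above. The log format, the action names (TICKET_SOLD, TICKET_STATUS_UPDATE, CLAIM_VALIDATED, INVESTIGATION_OPENED, INVESTIGATION_ASSIGNED), the sample lines and the three rules are all constructed for illustration. The rules encode the "common sense" an auditor applies: nobody may flip their own ticket to a winner, every win needs a validator other than the person who recorded it, and nobody may be assigned to investigate themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit log (hypothetical format): ts,actor,action,object,detail
SAMPLE_LOG = """\
ts,actor,action,object,detail
2020-03-02T09:12:00,clerk1,TICKET_SOLD,T-1001,buyer=walkin
2020-03-02T09:14:00,mgr7,TICKET_SOLD,T-1002,buyer=mgr7
2020-03-02T21:40:00,mgr7,TICKET_STATUS_UPDATE,T-1002,LOSING->WINNING
2020-03-03T10:05:00,clerk1,TICKET_STATUS_UPDATE,T-1001,LOSING->WINNING
2020-03-03T10:06:00,audit,CLAIM_VALIDATED,T-1001,validator=audit
2020-03-04T08:00:00,audit,INVESTIGATION_OPENED,INV-17,subject=mgr7
2020-03-04T08:01:00,audit,INVESTIGATION_ASSIGNED,INV-17,investigator=mgr7
"""


def parse_log(text):
    """Parse the CSV lines; 'k=v' pairs in the detail column become a dict."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        pairs = (part.split("=", 1) for part in row["detail"].split(";") if "=" in part)
        row["kv"] = dict(pairs)
        rows.append(row)
    return rows


def review_log(text):
    """Return a list of findings, each {'rule', 'object', 'actor'}, in detection order."""
    buyer = {}                        # ticket -> who bought it
    flipped_by = {}                   # ticket -> actor who recorded the win
    validated_by = defaultdict(set)   # ticket -> validators
    subject = {}                      # investigation -> person under investigation
    findings = []

    for r in parse_log(text):
        action, obj, actor = r["action"], r["object"], r["actor"]
        if action == "TICKET_SOLD":
            buyer[obj] = r["kv"].get("buyer")
        elif action == "TICKET_STATUS_UPDATE" and r["detail"].endswith("->WINNING"):
            flipped_by[obj] = actor
            # Rule 1: the person recording the win is also the buyer (self-dealing).
            if buyer.get(obj) == actor:
                findings.append({"rule": "self_dealing", "object": obj, "actor": actor})
        elif action == "CLAIM_VALIDATED":
            validated_by[obj].add(r["kv"].get("validator", actor))
        elif action == "INVESTIGATION_OPENED":
            subject[obj] = r["kv"].get("subject")
        elif action == "INVESTIGATION_ASSIGNED":
            investigator = r["kv"].get("investigator")
            # Rule 3: separation of duties; the subject must not run their own case.
            if investigator is not None and investigator == subject.get(obj):
                findings.append({"rule": "self_investigation", "object": obj, "actor": investigator})

    # Rule 2 (second pass): every recorded win needs a validator other than the recorder.
    for ticket, actor in flipped_by.items():
        if not (validated_by[ticket] - {actor}):
            findings.append({"rule": "unvalidated_win", "object": ticket, "actor": actor})
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['rule']:<20} {f['object']:<8} {f['actor']}")
```

Run against the constructed log it flags T-1002 twice (the manager bought it and flipped it, and nobody else validated it) and INV-17 once (the subject was assigned as investigator), while T-1001 passes because a different user validated the claim. The point is that this review is entirely reactive, exactly as the "Drawback: reactive" bullet says: it only works if the log survives long enough to be read, which is what the next slides' logging and backup advice is about.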

SLIDE 14

Mobile Changed Everything

  • Today, we carry computers with us everywhere we go
    ○ Easier to take assets with us (e.g. emails)
    ○ Easier to access assets remotely
    ○ Easier to provide access to others
  • “Bring Your Own Device” is becoming the norm
  • Modern reactions
    ○ Monitor everything (privacy concerns)
    ○ Disallow mobile devices entirely (employees don’t like that)
    ○ Separate networks (tough to manage)

SLIDE 15

Developer Insiders

  • “Security through obscurity alone” is really not an option
    ○ Developer Insiders would know what servers to go to
    ○ Developer Insiders know the attack surface
  • Access to production servers should be limited
    ○ Non-release changes to production need to be documented
    ○ Forces you to document your deployment process anyway
  • On introducing backdoors
    ○ Very rarely introduced in the development phase
    ○ Most often in the maintenance phase
  • Very rare in open source

SLIDE 16

General Suggestions

  • Be aware of the threat
    ○ Keep up with the latest stories
    ○ Apply those situations to yours
  • Use the “buddy system”
    ○ Nobody should be left physically alone with important resources
  • Logging and auditing
    ○ Everything is logged
    ○ Audits should actually happen periodically, both as a deterrent and for repudiation
  • Archives and offsite backups
    ○ Mitigate tampering and destruction of backups
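The "Logging and auditing" and "Archives and offsite backups" bullets are about the same failure as the lottery story: the evidence was in logs and backups the insider could have deleted. An added example (not part of the slides) of one standard mitigation, a hash-chained audit log whose head hash is copied off-site. Each entry's hash covers the previous entry's hash, so editing or deleting an entry in the middle breaks the chain, and cutting entries off the end is caught by comparing the local head against the off-site anchor. The records, the `AuditLog` class and the verification return values are constructed for this example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical encoding of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditLog:
    """Append-only log; each entry is (record, hash_of_record_chained_to_previous)."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = entry_hash(prev, record)
        self.entries.append((record, h))
        return h

    def head(self):
        """The value to ship off-site (or to a separate auditor) after each batch."""
        return self.entries[-1][1] if self.entries else GENESIS


def verify(entries, anchor_head):
    """Recompute the chain from GENESIS and compare the result with the off-site anchor.

    Returns ("ok", None), ("modified", index_of_first_broken_entry) or
    ("tail_missing", number_of_entries_seen) when the chain is intact but stops
    short of the anchored head (entries were cut off the end).
    """
    prev = GENESIS
    for i, (record, h) in enumerate(entries):
        if entry_hash(prev, record) != h:
            return ("modified", i)
        prev = h
    if prev != anchor_head:
        return ("tail_missing", len(entries))
    return ("ok", None)


def with_modified_record(entries, index, **changes):
    """Copy of the chain with one record edited but hashes left alone (a naive log edit)."""
    copied = copy.deepcopy(entries)
    copied[index][0].update(changes)
    return copied


def build_sample_log():
    """Constructed records in the spirit of the lottery story."""
    log = AuditLog()
    log.append({"seq": 1, "actor": "mgr7", "action": "TICKET_SOLD", "object": "T-1002"})
    log.append({"seq": 2, "actor": "mgr7", "action": "TICKET_STATUS_UPDATE",
                "object": "T-1002", "detail": "LOSING->WINNING"})
    log.append({"seq": 3, "actor": "audit", "action": "INVESTIGATION_OPENED", "object": "INV-17"})
    log.append({"seq": 4, "actor": "mgr7", "action": "INVESTIGATION_NOTE", "object": "INV-17"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()  # imagine this value was mailed to the off-site archive
    print("intact:       ", verify(log.entries, anchor))
    print("edited entry: ", verify(with_modified_record(log.entries, 1, detail="LOSING->LOSING"), anchor))
    print("middle deleted", verify(log.entries[:1] + log.entries[2:], anchor))
    print("tail deleted: ", verify(log.entries[:-1], anchor))
```

Two design points worth noticing. A hash chain on its own only proves that the log is self-consistent; an insider who can rewrite the whole file can rebuild a consistent chain, which is why the head hash (or a signed copy of it) has to leave their control, matching the "offsite backups" bullet. And truncation at the tail is invisible to the chain itself, so the anchor comparison is what turns "one of the employees messed up deleting the backup" from luck into a guarantee.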

SLIDE 17

General Suggestions

  • Job termination policies
    ○ Have one
    ○ Be prepared to disable accounts/physical access quickly
  • Rotate duties
    ○ Better detection of anomalies
    ○ Better knowledge transfer anyway
  • Holistic approach → defense in depth
    ○ People, data, technology, procedures, policies
  • Don’t be an insider threat!
    ○ It’s unethical (and ruins your reputation)
    ○ They almost always get caught

SLIDE 18

Some Resources

  • Carnegie Mellon’s SEI CERT Insider Threat Group
    ○ Definitive resource
    ○ CERT Home
    ○ Insider Threat Blog
    ○ Certificate Programs
    ○ Mitigations
  • The Insider Threat: Combating the Enemy Within, by Clive Blackwell
    ○ ISBN 9781849280112
    ○ Available via RIT Library electronically for free

SLIDE 19

We Need More Stories

  • Activity
    ○ 4 groups, each assigned a sector
      ■ Banking & Finance Sector
      ■ Government Sector
      ■ Internet Technology & Telecommunications Sector
      ■ Critical Infrastructure
    ○ Make a 5 minute presentation
      ■ Tell us stories of insider threat
      ■ Tell us interesting statistics
      ■ Tell us some lessons learned