A Discussion of the Insider Threat.ppt

A Discussion of the Insider Threat Jason Franklin Example Insider Attack Ivan the insider gets fired and Alf the administrator forgets to void Ivan’s (login) credentials. Ivan goes home, logins into his work machine and takes some malicious action (introduces bugs into source, deletes files and backups, etc…) Alternatively, Alf might void Ivan’s credentials, but forget that Ivan also uses a shared group account. Proposed Definition A malicious insider is an adversary who operates inside the trusted computing base, basically a trusted adversary. The insider threat is an adversarial model encompassing all possible malicious insiders. Example Threats Data corruption, deletion, and modification Leaking sensitive data Denial of service attacks Blackmail Theft of corporate data On and on…. Statistics Insider attacks account for as much as 80% of all computer and Internet related crimes [1] 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders [1] Majority of insiders are privileged users and majority of attacks are launched from remote machines [3] Problem Discussion Typical adversarial models ignore the insider threat by assuming the TCB is free of threats Insider threat violates this assumption Prevailing Sentiments (Myths?) Current systems are capable of countering the insider threat Insider threat is impossible to counter because of the insider’s resources and access permissions Insider attacks are a social or organizational issue which cannot be countered by technical means (Anderson94) Remediation: Initial Thoughts Minimize the size of the TCB to decrease the number of possible insiders Distribute trust amongst multiple parties to force collusion Most insiders act alone Question trust assumptions made in computing systems Treat the LAN like the WAN BroLAN, SANE, etc… Others? Is the insider threat unavoidable? If we define an insider as an adversary inside the TCB, can we ever eliminate the insider threat? Perhaps we can onl