Abstract:
A research project at the CERT Program is identifying enterprise architectural patterns to protect against the insider threat to organizations. This report presents an example of such a pattern, Increased Monitoring for Intellectual Property (IP) Theft by Departing Insiders, to help organizations plan, prepare, and implement a means to mitigate the risk of insider theft of IP. Our case data shows that many insiders who stole IP did so within 30 days of their termination. Based on this insight, the pattern reduces that risk through increased monitoring of departing insiders during their last 30 days of employment. The increased monitoring suggested by the pattern is above and beyond what might be required for baseline organizational detection of potentially malicious insider actions. Future work will include development of a library of enterprise architectural patterns for mitigating the insider threat based on the data we have collected. Our goal is for organizational resilience to insider threat to emerge from repeated application of patterns from the library.
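The pattern above amounts to a simple detection rule: once HR records a separation date, treat that user's activity in the 30 days before it with tighter thresholds than the baseline. The following Python is an added illustration of that rule, not code from the CERT report. The log line format, the field names, the separation feed, the two byte thresholds, and the off-hours rule are all assumptions chosen for the example; the sample events are constructed.

```python
"""Added example: tightened monitoring for insiders inside a 30-day departure window."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# --- Constructed sample inputs (made up for this example, not taken from the report) ---
# Assumed HR feed: user -> last day of employment.
SEPARATIONS: Dict[str, date] = {
    "alice": date(2024, 3, 29),
    "bob": date(2024, 6, 30),
}

# Assumed endpoint / file-server log format: "<ISO timestamp> <user> <action> k=v ...".
EVENTS = [
    "2024-03-05T09:12:00 alice file_copy dest=usb path=/projects/design.zip bytes=524288000",
    "2024-03-06T22:41:00 alice email_attach dest=external path=/projects/specs.pdf bytes=8388608",
    "2024-03-06T10:00:00 bob file_copy dest=usb path=/hr/handbook.pdf bytes=1048576",
    "2024-03-07T11:00:00 carol file_copy dest=usb path=/sales/forecast.xlsx bytes=2097152",
    "2024-03-07T03:15:00 alice vpn_login src=198.51.100.7",
]

WINDOW_DAYS = 30                     # the report's "last 30 days" window
BASELINE_BYTES = 100 * 1024 * 1024   # assumed baseline: alert only when >100 MB leaves the org
DEPARTING_BYTES = 1 * 1024 * 1024    # assumed tightened threshold inside the departure window
EXFIL_ACTIONS = {"file_copy", "email_attach"}
EXTERNAL_DESTS = {"usb", "external"}


@dataclass
class Event:
    when: datetime
    user: str
    action: str
    attrs: Dict[str, str]


@dataclass
class Alert:
    user: str
    when: datetime
    reason: str
    severity: str


def parse_event(line: str) -> Event:
    """Split one assumed-format log line into its fields."""
    ts, user, action, *rest = line.split()
    attrs = dict(kv.split("=", 1) for kv in rest)
    return Event(datetime.fromisoformat(ts), user, action, attrs)


def days_to_departure(user: str, when: datetime) -> Optional[int]:
    """Days until the user's last day, or None if no separation is on file."""
    term = SEPARATIONS.get(user)
    if term is None:
        return None
    return (term - when.date()).days


def is_departing(user: str, when: datetime) -> bool:
    d = days_to_departure(user, when)
    return d is not None and 0 <= d <= WINDOW_DAYS


def assess(ev: Event) -> Optional[Alert]:
    """Apply the baseline rule, or the tightened rule if the user is departing."""
    departing = is_departing(ev.user, ev.when)
    # Rule 1: data moved to removable media or outside the organization.
    if ev.action in EXFIL_ACTIONS and ev.attrs.get("dest") in EXTERNAL_DESTS:
        size = int(ev.attrs.get("bytes", "0"))
        threshold = DEPARTING_BYTES if departing else BASELINE_BYTES
        if size > threshold:
            severity = "high" if size > BASELINE_BYTES else "medium"
            tag = "departing insider" if departing else "baseline"
            return Alert(ev.user, ev.when,
                         f"{ev.action} of {size} bytes to {ev.attrs['dest']} ({tag})", severity)
    # Rule 2: off-hours remote access is escalated only inside the departure window;
    # for everyone else it stays at baseline and produces no alert here.
    if departing and ev.action == "vpn_login" and not 7 <= ev.when.hour < 19:
        return Alert(ev.user, ev.when, "off-hours VPN login in departure window", "medium")
    return None


def run(lines: List[str]) -> List[Alert]:
    """Evaluate every log line and return the alerts raised."""
    return [a for a in (assess(parse_event(line)) for line in lines) if a]


if __name__ == "__main__":
    for a in run(EVENTS):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.user:<6} {a.severity:<6} {a.reason}")
```

Against the constructed events, only alice (24 and 22 days from her last day) trips the tightened rules: a large USB copy, an 8 MB e-mail attachment that the baseline would have ignored, and a 03:15 VPN login. bob's copy falls outside his window and carol has no separation on file, so both stay under the baseline threshold. In practice the separation feed must be reliable and timely, since a user missing from it silently falls back to baseline monitoring.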
Abstract:
The Insider Threat Security Reference Architecture (ITSRA) provides an enterprise-wide solution to insider threat. The architecture consists of four security layers: Business, Information, Data, and Application. Organizations should deploy and enforce controls at each layer to address insider attacks. None of the layers functions in isolation or independently of the other layers. Rather, the correlation of indicators and application of controls across all four layers form the crux of this approach. Empirical data consisting of more than 700 cases of insider crimes shows that insider attacks succeeded in inflicting damage when an organization failed to implement adequate controls in any of three security principles: authorized access, acceptable use, and continuous monitoring. The ITSRA draws from existing best practices and standards as well as from analysis of these cases to provide actionable guidance for organizations to improve their posture against the insider threat.
Abstract:
The insider threat is a problem faced by all industries and sectors today. It is an issue of growing concern, as the consequences of insider incidents can include not only financial losses but also the loss of clients and business days. The actions of a single insider can cause damage to an organization ranging from a few lost staff hours to negative publicity and financial damage so extensive that a business may be forced to lay off employees or even close its doors. Furthermore, insider incidents can have repercussions extending beyond the affected organization to include disruption of operations or services critical to a specific sector. In The National Strategy to Secure Cyberspace, the President's Critical Infrastructure Protection Board emphasizes the importance of continual evaluation to identify vulnerabilities in, and threats to, government and private information networks and systems.
Abstract:
The primary objective of this project was to research and develop applied computer forensic approaches for preventing and detecting insider threats in sensitive organizations, in conjunction with advanced access control systems such as Fine-grained, Active, and Scalable Access Control (FASAC). Access control is the fundamental basis of computer security, but it remains a relative weakness in dealing with everyday threats, especially those posed by insiders. To address insider threats against critical information systems, an advanced access control approach was investigated that supports fine-grained, active, and scalable access control services.
Abstract:
This article is the sixth in the series Spotlight On, published by the CERT Insider Threat Center at Carnegie Mellon University's Software Engineering Institute and funded by CyLab. Each article focuses on a specific area of concern and presents analysis based on hundreds of actual insider threat cases cataloged in the CERT insider threat database. This article focuses on cases in which the malicious insider was employed by a trusted business partner of the victim organization. We first define the concept of trusted business partner (TBP) and then describe case scenarios in which a TBP has become an insider threat. These case scenarios concentrate on presenting the who, what, why, and how of the illicit activity. Finally, we provide recommendations that may be useful in countering these threats.
Abstract:
There exists a critical gap in current insider threat technology. To date, efforts on insider threat have not seriously taken into account the impact of deception by the insider. Without a clear understanding of this impact and mechanisms for deception detection, technology for handling insider threat attacks (beyond simple attacks) can only be reactive in nature, and will often be too slow and too late to prevent or even correct the damage done. In this project, we have identified a number of potential technology and research avenues that can provide an essential basis for developing a dynamic and proactive response to insider threats. The two primary technologies of interest are user modeling and deception detection. First, the application of user modeling technology in a novel manner provides unique capabilities for recognizing various classes of insider threats. User modeling in the past has typically been employed to assist the user, capitalizing on knowledge about his or her previous behavior and current roles to infer goals, motives, and intentions in order to anticipate (predict) and facilitate subsequent actions. We observed that such prediction can be used not only to anticipate a future course for the purpose of facilitating pursuit of that course, but also to detect deviations from that course. The second technology is the detection of deception, where different levels and types of deception and their indicators are modeled.