Insider Attack & Cyber Security

Beyond the Hacker

by Salvatore J. Stolfo, Steven M. Bellovin, Shlomo Hershkop, Angelos D. Keromytis, Columbia University, USA

and Sara Sinclair, Sean W. Smith, Dartmouth College, USA




Preface
On behalf of the Organizing Committee, I am pleased to present to you the proceedings of the first Workshop on Insider Attack and Cyber Security held in Washington DC in June 2007. This book serves to educate all interested parties in academia, government and industry, and helps set an agenda for an ongoing research initiative to solve one of the most vexing problems encountered in securing our critical IT infrastructure, the insider threat. In some sense, the insider problem is the ultimate security problem. Insider threats, awareness and dealing with nefarious human activities in a manner that respects individual liberties and the privacy policies of organizations, while providing the best protection of critical resources and services that may be subjected to insider attack, is a very hard problem requiring a substantial effort by a large research community. We hope this book helps establish a community of researchers focused on addressing the insider problem.

The book contains a number of invited papers authored by attendees of the workshop. We believe the material that has been selected is of wide interest to the security research community. Papers have been invited that help define the nature and scope of the insider attack problem. Several papers provide an overview of technical solutions that have been proposed and discuss how they fail to solve the problem in its entirety. An essential theme of the workshop was to educate researchers as to the true nature of the problem in real-world settings. Papers are provided that describe the nature and scope of the insider problem as viewed by the financial industry. The book concludes with technical and legal challenges facing researchers who study and propose solutions to mitigate insider attacks.

We wish to thank Cliff Wang of the Army Research Office, Daniel Schutzer of the Financial Services Technology Consortium and Eric Goetz of the Institute for Information Infrastructure Protection for supporting our effort and sponsoring the Workshop, and Shari Pfleeger of Rand Corporation for providing the venue for our meeting and assistance in organizing the Workshop. We also thank the reviewers who served anonymously to vet the technical papers included here. Finally, we are especially grateful to Shlomo Hershkop and Sara Sinclair for their remarkable effort to organize and format the individual papers to produce a final cohesive manuscript.

January 2008
Salvatore J. Stolfo


Introduction
Editors:
Salvatore J. Stolfo
Steven M. Bellovin
Angelos D. Keromytis
Shlomo Hershkop
Columbia University
Department of Computer Science
1214 Amsterdam Avenue MC 0401
New York, NY 10027-7003 USA

Sean W. Smith
Sara Sinclair
Department of Computer Science
Dartmouth College
6211 Sudikoff Laboratory
Hanover, NH 03755-3510 USA

Series Editor:
Sushil Jajodia
George Mason University
Center for Secure Information Systems
4400 University Drive
Fairfax VA 22030-4444, USA

The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures by Andrew P. Moore, Dawn M. Cappelli, and Randall F. Trzeciak, Copyright 2007 Carnegie Mellon University is printed with special permission from the Software Engineering Institute.
CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY
MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.


Table of Contents
The Insider Attack Problem Nature and Scope
1 Introduction ..............................................................................................1
2 Types of Attack ........................................................................................1
2.1 Misuse of Access.............................................................................1
2.2 Defense Bypass ...............................................................................2
2.3 Access Control Failure ....................................................................2
3 Defend or Detect.......................................................................................3
4 The Role of Process..................................................................................4
5 Conclusion ................................................................................................4
Reflections on the Insider Threat
1 Introduction ..............................................................................................5
2 Who Is an Insider? ....................................................................................6
2.1 Motive .............................................................................................6
2.2 Effect ...............................................................................................7
2.3 Defining the Insider Threat..............................................................8
2.4 Context ............................................................................................8
3 Insider Threat Issues .................................................................................9
3.1 Data .................................................................................................9
3.2 Psychology ....................................................................................10
3.3 Monitoring and Privacy.................................................................12
3.4 Detecting Insider Attacks ..............................................................13
3.5 Technology....................................................................................13
4 Conclusions ............................................................................................14
Acknowledgments ...........................................................................................15
The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures
1 Introduction ............................................................................................19
2 General Observations About Insider IT Sabotage ..................................20
3 Model of the Insider IT Sabotage Problem.............................................24
3.1 Insider Expectation Escalation ......................................................25
3.2 Escalation of Disgruntlement ........................................................26
3.3 Attack Setup and Concealment......................................................27
3.4 The Trust Trap...............................................................................28
4 Possible Leverage Points for Addressing the Problem ...........................29
4.1 Early Mitigation Through Expectation Setting..............................29
4.2 Handling Disgruntlement Through Positive Intervention..............30
4.3 Targeted Monitoring......................................................................31
4.4 Eliminating Unknown Access Paths..............................................32
4.5 Measures Upon Demotion or Termination ....................................34
5 A Workshop on Insider IT Sabotage ......................................................35
5.1 The Instructional Case ...................................................................36
6 Conclusion ..............................................................................................39
6.1 Value of Modeling for Insight .......................................................40
6.2 Related CERT Research ................................................................41
Acknowledgments ...........................................................................................43
Appendix A: System Dynamics Background
Appendix B: The Insider IT Sabotage Training Case
1 Introduction.............................................................................................48
1.1 Background....................................................................................48
1.2 The Final Weeks............................................................................50
Appendix C: Model of the Insider IT Sabotage Problem
Appendix D: Insider Sabotage Mitigating Measures
Data Theft: A Prototypical Insider Threat........................................................53
1 Introduction.............................................................................................53
1.1 Data Theft......................................................................................53
1.2 Data Leakage .................................................................................54
1.3 Risk................................................................................................54
1.4 Recommendations .........................................................................55
2 Status Quo...............................................................................................55
2.1 History ...........................................................................................55
2.2 Risks & Controls ...........................................................................55
3 Recommendations...................................................................................61
3.1 Technical Controls.........................................................................61
3.2 Administrative Controls.................................................................64
3.3 Areas for Further Research............................................................66
4 Conclusions.............................................................................................67
Acknowledgments ...........................................................................................67
A Survey of Insider Attack Detection Research
1 Introduction.............................................................................................69
2 Insider Attacks ........................................................................................72
3 Detecting Insider Attacks........................................................................73
3.1 Host-based User Profiling..............................................................73
3.2 Network-Based Sensors.................................................................81
3.3 Integrated Approaches...................................................................82
3.4 Summary........................................................................................83
4 Future Research Directions.....................................................................85
5 Conclusion ..............................................................................................87
Naive Bayes as a Masquerade Detector: Addressing a Chronic Failure
1 Introduction.............................................................................................91
2 Related Work ..........................................................................................92
3 Background on Naive Bayes...................................................................94
4 Objective and Approach .........................................................................94
5 Experiment With Synthetic Data ............................................................95
5.1 Variable Selection .........................................................................95
5.2 Synthetic Data ...............................................................................97
5.3 Experiment Control .......................................................................99
5.4 Procedure.......................................................................................99
5.5 Results and Analysis.................................................................... 100
6 Naive Bayes Mathematical Formulation .............................................. 101
6.1 Calculating the Anomaly Score................................................... 101
6.2 Manipulating the Anomaly Score................................................ 103
6.3 Effect of NBSCs .......................................................................... 105
7 Exploiting NBSCs to Cloak Attacks..................................................... 106
8 Naive Bayes Fortification ..................................................................... 107
8.1 The Fortified Detector ................................................................. 107
8.2 Evaluation Methodology ............................................................. 108
8.3 Evaluation Results and Analysis ................................................. 109
9 Discussion............................................................................................. 110
10 Conclusion ............................................................................................ 111
Towards a Virtualization-enabled Framework for Information Traceability (VFIT) ................ 113
1. Introduction .......................................................................................... 114
2. Threat Model and Requirements........................................................... 114
3. Background........................................................................................... 116
3.1. Models of Policy Enforcement .................................................... 116
3.2. Hardware Virtualization .............................................................. 117
4. System Architecture.............................................................................. 117
4.1. Platform Architecture .................................................................. 118
4.2. Network Architecture .................................................................. 119
5. Implementation..................................................................................... 120
5.1. Virtualization-enabled Information Tracing................................ 121
6. Analysis ................................................................................................ 124
6.1. Performance Discussion .............................................................. 125
6.2. Threat Mitigation......................................................................... 126
7. Related Work........................................................................................ 126
8. Conclusion ............................................................................................ 129
Acknowledgments ......................................................................................... 129
Reconfigurable Tamper-resistant Hardware Support Against Insider Threats: The Trusted ILLIAC Approach
1 Introduction .......................................................................................... 133
2 Software-based Transparent Runtime Randomization ......................... 135
3 Tamper-resistant Key-store Support for Threshold Cryptography ....... 137
3.1 Crypto-engine Architecture ......................................................... 138
3.2 Security Analysis......................................................................... 139
4 Information Flow Signature Checking for Data Integrity..................... 140
4.1 Threat Model ...............................................................................141
4.2 Approach .....................................................................................141
4.3 Implementation............................................................................143
5 System Architecture Including the Trusted Computing Engine ...........144
5.1 Protecting Against Insider Attack With User-level Privileges:
Runtime Guarantees ..................................................................................146
5.2 Protecting Against Insider Attack with Administrative Privileges:
Initialization and Runtime Guarantees ......................................................147
6 Conclusions and Future Directions.......................................................149
Surviving Insider Attacks: A Call for System Experiments
1 Introduction...........................................................................................153
2 Principles for Survivability ...................................................................155
2.1 Avoidance of a Single Point of Failure........................................156
2.2 Independence of Failure Modes and Attack Vulnerabilities........157
2.3 Fast Recovery from Failure and Attack.......................................158
2.4 Attack Deterrence ........................................................................159
2.5 Least Privilege Authorization ......................................................160
3 Cost Factors ..........................................................................................161
4 Conclusion: A Call for Research and Development Experiments ........161
Preventative Directions For Insider Threat Mitigation Via Access Control
1 Introduction...........................................................................................165
2 Definitions and Threat Model...............................................................168
2.1 The Insider...................................................................................168
2.2 Types of Insiders .........................................................................169
2.3 Damage of Insider Attacks ..........................................................169
2.4 Threat Model ...............................................................................170
3 Background and Primitives...................................................................171
3.1 Authentication and Authorization................................................171
3.2 Access Control Principles............................................................172
3.3 MAC, DAC, and Intermediate Schemes......................................172
3.4 Users and Groups.........................................................................173
3.5 Roles and Role Engineering ........................................................174
3.6 Public Key Cryptography ............................................................174
4 Requirements ........................................................................................175
4.1 Functionality................................................................................175
4.2 Usability and Cost .......................................................................176
4.3 Scale and Complexity..................................................................178
4.4 Domain Considerations ...............................................................179
5 Tools .....................................................................................................181
5.1 Passwords: Knowledge-Based Authentication ............................181
5.2 Biometrics: Physiology-Based Authentication ............................182
5.3 Tokens: Possession-Based Authentication ..................................183
5.4 PKI: Authentication via Digital Certificates................................184
5.5 Distributed Authentication and Identity Management................. 185
5.6 Distributed Authorization ............................................................ 186
6 Ongoing Challenges.............................................................................. 188
6.1 A Snapshot of a Motion Picture .................................................. 189
6.2 Privilege Issuance and Review.................................................... 189
6.3 Auditing and Visualization.......................................................... 190
6.4 Role Drift and Escalation ............................................................ 190
6.5 Expressiveness and Need to Know.............................................. 191
6.6 Incentives..................................................................................... 191
7 Conclusions .......................................................................................... 191
Acknowledgments ......................................................................................... 192
Taking Stock and Looking Forward – An Outsider’s Perspective on the Insider Threat
1 Introduction .......................................................................................... 196
2 What Is An “Insider Threat”? ............................................................... 198
3 How Does The Research Community Get Better Data?....................... 201
3.1 Changing the Incentives that Organizations Face........................ 205
3.2 Integrating Technical Solutions with Social Science
3.3 Creating a Response and Recovery System for Insider Threats .. 211
4 Conclusion ............................................................................................ 213
Research Challenges for Fighting Insider Threat in the Financial Services Industry
1 Introduction .......................................................................................... 215
2 Employee Screening And Selection ..................................................... 216
3 Access Controls .................................................................................... 217
4 Monitoring And Detection.................................................................... 218
Hard Problems and Research Challenges Concluding Remarks.................. 219
Index................................................................................................................... 223




Product details
Price:
Pages: 228 p
File Size: 2,528 KB
File Type: PDF format
ISBN-13: 978-0-387-77321-6
e-ISBN-13: 978-0-387-77322-3
Copyright: 2008 Springer Science+Business Media, LLC