Insider Threat
Engineering Secure Software
Last Revised: November 11, 2020
SWEN-331: Engineering Secure Software, Benjamin S Meyers
Lottery Story
● At a lottery agency, a manager was able to turn losing tickets into winners
  ○ He would buy the ticket, then modify the database
  ○ Stole $63,000 over the course of a year and a half
● Lottery agencies have lots of internal auditing
  ○ Asked the manager to investigate his own fraud
  ○ He dragged the investigation on
Lottery Story
● Manager went on vacation (with the money he stole)
  ○ Agency assigned someone else to pick up the investigation
  ○ Discovered that the manager was covering up his fraud
  ○ Agency calls and fires the manager while he’s on vacation
● Agency disabled his physical access, but forgot to inform his employees of the incident
  ○ Manager asked employees to delete logs/backups
  ○ Most of the evidence against him was lost
  ○ BUT! One of the employees messed up deleting the backup
Insider Threat: A Threat We Cannot Ignore
● Documented incidents are prevalent
  ○ Carnegie Mellon’s SEI has studied over 700 cyber-crimes originating from Insider Threat since 2000
● Many more occurring
  ○ In 2007, the Secret Service et al. conducted a survey of law enforcement officials and security executives
    ■ 31% of electronic crimes involved an insider
    ■ 49% of respondents experienced insider threat in the past year
● Wikileaks, anyone?
What is Insider Threat?
● When a malicious actor intentionally exceeds or misuses an authorized level of access
  ○ Not elevation of privilege, but an abuse of existing privileges
● Actors
  ○ Current employees
  ○ Former employees (especially “recently former”)
  ○ Contractors
● Affects the security of the organization
  ○ Data
  ○ Intellectual property
  ○ Daily business operations (availability)
Double Threat to SE
● Insider Threat affects SE in two ways
  ○ Insider users for the system that we release (e.g. hospital admins)
  ○ Insider developers to our own software development company (e.g. disgruntled developers)
● Liability considerations
  ○ Will our software facilitate insider threat?
  ○ Bring this up in your requirements elicitation meeting
    ■ Audit mechanisms
    ■ Deployment mechanisms
  ○ For everything else: hire some lawyers for a sneaky EULA
Types of Insiders
● Pure insider
  ○ An employee with rights/access/privileges
  ○ e.g. systems administrator, developer, co-ops
● Insider associate/affiliate
  ○ Someone with limited authorized access
  ○ e.g. developer, but on a different project
  ○ e.g. guards, maintenance workers
● Outside affiliate
  ○ Non-trusted outsiders
  ○ e.g. outsourced contractors
  ○ e.g. spouses/friends of employees that steal their credentials
Classes of Threats
● IT Sabotage
  ○ Intent of harming specific individuals, the organization, or the organization’s assets
● Personal Financial Gain
  ○ Intent of stealing/modifying confidential/proprietary information from the organization for financial gain
  ○ e.g. “Office Space”
● Business Advantage
  ○ Intent of stealing/modifying confidential/proprietary information from the organization for business advantages
  ○ e.g. industrial espionage, violating NDAs
● Miscellaneous
Classes of Threats
● Carnegie Mellon’s SEI: Common Sense Guide to Prevention and Detection of Insider Threats
  ○ Studies and categorizes reports of insider threat incidents
  ○ Suggests best practices for prevention and detection of insider threats
  ○ 3rd Edition: 2009 -- 190 incidents
  ○ 4th Edition: 2012 -- 371 incidents
  ○ 5th Edition: 2016 -- 734 incidents
Source: https://resources.sei.cmu.edu/
Some Considerations
● Majority of the insider attacks required significant planning ahead of time
● Majority of the insider attacks took place physically on the premises
● Majority of malicious actors involved in insider attacks faced criminal charges
  ○ And in most cases, the insiders were aware that they would face charges
Prevention vs. Detection
● Prevention is extraordinarily hard
  ○ Work environment
  ○ Good management
  ○ Predicting human nature
  ○ Deterrents are only somewhat effective
● Detection is much more feasible
  ○ Usually by someone using common sense
  ○ Audits of access logs
  ○ In most cases, live network detection was not involved
  ○ Drawback: reactive
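The slide's point that detection usually comes from "common sense" applied to access logs can be turned into a repeatable audit. The following is an added example written for these notes, not code from the course or from any lottery agency: it runs three separation-of-duty rules over a constructed audit log whose record layout, field names, account names and business-hours window are all assumptions. The rules encode exactly the kinds of conflict the lottery story illustrates (the buyer of a ticket editing its outcome, an investigator assigned to a case in which they are the subject), plus a simple off-hours check.

```python
"""Audit-log cross-check for separation-of-duty conflicts.

Added example (not from the SWEN-331 slides). The record layout
(timestamp, actor, action, target, extra), the action names and the
business-hours window are assumptions; every record below is constructed.
"""
from collections import defaultdict

# Constructed audit records: (timestamp, actor, action, target, extra)
AUDIT_LOG = [
    ("2020-03-01T09:12", "mgr_a",   "TICKET_PURCHASE", "T-1001", ""),
    ("2020-03-01T17:45", "mgr_a",   "DB_UPDATE",       "T-1001", "status=WIN"),
    ("2020-03-02T10:02", "clerk_b", "TICKET_PURCHASE", "T-1002", ""),
    ("2020-03-02T10:03", "sys",     "DB_UPDATE",       "T-1002", "status=LOSE"),
    ("2020-03-05T08:00", "audit",   "CASE_ASSIGN",     "CASE-7", "subject=mgr_a;investigator=mgr_a"),
    ("2020-03-06T22:10", "mgr_a",   "DB_UPDATE",       "T-1003", "status=WIN"),
]

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00 to 17:59 local time
SERVICE_ACCOUNTS = {"sys"}      # assumption: automated accounts exempt from the off-hours rule


def parse_extra(extra):
    """Turn 'k=v;k2=v2' into a dict; an empty string gives {}."""
    return dict(kv.split("=", 1) for kv in extra.split(";") if kv)


def find_violations(log):
    """Return (rule, actor, target, timestamp) tuples, in log order."""
    findings = []

    # First pass: who bought which ticket. Built over the whole log so the
    # check does not depend on purchase and update appearing in order.
    buyers = defaultdict(set)
    for _ts, actor, action, target, _extra in log:
        if action == "TICKET_PURCHASE":
            buyers[target].add(actor)

    # Second pass: apply the rules to each record.
    for ts, actor, action, target, extra in log:
        fields = parse_extra(extra)
        hour = int(ts[11:13])

        # Rule 1: whoever bought a ticket must not edit that ticket's record.
        if action == "DB_UPDATE" and actor in buyers[target]:
            findings.append(("SELF_DEALING", actor, target, ts))

        # Rule 2: nobody investigates a case in which they are the subject.
        if action == "CASE_ASSIGN" and fields.get("subject") == fields.get("investigator"):
            findings.append(("SELF_INVESTIGATION", fields["investigator"], target, ts))

        # Rule 3: human accounts changing outcomes outside business hours.
        if action == "DB_UPDATE" and actor not in SERVICE_ACCOUNTS and hour not in BUSINESS_HOURS:
            findings.append(("OFF_HOURS_UPDATE", actor, target, ts))

    return findings


if __name__ == "__main__":
    for rule, actor, target, ts in find_violations(AUDIT_LOG):
        print(f"{ts} {rule:<20} actor={actor} target={target}")
```

Each rule is a join across records rather than a property of any single record, which is why periodic audit over the whole log catches what per-event monitoring misses; it is also why an auditor with only partial logs (the situation the lottery agency ended up in) loses detection capability.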
Mobile Changed Everything
● Today, we carry computers with us everywhere we go
  ○ Easier to take assets with us (e.g. emails)
  ○ Easier to access assets remotely
  ○ Easier to provide access to others
● “Bring Your Own Device” is becoming the norm
● Modern reactions
  ○ Monitor everything (privacy concerns)
  ○ Disallow mobile devices entirely (employees don’t like that)
  ○ Separate networks (tough to manage)
Developer Insiders
● “Security through obscurity alone” is really not an option
  ○ Developer Insiders would know what servers to go to
  ○ Developer Insiders know the attack surface
● Access to production servers should be limited
  ○ Non-release changes to production need to be documented
  ○ Forces you to document your deployment process anyway
● On introducing backdoors
  ○ Very rarely introduced in the development phase
  ○ Most often in the maintenance phase
  ○ Very rare in open source
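"Non-release changes to production need to be documented" only helps if someone periodically checks that every observed change is actually covered by a release manifest or change ticket. The block below is an added example for these notes, not code from the course or from any real deployment tooling: it reconciles a constructed list of changes seen on production hosts against a constructed set of documented change records and reports the ones the documentation does not account for. The record layout, the `ref` field, the host and account names and the finding names are all assumptions.

```python
"""Reconcile observed production changes against documented change records.

Added example, not from the SWEN-331 slides or any named project. The
record layout, the 'ref' field and the finding names are assumptions made
for illustration; all data below is constructed.
"""

# Constructed: changes observed on production hosts, as a file-integrity
# monitor or deployment log might report them.
PROD_CHANGES = [
    {"host": "prod-web-1", "path": "/srv/app/release.tar", "by": "deploy_bot", "ref": "REL-2.3.0"},
    {"host": "prod-db-1",  "path": "/etc/app/config.yml",  "by": "dev_c",      "ref": None},
    {"host": "prod-db-1",  "path": "/srv/app/hotfix.py",   "by": "dev_d",      "ref": "CHG-118"},
    {"host": "prod-web-2", "path": "/srv/app/hotfix.py",   "by": "dev_d",      "ref": "CHG-118"},
    {"host": "prod-db-1",  "path": "/srv/app/patch.sql",   "by": "dev_e",      "ref": "CHG-999"},
    {"host": "prod-db-1",  "path": "/etc/app/config.yml",  "by": "dev_e",      "ref": "CHG-118"},
]

# Constructed: the documented changes (release manifests and hotfix tickets),
# each stating which hosts it covers and who was authorised to apply it.
DOCUMENTED = {
    "REL-2.3.0": {"hosts": {"prod-web-1", "prod-web-2"}, "performed_by": "deploy_bot"},
    "CHG-118":   {"hosts": {"prod-db-1"},                "performed_by": "dev_d"},
}


def reconcile(changes, documented):
    """Return (finding, host, path, actor, ref) for every change that the
    documentation does not account for, in the order the changes appear."""
    findings = []
    for c in changes:
        key = (c["host"], c["path"], c["by"], c["ref"])
        ref = c["ref"]
        if ref is None:
            # Nothing references this change at all.
            findings.append(("UNDOCUMENTED",) + key)
            continue
        rec = documented.get(ref)
        if rec is None:
            # The change cites a record that does not exist.
            findings.append(("UNKNOWN_REF",) + key)
        elif c["host"] not in rec["hosts"]:
            # The record exists but never covered this host.
            findings.append(("HOST_NOT_IN_SCOPE",) + key)
        elif c["by"] != rec["performed_by"]:
            # A valid ticket was used by someone other than the person it names.
            findings.append(("ACTOR_NOT_IN_RECORD",) + key)
    return findings


if __name__ == "__main__":
    for finding in reconcile(PROD_CHANGES, DOCUMENTED):
        print(*finding)
```

The check is deliberately one-directional: it asks whether every observed change is explained, not whether every ticket was applied. Running it from a host the developers cannot modify, against change data collected independently of the deploying accounts, is what gives it value against a developer insider, who otherwise knows exactly which record to edit.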
General Suggestions
● Be aware of the threat
  ○ Keep up with the latest stories
  ○ Apply those situations to yours
● Use the “buddy system”
  ○ Nobody should be left physically alone with important resources
● Logging and auditing
  ○ Everything is logged
  ○ Audits should actually happen periodically, both as a deterrent and for repudiation
● Archives and offsite backups
  ○ Mitigate tampering and destruction of backups
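The lottery story turned on employees being told to delete logs and backups, and the slide's answer is offsite archives that mitigate tampering and destruction. The following is an added example for these notes, not code from the course or from any product: it shows the simplest mechanism that makes such tampering visible, a hash-chained audit log whose chain head is copied to a location the operators cannot write (the "offsite checkpoint"). The log line format, the checkpoint convention and the sample entries are assumptions and constructed data; the scenarios at the end show what each kind of manipulation looks like to the verifier, including the one case a bare hash chain cannot catch on its own.

```python
"""Tamper-evident (hash-chained) audit log with an offsite checkpoint.

Added example, not from the SWEN-331 slides. Assumptions: entries are plain
strings, one per line; each stored hash covers the previous hash plus the
entry; the current chain head is periodically copied somewhere the logged-in
operators cannot write, and that copy is the 'checkpoint'.
"""
import hashlib

GENESIS = "0" * 64   # fixed starting value for the chain


def link_hash(prev_hash, entry):
    """Hash that binds an entry to everything before it."""
    return hashlib.sha256((prev_hash + "\n" + entry).encode()).hexdigest()


def chain(entries):
    """Return [(entry, hash)] with each hash covering the previous hash + entry."""
    prev, out = GENESIS, []
    for e in entries:
        h = link_hash(prev, e)
        out.append((e, h))
        prev = h
    return out


def verify(records, checkpoint=None):
    """Recompute the chain over stored (entry, hash) pairs. Returns (ok, reason)."""
    prev = GENESIS
    for i, (e, h) in enumerate(records):
        if link_hash(prev, e) != h:
            return False, f"entry {i} altered or an earlier entry removed"
        prev = h
    if checkpoint is not None and prev != checkpoint:
        return False, "chain head differs from offsite checkpoint (tail truncated or chain rewritten)"
    return True, "ok"


# Constructed sample entries (not real records).
ENTRIES = [
    "2020-03-01T09:12 mgr_a TICKET_PURCHASE T-1001",
    "2020-03-01T17:45 mgr_a DB_UPDATE T-1001 status=WIN",
    "2020-03-02T10:02 clerk_b TICKET_PURCHASE T-1002",
]


def demo():
    """Run the verifier over an intact log and three manipulated copies."""
    records = chain(ENTRIES)
    checkpoint = records[-1][1]   # copied offsite when the archive was taken

    # A: the incriminating middle line is deleted; the stored hashes are kept.
    deleted_middle = [r for r in records if "DB_UPDATE" not in r[0]]
    # B: the line is edited in place but its stored hash is left untouched.
    edited_in_place = [(e.replace("WIN", "LOSE"), h) for e, h in records]
    # C: the tail is dropped and every hash is recomputed, so the chain is
    #    internally consistent; only the offsite checkpoint reveals it.
    rewritten = chain(ENTRIES[:1])

    return {
        "intact": verify(records, checkpoint),
        "deleted_middle": verify(deleted_middle, checkpoint),
        "edited_in_place": verify(edited_in_place, checkpoint),
        "rewritten_without_checkpoint": verify(rewritten),
        "rewritten_with_checkpoint": verify(rewritten, checkpoint),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:<30} {'OK ' if ok else 'BAD'} {reason}")
```

Scenario C is the important one: an insider with write access to the log can always recompute a hash chain, so integrity of the log depends on the head (or the whole archive) being held where that insider has no write access. That is the "offsite backup" of the slide expressed as a concrete check rather than a policy.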
General Suggestions
● Job termination policies
  ○ Have one
  ○ Be prepared to disable accounts/physical access quickly
● Rotate duties
  ○ Better detection of anomalies
  ○ Better knowledge transfer anyway
● Holistic approach → defense in depth
  ○ People, data, technology, procedures, policies
● Don’t be an insider threat!
  ○ It’s unethical (and ruins your reputation)
  ○ They almost always get caught
Some Resources
● Carnegie Mellon’s SEI CERT Insider Threat Group
  ○ Definitive resource
  ○ CERT Home
  ○ Insider Threat Blog
  ○ Certificate Programs
  ○ Mitigations
● The Insider Threat: Combating the Enemy Within, by Clive Blackwell
  ○ ISBN 9781849280112
  ○ Available via RIT Library electronically for free
We Need More Stories
● Activity
  ○ 4 groups, each assigned a sector
    ■ Banking & Finance Sector
    ■ Government Sector
    ■ Internet Technology & Telecommunications Sector
    ■ Critical Infrastructure
  ○ Make a 5 minute presentation
    ■ Tell us stories of insider threat
    ■ Tell us interesting statistics
    ■ Tell us some lessons learned