I am my worst enemy — A first person look at Insider Threat

Post on 04-Aug-2015


May 13-14, 2014, Walter E. Washington Convention Center, Washington, DC

I’m my own worst enemy

A first-person look at insider threats

Ahmed Masud

Question

• Who is more dangerous?

– You or a hacker?

Agenda

• Are you the insider threat?

• Why should you care?

• Protecting yourself from yourself.

Who is the Insider Threat?

Do you know if you are?

Why you should care?

• Scenario 1: You are the fall guy

• Scenario 2: You are the target of interest

• Scenario 3: You are the casualty

Why should you care?

• Reason 1: Safety and security

• Reason 2: Choice

• Reason 3: Freedom

An exercise

• Do you feel you have access to information that can be used against your organization?

An exercise

• Do you feel that the access you have poses a threat to your organization?

An exercise

• Do you feel that the information you have access to is a threat to yourself?

An exercise

• Would you give your username and password to the person next to you?

An exercise

• Have you changed your password in the last 60 days?

• Have you given any of your passwords to anyone else?

• Have you used the same password at more than one location?

Password Statistics (2012)

• 61% reuse passwords among multiple websites.

• 54% have only five passwords or less.

• 44% change their password only once a year or less.

• 89% feel secure with their current password management and use habits.

• 21% have had an online account compromised.

Again the Question

• Who is more dangerous?

– You or a hacker?

The 64,000 dollar Question

• How much damage can you cause?

Exercise #2

• Have you emailed a sensitive document?

Exercise #2

• Do you have copies of company data at home?

Exercise #2

• On a USB stick you have in your pocket right now?

Exercise #2

• Ever let someone borrow your USB?

Exercise #2

• Company data of your former employer?

Data-theft Statistics

• 60% of incidents are attributed to insiders

Outsider threat = Insider threat

• The goal of an outside attack is to obtain the credentials of an insider

Perimeters ⇒ Insider

• Someone is always inside the perimeter

• How many perimeters can we manage?

Dealing with complexity

• What about complexity of operations?

• Where is the line?

Current best practices

• SANS Institute best practices, 3 examples:

– Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior

– Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions

– Close the doors to unauthorized data exfiltration.

Current best practices

• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior

– General, broad functional directive

Current best practices

• Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions

– Narrow technical directive

Current best practices

• Close the doors to unauthorized data exfiltration.

– Requirement? Mission statement? Directive?

Current best practices

• Too broad

• Too vague

• Too hard

• Too bad?

Insider threat prevention

• Too broad

• Too vague

• Too hard

• Too bad?

Science can be such a b1t¢h

• Generally, the Halting Problem SAYS NO!

• Special cases?

– Markov property

Promising policies

• Understand and respect your own access

• Deny by default

• There is no remediation for insider threats

Promising technologies

• Fundamental principles based in computer science theory

– Lang-Sec

– Cyber-attack modeling

Questions

• Ask away