Honey Sheets: What Happens to Leaked Google Spreadsheets?

Cloud-based documents are inherently valuable, due to the volume and nature of sensitive personal and business content stored in them. Despite the importance of such documents to Internet users, there are still large gaps in the understanding of what cybercriminals do when they illicitly get access to them by for example compromising the account credentials they are associated with. In this paper, we present a system able to monitor user activity on Google spreadsheets. We populated 5 Google spreadsheets with fake bank account details and fake funds transfer links. Each spreadsheet was configured to report details of accesses and clicks on links back to us. To study how people interact with these spreadsheets in case they are leaked, we posted unique links pointing to the spreadsheets on a popular paste site. We then monitored activity in the accounts for 72 days, and observed 165 accesses in total. We were able to observe interesting modifications to these spreadsheets performed by illicit accesses. For instance, we observed deletion of some fake bank account information, in addition to insults and warnings that some visitors entered in some of the spreadsheets. Our preliminary results show that our system can be used to shed light on cybercriminal behavior with regards to leaked online documents

Insider Threat Mitigation Models Based on Thresholds and Dependencies

Insider threat causes great damage to data in any organization and is considered a serious issue. In spite of the presence of threat prevention mechanisms, sophisticated insiders still continue to attack a database with new techniques. One such technique which remains an advantage for insiders to attack databases is the dependency relationship among data items. This thesis investigates the ways by which an authorized insider detects dependencies in order to perform malicious write operations. The goal is to monitor malicious write operations performed by an insider by taking advantage of dependencies. A term called `threshold\u27 is associated with every data item, which defines the limit and constraints to which changes could be made to a data item by a write operation. Having threshold as the key factor, the thesis proposes two different attack prevention systems which involve log and dependency graphs that aid in monitoring malicious activities and ultimately secure the data items in a database. The proposed systems continuously monitors all the data items to prevent malicious operations, but the priority is to secure the most sensitive data items first, since any damage to them can hinder the functions of critical applications that use the database. By prioritizing the data items, delay in the transaction execution time is reduced in addition to mitigating insider threats arising from write operations. The developed algorithms have been implemented on a simulated database and the results show that the models mitigate insider threats arising from write operations effectively

Decoy Document Deployment for Effective Masquerade Attack Detection

Masquerade attacks pose a grave security problem that is a consequence of identity theft. Detecting masqueraders is very hard. Prior work has focused on profiling legitimate user behavior and detecting deviations from that normal behavior that could potentially signal an ongoing masquerade attack. Such approaches suffer from high false positive rates. Other work investigated the use of trap-based mechanisms as a means for detecting insider attacks in general. In this paper, we investigate the use of such trap-based mechanisms for the detection of masquerade attacks. We evaluate the desirable properties of decoys deployed within a user's file space for detection. We investigate the trade-offs between these properties through two user studies, and propose recommendations for effective masquerade detection using decoy documents based on findings from our user studies

Designing Host and Network Sensors to Mitigate the Insider Threat

We propose a design for insider threat detection that combines an array of complementary techniques that aims to detect evasive adversaries. We are motivated by real world incidents and our experience with building isolated detectors: such standalone mechanisms are often easily identified and avoided by malefactors. Our work-in-progress combines host-based user-event monitoring sensors with trap-based decoys and remote network detectors to track and correlate insider activity. We identify several challenges in scaling up, deploying, and validating our architecture in real environments

Identifying and Preventing Insider Threats

Insider threats, or attacks against a company from within, are a pressing issue both domestically and internationally. Frequencies of these threats increase each year adding to the overall importance of further research analysis. In fact, many case studies have been conducted which state that these employees who participate in insider attacks tend to exhibit certain personality and characteristic traits, as well as certain observable behaviors, that would indicate to other employees that an attack is imminent. It is hypothesized that companies will be able to take a more preventative stance of security as opposed to a reactive stance by identifying these characteristics and behaviors, as well as the motivations that drive them. In order to accomplish this task, companies must implement multiple layers of technological means of security, as well as take a more hands-on, holistic approach with company-wide involvement

Three Essays on Information-Securing in Organizations

This dissertation is intended to interpret, analyze, and explain the interplay between organizational structure and organizational information systems security by mapping structural contingency theory into three qualitative studies. The research motivation can be attributed in two ways. First, Johnson and Goetz\u27s (2007) conception of embedding information in organizations as part of their field research interviewing security executives serves as a methodological inspiration for the series of three studies reported here. The point that security should be infused into organization activities instead of serving as a bolted-on function is a central tenet guiding the development of this dissertation. Second, a macro approach is employed in the studies reported here, aimed at a theoretical expansion from existing behavioral security studies which typically take a micro perspective, while mitigating potential theoretical reductionism due to a predominant research concentration on individual components of organizational information security instead of the holistic function of the firm. Hence, this dissertation contributes to the behavioral organizational security research by positing a theoretical construct of information-securing, an organizational security process which is essentially characterized by dualism, dynamism, and democratism. With a macro organizational perspective on the elements of information securing, organizations can effectively discover and leverage organization-wide resources, efforts, and knowledge to cope with security contingencies. The first study of this dissertation is designed to investigate the nature of employees’ extra-role behaviors. This study investigated how employees might sometimes take steps beyond the requirements of the organizational-level security policy in order to facilitate effective workgroup operation and to assist less-skilled colleagues. The second study of this dissertation conducts an interpretive study of the role of information systems auditing in improving information security policy compliance in the workplace, with a specific focus on the role of non-malicious insiders who unknowingly or innocuously thwart corporate information security directives by engaging in unsafe computing practices. The last study of the dissertation explores the interplay between organizational structures and security activities. The organizational perspective of security bureaucracies is developed with three specific bureaucratic archetypes to define the evolutionary stages of the firm’s progress through evolving from coercive rule-based enforcement regimes to fully enabled and employee-centric security cultures in the workplace. Borrowing from Weberian metaphors, the characterization of security bureaucracies evolving from an “iron cage” to an “iron shield” is developed. These three studies revolving around the general notion of information-securing are deemed to be a promising start of a new stream of organizational IS security research. In order to enrich and extend our IS security literature, the perspective advocated in this dissertation suggests a shift in the epistemological paradigm of security behaviors in organizations from the prevailing micro views to macro perspectives which will result in very useful new perspectives on security management, security behaviors and security outcomes in organizations. GS Form 14 (8/10) APPROVAL FOR SCHOLAR