1,998 research outputs found

    Caught in the act of an insider attack: detection and assessment of insider threat

    The greatest asset that any organisation has is its people, but they may also be the greatest threat. Those who are within the organisation may have authorised access to vast amounts of sensitive company records that are essential for maintaining competitiveness and market position, and knowledge of information services and procedures that are crucial for daily operations. In many cases, those who have such access do indeed require it in order to conduct their expected workload. However, should an individual choose to act against the organisation, then with their privileged access and their extensive knowledge, they are well positioned to cause serious damage. Insider threat is becoming a serious and increasing concern for many organisations, with those who have fallen victim to such attacks suffering significant damages including financial and reputational. It is clear then, that there is a desperate need for more effective tools for detecting the presence of insider threats and analyzing the potential of threats before they escalate. We propose Corporate Insider Threat Detection (CITD), an anomaly detection system that is the result of a multi-disciplinary research project that incorporates technical and behavioural activities to assess the threat posed by individuals. The system identifies user and role-based profiles, and measures how users deviate from their observed behaviours to assess the potential threat that a series of activities may pose. In this paper, we present an overview of the system and describe the concept of operations and practicalities of deploying the system. We show how the system can be utilised for unsupervised detection, and also how the human analyst can engage to provide an active learning feedback loop. By adopting an accept or reject scheme, the analyst is capable of refining the underlying detection model to better support their decision-making process and significantly reduce the false positive rate

    Document flow tracking within corporate networks

    Master's thesis, Information Security, University of Lisbon, Faculty of Sciences, 2009. News about sensitive documents being leaked to the Internet is becoming commonplace in today’s headlines. In October of 2009, the United Kingdom Ministry of Defense Manual of Security, with 2389 pages, which fully describes the United Kingdom military protocol for all security and counter-intelligence operations, was inadvertently made public. This is only one case, but there are examples of information leaks from almost any area, from medical to financial. These information leaks can have serious consequences to those affected by them, such as exposing business secrets, brand damage or large fines from regulation entities. An information leak can have multiple causes, one being the employee who inadvertently exposes sensitive documents to the exterior of the company. In this work, we propose a solution capable of tracking files within a corporate network and detecting situations that can lead to a sensitive document being leaked to the exterior. We resort to an agent installed on the hosts to be monitored that detects and logs the usage of files by potentially dangerous operations, such as copying it to a removable drive or sending it by e-mail as an attachment. Those operations are logged and collected to a central repository, where we make use of a correlation engine to find relationships between different copies of the same file. Finally, we have developed and evaluated a prototype that implements the proposed solution, proving that it can indeed be used to detect information leaks

    Overcoming Data Breaches and Human Factors in Minimizing Threats to Cyber-Security Ecosystems

    This mixed-methods study focused on the internal human factors responsible for data breaches that could cause adverse impacts on organizations. Based on the Swiss cheese theory, the study was designed to examine preventative measures that managers could implement to minimize potential data breaches resulting from internal employees' behaviors. The purpose of this study was to provide insight to managers about developing strategies that could prevent data breaches from cyber-threats by focusing on the specific internal human factors responsible for data breaches, the root causes, and the preventive measures that could minimize threats from internal employees. Data were collected from 10 managers and 12 employees from the business sector, and 5 government managers in Ivory Coast, Africa. The mixed methodology focused on the why and who using the phenomenological approach, consisting of a survey, face-to-face interviews using open-ended questions, and a questionnaire to extract the experiences and perceptions of the participants about preventing the adverse consequences from cyber-threats. The results indicated the importance of top managers to be committed to a coordinated, continuous effort throughout the organization to ensure cyber security awareness, training, and compliance of security policies and procedures, as well as implementing and upgrading software designed to detect and prevent data breaches both internally and externally. The findings of this study could contribute to social change by educating managers about preventing data breaches who in turn may implement information accessibility without retribution. Protecting confidential data is a major concern because one data breach could impact many people as well as jeopardize the viability of the entire organization

    Data flows of classified documents

    Master's thesis in Information Security, presented to the University of Lisbon, through the Faculty of Sciences, 2010. The present acceleration of the evolution of products and services makes information one of the world’s greatest assets. The more "immaterial" is the product such as services, intellectual property (IP) and media the more important is the matter. This accelerated life cycle makes the exposure of information to threats bigger than in the past, when the slower development permitted a tighter control over the information itself and its exposure. Another contributing factor is the involvement of an increasing number of company collaborators in accessing sensitive information. The increasing digitalization of data and connectivity between entities in a connected and accelerated world makes the security of the information a more complicated subject to deal with than in previous eras. Several methods and techniques have been developed to protect information’s confidentiality, integrity, authenticity and access authorization. Less attention has been given to detect in a structured way where or by whom the information may be leaking out of the company. This project aims to contribute to the solution of this problem of detecting the leakage of sensitive data. For that purpose, the project proposes methods to tag and control the use of sensitive information within the company premises. Due to the nature of some of the techniques proposed, privacy concerns may arise, but since the techniques are for use only with sensitive data that belongs to the company, those concerns are possible to be argued with. In this work the considered document type is Microsoft Office Word 2007 which implements a new file type that has an open nature as opposed to previous binary and closed format versions. Since this is a widely used tool within corporations its choice is well justified. Other possible cases would be Excel and PowerPoint file types that also have an open architecture starting from Office 2007. Outside of the world of Microsoft Office the most prominent case is the PDF files, but those will require a completely different approach as the Office files have some well-built tools to implement the intended features. This solution is aimed at a major telecom company that has the concerns mentioned above: it commercializes intangible products - services and media and owns considerable IP due to its ongoing support for the investigation of new products and services. This could nevertheless be deployed in any other type of company that supports its operation by way of electronic data, as is the case in the large majority of today’s enterprises

    Dagstuhl News January - December 2008

    "Dagstuhl News" is a publication edited especially for the members of the Foundation "Informatikzentrum Schloss Dagstuhl" to thank them for their support. The News give a summary of the scientific work being done in Dagstuhl. Each Dagstuhl Seminar is presented by a small abstract describing the contents and scientific highlights of the seminar as well as the perspectives or challenges of the research topic

    Data Loss Prevention Management and Control: Inside Activity Incident Monitoring, Identification, and Tracking in Healthcare Enterprise Environments

    As healthcare data are pushed online, consumers have raised big concerns on the breach of their personal information. Law and regulations have placed businesses and public organizations under obligations to take actions to prevent data breach. Among various threats, insider threats have been identified to be a major threat on data loss. Thus, effective mechanisms to control insider threats on data loss are urgently needed. The objective of this research is to address data loss prevention challenges in healthcare enterprise environment. First, a novel approach is provided to model internal threat, specifically inside activities. With inside activities modeling, data loss paths and threat vectors are formally described and identified. Then, threat vectors and potential data loss paths have been investigated in a healthcare enterprise environment. Threat vectors have been enumerated and data loss statistics data for some threat vectors have been collected. After that, issues on data loss prevention and inside activity incident identification, tracking, and reconstruction are discussed. Finally, evidences of inside activities are modeled as evidence trees to provide guidance for inside activity identification and reconstruction

    Examining the Effects of Cultural Dimensions on Deviant IS Use Behaviour in a Developing Economy Context

    Information System (IS) tools and applications create opportunities for a positive digital change to all individuals and organizations in the global workplace to improve competitiveness and quality of work life. Recent studies have shown that the most problematic areas in IS security incidences are people-related factors. In this regard, employees are causing IS security risks and vulnerabilities as they use those resources, especially by exercising their legitimate and lawful rights, mainly because people are the weakest link on IS security matters. On the one hand, the effects of organizational sanctions are not always effective due to socio-cultural variabilities, and so far they have not been able to fully defend employee related IS misuse or misconduct. On the other hand, the use of neutralization techniques supports individuals to justify their deviant actions, but differently to people in different socio-cultural bases. To examine such a problem, therefore, culture as a moderator, criminological constructs and level of employees’ awareness to IS security as independent variables are employed to explain IS misuse intention in unison are proposed through a comprehensive conceptual research model. A positivist research paradigm using a cross-sectional quantitative survey data collection approach will be adapted to help empirically test the model. To validate the model and its constructs, the study will apply SEM-PLS data analysis techniques using Smart-PLS and SPSS with Amos. Finally, this study in progress discusses the potential practical and theoretical contributions and plans to provide scientific evidence based on its findings