36 research outputs found

    A Risk Management Approach to the “Insider Threat”

    Recent surveys indicate that the financial impact and operating losses due to insider intrusions are increasing. But these studies often disagree on what constitutes an "insider;" indeed, many define it only implicitly. In theory, appropriate selection of, and enforcement of, properly specified security policies should prevent legitimate users from abusing their access to computer systems, information, and other resources. However, even if policies could be expressed precisely, the natural mapping between the natural language expression of a security policy, and the expression of that policy in a form that can be implemented on a computer system or network, creates gaps in enforcement. This paper defines "insider" precisely, in terms of these gaps, and explores an access-based model for analyzing threats that include those usually termed "insider threats." This model enables an organization to order its resources based on the business value for that resource and of the information it contains. By identifying those users with access to high-value resources, we obtain an ordered list of users who can cause the greatest amount of damage. Concurrently with this, we examine psychological indicators in order to determine which users are at the greatest risk of acting inappropriately. We conclude by examining how to merge this model with one of forensic logging and auditing

    Spring 2006 Vol. 9 No. 1


    Spring 2006


    Satellite meteorology in the cold war era: scientific coalitions and international leadership 1946-1964

    In tracing the history of the TIROS meteorological satellite system, this dissertation details the convergence of two communities: the DOD space scientists who established US capability to launch and operate these remote sensing systems and the US Weather Bureau meteorologists who would be the managers and users of satellite data. Between 1946 and 1964, these persons participated in successive coalitions. These coalitions were necessary in part because satellite systems were too big—geographically, fiscally, and technically—to be developed and operated within a single institution. Thus, TIROS technologies and people trace their roots to several research centers—institutions that the USWB and later NASA attempted to coordinate for US R&D. The gradual transfer of persons and hardware from the armed services to the non-military NASA sheds light on the US’s evolution as a Cold War global power, shaped from the “top-down” (by the executive and legislative branches) as well as the “bottom-up” (by military and non-military scientific communities). Through these successive coalitions, actor terms centered on “basic science” or the circulation of atmospheric data were used to help define bureaucratic places (the Upper Atmospheric Rocket Research Panel, International Geophysical Year, NASA, and the World Weather Watch) in which basic research would be supported by sustained and collaboration could take place with international partners. Ph.D

    Disaggregating the United States Military: An Analysis of the Current Organizational and Management Structure of U.S. National Security Policy as It Relates to Military Operations in Space

    This thesis was written to provide the reader with a comprehensive assessment about the realities of the current organizational and management structure of United States national security policy as it relates to the conduct of military operations in space. To create an encompassing argument, this thesis considers the current organizational structure of United States space policy while acknowledging that space has, in fact, become a warfighting domain. A reorganization of this magnitude has the potential to generate a succinct chain of command for military space operations while condensing the space acquisitions process and ultimately providing military space operations with the attention and resources needed to keep America and its allies safe. However, this thesis examines if reconfiguring the current organizational and management structure of United States national security space components does, in fact, have the power to accomplish such objectives. This thesis relies heavily upon the testimonies and documentation derived from both the Department of Defense, as well as the United States Congress. In addition, it is acknowledged that U.S. policymakers have driven this issue into becoming one that is largely bureaucratic and inherently politicized. This thesis ultimately concludes that some degree of reconfiguration to the current organizational and management structure of United States policy as it relates to military operations in space has the potential to positively affect the national security space establishment

    A flow-based multi-agent data exfiltration detection architecture for ultra-low latency networks

    This is an accepted manuscript of an article published by ACM in ACM Transactions on Internet Technology on 16/07/2021, available online: https://dl.acm.org/doi/10.1145/3419103 The accepted version of the publication may differ from the final published version. Modern network infrastructures host converged applications that demand rapid elasticity of services, increased security and ultra-fast reaction times. The Tactile Internet promises to facilitate the delivery of these services while enabling new economies of scale for high-fidelity of machine-to-machine and human-to-machine interactions. Unavoidably, critical mission systems served by the Tactile Internet manifest high-demands not only for high speed and reliable communications but equally, the ability to rapidly identify and mitigate threats and vulnerabilities. This paper proposes a novel Multi-Agent Data Exfiltration Detector Architecture (MADEX) inspired by the mechanisms and features present in the human immune system. MADEX seeks to identify data exfiltration activities performed by evasive and stealthy malware that hides malicious traffic from an infected host in low-latency networks. Our approach uses cross-network traffic information collected by agents to effectively identify unknown illicit connections by an operating system subverted. MADEX does not require prior knowledge of the characteristics or behaviour of the malicious code or a dedicated access to a knowledge repository. We tested the performance of MADEX in terms of its capacity to handle real-time data and the sensitivity of our algorithm’s classification when exposed to malicious traffic. Experimental evaluation results show that MADEX achieved 99.97% sensitivity, 98.78% accuracy and an error rate of 1.21% when compared to its best rivals. We created a second version of MADEX, called MADEX level 2 that further improves its overall performance with a slight increase in computational complexity. We argue for the suitability of MADEX level 1 in non-critical environments, while MADEX level 2 can be used to avoid data exfiltration in critical mission systems. To the best of our knowledge, this is the first article in the literature that addresses the detection of rootkits real-time in an agnostic way using an artificial immune system approach while it satisfies strict latency requirements

    An Information Security Policy Compliance Reinforcement and Assessment Framework

    The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64% converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21%