A Risk Management Approach to the “Insider Threat”

Recent surveys indicate that the financial impact and operating losses due to insider intrusions are increasing. But these studies often disagree on what constitutes an "insider;" indeed, many define it only implicitly. In theory, appropriate selection of, and enforcement of, properly specified security policies should prevent legitimate users from abusing their access to computer systems, information, and other resources. However, even if policies could be expressed precisely, the natural mapping between the natural language expression of a security policy, and the expression of that policy in a form that can be implemented on a computer system or network, creates gaps in enforcement. This paper defines "insider" precisely, in terms of these gaps, and explores an access-based model for analyzing threats that include those usually termed "insider threats." This model enables an organization to order its resources based on the business value for that resource and of the information it contains. By identifying those users with access to high-value resources, we obtain an ordered list of users who can cause the greatest amount of damage. Concurrently with this, we examine psychological indicators in order to determine which users are at the greatest risk of acting inappropriately. We conclude by examining how to merge this model with one of forensic logging and auditing

Auditing database systems through forensic analysis

The majority of sensitive and personal data is stored in a number of different Database Management Systems (DBMS). For example, Oracle is frequently used to store corporate data, MySQL serves as the back-end storage for many webstores, and SQLite stores personal data such as SMS messages or browser bookmarks. Consequently, the pervasive use of DBMSes has led to an increase in the rate at which they are exploited in cybercrimes. After a cybercrime occurs, investigators need forensic tools and methods to recreate a timeline of events and determine the extent of the security breach. When a breach involves a compromised system, these tools must make few assumptions about the system (e.g., corrupt storage, poorly configured logging, data tampering). Since DBMSes manage storage independent of the operating system, they require their own set of forensic tools. This dissertation presents 1) our database-agnostic forensic methods to examine DBMS contents from any evidence source (e.g., disk images or RAM snapshots) without using a live system and 2) applications of our forensic analysis methods to secure data. The foundation of this analysis is page carving, our novel database forensic method that we implemented as the tool DBCarver. We demonstrate that DBCarver is capable of reconstructing DBMS contents, including metadata and deleted data, from various types of digital evidence. Since DBMS storage is managed independently of the operating system, DBCarver can be used for new methods to securely delete data (i.e., data sanitization). In the event of suspected log tampering or direct modification to DBMS storage, DBCarver can be used to verify log integrity and discover storage inconsistencies

A FORENSICALLY-ENABLED IAAS CLOUD COMPUTING ARCHITECTURE

Cloud computing has been advancing at an intense pace. It has become one of the most important research topics in computer science and information systems. Cloud computing offers enterprise-scale platforms in a short time frame with little effort. Thus, it delivers significant economic benefits to both commercial and public entities. Despite this, the security and subsequent incident management requirements are major obstacles to adopting the cloud. Current cloud architectures do not support digital forensic investigators, nor comply with today’s digital forensics procedures – largely due to the fundamental dynamic nature of the cloud. When an incident has occurred, an organization-based investigation will seek to provide potential digital evidence while minimising the cost of the investigation. Data acquisition is the first and most important process within digital forensics – to ensure data integrity and admissibility. However, access to data and the control of resources in the cloud is still very much provider-dependent and complicated by the very nature of the multi-tenanted operating environment. Thus, investigators have no option but to rely on the Cloud Service Providers (CSPs) to acquire evidence for them. Due to the cost and time involved in acquiring the forensic image, some cloud providers will not provide evidence beyond 1TB despite a court order served on them. Assuming they would be willing or are required to by law, the evidence collected is still questionable as there is no way to verify the validity of evidence and whether evidence has already been lost. Therefore, dependence on the CSPs is considered one of the most significant challenges when investigators need to acquire evidence in a timely yet forensically sound manner from cloud systems. This thesis proposes a novel architecture to support a forensic acquisition and analysis of IaaS cloud-base systems. The approach, known as Cloud Forensic Acquisition and Analysis System (Cloud FAAS), is based on a cluster analysis of non-volatile memory that achieves forensically reliable images at the same level of integrity as the normal “gold standard” computer forensic acquisition procedures with the additional capability to reconstruct the image at any point in time. Cloud FAAS fundamentally, shifts access of the data back to the data owner rather than relying on a third party. In this manner, organisations are free to undertaken investigations at will requiring no intervention or cooperation from the cloud provider. The novel architecture is validated through a proof-of-concept prototype. A series of experiments are undertaken to illustrate and model how Cloud FAAS is capable of providing a richer and more complete set of admissible evidence than what current CSPs are able to provide. Using Cloud FAAS, investigators have the ability to obtain a forensic image of the system after, just prior to or hours before the incident. Therefore, this approach can not only create images that are forensically sound but also provide access to deleted and more importantly overwritten files – which current computer forensic practices are unable to achieve. This results in an increased level of visibility for the forensic investigator and removes any limitations that data carving and fragmentation may introduce. In addition, an analysis of the economic overhead of operating Cloud FAAS is performed. This shows the level of disk change that occurs is well with acceptable limits and is relatively small in comparison to the total volume of memory available. The results show Cloud FAAS has both a technical and economic basis for solving investigations involving cloud computing.Saudi Governmen

Digital behaviours and cognitions of individuals convicted of online child pornography offences

BACKGROUND: Modern Child Sexual Exploitation Material (CSEM) offences predominantly occur within a technological ecosystem. The behaviours and cognitions of CSEM offenders influence, and are influenced by, their choice of facilitative technologies that form that ecosystem. OBJECTIVES: This thesis will review the prior research on cognitive distortions present in and technology usage by CSEM offenders, and present a new theory, Lawless Space Theory (LST), to explain those interactions. The cognitions and technical behaviours of previously convicted CSEM offenders will be examined in a psychosocial context and recommendations for deterrence, investigative, and treatment efforts made. PARTICIPANTS AND SETTING: Data was collected using an online survey collected from two samples, one from a reference population of the general public (n=524) and one from a population of previously convicted CSEM offenders (n=78), both of which were composed of adults living in the United States. METHODS: Two reviews were conducted using a PRISMA methodology - a systematic review of the cognitive distortions of CSEM offenders and an integrative review of their technology usage. A theoretical basis for LST was developed, and then seven investigations of the survey data were conducted evaluating the public’s endorsement of lawless spaces; the public’s perceptions of CSEM offenders; the self-perceptions of CSEM offenders; the suicidality of the offender sample; the use of technology and countermeasures by the offender sample; the collecting and viewing behaviours of the offender sample; and the idiographic profiles of the offender sample. RESULTS: The reviews found that the endorsement of traditional child contact offender cognitive distortions by CSEM offenders was low, and that they continued to use technology beyond its normative lifecycle. LST was developed to explain these behaviours, and the view of the Internet as generally lawless was endorsed by the reference and offender samples. The public sample showed biased beliefs that generally overestimated the prevalence of, and risk associated with, CSEM offending when compared to the offender sample. Offenders were found to have viewed investigators as having a lack of understanding and compassion, and they exhibited very high suicidal ideation following their interaction with law enforcement. Offenders exhibited similar technical abilities and lower technophilia than the reference sample, chose technologies to both reduce psychological strain and for utility purposes, and many exhibited cyclic deletions of their collections as part of a guilt/shame cycle. CONCLUSIONS AND IMPLICATIONS: Understanding CSEM offenders’ technological behaviours and cognitions can inform more effective investigative, deterrence, and treatment efforts. Law enforcement showing compassion during investigations may generate more full disclosures while facilitating offender engagement with resources to reduce suicidality. Deterrence efforts focused on establishing capable guardianship and reducing perceived lawlessness provide the potential to reduce offending. Treatment of criminogenic needs for the majority of CSEM offenders is not supported by evidence, but non-criminogenic treatment warrants broader consideration