Often when information security mechanisms are implemented, it is external
attackers that we mostly look to prevent and detect. However, the 2011 Cyber
Security Watch Survey [1] found that 21% of reported attacks were by known or
suspected insiders, with 46% of respondents expressing concern that the damage
caused by insiders exceeded what external attackers could have caused. So why
aren't we doing more to stop insider threats?
Insider threats have always existed. We have been aware of the issue for some time,
as confirmed in 1995 when Power [2] wrote that "the greatest threat comes from
inside your own organisation". However, with our heavy reliance on rapidly
advancing technologies, the insider threat continues to be a growing problem.
Many attempts have been made to define and characterise the insider threat over
the years, and these definitions have had to change with advances in technology.
Recently CERT [3] conducted a vast amount of research on this topic, resulting in a
thorough definition built around the key phrases "authorised access", "intentionally
exceeded or misused" and "negatively affect".
Unsurprisingly, the effect of insider activity can be far-reaching. Whether these
activities are committed for revenge, or for financial or egotistical motives, the
consequence is the same: damage is caused. This could take the form of
reputational damage, financial loss or physical damage to networks and
equipment. Often the scale of damage is even larger than that which could be
caused by external attackers and, because insiders hold authorised access, it can
go undetected for longer periods of time.
With the recent press attention surrounding Chelsea Manning (formerly Bradley
Manning) and Edward Snowden, there is a concern that these detailed reports may
expose the loopholes in technology systems which insiders often exploit. This may
encourage the development of new insider threat actors as they become aware of
the simplicity and effectiveness of conducting these detrimental activities.
A further concern is that our highly interconnected society, with its growing reliance
on social media, could encourage a new type of insider threat: one where social media
profiles are used by external groups to recruit an organisation's employees.
Alternatively, the sharing culture of social media networks may encourage a
generation of insider threats who share stolen data with their online network.
Therefore, as the workforce becomes saturated with the tech-savvy generation Y,
perhaps our concerns shall grow further.
Although the problem is growing, there has yet to be a successful, all-encompassing
solution for the prevention and detection of insider threats. Instead there
continue to be many niche contributions to the area, covering both technological and
behavioural detection mechanisms, each of which approaches the problem from a
different angle. This does not provide complete coverage for detection of the insider
threat. Therefore, my contribution to this area, as part of my final year project, is the
development of a prototype tool which aims to detect insider threats by relying on
the artefacts that remain on a Windows host following malicious activity. The tool
is designed to focus on insider threat detection on the host machine alone: it
extracts Registry data that relates to insider threat activities, to allow the
likelihood that the user is an insider threat to be calculated. The module developed
so far for this prototype extracts Registry data regarding USB devices, in order to
understand their activity on the host, since they could be used to steal or destroy
data.
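As an illustration of the kind of host artefact such a module would collect, the script below is an added example, not the prototype described in the article: it enumerates the USB mass-storage devices that Windows has recorded under the well-known USBSTOR Registry key and returns one object per device instance, so that unexpected devices can be compared against an allow list. The allow-list serial is a constructed placeholder, and the script assumes it is run in an elevated PowerShell session on the host under review.

```powershell
# Added example (not the article's prototype): list USB mass-storage devices
# recorded in the Windows Registry. Requires an elevated PowerShell session.

function Get-UsbStorageHistory {
    [CmdletBinding()]
    param(
        # Live SYSTEM hive by default; point elsewhere if a hive has been loaded
        # under a different key for offline review.
        [string]$UsbStorPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    if (-not (Test-Path -Path $UsbStorPath)) {
        Write-Warning "USBSTOR key not found at $UsbStorPath"
        return
    }

    # Each device-class key is named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>;
    # each child key beneath it is the device serial number, or a Windows-generated
    # identifier ending in '&0' when the device reports no serial of its own.
    foreach ($classKey in Get-ChildItem -Path $UsbStorPath) {
        $parts = @{}
        foreach ($token in ($classKey.PSChildName -split '&')) {
            $kv = $token -split '_', 2
            if ($kv.Count -eq 2) { $parts[$kv[0]] = $kv[1] }
        }

        foreach ($instanceKey in Get-ChildItem -Path $classKey.PSPath) {
            $props = Get-ItemProperty -Path $instanceKey.PSPath
            [pscustomobject]@{
                Vendor       = $parts['Ven']
                Product      = $parts['Prod']
                Revision     = $parts['Rev']
                Serial       = $instanceKey.PSChildName
                FriendlyName = $props.FriendlyName
                # True when Windows generated the identifier instead of the device
                NoSerial     = ($instanceKey.PSChildName -like '*&0')
                RegistryPath = $instanceKey.Name
            }
        }
    }
}

# Usage: report any recorded device whose serial is not on the approved list.
# The serial below is a constructed placeholder, not a real device identifier.
$approvedSerials = @('PLACEHOLDER-APPROVED-SERIAL-0001')

Get-UsbStorageHistory |
    Where-Object { $_.Serial -notin $approvedSerials } |
    Sort-Object -Property Vendor, Product |
    Format-Table -Property Vendor, Product, Serial, FriendlyName, NoSerial -AutoSize
```

The Registry provider does not expose key last-write timestamps, so first- and last-connection times (which a likelihood score would want) must be read with the Win32 Registry API or an offline hive parser rather than with Get-ChildItem; the example above deliberately stops at device identity.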
To conclude, it is hoped that in the near future we will be able to combine many of
our proposed insider threat detection solutions and provide an answer to the
question: 'what's on the inside?'
What's On The Inside?

1. CERT (2011) 2011 CyberSecurity Watch Survey: How Bad is Insider Threat? [WWW] CERT. Available from: www.cert.org/archive/pdf/CyberSecuritySurvey2011.pdf
2. POWER, R. (1995) Current and Future Danger: A CSI Primer on Computer Crime & Information Warfare. California: Computer Security Institute.
3. CERT (2012) The CERT Insider Threat Center [WWW] CERT. Available from: http://www.cert.org/insider_threat/

By Ria Biggs, De Montfort University
Student Showcase