Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders

Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, an effort that provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.     

Understanding insiders: An analysis of risk-taking behavior

There is considerable research being conducted on insider threats directed to developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to a conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between perceived risk and benefit by insiders and that their behavior cannot be explained well by the models that are based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders’ perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions. Finally, we recommend understanding risk of detection and creating a fair working environment to reduce the likelihood of committing criminal acts by insiders.     

基于门禁日志挖掘的内部威胁异常行为分析

门禁系统是保护重要场所安全的重要手段,可以有效防止未授权用户的进入。然而,近年来大量案例表明重要场所的威胁主要来自于具有合法权限的内部人员。针对这个问题,提出基于门禁日志数据挖掘的内部威胁异常行为分析方法。该方法首先利用PrefixSpan算法对正常行为序列进行提取,之后计算待检测序列的序列异常度分数,并根据决策者设定的阈值来找出异常序列。通过真实门禁数据中的实验,验证了本方法可以降低精确匹配在数据较少时带来的高误报率,实现对内部人员异常行为的有效发现,为加强重要场所安全保护提供了新的途径。     

Insider threat mitigation: preventing unauthorized knowledge acquisition

This paper investigates insider threat in relational database systems. It discusses the problem of inferring unauthorized information by insiders and proposes methods to prevent such threats. The paper defines various types of dependencies as well as constraints on dependencies that may be used by insiders to infer unauthorized information. It introduces the constraint and dependency graph (CDG) that represents dependencies and constraints. In addition, CDG shows the paths that insiders can follow to acquire unauthorized knowledge. Moreover, the paper presents the knowledge graph (KG) that demonstrates the knowledgebase of an insider and the amount of information that the insider has about data items. To predict and prevent insider threat, the paper defines and uses the threat prediction graph (TPG). A TPG shows the threat prediction value (TPV) of each data item in insiders’ KG, where TPV is used to raise an alert when an insider threat occurs. The paper provides solutions to prevent insider threat without limiting the availability of data items. Algorithms, theorems, proofs and experiments are provided to show the soundness, the completeness and the effectiveness of the proposed approaches.     

Insider attack mitigation in a smart metering infrastructure using reputation score and blockchain technology

International Journal of Information Security - The increasing use of smart metering infrastructure invites security threats through trusted insiders in spite of the devices’ authentication...     

Insiders Behaving Badly

This column goes beyond previous insider analyses to identify a framework for a taxonomy of insider threats including both malicious and inadvertent actions by insiders that put organizations or their resources at some risk. The framework includes factors reflecting the organization, the individual, the information technology system, and the environment.     

Organizational information security as a complex adaptive system: insights from three agent-based models

The management of information security can be conceptualized as a complex adaptive system because the actions of both insiders and outsiders co-evolve with the organizational environment, thereby leading to the emergence of overall security of informational assets within an organization. Thus, the interactions among individuals and their environments at the micro-level form the overall security posture at the macro-level. Additionally, in this complex environment, security threats evolve constantly, leaving organizations little choice but to evolve alongside those threats or risk losing everything. In order to protect organizational information systems and associated informational assets, managers are forced to adapt to security threats by training employees and by keeping systems and security procedures updated. This research explains how organizational information security can perhaps best be managed as a complex adaptive system (CAS) and models the complexity of IS security risks and organizational responses using agent-based modeling (ABM). We present agent-based models that illustrate simple probabilistic phishing problems as well as models that simulate the organizational security outcomes of complex theoretical security approaches based on general deterrence theory (GDT) and protection motivation theory (PMT).     

基于语义标签的协同信息系统内部隐私威胁检测模型

协同信息系统为知识共享和再创造需求提供了核心工作环境,但是因为涉及隐私、安全等重要领域,其安全运行成为关系到国家安全和伦理道德的重要研究议题。与来自外部的隐私窃取行为相比,源于内部的威胁行为避开了现有的身份验证机制和访问控制策略,可利用账户权限盗取敏感数据。本文提出一种内部隐私威胁检测模型,该模型在宏观层面利用用户的访问行为以及共享数据的语义标签来抓取用户的访问行为模式;在微观层面提出一种局部访问网络的离散程度值及其差异,用以评估数据集中特定访问行为的异常程度。通过访问行为的随机模拟分析,本文验证了新模型具有较好的预警性能以及非常显著的预测稳定性。     

Human factors in information security: The insider threat – Who can you trust these days?

This paper examines some of the key issues relating to insider threats to information security and the nature of loyalty and betrayal in the context of organisational, cultural factors and changing economic and social factors. It is recognised that insiders pose security risks due to their legitimate access to facilities and information, knowledge of the organisation and the location of valuable assets. Insiders will know how to achieve the greatest impact whilst leaving little evidence. However, organisations may not have employed effective risk management regimes to deal with the speed and scale of change, for example the rise of outsourcing. Outsourcing can lead to the fragmentation of protection barriers and controls and increase the number of people treated as full time employees. Regional and cultural differences will manifest themselves in differing security threat and risk profiles. At the same time, the recession is causing significant individual (and organisational) uncertainty and may prompt an increase in abnormal behaviour in long-term employees and managers – those traditionally most trusted – including members of the security community. In this environment, how can organisations know who to trust and how to maintain this trust?The paper describes a practitioner’s view of the issue and the approaches used by BT to assess and address insider threats and risks. Proactive measures need to be taken to mitigate against insider attacks rather than reactive measures after the event. A key priority is to include a focus on insiders within security risk assessments and compliance regimes. The application of technology alone will not provide solutions. Security controls need to be workable in a variety of environments and designed, implemented and maintained with people’s behaviour in mind. Solutions need to be agile and build and maintain trust and secure relationships over time. This requires a focus on human factors, education and awareness and greater attention on the security ‘aftercare’ of employees and third parties.     

Practical management of malicious insider threat – An enterprise CSIRT perspective

Communication and Information Systems (CIS) now form the primary information store, exchange and data analysis for all modern military and are crucial to command and control. The ubiquitousness of CIS within the military not only means that there is a complete reliance on CIS, but also presents new avenues of attack by malicious insiders. Military sources say that the insider threat is their number one security concern. This paper presents a case study of the technical counter measures and processes used to deter, detect and mitigate malicious insider threats that the author has researched, using non-classified anonymous interview and the analysis of anonymised qualitative field data, within a specific military organisation. It is not the intention of the author that this paper be viewed as an analysis of the “current state of play” of threats and countermeasures that generically exist across all military and defence organisations – rather it presents the technological and organisational processes utilised and challenges encountered at one organisation. A short discussion of the Computer Security Incident Response Team (CSIRT) structure adopted to successfully manage insider and other CIS security threats is presented, followed by a more detailed overview of existing and emerging technical efforts to deter, detect and mitigate such malicious insider threats within the military environment under study. Emphasis will be on the emerging technologies such as anomaly detection using real-time e-discovery, enterprise forensics and profiling users “cyber” behaviour and how these integrate into CSIRT technologies and processes. The technical advantages and challenges that such technologies present within a military alliance will be discussed. The success of such technologies in combating current malicious insider threat environment will be briefly compared with those put forward as challenges in the “Research on mitigating the insider threat to information systems #2” workgroup which took place in 2000 (Anderson et al., 2000.). In closing the author introduce the concept of Stateful Object Use Consequence Analysis as a way of managing the insider threat.     

一种工作流安全策略分析方法

工作流系统中经常会发生来自系统内部人员的欺骗活动,职责分离是一种有效地防止内部欺骗的安全机制,讨论了工作流执行时的安全策略问题,给出了工作流直观的Petri网模型描述,Petri网模型清晰地刻画了工作流系统中所包含的任务以及任务与角色的对应关系.采用Prolog语言描述了工作流执行时的动态职责分离安全规则,在此基础上,运用逻辑推理的方法分析职责分离安全规则,目的是找出所有满足安全规则的有效执行链,通过分析找出所有满足安全规则的有效执行链.     

一种无监督的窃密攻击及时发现方法

近年来,窃密攻击成为了最严重的网络安全威胁之一.除了恶意软件,人也可以成为窃密攻击的实施主体,尤其是组织或企业的内部人员.由人实施的窃密很少留下明显的异常痕迹,给真实场景中攻击的及时发现和窃密操作的分析还原带来了挑战.提出了一个方法,将每个用户视为独立的主体,通过对比用户当前行为事件与其历史正常行为的偏差检测异常,以会话为单元的检测实现了攻击发现的及时性,采用无监督算法避免了对大量带标签数据的依赖,更能适用于真实场景.对算法检测为异常的会话,进一步提出事件链构建方法,一方面还原具体窃密操作,另一方面通过与窃密攻击模式对比,更精确地判断攻击.在卡内基梅隆大学的CERT内部威胁数据集上进行了实验,结果达到99%以上的准确率,且可以做到无漏报、低误报,证明了方法的有效性和优越性.     

Intrusion detection: Perspectives on the insider threat

A recent FBI survey reported that the average cost of a successful attack by a malicious insider is nearly 50 times greater than the cost of an external attack. Further, it is estimated that over 80% of information security incidents for the past four years are the result of insiders. Intrusion detection systems have traditionally targeted those who attack outside of trusted network boundaries. What is desperately needed are mechanisms that monitor insider activity and detect actions at the host level that may be malicious. This paper presents an overview of innovative approaches to detect malicious insiders who operate inside trusted network boundaries.     

Risking Communications Security: Potential Hazards of the Protect America Act

A new US law allows warrantless wiretapping whenever one end of the communication is believed to be outside national borders. This creates serious security risks: danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents.     

Networks - Where does the real threat lie?

This article examines Intranets and why they can facilitate crimes that are carried out from within an organisation. Examples are then given of real cases in which security breaches are perpetrated by insiders. And finally, a list is given of the typical controls that could be used to provide protection against the insider threat.     

Harnessing Mainframe Strengths for an Enterprisewide Backup Solution

Abstract

Businesses have learned that perimeter security is no longer enough to protect critical data, and many are now touting the benefits of encrypting the data held in storage and backup systems. Driven largely by the awareness of security breaches, lawmakers, credit card issuers, and consumers themselves are holding organizations accountable for the protection of personal data. Today, businesses that suffer a security breach in which customer data is lost or stolen face widespread negative publicity, lost business, lawsuits, and fines that can threaten their viability. Although it's easy to immediately think that the storage or backup systems were compromised, it's important to note that, in an analysis of 45 of the reported incidents of data theft that occurred in the first half of 2005, only a small percentage were due to theft or loss of backup tapes. Far more prevalent were incidents in which insiders or outside attackers gained access to sensitive information through application-level attacks — attacks storage-level encryption wouldn't have prevented. This is why it is important for businesses to encrypt data at the Web, application, or database layer. Encrypting data as it enters the business, rather than having it stay in a readable state while it is used in various applications throughout the network, protects that data from both internal and external threats.     

Java代码的安全性暴露及建议

应用程序可能容易受到两类安全性威胁的攻击：静态和动态。虽然开发人员不能完全控制动态威胁，但在开发应用程序时，可以采取一些预防措施来消除静态威胁。静态暴露是系统中的缺陷，使系统暴露在想要篡夺该系统的特权的攻击者面前。本文概括，解释了13种类型的静态暴露，并具体给出处理安全性暴露问题的一些建议。     

Java代码的安全性暴露及建议

应用程序可能容易受到两类安全性威胁的攻击:静态和动态。虽然开发人员不能完全控制动态威胁,但在开发应用程序时,可以采取一些预防措施来消除静态威胁。静态暴露是系统中的缺陷,使系统暴露在想要篡夺该系统的特权的攻击者面前。本文概括,解释了13种类型的静态暴露,并具体给出处理安全性暴露问题的一些建议。     

Development of dynamic protection against timing channels

Information systems face many threats, such as covert channels, which declassify hidden information by, e.g., analyzing the program execution time. Such threats exist at various stages of the execution of instructions. Even if software developers are able to neutralize these threats in source code, new attack vectors can arise in compiler-generated machine code from these representations. Existing approaches for preventing vulnerabilities have numerous restrictions related to both their functionality and the range of threats that can be found and removed. This study presents a technique for removing threats and generating safer code using dynamic compilation in an execution environment by combining information from program analysis of the malicious code and re-compiling such code to run securely. The proposed approach stores summary information in the form of rules that can be shared among analyses. The annotations enable us to conduct the analyses to mitigate threats. Developers can update the analyses and control the volume of resources that are allocated to perform these analyses by changing the precision. The authors’ experiments show that the binary code created by applying the suggested method is of high quality.     

Threat-driven modeling and verification of secure software using aspect-oriented Petri nets

Design-level vulnerabilities are a major source of security risks in software. To improve trustworthiness of software design, this paper presents a formal threat-driven approach, which explores explicit behaviors of security threats as the mediator between security goals and applications of security features. Security threats are potential attacks, i.e., misuses and anomalies that violate the security goals of systems' intended functions. Security threats suggest what, where, and how security features for threat mitigation should be applied. To specify the intended functions, security threats, and threat mitigations of a security design as a whole, we exploit aspect-oriented Petri nets as a unified formalism. Intended functions and security threats are modeled by Petri nets, whereas threat mitigations are modeled by Petri net-based aspects due to the incremental and crosscutting nature of security features. The unified formalism facilitates verifying correctness of security threats against intended functions and verifying absence of security threats from integrated functions and threat mitigations. As a result, our approach can make software design provably secured from anticipated security threats and, thus, reduce significant design-level vulnerabilities. We demonstrate our approach through a systematic case study on the threat-driven modeling and verification of a real-world shopping cart application.