Similar literature
Found 20 similar documents; search took 15 ms
1.
Communication and Information Systems (CIS) now form the primary information store, exchange and data analysis for all modern military and are crucial to command and control. The ubiquitousness of CIS within the military not only means that there is a complete reliance on CIS, but also presents new avenues of attack by malicious insiders. Military sources say that the insider threat is their number one security concern. This paper presents a case study of the technical counter measures and processes used to deter, detect and mitigate malicious insider threats that the author has researched, using non-classified anonymous interview and the analysis of anonymised qualitative field data, within a specific military organisation. It is not the intention of the author that this paper be viewed as an analysis of the “current state of play” of threats and countermeasures that generically exist across all military and defence organisations – rather it presents the technological and organisational processes utilised and challenges encountered at one organisation. A short discussion of the Computer Security Incident Response Team (CSIRT) structure adopted to successfully manage insider and other CIS security threats is presented, followed by a more detailed overview of existing and emerging technical efforts to deter, detect and mitigate such malicious insider threats within the military environment under study. Emphasis will be on the emerging technologies such as anomaly detection using real-time e-discovery, enterprise forensics and profiling users' “cyber” behaviour and how these integrate into CSIRT technologies and processes. The technical advantages and challenges that such technologies present within a military alliance will be discussed. The success of such technologies in combating the current malicious insider threat environment will be briefly compared with those put forward as challenges in the “Research on mitigating the insider threat to information systems #2” workgroup which took place in 2000 (Anderson et al., 2000). In closing the author introduces the concept of Stateful Object Use Consequence Analysis as a way of managing the insider threat.

2.
The UK government took a bruising in the headlines (Sep 2008) after a Home Office contractor lost a USB stick containing unencrypted data on all 84,000 prisoners in England and Wales. As a result, the Home Office terminated the £1.5 million contract with the management consultancy firm. The world woke up to the largest attempted bank fraud ever when the UK’s National Hi-Tech Crime Unit foiled the world’s largest potential bank robbery in March 2005. With the help of the security supervisor, thieves masquerading as cleaning staff installed hardware keystroke loggers on computers within the London branch of a Japanese bank, to steal £220m. It is indeed sobering to imagine that any organisation could fall victim to such events and the damage an insider can do. The consulting firm lost the contract worth £1.5 million due to a small mistake by an employee. The London branch of the Japanese Bank would have lost £220 million had not the crime been foiled. Insider threat is a reality. Insiders commit fraud or steal sensitive information when motivated by money or revenge. Well-meaning employees can compromise the security of an organisation with their overzealousness in getting their job done. Every organisation has a varied mix of employees, consultants, management, partners and complex infrastructure and that makes handling insider threats a daunting challenge. With insider attacks, organisations face potential damage through loss of revenue, loss of reputation, loss of intellectual property or even loss of human life. The insider threat problem is more elusive and perplexing than any other threat. Assessing the insider threat is the first step to determine the likelihood of any insider attack. Technical solutions do not suffice since insider threats are fundamentally a people issue. Therefore, a three-pronged approach - technological, behavioural and organisational assessment - is essential in facilitating the prediction of insider threats and pre-empting any insider attack, thus improving the organization’s security, survivability, and resiliency in light of insider threats.

3.
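Insider threat is a very serious security problem facing enterprises and organisations. Documents, as an enterprise's most valuable information asset, are the main target of insider misuse. Earlier coarse-grained security policies, such as the principle of least privilege and separation of duties, are insufficient for the insider threat problem in document security. This paper proposes a new multi-level security policy model, introduces the concepts of document information flow and information flow graph, and presents related algorithms. The model can dynamically generate constraints on information flows according to changes in the system context, and block hidden information flow channels that might arise.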

4.
This paper describes some trends and issues in the application of information technology in organisations. Technology trends are outlined in the areas of computing power, telecommunications, networking, software and standards. Some trends in the applications of IT are described with respect to developments in information systems and office automation. Some differences in the likely role of IT in the industrialised and developing countries are discussed. The second half of the paper deals with issues in the management of IT applications in organisations, and issues are identified as being political, organisational and social in nature in addition to technical. A social systems framework is proposed for the analysis of these issues. Some specific IT issues are then discussed involving alternative stakeholder perspectives, the analysis of decision making processes, the process of consultation and communication and the organisational impacts of IT applications.

5.
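This paper briefly discusses the necessity of building an enterprise information security assurance system and clarifies the goals of building such a system. Starting from the guiding principles for building an information security assurance system, it analyses the various security risks faced by enterprise information systems, and discusses how to achieve the goals of building an enterprise information security assurance system from three aspects: security policy, security management and security technology.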

6.
Standardization in information security management (total citations: 1, self-citations: 0, citations by others: 1)
The paper describes the state of the art in the standardization in information security management. The requirements to the standards being developed, the types of standards, and the principles to adhere to are discussed. The study is based on the documents adopted within the subcommittee 27 “IT Security techniques” of the joint technical committee ISO/IEC JTC 1 “Information technology”.

7.
Within the last decades, corporate information technology (IT) environments have approached considerable degrees of complexity. As a consequence, IT has become increasingly difficult to manage resulting in high costs and poor flexibility. Today, it is generally acknowledged that the sustainability of corporate IT environments can only be ensured through a continuous and long-term management on the level of the Enterprise (IT) Architecture (EA). To address this, many firms have implemented a dedicated Enterprise (IT) Architecture Management (EAM) function. However, little is known yet on the effectiveness of such functions and the factors influencing EAM success. Within this research, we thus seek to answer two main questions: (1) do firms adopting EAM perform better with regard to high-level information management objectives like IT flexibility and IT efficiency, and if so, (2) what are the critical success factors in attaining these goals? To answer these questions, a field survey was conducted within the international financial services industry. The results provide evidence that the implementation of an EAM function is in fact supportive in the creation and sustainment of IT efficiency and IT flexibility. Several factors are shown to be of critical importance for achieving these goals with architectural governance being the most important one.

8.
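At present, asset management at telecom operators is mainly fixed-asset management in the traditional sense; security information such as the security status and security baselines of assets is seriously lacking, making it impossible to cope with the increasingly severe security situation. This paper discusses, from multiple levels including asset vulnerability, asset threats, system classification, security assessment and KPI evaluation, how operators' asset security management can be implemented and how a security asset management system should be designed.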

9.
This paper examines some of the key issues relating to insider threats to information security and the nature of loyalty and betrayal in the context of organisational, cultural factors and changing economic and social factors. It is recognised that insiders pose security risks due to their legitimate access to facilities and information, knowledge of the organisation and the location of valuable assets. Insiders will know how to achieve the greatest impact whilst leaving little evidence. However, organisations may not have employed effective risk management regimes to deal with the speed and scale of change, for example the rise of outsourcing. Outsourcing can lead to the fragmentation of protection barriers and controls and increase the number of people treated as full time employees. Regional and cultural differences will manifest themselves in differing security threat and risk profiles. At the same time, the recession is causing significant individual (and organisational) uncertainty and may prompt an increase in abnormal behaviour in long-term employees and managers – those traditionally most trusted – including members of the security community. In this environment, how can organisations know who to trust and how to maintain this trust? The paper describes a practitioner’s view of the issue and the approaches used by BT to assess and address insider threats and risks. Proactive measures need to be taken to mitigate against insider attacks rather than reactive measures after the event. A key priority is to include a focus on insiders within security risk assessments and compliance regimes. The application of technology alone will not provide solutions. Security controls need to be workable in a variety of environments and designed, implemented and maintained with people’s behaviour in mind. Solutions need to be agile and build and maintain trust and secure relationships over time. This requires a focus on human factors, education and awareness and greater attention on the security ‘aftercare’ of employees and third parties.

10.
This article presents ISO’s most successful information security standard ISO/IEC 27001 together with the other standards in the family of information security standards — the so-called ISO/IEC 2700x family of information security management system (ISMS) standards and guidelines. We shall take a brief look at the history and progress of these standards, where they originated from and how they became the common language of organizations around the world for engaging in business securely. We shall take a tour through the different types of standards that are included in the ISMS family and how they relate and fit together and we will finally conclude with a short presentation of ISMS third party certification. The material used in this article has been derived directly from the many articles and books by Prof. Humphreys on the ISO/IEC 2700x ISMS family and how they are implemented and applied in practice in business, commerce and government sectors.

11.
The potential for rapid and diverse interconnectivity through devices utilising heterogeneous communications interfaces has enabled a truly ubiquitous computing environment. However, this has resulted in equally ubiquitous security risks due principally to the number and complexity of services being run over such networks. As technology advances towards the realisation of a ubiquitous computing environment, what impact does this have on the traditional information security triangle, of preserving the confidentiality, integrity and availability of information? And how does this influence future information security requirements, particularly in light of always-on business processes which require real-time information sharing? This paper describes research conducted into answering these questions. Emphasis is placed on the need for risk management, and how this may be achieved through context-based access control mechanisms and pro-active threat assessment techniques.

12.
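It has gradually become widely accepted that insider attacks on networked information systems constitute a very dangerous security threat. However, in-depth research on insider attacks is relatively scarce. From the perspective of the users of network systems, rather than the technology itself, this paper presents a graphical model of insider attacks, analyses their causes, and gives a detailed, systematic discussion of some specifics of insider attacks.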

13.
14.
Whilst there have been many studies to determine the factors that influence the use of information technology (IT) in organisations, few have considered how these factors change with the level of IT use. This paper presents the results of such a study involving the use of IT to support Total Quality Management (TQM). The population studied consisted of those organisations in the Malaysian public sector that had applied for the Malaysian Prime Minister's Quality Award during the period 1992–1997. Three sets of factors were investigated for their impact on the use of IT to support TQM in this setting: external, organisational, and technological factors. Overall, the organisational and technological factors had more influence on IT usage than did the external factors. However, as organisations became more experienced in their use of IT, the major contextual influences on IT usage levels changed. At low levels of IT usage the major contextual influences were organisational. At medium levels of IT usage a combination of technological and organisational factors became important, whilst at high IT usage levels, the dominant factors were technological.

15.
Information security management standards: Problems and solutions (total citations: 1, self-citations: 0, citations by others: 1)
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

16.
To create a future with improved prospects for dealing with security and privacy, nations will have to reach agreement on many issues, including banking and financial services; privacy laws related to sensitive data such as healthcare information; intellectual property (IP) rights, their reasonable protection, and the significant challenge of achieving international agreement on an enforceable set of common standards; cybercrime laws and penalties for breaking them and new networking technologies that adversely impact privacy, the subtleties of which might not be fully appreciated until a product is well entrenched. Many of these issues have been around since the onset of literacy, but the challenge of dealing with them has grown enormously in the information age owing to the speed, storage capacity, intelligence, and ubiquity of modern IT (and its inherent vulnerabilities).

17.
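Research on an ITIL-based network security operations management system (total citations: 3, self-citations: 0, citations by others: 3)
Using a security operations management platform to comprehensively analyse alert information and security audit data from firewalls, intrusion detection systems, antivirus systems, hosts and network devices enables more effective security management and timely assessment of security events and of the current state and development trend of the network system. Because unified standards and specifications are lacking in the research and development of security operations management technologies and products, existing technologies and products cannot be used effectively for efficient event correlation, assisted analysis and information synthesis, which poses a great challenge to efficient security operations management. Starting from the current state and trends at home and abroad, and drawing on the characteristics of BS7799, the NIST SP 800 series and other relevant information security standards, this paper introduces the concept of IT service management, positions security operations management as a service in the IT Infrastructure Library, and describes in detail the design ideas, basic framework, management processes and relationships between processes of an ITIL-based network security operations management system.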

18.
Digital Forensics is being actively researched and performed in various areas against changing IT environment such as mobile phone, e-commerce, cloud service and video surveillance. Moreover, it is necessary to research unified digital evidence management for correlation analysis from diverse sources. Meanwhile, various triage approaches have been developed to cope with the growing amount of digital evidence being encountered in criminal cases, enterprise investigations and military contexts. Despite debate over whether triage inspection is necessary or not, it will be essential to develop a framework for managing scattered digital evidence. This paper presents a framework with unified digital evidence management for appropriate security convergence, which is based on triage investigation. Moreover, this paper describes a framework in network video surveillance system to show how it works as a unified evidence management for storing diverse digital evidence, which is a good example of security convergence.

19.
The areas of physical security and information technology (IT) are often if not usually worlds apart. The same is true for physical security and IT security; in most organizations separate functions for physical security and IT security exist. Because these functions are in place and because they at least in part achieve their goals, management tends to perceive that major risks they try to mitigate are being addressed. Convergent security risks in physical security systems and information technology (IT) are, however, almost without exception overlooked. Physical security systems and devices, process control systems, and IT infrastructures are being integrated without sufficient consideration of the security risks that the increasing intermingling of these systems and infrastructures introduces. Serious security-related incidents due to unmitigated physical convergence risks are starting to occur. Adequately dealing with the convergence problem requires organizations to implement multiple solutions.

20.
IT security professionals' effectiveness in an organization is influenced not only by how usable their security management tools are but also by how well the organization's security management model (SMM) fits. Finding the right SMM is critical but can be challenging - trade-offs are inherent to each approach, but their implications aren't always clear. The authors present a case study of one academic institution that created a centralized security team but disbanded it in favor of a more distributed approach three years later. They contrast these experiences with expectations from industry standards.
