A Critical Reflection on the Threat from Human Insiders – Its Nature, Industry Perceptions, and Detection Approaches

Jason R. C. Nurse1, Philip A. Legg1, Oliver Buckley1, Ioannis Agrafiotis1, Gordon Wright2, Monica Whitty2, David Upton3, Michael Goldsmith1, and Sadie Creese1

1 Cyber Security Centre, Department of Computer Science, University of Oxford, UK
{firstname.lastname}@cs.ox.ac.uk
2 Department of Media and Communications, University of Leicester, UK
{grw9,mw229}@leicester.ac.uk
3 Saïd Business School, University of Oxford, UK
david.upton@sbs.ox.ac.uk

Abstract. Organisations today operate in a world fraught with threats, including "script kiddies", hackers, hacktivists and advanced persistent threats. Although these threats can be harmful to an enterprise, a potentially more devastating and anecdotally more likely threat is that of the malicious insider. These trusted individuals have access to valuable company systems and data, and are well placed to undermine security measures and to attack their employers. In this paper, we engage in a critical reflection on the insider threat in order to better understand the nature of attacks, associated human factors, perceptions of threats, and detection approaches. We differentiate our work from other contributions by moving away from a purely academic perspective, and instead focus on distilling industrial reports (i.e., those that capture practitioners' experiences and feedback) and case studies in order to truly appreciate how insider attacks occur in practice and how viable preventative solutions may be developed.

Keywords: insider threats, human factors, technical and psychological indicators, detection approaches, survey reports.
1 Introduction

Corporations today face an increasingly difficult task when it comes to their computer security. On the one hand, there are a plethora of threats (e.g., criminals, hackers, hacktivists) keen to penetrate defences and compromise systems and data. On the other hand, internal (or insider) threats appear to be on the increase and can be particularly debilitating given their privileged access to the enterprise. The insider-threat problem is especially concerning because corporations' defences are arguably still focused on external threats, resulting in inadequate consideration of attacks originating from those with inside knowledge of and access to systems, security processes, and precious company secrets.

T. Tryfonas and I. Askoxylakis (Eds.): HAS 2014, LNCS 8533, pp. 270–281, 2014.
© Springer International Publishing Switzerland 2014

To explore this problem further, and to better understand the various elements involved, this paper engages in a critical reflection upon the threat posed by insiders. We adopt a novel perspective that moves away from a purely theoretical discussion and instead concentrates on distilling the range of industrial reports, which capture broad experiences and feedback from practitioners [1,2,3,4]. We also look at case studies of insider threat (our own [5] and those from CMU-CERT [6]), in order to further understand how and why insider attacks occur, and how effective detection tools can be developed and deployed.

Our reflection on the insider-threat problem is split into three broad sections. Firstly, we consider the nature of human insider threats. This includes an investigation into the types of attacks actually being launched against enterprises, an analysis of the motives and psychological aspects surrounding these attacks, and the impact that new technologies may have on the future of insider attacks. We move on to study many of the industry reports that have been published (e.g., [2,7,8]), in order to assess how corporations perceive and are responding to this type of risk. Our findings suggest that there is an underestimation of the risks associated with these threats, particularly evidenced by the minimal investment being made. Finally, we describe techniques that are currently used for detecting insider threats, and explore the state-of-the-art research that is currently being conducted in this area, discussing the effectiveness of techniques and what limitations may exist. To conclude, we discuss our own research within the Corporate Insider Threat Detection project (CITD), which aims to address the interdisciplinary nature of insider threat, to provide an enhanced detection tool that addresses both technical and human dimensions of insider threat.
2 The Nature of Insider Threat

In order to understand the nature of the insider-threat problem, there are several fundamental questions of interest. For instance, what exactly is the threat, and what are the most prevalent types? What motivates insiders to attack? Are some insiders more susceptible to becoming a threat? What behaviours may be indicative of an (impending) attack? What is the effect, if any, of new technologies on the problem? These are the questions which we seek to discuss in this section, with a special focus on real-world cases, feedback and reports.

2.1 Types of Insider Threat

There have been many definitions of insider threat throughout the years [9]. Some of these definitions emphasise the active misuse of insider privileges, while others broaden the scope and consider the negative impact of such misuse on the confidentiality, integrity and availability of the organisation's systems and data [6]. The essence of most definitions, however, is that an insider threat is a member of trusted personnel (e.g., employees, contractors, business partners) who uses their privileged access for some unauthorised purpose such as revenge or financial gain, and to the detriment of their enterprise. CMU-CERT [6] identifies three types of threat based on observation of typical patterns and on the attacker's purpose and motivation – namely, fraud, theft of Intellectual Property (IP), and sabotage of infrastructure.

Insider fraud is regarded as one of the most frequent kinds of attack [2]. Incidents of fraud can range from direct theft of company funds, to complex cases where company services or data are illegitimately traded for personal financial gain. Kroll Advisory's recent fraud report emphasises the strong link between fraud and insiders, in that, of the companies hit by fraud in the last year, more than 67% identified an insider as a leading perpetrator, signalling yet another increase from previous years' studies [10]. While this is concerning, an even more disturbing aspect looking forward is that, according to the Risk of Insider Fraud report [2], practitioners continue to believe that their enterprises are at a high risk of insider fraud. This is clearly a serious and prevalent problem in companies today and, as hinted above, financial gain is one of the most common motives.

Another threat that causes great concern is IP theft. In this attack, insiders use their access to steal valuable company data, including trade secrets, business information, source code and customer information [11]. There are several key features of this type of attack. First, the target tends to be product information, proprietary software and source code (these are clear targets in CMU-CERT studies [12]). Also, attacks appear more likely to be conducted by technical personnel (e.g., scientists and engineers) [6] and using technical means (54% of insiders used either email, a remote access channel or network file transfer [11]) rather than physical theft of prototypes, for example. Finally, a majority of these thefts are committed by employees with legitimate access to the stolen IP; almost 75% stole material they had authorized access to [12]. Although 75% is a strong statistic and it is therefore very tempting to monitor only these individuals for this attack, as other articles have highlighted (e.g., the case of the foreign national who stole Ford secrets worth in excess of $50 million [13]), insiders with no legitimate access are also causing a great deal of harm.

Incidents involving IT sabotage, as one might imagine, tend to be more technically sophisticated. These attacks often require privileged access to systems and networks, or particular knowledge of how they are configured. Examples of specific insider attacks range from insertion of malware (most commonly, logic bombs) to tampering with and disrupting system hardware components. Moore et al. [14] provide one of the more comprehensive points of reference for data on these types of attack. Amongst their findings, some of the most significant include the high proportion of attackers who had system-administrator privileges (90%) and the crucial role of unmet expectations, disgruntlement and stress in the pathways to an attack (for instance, 92% of all the insiders in their sample attacked enterprises following a negative work-related situation or event). In terms of real-world cases, the attempted attack on Fannie Mae [15] is a perfect example of the sabotage threat. Presumably aggrieved after being dismissed, the insider in this case used the last hours of his legitimate access to upload malicious code set to auto-execute 7 days later and designed to erase essential company data on finances, securities and mortgages.

In addition to the focus on malicious insiders (covered above), emphasis on benign or accidental insiders has also grown [16]. These individuals have legitimate access to systems, but through carelessness, neglect or accident introduce a form of insider attack. These accidental attacks have become more important to organisations and researchers because, as studies such as the Credant [17] and Clearswift [18] surveys point out, they occur significantly more often than their malicious counterparts. Unwise email activities and loss of storage devices or laptops are some of the most common sources of these breaches. Further analysis on the different types of benign insiders can be found in several reports, particularly Symantec's Data Loss Prevention white paper [19], where the author distinguishes a number of categories of negligent insiders.
2.2 The Psychology of the Insider

Researchers have argued that insiders have specific psychological traits and characteristics. Turner and Gelles [20], for instance, believe the following types of behavioural indicators need to be considered when examining insider risk: self-centredness, arrogance, risk-taking, manipulativeness, coldness, self-deception and defensiveness. Others have suggested that insider threats score high on the personality traits that make up the 'Dark triad': narcissism, Machiavellianism and psychopathy [11,12,14,20]. The UK's Centre for the Protection of National Infrastructure (CPNI) have identified a number of other personality characteristics they believe are typical of an insider, including: immaturity, low self-esteem, amoral and unethical perspective, superficiality, proneness to fantasy, restlessness and impulsivity, and lack of conscientiousness [21].

If it is indeed the case that insider threats possess specific psychological traits and characteristics, then it might aid detection if employers were able to be privy to their employees' psychological make-ups. However, there is also the possibility that specific personality characteristics are linked to specific attacks rather than all attacks. For example, an insider who scores high on narcissism and Machiavellianism and is a risk taker might be more likely to commit IP theft but less likely to deface Web sites. Moreover, psychological characteristics on their own are clearly not enough to predict that someone is likely to become a malicious insider, and there are other personal attributes that should also be considered.

It has been argued that shorter-term psychological or emotional states can also help identify the type of individual who is more likely to attack their organisation. Such psychological states might include stress, depression or anxiety, for instance. It has been theorised, for example, that those under extreme stress are more likely to become threats [11,20]. It might be that the insider instigates the attack to help alleviate the stress that they are encountering. It is argued here, however, that consideration of psychological states in isolation is not sufficient. As is often the case, an external event can trigger a psychological state. Take the case of a person who has experienced financial hardship – such an event may well cause extreme stress; however, in addition, the individual might see an opportunity at work to conduct fraudulent activities which will help them out of their problems. In contrast, someone who is under extreme stress because of marital problems (exhibiting the same behaviours as in the previous case) might be far less likely to conduct fraudulent activities. These examples illustrate the importance of developing a more holistic model of insider-threat psychology.

In addition to external events, psychological disorders have been reported to make some employees more of a risk to an organisation. CPNI have found that those with a gambling or drug addiction are more likely to attack an organisation than those without such addictions [21]. Of course, if an individual is identified as having such a problem, then an organisation might find ways to provide support for that individual, which in turn might reduce the risk they pose.

In considering the psychology of the insider we might also want to consider their attitude towards the workplace. For example, a person who scores high on the dark triad traits and is highly stressed might be less likely to attack an organisation if they have a strong affinity to their workplace. CPNI have found that those who do not follow established procedures, or read or follow announcements and instructions issued by their organisation, are more likely to attack an organisation [21]. Others have identified the 'disgruntled employee' as a real potential risk [22]; that is, someone who believes they have not been fairly treated by their organisation (e.g., missing out on a promotion). Our belief is that those who have a strong identification with their workplace, and then experience an event which leads them to disgruntlement, pose a greater risk.

Whilst our preliminary findings have identified important psychological factors in the context of insider threat, it becomes quite apparent that there is much more work to be done in this space, by considering a more complete view of the attributes that are associated with identifying potential insider threats.
2.3 The Impact of New Technologies

As new technologies evolve within organisations, so does the potential insider-attack surface [3,18]. Bring Your Own Device (BYOD) is becoming increasingly popular within many organisations, and yet in the survey by Ponemon [2], almost half of the 700 participants state that BYOD has resulted in a significant increase in fraud risk. The same study also reports significant challenges in securing corporate data and networks that are now being accessed through this growing gamut of personal devices. There is a definite trade-off being experienced between the convenience and cost-savings of BYOD, as against the security implications and attack vectors that this also introduces, which organisations will need to consider carefully in the future.

Cloud services also introduce difficulties regarding security of information. Credant expands on the risks associated with the cloud, and highlights that although this distributed approach has benefits, it translates into a direct loss of control for the business [17]. This introduces yet another possible attack vector, and could also be exploited as part of an attack by existing employees or by the third parties involved. Again, this raises the trade-off of convenience and cost-savings against maintaining and managing both data and security from within the walls of the organisation.

Social-media use is also generating complex new challenges for enterprises [8,23]. Through sites such as Facebook, Twitter, blogs and forums, sensitive information (e.g., trade secrets, organisation plans and IP) can be leaked much more easily than before and publicised to anyone, anywhere in the world. The literature is full of cases of this happening, and its effect on both private and governmental organisations [24,25]. Malicious or careless insiders are not the only concern either. As a result of the amount of information freely shared on these sites, external entities can now exploit social media to identify, target or recruit prospective insider threats [8]. As social media continue to expand in popularity, organisations appear to underestimate the power and reach that they can have. However, the ethical and legal concerns about monitoring personal communications, and whether this is a breach of privacy, remain to be resolved.
3 Insider Threat from the Organisational Perspective

From the previous section, it is clear that the threat from insiders is real and significant. Despite this fact, however, reports suggest that corporations continue to underestimate the associated risks, as especially evidenced by minimal investment. For example, the findings in the State of Security report [7] show that many companies allocate between 11-14% of their annual revenue to their total IT budget, and of this, they spend 10-14% on security-related issues in general. Investment in detecting and preventing insider threats is therefore likely to be much lower. Of course, the appropriate amount to invest must be determined contingently, by individual companies, depending on their circumstances. But there is evidence of general underinvestment in mitigating this risk at the board level. Another article [8] reports that 25% of respondents stated that there was no regular formal review of cybercrime threats by the Chief Executive Officer and the Board. This suggests that security in some corporations still has not reached the level of importance that it warrants, and again, this obviously has knock-on effects for any hope of adequately managing the risk of insider threat.

More specifically, Ponemon's survey concludes that a large number of companies are not attributing the appropriate priority to the risk of insider fraud, while also noting that it is becoming more of a challenge [2]. One of their main observations as it pertains to organisations' views on risk is that, although 61% of respondents rated the threat of insider fraud within their enterprise as very high or high, only 44% believed that their company viewed the prevention of insider threats as a top priority in security. This highlights that even though organisations view themselves as somewhat unprepared, there does not appear to be an overwhelming impetus to address the risks. These findings mirror those in earlier studies such as McAfee's report [7], where 68% of companies recognise insider threat in their security plans but only 48% have actually addressed it.

Another indication that companies may be underestimating insider threat is the lack of awareness demonstrated by employees and the dearth of training programmes offered. In one report [23], it was found that 42% of large companies surveyed do not conduct on-going security awareness training sessions with staff and, worse yet, 10% fail to brief staff on induction. This trend of poor awareness in organisations can also be seen more globally, as highlighted in the Global State of Information Security survey [3]. The issue here is that due to a lack of training, personnel may be unaware of new risks that insider crimes may present to the company or, indeed, may have forgotten about the risks they used to be aware of. Due diligence is also a particularly salient point, as we continue to see evidence (e.g., [1]) of a considerable number of companies not conducting personnel background checks on their employees.

Companies' views on insider risk can also be understood from how they treat incidents once detected. The first aspect to note is that they are typically under-reported [8,26]. In Kaspersky's article [26], for instance, respondents reported that in 59% of the cases nobody outside the company was notified. PwC's survey [8] supports this point, but also found that for very serious fraud offences, some only issued a warning (18% of respondents) and, in a few incidents, organisations did nothing at all (4% of the cases). While we might assume that failure to report incidents is linked to the fear of negative publicity, it is unclear why, even in the case of serious insider incidents, stricter measures are not undertaken. This might further emphasise an underestimation of the problem within corporate culture, but could equally be due to a dearth of solid evidence.
4 Detecting Insider Threats

As the problem of insider threat continues to escalate, there is a growing focus on how to detect such attacks. Here, we explore the current techniques for detection, and where state-of-the-art research is moving towards in the future.

4.1 Techniques in Use

A variety of approaches have been proposed to mitigate the risk of insider attacks, focusing on prevention, detection and response. Best practices from CMU-CERT include: considering threats from insiders and business partners in enterprise-wide risk assessment; logging, monitoring, and auditing employees' online actions; anticipating and managing negative workplace issues; and developing insider incident-response plans [6]. While a number of these are in common use, the Malicious Insider Threats report notes that many more could be adopted [1]. As discussed in Section 3, what is required is improved education and awareness within enterprises, to encourage active use of such practices.

A key point that arises from published sources (e.g., [12]) is that many attacks are detected by non-technical means (e.g., co-workers noticing suspicious behaviour). Kaspersky's survey article on insiders also identifies reporting by co-workers as the main detection resource (indicated in 47% of cases), but also notes the contribution of IT staff in discovering irregularities in system activity logs (41% of cases) [26]. PwC's cybercrime survey identifies three approaches that organisations use to detect threats: corporate controls (e.g., suspicious-transaction monitoring), corporate culture (e.g., whistle-blowing systems), and those beyond the influence of management (e.g., discovery by accident or by a third party) [8]. They found that the effectiveness of corporate-culture methods has declined compared to previous years. From the detection methods reported, the only noteworthy increase in effectiveness compared with previous years was in automated suspicious-transaction monitoring (up from 0% in 2005 to 18% in 2011). It was observed, however, that whistle-blowing and tip-offs are still an important part of detection, contributing to suspicious behaviour being reported rather than overlooked. This does not stop at employees alone, since reports of suspicious behaviour may come from law enforcement, business partners, and even from customers [12,26].

Activity logs are becoming more widely used for detecting suspicious activity conducted on organisations' systems [26]. These can provide detail on a range of activities that employees conduct, from entering buildings and logging on to systems, through to the e-mail communications that they make and the files that they access on a data server. This mass of data provides a wealth of information on employee usage patterns, including any potentially malicious activity that they may choose to carry out. However, due to the large amount of data that can potentially be logged, actually analysing this can quickly become a laborious and error-prone task. There is growing interest around the notion of automated detection of insider threat, and more recently there have been commercial software tools such as SpectorSoft's Spector 360, SureView by Raytheon, and DarkTrace. The Risk of Insider Fraud report emphasises this desire for automated tools for detecting and analysing insider risk [2].

Many anomaly-based approaches [27,28] aim to establish what an employee's normal activity may look like, and then analyse how their current behaviour differs from this normal. This opens up a number of challenges, such as how to establish what is actually normal behaviour within an organisation, particularly given that there may already be malicious activity present, and how much of a deviation causes an employee to be classified as a potential insider threat. All organisations will operate differently, as do all humans, and so there will exist many forms of what is deemed to be normal. Likewise, the routine in which employees perform activities on a daily basis will often vary based on their current workload, their personal life, and their mindset, as well as demands made of them by supervisors and co-workers. An employee may well be asked, or need, to perform activities that are outside of their expected normal in order to fulfil their job, and yet this would be flagged as anomalous behaviour. For a system to automatically determine whether an employee is posing a threat or not requires very careful management by the system analyst. An excess of false positives results in a burden of cases that require investigation, and could result in high resentment by employees. On the other hand, a false negative would render such a system a failure and could allow the organisation to be severely damaged. It is clear then, that there are many challenges still left to overcome in terms of both detecting, and also analysing, the threat posed by an employee's actions.
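The per-employee baselining described above, as an added example that is not code from the paper or the CITD project: each employee's "normal" is learned from their own history of daily activity counts, a new day is scored by its deviation from that baseline, and a threshold sweep shows the false-positive trade-off the text discusses. The daily summary lines, the employees and their counts are all constructed for the example.

```python
"""Per-employee activity baselining over constructed daily activity records.

Added example, not code from the paper or the CITD project. It shows the
anomaly-based idea discussed above: learn each employee's own "normal" from
their history, score a new day by its deviation from that baseline, and see
how the flagging threshold trades false positives against missed deviations.
"""
import re
import statistics
from collections import defaultdict

# Constructed daily summaries (one line per employee per day), in the shape a
# log-aggregation job might emit from building-access, logon, file-server and
# e-mail logs. alice is a steady analyst; bob is a developer whose file
# activity is naturally bursty, so the same raw count means different things.
HISTORY = """\
2014-03-03 alice files=19 emails=14 after_hours_logons=0
2014-03-04 alice files=21 emails=13 after_hours_logons=0
2014-03-05 alice files=20 emails=15 after_hours_logons=0
2014-03-06 alice files=18 emails=14 after_hours_logons=0
2014-03-07 alice files=22 emails=14 after_hours_logons=0
2014-03-03 bob files=30 emails=8 after_hours_logons=1
2014-03-04 bob files=60 emails=9 after_hours_logons=0
2014-03-05 bob files=45 emails=7 after_hours_logons=2
2014-03-06 bob files=25 emails=10 after_hours_logons=1
2014-03-07 bob files=65 emails=6 after_hours_logons=1
"""

# Days to score (constructed): alice's 03-10 is a legitimately busy day;
# alice's 03-11 combines a large file pull with after-hours logons; bob's
# 03-10 is a heavy but, for him, ordinary day.
NEW_DAYS = """\
2014-03-10 alice files=24 emails=14 after_hours_logons=0
2014-03-11 alice files=40 emails=14 after_hours_logons=3
2014-03-10 bob files=75 emails=8 after_hours_logons=2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
MIN_STD = 1.0  # floor so a perfectly constant history does not divide by zero


def parse(text):
    """Yield (date, user, {feature: count}) from the summary lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, user, rest = m.groups()
        feats = {k: int(v) for k, v in (kv.split("=") for kv in rest.split())}
        yield date, user, feats


def build_baselines(history_text):
    """Per-user, per-feature (mean, std) learned from that user's own days."""
    samples = defaultdict(lambda: defaultdict(list))
    for _, user, feats in parse(history_text):
        for k, v in feats.items():
            samples[user][k].append(v)
    return {
        user: {k: (statistics.fmean(vs), max(statistics.pstdev(vs), MIN_STD))
               for k, vs in per_feat.items()}
        for user, per_feat in samples.items()
    }


def score_day(baseline, feats):
    """Largest absolute z-score across features, plus the feature it came from."""
    worst = (0.0, None)
    for k, v in feats.items():
        mean, std = baseline[k]
        z = abs(v - mean) / std
        if z > worst[0]:
            worst = (z, k)
    return worst


def flag_days(history_text, new_text, threshold):
    """Return [(date, user, score, feature)] for days at or above threshold."""
    baselines = build_baselines(history_text)
    flagged = []
    for date, user, feats in parse(new_text):
        if user not in baselines:
            continue  # no history: cannot say what "normal" is yet
        z, k = score_day(baselines[user], feats)
        if z >= threshold:
            flagged.append((date, user, round(z, 2), k))
    return flagged


if __name__ == "__main__":
    # At 2.0 alice's busy day is flagged too (a false positive an analyst must
    # triage); at 3.0 only the day with after-hours logons and a 2x file pull.
    for t in (2.0, 3.0):
        print(f"threshold {t}: {flag_days(HISTORY, NEW_DAYS, t)}")
```

Bob's 75-file day scores below both thresholds because his own history is bursty, whereas the same count would be far outside alice's baseline; this is the "many forms of normal" point in the text.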
4.2 State of the Art in Research

Given the severity of insider threat within many organisations and the strong desire to detect and prevent future attacks, there has naturally been a wealth of research around the problem. Here, we shall examine some of the most notable contributions in the literature and address issues that are currently present.

Brdiczka et al. [29] present an approach for proactive detection of insider threats. Their method incorporates structural anomaly-detection, which consists of four stages: graph-structure analysis, graph embedding, dynamic tracking, and anomaly-detection. As they address, this identifies anomalies within the data, not necessarily threats. In order to assess the potential of a threat, they conduct psychological profiling using the Big-5 model, with behavioural, text analysis, and social-networking information as the data used for their profiling. For experimentation, they detect malicious insiders in World of Warcraft data as a proof-of-concept. As acknowledged by the authors, however, in-game malicious behaviour is much more obvious than that of an insider threat in the workplace, who aims to be discreet in their malicious intent. Therefore it would be of great interest to know how the approach copes with more realistic data.

Greitzer et al. [30,31] discuss the use of psychological factors for identifying potential insider threats. They propose a Bayesian Network model that consists of a variety of binary observable behaviours (e.g., engagement, accepting criticism, confrontation, performance, stress, absenteeism). Each behaviour has a prior probability that estimates how frequently it occurs, and a weighting term that specifies how significant the behaviour is with regard to monitoring threats. They derive conditional probabilities through a training process, using expert judgement to assess the threat that an employee exhibits based on particular parameters being set to true. Due to the qualitative nature of the behaviours that are modelled, there remains a need for a human observer to assess whether the employee in question is exhibiting such characteristics. The authors note that future work is necessary to develop methods for automatically extracting and inferring psychological factors from employee-data analysis, rather than using subjective behavioural assessment, which is clearly a non-trivial task to achieve.

Kandias et al. [32] also present a prediction model that consists of psychological profiling and real-time usage profiling. These two aspects serve as input to a decision manager that determines whether the user is a potential threat, based on scoring their motive, opportunity and capability. Each user is categorized by their system role, their capability, their predisposition and their stress level. The psychological profiling is conducted by questionnaires that cover user sophistication, predisposition and stress level, whilst the usage profiling consists of monitoring system calls, intrusion-detection systems, and honeypots. The authors state that their future work will focus on the implementation of the model, and so there is currently no indication of how well this performs. The use of questionnaires for psychological assessment raises issues such as the accuracy of the answers provided by participants. In addition, a sophisticated insider may well be capable of circumventing traditional monitoring tools as part of their attack.

As we have seen, there are many proposals for managing insider threat. These approaches draw on a wide range of tasks, such as monitoring, detection, prevention, and prediction. Yet still the insider-threat problem persists. One reason for this is the difficulty of implementing such approaches in real-world environments. Proposals that rely on psychological profiling, for instance, may require compliance from the insider at some stage (e.g., accurate completion of questionnaires). Similarly, gathering data on psychological and behavioural factors within a workplace is a challenging task, as it also requires the attention and compliance of other employees (e.g., reporting suspicious behaviour), while also appreciating the related legal and ethical considerations with such monitoring.

Regarding the development of prototype detection systems, the lack of realistic testing data representing the activities monitored still remains a difficult hurdle to overcome. There has been work on the development of synthetic-data generation, such as that by CMU-CERT [33], where malicious-insider threat data is inserted within normal employee-monitoring data. However, they acknowledge that even these datasets lack the noise and variation that would be present in any real-world data. Undoubtedly, however, and as stressed in [1], there is certainly more that could be done by organisations in order to help support and develop the research surrounding insider threats.

Previously, we have proposed a conceptual model for insider-threat detection [34]. As part of our on-going research, we have developed an initial system that is capable of reasoning about the threat posed by an individual, based on their observed activities in the technical domain, whilst also incorporating behavioural analysis and psychological assessment. Whilst the system performs well in preliminary experimentation, we are currently at the stage of requiring more complete data, either synthetic or real-world, in order to truly evaluate its effectiveness.
5 Conclusions

Our research in the CITD project recognises the multi-disciplinary nature of insider threat, covering research into the psychological and behavioural aspects that motivate an individual, development of detection systems and analysis tools, and education and awareness-raising within organisations. As a means to detect, prevent, and deter insider threat, the collaboration between these developments is fundamental for addressing the problem effectively. What is clearly apparent, though, is that the insider-threat problem is evident in all types of organisations, can originate in a variety of individuals, ranging from low-level employees through to high-ranking business partners, and can escalate into an attack in many different ways. In this paper, we provide a study on the problem, with the intention of allowing for a better understanding of the nature of insider threats, industry views on the risks faced, and prevention and detection techniques in practice and research. With this critical reflection on current findings and developments, we believe that this serves as an important stage in understanding the ever-persistent and ever-evolving threats that are increasingly occurring within organisations of today.

Acknowledgements. This research was conducted in the context of a collaborative project on Corporate Insider Threat Detection, sponsored by the UK National Cyber Security Programme in conjunction with the Centre for the Protection of National Infrastructure, whose support is gratefully acknowledged. The project brings together three departments of the University of Oxford, the University of Leicester and Cardiff University.
References

1. Computer Economics: Malicious insider threats (2010), http://www.computereconomics.com/page.cfmname=Insider_Threats
2. Ponemon Institute and Attachmate Corporation: The risk of insider fraud second annual study: Executive summary (2013), http://www.attachmate.com/resources/analyst-papers/bridge-ponemon-insider-fraud-survey.htm
3. PricewaterhouseCoopers: The global state of information security® 2014 (2013), http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml
4. PricewaterhouseCoopers: US state of cybercrime survey (2013), http://www.pwc.com/us/en/increasing-it-effectiveness/publications/us-state-of-cybercrime.jhtml
5. Whitty, M., Wright, G.: Deliverable 3.1 - Short report of findings from Case Studies (Corporate Insider Threat Detection project), Leicester University Report (2013)
6. Cappelli, D.M., Moore, A.P., Trzeciak, R.F.: The CERT Guide to Insider Threats. Addison-Wesley (2012)
7. McAfee and Evalueserve: State of security (2011), http://www.mcafee.com/us/resources/white-papers/wp-state-of-security.pdf
8. PricewaterhouseCoopers: Cybercrime: Protecting against the growing threat (2012), http://www.pwc.tw/en/publications/events-and-trends/e256.jhtml
9. Hunker, J., Probst, C.W.: Insiders and insider threats – an overview of definitions and mitigation techniques. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 2(1), 4–27 (2011)
10. Kroll Advisory Solutions and Economist Intelligence Unit: The global fraud report 2012/13 (2012), http://www.kroll.com/library/KRL_FraudReport2012-13.pdf
11. Shaw, E.D., Stock, H.V.: Behavioral risk indicators of malicious insider theft of intellectual property: Misreading the writing on the wall, Symantec Report (2011)
12. Moore, A.P., Cappelli, D.M., Caron, T.C., Shaw, E., Spooner, D., Trzeciak, R.F.: A preliminary model of insider theft of intellectual property. Technical report, CMU-CERT (2011)
13. Kaspersky: Threatpost series: Insider threats (2011), http://usa.kaspersky.com/resources/knowledge-center/threatpost
14. Moore, A.P., Cappelli, D.M., Trzeciak, R.F.: The "big picture" of insider IT sabotage across U.S. critical infrastructures. Technical report, CMU-CERT (2008)
15. FBI: Fannie Mae corporate intruder sentenced to over three years in prison for attempting to wipe out Fannie Mae financial data (2010), http://www.fbi.gov/baltimore/press-releases/2010/ba121710.htm
16. Allen, B.: The accidental insider threat: Is your organization ready (expert voices panel) (2012), http://www.boozallen.com/media/file/Accidental-Insider-Threat-Panel-Discussion-Transcript.pdf
17. Credant: Insider threat (2011), http://go.credant.com/campaigns-insider
18. Clearswift: The enemy within: an emerging threat (2013), http://www.clearswift.com/blog/2013/05/02/enemy-within-emerging-threat
19. Wall, D.S.: Organizational security and the insider threat: Malicious, negligent and well-meaning insiders. Technical report, Symantec (2011)
20. Turner, J.T., Gelles, M.: Threat assessment: A risk management approach. Routledge (2003)
21. CPNI: CPNI insider data collection study – report of main findings (2013), http://www.cpni.gov.uk/Documents/Publications/2013/2013003-insiderdatacollectionstudy.pdf
22. Holton, C.: Identifying disgruntled employee systems fraud risk through text mining: A simple solution for a multi-billion dollar problem. Decision Support Systems 46(4), 853–864 (2009)
23. The Department for Business, Innovation and Skills (BIS) & PricewaterhouseCoopers: 2013 Information security breaches survey (2013)
24. Sky News: MoD secrets leaked onto the Internet (2010), http://news.sky.com/story/753966/mod-secrets-leaked-onto-the-internet
25. Harrysson, M., Metayer, E., Sarrazin, H.: How not to unwittingly reveal company secrets (Harvard Business Review blog network) (2012), http://blogs.hbr.org/2012/12/how-not-to-unwittingly-reveal/
26. Kaspersky: Threatpost's insider threats survey (2011), http://usa.kaspersky.com/resources/knowledge-center/threatpost
27. Patcha, A., Park, J.M.: An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks 51(12), 3448–3470 (2007)
28. Salem, M., Hershkop, S., Stolfo, S.: A survey of insider attack detection research. In: Stolfo, S., Bellovin, S., Keromytis, A., Hershkop, S., Smith, S., Sinclair, S. (eds.) Insider Attack and Cyber Security. Advances in Information Security, vol. 39, pp. 69–90. Springer US (2008)
29. Brdiczka, O., Liu, J., Price, B., Shen, J., Patil, A., Chow, R., Bart, E., Ducheneaut, N.: Proactive insider threat detection through graph learning and psychological context. In: IEEE Symposium on Security and Privacy Workshops (2012)
30. Greitzer, F.L., Hohimer, R.E.: Modeling human behavior to anticipate insider attacks. Journal of Strategic Security 4(2), 25–48 (2011)
31. Greitzer, F.L., Kangas, L.J., Noonan, C.F., Dalton, A.C., Hohimer, R.E.: Identifying at-risk employees: Modeling psychosocial precursors of potential insider threats. In: 45th Hawaii International Conference on System Science. IEEE (2012)
32. Kandias, M., Mylonas, A., Virvilis, N., Theoharidou, M., Gritzalis, D.: An insider threat prediction model. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 26–37. Springer, Heidelberg (2010)
33. Glasser, J., Lindauer, B.: Bridging the gap: A pragmatic approach to generating insider threat data. In: IEEE Symposium on Security and Privacy Workshops (2013)
34. Legg, P.A., Moffat, N., Nurse, J.R.C., Happa, J., Agrafiotis, I., Goldsmith, M., Creese, S.: Towards a conceptual model and reasoning structure for insider threat detection. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications 4(4), 20–37 (2013)