ADiscussionoftheInsiderThreat.ppt

《ADiscussionoftheInsiderThreat.ppt》由会员分享，可在线阅读，更多相关《ADiscussionoftheInsiderThreat.ppt（11页珍藏版）》请在三一办公上搜索。

1、A Discussion of the Insider Threat,Jason Franklin,Inside,Outside,Example Insider Attack,Ivan the insider gets fired and Alf the administrator forgets to void Ivans(login)credentials.Ivan goes home,logins into his work machine and takes some malicious action(introduces bugs into source,deletes files

2、and backups,etc)Alternatively,Alf might void Ivans credentials,but forget that Ivan also uses a shared group account.,Proposed Definition,A malicious insider is an adversary who operates inside the trusted computing base,basically a trusted adversary.The insider threat is an adversarial model encomp

3、assing all possible malicious insiders.,Ivan,Example Threats,Data corruption,deletion,and modificationLeaking sensitive dataDenial of service attacksBlackmailTheft of corporate dataOn and on.,Statistics,Insider attacks account for as much as 80%of all computer and Internet related crimes 170%of atta

4、cks causing at least$20,000 of damage are the direct result of malicious insiders 1Majority of insiders are privileged users and majority of attacks are launched from remote machines 3,Problem Discussion,Typical adversarial models ignore the insider threat by assuming the TCB is free of threatsInsid

5、er threat violates this assumption,Corporate Network,Firewall/IDS,Prevailing Sentiments(Myths?),Current systems are capable of countering the insider threatInsider threat is impossible to counter because of the insiders resources and access permissionsInsider attacks are a social or organizational i

6、ssue which cannot be countered by technical means(Anderson94),Remediation:Initial Thoughts,Minimize the size of the TCB to decrease the number of possible insidersDistribute trust amongst multiple parties to force collusionMost insiders act aloneQuestion trust assumptions made in computing systemsTr

7、eat the LAN like the WANBroLAN,SANE,etcOthers?,Is the insider threat unavoidable?,If we define an insider as an adversary inside the TCB,can we ever eliminate the insider threat?Perhaps we can only reduce the number of possible insiders or the extent of possible damage?Perhaps we should rely on the“

8、lone wolf”nature of insiders and distribute trust?,Discussion,Is the insider threat definition a good one?Is the insider an actual threat or just media hype?Can/do we build systems that already counter the insider threat?Is this worth our time?Whats the best paper you could imagine in this area?,Ref

9、erences,1 Jim Carr.Strategies and issues:Thwarting insider attacks,2002.2 Nathan Einwechter.The enemy inside the gates:Preventing and detecting insider attacks,2002.3 National Threat Assessment Center-Insider Threat Study,http:/www.ustreas.gov/usss/ntac_its.shtml4 Jason Franklin,Parisa Tabriz,and Matthew Thomas.A Case Study of the Insider Threat through Modifications to Legacy Network Security Architectures,unpublished manuscript.,