Social engineering, Insiders, and Security
Christian W Probst, Technical University of Denmark
infinIT seminar on insider threats, NetIQ, 2015/03/12

What is the Problem?

•  We depend increasingly upon complex information systems

•  Focus on the vulnerability to
   –  Computer crime
   –  Security attacks [RAND Report, 2004]

“The insider threat is perhaps the greatest threat to [society, information system, ...]”

Securing Against the Inside

•  Protect against attacks from an insider

•  Insider has
   –  Better knowledge/information
   –  Better access

•  Hard or impossible to distinguish from admissible actions

•  Little research on analysing socio-technical systems

What is an Insider?

•  An insider is an entity that has been legitimately empowered with the right to access, represent, or decide about one or more assets of the organization’s structure.

•  A program can also be an insider

•  It is sufficient to have access to an asset containing the asset in question
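To make this definition concrete, here is an added example (not from the slides) that computes which entities are insiders for a given asset: any entity with legitimate access to the asset itself or to an asset that transitively contains it, where entities may be people or programs. All assets, entities and relations in it are constructed.

```python
"""Who is an insider for a given asset, following the slide's definition: any
entity (person or program) legitimately granted access to the asset itself or to
an asset that contains it. Added example, not from the slides; all names and
relations below are constructed."""
from collections import defaultdict, deque

# Constructed containment: container asset -> assets it contains
CONTAINS = {
    "office":      ["workstation"],
    "workstation": ["hard-drive"],
    "hard-drive":  ["client-files"],
    "backup-job":  ["client-files"],   # a program that holds the same data
}

# Constructed direct access rights: entity -> assets it may legitimately access
ACCESS = {
    "binney":       ["office", "workstation"],
    "it-admin":     ["hard-drive"],
    "backup-agent": ["backup-job"],    # a program can be an insider too
    "receptionist": ["office"],
}

def containers_of(asset):
    """The asset itself plus every asset that transitively contains it."""
    parents = defaultdict(list)
    for container, contents in CONTAINS.items():
        for contained in contents:
            parents[contained].append(container)
    seen, queue = {asset}, deque([asset])
    while queue:
        for parent in parents[queue.popleft()]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def insiders_for(asset):
    """Entities that count as insiders with respect to `asset`: access to the
    asset or to any container of it is sufficient."""
    reachable = containers_of(asset)
    return sorted(e for e, assets in ACCESS.items() if reachable.intersection(assets))

if __name__ == "__main__":
    print(insiders_for("client-files"))
```

Note how broad the result is: the receptionist, who merely has office access, is already an insider for the client files because the office contains the workstation that contains the drive.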

Example 1: The Hard Disk Example
Naive user and absent policy

In 2003, Banner Therapy employee Christina Binney, a co-founder of the company, was discharged from her position for “misconduct”, and instructed not to return to the office. BT claimed she impermissibly removed a hard drive from her work computer and took it home over the weekend to prepare for a client meeting.

Example 1: The Hard Disk Example (ctd)
Naive user and absent policy

BT claimed that the removal crippled Banner's operations and placed vital data at risk. Binney explained that a customer had requested a meeting on a Friday for the following Monday morning. To prepare, she chose to remove the entire hard drive from her work computer rather than transfer the files to a disk. At the time, BT had neither a company policy about taking work equipment home nor established computing protocols. When Binney attempted to return to work on Monday, she was denied access; this prevented her from returning the drive as she claimed she had planned.

Example 2: The Trade Secret Example
Malicious user steals trade secrets

In 2007, FBI agents arrested two engineers who had worked for NetLogic Microsystems (NLM) until 2003. The two men used money from mainland China to create and incorporate a company for the sole purpose of exploiting the secrets they stole. They downloaded sensitive NLM documents onto their home computers: top-level confidential technical descriptions specific enough to enable someone to produce the technology. Together, the men accumulated the information needed to design and produce their own lines of microprocessors and microchips.

Example 2: The Trade Secret Example (ctd)
Malicious user steals trade secrets

To finance the business, the men contacted Beijing FBNI Electronic Technology Development Company Ltd, and entered into an agreement to develop and sell microprocessor chips. Both men were able to access proprietary information without exceeding their individual authorizations. Investigators uncovered evidence that the venture capitalist had ties to the Chinese government and military.

Example 3: The Tax Fraud Example
Perimeter definition and system design

H. Walters and others are accused of perpetrating the biggest fraud in Washington's history. Until her arrest, “Walters was a 26-year tax employee known as a problem solver with a knack for finding solutions by using the department's antiquated and balky computers or finding a way around them.” She allegedly used her position to produce fake checks for bogus refunds with fictitious names; the total is said to exceed $50 million.

Example 3: The Tax Fraud Example (ctd)
Perimeter definition and system design

The scheme involved Washington's new Integrated Tax System. During the design phase, Walters “contributed to the decision that her unit, which handled real estate tax refunds, be left out of it.” At the time, the decision seemed to make sense for cost reasons. The scheme exploited several loopholes: each check was under the threshold for requiring a supervisor's approval, and no action was taken to cancel the first check or to confirm that it had not already been cashed.

Example 4: The Cloud Provider Sysadmin
Perimeter definition

A system administrator in the facilities of a cloud provider allegedly used a packet sniffer to record the image of a financial institution's virtual machine while it was being migrated.

The virtual machine was migrated from one server to another, possibly triggered by some action of the system administrator, allowing him to capture the network traffic.

Once home, he replayed the network traffic, and reinstantiated the virtual machine, giving him access to all the data of the VM.

Elements of Insider Threats

•  An owner of an asset

•  An inside entity that can access the asset

•  The possibility that the insider might do something that the owner does not allow it to do
   –  This might be the access to the asset itself, or some action using the asset

Possible Insider Threats

•  Accidental insider
   –  Oops... I REALLY did not want that

•  Malicious insider
   –  Motivation is to harm the organisation
   –  Or personal gain

•  Unaware insider
   –  Could you just do this...
   –  Socially engineered to do something

Accidental Insider

•  Hard to control

•  But potentially catastrophic consequences

   –  Leaving a door unlocked
   –  Sending confidential files
   –  ...

Malicious Insider

•  The "typical" insider

•  Disgruntled employee

•  Motivation, opportunity, abilities

•  Often developing over time

•  Motivation
   –  Harm the organisation, revenge
   –  Monetary gain
   –  Make a point

Unaware Insider

•  Is "convinced" by an attacker to perform an action

•  Usually social engineering

•  Believes to be doing "the right thing" or a favor

•  Severe consequences

•  Can be anything from opening a door or providing access to installing something

Can't we just detect them?

Detecting inside attackers is "easy"

•  Need a concise model of human behaviour,

•  Dependencies on the surroundings,

•  A sufficiently precise surveillance system, and

•  An evaluation system that can draw the necessary conclusions from its input.

•  Neither "easy" to realise, nor in any form desirable.

•  We lack techniques to model human behaviour.

•  Surveillance systems depend on legal boundaries.

Containing Insider Threats

•  Three major components

–  Identification of potential insider attackers

–  Monitoring of operations

–  Training of employees

Identify Factors

•  Important areas are legal frameworks, policies, and human behaviour

•  Goal: provide classifications of events and observations

•  Analyse policies to determine shortcomings, contradictions, inconsistencies, and loopholes
   –  These are often exploited to realise insider attacks.

Monitoring

•  Analyses the events in an organisation for signs of insider threats

•  Should be adapted to the expected level of threat and the value of assets

•  Challenge 1: ensure that the right data is collected, and that the data can be analysed

•  Challenge 2: differentiate legitimate actions by legitimate users, illegitimate actions by legitimate users, and illegitimate actions by illegitimate users.
   –  How to deal with false positives/negatives?
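As an added example of this monitoring challenge (not from the slides), the following Python runs two simple detections over constructed refund-issuance records modelled on the Example 3 loopholes: checks kept just under a supervisor-approval threshold, and a replacement check issued while the first one is still live. The record format, the threshold and the margins are assumptions; both detections are heuristics that will also flag some legitimate activity, which is exactly the false-positive problem of Challenge 2.

```python
"""Two monitoring heuristics over constructed refund-issuance records (added
example, not from the slides). Record format, threshold and margins are assumed."""
from collections import defaultdict

APPROVAL_THRESHOLD = 10_000   # assumed: refunds at/above this need a supervisor's approval
NEAR_MARGIN = 0.10            # "just under" = within 10% below the threshold
STRUCTURING_MIN = 3           # flag an issuer after this many near-threshold checks

# Constructed sample records: (check_id, issuer, payee, amount, cancels_check_id)
RECORDS = [
    ("C001", "alice", "Acme Props LLC", 4_200, None),
    ("C002", "walt",  "J. Doe Holdings", 9_950, None),
    ("C003", "walt",  "K. Roe Estates",  9_900, None),
    ("C004", "walt",  "L. Poe Realty",   9_980, None),
    ("C005", "alice", "Acme Props LLC", 4_200, "C001"),  # proper reissue: cancels C001
    ("C006", "bob",   "Acme Props LLC", 4_200, None),    # repeat of a live check, no cancel
]

def near_threshold_issuers(records):
    """Issuers with STRUCTURING_MIN or more checks just below the approval threshold.
    Many such checks by one issuer suggest amounts are being chosen to avoid review."""
    counts = defaultdict(int)
    low = APPROVAL_THRESHOLD * (1 - NEAR_MARGIN)
    for _, issuer, _, amount, _ in records:
        if low <= amount < APPROVAL_THRESHOLD:
            counts[issuer] += 1
    return {issuer: n for issuer, n in counts.items() if n >= STRUCTURING_MIN}

def uncancelled_duplicates(records):
    """Checks that repeat an earlier (payee, amount) while that earlier check is
    still live, i.e. nobody cancelled it first. Returns (check_id, live_earlier_ids)."""
    cancelled = set()
    earlier = defaultdict(list)          # (payee, amount) -> ids issued so far
    flagged = []
    for check_id, _, payee, amount, cancels in records:
        if cancels:
            cancelled.add(cancels)
        live = [c for c in earlier[(payee, amount)] if c not in cancelled]
        if live:
            flagged.append((check_id, live))
        earlier[(payee, amount)].append(check_id)
    return flagged

if __name__ == "__main__":
    print("near-threshold issuers:", near_threshold_issuers(RECORDS))
    print("uncancelled duplicates:", uncancelled_duplicates(RECORDS))
```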

Training

•  Important component in containing insider threats.

•  Main goal: raising awareness of insider threats.

•  Subgoals:
   –  Streamline policies, detect distortions, or sharpen alertness

•  Tap into employees' knowledge about faulty policies and workflows, insider threats, and countermeasures

Social Engineering

•  Mix of science, psychology, and art.

•  Skillfully maneuver somebody to take action, or not, in some aspect of their life.

•  Dress up as a courier with a heavy box, ask to open the door;

•  Telephone technician;

•  Clorius technician;

•  Santa Claus;

•  Call an employee, pretend to be from IT service; or many others.

Social Engineering

•  Works by building up a pretext.

•  Goal:
   –  Make it likely that the attack succeeds, and
   –  Give the victim a good reason to excuse their actions to themselves.

•  Heavy box;

•  Construct a scenario of urgency based on a cover story; or

•  Give reason to believe that you belong in the picture.

How to defend against Social Engineering

•  Perform physical security / social engineering tests.

•  Teach your employees about social engineering.
   –  The more they know, the more easily they can identify it.

•  Create a security awareness "program"
   –  Enforce regular training activities.
   –  Re-enact "typical" scenarios.

•  Make employees aware of
   –  The value of assets, and
   –  The consequences of actions.

Contact

Christian W Probst
DTU Compute
Richard Petersens Plads 324
2800 Kgs. Lyngby
Email: [email protected]
Mobile: +45 26 57 32 96