May 13-14, 2014Walter E. Washington

Convention CenterWashington, DC

I’m my own worst enemy

a first-person look at insider threatsAhmed Masud

Question

• Who is more dangerous?– You or a Hacker

Agenda

• Are you the insider threat?• Why should you care?• Protecting yourself from yourself.

Who is the Insider Threat?

Do you know if you are?

Why you should care?

• Scenario 1: You are the fall-guy• Scenario 2: You are the target of

interest• Scenario 3: You are the casualty

Why should you care?

• Reason 1: Safety and Security• Reason 2: Choice• Reason 3: Freedom

An exercise

• Do you feel you have access to information that can be used against your organization?

An exercise

• Do you feel that the access you have pose a threat to your organization?

An exercise

• Do you feel that the information you have access to is a threat to yourself?

An exercise

• Would you give your user-name and password to the person next to you.

An exercise

• Changed your password in last 60 days?

• Given any of your passwords to anyone else?

• Used the same password at more than one location?

Password Statistics (2012)

• 61% reuse passwords among multiple websites.

• 54% have only five passwords or less.

• 44% change their password only once a year or less.

• 89% feel secure with their current password management and use habits.

• 21% have had an online account compromised.

Again the Question

• Who is more dangerous?– You or a Hacker

The 64,000 dollar Question

• How much damage can you cause?

Exercise #2

• Have you emailed a sensitive document?

Exercise #2

• Do you have copies of company data at home?

Exercise #2

• On a USB stick you have in your pocket right now?

Exercise #2

• Ever let someone borrow your USB?

Exercise #2

• Company data of your former employer?

Data-theft Statistics

• 60% incidents attributed to insiders

Outsider threat = Insider threat

• The goal of an outside attack is to obtain the credentials of an insider

Perimeters ⇒ Insider

• Someone is always inside the perimeter

• How many perimeters can we manage?

Dealing with complexity

• What about complexity of operations?

• Where is the line?

Current best practices

• Sans institute best practices 3 examples– Beginning with the hiring process,

monitor and respond to suspicious or disruptive behavior

– Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions

– Close the doors to unauthorized data exfiltration.

Current best practices

• Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior– General broad functional directive

Current best practices

• Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions– Narrow technical directive

Current best practices

• Close the doors to unauthorized data exfiltration.– Requirement? Mission statement

directive?

Current best practices

• Too broad• Too vague• Too hard• Too bad?

Insider threat prevention

• Too broad• Too vague• Too hard• Too bad?

Science can be such a b1t¢h

• Generally, Halting Problem SAYS NO!• Special cases?

– Markov Property

Promising policies

• Understand and respect your own access

• Deny by default• There is no remediation for insider

threats

Promising technologies

• Fundamental principles based in computer science theory– Lang-Sec– Cyber-attack modeling

Questions

• Ask away