
So-called honey token or honeypot technologies could be adapted to catch insider data thieves in the act of accessing data inappropriately. In this case the honey data looks like valuable confidential information but is booby-trapped to trigger a silent alarm if improperly accessed or copied. For example, a document beacon can be attached via a macro to a Microsoft Office document which alerts authorities if the document is opened or copied. A beaconing document containing phony credit card numbers could be placed on a server or sent over the network to see who tries to steal its contents.
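As an added illustration (not code from this paper), the honey-data idea can be built from two pieces: a secret catalogue of decoy card numbers that pass the Luhn check, so they look genuine to a thief, and a monitor that raises an alarm whenever a catalogued decoy shows up in a log or outbound record. The prefix, seed, log format and host names below are assumptions; the log lines are constructed sample data.

```python
import random
import re

def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test."""
    total = 0
    # Walk from the rightmost digit of the partial number; in the finished
    # number that digit sits next to the check digit, so it is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def make_decoy_cards(count: int, seed: int = 7, prefix: str = "4999") -> list[str]:
    """Luhn-valid 16-digit decoy PANs under an assumed prefix. The fixed seed
    makes the secret catalogue reproducible for this demo only."""
    rng = random.Random(seed)
    decoys: list[str] = []
    while len(decoys) < count:
        body = prefix + "".join(str(rng.randrange(10)) for _ in range(11))
        pan = body + luhn_check_digit(body)
        if pan not in decoys:
            decoys.append(pan)
    return decoys

PAN_RE = re.compile(r"\b\d{16}\b")

def scan_for_decoys(lines, decoys) -> list[tuple[int, str]]:
    """(line number, decoy) for every line carrying a catalogued decoy.
    A hit is an alarm: no legitimate process ever uses a decoy."""
    catalogue = set(decoys)
    return [(n, pan) for n, line in enumerate(lines, 1)
            for pan in PAN_RE.findall(line) if pan in catalogue]

def sample_alerts() -> list[tuple[int, str]]:
    """Run the monitor over constructed outbound-proxy log lines."""
    decoys = make_decoy_cards(3)
    log = [
        "2024-05-01T09:12:03 alice GET https://intranet.example/payroll.xlsx 200",
        "2024-05-01T09:14:41 bob POST https://paste.example/upload body=4111111111111111",
        f"2024-05-01T09:15:02 bob POST https://paste.example/upload body={decoys[1]}",
        "2024-05-01T09:16:30 carol GET https://intranet.example/home 200",
    ]
    return scan_for_decoys(log, decoys)  # only the planted decoy alerts
```

The well-known test number on the second line is Luhn-valid but not in the catalogue, so it does not alert; only the planted decoy does.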

Whether operations should be undertaken using such techniques within any given enterprise is a matter for debate. There are obvious ethical, personnel, and legal issues to consider. For now this remains an area of research to determine technical feasibility.

3.3.2 Applicant Screening Systems

One area of proposed research in the banking industry is a national “bad actor database” that could be used to better screen job applicants at US financial institutions. The database could include biometric fingerprint data so applicants can’t misidentify themselves using an alias, and so the screening process can be integrated into existing background checks that also use fingerprints. (US banks generally take fingerprints from applicants or new hires as part of federally mandated background checks.) Any institution could start such a database unilaterally, but its full potential can only be realized if it’s shared by multiple companies, all contributing data about criminals, fraudsters, fired employees, etc.

3.3.3 Behavior Tracking Systems

While controversial, systems intended to detect anomalous or suspicious employee behavior are an important area of research and development. Some monitor an office worker’s actions on his/her computer, catching suspicious actions like large data downloads or unusual Intranet search strings. Some use Bluetooth or RFID to track an employee’s physical movements around a building or branch. Some might someday even use lie detector style technology to detect when an employee is feeling stressed or anxious.

Some of this research will bear fruit and some won’t. Those that lead to commercial technologies may or may not ever be used at a given enterprise. There are obvious privacy, personnel, ethical, and legal issues to consider.

4 Conclusions

Nothing less than a multi-pronged holistic EDLP program can effectively reduce the risk of a large or embarrassing “data spill” in most modern automated enterprises. There is no one “silver bullet” to prevent data leaks or theft. Only a defense in depth approach can succeed, assuming it addresses every dimension of the problem and every stage of the attack. In this paper we have proposed a number of ways to improve both technical and administrative controls in a typical enterprise, as well as several areas for technical research that could lead to new controls in the future.

Acknowledgments

We’re grateful to the organizers of IACS07 [8] for providing a forum where academia, government, and industry can come together to discuss insider threats. In particular the author thanks Columbia University’s Steve Bellovin and Sal Stolfo for their encouragement, and Sal Stolfo for sharing his work on document beacons. The author acknowledges his coworkers, especially the invaluable contributions of Michael Foster and Adam De Monaco. We also thank Financial Services Technology Consortium executive director Dan Schutzer for his advice and support.

Any opinions expressed herein are the authors’, and not necessarily those of our employer.

References

[1] Randazzo M. R., Keeney M., Kowalski E., Cappelli D., and Moore A., Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, United States Secret Service, 2004.

[2] Henry T., Controlling Information with Network Content Filtering; Burton Group.

[3] Proctor P., Mogull R., and Oullet E., Magic Quadrant for Content Monitoring and Filtering and Data Loss Prevention, 2Q07; Gartner Inc.

[4] Penn J. and Raschke T., The Forrester Wave™: Information Leak Prevention, Q4 2006; Forrester Research.

[5] Yuhanna N. and Julian T., Securing Your Data from Insider Threats, June 2007 seminar; Forrester Research.

[6] Cappelli D., Moore A., and Shaw E., A Risk Mitigation Model: Lessons Learned From Actual Insider Sabotage, Carnegie Mellon CERT; Proceedings CSI 2006.

[7] Wilson B., Information Security: A Critical Competency, Carnegie Mellon CERT; Proceedings FSTC 2007.

[8] 2007 ARO/FSTC Workshop on Insider Attack and Cyber Security (IACS07), http://www.cs.dartmouth.edu/~insider/

[9] Human Behavior, Insider Threat, and Awareness Project, Institute for Information Infrastructure Protection (I3P), http://www.thei3p.org/projects/insidthoverview.html

[10] FS-ISAC Information Leak Survey, privately conducted survey, results distributed to members only. (Direct inquiries to the author or the consortium.)

[11] FSTC Leak Prevention Survey, privately conducted survey, results distributed to members only. (Direct inquiries to the author or the consortium.)

[12] 2006 E-Crime Watch Survey, CSO Magazine with the U.S. Secret Service, CERT® Coordination Center and Microsoft Corp.

[13] Externalization of Entitlements, privately published white paper; direct inquiries to the author.

[14] California law SB1386 serves as the model for other state and federal breach disclosure legislation. http://www.oit.ucsb.edu/committees/itpg/sb1386.asp

[15] Plastic Card Industry Data Security Council, https://www.pcisecuritystandards.org/

[16] Google APIs for search (and other services), documented at http://code.google.com/apis/.

[17] Johnson M. E. and Dynes S., Dartmouth College; Proceedings Workshop on the Economics of Information Security, 2007.

Malek Ben Salem, Shlomo Hershkop, and Salvatore J. Stolfo
Computer Science Department, Columbia University

Abstract. This paper surveys proposed solutions for the problem of insider attack detection appearing in the computer security research literature. We distinguish between masqueraders and traitors as two distinct cases of insider attack. After describing the challenges of this problem and highlighting current approaches and techniques pursued by the research community for insider attack detection, we suggest directions for future research.

1 Introduction

Recent news articles have reported that the cell phones of prominent Greek legislators were found to be bugged [30]. Rogue software was injected into the operational systems of the Greek cell phone provider, Vodafone Greece, which controlled a tap for incoming and outgoing calls on selected phones. The phones used by the prime minister and other high ranking officials were apparently targeted. This act was eventually traced to a malicious insider who had hacked the Vodafone system sometime in 2004 and installed the equivalent of a rootkit on an internal Ericsson phone switch. The hack was accidentally discovered through a misconfiguration of a software update a considerable time after the tapping began. The rootkit update accidentally conflicted with other system processes and resulted in alarms being set off in the system. The complexity of the attack could only be attributed to someone with intimate knowledge of the Ericsson switch operating software, which had been developed in Greece over the preceding 15 years.

External threats to the cyber-infrastructure of an organization are constantly evolving. The greatest threat, however, is the problem of insiders who misuse their privileges for malicious purposes. Insider attacks have overtaken virus and worm attacks as the most reported security incident according to a report from the US Computer Security Institute (CSI) [12]. The annual Computer Crime and Security Survey for 2007 surveyed 494 security personnel members from US corporations and government agencies, finding that insider incidents were cited by 59 percent of respondents, while only 52 percent said they had encountered a conventional virus in the previous year.

Much research in computer security has focused on the means of preventing unauthorized and illegitimate access to systems and information. Unfortunately, the most damaging malicious activity is the result of internal misuse within an organization, perhaps since far less attention has been focused inward. Despite classic internal operating system security mechanisms and the literature on formal specification of security and access control policies, including the Bell-LaPadula and Clark-Wilson models [1, 3], we still have an extensive insider attack problem. Indeed, in many cases formal security policies are incomplete and implicit, or they are purposely ignored in order to get business goals accomplished. There seems to be little technology available to address the insider threat problem. The state-of-the-art seems to be still driven by forensic analysis after an attack, rather than technologies that prevent, detect, and deter insider attack.

The inside attacker has been defined in many different contexts with no standard definition agreed upon by the research community. How might one then think it is possible to make scientific progress if the problem itself is ill-defined? Nevertheless, there are many well known examples of insider attacks familiar to most people.

For our purposes in this paper, we define a malicious insider as belonging to one of two classes of malfeasant users: traitors and masqueraders. A traitor is a legitimate user within an organization who has been granted access to systems and information resources, but whose actions are counter to policy, and whose goal is to negatively affect the confidentiality, integrity, or availability of some information asset [25, 40]. The traitor uses his/her legitimate credentials when perpetrating malicious actions, as in the Greek Vodafone case mentioned above.

The most familiar example of an insider is a masquerader: an attacker who succeeds in stealing a legitimate user’s identity and impersonates another user for malicious purposes. Credit card fraudsters are perhaps the best example of masqueraders. Once a bank customer’s commercial identity is stolen (e.g. their credit card or account information), a masquerader presents those credentials for the malicious purpose of using the victim’s credit line to steal money.

We may distinguish traitors and masqueraders based upon the amount of knowledge each has. A traitor of course has full knowledge of the systems they routinely use and likely the security policies in force. The masquerader may have far less knowledge than the traitor. Furthermore, an insider attack may be due to an innocent mistake by a legitimate user. Hence, insider attack may also be distinguished by the intent of the user’s actions. Traitors and masqueraders are two sides of what we consider to be the insider threat. The distinction is not entirely satisfactory. After all, a disgruntled insider employee may act as a traitor and a masquerader after stealing the identity of a coworker. But for our present purposes, the distinction is clear enough to consider the general themes of past research in insider attack detection.

An extensive literature exists reporting on approaches that profile user behavior as a means of detecting insider attack, and identity theft in particular. A traitor is presumed to have full knowledge of the internal systems of an organization to which they belong. They use their own credentials and the access granted by those credentials to perform their malicious deeds. A traitor may exhibit normal behavior and still perpetrate malicious acts. Profiling user behavior in this case may seem less relevant except for identifying subtle but significant changes in a user’s normal behavior. A masquerader, on the other hand, has stolen someone’s credentials, and is unlikely to know the behavior of their victim. Thus, even though they control the victim’s credentials that grant access to whatever the victim is authorized to use, the masquerader is likely to perform actions inconsistent with the victim’s typical behavior.

Behavior is not something that can be easily stolen. Stealing someone’s credit card information does not reveal the amount and frequency of what the victim typically buys and from whom. Hence, if one profiles the typical buying patterns of a customer (and keeps this historical information secret) an identity thief, a masquerader, has a relatively low probability of misusing the stolen quarry in a manner consistent with the victim’s behavior that will go unnoticed. Fraudulent transactions are thus fairly easy to detect even given proper credentials and credit availability. It is this observation that the credit card companies recognized a couple of decades ago when designing early fraud warning systems, and this idea has largely been the driving theme for much subsequent research on masquerade detection.
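The buying-pattern argument above, as an added worked example that is not from the survey or from any system it cites: a profile of the victim's own purchases (usual merchants, typical amount, typical spacing between purchases) is built from history, and each new purchase is scored by how far it departs from that profile. The merchant names, amounts, scoring terms and the 2.5 threshold are all assumptions; the transactions are constructed sample data.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Txn:
    day: int          # days since the start of the history
    merchant: str
    amount: float

@dataclass(frozen=True)
class Profile:
    merchants: frozenset   # merchants the customer has used before
    mean_amount: float
    std_amount: float
    mean_gap: float        # typical days between purchases

def build_profile(history: list[Txn]) -> Profile:
    """Summarise the victim's own purchases; the profile itself stays secret."""
    amounts = [t.amount for t in history]
    days = sorted(t.day for t in history)
    gaps = [b - a for a, b in zip(days, days[1:])] or [1]
    return Profile(frozenset(t.merchant for t in history),
                   mean(amounts), pstdev(amounts) or 1.0, mean(gaps) or 1.0)

def anomaly_score(p: Profile, last_day: int, t: Txn) -> float:
    """Three evidence terms, each 0 when the purchase looks like the victim's."""
    z = abs(t.amount - p.mean_amount) / p.std_amount   # unusual amount
    novel = 0.0 if t.merchant in p.merchants else 1.0  # merchant never seen
    burst = max(0.0, 1.0 - (t.day - last_day) / p.mean_gap)  # faster than usual
    return z + novel + burst

def flag_transactions(history, new, threshold=2.5):
    """Return (txn, score) for new purchases that depart sharply from the profile."""
    p = build_profile(history)
    last_day = max(t.day for t in history)
    flagged = []
    for t in new:
        s = anomaly_score(p, last_day, t)
        if s >= threshold:
            flagged.append((t, round(s, 2)))
        last_day = t.day
    return flagged

# Constructed sample: a customer's five-week history, then three new purchases
HISTORY = [Txn(0, "GroceryMart", 80), Txn(1, "PowerCo", 120), Txn(3, "FuelStop", 45),
           Txn(7, "GroceryMart", 65), Txn(14, "GroceryMart", 90), Txn(17, "FuelStop", 50),
           Txn(21, "GroceryMart", 70), Txn(28, "GroceryMart", 85)]
NEW = [Txn(35, "GroceryMart", 72),      # the victim's usual weekly shop
       Txn(35, "LuxWatches", 2400),     # same day, unknown merchant, huge amount
       Txn(35, "ElectroMart", 900)]

def demo_flags():
    return flag_transactions(HISTORY, NEW)
```

The weekly grocery purchase scores well under the threshold while the two purchases that follow it are flagged, which is the point of the paragraph: the thief holds the card but not the victim's habits.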

On the other hand, a traitor is presumably behaving normally and hence profiling a user to detect significant change as a means of detecting malicious actions may not be the best strategy for detecting this class of insider attack. The intelligence and military communities are challenged with detecting traitors and have devised a host of means of using decoys and trap-based defenses to entice and trick users into revealing their nefarious actions. Far less work has been reported in the computer security literature on developing decoy network defenses beyond early work on honeypots and general ideas on the use of honeytokens of various forms. The detection of traitors is an area ripe with challenges begging for new research.

In the following sections, we provide a general overview of the literature on the insider problem driven primarily by various methods of profiling user actions and the systems they use. Much of the work reports on studies describing various audit sources and algorithms to profile users that are tested on simulated masquerade attack data. Researchers have also distinguished between network-level and host-level detection systems. Most of this work is specific to masquerade attack detection, although some work is reported on trap-based defenses aimed at the traitor detection problem using honeypots and honeytokens. We conclude with a view of what we see as the state-of-the-art of the insider attack detection problem, and we provide recommendations on future research directions.