TRANSCRIPT
© 2007-2011 Carnegie Mellon University
The CERT Insider Threat Center
Notices
© 2007-2011 Carnegie Mellon University
This material is distributed by the SEI only to course attendees for their own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].
This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.
THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
What is CERT?
Center of Internet security expertise
Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today
Part of the Software Engineering Institute (SEI)
• Federally Funded Research & Development Center (FFRDC)
• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)
Who is a Malicious Insider?
Current or former employee, contractor, or other business partner who
has or had authorized access to an organization’s network, system or data and
intentionally exceeded or misused that access in a manner that
negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.
CERT Insider Threat Center – Mission
Assist organizations in identifying indications and warnings of insider threat by
• performing vulnerability assessments
• assisting in the design and implementation of policies, practices, and technical solutions
based on our ongoing research of hundreds of actual cases of insider IT sabotage, theft of intellectual property, fraud, and espionage
2011 CyberSecurity Watch Survey - 1
CSO Magazine, USSS, CERT & Deloitte
607 respondents
38% of organizations have more than 5000 employees
37% of organizations have less than 500 employees
Percentage of Participants Who Experienced an Insider Incident (by survey year):
2004: 41%
2005: 39%
2006: 55%
2007: 49%
2008: 51%
2010: 43%
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
2011 CyberSecurity Watch Survey - 2
46% of respondents said damage caused by insider attacks was more damaging than that caused by outsider attacks
Most common insider e-crimes:
• Unauthorized access to / use of corporate information (63%)
• Unintentional exposure of private or sensitive data (57%)
• Viruses, worms, or other malicious code (37%)
• Theft of intellectual property (32%)
Source: 2011 CyberSecurity Watch Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and Deloitte, January 2011.
U.S. Crimes by Category
CERT’s Insider Threat Case Database (number of cases per category):
Sabotage: 127
Fraud: 214
Theft of IP: 88
Misc: 43
Espionage: 120
CERT’s Case Collection Approach
Ongoing collection: Cases from 1996 – present that occurred in the U.S. are coded in the CERT database
Sources: Court documents, interviews, media, investigators’ notes
Big picture approach: Examine technical, psychological, and organizational aspects of the problem
Objective: Analyze actual cases to develop information for prevention & early detection
Current Body of Work
Incident Response
Forensic Investigations (internal & external attacks)
Controls
Open source solutions
Optimized configurations for commercial technology
Risk scoring algorithms
New functional requirements
Standards
Cases
Models
Assessments
Lit Reviews
Research
Insider threat risk management process
Workshops
Senior Executive Workshops
Demos
VTE Modules
Exercises
Points of Contact
Insider Threat Technical Solutions Lead
Joji Montelibano
CERT Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890
+1 412 268-6946
[email protected] – Email
http://www.cert.org/insider_threat/