160 likes | 466 Views
Unit Outline Information Security Risks, Part II. Module 1: Password Security Module 2: Wireless Security Module 3: Unintentional Threats Module 4: Insider Threats Module 5: Miscellaneous Threats Module 6: Summary. Module 4 Insider Threats.
E N D
Unit OutlineInformation Security Risks, Part II Module 1: Password Security Module 2: Wireless Security Module 3: Unintentional Threats Module 4: Insider Threats Module 5: Miscellaneous Threats Module 6: Summary
Insider ThreatsLearning Objectives • Student will be able to: • Recognize insider threats of an organization • Identify different sources of insider threats • Classify perpetrators of insider threats • Determine relevant controls for protection against insider threats
Insider ThreatsDefinition • An authorized user of a system who • Unwittingly aids or directly performs bad actions • Performs bad actions with the best possible intentions • Intentionally performs bad actions (motivation is irrelevant) • Insider threat more insidious than external threats and may be harder to detect
Insider ThreatsPerpetrators • Proprietors • Moles • Inappropriate users • Cowboys in the organization who who consider themselves beyond any policy • Remote or traveling users • Disgruntled insiders • Malicious Employees
Insider ThreatsHoles • Weak security policies and procedures • Errors in configuration, assignment of roles and rights, or acceptable use • Inadequate training and controls that leads to inappropriate use of systems • Poor physical security • Traveling laptops (employee travel) • Inadequate screening of employees during hiring process • Lack of resources to support security
Insider ThreatsInside Hacker Penetration • Social engineering • Low tech but can be powerful • Mostly performed over the phone or e-mail • Impersonation • Encrypt your authentication in transit • User credentials should not be emailed • Hacker Penetration through Network • Modems on the network • Direct connect to analog lines • Analog/digital converters • Web capable phones • Wireless LANs • Portable Media (thumb drives)
Insider ThreatsProtection • Perform periodic security assessment • Internal process or external consultants • Upgrade authentication and authorization processes • Stay current with security technology • Install patches when available • Train the IT staff and users to avoid configuration mistakes (Not the best place to save money) • Develop and internal training program (train-the-trainer) • Follow the principle of least privilege (Do not give unnecessary permissions) • Ensure the repercussions to flaunting security policies are strong and well advertised
Insider ThreatsProtection Cont’d. • Incorporate audit tools in your information access and identity management systems • e.g. Active Directory, LDAP, Databases, File Servers • Eliminate legacy interoperability from new system requirement when performing upgrades to remove old vulnerabilities
Insider ThreatsProtection: Network Architecture • Defense in Depth • Introduce security in network design • Segment the internal network • Use switches instead of hubs • Enforce Policies diligently • Apply principle of least privilege • Audit logs and identify intrusions • Profile network behavior • Severely restrict privileged access to only security & network administrators
Insider ThreatsProtection: Segment Architecture • Use routers to segment the network • Disallow source routing, broadcast, and multicast • Use filters for: • Traffic permitted into and out of your network • Source & destination IP addresses entering and leaving each subnet
Insider ThreatsProtection: Least Privilege • Don’t allow all system admins root access to everything • Identify user requirements and disable un-needed services • Use Role Based Access Control (RBAC) • Remove operating system access from user workstations
Insider ThreatsProtection: Auditing & Profiling • Central console for all security system reports • Most networking equipment will support SYSLOG – use it • Establish Flow Monitoring – several good tools, including MRTG, nTOP, CISCO, etc… • DHCP – Establish long lease times to enable better auditing • Set time and protocol rules of engagement • Limit systems that don’t require access to the Internet
Insider ThreatsProtection: Bastion Awareness • Syslog your bastion routers • Virus scan and potentially content filter your e-mail • Proxy all outbound Internet protocols • Filter for appropriate content • Select firewalls that demand protocol compliance on outbound proxy
Insider ThreatsProtection: Tactics & Strategy Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. -- Sun Tzu Strategy • Prepare for intrusion • Plan procurements carefully • Map user/role access to data profiles • Ensure data tagging stays up to date • Build strong auditing – centralize it and analyze it • Build defense-in-depth • Understand your asset/risk profile and keep it up to date Tactics • Identification • Containment • Eradication • Recovery • Post-Mortem • Each new procurement supports strategic security goals
Insider ThreatsSummary • Internal threats can be more insidious than external threats • Security policy enactment and enforcement is critical for internal protection • Network can be designed to make it more secure • Training and education are key to the success of insider protection