Types of Security Threats and Protection Against Them

Types of Security Threats and aegis A invitest ThemIntroduction musical composition endeavours on calculating machines by outside intruders argon to a greater extent publicized, attacks perpetrated by insiders argon genuinely common land and often more damaging. Insiders re mystify the superior bane to estimator warrantor be vitrine they infrastand their organizations wrinkle and how their computer dodges work. They draw two(prenominal) the confidentiality and nark to perform these attacks.An inside attacker will have a higher opportunity of successfully disruption into the clay and extracting slender learning. The insiders besides act the greatest ch totallyenge to securing the comp each entangle ment because they be authorized a level of penetration to the register system and granted a degree of trust.A system administrator angered by his diminished role in a thriving defense manufacturing firm whose computer ne dickensrk he al unity had developed and man aged, centralized the softwargon that fighted the comp alls manufacturing processes on a single emcee, and then intimidated a coworker into large him the only(prenominal) backup tapes for that softw ar.Following the system administrators termination for inappropriate and black treatment of his coworkers, a logic bomb antecedently set by the insider detonated, deleting the only rebrinying copy of the critical softw atomic number 18 from the accompanys server. The company estimated the cost of rail at in excess of $10 million, which light-emitting diode to the layoff of few 80 employees.An application developer, who lost his IT sector job as a guide of company downsizing, expressed his displeasure at being put off just prior to the Christmas holidays by launching a systematic attack on his former employers computer internet. Three weeks following his termination, the insider employ the username and password of one of his former coworkers to gain remote rile to the net work and modify some(prenominal) of the companys web pages, changing text and inserting sexy images.He also sent each of the companys customers an email message advising that the website had been hacked. separately email message also contained that customers usernames and passwords for the website. An investigating was initiated, neverthe slight(prenominal) it failed to learn the insider as the culprit. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus tuition. This former employee ultimately was determine as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer.A urban center organization employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworkers computers the day before the red-hot finance director took office. An investigation identified the disgruntled employee as the perpetrator of the calamity. City government officials disagreed with the main(a) police detective on the font as to whether all of the set offd files were recovered.No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign.These incidents of sabotage were all pull by insiders individuals who were, or previously had been, authorized to use the selective information systems they eventually employed to perpetrate harm. Insiders bugger off a substantial curse by virtue of their fellowship of, and access to, employer systems and/or databases. Keeney, M., et al (2005)The Nature of Security ThreatsThe greatest flagellum to computer systems and information comes from humans, through actions that argon either malicious or unbelieving 3 . Attackers, trying to do harm, exploit vulnerabilities in a system or aegis policy employin g various methods and tools to farm over their aims. Attackers usually have a motive to disrupt normal business operations or to steal information.The supra diagram is depicts the types of gage holy terrors that exist. The diagram depicts the all threats to the computer systems but main emphasis will be on malicious insiders. The greatest threat of attacks against computer systems are from insiders who know the codes and trade protection measures that are in place 45. With very specific objectives, an insider attack can affect all components of aegis. As employees with legitimate access to systems, they are familiar with an organizations computer systems and applications.They are believably to know what actions cause the to the highest degree damage and how to get away with it undetected. Considered members of the family, they are often above suspicion and the last to be considered when systems malfunction or fail. disgruntle employees create mischief and sabotage against systems. Organizational downsizing in both public and esoteric sectors has created a group of individuals with significant knowledge and capabilities for malicious activities 6 and revenge. Contract professionals and foreign nationals either brought into the U.S. on work visas to meet labor shortages or from offshore outsourcing projects are also included in this category of learned insiders.Common Insider ThreatCommon cases of computer- associate employee sabotage include changing data deleting data destroying data or programs with logic bombs crashing systems holding data hostage destroying hardware or facilities entering data incorrectly, exposing sensitive and embarrassing proprietary data to public slang such(prenominal)(prenominal) as the salaries of top executives. Insiders can plant viruses, trojan horses or worms, browse through file systems or program malicious code with superficial chance of detection and with al or so total impunity.A 1998 FBI go over 7 investi gating computer crime found that of the 520 companies consulted, 64% had accountinged security breaches for a total quantifiable fiscal loss of $136 millions. (See chart)The survey also found that the largest number of breaches were by unauthorized insider access and concluded that these figures were very conservative as to the highest degree companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey reported that the average cost of an attack by an alien (hacker) at $56,000, go the average insider attack cost a company excess $2.7 million. It found that hidden costs associated with the loss in staff hours, juristic liability, loss of proprietary information, decrease in productivity and the potence loss of credibility were impossible to quantify entirely.Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for comprehend grieva nces, ego gratification, resolution of personal or professional bothers, to protect or advance their careers, to quarrel their skill, express anger, impress others, or some combination of these concerns.Insider CharacteristicsThe majority of the insiders were former employees.At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were flow employees or contractors.The former employees or contractors leftover their positions for a mixing of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%). Most insiders were either previously or latestly employed full-time in a technical position within the organization.Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight per centum of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insid ers worked as temporary employees, and one (2%) was hired as a subcontractor.lxxxvi percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders non holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.The insiders ranged in age from 17 to 60 years (mean age = 32 years)17 and represented a variety of racial and ethnic backgrounds.Ninety-six percent of the insiders were male.Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having neer married, and 4% were divorced. Just under one- trine of the insiders had an arrest history.Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfiscal/ fraud related theft offenses (11%).Organization CharacteristicsThe incidents affected organizations in the following critical fundament sectorsBanking and finance (8%) perseverance of government (16%)Defense industrial base (2%)Food (4%) selective information and telecommunications (63%)Postal and shipping (2%)Public health (4%)In all, 82% of the affected organizations were in privy attention, while 16% were government entities. Sixty-three percent of the organizations active in domestic natural action only, 2% engaged in international application only, and 35% engaged in activity both domestically and internationally.What strike insiders?Internal attackers attempt to break into computer networks for many reasons. The subject has been fruitfully studied and essential atta ckers are used to be motivate with the following reasons BSB03 challengeMany internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivate by the challenge of breaking into networks often do not often think active their actions as criminal. For example, an internal attack can be the challenge to break into the mail server in order to get access to antithetic emails of any employee.RevengeInternal attackers motivated by revenge have often ill feelings toward employees of the homogeneous company. These attackers can be particularly dangerous, because they mostly focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees that feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack to the company in order to cause financial losse s.EspionageInternal attackers motivated by espionage, steal confidential information for a third party. In general, two types of espionage existsIndustrial espionageIndustrial espionage means that a company may pay its own employees in order to break into the networks of its competitors or business partners. The company may also hire someone else to do this.International espionageInternational espionage means that attackers work for governments and steal confidential information for other governments.Definitions of insider threat1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The commencement exercise actor category, the true insider, is defined as any entity (person, system, or code) authorized by command and ensure elements to access network, system, or data. The second actor category, the pseudo-insider, is someone who, by policy, is not authorized the accesses, roles, and/or permissions they short ly have but may have gotten them inadvertently or through malicious activities.The activities of both fall into five general categoriesExceeds given network, system or data permissionsConducts malicious activity against or across the network, system or dataProvided unapproved access to the network, system or dataCircumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise chance on orNon-maliciously or unknowledgeablely damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure.(Presented at the University of Louisville Cyber Securitys Day, October 2006)2) Insiders employees, contractors, consultants, and vendors pose as great a threat to an organizations security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first s tep for many organizations, followed by policy review, and employee awareness training.(Insider Threat ManagementPresented by infoLock Technologies)3) Employees are an organizations most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operative efficiency, the actions of trusted insiders not just employees, but consultants, contactors, vendors, and partners must be actively managed, audited, and monitored in order to protect sensitive data.(Presented by infoLock Technologies)4) The diversity of cyber threat has grown over time from network-level attacks and password cracking to include forward-lookinger classes such as insider attacks, email worms and social engineering, which are currently recognized as s erious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specie safety property are extracted to indicate possible exploits.(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)5) The Insider Threat scan, conducted by the U.S. Secret gain and Carnegie Mellon Universitys Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The try indicates that charge decisions related to organizational and employee performance sometimes bring back unintended consequences magnifying risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating settlements exacerbates the problem.(Dawn M. Cappe lli, Akash G. Desai)6) The insider threat or insider problem is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an insider has information and capabilities not cognize to other, external attackers. But the studies rarely define what the insider threat is, or define it nebulously. The difficulty in handling the insider threat is reasonable under those dower if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved?(Matt Bishop 2005)Five common insider threatExploiting information via remote access softwareA considerable amount of insider abuse is performed offsite via remote access software such as closing Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught take sensitive information when they can it do offsite. Also, inadequately protected remote computers may turn up in the hands of a third-party if the computer is left unattended, lost or stolen.2.) Sending out information via e-mail and wink messaging afflictive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, its also one of the easiest to eliminate.3.) communion sensitive files on P2P networksWhether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are its at that place and waiting to be abused. The inanimate software in and of itself is not the problem its how its used that causes trouble. All it takes is a simple misconfiguration to serve up your networks local and network drives to the world.4.) Careless use of wireless networksPerhaps the most unintentional insider threat is that of insecure wireless network usage. Whether its at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but dont over number Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use it to exploit the network after hours.5.) circuit board information to discussion boards and blogsQuite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.Views of different authors to the highest degree insider threat1) Although insiders in this report tended to be former technical employees, there is no demographic profile of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently over(p) employees, contractors, and tempo rary employees. As such, security awareness training involve to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees passwords and to double-tonguedly obtain access through prevarication or exploitation of a trusted relationship.Insiders can be stopped, but stopping them is a building complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close circumspection to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information tech nology to the organizations overall business processes and the interplay between those processes and the technologies used.(Michelle Keeney, J.D., Ph.D. atal 2005)2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organizations business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.(Nam Nguyen and nib Reiher, Geoffrey H. Kuenning)3) Geographically distributed information systems achieve high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of pauperization regardless of current network connectivity requires the state to be replicated in every geographical site so that it is topically available. As network environments become increasingly hostile, we have to fool that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is enlarged when insider (or Byzantine) attacks are taken into account.(Yair Amir Cristina Nita-Rotaru)4) In 2006, over 60% of information security breaches were referable to insider behavior, yet more than 80% of corporate IT security budgets were played out on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people. Protecting against insider threats means managing policy, process, technology, and most importantly, people.The Insider Threat Assessm ent security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have make the right choice to improve your security posture, and you will achieve your expected Return on Security Investment.(Presented by infoLock Technologies)5) The threat of attack from insiders is real and substantial. The 2004 ECrime read Survey TM conducted by the United States Secret Service, CERT Coordination aggregate (CERT/CC), and CSO Magazine, 1 found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial intromission resulted in losses of over $600 million. 2 Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.(Dawn Cappelli, And rew Moore, Timothy Shimeall,2005)6) Insiders, by virtue of legitimate access to their organizations information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it idle to use the systems they use at work everyday to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organizations vulnerabilities, have used their technical ability to sabotage their employers system or network in revenge for some negative work-related event.(Dawn M. Cappelli, Akash G. Desai ,at al 2004)7) The insider problem is considered the most difficult and critical problem in computer security. But studies that survey the distressfulness of the problem, and enquiry that analyzes the problem , rarely define the problem precisely. Implicit definitionsvary in meaning. Different definitions imply different countermeasures, as strong as different assumptions.(Matt Bishop 2005)Solution user monitoringInsiders have two things that external attackers dont privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts all while flying under the radar unless a strong incident detection solution is in place.A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has special access. Insiders can directly damage your business resulting in lost revenue, lost customers, reduced shareowner faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyzeMalicious Insider ActivityThese are some points which could be helpful in monitorin g and minimizing the insider threatsDetecting insider activity starts with an expanded logand event collection.Firewalls, routers and intrusion detection systems are important, but they are not enough.Organizations need to look deeper to include mission critical applications such as email applications, databases, operating systems, mainframes, access control solutions, physical security systems as well as identity and content management products.Correlation identifying known types of suspicious and malicious behaviorAnomaly detection recognizing deviations from norms and baselines.Pattern discovery uncovering apparently unrelated events that show a pattern of suspicious activityFrom case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organizations procedures. This will vouch that insiders are addressed consistently, efficiently and effectively regardless of who they are. Identify suspicious user activity patterns and identify anomalies.Visually track and create business-level reports on users activity.Automatically escalate the threat levels of suspicious and malicious individuals.Respond according to your specific and uncommon corporate governing guidelines.Early detection of insider activity establish on early warning indicators of suspicious behavior, such asStale or over(p) accountsExcessive file printing, unusual printing times andkeywords printed duty to suspicious destinationsUnauthorized peripheral device accessBypassing security controlsAttempts to alter or delete system logsInstallation of malicious softwareThe Insider Threat Study?The global acceptance, business adoption and growth of the Internet, and of Internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed ) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. precedent to the requirement for online, open access, the information security budget of a typical company was less then their tea and coffee expenses.Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the Presidents Critical root Protection Board identified several critical infrastructure sectors10banking and financeinformation and telecommunicationstransportationpostal and shippingemergency servicescontinuity of governmentpublic healthUniversitieschemical industry, textile industry and angry materialsagriculturedefense industrial baseThe cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or utilise an authorized level of network, system, or data access in a mann er that affected the security of the organizations data, systems, or daily business operations.Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disenable of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.A completely secure, aught risk system is one which has zero functionality. Latest technology high-performance automated systems bring with them new risks in the shape of new attacks, new viruses and new software bugs, etc. IT Security, therefore, is an ongoing process. decorous risk management keeps the IT Security plans, policies and procedures up to date as per new requirements and changes in the computing environment. To implement controls to counter risks requires policies, and policy can only be implemented successfully if the top management is comm itted. And policys effective implementation is not possible without the training and awareness of staff.The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of ITSecurity and the ever-increasing threats it faces in todays open world cannot be overstated. As more and more of our Banking Operations and products services become technology impelled and dependent, consequently our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth mathematical process of the financial industry.Here are different area in which we can work and check insider threat, but I chose textile industry as in textile industry there is less awareness of the insider threat. If an insider attack in an industry then industrialist try to c over up this intelligence agency as these types of news about an industry can damage the reputation of the industry.Chapter 2 Review of LiteratureS, Axelsson. ,(2000)Anonymous 2001Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and process are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level.Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.What needfully to be protected, against whom and how?Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised ofConfidentiality Sensitiv e business objects (information processes) are disclosed only to authorised persons. == Controls are required to restrict access to objects.Integrity The business need to control modification to objects (information and processes). == Controls are required to ensure objects are accurate and complete.Availability The need to have business objects (information and services) available when needed. == Controls are required to ensure dependableness of services.Legal Compliance Information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, tether to a potential loss or damage.Stoneburner et al (2002)In this paper the author draw a the risks which areTypes of Security Threats and Protection Against ThemTypes of Security Threats and Protection Against ThemIntroductionWhile attacks on computers b y outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organizations business and how their computer systems work. They have both the confidentiality and access to perform these attacks.An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.A system administrator angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the companys manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software.Following the sys tem administrators termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the companys server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employers computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the companys web pages, changing text and inserting pornographic images.He also sent each of the companys customers an email message advising that the website had been hacked. Each email message also contained that customers usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer.A city government employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworkers computers the day before the new finance director took office. An investigation identified the disgruntled employee as the perpetrator of the incident. City government officials disagreed with the primary police detective on the case as to whether all of the deleted files were recovered.No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign.These incidents of sabotage were all committed by insiders individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm. Insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases. Keeney, M., et al (2005)The Nature of Security ThreatsThe greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant 3 . Attackers, trying to do harm, exploit vulnerabilities in a system or security policy employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business operations or to steal information.The above diagram is depicts the types of security threats that exist. The diagram depicts the all threats to the computer systems but main emphasis will be on malicious insiders. The greatest thr eat of attacks against computer systems are from insiders who know the codes and security measures that are in place 45. With very specific objectives, an insider attack can affect all components of security. As employees with legitimate access to systems, they are familiar with an organizations computer systems and applications.They are likely to know what actions cause the most damage and how to get away with it undetected. Considered members of the family, they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and sabotage against systems. Organizational downsizing in both public and private sectors has created a group of individuals with significant knowledge and capabilities for malicious activities 6 and revenge. Contract professionals and foreign nationals either brought into the U.S. on work visas to meet labor shortages or from offshore outsourcing projects are also included in this category of kn owledgeable insiders.Common Insider ThreatCommon cases of computer-related employee sabotage include changing data deleting data destroying data or programs with logic bombs crashing systems holding data hostage destroying hardware or facilities entering data incorrectly, exposing sensitive and embarrassing proprietary data to public view such as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.A 1998 FBI Survey 7 investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches for a total quantifiable financial loss of $136 millions. (See chart)The survey also found that the largest number of breaches were by unauthorized insider access and concluded that these figures were very conservative as most companies were unaware of malicious activities or reluctant to report breaches for fear of ne gative press. The survey reported that the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company excess $2.7 million. It found that hidden costs associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, to protect or advance their careers, to challenge their skill, express anger, impress others, or some combination of these concerns.Insider CharacteristicsThe majority of the insiders were former employees.At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contracto rs.The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%). Most insiders were either previously or currently employed full-time in a technical position within the organization.Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additiona l two insiders (4%) worked in service positions, both of whom worked as customer service representatives.Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.The insiders ranged in age from 17 to 60 years (mean age = 32 years)17 and represented a variety of racial and ethnic backgrounds.Ninety-six percent of the insiders were male.Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history.Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/ fraud related theft offenses (11%).Organization CharacteristicsThe incidents affected organizations in the following critical infrastructure sectorsBanking and finance (8%)Continuity of government (16%)Defense industrial base (2%)Food (4%)Information and telecommunications (63%)Postal and shipping (2%)Public health (4%)In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.What motivate insiders?Internal attackers attempt to break into computer networks for many reasons. The subject has been fruitfully studied and internal attackers are used to be motivated with the following reasons BSB03ChallengeMany internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not often think about their actions as criminal. For example, an internal attack can be the challenge to break into the mail server in order to get access to different emails of any employee.RevengeInternal attackers motivated by revenge have often ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees that feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack to the company in order to cause financial losses.EspionageInternal attackers motivated by espionage, steal confidential information for a third party. In general, two types of espionage existsIndustrial espionageIndustrial espionage means that a company may pay its own employees in order to break into the networks of its competitors or business partners. The company may also hire someone else to do this.International espionageInternational espionage means that attackers work for governments and steal confidential in formation for other governments.Definitions of insider threat1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the true insider, is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the pseudo-insider, is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities.The activities of both fall into five general categoriesExceeds given network, system or data permissionsConducts malicious activity against or across the network, system or dataProvided unapproved access to the network, system or dataCircumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identify orNon-maliciously or unintentionally damages resourc es (network, system or data) by destruction, corruption, denial of access, or disclosure.(Presented at the University of Louisville Cyber Securitys Day, October 2006)2) Insiders employees, contractors, consultants, and vendors pose as great a threat to an organizations security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review, and employee awareness training.(Insider Threat ManagementPresented by infoLock Technologies)3) Employees are an organizations most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods employees have extended the security perimeter beyond safe limits. While convenient access to da ta is required for operational efficiency, the actions of trusted insiders not just employees, but consultants, contactors, vendors, and partners must be actively managed, audited, and monitored in order to protect sensitive data.(Presented by infoLock Technologies)4) The diversity of cyber threat has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specie safety property are extracted to indicate possible exploits.(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)5) The Insider Threat Study, conducted by the U.S. Secre t Service and Carnegie Mellon Universitys Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem.(Dawn M. Cappelli, Akash G. Desai)6) The insider threat or insider problem is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an insider has information and capabilities not known to other, external attackers. But the studies rarely define what the insider threat is, or define it nebulously. The difficulty in handling the insider threat is reasonable under those circumstances if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved?(Matt Bishop 2005)Five common insider threatExploiting information via remote access softwareA considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can it do offsite. Also, inadequately protected remote computers may turn up in the hands of a third-party if the computer is left unattended, lost or stolen.2.) Sending out information via e-mail and instant messagingSensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, its also one of the easiest to eliminate.3.) Sharing sensitive files on P2P networksWhether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are its there and waiting to be abused. The inanimate software in and of itself is not the problem its how its used that causes trouble. All it takes is a simple misconfiguration to serve up your networks local and network drives to the world.4.) Careless use of wireless networksPerhaps the most unintentional insider threat is that of insecure wireless network usage. Whether its at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but dont overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use it to exploit the network after hours.5.) Posting information to discussion boards and blogsQuite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.Views of different authors abo ut insider threat1) Although insiders in this report tended to be former technical employees, there is no demographic profile of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship.I nsiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information technology to the organizations overall business processes and the interplay between those processes and the technologies used.(Michelle Keeney, J.D., Ph.D. atal 2005)2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organizations business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher pr obability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.(Nam Nguyen and Peter Reiher, Geoffrey H. Kuenning)3) Geographically distributed information systems achieve high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account.(Yair Amir Cristina Nita-Rotaru)4) In 2006, over 60% of information sec urity breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people. Protecting against insider threats means managing policy, process, technology, and most importantly, people.The Insider Threat Assessment security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have made the right choice to improve your security posture, and you will achieve your expected Return on Security Investment.(Presented by infoLock Technologies)5) The threat of attack from insiders is real and substantial. The 2004 ECrimeWatch Survey TM conducted by the United States Secret Service, CERT Coordination Center (CERT/CC), and CSO Magazine, 1 found that in cases where respondents could identify the perpetrator of an electronic crime , 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million. 2 Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.(Dawn Cappelli, Andrew Moore, Timothy Shimeall,2005)6) Insiders, by virtue of legitimate access to their organizations information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it easy to use the systems they use at work everyday to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge o f an organizations vulnerabilities, have used their technical ability to sabotage their employers system or network in revenge for some negative work-related event.(Dawn M. Cappelli, Akash G. Desai ,at al 2004)7) The insider problem is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitionsvary in meaning. Different definitions imply different countermeasures, as well as different assumptions.(Matt Bishop 2005)Solution User monitoringInsiders have two things that external attackers dont privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts all while flying under the radar unless a strong incident detection solution is in place.A number of variables motivate insiders, but the end result is that they can more easily perpetrate their c rimes than an outsider who has limited access. Insiders can directly damage your business resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyzeMalicious Insider ActivityThese are some points which could be helpful in monitoring and minimizing the insider threatsDetecting insider activity starts with an expanded logand event collection.Firewalls, routers and intrusion detection systems are important, but they are not enough.Organizations need to look deeper to include mission critical applications such as email applications, databases, operating systems, mainframes, access control solutions, physical security systems as well as identity and content management products.Correlation identifying known types of suspicious and malicious behaviorAnomaly detection recognizing deviations from norms and baselines.Pattern dis covery uncovering seemingly unrelated events that show a pattern of suspicious activityFrom case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organizations procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are.Identify suspicious user activity patterns and identify anomalies.Visually track and create business-level reports on users activity.Automatically escalate the threat levels of suspicious and malicious individuals.Respond according to your specific and unique corporate governing guidelines.Early detection of insider activity based on early warning indicators of suspicious behavior, such asStale or terminated accountsExcessive file printing, unusual printing times andkeywords printedTraffic to suspicious destinationsUnauthorized peripheral device accessBypassing security controlsAttempts to alte r or delete system logsInstallation of malicious softwareThe Insider Threat Study?The global acceptance, business adoption and growth of the Internet, and of Internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less then their tea and coffee expenses.Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the Presidents Critical Infrastructure Protection Board identified several critical infrastructure sectors10banking and financeinformation and telecommunicationstransportationpostal and s hippingemergency servicescontinuity of governmentpublic healthUniversitieschemical industry, textile industry and hazardous materialsagriculturedefense industrial baseThe cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organizations data, systems, or daily business operations.Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.A completely secure, zero risk system is one which has zero functionality. Latest technology high-performance automated systems bring with them new risks in the shape of new attacks, new viruses and new software bugs, etc. IT Security, therefore, is an ongoing process. Proper risk management keeps the IT Security plans, policies and procedures up to date as per new requirements and changes in the computing environment. To implement controls to counter risks requires policies, and policy can only be implemented successfully if the top management is committed. And policys effective implementation is not possible without the training and awareness of staff.The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of ITSecurity and the ever-increasing threats it faces in todays open world cannot be overstated. As more and more of our Banking Operations and products services become technology driven and dependent, consequently our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth functioning of the financial industry.Here are different area in which we can work and check insider threat, but I chose textile industry as in textile industry there is less awareness of the insider threat. If an insider attack in an industry then industrialist try to cover up this news as these types of news about an industry can damage the reputation of the industry.Chapter 2 Review of LiteratureS, Axelsson. ,(2000)Anonymous 2001Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and process are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level.Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.What needs to be protected, against whom and how?Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised ofConfidentiality Sensitive business objects (information processes) are disclosed only to authorised persons. == Controls are required to restrict access to objects.Integrity The business need to control modification to objects (information and processes). == Controls are required to ensure objects are accurate and complete.Availability The need to have business objects (information and services) available when needed. == Controls are required to ensure reliability of services.Legal Compliance Information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.Stoneburner et al (2002)In this paper the author described a the risks which are