Insider Threats in Cyber Security

Advances in Information Security

Sushil Jajodia, Consulting Editor
Center for Secure Information Systems, George Mason University
Fairfax, VA 22030-4444
email: [email protected]

The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance.

ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment.

Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series.

For a complete list of titles published in this series, go to www.springer.com/series/5576

Christian W. Probst, Jeffrey Hunker, Dieter Gollmann, Matt Bishop (Editors)

Insider Threats in Cyber Security

Editors

Christian W. Probst
Technical University of Denmark
Informatics & Mathematical Modelling
Richard Petersens Plads
DK-2800 Kongens Lyngby
Denmark
[email protected]

Jeffrey Hunker
5109 Bayard St
15232 Pittsburgh, PA
USA
[email protected]

Dieter Gollmann
Technische Universität Hamburg-Harburg
Institut für Sicherheit in verteilten Anwendungen
Harburger Schlossstrasse 20
21079 Hamburg-Harburg
Germany
[email protected]

Matt Bishop
University of California, Davis
Department of Computer Science
One Shields Ave.
Davis, California 95616-8562
USA
[email protected]

ISSN 1568-2633
ISBN 978-1-4419-7132-6
e-ISBN 978-1-4419-7133-3
DOI 10.1007/978-1-4419-7133-3
Springer New York Dordrecht Heidelberg London
Library of Congress Control Number: 2010932010

© Springer Science+Business Media, LLC 2010

All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed on acid-free paper

Springer is part of Springer Science+Business Media (www.springer.com)

Preface

Insider threats are easy to counter. One only needs a concise model of human behaviour and its dependencies on outer and inner influences, a surveillance system in place that is able to observe in necessary detail action and influences, and an evaluation system that can draw the necessary conclusions from its input.

Neither of the components just described is easy to realise, or desirable to have in the first place. Modelling human behaviour is close to impossible, let alone modelling how it depends on outer and inner factors. A surveillance system is heavily dependent on legal boundaries of what is allowed to be monitored or not, and the amount of data even from legal monitoring can be overwhelming at best. An evaluation system would need to be able to take all the input and models into account, and this is yet another complex task.
This book collects a series of chapters that try to map the territory between modelling, analysing, and evaluating insider threat scenarios. The chapters cover aspects from insider threats in electronic voting, over monitoring and access control systems, to legal aspects and the integration of the approaches described into Information Security Management systems.

One important and recurring theme is the question of how much surveillance is admissible and acceptable in different settings. It is this question that in the end determines the success of techniques aiming to reduce insider threats, or threats in general. This is especially true when dealing with systems beyond the pure technical aspects, but towards psychological aspects.

We are indebted to the participants of the Dagstuhl Seminar "Countering Insider Threats" (08302), during which the idea for this book was first discussed, and the staff at Schloss Dagstuhl. It has been a long road, but we believe that the result, which you are reading now, was worth it.

Kongens Lyngby, Pittsburgh, Hamburg-Harburg, and Davis
January 2010

Christian W. Probst
Jeffrey Hunker
Dieter Gollmann
Matt Bishop

Contents

Aspects of Insider Threats  1
Christian W. Probst, Jeffrey Hunker, Dieter Gollmann, and Matt Bishop
  1 Introduction  1
  2 Insiders and Insider Threats  2
    2.1 Insider Threats  5
    2.2 Taxonomies  6
  3 Detection and Mitigation  7
  4 Policies  9
  5 Human Factors and Compliance  11
  6 Conclusion  13
  References  15

Combatting Insider Threats  17
Peter G. Neumann
  1 A Contextual View of Insiders and Insider Threats  17
  2 Risks of Insider Misuse  20
    2.1 Types of Insiders  20
    2.2 Types of Insider Misuse  21
  3 Threats, Vulnerabilities, and Risks  22
    3.1 Relevant Knowledge and Experience  23
    3.2 Exploitations of Vulnerabilities  24
    3.3 Potential Risks Resulting from Exploitations  25
  4 Countermeasures  25
    4.1 Specification of Sound Policies for Data Gathering and Monitoring  27
    4.2 Detection, Analysis, and Identification of Misuse  28
    4.3 Desired Responses to Detected Anomalies and Misuses  29
  5 Decomposition of Insider Misuse Problems  29
    5.1 Stages of Development and Use  30
    5.2 Extended Profiling Including Psychological and Other Factors  31
  6 Requirements for Insider-Threat-Resistant High-Integrity Elections  33
  7 Relevance of the Countermeasures to Elections  36
  8 Research and Development Needs  39
  9 Conclusions  40
  References  41

Insider Threat and Information Security Management  45
Lizzie Coles-Kemp and Marianthi Theoharidou
  1 Introduction  45
  2 Definitions of Insider and the Relevance to Information Security Management  46
  3 Risk and Insiderness  49
    3.1 The Importance of Organisational Culture and the Significance of Cultural Risks  51
    3.2 Fieldwork on Culture and the Insider Threat  51
  4 The Structure of the ISMS and Traditional Information Security Management Responses to Insiderness  53
    4.1 Analysis - Turning an ISMS Inwards  54
    4.2 The Role of Operationalisation  55
  5 Information Security Management Standards, Best Practice and the Insider Threat  56
    5.1 General Security Management Standards  56
    5.2 Guidelines Focused on the Management of the Insider Threat  57
    5.3 Analysis of the Contribution of Best Practice and Guidelines  60
  6 Crime Theories and Insider Threat  61
    6.1 Existing Connections between Crime Theories and Information Security Management  62
  7 Implications of Crime Theories for ISMS Design  63
    7.1 Application of SCP to the ISO Control Domains  64
    7.2 Implications for ISMS Process Design  66
    7.3 Summary of Crime Theory Contribution  68
  8 Conclusions  69
  References  70

A State of the Art Survey of Fraud Detection Technology  73
Ulrich Flegel, Julien Vayssière, and Gunter Bitz
  1 Introduction  73
    1.1 Data Analysis Methodology  74
  2 Survey of Technology for Fraud Detection in Practice  76
    2.1 General Approaches for Intrusion and Fraud Detection  76
    2.2 State of the Art of Fraud Detection Tools and Techniques  78
  3 Why Fraud Detection is not the Same as Intrusion Detection  80
  4 Challenges for Fraud Detection in Information Systems  82
  5 Summary  82
  References  84

Combining Traditional Cyber Security Audit Data with Psychosocial Data: Towards Predictive Modeling for Insider Threat Mitigation  85
Frank L. Greitzer and Deborah A. Frincke
  1 Introduction  85
  2 Background  88
  3 Issues of Security and Privacy  91
  4 Predictive Modeling Approach  94
  5 Training Needs  106
  6 Conclusions and Research Challenges  109
  7 Acknowledgments  111
  References  111

A Risk Management Approach to the "Insider Threat"  115
Matt Bishop, Sophie Engle, Deborah A. Frincke, Carrie Gates, Frank L. Greitzer, Sean Peisert, and Sean Whalen
  1 Introduction  116
  2 Insider Threat Assessment  117
    2.1 Example  120
    2.2 Summary  122
  3 Access-Based Assessment  122
  4 Psychological Indicator-Based Assessment  126
  5 Application of Risk to System Countermeasures  130
    5.1 Example  133
    5.2 Summary  135
  6 Conclusion  135
  References  135

Legally Sustainable Solutions for Privacy Issues in Collaborative Fraud Detection  139
Ulrich Flegel, Florian Kerschbaum, Philip Miseldine, Ganna Monakova, Richard Wacker, and Frank Leymann
  1 Introduction  139
  2 Monitoring Modern Distributed Systems  140
    2.1 Evidence Model  142
  3 Observing Fraudulent Service Behaviours  145
    3.1 Architectural Support  148
  4 Introduction to the Legal Perspective  149
  5 Basic Principles of Data Privacy Law  150
    5.1 A Set of Six Basic Rules  151
  6 General Legal Requirements of Fraud Detection Systems  153
    6.1 Privacy Relevance of Fraud Detection Systems  154
    6.2 Necessary Data for Fraud Detection  154
    6.3 Transparency in the Fraud Detection Context  155
    6.4 Purpose Specification and Binding in Fraud Detection  155
    6.5 Permissibility of Fraud Detection  155
    6.6 Quality of Event Data  156
    6.7 Security of Event Data  156
  7 Technical Solutions for Privacy-respecting Fraud Detection  156
    7.1 Technical Requirements  157
    7.2 Lossless Information Reduction with Covered Data  161
    7.3 Lossy Information Reductions for Timestamps  161
  8 Legal Improvements by Pseudonymizing Event Data  165
    8.1 Technical Description  165
    8.2 Privacy Relevance of Pseudonymized Event Data  166
    8.3 Strengthening the Data Privacy Official  167
    8.4 Disclosure With Legal Permission  167
    8.5 Data and System Security  168
  9 Conclusion  168
  References  169

Towards an Access-Control Framework for Countering Insider Threats  173
Jason Crampton and Michael Huth
  1 Introduction  173
  2 Motivation and related work  177
    2.1 Illustrative scenarios  177
    2.2 Definitions of insiders  179
    2.3 Access control  180
    2.4 The insider problem and access control  181
  3 Trust, trustworthiness, and the insider problem  182
    3.1 Insiderness  183
    3.2 Trust management and risk assessment  183
    3.3 Pragmatics of identifying suspicious events  184
  4 Toward a context- and insider-aware policy language  185
    4.1 Context and request predicates  186
    4.2 Requirements  186
    4.3 Policy transformations via declarative programming  187
    4.4 Discussion of requirements  188
    4.5 Policy transformations  189
    4.6 Risk- and trustworthiness-aware policy composition  190
  5 Access-control architectures and the insider problem  191
  6 Concluding remarks  192
  References  194

Monitoring Technologies for Mitigating Insider Threats  197
Brian M. Bowen, Malek Ben Salem, Angelos D. Keromytis, and Salvatore J. Stolfo
  1 Introduction  197
  2 Related Research  200
  3 Threat Model - Level of Sophistication of the Attacker  201
  4 Decoy Properties  202