The results have been positive, and many are comfortable that they know what needs to be done. However, according to a recent ARC survey, end-users are now quite concerned about internal threats.
In general, insider threats come from trusted people such as employees, contract help, partners, service providers, visitors and others who have legitimate access to systems within a facility. They may be developers, technicians, operators, managers, engineers or any other role.
Why would trusted people want to cause their employer harm? Carnegie Mellon University, in conjunction with the U.S. Secret Service, studied several successful insider attacks, and the results provide considerable insight into the issue (“Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors,” May 2005; the full report is available at www.cert.org/insider_Threat/insiderCross.html).
Insider threats are unique in several important respects. Most importantly, we know and manage the potential attackers, which makes addressing the root cause of the problem feasible. Another difference is that software installation and execution privileges are not strictly required; for example, an attacker can simply delete files or entire directories, possibly including the backups. However, insiders frequently have administrative rights and may even have taken part in developing the system, which lets them stage attacks that are difficult to detect.
Warning signs
The CERT study found that typically, a “negative work-related event triggered most insiders’ actions.” Furthermore, there were usually behavioral danger signals prior to the event. This indicates that many insider attacks are preventable by better people-management practices, including readily available methods to escalate and resolve grievances and issues.
It is imperative that we balance the benefits of access to business information and operations against the potential risks of misuse; “information for anyone, anywhere, anytime” represents a high business risk. As a minimum, password and access rights management must limit access to what is needed to perform a task, to the time the task is performed, and to those who are authorized to perform it. When the risk is high, two-factor authentication may be justified, or real-time confirmation by a second person advisable.
Some insider attacks are preceded by abnormal operations such as configuration changes, creation of secondary accounts or other less obvious access paths. Monitoring of system logs and some intrusion detection software that looks for anomalies above a baseline of activities, among other techniques, may help anticipate an attack or catch it sooner to limit damage and make recovery easier.
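The two detection ideas in the paragraph above, looking for the specific abnormal operations it names and for activity above a per-user baseline, are shown together below. This is an added example written for this page, not code from the article or from ARC; the log format, the baseline figures and the sample log lines are all constructed for illustration.

```python
"""Baseline-plus-indicator review of system log lines for insider-threat precursors.

Added example, not from the article. It flags the abnormal operations the text
names (configuration changes, creation of secondary accounts) and any user whose
event volume exceeds a per-user baseline. The log format, baseline figures and
sample lines are all constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed log format: "<ISO timestamp> user=<name> action=<verb> target=<object>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$"
)

# Actions the article singles out as frequent precursors of an insider attack.
HIGH_RISK_ACTIONS = {"config_change", "create_account", "grant_admin"}

# Constructed baseline: typical daily event count per user, derived from past logs.
BASELINE_EVENTS_PER_DAY = {"alice": 20, "bob": 15, "svc_backup": 500}

# Constructed sample: a normal day for alice and carol, a busy day for bob that
# also includes a configuration change and a new secondary account.
SAMPLE_LOG = [
    "2024-03-01T08:02:11 user=alice action=read target=/plc/recipes/batch42",
    "2024-03-01T08:05:40 user=bob action=config_change target=/hmi/alarm_thresholds",
    "2024-03-01T08:06:02 user=bob action=create_account target=svc_maint2",
    "2024-03-01T08:07:15 user=carol action=read target=/reports/daily",
    "this line is malformed and must be skipped, not crash the review",
] + [
    f"2024-03-01T09:{i:02d}:00 user=bob action=read target=/historian/tag{i}"
    for i in range(48)
]


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_logs(lines, baseline, ratio=3.0, unknown_user_default=10):
    """Return (high_risk_events, volume_anomalies).

    high_risk_events: (user, action, target) tuples, in log order, for HIGH_RISK_ACTIONS.
    volume_anomalies: user -> (observed, baseline) for users above ratio * baseline.
    A user missing from the baseline gets a small default rather than being ignored,
    since a brand-new or secondary account is itself worth a look.
    """
    counts = Counter()
    high_risk = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["user"]] += 1
        if rec["action"] in HIGH_RISK_ACTIONS:
            high_risk.append((rec["user"], rec["action"], rec["target"]))
    anomalies = {
        user: (observed, baseline.get(user, unknown_user_default))
        for user, observed in counts.items()
        if observed > ratio * baseline.get(user, unknown_user_default)
    }
    return high_risk, anomalies


if __name__ == "__main__":
    events, anomalies = review_logs(SAMPLE_LOG, BASELINE_EVENTS_PER_DAY)
    for user, action, target in events:
        print(f"high-risk action: {user} {action} {target}")
    for user, (seen, expected) in anomalies.items():
        print(f"volume anomaly: {user} {seen} events vs baseline {expected}")
```

The indicator list and the baseline ratio are the two knobs a site would tune: the first catches the rare but telling events regardless of volume, the second catches a quiet account suddenly doing far more than it usually does. Treating an unknown user as having a small baseline, rather than skipping it, is deliberate, since a freshly created secondary account is exactly the access path the paragraph warns about.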
Secure archives and back-ups are necessary for recovering from successful insider attacks as well as from external cyber attacks. However, it is also important to ensure that insiders cannot destroy the back-ups and archives as well.
Unfortunately, CERT frequently found that the attackers had considerable technical expertise and used it during the attack. This means that the broad access rights of developers, engineers, technicians and others must be dynamic, and revoked promptly when no longer needed. It also suggests that their work should be reviewed, approved and possibly independently tested.
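The access-rights minimum set out earlier (access limited to the task, to the time the task is performed, and to authorized people, with a second person confirming high-risk work) and the prompt revocation called for in the paragraph above are modelled together in the following added example. It is written for this page and is not code from the article or from ARC; the roles, task catalogue and resource paths are constructed for illustration.

```python
"""Task-scoped, time-boxed access grants with two-person confirmation and prompt revocation.

Added example, not from the article. It models the minimum the text asks for:
access limited to what a task needs, to the time the task is performed, and to
people authorized for it; a second person's confirmation for high-risk tasks; and
revocation of a person's grants as soon as they are no longer needed. Roles, tasks
and resource names are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed task catalogue: authorized roles, resources touched, and whether a
# second person must confirm before the grant is issued.
TASKS = {
    "patch_hmi": {"roles": {"engineer"}, "resources": {"/hmi/config", "/hmi/firmware"},
                  "second_person": False},
    "restore_backup": {"roles": {"engineer", "operator"}, "resources": {"/backup/restore"},
                       "second_person": True},
}


@dataclass
class Grant:
    user: str
    task: str
    start: datetime
    end: datetime
    approver: Optional[str] = None
    revoked: bool = False

    def active(self, now):
        """A grant is usable only inside its window and only until it is revoked."""
        return not self.revoked and self.start <= now < self.end


@dataclass
class AccessManager:
    roles: dict                      # user -> set of role names
    grants: list = field(default_factory=list)

    def _holds_role(self, user, task):
        return bool(self.roles.get(user, set()) & TASKS[task]["roles"])

    def request_grant(self, user, task, now, approver=None, duration=timedelta(hours=2)):
        """Issue a grant only if the requester is authorized and, for high-risk tasks,
        only if a different, also-authorized person confirms. Returns None on refusal."""
        if task not in TASKS or not self._holds_role(user, task):
            return None
        if TASKS[task]["second_person"]:
            if approver is None or approver == user or not self._holds_role(approver, task):
                return None
        g = Grant(user, task, now, now + duration, approver)
        self.grants.append(g)
        return g

    def revoke(self, user, task=None):
        """Revoke a user's open grants (all, or for one task); use on role change or departure."""
        n = 0
        for g in self.grants:
            if g.user == user and not g.revoked and (task is None or g.task == task):
                g.revoked = True
                n += 1
        return n

    def is_allowed(self, user, resource, now):
        """Default deny: true only under an active grant whose task covers the resource."""
        return any(
            g.user == user and g.active(now) and resource in TASKS[g.task]["resources"]
            for g in self.grants
        )


def demo_scenario():
    """Walk the policy through constructed users; returns each decision for inspection."""
    mgr = AccessManager(roles={"alice": {"engineer"}, "bob": {"operator"}, "dana": {"engineer"}})
    t0 = datetime(2024, 3, 1, 9, 0)
    during, later = t0 + timedelta(minutes=30), t0 + timedelta(hours=3)
    out = {}
    out["operator_cannot_patch"] = mgr.request_grant("bob", "patch_hmi", t0) is None
    mgr.request_grant("alice", "patch_hmi", t0)
    out["engineer_in_window"] = mgr.is_allowed("alice", "/hmi/config", during)
    out["outside_task_scope"] = mgr.is_allowed("alice", "/backup/restore", during)
    out["after_window"] = mgr.is_allowed("alice", "/hmi/config", later)
    out["self_approval_refused"] = mgr.request_grant("bob", "restore_backup", t0, approver="bob") is None
    out["second_person_ok"] = mgr.request_grant("bob", "restore_backup", t0, approver="dana") is not None
    out["revoked_count"] = mgr.revoke("alice")
    out["after_revocation"] = mgr.is_allowed("alice", "/hmi/config", during)
    return out


if __name__ == "__main__":
    for name, value in demo_scenario().items():
        print(f"{name}: {value}")
```

The design point is that there is no standing permission anywhere: every allow decision traces back to a grant that names a task, a window and (for high-risk tasks) a confirming second person, so revoking a departing engineer's grants is one call rather than a hunt through individual resource permissions.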
Insider threats have a relatively low frequency but high consequences. Every security strategy should include an insider threat review process based on a simple model of insider attacks with prevention, containment, detection and recovery phases. Protection against insider threats cannot be done by security professionals alone. Management, human relations (HR) and security teams must work closely together to create comprehensive insider threat security reviews and practices.
Prevention
• Management methods to sense behavioral danger signals and take responsible action
• Effective security training program
• Comprehensive, reliable processes to handle changes in authorizations
Containment
• Authorizations limited to what is needed
• Effective authentication management
Detection
• System log monitoring
• Intrusion detection software
Recovery
• Effective backup and archive procedures
• Develop an Insider Protection Review Process
Robert Mick, bmick@arcweb.com, is Vice President of Enterprise Services at ARC Advisory Group Inc., in Dedham, Mass.