With the billions of dollars spent protecting our corporate networks from the outside world, when will we begin to pay serious attention to what happens inside our networks? To continue the theme of Network Forensics from my previous entry, I'll take a closer look at the security aspects of your network from the inside. We'll take a brief look at a Carnegie Mellon study, followed by a practical tip you can apply using your favorite forensics and analysis tool.
The world-famous Carnegie Mellon Computer Emergency Response Team (CERT) published an interesting paper entitled “Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis.” This 108-page (gulp) study cannot be summarized in its entirety here, but if network security is of interest to you, I highly encourage downloading it. The best part is that it was funded by the DoD and, as such, is freely available. Click here for a direct link to the paper.
The study examined “the psychological, technical, organizational, and contextual factors” which contributed to espionage and sabotage against IT. Their research led to the following red flags:
- Saboteurs had personal problems outside the workplace.
- Stressful events such as internal reorganizations increase the likelihood of malicious acts.
- Poor work ethic, including declining performance or tardiness, was often observed before and during sabotage.
- Insiders had a tendency to “set things up” in advance, such as by creating back door accounts.
- Organizations failed to detect or ignored policy rules such as forbidden downloads.
- A lack of access control for both physical locations and on-line computing resources.
The report goes on to provide recommendations for further research to mitigate the risk. One of the repeated themes is to acquire “improved data” on things like interrelationships and stressful events, to assess policy enforcement versus technical rule violations, to research tools for auditing and monitoring, etc.
While personal problems can be tough to deal with, especially under touchy regulations like HIPAA, we can deploy tools to help us with the technical matters. The tool I have in mind provides the powerful forensics capabilities discussed in the previous blog entry. Not discussed were specific best practices for using such a tool.
To get your creative juices going, on Friday I'll share with you one such technique to help detect anomalous activity. This technique detects suspicious activity that you would otherwise not see with simple network statistics.
Stay tuned and check back!