보안공학연구논문지 (Journal of Security Engineering), Vol. 5, No. 4, August 2008
Implementing Intrusion Detection System by Considering Insider Attacks

Samir Kumar Bandyopadhyay 1)

Abstract

Insiders pose the top corporate security threat today. Recent reports indicate that insider breaches have risen from 80% to 86% of all incidents, with more than half occurring after employee termination. Not surprisingly, internal employees who are authorized to access company systems are the most likely to be linked to fraud or a security breach, and of all employees, IT staff members have the most resources to do so. In this paper the implementation of an Intrusion Detection System against insider attacks is proposed. The nature of insider attacks and the problems they raise are also discussed.

Keywords: IDS, Intrusion Detection System, Insider Attacks
1. Introduction

Who are the insiders? Are they the malicious system administrator, angry after not getting a raise? Are they the contractor being blackmailed into giving away intellectual property, or the finance veteran padding retirement by selling employee compensation packages to a recruiter? Maybe they are a plant from a foreign government, competitor or even terrorist organization, slowly extracting information? Or are they simply solid employees who were careless or negligent? The answer is: all of the above. They may not make up the majority of security incidents, but insider attacks have the most potential to cause the biggest losses within an enterprise. Think about it: trusted individuals know where the highest-value information resides, they have legitimate access to mission-critical systems, and in many cases management has no mechanism in place to track what these individuals are doing with the systems or the data. Information security experts are bracing for the law of unintended consequences to swing into action in 2009 as layoffs, downsizing and low morale bring out the worst in trusted insiders looking to profit from proprietary intellectual property, customer contact lists, trade secrets and any other sensitive information. Many employees have admitted as much themselves in recent surveys: in a December 2008 survey, 71 percent of participants reported that if they were fired tomorrow they would definitely take company data with them to their next employer [1].

Received (March 24, 2008), Review request (March 25, 2008), Review Result (1st: April 14, 2008, 2nd: May 03, 2008), Accepted (August 31, 2008)

1) Department of Computer Science and Engineering, University of Calcutta, Kolkata-700009, India; email: [email protected]
2. Related research

Verizon's 2008 Data Breach Investigations Report, which looked at 500 breach incidents over the last four years, contradicts the growing orthodoxy that insiders, rather than external agents, represent the most serious threat to network security at most organizations. Seventy-three percent of the breaches involved outsiders and 18 percent resulted from the actions of insiders, with business partners blamed for 39 percent; the percentages exceed 100 percent because some breaches involve more than one party, with varying degrees of internal or external involvement. "The relative infrequency of data breaches attributed to insiders may be surprising to some. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources," the report states. The whole insiders vs. outsiders debate has always been one of semantics more than anything else. If you count by attacks, there are a lot more outsider attacks, simply because there are orders of magnitude more outsider attackers. If you count incidents, the numbers tend to get closer: 75% vs. 18% in this case [2]. And if you count damages, insiders generally come out on top, mostly because they have far more detailed information and can target their attacks better. According to the Internet Threat Resource Center, 24 percent of all data breaches that hit financial institutions in 2008 were caused by insider threat. Similarly, 20 percent of government breaches and 16 percent of other business breaches were caused by internal attacks. Without a doubt, the most dangerous vehicle for insider attacks in the last couple of years has been the ubiquitous USB device, which has proliferated across the enterprise. Removable devices are incredibly prevalent: over 40,000,000 USB keys were sold last year, and that does not count the iPods, iPhones and other devices that have USB-like capabilities [3].
An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer's computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company's web pages, changing text and inserting pornographic images. He also sent each of the company's customers an email message advising that the website had been hacked. Each email message also contained that customer's usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer [6].

So it can be said that insider attacks are more dangerous than any other cyber attack, because usually we do not fight against them and may not even suspect them. The rates of insider threats in organizations in the following critical infrastructure sectors were [6]:

• banking and finance (8%)
• continuity of government (16%)
• defense industrial base (2%)
• food (4%)
• information and telecommunications (63%)
• postal and shipping (2%)
• public health (4%)

In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally. The insiders' common characteristics were as follows.

The majority of the insiders were former employees.
• At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
• The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).

Most insiders were either previously or currently employed full-time in a technical position within the organization.
• Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.
• Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%).
• Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.

Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.
• The insiders ranged in age from 17 to 60 years (mean age 32 years) and represented a variety of racial and ethnic backgrounds.
• Ninety-six percent of the insiders were male.
• Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced.

Just under one-third of the insiders had an arrest history.
• Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/fraud related theft offenses (11%).

Whether an insider steals information for financial gain or simply leaves the organization open to a breach through sloppy practices, the risks are costly to an organization. According to analysts with Forrester Research, the typical data breach can cost a company between $90 and $305 per lost record. Organizations stand to lose money in legal fees, the cost of reporting the breach to customers, and fees from compliance organizations. What's more, they will lose even more in reputation damage, brand damage and customer departures. According to Ponemon Research [1], 20 percent of customers leave immediately upon finding out that an organization suffered a breach. Clearly, this is a risk that cannot be ignored. In August 2008 news reports surfaced of a Countrywide employee who had been downloading up to 20,000 customer records to a USB device every weekend over the course of two years. The mortgage company had a policy against USB devices and had disabled USB ports. Lending Tree sent letters out to customers in 2008 informing them that their information was compromised by a breach caused by unscrupulous former employees. These enterprising souls decided to steal company passwords in order to take them to several lenders with no affiliation to Lending Tree [4]. The resulting access to detailed customer data would allow them to target Lending Tree customers with their own mortgage offers.
3. Implementing security precautions against insider threats

In order to neutralize the threats posed by insiders with ample motivation, IT departments must take away the means and the opportunities to commit crimes. By creating strategic policies and by automating the monitoring, enforcement and reporting of those policies, organizations can understand how employees and partners are engaging with IT assets and intellectual property. Employee fraud is built on a triangle: opportunity, motive, and rationalization. Effective controls require attention to all three angles. Described below are some ways [3] to implement these controls and reduce the opportunities staff have to defraud:

1. IT security policies
2. "Super user" accounts and access
3. Account and password configuration standards
4. Controlled access to passwords
5. Service accounts, aka "machine" accounts
6. High risk users and roles
7. Security awareness program
8. Background screening
9. Event logging
10. Evidence

But keeping authorized users from manipulating their access to the system to exploit sensitive information makes the administrator's job that much harder. Not only must security personnel combat the inside attackers' privileged knowledge of a specific network, but they have few attack prevention and detection products with which to do so. This is particularly true of intrusion detection systems (IDS), most of which are designed and implemented to detect external threats. However, this does not have to be the case. As security admins are starting to realize, IDSs can be a valuable tool in the effort to prevent and detect insider attacks.
4. Implementing Intrusion Detection System against Insider Threats
[Fig. 1] Intrusion detection system against insider attacks
We propose using an IDS to prevent, or at least reduce, insider attacks and threats. However, configuring an IDS to detect internal attacks can be difficult. Part of the challenge lies in creating a good rule set for the internal IDS. The rule set needs to be different because different network users require different amounts of access to different services, servers, and systems for their work. The rule set of the internal IDS should be created so that all the "static" of employees' day-to-day work activities, such as accessing various services and servers, does not trigger attack warnings, and only the important information is reported.
The logging and reporting of attacks by the internal IDS systems can be used to do much more than detect specific, isolated, and unrelated attacks. By combining the data from all internal IDS systems, system administrators can identify attack trends and patterns. Once attack trends and patterns are identified, the admins will be better able to identify any network users who pose a threat to network security, have been exhibiting malicious network behaviour, or are doing anything that is against company policy in general. Once these users have been identified, the proper action can be taken to prevent any successful intrusions or the continuance of the activity. A combination of IDS systems should be used to detect insider attacks. The systems that can be deployed to assist in combating insider attacks include network intrusion detection systems (NIDS), network node intrusion detection systems (NNIDS), host-based intrusion detection systems (HIDS), anomaly-based intrusion detection systems, and the analytical powers of the distributed intrusion detection system (dIDS) [5]. These systems each have their uses within the network, along with certain advantages and disadvantages, all of which shall be discussed. The use of network taps to allow some of these systems to operate will also be covered, as well as general security guidelines to follow with regard to deploying the various IDS systems.
NIDS can be used as a broader detection tool, to detect attacks against a number of networked systems within a particular network segment. This type of system provides the greatest scope of monitoring, and would be best suited as a general IDS that covers non-critical systems or as a secondary IDS for critical systems. A good example of where a NIDS might be deployed (when protecting against internal threats) is right between a division router and that division's actual systems. By doing this, any attacks against any system in that division would be detected and reported to network administration. NIDSs may also be deployed on switches, hubs, or any other point where multiple systems are networked together, usually through the use of a network tap.

NNIDS are ideally suited to critical systems, such as database servers and backup servers. This type of IDS detects attacks only against the network node on which it is installed; it does not concern itself with any other attacks that may be occurring on other parts of the network. This limits the scope of the NNIDS, but allows extra detection abilities for mission-critical systems.

HIDS are less concerned with actually detecting attacks from a network/protocol perspective; instead, they continually look at system logs, critical system files, and other resources that may be monitored for any suspicious activity such as critical file modifications or suspicious patterns of activity. Some of the specific things a HIDS can monitor include event logs, IDS logs, system files, and the Windows registry. When it monitors the system files and Windows registry, it creates and stores a snapshot of the last known "clean" system. It then compares this clean snapshot against the current state of the system to detect any modified files and so on. If it detects any modifications, or suspicious activity in the logs, it simply alerts the administrators to the changes, and appropriate action can then be taken. While the HIDS does not differentiate between internal and external attacks, it will notify the system administrator of an unauthorized file change which, if conducted by an inside attacker, will be detected more rapidly than without the HIDS. HIDS are usually installed on critical workstations and servers that require an extra layer of protection on top of the regular IDS already installed.

Anomaly-based intrusion detection systems are a relatively new idea. In combating an internal threat, the idea behind an anomaly-based IDS is to establish a baseline of "normal" activity: what types of traffic go across the network destined to specific systems, or originating from specific systems, and in what amounts under normal working conditions. Any deviation from that baseline, in either traffic type or amount, could then be detected and considered a potential incident. Anomaly-based intrusion detection systems are becoming more and more important in protecting networks from insider attacks. This is largely because they solve the difficulty of allowing certain users access to certain systems but not others.
The anomaly-based IDS solves this by only detecting things outside the normal baseline for that user, thus circumventing this problem without the large amount of analytical time that would normally be spent filtering the static, or normal traffic, out of the attack logs of other IDS systems. Anomaly-based IDS are usually deployed in the same locations that a NIDS would be, which is to say switches, hubs, or any other point where multiple systems are networked together.

Many system administrators find it difficult to review the data from all of the network's IDS systems. On a large network with an understaffed IT department and a large number of IDS logs, there are not enough hours in the day to review all the information that may be generated. This problem, however, can be taken care of by implementing a dIDS. dIDS systems, in their most basic form, collect and aggregate attack logs from multiple IDS and firewall devices. This allows system administrators to view attack information in an aggregated form at a centralized location. This reduces the time needed to review the log files and allows the administrators to have a broader view of attack trends and patterns across the network, thus achieving the goal of identifying attack trends and patterns, as described earlier, in a simple manner. The dIDS helps prevent and detect insider attacks by considerably shortening the amount of time system administrators require to review log files and identify attack trends and patterns. By reducing the amount of time required to review log files and identify attack trends and patterns, insider attacks will be discovered more quickly than with most conventional methods, and the system administrators will be able to identify possible future attacks before they happen.
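The HIDS snapshot-and-compare mechanism described above, as an added example that is not part of the paper: a baseline of SHA-256 digests is taken from a known-clean host and later compared with the current state, so added, removed and modified files become alerts. The file paths and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List, Mapping

# Constructed "last known clean" state of a monitored host: path -> contents.
# A real HIDS reads these from disk; here they are embedded so the example runs offline.
CLEAN_HOST: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    "/var/www/index.html": b"<html><body>Welcome</body></html>\n",
}

# Constructed current state of the same host: one file modified, one added, one removed.
CURRENT_HOST: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/var/www/index.html": b"<html><body>Welcome (edited)</body></html>\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/nightly.sh\n",
}


def snapshot(files: Mapping[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per monitored file: the baseline the HIDS compares against.

    The baseline must be kept where the monitored host's administrators cannot rewrite it
    (off-host or on read-only media); otherwise an insider with root can re-baseline after
    making a change, and the comparison reports nothing.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a fresh snapshot against the baseline. Every difference becomes an alert."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def run_check(clean: Mapping[str, bytes], now: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """One monitoring cycle: baseline once, snapshot the current state, report differences."""
    return compare(snapshot(clean), snapshot(now))


if __name__ == "__main__":
    for kind, paths in run_check(CLEAN_HOST, CURRENT_HOST).items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```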
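The per-user baseline an anomaly-based IDS relies on, as an added example that is not from the paper: flow summaries from a normal period give each user a mean daily volume per destination and service, and a later day is checked for destinations the user never used or volumes far above that user's own norm. User names, host names and byte counts are constructed, and the 3x threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str, str, int]   # (user, destination host, service, day, bytes)
Key = Tuple[str, str, str]                # (user, destination host, service)

# Constructed flow summaries for a "normal" period: alice is a developer, bob works in HR.
NORMAL_TRAFFIC: List[Record] = [
    ("alice", "src-repo", "ssh", "d1", 40_000), ("alice", "src-repo", "ssh", "d2", 55_000),
    ("alice", "src-repo", "ssh", "d3", 48_000),
    ("alice", "mail", "imap", "d1", 9_000), ("alice", "mail", "imap", "d2", 11_000),
    ("alice", "mail", "imap", "d3", 10_000),
    ("bob", "hr-db", "sql", "d1", 300_000), ("bob", "hr-db", "sql", "d2", 280_000),
    ("bob", "hr-db", "sql", "d3", 310_000),
    ("bob", "mail", "imap", "d1", 8_000), ("bob", "mail", "imap", "d2", 7_500),
    ("bob", "mail", "imap", "d3", 9_000),
]

# Constructed day under review: bob pulls several times his usual hr-db volume, and alice
# talks to hr-db for the first time (a volume that is ordinary for bob, but not for her).
DAY_UNDER_REVIEW: List[Record] = [
    ("alice", "src-repo", "ssh", "d4", 50_000),
    ("alice", "hr-db", "sql", "d4", 250_000),
    ("bob", "hr-db", "sql", "d4", 1_500_000),
    ("bob", "mail", "imap", "d4", 8_000),
]


def daily_totals(records: Iterable[Record]) -> Dict[Tuple[Key, str], int]:
    """Sum bytes per (user, destination, service) per day, so several flows in a day add up."""
    totals: Dict[Tuple[Key, str], int] = defaultdict(int)
    for user, dst, svc, day, nbytes in records:
        totals[((user, dst, svc), day)] += nbytes
    return totals


def build_baseline(records: Iterable[Record]) -> Dict[Key, float]:
    """Per user, destination and service: mean daily bytes under normal working conditions."""
    per_key: Dict[Key, List[int]] = defaultdict(list)
    for (key, _day), nbytes in daily_totals(records).items():
        per_key[key].append(nbytes)
    return {key: mean(vals) for key, vals in per_key.items()}


def detect(baseline: Dict[Key, float], records: Iterable[Record], factor: float = 3.0) -> List[str]:
    """Report each (user, destination, service, day) that deviates from that user's own
    baseline: a destination/service the user never used, or a volume above factor x their mean."""
    alerts: List[str] = []
    for (key, day), nbytes in sorted(daily_totals(records).items()):
        user, dst, svc = key
        if key not in baseline:
            alerts.append(f"{day} {user}: new destination {dst}/{svc} ({nbytes} bytes)")
        elif nbytes > factor * baseline[key]:
            alerts.append(f"{day} {user}: {dst}/{svc} {nbytes} bytes exceeds "
                          f"{factor:g}x baseline of {baseline[key]:.0f}")
    return alerts


if __name__ == "__main__":
    for line in detect(build_baseline(NORMAL_TRAFFIC), DAY_UNDER_REVIEW):
        print("ALERT", line)
```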
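The dIDS aggregation step, as an added example that is not from the paper: alerts from several sensors are collapsed per source host so that a host reported by multiple independent sensors stands out, and the same event type recurring across hosts is shown as a trend. Sensor names, host names and alert lines are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed alerts as they would arrive at a central collector from three sensors:
# (sensor, time, source host, event). Each sensor on its own sees only isolated events.
ALERT_LOG: List[Tuple[str, str, str, str]] = [
    ("nids-dev-segment", "09:01", "wkst-17", "port scan of db-srv"),
    ("nnids-db-srv",     "09:02", "wkst-17", "repeated authentication failures"),
    ("hids-web-srv",     "09:40", "wkst-17", "/var/www/index.html modified"),
    ("nids-dev-segment", "10:15", "wkst-03", "port scan of db-srv"),
    ("hids-web-srv",     "11:00", "wkst-22", "/etc/cron.d entry added"),
]


class SourceSummary:
    """What the central console knows about one source host across all sensors."""

    def __init__(self) -> None:
        self.alerts = 0
        self.sensors: Set[str] = set()
        self.events: List[str] = []


def aggregate(log: List[Tuple[str, str, str, str]]) -> Dict[str, SourceSummary]:
    """Collapse per-sensor alert lines into one summary per source host."""
    by_source: Dict[str, SourceSummary] = defaultdict(SourceSummary)
    for sensor, time, source, event in log:
        summary = by_source[source]
        summary.alerts += 1
        summary.sensors.add(sensor)
        summary.events.append(f"{time} [{sensor}] {event}")
    return dict(by_source)


def suspicious_sources(log: List[Tuple[str, str, str, str]],
                       min_sensors: int = 2) -> List[Tuple[str, int, int]]:
    """Rank hosts reported by at least min_sensors sensors as (source, alerts, sensors), worst
    first. A host seen by several independent sensors is a pattern, not an isolated event."""
    ranked = [(src, s.alerts, len(s.sensors)) for src, s in aggregate(log).items()
              if len(s.sensors) >= min_sensors]
    return sorted(ranked, key=lambda r: (r[2], r[1]), reverse=True)


def recurring_events(log: List[Tuple[str, str, str, str]],
                     min_sources: int = 2) -> Dict[str, List[str]]:
    """Trend view: the same event type reported for several different source hosts."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    for _sensor, _time, source, event in log:
        sources[event].add(source)
    return {ev: sorted(srcs) for ev, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    for src, n_alerts, n_sensors in suspicious_sources(ALERT_LOG):
        print(f"{src}: {n_alerts} alerts from {n_sensors} sensors")
        for line in aggregate(ALERT_LOG)[src].events:
            print("   ", line)
    print("recurring:", recurring_events(ALERT_LOG))
```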
5. Conclusion

In this paper we proposed a network model using IDS to identify insider threats. No matter how much an organization prepares for today's security threats, the risks continue to evolve. Employees come and go. IT infrastructures grow and incorporate new technologies that can introduce unforeseen vulnerabilities. To keep sensitive data protected, organizations must work continuously to remain a step ahead of potential attacks. Security systems should play a significant role in these ongoing efforts.
References
[1] New Insider Threat Emerges in the New Economy, January 2009; www.lumension.com
[2] Schneier on Security, June 2008; http://www.schneier.com/blog/archives/2008/06/it_attacks_insi.html
[3] http://techrepublic.com.com/2001-6240-0.html
[4] http://www.lendingtree.com/
[5] http://www.securityfocus.com/infocus/1558
[6] Michelle Keeney, Dawn Cappelli, Eileen Kowalski, "Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors", Carnegie Mellon Institute, May 2005.
Authors

Samir Kumar Bandyopadhyay, B.E., M.Tech., Ph.D. (Computer Science & Engineering), C.Engg., D.Engg., FIE, FIETE, is currently Professor of Computer Science & Engineering and Registrar, University of Calcutta, and visiting faculty at the Dept. of Computer Science, Southern Illinois University, USA, MIT, California Institute of Technology, etc. His research interests include Bio-medical Engineering, Mobile Computing, Pattern Recognition, Graph Theory, Software Engineering, etc. He has 25 years of post-graduate and under-graduate teaching and research experience at the University of Calcutta. He has received several academic distinctions, recognitions and awards from various prestigious institutes and organizations. He has published 300 research papers in international and Indian journals and 5 leading textbooks for Computer Science and Engineering. He has visited the USA, Finland and Sri Lanka.