Insider Threat Lecture 8

1
Insider ThreatLecture 8
2
Reading List

• This class
• Denning Chapters 6
• A review of FBI Security Programs,
  http//www.usdoj.gov/05publications/websterreport.
  pdf (Intro, conclusion)
• Insider threat to security may be harder to
  detect, experts say, http//www.computerworld.com/
  securitytopics/security/story/0,10801,70112,00.htm
  l
• Treason 101, http//rf-web.tamu.edu/security/secgu
  ide/Treason/Intro.htmTreason20101
• Next class
• Denning Chapters 7
• Orin Kerr, Internet Surveillance Law After the
  USA Patriot Act, 97 Northwestern Law Review,
  2003, http//ssrn.com/abstract_id317501
• Legal Standards for the Intelligence Community
  in Conducting Electronic Surveillance, Report
  was required by the FY 2000 Intelligence
  Authorization Act, and was transmitted to
  Congress at the end of February 2000,
  http//www.fas.org/irp/nsa/standards.html

3
Perception Management

• Information operations that aim to affect
  perception of others to influence
• Emotions
• Reasoning
• Decisions
• Actions

4
Censorship

• Offensive denies population access to certain
  materials
• Defensive protect society from materials that
  would undermine its culture or governance
• Internet makes censorship difficult
• Children Internet Protection Act, 2000
  (http//www.ifea.net/cipa.html ,
  http//www.cybertelecom.org/cda/cipa.htm )
• Free speech online
• Electronic Frontier Foundation http//www.eff.org/
  br/
• http//www.anu.edu.au/mail-archives/link/link9810/
  0378.html

5
US Restrictions

• First Amendment to the Constitution of the United
  States freedom of speech and press
• Exception child pornography, offensive and
  harmful speech, obscene material, etc.
• Material depicting violence ?
• 1996 Communications Decency Act (US congress)
• 1997 Supreme Court ruled that CDA sections 223
  and 224 abridged First Amendment rights

6
Insider Threat

• Employees working for an organization
• Generally trusted
• Easy access to resources
• Know how the system works
• Understand data

7
Types

• State and military espionage
• Economic espionage
• Corporate espionage
• Privacy compromises

8
State and Military Espionage

• Foreign intelligence agencies
• Goal collect state and military secrets
• Target foreign government
• Insider traitors, foreign agents, spies
• Motivation of traitor
• Financial gain, ideology, revenge

9
Examples

• 1987 Earl E. Pitts special agent FBI
• Became KGB agent
• Motivation financial gain
• Sentencing fine (500,000 250,000)
• 1994 Aldrich H. Ames CIA agent
• Became KGB agent
• Motivation financial gain
• Sentencing life sentence

10
Economic Espionage

• Government intelligence
• Goal acquire economic secret of foreign country,
  trade policies, and trade secrets
• Target foreign corporations, research
  facilities, universities, defense contractors
• Method similar to military espionage
• Technological competitions

11
Example

• Pierre Marion (France) Admitted spying on
  foreign firms
• IBM, Texas Instrument, Corning Glass
• Marc Foldberg (Renaissance Software, Inc. Palo
  Alto, CA) copied software
• Motivation financial gain
• Sentencing community service
• Guillermo (Bill) Gaede temp. employee of Intel
  Corp.
• Motivation financial gain
• Sentencing 33 months in federal prison

12
Corporate Espionage

• Corporation against other corporations
• Goal acquire competitive advantage in domestic
  or global market
• Foreign or domestic competitors

13
Corporate Espionage

• Computer technology convenient way
• Investigations
• Go public or not
• Law
• Inadequate
• Gray areas

14
Examples

• Cadence Design Systems vs. Avant! -- software
  product
• General Motors vs. VW
• IBM vs. Hitachi

15
Privacy Violations

• Personal data
• SS Administation
• Law Enforcement
• Medical
• Financial
• Computer systems
• System administrators
• Temporary employees

16
Business Relationship

• Trade secrets acquired during normal business
  relationship
• Transfer of proprietary secrets
• Trust in partners

17
Visits and Requests

• Insider unwittingly release proprietary info
• Social engineering
• Privacy violations
• Illegal?
• Unethical?
• Example false identity, overly friendly,
  demanding, etc

18
Foreign Researchers

• CRA News, November 2005
• US attracts outstanding researchers, students,
  educators
• Aids US to become economic power
• Rule making announcements
• March 2005 Department of Commerces Bureau of
  Industrial Security (BIS)
• July 2005 Department of Defense
• Place restrictions on foreign nationals who use
  or have access to sensitive technologies (export
  control)

19
Foreign Researchers

• Office of Inspector General Loopholes allow
  leakage of sensitive information
• Requests special requirements to access such
  materials
• Criticism academia, industry, other federal
  agencies, U.S. Senate
• Almost all oppose the proposed rule

20
Proposed Changes

• Export applications in addition to citizenship
  and country of residence, consider country of
  birth as well
• Expand the definition of use to any form of
  instructions on export controlled info
• Exclude from the fundamental research exemption
  those that are soponsored by the government and
  subject to prepublication review.

21
Fraud and Embezzlement

• False transactions or tampering with system
• Goal financial gain (usually)
• Examples
• Bogus transactions
• Data diddling (modification)

22
Inside Sabotage

• Physical attack
• Software attack

23
Penetration

• Physical break-ins
• Search and seizure
• Dumpster diving
• Bombs