The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures

Moore, Andrew P.; Cappelli, Dawn M.; Trzeciak, Randall F.

doi:10.1007/978-0-387-77322-3_3

Cited by 44 publications

(47 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In such a model, to reach a sensitive asset d i , an insider needs to have known or unknown access paths to asset d i (Ellard & Megquier, 2004;Kowalski et al, 2008;Moore, Cappelli, & Trzeciak, 2008 A specific access path can be USB access, CD access, VM instance access, email access, or any other access mechanism that allows users to access the sensitive asset, in legitimately way or illegitimately way. For example, to steal an asset d i for personal use, an insider may copy asset d i from the data storage site and then send to a personal USB device that has been attached to a system within a healthcare enterprise environment.…”

Section: 12mentioning

confidence: 99%

“…Therefore, forensics investigation on inside activities in healthcare enterprise environment, including incident detection and reconstruction is critically needed (Tu et al, 2012). Current research on inside threat detection and identification (Eberle & Holder, 2009;Moore, Cappelli, & Trzeciak, 2008;Phua, Lee, Smith, & Gayler, 2007) and event reconstruction mechanisms (Case et al, 2008;Tang, & Daniels, 2005;Tu et al, 2012) are limited in real world since they require a comprehensive set of information including social information and explicit dependence knowledge, which are not available in an enterprise environment. Hence, a novel mechanisms are critical to identify potential inside activity and reconstruct the inside activity for tracking.…”

Section: Insider Activity Identification and Trackingmentioning

confidence: 99%

“…Current malicious activity monitoring and detection techniques have limitations to effectively detect inside activities (Moore, Cappelli, & Trzeciak, 2008;Tu et al, 2012). Some research works have attempted to address inside threat modeling and detection issues (Bradford, Brown & Perdue, 2004;Burford, Lewis, & Jakobson, 2008;Chivers, 2009;Eberle & Holder, 2009).…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Data Loss Prevention Management and Control: Inside Activity Incident Monitoring, Identification, and Tracking in Healthcare Enterprise Environments

Tu¹

2015

JDFSL

View full text Add to dashboard Cite

As healthcare data are pushed online, consumers have raised big concerns on the breach of their personal information. Law and regulations have placed businesses and organizations under obligations to take actions to prevent data breach. Among various threats, insider threats have been identified as a major threat on data loss. Thus, effective mechanisms to control insider threats on data loss are urgently needed. The objective of this research is to address data loss prevention challenges in healthcare enterprise environment. First, a novel approach is provided to model internal threat, specifically inside activities. With inside activities modeling, data loss paths and threat vectors are formally described and identified. Then, threat vectors and potential data loss paths have been investigated in a healthcare enterprise environment. Threat vectors have been enumerated and data loss statistics data for some threat vectors have been collected. After that, issues on data loss prevention and inside activity incident identification, tracking, and reconstruction are discussed. Finally, evidences of inside activities are modeled as evidence trees to provide guidance for inside activity identification, tracking, and reconstruction.

show abstract

Section: 12mentioning

confidence: 99%

Section: Insider Activity Identification and Trackingmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Data Loss Prevention Management and Control: Inside Activity Incident Monitoring, Identification, and Tracking in Healthcare Enterprise Environments

Tu¹

2015

JDFSL

View full text Add to dashboard Cite

show abstract

“…Band et al [BCF + 06] and Moore et al [MCT08] summarize findings that reveal behaviors, motivations, and personality disorders associated with insider crimes such as antisocial or narcissistic personality. Anecdotal research is post hoc, mostly derived from interviews with convicted criminals, and speculative in its predictive value.…”

Section: Psychological Indicator-based Assessmentmentioning

confidence: 99%

“…A complementary approach is to develop instructional methods to raise managers' awareness of, and enhance their ability to detect, the warning signs of potential insider attacks. Examples of this approach are the workshops and interactive training that US-CERT [MCT08] offers, and a research and development program at the Office of the Secretary of Defense that is developing game-based methodologies to be used in this approach [DOD08].…”

Section: Psychological Indicator-based Assessmentmentioning

confidence: 99%

A Risk Management Approach to the “Insider Threat”

Bishop

Engle

Frincke

et al. 2010

Insider Threats in Cyber Security

View full text Add to dashboard Cite

Recent surveys indicate that the financial impact and operating losses due to insider intrusions are increasing. But these studies often disagree on what constitutes an "insider;" indeed, many define it only implicitly. In theory, appropriate selection of, and enforcement of, properly specified security policies should prevent legitimate users from abusing their access to computer systems, information, and other resources. However, even if policies could be expressed precisely, the natural mapping between the natural language expression of a security policy, and the expression of that policy in a form that can be implemented on a computer system or network, creates gaps in enforcement. This paper defines "insider" precisely, in terms of these gaps, and explores an access-based model for analyzing threats that include those usually termed "insider threats." This model enables an organization to order its resources based on the business value for that resource and of the information it contains. By identifying those users with access to high-value resources, we obtain an ordered list of users who can cause the greatest amount of damage. Concurrently with this, we examine psychological indicators in order to determine which users are at the greatest risk of acting inappropriately. We conclude by examining how to merge this model with one of forensic logging and auditing.

show abstract

A State Machine System for Insider Threat Detection

Zhang

Agrafiotis

Erola

et al. 2019

Graphical Models for Security

View full text Add to dashboard Cite

The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity.In this paper we propose a system complimentary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it on ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimum computational time and memory.

show abstract

The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures

Cited by 44 publications

References 1 publication

Data Loss Prevention Management and Control: Inside Activity Incident Monitoring, Identification, and Tracking in Healthcare Enterprise Environments

Data Loss Prevention Management and Control: Inside Activity Incident Monitoring, Identification, and Tracking in Healthcare Enterprise Environments

A Risk Management Approach to the “Insider Threat”

A State Machine System for Insider Threat Detection

Contact Info

Product

Resources

About