
Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources

George J. Silowash

Christopher King

January 2013

TECHNICAL NOTE CMU/SEI-2013-TN-002

CERT® Program

http://www.sei.cmu.edu

Copyright 2012 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0000083 SEI markings v3.2 / 30 August 2011

Table of Contents

Acknowledgments
Abstract
1 Introduction
1.1 Audience and Structure of this Report
2 Mitigating Insider Threat: Tools and Techniques
2.1 The CERT Insider Threat Database
2.2 The Windows Registry

Acknowledgments

Special thanks to our sponsors at the U.S. Department of Homeland Security, National Cyber Security Division, Federal Network Security branch for supporting this work.

Abstract

Removable media, such as universal serial bus (USB) flash drives, present unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property.

Organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them.

This report focuses on the theft of intellectual property using removable media, in particular, USB devices. We present methods to control removable media devices in a Microsoft Windows environment using Group Policy within an Active Directory environment. We also explore OpenDLP, an open source tool for identifying where sensitive data resides on organizational systems.

1 Introduction

Removable media, such as universal serial bus (USB) flash drives, present unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property.

The staff members of the CERT® Program, part of Carnegie Mellon University’s Software Engineering Institute, have seen instances where removable media played a role in a malicious insider’s attack. In light of this, organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them.

This report presents methods to control removable media devices in a Microsoft Windows environment using Group Policy within an Active Directory environment. The report also explores an open source tool, OpenDLP, for identifying where sensitive data resides on organizational systems.

1.1 Audience and Structure of this Report

This report is a hands-on guide for system administrators who are implementing USB device auditing and want to have a better understanding of where sensitive organizational data lives.

The remainder of this technical note is organized as follows:

• Section 2 describes some of the techniques available for establishing proper audit policies and technical controls to reduce the risk of malicious insider activity.

• Section 3 outlines how system administrators can use data loss prevention (DLP) products to help identify the organization’s sensitive data.

• Section 4 describes how administrators can use a centralized logging system to correlate audit events across machines, tools, and users.

• Section 5 summarizes this technical note.

® CERT is a registered trademark owned by Carnegie Mellon University.

2 Mitigating Insider Threat: Tools and Techniques

Malicious insiders are able to act within an organization by taking advantage of weaknesses they find in systems. Organizations must be aware of such weaknesses and how an insider may exploit them; organizations must also be aware of the many ways in which weaknesses are introduced.

For example, an organization may have insecure configurations or have relaxed or nonexistent security policies. In other cases, a lack of situational awareness introduces weaknesses that malicious insiders can exploit. Additionally, an organization that allows its employees to use USB devices is essentially increasing the organization’s potential for data leakage. Establishing proper audit policies and technical controls, as discussed in this section, will mitigate some of the risks.

We define a malicious insider as a current or former employee, contractor, or business partner who

• has or had authorized access to an organization’s network, system, or data

• intentionally exceeded or misused that access

• negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

Our research has revealed that most malicious insider crimes fit under one of three categories: IT sabotage, theft of intellectual property, and fraud. Additionally, a 2011 SEI report titled Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination presents an example of an insider threat pattern based on the insight that “many insiders who stole their organization’s intellectual property stole at least some of it within 30 days of their termination” [1].

This report focuses on the theft of information using removable media, in particular, USB devices.

When USB devices are introduced to a Microsoft Windows-based system, the system generates many remnants that can be audited or possibly used for forensic analysis. Therefore, it is important to understand how USB devices interact with the system.

In this section, we present tools and techniques that an organization can implement to mitigate insider threats. We describe the CERT insider threat database and the Windows Registry, outline techniques for controlling USB devices, and present methods for monitoring and auditing USB device usage. The tools and techniques presented in this report represent just a subset of various practices an organization could implement to mitigate insider threats. For example, DLP tools, such as OpenDLP, can scan databases for sensitive information; however, any commercial DLP tool could also complete this activity. Once sensitive information has been identified, information security teams can implement additional security accordingly.

Please note that since OpenDLP is only capable of searching for regular expressions found in cleartext, encryption defeats this tool. Since encryption converts plaintext into an unreadable form, regular expression scanning is rendered useless. Nonetheless, OpenDLP is an example of a simplified DLP tool that has a subset of the capabilities of a COTS tool set. We discuss OpenDLP further in Section 3.1 of this report.

2.1 The CERT Insider Threat Database

The CERT insider threat research is based on an extensive set of insider threat cases that are available from public sources, court documents, and interviews with law enforcement and/or convicted insiders, where possible. The database contains more than 700 cases of actual malicious insider crimes. Each case is entered into the database in a consistent, repeatable manner that allows us to run queries to search for specific information. The database breaks down the complex act of the crime into hundreds of descriptors, which can be further queried to provide statistical validation of our hypotheses. Since the database has captured very granular information about insider threat cases, it provides a way to find patterns of insider activity, discover possible precursors to insider attacks, and discover technical and nontechnical indicators of insider crime. This helps us to establish trends and commonalities and identify techniques that may be helpful in mitigating insider threats.

2.2 The Windows Registry

The Microsoft Windows Registry records a wealth of information when a device is connected to the system. However, to implement in-depth auditing of USB device events, we must first understand what Windows records in the registry. The information shown in Figure 1 was derived from a machine running Microsoft Windows 7 as the operating system. USB device activity is stored in the USBSTOR registry key and its subkeys.¹

To view USB device information, open the registry editor and navigate to this key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR.

This registry key will be used later in this report to implement an audit policy for USB devices.

Figure 1: Windows Registry View of the USBSTOR Key

In Figure 1, each subkey under the USBSTOR key was created when a corresponding device was first introduced to the system. When you expand the subkeys beneath USBSTOR, the devices that have been connected to the system are listed. Also in Figure 1, the USBSTOR key is listed with a subkey of Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_P…. This key contains the name of the device vendor (Kingston) and product (DataTraveler G3); expanding the key will list additional keys that correlate to the serial numbers (if available) of the devices that are of the same vendor and product type. For more details, see the article titled “USB History Viewing” on the Forensics Wiki [2].

¹ Serial numbers and other sensitive information have been redacted from the figures in this document.

Navigating the Windows Registry to gather related information can be daunting and time consuming. Freeware tools, such as NirSoft’s USBDeview, are available to assist users in accomplishing tasks associated with the Windows Registry [3].
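As an added example (not the report's own code, and not USBDeview), the following PowerShell script walks the USBSTOR key described above and splits each class subkey into its device type, vendor, product and revision fields, then lists the per-device instance subkeys beneath it. The function name and the output file usbstor-inventory.csv are assumptions.

```powershell
# Added example (not from the SEI report): read-only inventory of the USBSTOR
# key described in Section 2.2. Each class subkey is split into device type,
# vendor, product and revision; each instance subkey beneath it is one device
# (its name is usually the serial number, with "&0" appended, when the device
# reports one). Run from an elevated prompt so every subkey is readable.
$UsbStorPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorDevice {
    [CmdletBinding()]
    param()

    if (-not (Test-Path -Path $UsbStorPath)) {
        Write-Warning 'USBSTOR key not present: no USB mass-storage device has been connected.'
        return
    }

    foreach ($class in Get-ChildItem -Path $UsbStorPath) {
        # Class key name, e.g. Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_PMAP
        $fields = $class.PSChildName -split '&'
        $parts  = @{ Type = $fields[0] }
        foreach ($field in $fields) {
            if ($field -match '^(Ven|Prod|Rev)_(.*)$') {
                $parts[$Matches[1]] = $Matches[2]
            }
        }

        foreach ($instance in Get-ChildItem -Path $class.PSPath) {
            # FriendlyName is the value Windows writes for the device itself
            $props = Get-ItemProperty -Path $instance.PSPath
            [pscustomobject]@{
                Type         = $parts['Type']
                Vendor       = $parts['Ven']
                Product      = $parts['Prod']
                Revision     = $parts['Rev']
                InstanceId   = $instance.PSChildName
                FriendlyName = $props.FriendlyName
                KeyPath      = $instance.Name
            }
        }
    }
}

# List every device that has ever been plugged in, then keep a CSV copy that
# can be shipped to the central log server discussed in Section 4.
Get-UsbStorDevice | Format-Table -AutoSize
Get-UsbStorDevice | Export-Csv -Path '.\usbstor-inventory.csv' -NoTypeInformation
```

Run the same script on each workstation at a fixed interval and diff the CSV files: a newly appearing InstanceId is a device that has never been seen on that host before.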




