
Insider Threat Control: Using Universal Serial Bus (USB) Device Auditing to Detect Possible Data Exfiltration by Malicious Insiders

George J. Silowash

Todd B. Lewellen

January 2013

TECHNICAL NOTE

CMU/SEI-2013-TN-003

CERT® Program

http://www.sei.cmu.edu

Copyright 2012 Carnegie Mellon University

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

* These restrictions do not apply to U.S. government entities.

Carnegie Mellon® and CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0000084 SEI markings v3.2 / 30 August 2011

Table of Contents

Acknowledgments v

Abstract vii

1 Introduction 1

1.1 Audience and Structure of This Report 2

2 Mitigating Insider Threat: Tools and Techniques 3

2.1 Utilizing the CERT Insider Threat Database

Acknowledgments

Special thanks to our sponsors at the U.S. Department of Homeland Security, National Cyber Security Division, Federal Network Security branch for supporting this work.

Abstract

Universal serial bus (USB) storage devices are useful for transferring information within an organization; however, they are a common threat vector through which data exfiltration can occur.

Despite the threat, many organizations feel that the utility of USB storage devices outweighs the potential risks. Implementing controls to track the use of these devices is necessary if organizations wish to retain sufficient situational awareness and auditing capabilities to detect data theft incidents.

This report presents methods to audit USB device use within a Microsoft Windows environment.

Using various tools—the Windows Task Scheduler, batch scripts, Trend Micro’s OSSEC host-based intrusion-detection system (HIDS), and the Splunk log analysis engine—we explore means by which information technology (IT) professionals can centrally log and monitor USB device use on Microsoft Windows hosts within an organization. In addition, we discuss how the central collection of audit logs can aid in determining whether sensitive data may have been copied from a system by a malicious insider.

1 Introduction

Malicious insiders attempting to remove data from organizational systems may have various ways of doing so, such as by using email and cloud storage services. Some malicious insiders attempt to remove data by using removable universal serial bus (USB) media.

As discussed in a prior Software Engineering Institute (SEI) report, Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources, the use of removable media presents unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems [1]. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property.

Staff members of the CERT® Program, part of Carnegie Mellon University’s Software Engineering Institute, have seen instances where removable media played a role in a malicious insider’s attack. Given this and other considerations which we discuss later in this report, organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them.





This report presents methods to audit USB device usage within a Microsoft Windows environment. Using various tools—the Windows Task Scheduler, batch scripts, Trend Micro’s OSSEC host-based intrusion-detection system (HIDS), and the Splunk log analysis engine—we explore means by which information technology (IT) professionals can centrally log and monitor USB device usage on Microsoft Windows hosts within an organization. In addition, we discuss how the central collection of audit logs can aid in determining whether sensitive data may have been copied from a system by a malicious insider. Implementing controls to track the usage of these devices is necessary if organizations wish to retain situational awareness and auditing capabilities during a data theft incident.

The methods described in this report are designed so that each Windows host will check for changes to its USBSTOR registry key every five minutes. Whenever a change is detected, due to either a new USB device being inserted or a previous one being re-inserted, the host will locally log the new registry values as well as the host’s user-session information. At the same time, the host will (optionally) send a short SYSLOG message to a central log server for immediate alerting purposes. Additionally, the OSSEC HIDS system will centrally log the new registry values and session information and forward them to a Splunk system for analysis.¹ (We outline this process fully in Section 2.4.)

® CERT is a registered trademark owned by Carnegie Mellon University.

¹ We discuss OSSEC further in Section 2.5, and we present background about and uses for Splunk in Section 5.

CMU/SEI-2013-TN-003 | 1

This approach offers several key advantages that can assist an organization in its efforts to monitor potential incidents of data theft:

1. USB device usage can be detected quickly. It takes less than five minutes for the system to generate an alert.

2. There is redundant logging of information. Logs are stored locally on the hosts, centrally on an OSSEC server, and centrally on a SYSLOG server.

3. The system provides attribution. Current user-session information is logged when an incident is detected.

4. Native and open source tools are utilized. Local logging utilizes only Windows native capabilities and a single, open source, forensic executable; centralized logging can be done with the open source OSSEC system.

5. The system is customizable. An organization can choose to exclude any of the centralized logging capabilities and retain just the local logging capabilities or further modify the control to best suit its needs.
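The five-minute USBSTOR check, local log entry and optional syslog message described in the introduction can be approximated with the following PowerShell script. It is an added example written for this page, not code from the report or from the CERT Program; the directory under %ProgramData%, the log line format, the syslog priority value and the use of quser for session information are assumptions. Unlike the report's batch-script-plus-forensic-tool approach, it only reports device instances that are new to the USBSTOR key, so re-insertion of a previously seen device (which changes the key's last-write time but adds no subkey) is not caught by it:

```powershell
# Added example (not from the CERT report): snapshot the USBSTOR key on each run,
# log any device instance absent from the previous snapshot together with the
# interactive sessions present on the host, and optionally alert a syslog server.
# Paths, log format and syslog settings below are assumptions for this example.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$StateDir   = Join-Path $env:ProgramData 'UsbAudit'   # assumed location
$StateFile  = Join-Path $StateDir 'usbstor.prev'       # last snapshot
$LogFile    = Join-Path $StateDir 'usbstor.log'        # local audit log
$SyslogHost = $null   # set to the central log server's name to enable the alert
$SyslogPort = 514

function Get-UsbStorSnapshot {
    # One line per device instance: <Disk&Ven_...&Prod_...>\<instance id>|<FriendlyName>
    $lines = @()
    foreach ($class in Get-ChildItem -Path $UsbStorKey -ErrorAction SilentlyContinue) {
        foreach ($instance in Get-ChildItem -Path $class.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            $lines += '{0}\{1}|{2}' -f $class.PSChildName, $instance.PSChildName, $props.FriendlyName
        }
    }
    return @($lines | Sort-Object)
}

function Get-SessionInfo {
    # quser lists interactive (console and RDP) sessions; fall back to whoami
    try { return ((quser 2>$null) -join ' / ') } catch { return (whoami) }
}

function Send-SyslogAlert([string]$Message) {
    if (-not $SyslogHost) { return }
    # <12> = facility user (1) * 8 + severity warning (4), RFC 3164 style framing
    $bytes = [System.Text.Encoding]::ASCII.GetBytes("<12>$($env:COMPUTERNAME) UsbAudit: $Message")
    $udp = New-Object System.Net.Sockets.UdpClient
    try { [void]$udp.Send($bytes, $bytes.Length, $SyslogHost, $SyslogPort) } finally { $udp.Close() }
}

New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$current  = @(Get-UsbStorSnapshot)
$previous = if (Test-Path $StateFile) { @(Get-Content $StateFile) } else { @() }

# Instances present now that were absent from the last run (new device, or first run)
$new = @($current | Where-Object { $previous -notcontains $_ })

if ($new.Count -gt 0) {
    $stamp    = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $sessions = Get-SessionInfo
    if (-not $sessions) { $sessions = '(no interactive session)' }
    foreach ($entry in $new) {
        # Local log line carries the attribution data: time, host, device, who was logged on
        Add-Content -Path $LogFile -Value "$stamp host=$env:COMPUTERNAME usbstor=$entry sessions=$sessions"
        Send-SyslogAlert "new USBSTOR instance $entry sessions=$sessions"
    }
}

# Persist the current snapshot so the next run reports only changes
($current -join "`r`n") | Set-Content -Path $StateFile
```

Saved as, for instance, C:\ProgramData\UsbAudit\Invoke-UsbAudit.ps1 (an assumed path), the script can be registered with the Task Scheduler to run as SYSTEM every five minutes with schtasks /Create /SC MINUTE /MO 5 /RU SYSTEM /TN UsbAudit /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\UsbAudit\Invoke-UsbAudit.ps1". The five-minute interval is what bounds the detection latency mentioned in advantage 1, and the state file is what makes each run report only the delta; if the local log directory is writable by ordinary users, a malicious insider could tamper with the evidence, which is one reason the report also forwards the same data off-host through OSSEC and syslog.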

1.1 Audience and Structure of This Report

This report is a hands-on guide for system administrators and information security teams who are implementing USB device auditing and want to have a better understanding of which devices may be in use throughout the organization. We assume that readers are comfortable installing software and have a basic knowledge of how to edit a script.

The remainder of this report is organized as follows:

• Section 2 describes methods to establish proper auditing policies and technical controls to help reduce the risk of malicious insider activity.

• Section 3 presents additional information about USB audit logs.

• Section 4 lists benefits for 1) federal government agencies that use air-gapped systems and 2) organizations that want to protect intellectual property.

• Section 5 outlines how Splunk can be used to help identify events that are related to USB device usage.

• Section 6 summarizes this report.

2 Mitigating Insider Threat: Tools and Techniques

We define a malicious insider as a current or former employee, contractor, or business partner who

• has or had authorized access to an organization’s network, system, or data, and

• intentionally exceeded or misused that access, and

• negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

Malicious insiders are able to act within an organization by taking advantage of weaknesses they find in systems or by exploiting existing legitimate processes to their advantage. Organizations must be aware of such weaknesses and how an insider may exploit them; organizations must also be aware of the many ways in which weaknesses are introduced. For example, an organization may have insecure configurations or relaxed or nonexistent security policies. In other cases, a lack of situational awareness introduces weaknesses that malicious insiders can exploit, such as not understanding how organizational policies affect employees’ ability to perform their job effectively and efficiently. Additionally, an organization that allows its employees to use USB storage devices is essentially increasing the potential for data leakage. Establishing proper auditing policies and technical controls, as discussed in this report, will mitigate some of the risks.

Our research has revealed that most malicious insider crimes fit into one of three categories: IT sabotage, theft of intellectual property, and fraud. This report focuses on the theft of intellectual property using removable media, in particular, USB devices. When USB devices are introduced into a Microsoft Windows-based system, the system generates numerous artifacts that can be audited or possibly used for forensic analysis. Therefore, it is important to understand how USB devices interact with the system.

The tools and techniques presented in the next sections represent just a subset of various practices an organization could implement to detect and mitigate insider threats. For example, organizations may wish to deploy commercially available software to prevent data loss. These tools and methods can be used by organizations of any size, and we intentionally selected open source and public domain tools since they are freely available to the public. Additionally, many of the commands that we present are native to the Windows operating system.

2.1 Utilizing the CERT Insider Threat Database
