Mitigating the Threat of Malicious Insiders - Literature review Example

Summary
The following paper "Mitigating the Threat of Malicious Insiders" aims at discussing the numerous ways of mitigating the threat of malicious insiders. Any disruption of or attack on a business's information system can be disastrous in terms of legal costs, customer loss, and loss of profits. …

Extract of sample "Mitigating the Threat of Malicious Insiders"

Mitigating the Threat of Malicious Insiders

Introduction

In today's digital age, most businesses rely on information systems that are under constant threat of attack. This especially applies to the problem of the malicious insider. Businesses that seek to operate effectively must understand and develop ways to mitigate the threat of the malicious insider. Any disruption of or attack on a business's information system can be disastrous in terms of legal costs, customer loss, and loss of profits. The following paper aims at discussing the numerous ways of mitigating the threat of malicious insiders.

Definition of a Malicious Insider

The term malicious insider stems from the word insider. An insider is an individual who is regarded as an employee or officer of a company, or anyone who has access to private information concerning the company and its operations. Additionally, an insider is also defined as a person who is currently, or was at some earlier time, authorized to access a company's information system, network, or data. In this case, the approval or authorization means the company places a certain degree of trust in such a person. Furthermore, Walker (2008) argues that a malicious insider can be defined in both technical and legal terms. Law enforcers tend to believe that malicious insiders are those who violate trust in the business context, while IT experts tend to believe these are people who intentionally abuse such trust.

In technical terms, Demergis (2010) defines a malicious insider as a present or previous human or non-human actor who deliberately misused or exceeded an authorized level of access to communication and information system networks, services, systems, data, or resources in a manner that targeted a specific human or non-human individual, or who affected the privacy, availability, or integrity of the nation's systems, data, and/or day-to-day operations. Overall, a malicious insider is a current or former individual with current or former authority to access a company's or government's information systems who intentionally uses that level of access to perform unauthorized actions or operations on those systems.

Malicious insiders can present different forms of threats to any information system. According to Demergis (2010), malicious insiders differ in their intentions, resources, capabilities, persistence, and degree of risk avoidance. Based on the history of malicious insider attacks, numerous threats have already been reported. Malicious insiders can be a threat by illegally extracting, duplicating, and exfiltrating crucial business or government information. Malicious insiders can also tamper with data by making unapproved data changes and deletions (Salem et al., 2008). Another threat is packet sniffing and eavesdropping, which can lead to unauthorized monitoring of data or crucial information. Malicious insiders also impersonate and spoof other users, as well as installing malicious software, bugs, and viruses on systems (Bowen et al., 2010). All these security risks are directly related to numerous business threats. Access to and manipulation of company or government data can lead to increased violation of privacy rights. In this case, malicious insiders may use customer information gained illegally to cause increased damage.
Additionally, all activities conducted by malicious insiders tend to paralyze the daily or critical operations of a company, which translates into increased losses. Malicious insiders have caused millions, and even billions, in losses for companies and governments around the world. As such, malicious insiders should be treated as a significant threat and risk to company operations and the effective functioning of information systems. This requires an understanding of the numerous ways of preventing, detecting, and dealing with malicious insiders.

Methods of Detecting Malicious Insiders

There are numerous methods for detecting malicious insiders, varying from technical to psychological means (Parsons et al., 2009). The most commonly used method for detecting malicious insiders is profiling. According to Salem et al. (2008), this is known as host-based user profiling. It is based on conducting an investigation once an attack has already happened. Some of the attacks and threats posed by malicious insiders can be traced through information systems to identify the insider. This is because most companies and governments do not have the technical ability to develop and implement special systems or applications that can detect a malicious insider before they do harm. Additionally, the complex nature of the malicious insider problem makes it difficult to detect an attack before it has occurred. The host-based profiling detection method is based on auditing all important information system elements. This includes the command-line calls or operations issued by each user, system call checking, and database or file access monitoring (Bowen et al., 2010). The profiling also extends to policy management rules and agreement logs. User profiling can be used in the Windows or operating system setting as well as in the web or online-based setting.

These methods have proved successful in most cases, enabling malicious attackers to be detected after they have attacked an information system. Another method for detecting malicious insiders is through network and system-based sensors or warning systems. One of the network detection systems developed is ELICIT, which detects when an insider accesses information, resources, data, or files that they have no need to know about (Salem et al., 2008). The system detects suspicious activities by insiders, such as browsing, searching, printing, and downloading, by monitoring the use of sensitive or suspicious terms or anonymous browsing. The information gathered through this method can then be statistically analyzed to develop patterns that help in detecting malicious insiders. However, the ELICIT detection system was tested over a period of one year, which indicates that, while it can be used to detect malicious insiders, it is a slow method of doing so (Salem et al., 2008). Another system-based malicious insider detection method is honeypots or honeytokens. These are realistic but fake systems that replicate true production systems and are designed to attract malicious insiders to improperly access, manipulate, or tamper with information or resources (Maybury et al., 2005). Honeypot systems can facilitate detection of a malicious insider's capabilities and motives based on the enticements they advertise to possible malicious insiders (Maybury et al., 2005). These systems use tokens such as fake credit card numbers, logins and passwords, as well as fake files or documents. These methods can be very helpful in detecting malicious insiders before they actually attack.

Prevention of Malicious Insider Attacks

Malicious insider attacks can be prevented by applying numerous methods. One way to prevent malicious insider attacks is through security training or security awareness.
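The three detection approaches described in the section above (host-based profiling of file access, ELICIT-style need-to-know checks, and honeytokens) can be combined into a single detector run over an audit log. The following is an added example, not code from the paper or from any of its sources; the log format, the user-to-share mapping, the decoy path and the download baseline are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed audit lines (hypothetical format): timestamp, user, action, path.
AUDIT_LOG = """\
2023-01-09T08:01:11 alice READ /shares/finance/q4_forecast.xlsx
2023-01-09T08:03:54 alice READ /shares/finance/payroll_2022.csv
2023-01-09T08:05:20 bob READ /shares/engineering/build_notes.txt
2023-01-09T08:07:02 bob READ /shares/hr/salary_bands.xlsx
2023-01-09T08:07:40 bob READ /shares/hr/decoy_exec_compensation.xlsx
2023-01-09T08:09:13 bob DOWNLOAD /shares/finance/payroll_2022.csv
2023-01-09T08:09:15 bob DOWNLOAD /shares/finance/q4_forecast.xlsx
2023-01-09T08:09:16 bob DOWNLOAD /shares/finance/vendor_list.csv
2023-01-09T08:12:30 carol READ /shares/hr/salary_bands.xlsx
"""

# Need-to-know map (the ELICIT idea): the share each user's role is expected to use.
ROLE_SHARES = {"alice": {"finance"}, "bob": {"engineering"}, "carol": {"hr"}}
# Honeytoken: a decoy file that no legitimate workflow ever touches.
DECOY_PATHS = {"/shares/hr/decoy_exec_compensation.xlsx"}
# Host-based profiling baseline: more downloads than this per user is abnormal.
DOWNLOAD_BASELINE = 2


def parse_line(line):
    ts, user, action, path = line.split(maxsplit=3)
    return {"ts": ts, "user": user, "action": action, "path": path}


def share_of(path):
    # "/shares/<share>/<file>" -> "<share>"
    return path.split("/")[2]


def detect(log_text):
    """Return {user: [(rule, detail), ...]} for every user tripping at least one rule."""
    alerts = defaultdict(list)
    downloads = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        user, path = ev["user"], ev["path"]
        if path in DECOY_PATHS:                      # honeytoken touched
            alerts[user].append(("honeytoken", path))
        if share_of(path) not in ROLE_SHARES.get(user, set()):
            alerts[user].append(("need_to_know", path))   # outside the role's shares
        if ev["action"] == "DOWNLOAD":
            downloads[user] += 1
    for user, n in downloads.items():               # profiling: volume against baseline
        if n > DOWNLOAD_BASELINE:
            alerts[user].append(("download_volume", str(n)))
    return dict(alerts)


if __name__ == "__main__":
    for user, hits in sorted(detect(AUDIT_LOG).items()):
        print(user, hits)
```

On the constructed log only bob is flagged: one honeytoken hit, five need-to-know violations, and a download count above the baseline, while alice and carol stay within their own shares.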
Organizations and governments should offer computer and information systems security training to their employees on a regular basis (Wilson & Hash, 2003). This training should be reviewed and reinforced regularly to ensure it focuses on current and important issues (Wilson & Hash, 2003). Additionally, security training should clearly focus on the malicious insider problem. Employees and other users of the information systems should be made well aware of the potential social engineering approaches that malicious insiders may use to gain resources for carrying out malicious activities. Moreover, security training should also make it clear that there is no definitive way to automatically detect or identify malicious insiders (Walker, 2008). Such training should also cover how people should report any suspicious activities or observations of malicious insiders to the relevant authorities or management.

Another method of preventing malicious insider attacks is restricting access to the information systems. Businesses should reduce the duties and privileges of employees from different departments to ensure that the least number of people have access to the information system. Reducing the duties of employees can help to prevent others with the intent of malicious attacks from accessing the information system. Research has illustrated that most malicious insiders tend to act alone rather than with accomplices. Additionally, the restriction of access to the information systems should also be reinforced with strict and well-established account and password management practices and policies (Musthaler, 2008). This also applies to the overall information systems security policies. Most companies underestimate the importance of security policies. Strong and strict security policies can easily frustrate the motives of malicious insiders by ensuring that they are not able to carry out their malicious activities without violating security or information system policies (Musthaler, 2008). This is an effective method of ensuring that all insiders have a good understanding of what they should not do or access in the information system. Overall, all these methods are effective ways of preventing malicious insider attacks.

Conclusion

In conclusion, it is clear from the paper that malicious insiders pose increased threats to the proper operation of businesses. They intentionally abuse their level of trust or access to information systems to cause deliberate harm to companies, individuals, or governments. Numerous methods can be used to detect malicious insider attacks before or after they occur. These include individual profiling of activities and motives and system- or network-based detection systems. The use of security training, restriction of access, and policy development can help to prevent malicious insider attacks.

References

Bowen, B. M., Salem, M. B., Keromytis, A. D., & Stolfo, S. J. (2010). Monitoring technologies for mitigating insider threats. In Insider Threats in Cyber Security (pp. 197-217). Springer US.
Demergis, J. (2010). Proceedings of the 9th European Conference on Information Warfare and Security. UK: Academic Conferences Limited.
Maybury, M., Chase, P., Cheikes, B., Brackney, D., Matzner, S., Hetherington, T., ... & Longstaff, T. (2005). Analysis and detection of malicious insiders. MITRE Corp., Bedford, MA.
Musthaler, L. (2008). 13 best practices for preventing and detecting insider threats. Retrieved from http://www.networkworld.com/article/2280365/lan-wan/13-best-practices-for-preventing-and-detecting-insider-threats.html
Parsons, K., McCormac, A., & Butavicius, M. (2009). Human factors and information security: Individual, culture and security environment. Manuscript submitted for publication.
Salem, M. B., Hershkop, S., & Stolfo, S. J. (2008). A survey of insider attack detection research. In Insider Attack and Cyber Security (pp. 69-90). Springer US.
Walker, T. (2008). Practical management of malicious insider threat – An enterprise CSIRT perspective. Information Security Technical Report, 13(4), 225-234.
Wilson, M., & Hash, J. (2003). Computer Security: Building an Information Technology Security Awareness and Training Program. Gaithersburg, MD: Information Technology Laboratory, National Institute of Standards and Technology.