4.1 Prevention and Detection
So, in module three, we reviewed some real world examples of insider attacks. In module four, we will dig into how to prevent and detect these kinds of attacks.
So there are various methods, tools, technologies and so on that can help detect and prevent insider attacks. Okay, some important examples are defense in depth, vulnerability scanning, host-based security, network and user analytics, two-person integrity and separation of duties.
Okay, so let's talk about defense in depth. Defense in depth is the concept of having multiple layers of security in place so that if one of the layers fails, hopefully one of the other layers will pick up and prevent the attack. That's the general concept. So employing layers of security ensures that if one layer fails, hopefully another layer will succeed.
So layered defense components include router access lists, proxy servers, firewalls, IDS and IPS, access control based on roles and responsibilities, host-based firewalls and malware detection, and more.
I want to make sure I explain all those things I talked about. A router access list: a router is a device that tells network traffic which way it needs to go, kind of directing the traffic. And on a router, you can put something called an access list, and you can block things like IP addresses that you don't want to be able to communicate with your network. And in the same way, you could block ports that you don't want coming into your network. Okay,
and then you have proxy servers and firewalls. An IDS/IPS is an intrusion detection system / intrusion prevention system. You could say it's kind of like a firewall, but it sniffs the network looking for nefarious traffic and identifies that traffic based on patterns, fingerprints of malicious activity, et cetera. That's the idea: the IDS senses it, and then the IPS can be configured to block that traffic.
Okay, then access control based on roles and responsibilities. That's pretty straightforward. Host-based firewalls, malware detection, and so on. Okay,
so that is the concept of defense in depth. So imagine you have traffic, say a hacker is trying to do some sort of hack through the network and his network traffic is on the way. The first thing it does is it hits the router access list out there on the perimeter. And if that is allowed through because no one's blocked it, it will continue on. And then maybe it gets to the firewall, and the firewall will inspect the traffic, make sure it is what it's supposed to be, make sure there's not a signature of something suspicious in there, or previously blocked sites, or a hack attempt, et cetera. And as it's coming in, if the firewall says that's OK and it goes through all these checks, then it made it through the second part, and then it continues on, and next it might hit the IDS/IPS, the intrusion detection system / intrusion prevention system. And at that point, it will again be inspected for signatures that may look like hacker activity. It might be something that will pass a firewall, but the signature of a certain combination of things may look like hacker activity, and it could be blocked at that point. But if it's not, it continues on, and maybe it gets to the actual server inside the network or the workstation.
Now it's gone through all these other security layers. It hasn't been stopped yet. Now it gets to the host itself. Okay, the host may have a host-based firewall running, and that firewall will inspect the traffic and see if it's something that should be allowed onto the host. And then once it's on the host, if it's allowed, now you're getting to the final few layers that can protect this host. The final layers could be malware software, or it could be application whitelisting. And so the application level would be something like application whitelisting, where the application can only do what it's allowed to do and only authorized applications can be executed or started on that system. So you couldn't put, you know, some sort of hacker software on there and start it up, because the application whitelist will say no, you're not allowed.
And then when you get down to the data, there's things like file and folder permissions, where maybe you could get on the server, but you can't get to the part that has the sensitive data because you don't have the permissions. So that's another layer that might stop a hacker. And then you have things like data tagging, where you actually define what the data is allowed to do and where it's allowed to go. And that could also be a point where the hacker could be stopped. So all of these things are part of defense in depth, which is designed, again, to try to prevent a successful attack. And we talk about a hacker, a general attacker, but these attacks could be executed from within the network against a server or a system. So from the insider perspective, this is still very, very relevant, very, very important.
Now let's talk about network vulnerability scanning. So as we said before, really, insider threat, the type of stuff we're talking about, is just a subset of information security or cybersecurity. And so even though you are inside of the network, you're authorized, you're allowed to be there, you can still do the same things that a hacker would do and try to exploit vulnerabilities, like, for instance, we said SQL injection before, and so on. So on the network, you can do things to try to be proactive and prevent a hacker from being successful. And that includes doing network vulnerability scanning or penetration testing, and so on. Network vulnerability scanning is the concept of scanning the network, looking at all your systems from one computer, and looking for vulnerabilities that hackers might try to exploit, or an insider might try to exploit. Okay. And if you can find those proactively, ahead of time, you can fix them so that in the future, if someone ends up being an insider threat, they will have less of an attack surface area that is available for them to try to exploit. Okay, and same thing with penetration testing. It is the concept of going a little deeper and trying to actually penetrate and see if an exploit can be executed. And that's a similar concept to network vulnerability scanning, but just a little bit more in depth, a little bit more targeted, and so on. So all these things are there to try to fortify your network a little bit better, to try to lower the risk of an attack.
So let's talk about the host. This is the final layer of security before you get to the prize, potentially, which is the data sitting on the host, on the server. So you've made it all the way through the router access list, you defeated the firewall, you defeated the IDS and IPS, and you made it to the host. You knocked on the door, and now you have to deal with things like a host-based firewall. Okay, that may stop you from starting your exploit. You may have to deal with application whitelisting software, which is going to prevent you from running hacker tools or other applications on the host that are not supposed to be there. Malware software is going to stop a lot of things like rootkits and things like that that it recognizes the signature of. And then there's things like file and folder directory permissions, et cetera. These things can be very effective. They're simple but very effective. For instance, if you hacked a certain account and you got on a system, you may not have the rights with that account to get to the data that you want to steal. So you have to try to do some other exploit to elevate your privileges to try to get to that data. So these are extra roadblocks they're putting in your way. And this is all about buying time. The longer it takes, the less likely it is you're going to be successful; you're probably going to be discovered. Hopefully, you have enough mechanisms in place to do that. And so that is what is happening here. You're putting these roadblocks up, you're thwarting the attacker, and hopefully they're not going to be successful because of all of these measures that you have in place.
Now this is a very important one for the insider threat concept, and that is network and user based analytics. Network and user based analytics tools establish a baseline of normal activity and flag when abnormal activity is identified. So you can imagine this system being put on the network, say it's the network tool, and it's looking and keeping statistics on what all the IP addresses in the network normally do, how much traffic is coming in and out, and so on. Whenever something spikes way out of that norm, way out of scope statistically, it will flag that traffic so that someone can be identified to look at it. And so that is kind of the network analytics perspective. It looks at the network as a whole. Okay, now you get to the more granular, or the finer, perspective, which is user based analytics. And that is where you go down to the user and establish a baseline. So every user has a baseline of their normal activity. Let's say the user normally comes in, they log in around this time, they go to these certain sites, and they upload and download this kind of data from these certain parts of the network. And they do X, Y, they check their Facebook a couple of times or whatever. And this is what this user does 99.999999% of the time for the entire year. Now, all of a sudden, if that user comes in at midnight and downloads a bunch of data that they never go to or never had access to before, and they send it out to Dropbox, which is, you know, a cloud-based storage type solution out there that's free. If that happens and it's never happened before, that's going to be flagged. Someone's going to be notified and it will be investigated. That is kind of the perspective of the user based analytics. So combining these things together can lead to a really solid solution that could help prevent the insider attack.
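The user baseline and "way out of the norm" flagging described above, as an added example (not the course's or any vendor's code). It learns each user's usual login hour, transfer volume and destinations from a constructed 30-day history, then scores the midnight-to-Dropbox scenario against that baseline; the event layout, field names and the z-score threshold are assumptions.

```python
# Added example (not from the course): a minimal user-based analytics check.
# Learn each user's normal login hour, transfer volume and destinations from
# constructed history, then flag events that fall far outside that baseline.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 30-day history for one user: events are
# (user, hour_of_day, bytes_out, destination). Working hours, modest volume,
# always the internal file server.
HISTORY = [("alice", 9 + (d % 8), 2_000_000 + 50_000 * (d % 5), "fileserver.corp")
           for d in range(30)]

def build_baselines(events):
    """Per-user mean/std-dev of login hour and bytes out, plus destinations seen."""
    by_user = defaultdict(list)
    for user, hour, nbytes, dest in events:
        by_user[user].append((hour, nbytes, dest))
    baselines = {}
    for user, rows in by_user.items():
        hours = [r[0] for r in rows]
        sizes = [r[1] for r in rows]
        baselines[user] = {
            "hour_mean": mean(hours), "hour_sd": pstdev(hours) or 1.0,
            "bytes_mean": mean(sizes), "bytes_sd": pstdev(sizes) or 1.0,
            "destinations": {r[2] for r in rows},
        }
    return baselines

def score_event(event, baselines, threshold=3.0):
    """Return the reasons an event deviates from the user's baseline ([] if normal).
    Hour is treated linearly (an assumption; 23:00 vs 00:00 is not wrapped)."""
    user, hour, nbytes, dest = event
    b = baselines.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if abs(hour - b["hour_mean"]) / b["hour_sd"] > threshold:
        reasons.append(f"unusual hour {hour:02d}:00")
    if (nbytes - b["bytes_mean"]) / b["bytes_sd"] > threshold:  # one-sided: spikes only
        reasons.append(f"unusual volume {nbytes} bytes")
    if dest not in b["destinations"]:
        reasons.append(f"never-seen destination {dest}")
    return reasons

if __name__ == "__main__":
    base = build_baselines(HISTORY)
    # The lecture's scenario: midnight, large transfer, to a cloud storage site.
    for why in score_event(("alice", 0, 50_000_000, "dropbox.example"), base):
        print("ALERT alice:", why)
```

A flagged event is only a lead for an analyst; the point of the baseline is to route the investigation, not to block the user automatically.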
Okay, so two-person integrity. It is what it says. It says use of removable media should be required (this is an example here): use of removable media should require two individuals, one to independently verify and approve the need for the removable media, and the second to perform the use of said removable media. So remember we talked about the Sony scenario, where what if that person who is uploading this trailer, well, they have access to the entire movie. What if he or she just put in a thumb drive, copied that movie down and stole it, took it in their pocket and left? Well, if you have no security measures in place, that is very possible to do. And that is an example of how two-person integrity to access that super sensitive file should be employed. So if there is a need to access a super sensitive file, like a multi-million dollar movie file that hasn't been released, you want to employ two-person integrity. And that is a situation where, essentially, if you try to access that file, it requires that someone else gets notified and that they have to come verify what you're doing and approve what you're doing. The fact that two people have to be involved, or maybe more, would reduce the risk that someone's going to just try to steal a file like that. So this is the concept of adding an extra layer of security to try to prevent the insider attack.
Okay, let's talk about separation of duties. This is easy to get confused with the other one, two-person integrity, but it's the concept of making sure that checks and balances are in place. So the security auditor (this is an example here again) and those being audited should be separate individuals. For instance, the person doing the network scans should not be the same person who is responsible for fixing the discovered vulnerabilities. So what that is to say: say I'm the system administrator, and say I haven't been doing my job on this server. I haven't put the patches on, I've been a bit lazy. I have all these security vulnerabilities on the server, but I just haven't done my job. And I've been on social media all day long and not doing my work. And so the network scanning person is a separate person. They scanned the network, and they found out that I haven't been doing my job. I have all these vulnerabilities on my server, and I was supposed to fix these, like, two months ago, and they're still there. Well, that individual who does the scanning is separate from the individual who was scanned, so that individual can independently turn it in to the supervisor or whatever, and then they can make sure that the problem is fixed. Now if the lazy person who didn't do their job, who didn't finish the patching on the server, if they were also doing the scanning, then they're probably not going to tell on themselves, and they're probably going to ignore it and not improve security on the network. So that is an example of how separation of duties is very important: trust, but verify, and ensure that these important security measures get done properly.
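Both controls above, two-person integrity for removable media and separation of duties between the scanner and the administrator, as an added example of how a system could enforce them (not code from the course). The record types, names and the "report must reach a supervisor" rule are assumptions; the checks catch the failure modes the lecture describes: no second person, self-approval, and the scanner being the person who was scanned.

```python
# Added example (not from the course): policy checks for two-person integrity
# (TPI) and separation of duties (SoD). Record layouts are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class MediaRequest:
    request_id: str
    requester: str       # the person who will actually use the removable media
    justification: str   # the stated need that a second person must verify

@dataclass(frozen=True)
class Approval:
    request_id: str
    approver: str        # the person who independently verified the need

def tpi_check(req, approvals):
    """TPI: a distinct second person must have approved this exact request.
    Returns (allowed, reason)."""
    if not req.justification.strip():
        return False, "no stated need for a second person to verify"
    matching = [a for a in approvals if a.request_id == req.request_id]
    if not matching:
        return False, "no approval on file for this request"
    independent = [a for a in matching if a.approver != req.requester]
    if not independent:
        return False, "only self-approval on file; a second person is required"
    names = ", ".join(sorted(a.approver for a in independent))
    return True, f"independently approved by {names}"

def sod_check(host, host_admin, scanner, report_recipients):
    """SoD for vulnerability scanning: the scanner must not administer the host
    they scanned, and the findings must reach someone besides that admin.
    Returns a list of problems (empty when the duties are properly separated)."""
    problems = []
    if scanner == host_admin:
        problems.append(f"{scanner} scanned {host} but also administers it")
    if set(report_recipients) <= {host_admin}:
        problems.append(f"findings for {host} reach only its admin; route to a supervisor")
    return problems

if __name__ == "__main__":
    req = MediaRequest("R-1", "alice", "copy approved trailer to drive for the vendor")
    print(tpi_check(req, [Approval("R-1", "alice")]))    # self-approval rejected
    print(tpi_check(req, [Approval("R-1", "bob")]))      # second person: allowed
    print(sod_check("srv01", "alice", "alice", ["alice"]))  # scanner audits herself
```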
Okay, here we are at the knowledge check. So let's roll on in. In network vulnerability blank, an application running on a computer scans network-connected systems for weaknesses.
Okay. Network and user based blank tools establish baselines of normal activity and flag when abnormal activity is identified.
Okay. With blank, the security auditor and those being audited must be separate individuals.
Separation of duties