The Association between Capacity Management, Cybersecurity, and Insider Threat Chris Greco, PMP, PMI-ACP, CISSP, ITIL
Page 1: The Association between Capacity Management, Cybersecurity ...cmgcanada.altervista.org/presentations/2017 Oct pres/The Associati… · • Intel Core i7 (5960X) = 238,000 MIPS •

The Association between Capacity Management, Cybersecurity, and Insider Threat

Chris Greco, PMP, PMI-ACP, CISSP, ITIL


Assumptions

• Every computer has at least one user
• Every user accesses the computer through a series of access controls
• Every access control has at least one method of authentication (two preferred)
• Every one of these authentication methods has an effect on capacity
• Every capacity change incorporates a set of risks


Background of Speaker

• Over 35 years of project management experience combined with 15 years of IT experience
• Speaker at CMG on a variety of topics
• In 2006, presented the topic of capacity and security
• In that presentation, showed that capacity will grow exponentially in the next 10 years due to security concerns


Stunning Statistics

• 2010: 60% of respondents to survey stated they would take anything from their prior employer, including information

• 2012: Former NSA contractor takes information from computers (insider threat)

• 2013: Hacking continues, and in some cases, originates within companies (insider threats)

• 2016: Insider threats present a very real and present danger to companies and governments


How Does This Relate to Capacity?

• Let’s do the logic
• There are approximately 7 billion people in the world
• If half own and use a computer (3.5 billion) then they have at least one password
• The password may contain upwards of 15 characters
• If each character of that password is a byte, then you have 53 Gigabytes of information


That’s Not Bad At All

• Nope, not bad, then you start to add it all up
• You have a “forgotten password” feature where you store 3 questions and answers for each user
• The questions are standard (but still need to be stored) and the answers vary
• If the answers have an average of 10 characters (which in my opinion is underestimated) then you have about 105 Gigabytes of information


But It is Not Over Yet!

• If the entity employs multi-factor authentication, then it becomes even more complicated

• You have to store phone numbers of the users, and issue random numbers for verifications

• Storing phone numbers increases your data storage by at least 10 bytes per user, which would be an additional 35 Gigabytes


The Sum And The Consequences

• 53 + 105 + 35 = 173 Gigabytes
• And that is for only one password for one application (or one application access)
• The reason for this introduction is to say that there is a rise in the authentication requirement

• As a user, your responsibility is to ensure your passwords are strong

• The infrastructure manager has to do the rest


The Growth of Authentication

• In the beginning, the password was the only authentication needed for access

• Then multi-factor authentication required more
– Something you know – password
– Something you have – cellphone (or a “fob”)
– Something you are – biometrics

• This has required more capacity to store all this data


Authentication And The Numbers

• Assumptions
– Your company has 1000 employees
– Each of these employees has a strong password (i.e. 10 characters, different character sets)
– Your company has also incorporated biometrics (“something you are”), which is one fingerprint
• The password will be approximately 21 kilobytes, and the fingerprint will be approximately 1 megabyte


What Is the Problem?

• So far, given the previous slide, everything is not bad at all
• However, there are some other issues you need to consider
– The storage of past passwords (don’t want users using the same password for everything)
– The storage of USERIDs (at least 7 characters)
– The storage of more than one fingerprint (increase by approximately 1 MB each time)


Access By Application

• Of course most of us have access to applications or single sign on (SSO), so the storage is not a problem (right?)

• The baseline storage still has to occur, as well as the possibility of placing certain folders under access

• Every folder or document that has access must also have an access control


Simulated Access Control

• The following diagram shows a simulated access to one document by a set of users

• This is just a simulation, but one can imagine the amount of storage that would be required to keep the passwords or other access current

• You may have an Access Control List (ACL) but that means you have to store at least the following:
– Name (or employee number or other ID)
– USERID
– PASSWORD
– Other access controls including versions of the documents


Access Chart for Single Document


A Quick Review

• Your storage has to accommodate the following security protections
– Something you know (passwords, passcodes, userid)
– Something you have (fobs, cellphone numbers, random number generator)
– Something you are (biometrics including fingerprints, iris scans, facial recognition)
• All of this just to ensure authorized access
• This does nothing to prevent insider threat if not done in combination with other measures


Insider Threat

• Insider Threat is nothing new
• Disgruntled employees have existed as long as there are companies
• In the past, they sometimes took office supplies, or other things of value
• Now, they could take something of great value – information!
• How do you stop this insidious practice?
• You will NEVER stop Insider Threat (in my opinion) but you can try to prevent and detect it


Capacity Management and Insider Threat

• Storage of user identifying information
– Every user takes up space in the storage formula
– The amount of information will vary

• What we need to discuss is how to detect and/or prevent insider threat

• What are the various forms of data you store in order to implement an insider threat detection/prevention?


Logic Behind Detecting Insider Threat

• Let’s assume again that you have 1000 employees

• Each of these employees has access to 1000 documents in various folders on the servers

• You, as the computer security manager, have a “feeling” that there is information being pilfered from the system

• In order to confirm that feeling with data you have to monitor activity on those servers


What Should We Consider?

• If we wanted to employ an “insider threat” detection (or outside threat for that matter) we would want to consider the following:
– Number of machines (one machine per person)
– Number of servers
– Number of firewalls (inside and outside DMZ)

• You would also have to consider how many months (or years) you would want to keep the data


Just One Example

• http://www.buzzcircuit.com/tag/siem-storage-calculator/ is just one site for measuring the amount of storage necessary

• Using this site and inserting the number 10 for all the hardware choices, along with 6 months for storage requirements

• The amount of storage you would need would be approximately 3 Terabytes of raw data and 5 Terabytes of application storage


Changing the Attributes

• If you increase the number of servers from 10 to 50, you increase the storage requirement by 2 Terabytes

• If you use the average medium sized company of 200 employees, you increase the number of computers to 200 with 10 servers (1 per 20 computers)

• This would mean that you would have to START with several Terabytes of storage just to retain it for 6 months!


Sample of Storage Requirements (For Different # of Servers)

[Chart: storage in Terabytes (y axis 0 to 300) against number of servers (ticks 1, 5, 10, 15, 20, 25). Series: 6 Months Retention (1 of Everything); 1 Year Retention (1 of Everything); 6 Months Retention (1 + FW, R, SW, DB, Etc); 1 Year Retention (1 + FW, R, SW, DB, Etc); 6 Months Retention (10 of Everything); 1 Year Retention (10 of Everything)]


What About Processing?

• According to the cited source, it takes 4 instructions to add two numbers
• A log entry averages 400 characters
• 400 X 4 = 1600
• 50 EPS per Firewall or Windows Server
• 3 Windows Servers = 150 EPS
• 150 X 1600 = 240,000 Instructions/second
• Intel Core i7 (5960X) = 238,000 MIPS
• Looks doable, but analysis will take millions of instructions

https://en.wikipedia.org/wiki/Instructions_per_second
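The arithmetic on the authentication slides (53, 105 and 35 Gigabytes for 3.5 billion users) and on the SIEM slides (50 EPS per device, 400-character entries, 4 instructions per character) as a small Python calculator. This is an added example, not code from the presentation or its author; the buzzcircuit calculator's own formula is not given on the page, so raw log storage is modelled simply as EPS x bytes x seconds with no index or compression overhead.

```python
from __future__ import annotations
from dataclasses import dataclass

GB = 10**9
TB = 10**12
SECONDS_PER_DAY = 86_400

@dataclass
class AuthProfile:
    """Bytes stored per user to authenticate them (the deck's password model)."""
    users: int
    password_chars: int = 15     # one byte per character, as the deck assumes
    recovery_answers: int = 0    # "forgotten password" answers kept per user
    answer_chars: int = 10
    phone_bytes: int = 0         # MFA phone number; 0 when none is stored

    def breakdown_gb(self) -> dict[str, float]:
        """Gigabytes per element: users x bytes per user."""
        parts = {"passwords": self.users * self.password_chars / GB}
        if self.recovery_answers:
            parts["recovery_answers"] = (
                self.users * self.recovery_answers * self.answer_chars / GB)
        if self.phone_bytes:
            parts["phone_numbers"] = self.users * self.phone_bytes / GB
        return parts

    def total_gb(self) -> float:
        return sum(self.breakdown_gb().values())

@dataclass
class LogSource:
    """One class of devices feeding the SIEM (the deck's EPS model)."""
    name: str
    count: int
    eps: float = 50.0            # deck: 50 events/s per firewall or Windows server
    bytes_per_event: int = 400   # deck: average 400 characters per log entry

def total_eps(sources: list[LogSource]) -> float:
    return sum(s.count * s.eps for s in sources)

def raw_storage_tb(sources: list[LogSource], retention_days: int) -> float:
    """Raw log bytes retained, before any indexing or compression overhead."""
    bytes_per_second = sum(s.count * s.eps * s.bytes_per_event for s in sources)
    return bytes_per_second * SECONDS_PER_DAY * retention_days / TB

def instructions_per_second(sources: list[LogSource], instr_per_char: int = 4) -> float:
    """The deck's crude parsing cost: 4 instructions per character of every event."""
    return sum(s.count * s.eps * s.bytes_per_event * instr_per_char for s in sources)

def cpu_fraction(ips: float, cpu_mips: float) -> float:
    """Share of one CPU's rated MIPS that the ingest load consumes."""
    return ips / (cpu_mips * 1e6)

if __name__ == "__main__":
    world = AuthProfile(users=3_500_000_000, recovery_answers=3, phone_bytes=10)
    print(world.breakdown_gb())
    print(f"total: {world.total_gb():.1f} GB")
    servers = [LogSource("windows server", 3)]
    ips = instructions_per_second(servers)
    print(f"{total_eps(servers):.0f} EPS -> {ips:,.0f} instructions/s, "
          f"{cpu_fraction(ips, 238_000):.1e} of an i7-5960X's 238,000 MIPS")
    print(f"{raw_storage_tb(servers, 180):.3f} TB raw over 180 days")
```

Summed exactly, the three authentication components come to 192.5 GB; the slide rounds them to 53, 105 and 35 and states a total of 173 Gigabytes.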


Knowing the Terms

• A term with which you may be familiar is Security Information and Event Management (SIEM) storage.

• This is an application that gathers information and detects outliers for further analysis

• Although it has been in use for years, many companies are spending 1000s if not 100000s of dollars on obtaining and maintaining these applications


A Real-Life Example

• In 2012-2013 there was an individual that was in a sensitive position

• The individual was part of the Federal Government and had access to very critical information

• The individual is now living in a foreign country after stealing sensitive national security information


Questions to Consider

• What if the individual was slowly gaining access to information that was “derivative” to his duties?

• What if the individual had flash drives and DVDs on his desk?

• What if the individual was asking questions of users on gaining access to other types of information?

• Finally, what if there were people who saw these signs and did nothing?


Could He Have Been Detected By SIEM?

• Could a SIEM have detected this intruder?
– Access to information might have been outliers only if he did not access them daily
– The SIEM will not “observe” the person’s behavior beyond their computer access and log entries

• People did question the insider threat, but if they are able to “tell a good story” they get a pass

• It takes people to report questionable behavior in order to place confirmation on the monitoring


Another Real-Life Example

• Let’s say data showed that an individual was using different Social Security Numbers to open businesses (same name, different numbers)

• The person in question was tracked and questioned

• Individual was able to tell a good story
• Finally, let’s say it took a relative to come forward in order for the case to proceed to investigation


Why Are We Using Machines to Monitor Humans?

• SIEMs have the capability to gather information and then present this information in a manner that is usable to humans

• It seems that there may be other alternatives available to detect and prevent insider threat

• By using alternative approaches you might be able to reduce costs and share buy-in with your other employees


Employees As Risks (Pessimistic)

• At the beginning of this presentation, we stated that there are 60% of employees willing to take something from their employer

• If you have 1000 employees, that would mean (nominally) that you have 600 of those employees that would be willing to steal something from the company

• However, there is an upside to this argument


Using Employees as Security Monitors (Optimistic)

• If you have 20 employees you have 40 eyes and 40 ears that can help keep your company secure.

• There is nothing more powerful than peer pressure

• As a college instructor, placing the class on alert helped to eliminate cheating, because they knew the expectations, so they would keep everyone on their best behavior


Some Ways to Deploy the Employees

• Limit Access (As long as the employees are in charge of their own functional area, they will take ownership)

• Educate employees about security
– Password hygiene
– Encourage understanding of technology

• Create a culture of security (probably the best recommendation, and studies show that it does have an impact; see https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon)


Value Added Security

• There is nothing like having the employee take an active role in security

• Rather than trying to avoid or shortcut security, they will use “their” rules more seriously

• Employee-generated access rosters will establish the employee as the one in charge of that aspect of security

• It also makes them accountable, which will provide them with a stake in that part of the mission


Are Employees Reliable?

• Making someone accountable gives them a sense of purpose

• According to studies, purpose is something we all desire and are motivated to achieve (Elie Wiesel Nobel Prize winning book - Night)

• If people see a person with excessive access, DVDs and other insider threat factors, they should say something

• If they see and do nothing, they are not being accountable, and fail to fulfill their purpose


A Hybrid Approach

• Use a SIEM and make that part of the security infrastructure, but do not rely on it as the sole detection method

• Use employee education to keep employees aware of the various security concerns

• Have an employee security network that helps their peers maintain security

• Create a culture of security through constant visibility and example


Does Constant Exposure Help?

• A security officer at the Twin Towers conducted evacuation exercises and pointed out exits
• Then September 11, 2001 occurred
• The security officer was credited with helping more than 2600 people evacuate the building
• The security officer died after he went back inside to help others evacuate (https://en.wikipedia.org/wiki/Rick_Rescorla)


What Does This Do To Capacity?

• Employee involvement can save Terabytes of storage

• In the current economy, storage has to be protected, so the more the storage, the more the protection

• By keeping the security internal and observable, the capacity can be used for other things besides storing monitoring data

• The savings can be passed on to the employee as an incentive


Summary

• Security is something that will never go away
• Employers will constantly try to ensure that employees are security conscious
– Through access control
– Through education methods
• Applications can monitor the employee and their access, or
• The employees can “police” themselves and take charge of their environment


References

Common Sense Guide to Prevention and Detection of Insider Threats (CERT), 2005
Buzzkill web site (calculate storage requirements for SIEM), referenced in the presentation


Any Questions?

https://www.linkedin.com/in/grectech

www.grectech.com

www.twitter.com/grectech

[email protected]

Business Phone: (443) 690 - 5037
