Combatting Insider Threats

Risks from insider threats are strongly context dependent, and arise in many ways at different layers of system abstraction and for different types of systems. We discuss various basic characteristics of insider threats, and consider approaches to the development and use of computer-related environments that require systems and networking to be trustworthy in spite of insider misuse. We also consider future research that could improve detectability, prevention, and response. This chapter seeks to cope with insider misuse in a broad range of application domains—for example, critical infrastructures, privacy-preserving database systems, financial systems, and interoperable health-care infrastructures. To illustrate this, we apply the principles considered here to the task of detecting and preventing insider misuse in systems that might be used to facilitate trustworthy elections. This discussion includes an examination of the relevance of the Saltzer-Schroeder-Kaashoek security principles and the Clark-Wilson integrity properties for end-to-end election integrity. Trustworthy system developments must treat insider misuse as merely one set of threats that must be addressed consistently together with many other threats, such as penetrations, denials of service, system faults and failures, and other threats to survivability. In addition, insider misuse cannot be realistically addressed unless significant improvements are made in the trustworthiness of component systems and their networking, as well as in their predictably trustworthy composition into enterprise solutions—architecturally, developmentally, and operationally.
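The abstract names the Clark-Wilson integrity properties as one lens for end-to-end election integrity against insider misuse. The following Python sketch is an added illustration, not code from the chapter or its author, of how those properties map onto a tally ledger: the ledger is a constrained data item that can be changed only through transformation procedures, access triples (user, TP, CDI) say who may run which procedure, a second-person certification step enforces separation of duty so that the clerk who records a precinct cannot also certify it, and an integrity verification procedure re-checks the ledger independently of the TPs. The user names, precinct identifiers, vote counts and the access-triple policy are all constructed sample values; the chapter itself prescribes no such layout.

```python
from dataclasses import dataclass, field
from typing import Optional


class IntegrityViolation(Exception):
    """Raised when a transformation procedure (TP) is refused."""


@dataclass
class PrecinctRecord:
    votes: dict                     # candidate -> count
    ballots_cast: int
    recorded_by: str
    certified_by: Optional[str] = None


@dataclass
class TallyLedger:
    """The constrained data item (CDI): only the TPs below may mutate it."""
    precincts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)


# Constructed sample policy: Clark-Wilson access triples (user, TP, CDI).
# clerk_b holds both roles, so the per-precinct separation-of-duty check in
# certify_precinct is what stops clerk_b from certifying clerk_b's own entry.
ACCESS_TRIPLES = {
    ("clerk_a", "record_precinct", "ledger"),
    ("clerk_b", "record_precinct", "ledger"),
    ("clerk_b", "certify_precinct", "ledger"),
    ("auditor_a", "certify_precinct", "ledger"),
}


def authorized(user: str, tp: str, cdi: str = "ledger") -> bool:
    return (user, tp, cdi) in ACCESS_TRIPLES


def ivp_check(ledger: TallyLedger) -> bool:
    """Integrity verification procedure: every precinct's votes must sum to
    its ballots cast, and no precinct may be certified by its own recorder."""
    for rec in ledger.precincts.values():
        if sum(rec.votes.values()) != rec.ballots_cast:
            return False
        if rec.certified_by is not None and rec.certified_by == rec.recorded_by:
            return False
    return True


def record_precinct(ledger, user, pid, votes, ballots_cast):
    """TP: the only path that creates a precinct record in the ledger."""
    if not authorized(user, "record_precinct"):
        raise IntegrityViolation(f"{user} is not permitted to record results")
    if pid in ledger.precincts:
        raise IntegrityViolation(f"precinct {pid} already recorded")
    if any(n < 0 for n in votes.values()) or sum(votes.values()) != ballots_cast:
        raise IntegrityViolation("vote counts do not reconcile with ballots cast")
    ledger.precincts[pid] = PrecinctRecord(dict(votes), ballots_cast, user)
    ledger.audit_log.append(("record_precinct", user, pid))


def certify_precinct(ledger, user, pid):
    """TP: second-person certification, enforcing separation of duty."""
    if not authorized(user, "certify_precinct"):
        raise IntegrityViolation(f"{user} is not permitted to certify results")
    rec = ledger.precincts.get(pid)
    if rec is None:
        raise IntegrityViolation(f"precinct {pid} has not been recorded")
    if rec.recorded_by == user:
        raise IntegrityViolation(f"{user} recorded {pid} and may not also certify it")
    rec.certified_by = user
    ledger.audit_log.append(("certify_precinct", user, pid))


def certified_totals(ledger) -> dict:
    """Only certified precincts contribute to reported totals."""
    totals: dict = {}
    for rec in ledger.precincts.values():
        if rec.certified_by is None:
            continue
        for cand, n in rec.votes.items():
            totals[cand] = totals.get(cand, 0) + n
    return totals


def attempt(tp, *args) -> Optional[str]:
    """Run a TP; return None on success or the refusal message otherwise."""
    try:
        tp(*args)
        return None
    except IntegrityViolation as exc:
        return str(exc)


def demo() -> dict:
    """Walk through normal use and three refused insider actions (constructed)."""
    ledger = TallyLedger()
    out = {}
    out["rec_p1"] = attempt(record_precinct, ledger, "clerk_a", "P1", {"x": 60, "y": 40}, 100)
    out["cert_p1"] = attempt(certify_precinct, ledger, "auditor_a", "P1")
    out["rec_p2"] = attempt(record_precinct, ledger, "clerk_b", "P2", {"x": 30, "y": 20}, 50)
    out["self_cert_p2"] = attempt(certify_precinct, ledger, "clerk_b", "P2")      # SoD refusal
    out["bad_sum"] = attempt(record_precinct, ledger, "clerk_a", "P3", {"x": 10, "y": 10}, 25)
    out["unauth"] = attempt(certify_precinct, ledger, "clerk_a", "P2")            # no triple
    out["ivp"] = ivp_check(ledger)
    out["totals"] = certified_totals(ledger)
    out["log_len"] = len(ledger.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of keeping `ivp_check` separate from the TPs is that it gives an auditor a check that does not trust the code path an insider could have influenced; in a real deployment the audit log would also be append-only and stored outside the reach of the users named in the access triples.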
