Sadie Creese
University of Oxford
Publication
Featured research published by Sadie Creese.
IEEE Symposium on Security and Privacy | 2014
Jason R. C. Nurse; Oliver Buckley; Philip A. Legg; Michael Goldsmith; Sadie Creese; Gordon R. T. Wright; Monica T. Whitty
The threat that insiders pose to businesses, institutions and governmental organisations continues to be of serious concern. Recent industry surveys and academic literature provide unequivocal evidence to support the significance of this threat and its prevalence. Despite this, however, there is still no unifying framework to fully characterise insider attacks and to facilitate an understanding of the problem, its many components and how they all fit together. In this paper, we focus on this challenge and put forward a grounded framework for understanding and reflecting on the threat that insiders pose. Specifically, we propose a novel conceptualisation that is heavily grounded in insider-threat case studies, existing literature and relevant psychological theory. The framework identifies several key elements within the problem space, concentrating not only on noteworthy events and indicators, technical and behavioural, of potential attacks, but also on attackers (e.g., the motivation behind malicious threats and the human factors related to unintentional ones), and on the range of attacks being witnessed. The real value of our framework is in its emphasis on bringing together and defining clearly the various aspects of insider threat, all based on real-world cases and pertinent literature. This can therefore act as a platform for general understanding of the threat, and also for reflection, modelling past attacks and looking for useful patterns.
Trust, Security and Privacy in Computing and Communications | 2012
Adrian J. Duncan; Sadie Creese; Michael Goldsmith
The computer-security industry is familiar with the concept of a Malicious Insider. However, a malicious insider in the cloud might have access to an unprecedented amount of information and on a much greater scale. Given the level of threat posed by insiders, and the rapid growth of the cloud computing ecosystem, we examine here the concept of insider attacks in cloud computing. Specifically, if more of our assets are going to reside in the cloud, and as increasingly our lives, enterprises and prosperity may depend upon cloud, it is imperative that we understand the scope for insider attacks so that we might best prepare defenses. We need to understand whether cloud might expose our assets to increased threat in terms of both actors and attack surface. We present here an assessment of current insider threat definitions and classifications, and their applicability to the cloud. We elucidate the nature of insiders with reference to the cloud ecosystem and close with examples of insider attacks which are specific to cloud environments (and hence hard to detect using current techniques).
Lecture Notes in Computer Science | 2004
Sadie Creese; Michael Goldsmith; Bill Roscoe; Irfan Zakiuddin
Key management is fundamental to communications security, and for security in pervasive computing sound key management is particularly difficult. However, sound key management itself depends critically on sound authentication. In this paper we review current notions of entity authentication and discuss why we believe these notions are unsuitable for the pervasive domain. We then present our views on how notions of authentication should be revised to address the challenges of the pervasive domain, and some of the new research problems that will arise. We end with some brief thoughts on how our revised notions may be implemented and some of the problems that may be encountered.
Archive | 2010
Neil Robinson; Lorenzo Valeri; Jonathan Cave; Tony Starkey; Hans Graux; Sadie Creese; Paul Hopkins
Our research investigated the security, privacy and trust aspects of cloud computing and determined whether these were sufficiently distinct to warrant public policy intervention. On the whole, cloud computing brings into acute focus many security and privacy challenges already evident in other domains such as outsourcing or behavioural advertising.
International Workshop on Security | 2005
Sadie Creese; Michael Goldsmith; Richard Harrison; Bill Roscoe; Paul Whittaker; Irfan Zakiuddin
We develop the theme of an earlier paper [3], namely that security protocols for pervasive computing frequently need to exploit empirical channels and that the latter can be classified by variants of the Dolev-Yao attacker model. We refine this classification of channels and study three protocols in depth: two from our earlier paper and one new one.
2011 Third International Workshop on Cyberspace Safety and Security (CSS) | 2011
Jason R. C. Nurse; Sadie Creese; Michael Goldsmith; Koen Lamberts
Usability is arguably one of the most significant social topics and issues within the field of cybersecurity today. Supported by the need for confidentiality, integrity, availability and other concerns, security features have become standard components of the digital environment which pervade our lives requiring use by novices and experts alike. As security features are exposed to wider cross-sections of the society, it is imperative that these functions are highly usable. This is especially because poor usability in this context typically translates into inadequate application of cybersecurity tools and functionality, thereby ultimately limiting their effectiveness. With this goal of highly usable security in mind, there have been a plethora of studies in the literature focused on identifying security usability problems and proposing guidelines and recommendations to address them. Our paper aims to contribute to the field by consolidating a number of existing design guidelines and defining an initial core list for future reference. Whilst investigating this topic, we take the opportunity to provide an up-to-date review of pertinent cybersecurity usability issues and evaluation techniques applied to date. We expect this research paper to be of use to researchers and practitioners with interest in cybersecurity systems which appreciate the human and social elements of design.
International Conference on Cloud Computing | 2009
Sadie Creese; Paul Hopkins; Siani Pearson; Yun Shen
The Cloud is a relatively new concept and so it is unsurprising that the information assurance, data protection, network security and privacy concerns have yet to be fully addressed. This paper seeks to begin the process of designing data protection controls into clouds from the outset so as to avoid the costs associated with bolting on security as an afterthought. Our approach is firstly to consider cloud maturity from an enterprise level perspective, describing a novel capability maturity model. We use this model to explore privacy controls within an enterprise cloud deployment, and explore where there may be opportunities to design in data protection controls as exploitation of the Cloud matures. We demonstrate how we might enable such controls via the use of design patterns. Finally, we consider how Service Level Agreements (SLAs) might be used to ensure that third party suppliers act in support of such controls.
IEEE Systems Journal | 2017
Philip A. Legg; Oliver Buckley; Michael Goldsmith; Sadie Creese
Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Those who have authorized access to sensitive organizational data are placed in a position of power that could well be abused and could cause significant damage to an organization. This could range from financial theft and intellectual property theft to the destruction of property and business reputation. Traditional intrusion detection systems are neither designed nor capable of identifying those who act maliciously within an organization. In this paper, we describe an automated system that is capable of detecting insider threats within an organization. We define a tree-structure profiling approach that incorporates the details of activities conducted by each user and each job role and then use this to obtain a consistent representation of features that provide a rich description of the user's behavior. Deviation can be assessed based on the amount of variance that each user exhibits across multiple attributes, compared against their peers. We have performed experimentation using ten synthetic data-driven scenarios and found that the system can identify anomalous behavior that may be indicative of a potential threat. We also show how our detection system can be combined with visual analytics tools to support further investigation by an analyst.
IEEE Transactions on Dependable and Secure Computing | 2012
Jennifer T. Jackson; Sadie Creese
The growth in the use of Smartphones and other mobile computing devices continues to grow rapidly. As mobile wireless communications become ubiquitous, the networks and systems that depend upon them will become more complex. In parallel with this, the spread of digital viruses and malicious content will be an ever increasing threat within this interconnected paradigm requiring counteracting mechanisms to continuously adapt. Current security solutions for mobile devices remain limited in their ability to protect particularly against zero-day attacks. Understanding the propagation characteristics of malware could provide a means to planning protection strategies, but modeling virus propagation behavior in mobile wireless and peer-to-peer communications devices is still immature. A compartmental-based virus propagation model has been developed for Bluetooth communication networks incorporating wireless technological traits and factors that are known to affect virus propagation including human behaviors, heterogeneous devices, and antivirus measures. The model is novel in the richness of its treatment of human factors alongside the technology factors that could impact spread. A simulation scenario, together with an analysis of the spreading dynamics has been conducted to determine how a Bluetooth virus might spread under different conditions. Although demonstrated through Bluetooth, the approach is applicable to malware propagation in general.
Trust, Security and Privacy in Computing and Communications | 2012
Sadie Creese; Michael Goldsmith; Jason R. C. Nurse; Elizabeth Phillips
Privacy and security within Online Social Networks (OSNs) have become a major concern over recent years. As individuals continue to actively use and engage with these mediums, one of the key questions that arises pertains to what unknown risks users face as a result of unchecked publishing and sharing of content and information in this space. There are numerous tools and methods under development that claim to facilitate the extraction of specific classes of personal data from online sources, either directly or through correlation across a range of inputs. In this paper we present a model which specifically aims to understand the potential risks faced should all of these tools and methods be accessible to a malicious entity. The model enables easy and direct capture of the data extraction methods through the encoding of a data-reachability matrix for which each row represents an inference or data-derivation step. Specifically, the model elucidates potential linkages between data typically exposed on social-media and networking sites, and other potentially sensitive data which may prove to be damaging in the hands of malicious parties, i.e., fraudsters, stalkers and other online and offline criminals. In essence, we view this work as a key method by which we might make cyber risk more tangible to users of OSNs.