
Publication


Featured research published by Sara Sinclair.


Archive | 2008

Insider Attack and Cyber Security

Salvatore J. Stolfo; Steven Michael Bellovin; Angelos D. Keromytis; Shlomo Hershkop; Sean W. Smith; Sara Sinclair

Insider Attack and Cyber Security: Beyond the Hacker defines the nature and scope of insider problems as viewed by the financial industry. This edited volume is based on the first workshop on Insider Attack and Cyber Security, IACS 2007. The workshop was a joint effort from the Information Security Departments of Columbia University and Dartmouth College. This book sets an agenda for an ongoing research initiative to solve one of the most vexing problems encountered in security, and includes the following topics: critical IT infrastructure, insider threats, awareness and dealing with nefarious human activities in a manner that respects individual liberties and privacy policies of organizations while providing the best protection of critical resources and services. In some sense, the insider problem is the ultimate security problem. This volume concludes with technical and legal challenges facing researchers who study and propose solutions to mitigate insider attacks.


Insider Attack and Cyber Security | 2008

Preventative Directions For Insider Threat Mitigation Via Access Control

Sara Sinclair; Sean W. Smith

Much research on mitigating threat posed by insiders focuses on detection. In this chapter, we consider the prevention of attacks using access control. While recent work and development in this space are promising, our studies of technologists in financial, health care, and other enterprise environments reveal a disconnect between what “real world” practitioners desire and what the research and vendor communities can offer. Basing our arguments on this ethnographic research (which targets both technology and the human business systems that drive and constrain it), we present the theoretical underpinnings of modern access control, discuss requirements of successful solutions for corporate environments today, and offer a survey of current technology that addresses these requirements. The paper concludes by exploring areas of future development in access control that offer particular promise in the struggle to prevent insider attack.


IEEE Symposium on Security and Privacy | 2010

What's Wrong with Access Control in the Real World?

Sara Sinclair; Sean W. Smith

This article enumerates some simplifying assumptions the security community has made in its effort to gain traction with the access control problem. For many environments, a dramatic and painful mismatch seems to exist between these simplifying assumptions and reality. The authors argue that effective security in these environments might therefore require rethinking these assumptions.


Enterprise Applications and Services in the Finance Industry | 2007

Information Risk in Financial Institutions: Field Study and Research Roadmap

Sara Sinclair; Sean W. Smith; Stephanie Trudeau; M. Eric Johnson; Anthony Portera

Large financial firms with thousands of employees face many challenges ensuring workers have access to the right information, yet controlling access to unneeded data. We examine the problems of role lifecycle management and entitlement review processes in the context of large financial institutions. We describe observations from field study research in both retail and investment banks. We examine technologies to enable role and entitlement management and present a roadmap for future research.


Workshop on Privacy in the Electronic Society | 2009

The effects of introspection on creating privacy policy

Stephanie Trudeau; Sara Sinclair; Sean W. Smith

Prior work in psychology shows that introspection inhibits intuition: asking human users to analyze judgments they make can cause them to be quantitatively worse at making those judgments. In this paper, we explore whether this seemingly contradictory phenomenon also occurs when humans craft privacy policies for a Facebook-like social network. Our study presents empirical evidence that suggests the act of introspecting upon one's personal security policy actually makes one worse at making policy decisions; if one aims to reduce privacy spills, the data indicate that educating users before letting them set their privacy policies may actually increase the exposure of private information.


IEEE Symposium on Security and Privacy | 2005

The TIPPI point: toward trustworthy interfaces

Sara Sinclair; Sean W. Smith

The TIPPI workshop brought security and user interface professionals together to explore ways to improve authentication methods so that users will not be tricked into giving away personal information. Here, we consider some of the themes discussed at TIPPI, including the nature of the authentication problem, systems that might help solve it, and other observations on necessary components of secure systems designed for human users.


European Public Key Infrastructure Workshop | 2010

PorKI: portable PKI credentials via proxy certificates

Massimiliano Pala; Sara Sinclair; Sean W. Smith

Authenticating human users using public key cryptography provides a number of useful security properties, such as being able to authenticate to a remote party without giving away a secret. However, in many scenarios, users need to authenticate from a number of client machines, of varying degrees of trustworthiness. In previous work, we proposed an approach to solving this problem by giving users portable devices which wirelessly issue temporary, limited-use proxy certificates to the clients. In this paper, we describe our complete prototype, enabling the use of proxy credentials issued from a mobile device to securely authenticate users to remote servers via a shared (or otherwise not trusted) device. In particular, our PorKI implementation combines out-of-band authentication (via 2D barcode images), standard Proxy Certificates, and platform attestation to provide usable and secure temporary credentials for web-based applications.


Proceedings of the first ACM workshop on Security and privacy in medical and home-care systems | 2009

Meta-observations from an outsider's study of clinical environments

Sara Sinclair

The security and privacy challenges posed by clinical environments must be understood before they can be addressed, and studied before they can be understood. This document shares observations from studying technology and human users in these environments, and offers suggestions for technologists undertaking collaborative research with health care organizations.


Archive | 2010

Insider Attack and Cyber Security: Beyond the Hacker

Salvatore J. Stolfo; Steven Michael Bellovin; Shlomo Hershkop; Angelos D. Keromytis; Sara Sinclair; Sean W. Smith


Annual Computer Security Applications Conference | 2005

PorKI: making user PKI safe on machines of heterogeneous trustworthiness

Sara Sinclair; Sean W. Smith
