Insider Threat Detection And Protection (ITDP)


An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems. Insiders may have accounts giving them legitimate access to computer systems, with this access originally having been granted so that they could perform their duties; these permissions could be abused to harm the organization. Insiders are often familiar with the organization's data and intellectual property as well as the methods that are in place to protect them. This makes it easier for the insider to circumvent any security controls of which they are aware.

Physical proximity to data means that the insider does not need to hack into the organizational network through the outer perimeter by traversing firewalls; rather, they are in the building already, often with direct access to the organization's internal network. Insider threats are harder to defend against than attacks from outsiders, since the insider already has legitimate access to the organization's information and assets. An insider may attempt to steal property or information for personal gain, or to benefit another organization or country. The threat to the organization could also come from malicious software left running on its computer systems by former employees, a so-called logic bomb.

Insider threats are often cited as the greatest security threat to an organization:
. Cost: US $13B alone
. 87% of identified intruders at DOD were insiders
. 46% of identified data breaches were from insiders (90% were malicious) (U.S.S.S.)
The result is data leakage, espionage and sabotage.

Solutions Offered
. Polygraph
. Log analysis
. Surveys
o Investigation surveys
o Pre-employment screening surveys

Shortcomings of the Solutions
1. The polygraph relies on inconsistencies in the body's responses. Different drugs can be used to alter those responses and so interfere with the data and findings, including sedatives that dampen body responses (producing different results) and antiperspirants that block the sweat glands to minimize sweating.
2. Log analysis is time consuming and post-hoc.
3. Insider threats (employees or former employees of the organization) can lie in surveys.

About the Tool
Nagios is an open source computer system monitoring, network monitoring and infrastructure monitoring software application. Nagios offers monitoring and alerting services for servers, switches, applications, and services. It alerts the users when things go wrong and alerts them a second time when the problem has been resolved.
By using Nagios, you can:
. Plan for infrastructure upgrades before outdated systems cause failures
. Respond to issues at the first sign of a problem
. Automatically fix problems when they are detected
. Coordinate technical team responses
. Ensure your organization's SLAs are being met
. Ensure IT infrastructure outages have a minimal effect on your organization's bottom line
. Monitor your entire infrastructure and business processes

The diagram below shows the operating principle of Nagios.

Present Work
Monitoring of Windows System Using NRPE

. The NRPE addon is designed to allow you to execute Nagios plugins on remote Linux/Unix machines. The main reason for doing this is to allow Nagios to monitor "local" resources (like CPU load, memory usage, etc.) on remote machines. Since these public resources are not usually exposed to external machines, an agent like NRPE must be installed on the remote Windows machines.
. The NRPE addon consists of two pieces:
o The check_nrpe plugin, which resides on the local monitoring machine
o The NRPE daemon, which runs on the remote Linux/Unix machine
. When Nagios needs to monitor a resource or service on a remote Linux/Unix machine:
o Nagios executes the check_nrpe plugin and tells it what service needs to be checked
o The check_nrpe plugin contacts the NRPE daemon on the remote host over an (optionally) SSL-protected connection
o The NRPE daemon runs the appropriate Nagios plugin to check the service or resource
o The results of the service check are passed from the NRPE daemon back to the check_nrpe plugin, which then returns the check results to the Nagios process

Before Monitoring, the Required Steps to Be Taken
. First, a connection should be established between the server and the client. In our case port forwarding is done to establish a connection between the virtual machine (server) and the Windows machine (client).
. Second, some parameters of the NRPE configuration file must be changed. This configuration file resides on the Windows machine.
After setting up the connection from the host (server) to the system that needs to be monitored, the following commands can be executed on the server side.
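The second step above edits the NRPE configuration file on the monitored machine, and the two settings that matter most for an insider-threat deployment are which hosts may connect to the agent and whether clients may pass arguments to the plugins. The following checker is an added example, not the project's own code: it reads text in the key=value format of the Linux/Unix NRPE daemon's nrpe.cfg (allowed_hosts, dont_blame_nrpe and command[...] lines are real directives of that file; whether the Windows-side agent's file accepts the same keys is an assumption), and the sample configuration, plugin paths and addresses are constructed.

```python
"""Sanity-check an NRPE daemon configuration before exposing it to the monitoring server.

Added example (not part of the original page). It reads text in the nrpe.cfg
key=value format used by the Linux/Unix NRPE daemon; whether the Windows-side
agent's file accepts the same keys is an assumption, so the sample below is
constructed input, not a real deployment file.
"""
import re

# Constructed sample: the settings a defender cares about plus the three command
# names used on the page. Plugin paths and thresholds are placeholders.
SAMPLE_NRPE_CFG = """\
# constructed nrpe.cfg fragment
server_port=5666
allowed_hosts=127.0.0.1,192.0.2.10
dont_blame_nrpe=0
command[pdm_disk_c]=/path/to/plugins/check_disk -w 20% -c 10% -p /
command[pdm_cpuload]=/path/to/plugins/check_load -w 15,10,5 -c 30,25,20
command[pdm_memload]=/path/to/plugins/check_mem -w 80 -c 90
"""

COMMAND_RE = re.compile(r"^command\[([^\]]+)\]=(.*)$")


def parse_nrpe_cfg(text):
    """Split nrpe.cfg text into plain settings and command[name]=cmdline definitions."""
    settings, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COMMAND_RE.match(line)
        if m:
            commands[m.group(1)] = m.group(2).strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings, commands


def audit_nrpe_cfg(text, monitoring_server):
    """Return (findings, command names). An empty findings list means the two
    access-control settings are as a defender would expect."""
    settings, commands = parse_nrpe_cfg(text)
    findings = []
    hosts = [h.strip() for h in settings.get("allowed_hosts", "").split(",") if h.strip()]
    if not hosts:
        findings.append("allowed_hosts is empty: any host reaching the port may run checks")
    elif monitoring_server not in hosts:
        findings.append(f"allowed_hosts does not include monitoring server {monitoring_server}")
    # dont_blame_nrpe defaults to 0 (arguments refused); 1 lets clients supply $ARGn$ values
    if settings.get("dont_blame_nrpe", "0") != "0":
        findings.append("dont_blame_nrpe=1: clients may pass arguments to plugins")
    for name, cmdline in commands.items():
        if "$ARG" in cmdline:
            findings.append(f"command {name} takes client-supplied arguments")
    return findings, sorted(commands)


if __name__ == "__main__":
    problems, names = audit_nrpe_cfg(SAMPLE_NRPE_CFG, "192.0.2.10")
    print("commands:", ", ".join(names))
    print("findings:", problems or "none")
```

Run it against the real file before the agent is reachable from the server; a non-empty findings list is the cue to tighten the configuration first.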

For example:
. check_nrpe -H -c pdm_disk_c
. check_nrpe -H -c pdm_cpuload
. check_nrpe -H -c pdm_memload
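Each of the commands above returns a Nagios plugin result: an exit code (0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN) and one line of text, optionally followed by "|" and performance data in the label=value[UOM];warn;crit;min;max convention. The script below is an added example, not the project's own code: it wraps the check_nrpe -H ... -c ... invocation from the page, parses results in that convention, and triages the three checks worst-first. The sample outputs are constructed, the host name is a placeholder, and the simple "value at or above crit" comparison assumes plain numeric thresholds rather than full Nagios range syntax.

```python
"""Parse and triage check_nrpe results for the pdm_* commands listed above.

Added example, not part of the original page. It relies on the standard Nagios
plugin output convention (exit code 0/1/2/3 = OK/WARNING/CRITICAL/UNKNOWN and
"text | perfdata" with label=value[UOM];warn;crit;min;max fields).
"""
import re
import subprocess

STATUS = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}

# Constructed (exit code, stdout) pairs standing in for real check_nrpe runs.
# Disk perfdata is used space in MB; max is the volume size.
SAMPLE_RESULTS = {
    "pdm_disk_c": (0, "DISK OK - free space: C: 40960 MB (50%);| 'C:'=40960MB;65536;73728;0;81920"),
    "pdm_cpuload": (1, "WARNING - load average: 12.50, 9.10, 6.30|load1=12.500;10.000;20.000;0; "
                       "load5=9.100;8.000;15.000;0; load15=6.300;6.000;10.000;0;"),
    "pdm_memload": (2, "CRITICAL - 94% memory used|mem=94%;80;90;0;100"),
}

# 'label'=value[UOM];warn;crit;min;max (quotes around the label are optional)
PERF_RE = re.compile(r"('[^']+'|[^\s=]+)=([-+]?[0-9.]+)([a-zA-Z%]*)((?:;[-0-9.]*){0,4})")


def run_check_nrpe(host, command, check_nrpe="check_nrpe"):
    """Run the page's check_nrpe -H <host> -c <command> invocation; returns (exit code, stdout).
    Not used by the sample below, so the script runs without a live agent."""
    proc = subprocess.run([check_nrpe, "-H", host, "-c", command], capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def parse_plugin_output(text):
    """Split plugin output into its summary text and a dict of perfdata metrics."""
    summary, _, perf = text.partition("|")
    metrics = {}
    for m in PERF_RE.finditer(perf):
        label = m.group(1).strip("'")
        fields = m.group(4).split(";")[1:] if m.group(4) else []
        fields += [""] * (4 - len(fields))
        metrics[label] = {
            "value": float(m.group(2)),
            "uom": m.group(3),
            "warn": fields[0] or None,
            "crit": fields[1] or None,
        }
    return summary.strip(), metrics


def evaluate(command, exit_code, text):
    """Combine the exit code with the perfdata thresholds into one report."""
    summary, metrics = parse_plugin_output(text)
    breaches = [
        label for label, m in metrics.items()
        if m["crit"] not in (None, "") and m["value"] >= float(m["crit"])
    ]
    return {"command": command, "status": STATUS.get(exit_code, "UNKNOWN"),
            "summary": summary, "breaches": breaches}


def triage(results):
    """Return the non-OK checks, worst status first, from {command: (exit code, stdout)}."""
    order = {"CRITICAL": 0, "WARNING": 1, "UNKNOWN": 2, "OK": 3}
    reports = [evaluate(c, code, out) for c, (code, out) in results.items()]
    return sorted((r for r in reports if r["status"] != "OK"), key=lambda r: order[r["status"]])


if __name__ == "__main__":
    # To collect live data: SAMPLE_RESULTS[c] = run_check_nrpe("<monitored-host>", c)
    for report in triage(SAMPLE_RESULTS):
        print(f"{report['status']:8} {report['command']:12} {report['summary']}"
              f"  crit-breaches={report['breaches']}")
```

Note that the exit code and the perfdata thresholds are independent signals: pdm_cpuload comes back WARNING without any metric at its critical value, while pdm_memload is CRITICAL and its mem metric confirms why. Recording both per host over time is what turns these one-off checks into the kind of baseline an insider-threat review can compare against.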



Nishanth Prakash

Research Areas and Interests: Insider threats of cloud computing


Youssif Al-Nashif

Research Areas and Interests: Network Security, Autonomic Computing & Management, Autonomic Fault Management, Data Mining, AI, Distributed Computing, High Performance Computing, Grid Computing, Scientific Visualization, Simulation and Modeling.







Phone Number: (520) 621-9915 Room 251, ECE Dept. 1230 E. Speedway Tucson, AZ 85721-0104
ACL - © Copyright 2007, Webmaster: Youssif Al-Nashif
All Rights Reserved