
ISBN 978-952-5726-10-7 Proceedings of the Third International Symposium on Computer Science and Computational Technology (ISCSCT 10), Jiaozuo, P. R. China, 14-15 August 2010, pp. 389-392

Research On Security Architecture MSIS For Defending Insider Threat


Hui Wang 1,2, Dongmei Han 1, and Shufen Liu 2

1 College of Computer Science and Technology, Henan Polytechnic University, Jiaozuo, China
Email: wanghui_jsj@hpu.edu.cn, handongm520@163.com
2 College of Computer Science and Technology, Jilin University, Jilin, China
Email: liusf@jlu.edu.cn

This research is supported by the Doctor Grant of Henan Polytechnic University (B2010-62). 2010 ACADEMY PUBLISHER AP-PROC-CS-10CN007

Abstract

Network threats confronting organizations come not only from outsiders but also from insiders. Nowadays, insider threat is widely recognized as an important issue of security management; however, tools and controls for fighting it are still in the research phase. A security architecture for defending against insider threat is presented. It is composed of four parts: a monitoring platform, a secure authentication platform, an information security platform and a security management system. The first three parts address the problem from a technical viewpoint and the last from a management point of view. Combining advanced security tools with a good management system is a simple and practicable way to prevent and reduce insider threats.

Keywords: Internal Network; Insider Threat; Architecture; Security Management System

I. INTRODUCTION

At present, the insider threat, or insider problem, has received considerable attention and is cited as the most serious security problem in many studies. It has become a novel and hot research topic [1, 2, 3]. The American CSI/FBI survey has classified incidents by event source over the years; the annual cost of losses is shown in Table 1 [4]. The statistics show that although most organizations implement effective strategies against external threats, the weakest link in the organizational information-systems security chain is the insider threat. In terms of loss, insider threat is much greater than outsider threat.

Table 1 CSI / FBI annual loss cost survey according to event source

Event source                  2005         2006         2007         Total
System penetration            $841,400     $758,000     $6,875,000   $8,474,400
Insider abuse                 $6,856,450   $1,849,810   $2,889,700   $11,595,960
Unauthorized insider access   $31,233,100  $10,617,000  $1,042,700   $42,892,800

In January 2008, at Societe Generale, the second largest bank, a trusted junior employee, Jerome Kerviel, perpetrated 72 billion worth of loss and fraud through his knowledge of banking procedures and information systems and the theft of coworkers' passwords. Apart from Kerviel's actions, the failure of control mechanisms led to this fraud, undoubtedly the largest in the history of banking. These two examples show that the most serious security breaches and the most important economic damage are basically caused by insider threats from within organizations. How can insider threat be prevented and predicted? This paper proposes an integrated, overall security architecture that combines technology and management.

II. INSIDER THREAT

Trzeciak (2009) defines insider and insider threat as follows: "An insider is a current or former employee, a contractor or a business partner who has or had authorized access and intentionally exceeded that access in a manner that negatively affected the confidentiality, integrity or availability of the organization's information or information systems. Insider threat can be defined as the threat to information system security due to the intentional misuse of computer systems by users who are authorized to access those systems and networks" [5]. Because of the legitimacy and trust that insiders enjoy, this type of crime is difficult to detect and mitigate before it occurs. Previously, the confidentiality of electronic documents that concerned many companies was focused on external personnel. Technical means such as intrusion detection, firewalls, information encryption and access control mechanisms were meant to solve the problem of external protection. These controls and tools are designed to fight the outsider threat to the organization's network, and little progress has been made in dealing with the insider threat, including insider attack and insider misuse. Because of the lack of knowledge about insider threat, organizations cannot take appropriate preventive measures. All of this makes insider threats more and more frequent. Whether intentional or accidental, insider threats will be one of the greatest threats to security. If network security is unknown or not implemented, Internet users, in practical activities such as surfing unsafe websites, clicking a malicious e-mail link, or not encrypting sensitive data, will continue to unwittingly play the role of a safety bomb. As business people become more and more mobile, users employ a large number of removable storage devices such as USB flash drives (U disks), mobile hard drives, writable CDs and MP3 players, network connections such as Bluetooth, and mobile devices such as laptops and PDAs. Insider threat in the case of mobile devices is shown in Figure 1. A serious threat of confidential data leakage to the enterprise is posed. A survey by the Ministry of Public Security showed that the proportion of attacks or viruses originating from internal staff increased by 21% over the previous year, while the proportion involving external personnel decreased by 18%; this reveals that most network units concentrated on external defense, which allowed the insider threat to rise at the same time. The fatal results, however, are usually caused by insider threat.

Figure 1 Insider Threat--Mobile Devices

Besides, hacking tools are easily obtained by internal staff (including staff who are not familiar with computer technology) because of network popularization and software development. The interfaces of these tools are user-friendly and easy to understand. This is one of the reasons that insider threats are mostly caused by internal staff. Moreover, internal users generally face the database directly and operate directly on the server; taking advantage of the fast network, critical data can be stolen or destroyed with ease. Users in the organization have different privileges; secret information lacks effective control and supervision; it is difficult to manage the staff; and the system is vulnerable to attack by means of passwords and unauthorized operation. These factors cause insider threats to increase more and more.

III. ESTABLISHING INSIDER THREAT DEFENSE SYSTEM

The damage caused by insider threat is obvious. The goal of this paper is to mitigate as far as possible the business damage posed by insider misuse or insider attack, to endeavor to stop the insider threat at its beginning, and to reduce internal risk to a minimum. In order to prevent internal threats, a relatively secure internal network needs not only advanced and effective security configuration but also a comprehensive management system and experienced security managers [6]. In this paper, an integrated, overall security architecture for effective internal defense is proposed, combining the results of current research with the concepts of technology and management. Three system platforms and a security management system are included in the network. This architecture is called MSIS, taking the first letter of each part of the composition. It is shown in Figure 2.

Figure 2 MSIS

A. Monitoring platform MP

The architecture includes a monitoring platform MP in order to monitor internal users on hosts and the network effectively, prevent internal violations and enhance internal security. Organizations must monitor all critical information system activity, such as servers, software applications and other data resources; access must be strictly controlled and any suspicious activity must be investigated. MP has a powerful logging system. As shown in [7], an improved surveillance method based on composite roles has been proposed in order to monitor the work activities of users in organizations, applications and operating systems. Currently, the MP products launched by software companies are generally composed of three parts: client, server side and management side. The client is the agent software installed on the computer. It is used to collect host data and to receive from the server side the security policies and directives configured by the administrator; its ultimate aim is to monitor host behavior. The server side is installed on a high-performance platform. It receives the various kinds of information sent by the host clients, and then the information can be managed and stored. The management side is usually a web service or other application. After logging in, managers can access the corresponding management interface, where appropriate security policies are configured and issued, client logs can be queried and analyzed, and a variety of statistical information can be counted and managed.

The following functional areas should be included in a comprehensive MP for the network: first, desktop management and control of host behavior; second, Internet behavior management and blocking of illegal host access; third, security management of terminal equipment and storage media; fourth, remote distribution and installation of system patches and software; further, monitoring and safety assessment of host system performance; and finally, monitoring of network equipment. Although there are many monitoring products on the market with differing functions, none of them completely solves all of these questions. This article points out that a perfect MP must include a scientific management mechanism for the internal network and fast system upgrades; off-host security policy must be supported; and system deployment must offer excellent compatibility and multiple security mechanisms.

B. Security authentication platform SAP

This paper presents that SAP performs a variety of authentication methods to achieve secure login and

authentication of users. It is independent of the original computer's login system, and has higher security and reliability. It is made up of the authentication server, the authentication agent and the authentication tokens. The authentication server is the authentication engine of the network, managed by the security administrator or the network administrator; it is mainly used for token issuance and for the design and implementation of the security policy. The authentication agent is special agent software that works with the authentication server to establish a variety of security policies. The authentication tokens serve the users in the form of hardware, software or smart cards, and are used to confirm the user's identity. If a user provides a correct token code, it can be assured with high confidence that the user is legitimate. A complete SAP is the basis of the security system. It combines multiple software and hardware certification systems, improving reliability, and supports a variety of standard CA servers. It is convenient and has little influence on the original system. At the same time, for all peripherals, input and output ports, and operating license management, only authorized persons can obtain the authority to operate the computer; only authorized disks, disk partitions, peripherals and mobile storage devices can be used by an authorized person on an authorized computer; and only authorized input and output ports can be used by an authorized person. All of these measures lay the foundation for the reliable operation of the security system.

C. Information Security Platform ISP

In the ISP, compulsory encryption of information over the network and control of all network traffic are introduced. That can effectively thwart malicious listeners, unauthorized external connections and illegal access. The communication protocol of computer networks was designed without considering security, and it is a completely open protocol. That makes it easy for data to be intercepted in the course of transmission and exchange. To ensure information security within the network, the security of important data must be addressed in the communication between any two machines in the LAN. The ISP proposed in this article makes mandatory encryption of network transmission a reality, and the communication key between any two computers is different. That effectively prevents the behavior of a malicious listener on the network. At the same time, if a host in the internal network connects to the external network illegally through a modem, ADSL dial-up, dual network cards or other methods, the two sides cannot communicate because of the different data encapsulation. This effectively prevents illegal access to the external network. Computers coming to the internal network from the external network, whether accessing the internal network directly through switching equipment or connecting to an internal computer through a direct network connection, cannot communicate with others, which effectively prevents the occurrence of illegal access.
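As an added example for the monitoring platform (MP) section above, and not code from the paper or from any MP product it describes, the following Python sketch shows the server-side analysis step that section calls for: agent log lines collected by the client are parsed, checked against a policy issued by the management side (removable-media authorization, permitted work hours, a failed-logon threshold, and the illegal external connections the ISP section also mentions), and turned into alerts and per-rule statistics. The log format, the policy values and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of agent log lines (time|host|user|event|detail).
# These are not from the paper; the record format is an assumption.
AGENT_LOG = """\
2010-08-14 09:02:11|PC-017|zhang|LOGON|console
2010-08-14 09:15:40|PC-017|zhang|USB_MOUNT|serial=ABC123
2010-08-14 09:16:02|PC-017|zhang|FILE_COPY|dst=E: src=fs1/finance/q2.xls
2010-08-14 22:47:19|PC-023|li|LOGON|console
2010-08-14 22:48:03|PC-023|li|NET_IFACE_UP|type=ADSL
2010-08-14 10:01:00|PC-005|wang|LOGON_FAIL|console
2010-08-14 10:01:20|PC-005|wang|LOGON_FAIL|console
2010-08-14 10:01:35|PC-005|wang|LOGON_FAIL|console
2010-08-14 10:01:50|PC-005|wang|LOGON_FAIL|console
2010-08-14 11:30:00|PC-005|admin|USB_MOUNT|serial=XYZ999
"""

# Policy as the management side would issue it (assumed values).
AUTHORIZED_USB = {("admin", "PC-005"): {"XYZ999"}}  # (user, host) -> allowed device serials
WORK_HOURS = (8, 19)                                # logons allowed 08:00 to 18:59
FAIL_THRESHOLD = 3                                  # failed logons per (user, host) before alerting


def parse_line(line):
    """Split one agent record into its five fields."""
    ts, host, user, event, detail = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "user": user, "event": event, "detail": detail}


def analyze(log_text):
    """Run the policy over the log; return (rule, host, user, detail) alerts in log order."""
    alerts = []
    fails = defaultdict(int)       # (user, host) -> failed logons seen so far
    unauthorized_media = set()     # (user, host) pairs that mounted an unapproved device
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["user"], rec["host"])
        if rec["event"] == "USB_MOUNT":
            serial = rec["detail"].split("=", 1)[1]
            if serial not in AUTHORIZED_USB.get(key, set()):
                unauthorized_media.add(key)
                alerts.append(("unauthorized_removable_media", rec["host"], rec["user"], serial))
        elif rec["event"] == "FILE_COPY" and key in unauthorized_media:
            # A copy following an unapproved mount is the leakage case the paper warns about.
            alerts.append(("copy_to_unauthorized_media", rec["host"], rec["user"], rec["detail"]))
        elif rec["event"] == "NET_IFACE_UP":
            # Any extra link (modem, ADSL, second card) is an illegal external connection.
            alerts.append(("illegal_external_connection", rec["host"], rec["user"], rec["detail"]))
        elif rec["event"] == "LOGON":
            if not WORK_HOURS[0] <= rec["time"].hour < WORK_HOURS[1]:
                alerts.append(("off_hours_logon", rec["host"], rec["user"], rec["time"].isoformat()))
        elif rec["event"] == "LOGON_FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:   # alert once, when the threshold is first reached
                alerts.append(("repeated_logon_failure", rec["host"], rec["user"], str(fails[key])))
    return alerts


def summarize(alerts):
    """Per-rule counts for the management side's statistics view."""
    counts = defaultdict(int)
    for rule, _host, _user, _detail in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in analyze(AGENT_LOG):
        print(*alert)
    print(summarize(analyze(AGENT_LOG)))
```

On the constructed log this yields five alerts: the unapproved device on PC-017 and the copy that follows it, the night-time logon and the ADSL link on PC-023, and the third failed logon on PC-005; the administrator's approved device produces nothing. In a real MP the policy tables would come from the management side rather than being hard-coded, and the alerts would feed the investigation step the text requires.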
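The token check described in the SAP section above (the authentication server holds the seed issued with each token and accepts a login only when the code the user presents matches) can be made concrete with a time-based one-time code. The block below is an added example written for this page, not code from the paper or from any SAP product. It uses the TOTP construction of RFC 6238 (HMAC-SHA1, 6 digits) with a one-step clock-skew window and a replay guard so that a captured code cannot be reused; the user name, the seed and the time values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code (RFC 6238 default)
DIGITS = 6     # length of the displayed token code
SKEW = 1       # accept one step of clock drift on either side


def hotp(seed: bytes, counter: int) -> str:
    """HMAC-based one-time code for a counter value (RFC 4226 truncation)."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Authentication-server side: token issuance and code verification."""

    def __init__(self):
        self.tokens = {}      # user -> seed programmed into that user's token
        self.last_used = {}   # user -> highest counter already accepted

    def issue_token(self, user: str, seed: bytes) -> None:
        """Record the seed shared with the token handed to the user."""
        self.tokens[user] = seed

    def verify(self, user: str, code: str, now: int) -> bool:
        """True only for a fresh code from the user's token within the skew window."""
        seed = self.tokens.get(user)
        if seed is None:
            return False
        counter = now // STEP
        for c in range(counter - SKEW, counter + SKEW + 1):
            # Constant-time comparison against each candidate time step.
            if hmac.compare_digest(hotp(seed, c), code):
                if c <= self.last_used.get(user, -1):
                    return False      # already accepted: replayed or stale code
                self.last_used[user] = c
                return True
        return False


if __name__ == "__main__":
    # Constructed seed (the RFC 6238 test seed) and a constructed user name.
    server = AuthServer()
    server.issue_token("wang", b"12345678901234567890")
    print(server.verify("wang", hotp(b"12345678901234567890", 59 // STEP), 59))  # accepted
    print(server.verify("wang", hotp(b"12345678901234567890", 59 // STEP), 59))  # replay refused
```

The design choice worth noting is the `last_used` counter: without it, a code observed over the shoulder or on the wire stays valid for the whole skew window, which undermines the "correct token code implies legitimate user" assurance the section relies on.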
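To make concrete the ISP claims above that the communication key between any two internal computers is different and that a machine without the internal data encapsulation cannot exchange data with LAN hosts, here is an added Python example; it is not code from the paper or its ISP. It assumes a domain master key held by the ISP server, derives one key per host pair with HMAC-SHA256 over the sorted host identities, and seals every frame with encrypt-then-MAC (an HMAC-SHA256 counter-mode keystream plus an HMAC tag). Host names and keys are constructed, and the cipher is a standard-library illustration of the idea, not a production design.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def pair_key(master: bytes, host_a: str, host_b: str) -> bytes:
    """Key shared by exactly one pair of hosts; argument order does not matter."""
    a, b = sorted((host_a, host_b))
    return hmac.new(master, f"pair:{a}:{b}".encode(), hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys derived from one pair key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: frame = nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_frame(key: bytes, frame: bytes):
    """Return the plaintext, or None when the frame was not sealed under this pair key."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # reject before touching the ciphertext
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(b ^ k for b, k in zip(body, ks))


def demo(master: bytes, rogue_master: bytes) -> dict:
    """Who can read a frame that PC-017 sends to FS-01 (constructed host names)."""
    k_pc_fs = pair_key(master, "PC-017", "FS-01")
    frame = seal(k_pc_fs, b"GET finance/q2.xls")
    # A frame with one ciphertext byte flipped in transit.
    tampered = frame[:NONCE_LEN] + bytes([frame[NONCE_LEN] ^ 0x01]) + frame[NONCE_LEN + 1:]
    return {
        "file_server": open_frame(pair_key(master, "FS-01", "PC-017"), frame),
        "other_internal_host": open_frame(pair_key(master, "PC-017", "PC-023"), frame),
        "outside_machine": open_frame(pair_key(rogue_master, "PC-017", "FS-01"), frame),
        "tampered_frame": open_frame(k_pc_fs, tampered),
    }


if __name__ == "__main__":
    for who, result in demo(b"constructed-domain-master", b"some-other-network").items():
        print(f"{who}: {result!r}")
```

Only the intended file server recovers the request; a third internal host (different pair key), a machine from outside the domain (different master key, hence different encapsulation) and a modified frame are all rejected at the tag check, which is the behaviour the ISP section attributes to mandatory per-pair encryption.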

D. Security management system SMS

A perfect SMS is essential to fight the insider threat in enterprises. This paper considers that security administrators should keep abreast of the latest developments in network security and implement real-time monitoring of user behavior on the network. They should protect the network equipment and the security of online information. It is also required that they can foresee network threats and take appropriate responses. At the same time, they should endeavor to stop the insider threat at its beginning and reduce internal risk to a minimum. In addition, from the perspective of network security, enterprises should take measures to manage employees. They should identify the data that need to be protected, keep in touch with employees and provide security education everywhere. First, leaders must recognize the importance of network security; only in this way will staff recognize it. Then appropriate policies and regulations can be developed, so that enterprises can adhere to the principle that "there shall be laws to abide by and evidence to investigate, everyone who is meritorious should be rewarded, and everyone who is wrong should be punished." Only in that way can employees raise their safety awareness and keep the internal network free from damage. Organizations must monitor all critical information system activity, such as servers, software applications and other data resources. Access must be strictly controlled and any suspicious activity must be investigated.

IV. CONCLUSION

How can insider threat be reduced? The use of advanced technology is required, but establishing a security architecture for insider threat is essential. The advantage of this architecture is that it proposes an integrated approach to combining technology and management. However, the details of the various platforms and advanced technologies are not explained further, and factors including people and environmental issues are not analyzed accurately. From an overall point of view, in later research, many cooperative controls concerning technique, environment and people should be designed to be ordered and synchronous. At the same time, the inter-linkages of the various controls, their priority sequence and their control principles should be fully considered.

REFERENCES
[1] G. B. Magklaras and S. M. Furnell, "A preliminary model of end user sophistication for insider threat prediction in IT systems," Computers and Security, vol. 24, no. 5, pp. 371-380, 2005.
[2] M. Kemp, "Barbarians inside the gates: Addressing internal security threats," Network Security, vol. 2005, no. 6, pp. 11-13, 2005.
[3] Y. Yu and J. C. Chiueh, "Display-only file server: A solution against information theft due to insider attack," Washington, DC, United States, 2004, pp. 31-39.
[4] R. Richardson, "2003 CSI/FBI computer crime and security survey," Computer Security Journal, vol. 19, no. 2, pp. 21-40, 2003.
[5] E. Schultz, "A framework for understanding and predicting insider attacks," Computers and Security, vol. 21, no. 6, pp. 526-531, 2002.
[6] Hui Wang, Shu-fen Liu, and Yin-jia Zhang, "Insider threat analysis and solution probe for information system," Jilin University Technology (Engineering Science), vol. 36, no. 5, pp. 809-813, 2006.
[7] J. S. Park and S. M. Ho, "Composite role-based monitoring (CRBM) for countering insider threats," Springer-Verlag GmbH, vol. 3073, pp. 201-213, 2004.

