
Enemy at the Water Cooler

Book Description

The book covers a decade of work with some of the largest commercial and government agencies around the world in addressing cyber security related to malicious insiders (trusted employees, contractors, and partners). It explores organized crime, terrorist threats, and hackers. It addresses the steps organizations must take to address insider threats at a people, process, and technology level.

Today’s headlines are littered with news of identity thieves, organized cyber criminals, corporate espionage, nation-state threats, and terrorists. They represent the next wave of security threats but still possess nowhere near the devastating potential of the most insidious threat: the insider. This is not the bored 16-year-old hacker. We are talking about insiders like you and me, trusted employees with access to information: consultants, contractors, partners, visitors, vendors, and cleaning crews. Anyone in an organization’s buildings or networks who possesses some level of trust.

* Full coverage of this hot topic for virtually every global 5000 organization, government agency, and individual interested in security.

* Brian Contos is the Chief Security Officer for one of the best-known, most profitable and most respected security software companies in the U.S.—ArcSight.

Table of Contents

  1. Copyright
    1. Dedication
  2. Praise for Enemy at the Water Cooler
  3. Acknowledgments
  4. About the Author
  5. Acknowledgements
  6. Technical Reviewer
  7. Foreword
  8. Introduction
    1. Audience
    2. Case Studies
  9. I. Background on Cyber Crime, Insider Threats, and ESM
    1. 1. Cyber Crime and Cyber Criminals 101
      1. About this Chapter
      2. Computer Dependence and Internet Growth
        1. The Shrinking Vulnerability Threat Window
      3. Motivations for Cyber Criminal Activity
      4. Black Markets
      5. Hackers
      6. Script Kiddies
      7. Solitary Cyber Criminals and Exploit Writers for Hire
      8. Organized Crime
      9. Identity Thieves (Impersonation Fraudsters)
      10. Competitors
      11. Activist Groups, Nation-State Threats, and Terrorists
        1. Activists
        2. Nation-State Threats
          1. China
          2. France
          3. Russia
          4. United Kingdom
          5. United States
        3. Terrorists
      12. Insiders
      13. Tools of the Trade
        1. Application-Layer Exploits
        2. Botnets
        3. Buffer Overflows
        4. Code Packing
        5. Denial-of-Service (DoS) Attacks
        6. More Aggressive and Sophisticated Malware
        7. Nonwired Attacks and Mobile Devices
        8. Password Cracking
        9. Phishing
        10. Reconnaissance and Googledorks
        11. Rootkits and Keyloggers
        12. Social Engineering Attacks
        13. Voice-Over IP (VoIP) Attacks
        14. Zero-Day Exploits
      14. Summary
    2. 2. Insider Threats
      1. Understanding Who the Insider Is
      2. Psychology of Insider Identification
      3. Insider Threat Examples from the Media
      4. Insider Threats from a Human Perspective
        1. A Word on Policies
      5. Insider Threats from a Business Perspective
        1. Risk
      6. Insider Threats from a Technical Perspective
        1. Need-to-Know
        2. Least Privileges
        3. Separation of Duties
        4. Strong Authentication
        5. Access Controls
        6. Incident Detection and Incident Management
      7. Summary
    3. 3. Enterprise Security Management (ESM)
      1. ESM in a Nutshell
      2. Key ESM Feature Requirements
        1. Event Collection
        2. Normalization
        3. Categorization
        4. Asset Information
        5. Vulnerability Information
        6. Zoning and Global Positioning System Data
        7. Active Lists
        8. Actors
        9. Data Content
        10. Correlation
        11. Prioritization
        12. Event and Response Time Reduction
        13. Anomaly Detection
        14. Pattern Discovery
        15. Alerting
        16. Case Management
        17. Real-Time Analysis and Forensic Investigation
        18. Visualization
          1. High-Level Dashboards
        19. Detailed Visualization
        20. Reporting
        21. Remediation
      3. Return On Investment (ROI) and Return On Security Investment (ROSI)
      4. Alternatives to ESM
        1. Do Nothing
        2. Custom In-House Solutions
        3. Outsourcing and Cosourcing
        4. Cosourcing examples
      5. Summary
  10. II. Real Life Case Studies
    1. 4. Imbalanced Security—A Singaporean Data Center
    2. 5. Comparing Physical & Logical Security Events—A U.S. Government Agency
    3. 6. Insider with a Conscience—An Austrian Retailer
    4. 7. Collaborative Threat—A Telecommunications Company in the U.S.
    5. 8. Outbreak from Within—A Financial Organization in the U.K.
    6. 9. Mixing Revenge and Passwords—A Utility Company in Brazil
    7. 10. Rapid Remediation—A University in the United States
    8. 11. Suspicious Activity—A Consulting Company in Spain
    9. 12. Insiders Abridged
      1. Malicious Use of Medical Records
      2. Hosting Pirated Software
      3. Pod-Slurping
      4. Auctioning State Property
      5. Writing Code for Another Company
      6. Outsourced Insiders
      7. Smuggling Gold in Rattus Norvegicus
  11. III. The Extensibility of ESM
    1. 13. Establishing Chain-of-Custody Best Practices with ESM
      1. Disclaimer
      2. Monitoring and Disclosure
      3. Provider Protection Exception
      4. Consent Exception
      5. Computer Trespasser Exception
      6. Court Order Exception
      7. Best Practices
      8. Canadian Best Evidence Rule
      9. Summary
    2. 14. Addressing Both Insider Threats and Sarbanes-Oxley with ESM
      1. Why Sarbanes-Oxley
      2. A Primer on Sarbanes-Oxley
      3. Section 302: Corporate Responsibility for Financial Reports
      4. Section 404: Management Assessment of Internal Controls
        1. Separation of Duties
        2. Monitoring Interaction with Financial Processes
        3. Detecting Changes in Controls over Financial Systems
      5. Section 409: Real-Time Issuer Disclosures
      6. Summary
    3. 15. Incident Management with ESM
      1. Incident Management Basics
        1. Improved Risk Management
        2. Improved Compliance
        3. Reduced Costs
        4. Current Challenges
          1. Process
          2. Organization
          3. Technology
      2. Building an Incident Management Program
        1. Defining Risk
          1. Five Steps to Risk Definition for Incident Management
        2. Process
        3. Training
        4. Stakeholder Involvement
        5. Remediation
        6. Documentation
        7. Reporting and Metrics
      3. Summary
    4. 16. Insider Threat Questions and Answers
      1. Introduction
      2. Insider Threat Recap
      3. Question One—Employees
        1. The Hiring Process
        2. Reviews
        3. Awareness
          1. NIST 800-50
        4. Policies
        5. Standards
        6. Security Memorandum Example
          1. Procedure
      4. Question Two—Prevention
      5. Question Three—Asset Inventories
      6. Question Four—Log Collection
        1. Security Application Logs
        2. Operating System Log
        3. Web Server Logs
        4. NIST 800-92
      7. Question Five—Log Analysis
      8. Question Six—Specialized Insider Content
      9. Question Seven—Physical and Logical Security Convergence
      10. Question Eight—IT Governance
        1. NIST 800-53
      11. Question Nine—Incident Response
      12. Question Ten—Must Haves
  12. A. Examples of Cyber Crime Prosecutions
    1. U.S. Department of Justice Cases
      1. California—Central District—United States v. Jay R. Echouafni et al. (Operation Cyberslam)
      2. United States v. Jie Dong
      3. United States v. Calin Mateias
      4. California—Northern District—United States v. Robert McKimmey
      5. United States v. Laurent Chavet
      6. United States v. Shan Yan Ming
      7. United States v. Robert Lyttle
      8. United States v. Roman Vega
      9. United States v. Michael A. Bradley
      10. Missouri—Western District—United States v. Melissa Davidson
      11. United States v. Soji Olowokandi
      12. New York—Southern District—United States v. Jason Smathers and Sean Dunaway
      13. Pennsylvania Western District—United States v. Calin Mateias
      14. United States v. Scott Eric Catalano
      15. United States v. Myron Tereshchuk
      16. United States v. Jeffrey Lee Parson
  13. Bibliography
    2. Articles, Webcasts and Podcasts with the Author
      1. Online Articles
      2. Webcasts
      3. Podcasts