Enemy at the water cooler [electronic resource] : real-life stories of insider threats and Enterprise Security Management countermeasures / Brian T. Contos.

Cover image for Enemy at the water cooler [electronic resource] : real-life stories of insider threats and Enterprise Security Management countermeasures / Brian T. Contos.

ISBN:

9781597491297

9780080477602

Title:

Enemy at the water cooler [electronic resource] : real-life stories of insider threats and Enterprise Security Management countermeasures / Brian T. Contos.

Author:

Contos, Brian T.

Personal Author:

Contos, Brian T.

Publication Information:

Physical Description:

1 online resource (xxii, 262 pages) : illustrations

General Note:

Title from Web page (viewed Feb. 28, 2007).

Contents:

Part I: Background on Cyber Crime, Insider Threats, and ESM -- Chapter One: Cyber Crime and Cyber Criminals -- About this Chapter -- Computer Dependence and Internet Growth -- The Shrinking Vulnerability Threat Window -- Motivations for Cyber Criminal Activity -- o Black Markets -- Hacker -- Script Kiddies -- Solitary Cyber Criminals and Exploit Writers for Hire -- Organized Crime -- Identity Thieves (Impersonation Fraudsters) -- Competitors -- Activist Groups, Nation-State Threats, and Terrorists -- Activists -- Nation-State Threats -- o China -- o France -- o Russia -- o United Kingdom -- o United States -- Terrorists -- Insiders -- Tools of the Trade -- o Application-Layer Exploits -- o Botnets -- o Buffer Overflows -- o Code Packing -- o Denial-of-service (DoS) Attacks -- o More Aggressive and Sophisticated Malware -- o Non-wired Attacks and Mobile Devices -- o Password-cracking -- o Phishing -- o Reconnaissance and Googledorks -- o Rootkits and Keyloggers -- o Social Engineering Attacks -- o Voice over IP (VoIP) Attacks -- o Zero-Day Exploits -- Summary Points -- Chapter Two: Insider Threats -- Understanding Who the Insider Is -- Psychology of Insider Identification -- Insider Threat Examples from the Media -- Insider Threats from a Human Perspective -- o A Word on Policies -- Insider Threats from a Business Perspective -- o Risk -- Insider Threats from a Technical Perspective -- o Need-to-know -- o Least Privileges -- o Separation of Duties -- o Strong Authentication -- o Access Controls -- o Incident Detection and Incident Management -- Summary Points -- -- Chapter Three: Enterprise Security Management (ESM) -- ESM in a Nutshell -- Key ESM Feature Requirements -- o Event Collection -- o Normalization -- o Categorization -- o Asset Information -- o Vulnerability Information -- o Zoning and Global Positioning System Data -- o Active Lists -- o Actors -- o Data Content -- o Correlation -- o Prioritization -- o Event and Response Time Reduction -- o Anomaly Detection -- o Pattern Discovery -- o Alerting -- o Case Management -- o Real-Time Analysis and Forensic Investigation -- o Visualization -- o High-level Dashboards -- o Detailed Visualization -- o Reporting -- o Remediation -- Return On Investment (ROI) and Return On Security Investment (ROSI) -- Alternatives to ESM -- o Do Nothing -- o Custom In-house Solutions -- o Outsourcing and Co-sourcing --? Co-sourcing examples: -- Summary Points -- -- Part II: Real Life Case Studies -- Chapter Four: Imbalanced SecurityA Singaporean Data Center -- Chapter Five: Correlating Physical and Logical Security EventsA U.S. Government Organization -- Chapter Six: Insider with a ConscienceAn Austrian Retailer -- Chapter Seven: Collaborative ThreatA Telecommunications Company in the U.S. -- Chapter Eight: Outbreak from WithinA Financial Organization in the U.K. -- Chapter Nine: Mixing Revenge and PasswordsA Utility Company in Brazil -- Chapter Ten: Rapid RemediationA University in the United States -- Chapter Eleven: Suspicious ActivityA Consulting Company in Spain -- Chapter Twelve: Insiders Abridged -- Malicious use of Medical Records -- Hosting Pirated Software -- Pod-Slurping -- Auctioning State Property -- Writing Code for another Company -- Outsourced Insiders -- Smuggling Gold in Rattus Norvegicus -- -- Part III: The Extensibility of ESM -- Chapter Thirteen: Establishing Chain-of-Custody Best Practices with ESM -- Disclaimer -- Monitoring and disclosure -- Provider Protection Exception -- Consent Exception -- Computer Trespasser Exception -- Court Order Exception -- Best Practices -- Canadian Best Evidence Rule -- Summary Points -- -- Chapter Fourteen: Addressing Both Insider Threats and Sarbanes-Oxley with ESM -- A Primer on Sarbanes-Oxley -- Section 302: Corporate Responsibility for Financial Reports -- Section 404: Management Assessment of Internal Controls -- Separation of Duties -- Monitoring Interaction with Financial Processes -- Detecting Changes in Controls over Financial Systems -- Section 409: Real-time Issuer Disclosures -- Summary Points -- -- Chapter Fifteen: Incident Management with ESM -- Incident Management Basics -- Improved Risk Management -- Improved Compliance -- Reduced Costs -- Current Challenges -- o Process -- o Organization -- o Technology -- Building an Incident Management Program -- o Defining Risk -- Five Steps to Risk Definition for Incident Management -- o Process -- o Training -- o Stakeholder Involvement -- o Remediation -- o Documentation -- Reporting and Metrics -- Summary Points -- -- Chapter Sixteen: Insider Threat Questions and Answers -- Introduction -- Insider Threat Recap -- Question One -- Employees -- o The Hiring Process -- o Reviews -- o Awareness -- o NIST 800-50 -- o Policies -- o Standards -- o Security Memorandum Example -- Question Two -- Prevention -- Question Three Asset Inventories -- Question Four Log Collection -- o Security Application Logs -- o Operating System Log -- o Web Server Logs -- o NIST 800-92 -- Question Five Log Analysis -- Question Six -- Specialized Insider Content -- Question Seven Physical and Logical Security Convergence -- Question Eight IT Governance -- o NIST 800-53 -- o Network Account Deletion maps to NIST 800-53 section AC-2 -- o Vulnerability Scanning maps to NIST 800-53 section RA-5 -- o Asset Creation maps to NIST 800-53 section CM-4 -- o Attacks and Suspicious Activity from Public Facing Assets maps to NIST 800-53 section SC-14 -- o Traffic from Internal to External Assets maps to NIST 800-53 section SC-7 -- Question Nine -- Incident Response -- Question 10 Must Haves -- -- Appendix AExamples of Cyber Crime Prosecutions.

Local Note:

eBooks on EBSCOhost

Subject Term:

Computer networks -- Security measures.

Computer security.

Hackers.

Format:

Electronic Resources

Electronic Access:

Click here to view

Publication Date:

2006

Publication Information:

Available:*

Shelf Number	Material Type	Copy	Shelf Location	Status
005.8 22	1:E-BOOK	1	1:ONLINE	Searching... Unknown

Bound With These Titles

On Order

Summary

The book covers a decade of work with some of the largest commercial and government agencies around the world in addressing cyber security related to malicious insiders (trusted employees, contractors, and partners). It explores organized crime, terrorist threats, and hackers. It addresses the steps organizations must take to address insider threats at a people, process, and technology level.

Today's headlines are littered with news of identity thieves, organized cyber criminals, corporate espionage, nation-state threats, and terrorists. They represent the next wave of security threats but still possess nowhere near the devastating potential of the most insidious threat: the insider. This is not the bored 16-year-old hacker. We are talking about insiders like you and me, trusted employees with access to information - consultants, contractors, partners, visitors, vendors, and cleaning crews. Anyone in an organization's building or networks that possesses some level of trust.

Author Notes

Brian T. Contos, CISSP, Chief Security Officer, ArcSight Inc. has over a decade of real-world security engineering and management expertise developed in some of the most sensitive and mission-critical environments in the world. As ArcSight's CSO he advises government organizations and Global 1,000s on security strategy related to Enterprise Security Management (ESM) solutions while being an evangelist for the security space. He has delivered security-related speeches, white papers, webcasts, podcasts and most recently published a book on insider threats titled - Enemy at the Water Cooler. He frequently appears in media outlets including: Forbes, The London Times, Computerworld, SC Magazine, Tech News World, Financial Sector Technology and the Sarbanes-Oxley Compliance Journal. Mr. Contos has held management and engineering positions at Riptech, Lucent Bell Labs, Compaq Computers and the Defense Information Systems Agency (DISA). He has worked throughout North America, South America, Western Europe, and Asia and holds a B.S. from the University of Arizona in addition to a number of industry and vendor certifications.

Reviews (1)

Choice Review

Internet security management remains a challenging concern for both corporate and individual users. Contos focuses on the former and develops the thesis that more often than not, enterprise threats are internally generated. As examples, he cites attacks initiated by disgruntled employees, former employees, and contractors. This book features three main parts. The first, three chapters long, provides background on cyber crime, insider threats, and Enterprise Security Management (ESM). The second part individually documents eight real-life security breach case studies; the final chapter describes another seven briefer examples. The third part addresses the extensibility of ESM, an emerging area of applied research focused on helping organizations improve security management capabilities and attain and sustain adequate levels of security directly supporting their missions. Future efforts are aimed at developing such a security management framework. Throughout, Contos uses his extensive personal experiences to illustrate Internet security breaches and provide countermeasures. This book requires little if any technical background and is intended to appeal to a broad audience. An appendix lists cyber crime prosecutions. Brief bibliography. ^BSumming Up: Recommended. General readers; professionals. E. M. Aupperle emeritus, University of Michigan

Foreword	p. xix
Introduction	p. xxi
Part I Background on Cyber Crime, Insider Threats, and ESM	p. 1
Chapter 1 Cyber Crime and Cyber Criminals 101	p. 3
About this Chapter	p. 4
Computer Dependence and Internet Growth	p. 4
The Shrinking Vulnerability Threat Window	p. 5
Motivations for Cyber Criminal Activity	p. 7
Black Markets	p. 11
Hackers	p. 13
Script Kiddies	p. 14
Solitary Cyber Criminals and Exploit Writers for Hire	p. 15
Organized Crime	p. 17
Identity Thieves (Impersonation Fraudsters)	p. 19
Competitors	p. 24
Activist Groups, Nation-State Threats, and Terrorists	p. 24
Activists	p. 25
Nation-State Threats	p. 27
China	p. 27
France	p. 27
Russia	p. 28
United Kingdom	p. 28
United States	p. 28
Terrorists	p. 30
Insiders	p. 32
Tools of the Trade	p. 34
Application-Layer Exploits	p. 35
Botnets	p. 35
Buffer Overflows	p. 36
Code Packing	p. 36
Denial-of-service (DoS) Attacks	p. 36
More Aggressive and Sophisticated Malware	p. 37
Nonwired Attacks and Mobile Devices	p. 38
Password-cracking	p. 38
Phishing	p. 39
Reconnaissance and Googledorks	p. 41
Rootkits and Keyloggers	p. 41
Social Engineering Attacks	p. 42
Voice-over-IP (VoIP) Attacks	p. 43
Zero-Day Exploits	p. 44
Summary	p. 46
Chapter 2 Insider Threats	p. 49
Understanding Who the Insider Is	p. 50
Psychology of Insider Identification	p. 55
Insider Threat Examples from the Media	p. 57
Insider Threats from a Human Perspective	p. 59
A Word on Policies	p. 60
Insider Threats from a Business Perspective	p. 62
Risk	p. 63
Insider Threats from a Technical Perspective	p. 63
Need-to-know	p. 64
Least Privileges	p. 65
Separation of Duties	p. 65
Strong Authentication	p. 65
Access Controls	p. 66
Incident Detection and Incident Management	p. 66
Summary	p. 68
Chapter 3 Enterprise Security Management (ESM)	p. 69
ESM in a Nutshell	p. 70
Key ESM Feature Requirements	p. 71
Event Collection	p. 71
Normalization	p. 72
Categorization	p. 72
Asset Information	p. 73
Vulnerability Information	p. 73
Zoning and Global Positioning System Data	p. 73
Active Lists	p. 75
Actors	p. 76
Data Content	p. 77
Correlation	p. 77
Prioritization	p. 77
Event and Response Time Reduction	p. 78
Anomaly Detection	p. 78
Pattern Discovery	p. 79
Alerting	p. 80
Case Management	p. 80
Real-Time Analysis and Forensic Investigation	p. 81
Visualization	p. 81
High-Level Dashboards	p. 81
Detailed Visualization	p. 81
Reporting	p. 83
Remediation	p. 84
Return On Investment (ROI) and Return On Security Investment (ROSI)	p. 85
Alternatives to ESM	p. 90
Do Nothing	p. 90
Custom In-house Solutions	p. 91
Outsourcing and Cosourcing	p. 93
Cosourcing examples	p. 95
Summary	p. 97
Part II Real Life Case Studies	p. 99
Chapter 4 Imbalanced Security-A Singaporean Data Center	p. 101
Chapter 5 Comparing Physical & Logical Security Events-A U.S. Government Agency	p. 107
Chapter 6 Insider with a Conscience-An Austrian Retailer	p. 115
Chapter 7 Collaborative Threat-A Telecommunications Company in the U.S.	p. 123
Chapter 8 Outbreak from Within-A Financial Organization in the U.K.	p. 129
Chapter 9 Mixing Revenge and Passwords-A Utility Company in Brazil	p. 137
Chapter 10 Rapid Remediation-A University in the United States	p. 145
Chapter 11 Suspicious Activity-A Consulting Company in Spain	p. 155
Chapter 12 Insiders Abridged	p. 161
Malicious use of Medical Records	p. 162
Hosting Pirated Software	p. 163
Pod-Slurping	p. 164
Auctioning State Property	p. 165
Writing Code for Another Company	p. 166
Outsourced Insiders	p. 167
Smuggling Gold in Rattus Norvegicus	p. 168
Part III The Extensibility of ESM	p. 169
Chapter 13 Establishing Chain-of-Custody Best Practices with ESM	p. 171
Disclaimer	p. 172
Monitoring and Disclosure	p. 172
Provider Protection Exception	p. 173
Consent Exception	p. 173
Computer Trespasser Exception	p. 174
Court Order Exception	p. 174
Best Practices	p. 174
Canadian Best Evidence Rule	p. 176
Summary	p. 177
Chapter 14 Addressing Both Insider Threats and Sarbanes-Oxley with ESM	p. 179
Why Sarbanes-Oxley	p. 180
A Primer on Sarbanes-Oxley	p. 181
Section 302: Corporate Responsibility for Financial Reports	p. 182
Section 404: Management Assessment of Internal Controls	p. 182
Separation of Duties	p. 182
Monitoring Interaction with Financial Processes	p. 183
Detecting Changes in Controls over Financial Systems	p. 183
Section 409: Real-time Issuer Disclosures	p. 184
Summary	p. 185
Chapter 15 Incident Management with ESM	p. 187
Incident Management Basics	p. 188
Improved Risk Management	p. 189
Improved Compliance	p. 190
Reduced Costs	p. 190
Current Challenges	p. 190
Process	p. 190
Organization	p. 191
Technology	p. 191
Building an Incident Management Program	p. 192
Defining Risk	p. 192
Five Steps to Risk Definition for Incident Management	p. 193
Process	p. 193
Training	p. 195
Stakeholder Involvement	p. 195
Remediation	p. 196
Documentation	p. 196
Reporting and Metrics	p. 197
Summary	p. 198
Chapter 16 Insider Threat Questions and Answers	p. 199
Introduction	p. 200
Insider Threat Recap	p. 200
Question 1 Employees	p. 201
The Hiring Process	p. 201
Reviews	p. 202
Awareness	p. 202
NIST 800-50	p. 203
Policies	p. 205
Standards	p. 205
Security Memorandum Example	p. 206
Procedure	p. 208
Question 2 Prevention	p. 210
Question 3 Asset Inventories	p. 211
Question 4 Log Collection	p. 214
Security Application Logs	p. 215
Operating System Log	p. 216
Web Server Logs	p. 216
NIST 800-92	p. 217
Question 5 Log Analysis	p. 219
Question 6 Specialized Insider Content	p. 221
Question 7 Physical and Logical Security Convergence	p. 222
Question 8 IT Governance	p. 227
NIST 800-53	p. 231
Question 9 Incident Response	p. 234
Question 10 Must Haves	p. 235
Appendix A Examples of Cyber Crime Prosecutions	p. 237
U.S. Department of Justice Cases	p. 238
California-Central District-United States v. Jay R. Echouafni et al. (Operation Cyberslam)	p. 238
United States v. Jie Dong	p. 239
United States v. Calin Mateias	p. 239
California-Northern District-United States v. Robert McKimmey	p. 241
United States v. Laurent Chavet	p. 241
United States v. Shan Yan Ming	p. 242
United States v. Robert Lyttle	p. 242
United States v. Roman Vega	p. 242
United States v. Michael A. Bradley	p. 243
Missouri-Western District-United States v. Melissa Davidson	p. 243
United States v. Soji Olowokandi	p. 244
New York-Southern District-United States v. Jason Smathers and Sean Dunaway	p. 244
Pennsylvania Western District-United States v. Calin Mateias	p. 246
United States v. Scott Eric Catalano	p. 247
United States v. Myron Tereshchuk	p. 247
United States v. Jeffrey Lee Parson	p. 248
Bibliography	p. 249
Articles, Webcasts and Podcasts with the Author	p. 250
Online Articles	p. 250
Webcasts	p. 251
Podcasts	p. 252
Index	p. 253

Available:*

Bound With These Titles

On Order

Summary

Summary

Author Notes

Reviews (1)

Choice Review

Table of Contents