On Monday 17 January 2005 14:55, Crispin Cowan wrote:
> I participated in a workshop on insider attacks several years ago. We
> identified 2 kinds of insider attacks:

(Was this Mike Skroh's (DARPA) workshop out at RAND?  If so, I also 
participated in this.  In fact, it's where I met you, Crispin.  You demo'd 
VMware on your laptop for me and made me a VMware believer...:-)

>     * authorized users: [snip...]
>     * non-authorized users: [snip...]

Agreed.

> So we agree that more secure systems such as RBAC and Immunix do help to
> address the problem of insider attackers. What they don't do is address
> the problem of authorized insiders abusing their authority. That is
> where this new class of products comes in: they track the movement of
> sensitive organizational data by /content/ rather than by access
> control, and complain when content crosses a barrier that it should not.

Understood, and at least much of this new class of products is based on 
statistical analysis of event logs.  Certainly, products simplify that 
scenario, but it can also be done without add-on products.

> But as I wrote before, such products, especially network-based products,
> will fail to detect an authorized user accessing data and then dumping
> it to CDR or USB memory stick and walking it out of the building in
> their underwear.

There is also a new class of products that do access control and logging at 
the PC client level, so that things like USB stick access can be (nominally) 
controlled and logged, FWIW.  I'll bet that a determined, authorized 
adversary can find ways of circumventing, though...

> Because the end-game of covert channel prevention always leads to an
> anal cavity search :)

ACK....and ick!

So, where's the Software Security lesson in all of this?  IMHO, it's to ensure 
adequate application-level event logging and data access control 
capabilities.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com
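As an added example (not part of the thread or any product it mentions), one way to do the kind of statistical analysis of application event logs that Ken describes without an add-on product: parse an application audit log and flag authorized users whose sensitive-record access volume is far above their peers. The log format, user names, sample lines and thresholds are all assumptions constructed for the example.

```python
import re
from statistics import median

# Constructed sample application audit log (not from the thread): one line per
# data access, recording who read which record and the record's sensitivity label.
SAMPLE_LOG = """\
2005-01-17T09:01:12 user=alice action=read record=cust/1001 label=sensitive
2005-01-17T09:02:40 user=alice action=read record=cust/1002 label=sensitive
2005-01-17T09:05:03 user=bob action=read record=cust/2001 label=sensitive
2005-01-17T09:06:51 user=carol action=read record=doc/17 label=public
""" + "\n".join(
    f"2005-01-17T10:{i:02d}:00 user=dave action=read record=cust/{3000 + i} label=sensitive"
    for i in range(40)  # one authorized user bulk-reading sensitive records
)

LINE_RE = re.compile(r"user=(\S+) action=(\S+) record=(\S+) label=(\S+)")


def count_sensitive_reads(log_text):
    """Map every user seen in the log to the number of sensitive records they read."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a data-access event; ignore
        user, action, _record, label = m.groups()
        counts.setdefault(user, 0)  # users with only public reads still count as peers
        if action == "read" and label == "sensitive":
            counts[user] += 1
    return counts


def flag_outliers(counts, ratio=5.0, min_reads=10):
    """Return (user, count) pairs whose sensitive-read volume is both above an
    absolute floor and more than `ratio` times the peer median. The median is
    used rather than a mean/std-dev z-score because, in a small population, one
    heavy reader drags the mean up and inflates the deviation enough to hide itself."""
    if not counts:
        return []
    baseline = median(counts.values())
    flagged = [(u, n) for u, n in counts.items() if n >= min_reads and n > ratio * baseline]
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    for user, n in flag_outliers(count_sensitive_reads(SAMPLE_LOG)):
        print(f"REVIEW: {user} read {n} sensitive records (peers read far fewer)")
```

The same pass run over real application logs only works if the application logs each data access with the record's classification, which is the logging and access-control capability the lesson above asks for.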