Abstract
The author is the lead information security architect at one of the United States’ largest banks. In this paper he assesses the threat of confidential data leakage, focusing on its most virulent form – insider data theft attacks. Technological and procedural controls typically found in enterprise environments are reviewed and found inadequate. Additional controls are proposed, and several areas for additional technical research are also suggested.
Copyright information
© 2008 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
McCormick, M. (2008). Data Theft: A Prototypical Insider Threat. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds) Insider Attack and Cyber Security. Advances in Information Security, vol 39. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-77322-3_4
DOI: https://doi.org/10.1007/978-0-387-77322-3_4
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-77321-6
Online ISBN: 978-0-387-77322-3
eBook Packages: Computer Science, Computer Science (R0)