
So as security professionals, most are overly paranoid about external hackers, leaks, etc. I'm looking for ideas on how one would go about testing their own systems, without signs that they were testing them. To give a more concrete example, if I was working in an area with highly sensitive information (government data, banking data, medical records), and was asked to design the system securing such data, knowing that it needs to be shared among people working in the department: how would I (sneakily) go about exploiting my role, by taking the data and work of the other people and leaking it for instance, all while keeping my job and not getting caught? Ideally I would like it to appear as though someone else was responsible for the testing rather than me.

Ideas I have:
  • Bribe someone else to do it for me.
  • Steal credentials.
  • Some social engineering (starting rumours that someone is thinking about doing this).
  • Leave some backdoor in the system (i.e. using a broken algorithm, or rolling my own crypto and leaving an issue in it) that I can exploit.

All these are fairly obvious methods, are there any more that I'm missing?

I've noticed on rereading this that this came across badly. This is homework, and there's no homework tag on security.stackexchange.

user25400
  • Could someone explain why I'm being downvoted? – user25400 Apr 29 '13 at 22:06
  • Because your question is not compliant with the FAQ. – Lucas Kauffman Apr 29 '13 at 22:08
  • And it's open ended since there is almost an infinite number of possibilities – Lucas Kauffman Apr 29 '13 at 22:09
  • And I down voted it because I don't like the question. – Lucas Kauffman Apr 29 '13 at 22:09
  • So, I haven't downvoted, but since it gave me a double take, I can probably explain why. Penetration testing is wholly within the scope of IT Security. Pinning crimes on others, however, is not. Since you seem less interested in the security of systems, and more interested in committing crimes and creating chaos, I personally would consider this a low quality question. In other words, motivations count, and for all appearances, yours are poor. – Xander Apr 29 '13 at 22:10
  • I would have thought that some people would have experience with something like this happening, and that having the information in the open (signs that people might not consider) would be beneficial. And I should actually point out that this is an academic exercise, so homework, but there's no homework tag and I can't create one – user25400 Apr 29 '13 at 22:12
  • That's because we don't do your homework for you, you are supposed to do it yourself, be creative. – Lucas Kauffman Apr 29 '13 at 22:15
  • I thought asking other people for help was being creative. I've listed my ideas above – user25400 Apr 29 '13 at 22:16
  • So the reality is, internal threats should be treated exactly the same way as external threats. A threat model should be created (how can the system be compromised?) and measures put in place to prevent and protect from those attacks. Lucas is right that the specific possibilities are endless. – Xander Apr 29 '13 at 22:18

1 Answer


So the underlying question that I see here is: "How do you protect against insider threats?"

As I see it, there are two parts to the answer. One is that you protect against insider threats the same way that you protect against external threats, and the other part is that to some degree, you can't. Remember, security is about risk mitigation and management, not risk elimination, and faeries and unicorns.

For the first part - When a system is brought online, a threat model should be developed for it that defines as many of the potential attack surfaces as can be discovered, and deals with each of them appropriately. This is true for internal users as well as external. Just because someone is in the IT Security department doesn't mean they should have unfettered access to production databases, for instance. That would be an unacceptable risk.

For the second part - If you have systems, you have to trust people to manage them. You don't blindly trust... You work to hire trustworthy people, you limit their access initially and allow them to prove themselves over time, you spread responsibility across multiple individuals to lessen any individual's ability to cause harm. You have good managers who can spot trouble (rumors, or employees doing things they shouldn't) and can head it off. In the end though, this is a risk that can't be eliminated, it simply must be managed.

You can't stop people from causing trouble. You can only manage the risk and excise them from the organization as quickly as you find them.

Xander
  • I guess the short answer is treat it as if it was an external attack then. Thanks for the insightful response. – user25400 Apr 29 '13 at 22:50
  • @user25400 I hope it helps, and there is an important difference to note, and that's the second part. For insider threats, human resources matter. You can't just rely on the systems; the people, the hiring process, and management can make a huge difference in the level of risk. – Xander Apr 30 '13 at 00:09
  • I see it after reading it a few times. Have to sit on that. Thanks again – user25400 Apr 30 '13 at 00:54
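The answer's controls (least privilege per role, spreading responsibility across multiple individuals, and management being able to spot trouble) can be made concrete in code. The following is an added example, not code from the question, the answer, or any project the thread mentions: a small authorization gate for a shared records store that grants each role only the actions its job needs, requires a second, distinct approver for a bulk export, and appends every decision, allowed or denied, to an audit trail so that a reviewer can attribute repeated denied attempts to a named person. The roles, actions and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed policy table: each role gets only the actions its job needs
# (least privilege). Security staff can review the audit trail but cannot
# read the records themselves, mirroring the answer's point about the IT
# Security department not having unfettered access to production data.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read_record"},
    "clerk": {"read_record", "update_record"},
    "security": {"read_audit"},
    "dba": {"read_record", "bulk_export"},
}

# High-impact actions that no single insider may complete alone (two-person rule).
DUAL_CONTROL_ACTIONS: Set[str] = {"bulk_export"}


@dataclass
class AuditEntry:
    when: str
    actor: str
    action: str
    target: str
    allowed: bool
    reason: str
    approver: Optional[str] = None


@dataclass
class AccessGate:
    """Authorization gate combining least privilege, dual control and an audit trail."""

    users: Dict[str, str]  # user name -> role (constructed directory)
    audit: List[AuditEntry] = field(default_factory=list)

    def _record(self, actor: str, action: str, target: str, allowed: bool,
                reason: str, approver: Optional[str] = None) -> bool:
        # Every decision is appended, denied ones included, so that later
        # investigation can attribute activity to a specific person.
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, action=action, target=target,
            allowed=allowed, reason=reason, approver=approver,
        ))
        return allowed

    def _permitted(self, user: str, action: str) -> bool:
        return action in ROLE_PERMISSIONS.get(self.users.get(user, ""), set())

    def authorize(self, actor: str, action: str, target: str,
                  approver: Optional[str] = None) -> bool:
        if actor not in self.users:
            return self._record(actor, action, target, False, "unknown actor", approver)
        if not self._permitted(actor, action):
            return self._record(actor, action, target, False, "role lacks permission", approver)
        if action in DUAL_CONTROL_ACTIONS:
            if approver is None:
                return self._record(actor, action, target, False, "second approver required")
            if approver == actor:
                return self._record(actor, action, target, False,
                                    "approver must be a different person", approver)
            if not self._permitted(approver, action):
                return self._record(actor, action, target, False,
                                    "approver not entitled to this action", approver)
        return self._record(actor, action, target, True, "allowed", approver)

    def denied_attempts(self, actor: str) -> List[AuditEntry]:
        """Denied requests by one user: the signal a manager or reviewer wants to see."""
        return [e for e in self.audit if e.actor == actor and not e.allowed]


if __name__ == "__main__":
    gate = AccessGate(users={"alice": "analyst", "bob": "dba", "carol": "dba", "dave": "security"})
    gate.authorize("alice", "read_record", "rec-1")                 # allowed
    gate.authorize("dave", "read_record", "rec-1")                  # denied: security role cannot read records
    gate.authorize("bob", "bulk_export", "records")                 # denied: no second approver
    gate.authorize("bob", "bulk_export", "records", approver="bob")   # denied: cannot approve own export
    gate.authorize("bob", "bulk_export", "records", approver="carol")  # allowed: distinct, entitled approver
    for entry in gate.audit:
        print(f"{entry.when} {entry.actor:6} {entry.action:12} {entry.target:8} "
              f"{'ALLOW' if entry.allowed else 'DENY ':5} {entry.reason}"
              + (f" (approver={entry.approver})" if entry.approver else ""))
```

The design choice worth noting is that denials are logged alongside approvals: a single insider who probes for what they can get away with leaves a trail of named, timestamped refusals, which is exactly what the answer's "good managers who can spot trouble" need to see.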