Saturday, March 08, 2008

Network Security Monitoring for Fraud, Waste, and Abuse

Recently a blog reader asked the following:

You frequently mention "fraud, waste, and abuse" in your writing (for example), most often to say that NSM is not intended to address FWA. One thing I've been wondering though--why is fraud in there? I can see waste (employee burning time/resources on ESPN.com or Google Video) or abuse (pornography, etc), but Fraud seems to be in a different class. If someone is using the network to commit a crime, why shouldn't that be in scope? Indeed, preventing loss (monetary, reputational, of intellectual property) is really the bottom line for a strong security program, correct?

My stance on this question dates back to my days in the AFCERT. Let me explain by starting with some definitions from AFI90-301 (.pdf):

Fraud: Any intentional deception designed to unlawfully deprive the Air Force of something of value or to secure from the Air Force for an individual a benefit, privilege, allowance, or consideration to which he or she is not entitled. Such practices include, but are not limited to:

  1. The offer, payment, acceptance of bribes or gratuities, or evading or corrupting inspectors of other officials.

  2. Making false statements, submitting false claims or using false weights or measures.

  3. Deceit, either by suppressing the truth or misrepresenting material facts, or to deprive the Air Force of something of value.

  4. Adulterating or substituting materials, falsifying records and books of accounts.

  5. Conspiring to carry out any of the above actions.

  6. The term also includes conflict of interest cases, criminal irregularities, and the unauthorized disclosure of official information relating to procurement and disposal matters.

For purposes of this instruction, the definition can include any theft or diversion of resources for personal or commercial gain.

Waste: The extravagant, careless, or needless expenditure of Air Force funds or the consumption of Air Force property that results from deficient practices, systems controls, or decisions. The term also includes improper practices not involving prosecutable fraud.

Abuse: Intentional wrongful or improper use of Air Force resources. Examples include misuse of rank, position, or authority that causes the loss or misuse of resources such as tools, vehicles, computers, or copy machines.


Given these definitions, the first reason I do not think counter-FWA is an appropriate NSM mission is the identification of these actions. Security analysts perform NSM. Security analysts are not human resources, legal, privacy, financial audit, or police personnel. Trying to identify FWA (aside from the obvious, like wasting bandwidth or visiting pornography sites) is outside the scope of the security analyst's profession. If any of the aforementioned parties want to use some content inspection method to identify FWA, that's their job. Security analysts are generally tasked with identifying violations of confidentiality, integrity, and availability.

Second, in many organizations the inclusion of FWA would crowd out other security tasks. I have heard of some monitoring shops who do nothing but FWA because the volume of inappropriate activity seems to dwarf traditional security concerns. I think that is a poor allocation of resources.

Third, I think NSM for FWA is shaky on privacy grounds. Employees really have no expectation of privacy in the workplace, but the degree of monitoring required to identify non-obvious FWA is very invasive. Security analysts avoid reading email and reconstructing Web pages, but FWA investigations essentially rely on that very task. FWA is seldom easily detected using alert-based mechanisms, so identifying real FWA can turn into a fishing expedition where all content is analyzed in the "hope" of finding something bad. I think this is a waste of resources as well.

Having said that, in some cases NSM data can be used to support FWA tasks. However, I do not think FWA investigation should be a routine part of NSM operations.

What do you think?

5 comments:

Anonymous said...

Good post, thanks. I think your last sentence is probably critical... Most of us would probably agree that NSM's primary function shouldn't be to combat FWA. However, since many information security departments are tasked with carrying out investigations at the request of HR, legal, etc, it is simply practical to use the tools at our disposal to conduct these investigations as efficiently as possible. If an NSM sensor can help do that, it should be used.

Kevin A. Estis said...

I think that most in the industry, not just IA but incident response, would say that support of FWA issues has become more and more part of the day-to-day activities we must execute; at least that has been my experience. With the integration of activity monitoring applications (web proxies monitoring the list of sins, etc.) with application firewalls, etc. it seems inevitable that this will continue as it allows non-IA people to look at the alerts/capabilities and think, "hey, this way the incident response team can help us keep tabs on this." Back to the churn of identifying what incident response "is" vs what it "isn't" vs what it "should be".....

Dutcher Stiles said...

How would you distinguish between the "insider threat" and "fraud, waste, and abuse"?

Is there a correlation between the poor match of NSM as a tool to fight FWA, and your minimization of the impact of the "insider threat"?

Richard Bejtlich said...

Dutcher Stiles,

Nice try. I worry about insider threats that try to compromise CIA, not surf pr0n. I also do not minimize the "impact of the insider threat." I've often said the impact of the insider threat is greater than other threats, but the rate of occurrence is much lower than what the media and "conventional wisdom" would have us believe.

If you think NSM is a "poor match... to fight FWA" you have probably never watched network traffic.

Marcin Antkiewicz said...

You might find http://blogs.forrester.com/srm/2008/02/what-can-cisos.html relevant.