Abstract
Insider threats pose significant security risks to IT systems, so we ask what policy-based approaches to access control can do for the detection, mitigation or countering of insider threats and insider attacks. Answering this question is difficult: little public data about insider-threat cases is available; there is not much consensus about what the insider problem actually is; and previous research in access control has, by and large, not dealt with this issue. We explore existing notions of insiderness in order to identify the relevant research issues. We then formulate a set of requirements for next-generation access-control systems, whose realization might form part of an overall strategy to address the insider problem.
References
Bishop, M., S. Engle, S. Peisert, S. Whalen, and C. Gates, Case Studies of an Insider Framework, Proc. of Hawaii International Conference on System Sciences, pp. 1–10, IEEE Computer Society Press, 2009.
Bishop, M., D. Gollmann, J. Hunker, and C. W. Probst, Countering Insider Threats, Dagstuhl Seminar 08302, Leibniz Center for Informatics, 18 pp., Dagstuhl Seminar Proceedings, ISSN 1862-4405, July 2008.
Bishop, M., Panel: The Insider Problem Revisited, Proc. of NSPW 2005, ACM Press, 2006.
Brackney, R., and R. Anderson, Understanding the Insider Threat, Proc. of a March 2004 Workshop, RAND Corp., Santa Monica, California, March 2004.
Bruns, G., and M. Huth, Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis, Proc. of CSF 2008, pp. 163–178, IEEE Computer Society Press, 2008.
Bruns, G., D. S. Dantas, and M. Huth, A Simple and Expressive Semantic Framework for Policy Composition in Access Control, Proc. of FMSE 2007, pp. 12–21, ACM Press, 2007.
Chakraborty, S. and I. Ray, TrustBAC: Integrating Trust Relationships into the RBAC Model for Access Control in Open Systems, Proc. of SACMAT ’06, pp. 49–58, ACM Press, 2006.
Cheng, P.-C., P. Rohatgi, C. Keser, P. A. Karger, and G. M. Wagner, Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control, IBM Research Report RC24190 (W0702-085), Computer Science, February 2007.
Cook, B., A. Podelski, and A. Rybalchenko, Terminator: Beyond Safety, Proc. of CAV’06, LNCS 4144, pp. 415–418, Springer, 2006.
Cranor, L. F. and S. Garfinkel (editors), Security and Usability: Designing Secure Systems That People Can Use, O’Reilly, California, August 2005.
Department of Defense Trusted Computer System Evaluation Criteria, Technical Report DoD 5200.28-STD, US Department of Defense, 1985.
Hoffman, K., D. Zage, and C. Nita-Rotaru, A Survey of Attack and Defense Techniques for Reputation Systems, to appear in ACM Computing Surveys 41(4), December 2009.
Huth, M., A Simple Language for Policy Composition and Analysis, talk given at [2]. www.doc.ic.ac.uk/~mrh/talks/Dagstuhl08.pdf
Jackson, D., Software Abstractions: Logic, Language, and Analysis, MIT Press, 2006.
Jones, S. P., J.-M. Eber, and J. Seward, Composing Contracts: An Adventure in Financial Engineering (Functional Pearl), ACM SIGPLAN Notices 35(9): 280–292, ACM Press, 2000.
Lee, A. and T. Yu, Towards a Dynamic and Composable Model of Trust, Proc. of SACMAT’09, pp. 217–226, ACM Press, 2009.
Locasto, M. E., K. Wang, A. D. Keromytis, and S. J. Stolfo, FLIPS: Hybrid Adaptive Intrusion Prevention, in: Recent Advances in Intrusion Detection, LNCS 3858, pp. 82–101, Springer, 2006.
Moore, A. P., D. M. Cappelli, and R. F. Trzeciak, The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures, Technical Report CMU/SEI-2008-TR-009, ESC-TR-2008-009, Carnegie Mellon University, May 2008.
The New York Times, French Bank Says Rogue Trader Lost $7 Billion, 25 January 2008.
Patzakis, J., New Incident Response Best Practice: Patch and Proceed is No Longer Acceptable Incident Response Procedure, Guidance Software, Pasadena, California, September 2003.
Park, J., and R. S. Sandhu, The UCONABC Usage Control Model, ACM Trans. Inf. Syst. Secur. 7(1): 128–174, ACM Press, 2004.
Park, J. S. and J. Giordano, Role-Based Profile Analysis for Scalable and Accurate Insider-Anomaly Detection, Proc. of IPCCC’06, 2006.
Park, J. S. and J. Giordano, Access Control Requirements for Preventing Insider Threats, Proc. of ISI’06, LNCS 3975, pp. 529–534, Springer, 2006.
Probst, Ch. W., R. R. Hansen, and F. Nielson, Where Can an Insider Attack?, Proc. of FAST’06, LNCS 4691, pp. 127–142, Springer, 2006.
Probst, Ch. W. and J. Hunker, The Risk of Risk Analysis and its Relation to the Economics of Insider Threats, Proc. of the Eighth Workshop on the Economics of Information Security (WEIS 2009), June 2009.
Sandhu, R. S., E. J. Coyne, H. L. Feinstein, and C. E. Youman, Role-Based Access Control Models, IEEE Computer 29(2): 38–47, 1996.
Viega, J. and G. McGraw, Building Secure Software, Addison-Wesley Professional Computing Series, 2002.
Copyright information
© 2010 Springer Science+Business Media, LLC
Cite this chapter
Crampton, J., Huth, M. (2010). Towards an Access-Control Framework for Countering Insider Threats. In: Probst, C., Hunker, J., Gollmann, D., Bishop, M. (eds) Insider Threats in Cyber Security. Advances in Information Security, vol 49. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-7133-3_8
DOI: https://doi.org/10.1007/978-1-4419-7133-3_8
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-7132-6
Online ISBN: 978-1-4419-7133-3