basis of our model is capturing any unauthorized change in the Protection State.
The malicious insider is any authorized user that utilizes inherent insider trusts
to intentionally harm or alter the Protection State of the information system.
Because the action must be intentional, this model does not view a user that
accidentally opens an attachment and launches a virus to be a malicious insider.
Conversely, an individual who gains administrative rights and purposely deletes
files is a malicious insider.
3.1 Model Implementation
The malicious insider is therefore someone who violates the Protection State of
the system and is depicted as the root node of the tree representation, as shown
in Fig. 1. The four subordinate nodes are the specific types of actions a malicious
insider may perform. It is possible to categorize any event into one of the four
distinct actions through analysis of the Protection State. Because the Protection
State is composed of system rights and we are focusing on the insider, we are
interested in how a user can cause a change in the state. By definition of the
Protection State, the possible ways this can occur can be defined as:
1. Change another user or object's rights (Alteration)
2. Leak user or object information to an unauthorized entity (Distribution)
3. Obtain protected information about another user or object (Snooping)
4. Change the rights on themselves (Elevation)
Each activity is considered unauthorized if it violates organization policy or
system access controls. These actions capture the possible malicious events that
can produce a transition in the Protection State.
[Figure: tree with root node "Malicious Insider"; under the label ACTIONS, four child nodes: Alteration, Distribution, Snooping, Elevation]
Fig. 1. The four actions represented in the first hierarchy of the tree
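The following is an added example, not part of the original text, of how events could be sorted into the four actions by checking them against the Protection State. It assumes the state is an access-control matrix with hypothetical `own`/`read`/`write` rights, that only an object's owner may change rights on it or delete it, and that intent has been established separately; all names and sample events are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Protection State modelled as an access-control matrix (an assumption):
# (subject, object) -> set of rights. Constructed sample data.
STATE = {
    ("alice", "payroll.db"): {"own", "read", "write"},
    ("bob", "payroll.db"): {"read"},
}

@dataclass
class Event:
    actor: str                       # authorized user performing the action
    op: str                          # "set_rights", "delete", "read", "send"
    obj: str                         # object acted on
    subject: Optional[str] = None    # whose rights change (set_rights)
    recipient: Optional[str] = None  # who receives the data (send)

def rights(state, subject, obj):
    return state.get((subject, obj), set())

def classify(state, ev):
    """Return the action category, or None if `state` permits the event."""
    held = rights(state, ev.actor, ev.obj)
    if ev.op == "set_rights":
        if "own" in held:            # assumed rule: owners manage rights
            return None
        # Own rights changed -> Elevation; someone else's -> Alteration.
        return "Elevation" if ev.subject == ev.actor else "Alteration"
    if ev.op == "delete":            # removing an object changes its state
        return None if "own" in held else "Alteration"
    if ev.op == "read":
        return None if "read" in held else "Snooping"
    if ev.op == "send":              # leak to an entity without read rights
        entitled = "read" in rights(state, ev.recipient, ev.obj)
        return None if entitled else "Distribution"
    raise ValueError(f"unknown operation: {ev.op}")

# Constructed audit events for a hypothetical user "mallory".
EVENTS = [
    Event("mallory", "set_rights", "payroll.db", subject="mallory"),
    Event("mallory", "set_rights", "payroll.db", subject="bob"),
    Event("mallory", "read", "payroll.db"),
    Event("bob", "send", "payroll.db", recipient="mallory"),
]

def triage(state, events):
    """Return (actor, category) for every event that violates the state."""
    return [(e.actor, c) for e in events if (c := classify(state, e))]
```

The classifier checks authorization only; whether an unauthorized event was intentional, which the model requires before calling the user a malicious insider, has to be judged outside this code.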
Alteration. Alteration encompasses modifying the information system structure
in any unauthorized manner. The system structure is the collection of resources
that comprise an information system, which includes computers, files, a
user's rights or any other asset on the system that supports system functionality.
The action of Alteration occurs when a malicious insider changes a user or
object from one state to another in an unauthorized way. A case to represent
this could be a user deleting a file from the system to purposely deny access or
intentionally launching a virus that corrupts entities on the system.