Distribution. Distribution captures the transfer of protected information to an unauthorized entity. This occurs when a user has appropriate system rights and a need to know, such as accessing a file. The violation of the Protection State in Distribution occurs when a right or entity is transferred to someone or something that is not supposed to have them. The case of a user emailing a file to an unauthorized individual is an example of Distribution. This action can be the most difficult to detect because it typically mirrors normal activities. The malicious insider can be very evasive using this action because they may or may not be bound to a specific time constraint.
Snooping. Snooping addresses obtaining unauthorized information on a user or object. This action is similar to Distribution except the user has appropriate system rights without a need to know. This takes place when a user has permissions by the system access controls but the event should not take place because it violates organization policy. An example of this is an individual with administrative privileges who opens and reads another user's email in an attempt to gain information. Because they have accessed something their rights permit but organization policy states should be disallowed, they have violated the Protection State through Snooping.
Elevation. Elevation takes place when a user obtains unauthorized rights in the system. A classic example of this is someone trying to acquire administrative privileges. There are many different ways a malicious insider may try to accomplish this, from automated attacks to social engineering. Elevation addresses the notion of the malicious insider changing their permissions and encompasses the attempt to garner any rights that are not already allowed as defined by the Protection State.
3.2 Example
This model ensures every activity of the malicious insider can be specifically
categorized in the context of the Protection State. This principle establishes the
underlying framework that is necessary for identifying the malicious insider in a
deterministic fashion. The distinction that each activity can be captured by one
specific action is an important and definitive concept.
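The categorization claim above, as an added Python sketch that is not from the paper: the Protection State is modelled as a set of (subject, object, right) triples plus a separate need-to-know relation, and each event is mapped to exactly one action. The mapping of the four actions to these checks, the Alteration rule (an unsanctioned structural change by a rights holder), and the state and account names are assumptions; the final "send" event extends the Mallory scenario this section goes on to describe.

```python
from dataclasses import dataclass

@dataclass
class ProtectionState:
    rights: set        # (subject, object, right) triples the access controls grant
    need_to_know: set  # (subject, object) pairs that organization policy sanctions
    authorized: set    # (entity, object) pairs allowed to receive that object

@dataclass
class Event:
    actor: str
    kind: str           # "assume", "read", "send" or "delete"
    obj: str
    target: str = None  # account assumed, or recipient of a "send"

def classify(state, ev):
    """Name the action that violates the Protection State ("None" if none) and apply the transition."""
    if ev.kind == "assume":  # actor takes over another account's rights (assumed model of Elevation)
        gained = {(ev.actor, o, r) for (s, o, r) in state.rights if s == ev.target}
        elevated = not gained <= state.rights  # any right not already held by the actor
        state.rights |= gained
        return "Elevation" if elevated else "None"
    needed = "admin" if ev.kind == "delete" else "read"
    if (ev.actor, ev.obj, needed) not in state.rights:
        return "Denied"  # access controls block it, so no transition occurs
    sanctioned = (ev.actor, ev.obj) in state.need_to_know
    if ev.kind == "read":  # rights without need to know is Snooping
        return "None" if sanctioned else "Snooping"
    if ev.kind == "send":  # rights and need to know, but an unauthorized recipient
        ok = sanctioned and (ev.target, ev.obj) in state.authorized
        return "None" if ok else ("Distribution" if sanctioned else "Snooping")
    if ev.kind == "delete":  # assumed rule: unsanctioned change to system structure
        state.rights = {t for t in state.rights if t[1] != ev.obj}
        return "None" if sanctioned else "Alteration"
    raise ValueError(f"unknown event kind {ev.kind}")

def mallory_scenario():
    state = ProtectionState(  # constructed state: Mallory legitimately holds only a memo
        rights={("alice", "alice_mail", "read"), ("admin", "alice_mail", "admin"),
                ("admin", "secure_doc", "read"), ("mallory", "memo", "read")},
        need_to_know={("alice", "alice_mail"), ("admin", "alice_mail"), ("mallory", "memo")},
        authorized={("alice", "memo")},
    )
    events = [
        Event("mallory", "assume", "admin_account", target="admin"),  # compromised password
        Event("mallory", "delete", "alice_mail"),
        Event("mallory", "read", "secure_doc"),
        Event("mallory", "send", "memo", target="bob"),  # extends the page's scenario
    ]
    return [classify(state, e) for e in events]
```

Each event yields exactly one label, and the Elevation transition is what later lets the read and delete pass the access-control check while still violating policy.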
It is perhaps best to explore this notion through a practical example. If Mallory compromises an administrative password and then deletes Alice's email account, transitions to the Protection State take place. Mallory is a malicious insider because her activities were intentional and deliberate. In this scenario there are two distinct actions that occur to violate the Protection State and subsequently there are two transitions of the Protection State. The initial violation is through Elevation by gaining access to the administrator account. The second violation is by Alteration in destroying an email account and changing the system structure. Additionally, if Mallory then accesses a secure document another violation has occurred. Initially, when she captures the password through Elevation the Protection State has changed to allow her permission to the file. Although