Much research in computer security has focused on approaches for preventing unauthorized and illegitimate access to systems and information. However, one of the most damaging malicious activities is the result of internal misuse within an organization. This may be because much of the attention has been focused on preventative measures against computer viruses, worms, trojans, hackers, rootkits, spyware, key recovery attacks, denial-of-service attacks, malicious software (or malware), probes, etc. such that far less attention has been focused inward.
Insider threats generally include masqueraders and/or traitors. Masqueraders generally include attackers that impersonate another inside user, while traitors generally include inside attackers that use their own legitimate credentials to attain illegitimate goals. In addition, some external attackers can become inside attackers when, for example, an external attacker gains internal network access. For example, external attackers can gain access to an internal network with the use of spyware or rootkits. Such software can be easily installed on computer systems from physical or digital media (e.g., email, downloads, etc.) and can provide an attacker with administrator or “root” access on a machine along with the capability of gathering sensitive data. In particular, the attacker can snoop or eavesdrop on a computer or a network, download and exfiltrate data, steal assets and information, destroy critical assets and information, and/or modify information. Rootkits have the ability to conceal themselves and elude detection, especially when the rootkit is previously unknown, as is the case with zero-day attacks. An external attacker that manages to install a rootkit internally in effect becomes an insider, thereby multiplying the ability to inflict harm.
One approach to prevent inside attacks generally involves policy-based access control techniques that limit the scope of systems and information an insider is authorized to use, thereby limiting the damage the organization can incur when an insider goes awry. Despite these general operating system security mechanisms and the specification of security and access control policies, such as the Bell-LaPadula model and the Clark-Wilson model, the insider attacker problem is extensive. For example, in many cases, formal security policies are incomplete and implicit or they are purposely ignored in order to achieve business goals. In fact, the annual Computer Crime and Security Survey for 2007, which surveyed 494 security personnel members from corporations and government agencies within the United States, found that insider incidents were cited by about 59 percent of respondents, while only about 52 percent had encountered a conventional virus in the previous year. Other approaches have been made that attempt to address these problems. However, these approaches merely perform a forensics analysis after an insider attack has occurred.
It should also be noted that, with the advent of wireless networking, the ubiquity of wireless networking exposes information to threats that are difficult to detect and defend against. Even with the latest advances aimed at securing wireless communications and the efforts put forth into protecting wireless networking, compromises still occur that allow sensitive information to be recorded, exfiltrated, and/or absconded. Secure protocols exist, such as WiFi Protected Access 2 (WPA2), that can help in preventing network compromise, but, in many cases, such protocols are not used for reasons that may include cost, complexity, and/or overhead. In fact, the 2008 RSA Wireless Security Survey reported that only 49% of corporate access points in New York, N.Y. and 48% in London, England used advanced security. Accordingly, many wireless networks remain exposed despite the existence of these secure protocols.
Moreover, one of the benefits of WiFi is the seemingly boundless, omnipresent signal. However, this broad transmission radius is also one of its greatest risks. The broadcast medium on which the suite of 802.11 protocols are based makes then particularly difficult to secure. In general, there is little than can be done to detect passive eavesdropping on networks. This problem is exacerbated with WiFi due to the range of the signal.
There is therefore a need in the art for approaches that bait inside attackers using decoy information. Accordingly, it is desirable to provide methods, systems and media that overcome these and other deficiencies of the prior art.