• Semantics of authorized access

  • Automated, dynamic revocation of privileges

  • Profiling patterns of user behavior

  • Response approaches (automated, recovery, reconstitution)

  • Application-based intrusion detection

  • Instrumentation of commercial off-the-shelf (COTS) applications

  • Continuous biometrics

  • Software for monitoring the system administrator

  • Component verification

  • Fingerprinting of documents

  • Tagging technologies

A Rand workshop in August of 20006 on the insider threat generated the following as the top research areas to which attention should be devoted in the next two to five years:

  • Survivable architecture frameworks

  • Differential access controls

  • Provenance

  • Mobile code (protect code from attack as well as systems from malicious code)

It was emphasized repeatedly that the insider threat and cyber-security problem is not merely a technological one. Good policies and policy enforcement are also necessary. Research is needed in how to define, describe, manage, and manipulate security policies. Systems can be abused through both bad policy and bad enforcement. Tools are needed to make setting and enforcing policy easier.

Another issue raised was the question of how to begin focusing security techniques at the application level, both centralized and distributed. Application-level audits to examine usage patterns (presuming that normal use of a particular application is well-defined) could be integrated with other kinds of audits to provide a more robust picture of system usage. In addition, a list of applications that are most often exploited by insiders could be used to provide guidance as to where attention should be focused. On the other hand, this runs the risk of an escalating ‘arms race’ as attackers become aware of the common knowledge and then focus their attentions elsewhere.

A particularly useful area of investigation would be to gain a more complete understanding of what sophisticated and successful system administrators do to protect their systems. Encapsulating that knowledge and codifying it somehow would provide insight into what the best kinds of defense are. Participants also noted that adding to system administrators’ security knowledge and overall resources would strengthen systems security.

Meeting participants emphasized that progress on this issue will be made only when researchers move beyond thinking about how to protect systems against relatively


The proceedings of this workshop are available at http://www.rand.org/publications/CF/CF163/.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement