In 2017, the United States Department of Homeland Security designated elections equipment as critical infrastructure. Poll workers play a crucial role in safeguarding election security and integrity and are responsible for administering an election at the more than 100,000 polling places needed during an election cycle, oftentimes interacting with, and having unsupervised access to, elections equipment. This paper examines the utility of training poll workers to mitigate potential cyber, physical, and insider threats that may emerge during U.S. elections through an analysis of the relationship between poll worker training performance and their individual cybersecurity practices. Specifically, we measure a poll worker’s personal cybersecurity behavior using the Security Behaviors and Intentions Scale (SeBIS) and statistically examine this measure to their performance on three poll worker election security training modules, along with quizzes to assess poll workers' knowledge. The results indicate that a poll worker’s personal security behaviors related to Device Securement, Password Generation, and Proactive Awareness have a positive relationship with poll workers' knowledge of the threats related to election equipment and processes. k-means analysis shows that educated poll workers and those who have strong device security personal behaviors tend to score better on the poll worker training quizzes; Device Securement was also the greatest driver of the relationship between individual security behaviors and poll worker threat knowledge. These findings have implications for election security policies, emphasizing the need for election officials and managers to prioritize Device Securement and Proactive Awareness in poll worker training initiatives to enhance election security.
Authored by Abigail Kassel, Isabella Bloomquist, Natalie Scala, Josh Dehlinger
Ongoing national discourse and legal proceedings on the security and integrity of election and voting processes has focused significant scrutiny on the methods, processes, and people involved in administering this vital piece in our democracy. The COVID-19 pandemic necessitated the broadening of vote-by-mail opportunities for constituents to allow for safe and accessible access to cast a ballot. For example, in Maryland, nearly half of the more than 3 million voters (74.5% of the eligible voters) cast their ballot using Maryland’s vote-by-mail option in the 2020 General Election[1], and 27% of the nearly 2 million voters (47.4% of the eligible voters) utilized Maryland’s vote-by-mail option in the 2022 General Election[2].  Maryland residents can also to permanently choose to vote by mail, receiving a ballot for each election.  In recognition that election and voting processes and equipment security and integrity are of “vital national interest”[3], the U.S. Department of Homeland Security (DHS) labeled them as critical infrastructure within the Government Facilities sector in 2017. The nearly 1 million poll workers needed nationwide to administer a General Election are oftentimes the first line of defense in maintaining the integrity and security of elections. This paper extends our prior work reported in the Baltimore Business Review – A Maryland Journal that analyzed the cyber, physical, and insider threats in various in-person voting processes and equipment and developed poll worker training modules for those threats in partnership with Maryland Boards of Elections. Specifically, this paper further contributes to improving the security and integrity of election infrastructure through cyber, physical, and insider threat training for poll workers explicitly for the vote-by-mail processes. Specifically, this paper details the design, validation, and dissemination of a vote-by-mail threat training module. [1] https://elections.maryland.gov/press_room/2020_stats/Nov%203%20Election%20Report_Final.pdf [2] https://www.elections.maryland.gov/about/documents/03a_Administrators%20Report_December_2022.pdf[3] https://www.dhs.gov/topics/election-security
Authored by Vanessa Gregorio, Josh Dehlinger, Natalie Scala
The security concerns surrounding the 2016 and 2020 United States Presidential Elections have underscored the critical importance of election security, prompting a renewed emphasis on preventing, detecting, and mitigating emerging threats associated with election infrastructure. With their pivotal role as the first line of defense on Election Day, poll workers bear the responsibility of identifying and thwarting any potential threats that may arise. Moreover, they possess unsupervised access to the U.S. critical infrastructure elections equipment at polling places and are entrusted with administering the election processes at their local precincts. However, despite their crucial role, poll workers receive minimal, if any, specific training on security threats prior to elections. To address this gap, this research investigates poll worker threat awareness through developing, piloting, and empirically evaluating online training modules aimed at teaching poll workers to identify and mitigate potential cyber, physical, and insider threats that may arise prior to, and on, Election Day. Through statistical analysis of a pre-post-test study involving eligible and current poll workers, this research demonstrates the effectiveness of these training modules to significantly enhance poll workers' understanding of cyber, physical, and insider threats associated with the processes of three critical areas in voting: electronic pollbooks, the scanning unit, and provisional voting. The implications of this work emphasize the need for resources for election officials and managers to provide effective and comprehensive poll worker training and, thus, ensure the security and integrity of U.S. election processes.
Authored by
Network Reconnaissance - With increasing number of data thefts courtesy of new and complex attack mechanisms being used everyday, declaring the internet as unsafe would be the understatement of the century. For current security experts the scenario is equivalent to an endless cat-and-mouse game across a constantly changing landscape. Hence relying on firewalls and anti-virus softwares is like trying to fight a modern, well-equipped army using sticks and stones. All that an attacker needs to successfully breach our system is the right social networking or the right malware used like a packing or encoding technique that our tools won’t detect. Therefore it is the need of the hour to shift our focus beyond edge defense, which largely involves validating the tools, and move towards identification of a breach followed by an appropriate response. This is achieved by implementing an ethereal network which is an end-to-end host and network approach that can actually scale as well as provide true breach detection. The objective is not just blocking; it is significant time reduction. When mundane methods involving firewalls and antiviruses fail, we need to determine what happened and respond. Any industry report uses the term weeks, months, and even years to determine the time of response, which is not good enough. Our goal is to bring it down to hours. We are talking about dramatic time reduction to improve our response, hence an effective breach detection approach is mandatory. A MHN (Modern Honey Network) with a honeypot system has been used to make management and deployment easier and to secure the honeypots. We have used various honeypots such as Glastopf, Dionaea honeypots, Kippo. The dubious activity will be recorded and the attacks details detected in MHN server. The final part of our research is reconnaissance. Since it can be awfully complicated we simplify the process by having our main focus on reconnaissance. Because if a malware or an insider threat breaks into something, they don’t know what they now have access to. This makes them feel the need to do reconnaissance. So, focusing on that behaviour provides us a simple way to determine that we have some unusual activity - whether it is an IOT device that has been compromised or whatever it may be, that has breached our network. Finally we deploy MHN, deploy Dionaea, Kippo, Snort honeypots and Splunk integration for analyzing the captured attacks which reveals the service port under attack and the source IP address of the attacker.
Authored by Sourav Mishra, Vijay Chaurasiya
Insider Threat - Compare to outside threats, insider threats that originate within targeted systems are more destructive and invisible. More importantly, it is more difficult to detect and mitigate these insider threats, which poses significant cyber security challenges to an industry control system (ICS) tightly coupled with today’s information technology infrastructure. Currently, power utilities rely mainly on the authentication mechanism to prevent insider threats. If an internal intruder breaks the protection barrier, it is hard to identify and intervene in time to prevent harmful damage. Based on the existing in-depth security defense system, this paper proposes an insider threat protection scheme for ICSs of power utilities. This protection scheme can conduct compliance check by taking advantage of the characteristics of its business process compliance and the nesting of upstream and downstream business processes. Taking the Advanced Metering Infrastructures (AMIs) in power utilities as an example, the potential insider threats of violation and misoperation under the current management mechanism are identified after the analysis of remote charge control operation. According to the business process, a scheme of compliance check for remote charge control command is presented. Finally, the analysis results of a specific example demonstrate that the proposed scheme can effectively prevent the consumers’ power outage due to insider threats.
Authored by Qingqing Chen, Mi Zhou, Ziwen Cai, Sheng Su
Insider Threat - Insider threats have high risk and concealment characteristics, which makes traditional anomaly detection methods less effective in insider threat detection. Existing detection methods ignore the logical relationship between user behaviors and the consistency of behavior sequences among homogeneous users, resulting in poor model effects. We propose an insider threat detection method based on internal user heterogeneous graph embedding. Firstly, according to the characteristics of CERT data, comprehensively consider the relationship between users, the time sequence, and logical relationship, and construct a heterogeneous graph. In the second step, according to the characteristics of heterogeneous graphs, the embedding learning of graph nodes is carried out according to random walk and Word2vec. Finally, we propose an Insider Threat Detection Design (ITDD) model which can map and the user behavior sequence information into a high-dimensional feature space. In the CERT r5.2 dataset, compared with a variety of traditional machine learning methods, the effect of our method is significantly better than the final result.
Authored by Chaofan Zheng, Wenhui Hu, Tianci Li, Xueyang Liu, Jinchan Zhang, Litian Wang
Insider Threat - Web services are growing demand with fundamental advancements and have given more space to researchers for improving security of all real world applications. Accessing and get authenticated in many applications on web services, user discloses their password and other privacy data to the server for authentication purposes. These shared information should be maintained by the server with high security, otherwise it can be used for illegal purposes for any authentication breach. Protecting the applications from various attacks is more important. Comparing the security threats, insider attacks are most challenging to identify due to the fact that they use the authentication of legitimate users and their privileges to access the application and may cause serious threat to the application. Insider attacks has been studied in previous researchers with different security measures, however there is no much strong work proposed. Various security protocols were proposed for defending insider attackers. The proposed work focused on insider attack protection through Elgamal cryptography technique. The proposed work is much effective on insider attacks and also defends against various attacks. The proposed protocol is better than existing works. The key computation cost and communication cost is relatively low in this proposed work. The proposed work authenticates the application by parallel process of two way authentication mechanism through Elgamal algorithm.
Authored by Sai Vemuri, Gogineni Chaitanya
Insider Threat - Among the greatest obstacles in cybersecurity is insider threat, which is a well-known massive issue. This anomaly shows that the vulnerability calls for specialized detection techniques, and resources that can help with the accurate and quick detection of an insider who is harmful. Numerous studies on identifying insider threats and related topics were also conducted to tackle this problem are proposed. Various researches sought to improve the conceptual perception of insider risks. Furthermore, there are numerous drawbacks, including a dearth of actual cases, unfairness in drawing decisions, a lack of self-optimization in learning, which would be a huge concern and is still vague, and the absence of an investigation that focuses on the conceptual, technological, and numerical facets concerning insider threats and identifying insider threats from a wide range of perspectives. The intention of the paper is to afford a thorough exploration of the categories, levels, and methodologies of modern insiders based on machine learning techniques. Further, the approach and evaluation metrics for predictive models based on machine learning are discussed. The paper concludes by outlining the difficulties encountered and offering some suggestions for efficient threat identification using machine learning.
Authored by Nagabhushana Babu, M Gunasekaran
Insider Threat - In recent years, data security incidents caused by insider threats in distributed file systems have attracted the attention of academia and industry. The most common way to detect insider threats is based on user profiles. Through analysis, we realize that based on existing user profiles are not efficient enough, and there are many false positives when a stable user profile has not yet been formed. In this work, we propose personalized user profiles and design an insider threat detection framework, which can intelligently detect insider threats for securing distributed file systems in real-time. To generate personalized user profiles, we come up with a time window-based clustering algorithm and a weighted kernel density estimation algorithm. Compared with non-personalized user profiles, both the Recall and Precision of insider threat detection based on personalized user profiles have been improved, resulting in their harmonic mean F1 increased to 96.52\%. Meanwhile, to reduce the false positives of insider threat detection, we put forward operation recommendations based on user similarity to predict new operations that users will produce in the future, which can reduce the false positive rate (FPR). The FPR is reduced to 1.54\% and the false positive identification rate (FPIR) is as high as 92.62\%. Furthermore, to mitigate the risks caused by inaccurate authorization for users, we present user tags based on operation content and permission. The experimental results show that our proposed framework can detect insider threats more effectively and precisely, with lower FPR and high FPIR.
Authored by Wu Xin, Qingni Shen, Ke Feng, Yutang Xia, Zhonghai Wu, Zhenghao Lin
Insider Threat - A malicious insider threat is more vulnerable to an organization. It is necessary to detect the malicious insider because of its huge impact to an organization. The occurrence of a malicious insider threat is less but quite destructive. So, the major focus of this paper is to detect the malicious insider threat in an organization. The traditional insider threat detection algorithm is not suitable for real time insider threat detection. A supervised learning-based anomaly detection technique is used to classify, predict and detect the malicious and non-malicious activity based on highest level of anomaly score. In this paper, a framework is proposed to detect the malicious insider threat using supervised learning-based anomaly detection. It is used to detect the malicious insider threat activity using One-Class Support Vector Machine (OCSVM). The experimental results shows that the proposed framework using OCSVM performs well and detects the malicious insider who obtain huge anomaly score than a normal user.
Authored by G. Padmavathi, D. Shanmugapriya, S. Asha
Insider Threat - This paper deals with how to implement a system that extends insider threat behavior data using private blockchain technology to overcome the limitations of insider threat datasets. Currently, insider threat data is completely undetectable in existing datasets for new methods of insider threat due to the lack of insider threat scenarios and abstracted event behavior. Also, depending on the size of the company, it was difficult to secure a sample of data with the limit of a small number of leaks among many general users in other organizations. In this study, we consider insiders who pose a threat to all businesses as public enemies. In addition, we proposed a system that can use a private blockchain to expand insider threat behavior data between network participants in real-time to ensure reliability and transparency.
Authored by Wonseok Yoon, Hangbae Chang
Insider Threat - This paper discusses the outcome of combining insider threat agent taxonomies with the aim of enhancing insider threat detection. The objectives sought to explore taxonomy combinations and investigate threat sophistication from the taxonomy combinations. Investigations revealed the plausibility of combining the various taxonomy categories to derive a new taxonomy. An observation on category combinations yielded the introduction of the concept of a threat path. The proposed taxonomy tree consisted of more than a million threat-paths obtained using a formula from combinatorics analysis. The taxonomy category combinations thus increase the insider threat landscape and hence the gap between insider threat agent sophistication and countermeasures. On the defensive side, knowledge of insider threat agent taxonomy category combinations has the potential to enhance defensive countermeasure tactics, techniques and procedures, thus increasing the chances of insider threat detection.
Authored by Sarathiel Chaipa, Ernest Ngassam, Singh Shawren
Insider Threat - Insider threats are steadily increasing, and the damage is also enormous. To prevent insider threats, security solutions, such as DLP, SIEM, etc., are being steadily developed. However, they have limitations due to the high rate of false positives. In this paper, we propose a data analysis method and methodology for responding to a technology leak incident. The future study may be performed based on the proposed methodology.
Authored by Jawon Kim, Hangbae Chang
Data leakage by employees is a matter of concern for companies and organizations today. Previous studies have shown that existing Data Leakage Protection (DLP) systems on the market, the more secure they are, the more intrusive and tedious they are to work with. This paper proposes and assesses the implementation of four technologies that enable the development of secure file systems for insider threat-focused, low-intrusive and user-transparent DLP tools. Two of these technologies are configurable features of the Windows operating system (Minifilters and Server Message Block), the other two are virtual file systems (VFS) Dokan and WinFsp, which mirror the real file system (RFS) allowing it to incorporate security techniques. In the assessment of the technologies, it was found that the implementation of VFS was very efficient and simple. WinFsp and Dokan presented a performance of 51% and 20% respectively, with respect to the performance of the operations in the RFS. This result may seem relatively low, but it should be taken into account that the calculation includes read and write encryption and decryption operations as appropriate for each prototype. Server Message Block (SMB) presented a low performance (3%) so it is not considered viable for a solution like this, while Minifilters present the best performance but require high programming knowledge for its evolution. The prototype presented in this paper and its strategy provides an acceptable level of comfort for the user, and a high level of security.
Authored by Isabel Montano, Isabel Díez, Jose Aranda, Juan Diaz, Sergio Cardín, Juan López
Critical infrastructure is a key area in cybersecurity. In the U.S., it was front and center in 1997 with the report from the President’s Commission on Critical Infrastructure Protection (PCCIP), and now affects countries worldwide. Critical Infrastructure Protection must address all types of cybersecurity threats - insider threat, ransomware, supply chain risk management issues, and so on. Unsurprisingly, in the past 25 years, the risks and incidents have increased rather than decreased and appear in the news daily. As an important component of critical infrastructure protection, secure supply chain risk management must be integrated into development projects. Both areas have important implications for security requirements engineering.
Authored by Nancy Mead
Smart cities deploy large numbers of sensors and collect a tremendous amount of data from them. For example, Advanced Metering Infrastructures (AMIs), which consist of physical meters that collect usage data about public utilities such as power and water, are an important building block in a smart city. In a typical sensor network, the measurement devices are connected through a computer network, which exposes them to cyber attacks. Furthermore, the data is centrally managed at the operator’s servers, making it vulnerable to insider threats.Our goal is to protect the integrity of data collected by large-scale sensor networks and the firmware in measurement devices from cyber attacks and insider threats. To this end, we first develop a comprehensive threat model for attacks against data and firmware integrity, which can target any of the stakeholders in the operation of the sensor network. Next, we use our threat model to analyze existing defense mechanisms, including signature checks, remote firmware attestation, anomaly detection, and blockchain-based secure logs. However, the large size of the Trusted Computing Base and a lack of scalability limit the applicability of these existing mechanisms. We propose the Feather-Light Blockchain Infrastructure (FLBI) framework to address these limitations. Our framework leverages a two-layer architecture and cryptographic threshold signature chains to support large networks of low-capacity devices such as meters and data aggregators. We have fully implemented the FLBI’s end-to-end functionality on the Hyperledger Fabric and private Ethereum blockchain platforms. Our experiments show that the FLBI is able to support millions of end devices.
Authored by Daniël Reijsbergen, Aung Maw, Sarad Venugopalan, Dianshi Yang, Tien Dinh, Jianying Zhou