Realizing and Mitigating the Insider Threat

Overview

Employees are considered a companies most valuable asset. However sometimes these assets, for a number of reasons, go rogue and can cause the company an astonishing level of damage both financially and socially. Sometimes this damage is irreparable. As companies continue to spend significant portions of their Information Security budget on external threats, they must at the same time be cognizant of the threat which exists from within; their own employees. This paper seeks to highlight the threats that exist from within the firewalls of a company and how companies can effectively monitor and deal with these threats.

Protecting sensitive information from unauthorized manipulation and disclosure by its insiders has become a major concern for organizations worldwide. Current and former employees, executives, contractors and other insiders pose a substantial threat due to their knowledge and authorized access to corporate internal systems and data. These individuals may act on their own driven by revenge or dissatisfaction with company management. Yet, many of the insider crimes are executed for financial gain in concert with outsiders such as identity thieves, organized crime groups or competitors.

On average more than 75% of corporate IT security budgets are directed toward protecting against external threats. This a bit ironic when one considers that in a 2005 Computer Security Institute/FBI Computer Crime and Security Study it was found that insiders were responsible for just as many incidents as outsiders. Also, at a point in time, it was determined that 80% of financial fraud was committed by insiders. Furthermore, identity theft and fraud are rampant today, costing firms in excess of the 2007 estimate of $45 billion. Yet, companies still spend more on external threats than they spend on internal threats. Why?

Does the Insider Threat exist?

A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator's termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company's server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.

An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer's computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company's web pages, changing text and inserting pornographic images. He also sent each of the company's customers an email message advising that the website had been hacked. Each email message also contained that customer's usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer.

Therefore, the answer to the question posed is an unequivocal yes, the insider threat does exist. These attacks are just a few examples of the types of attacks that can occur when a company is attacked by a once trusted employee. In order to truly recognize and mitigate the insider threat a company must understand the types of attacks that can occur, who might most likely perpetrate them and how to put measures in to effectively detect and mitigate the damage of a potential attack.

Types of Insider Threats

In a survey conducted by CERT, it was determined that there are three basic insider threat types. They are IT sabotage, theft of confidential or proprietary information and fraud. While these attacks occur fairly at the same rate, IT sabotage occurs more frequently compared to the others. IT sabotage is a threat to any organization that relies on an IT infrastructure for its business, regardless of the size or complexity of its use. In addition, many organizations regard theft of proprietary or confidential information as an insider threat. Also while fraud is not a risk for all organizations it still occurs and can have material consequences to an organization.

Who is the insider threat?

As it relates to the IT sabotage, it was determined that majority of the insiders who committed acts of sabotage were former employees who had held technical positions with the targeted organizations. The dangers posed by disgruntled technical staff, both before and after termination or other negative work related events, need to be recognized as potential threats for insider IT sabotage. In a study conducted by CERT, it was determined that negative work-related event triggered most insiders' actions. Also most of the insiders had acted out in a concerning manner in the workplace. The majority of insiders planned their activities in advance to committing them. Furthermore, when hired, the majority of insiders were granted system administrator or privileged access, but less than half of all of the insiders had authorized access at the time of the incident.

However, fraud and information theft indicates that organizations need to exercise some degree of caution with all employees. These types of attacks can be carried out by technical and non technical staff alike. Fraud and information theft unlike IT sabotage is not limited to a group of employees. For example with fraud, any employee with legitimate access to an information system is able to modify the data to hide his or her fraudulent activity. Information theft is similar although it has been shown while this attack mainly perpetrated by current employees, a number of these employees at the time they committed the attack had already accepted positions at other companies some even at competitors.

The common criterion in all of these attacks is access to information. Any employee in an organization is capable of committing these attacks for the simple

...