
Examining the insider threat

The United States Secret Service and the Carnegie Mellon Software Engineering Institute’s CERT have published the findings of their second ‘Insider Threat Study’. According to the report, which analysed acts of insider sabotage on computer systems in critical infrastructure sectors, the majority of insiders who committed the attacks were former employees, motivated at least in part by a desire to seek revenge and who were granted system administrator or privileged access when hired.

The goal of the Insider Threat Study is to better understand malicious insider activities affecting information systems and data in critical infrastructure sectors. The study provides a comprehensive analysis of insider actions by analysing both the behavioural and technical aspects of the threats.

The Findings
Forty-nine cases, occurring between 1996 and 2002, were examined across critical infrastructure sectors. These cases were purposely limited to those in which an insider’s primary goal was to sabotage some aspect of the organisation or direct specific harm toward an individual.

The study revealed:

• A negative work-related event triggered most of the insiders’ actions.

• Sixty-two percent of incidents were planned in advance.

• Eighty percent of the insiders exhibited unusual behaviour in the workplace prior to carrying out their activities.

• Fifty-seven percent of insiders exploited systemic vulnerabilities in applications, processes and/or procedures.

• Thirty-nine percent used relatively sophisticated attack tools.

• Sixty percent of insiders compromised computer accounts, created unauthorised backdoor accounts or used shared accounts in their attacks.

• Most incidents were carried out via remote access.

• Less than half of the insiders (43 percent) had authorised access at the time of the incident.

• Insider activities caused financial losses (81 percent), negative impacts to business operations (75 percent) and damage to the organisations’ reputations (28 percent).

“The power of a terminated employee with system administrator access should not be underestimated,” said Dawn Cappelli, senior member of the technical staff with CERT. “Some organisations completely neglect disabling access upon termination. Others go through the steps to disable access, but the insider is able to find that one access control gap that was overlooked. It is important that technical staff are attentive to the obscure methods used in the insider attacks in this study.”

Implications
The report recommends proactive strategies, to be applied at all levels of an organisation’s personnel, for mitigating insider threats. These include detailed best-practice suggestions for information security and human resources that historically have not been implemented consistently. Specifically, the report suggests:

• Disabling access following termination

• Management attention to negative events in the workplace

• Establishing formal grievance procedures as an outlet for insider complaints

• Creating reporting processes for when a colleague notices or suspects concerning behaviour

• Enforcing comprehensive password policies, computer account management practices and layered security for remote access

• Using configuration management practices for detection of logic bombs and malicious code

• System logging and monitoring, and backup and recovery procedures.
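Several of these recommendations (disabling access after termination, account management, and monitoring of remote access) can be checked together by reconciling HR termination records against the account directory and remote-access logs. The following is an added illustration, not code from the report or from CERT; the record layouts, the log line format, and all names and dates are constructed for the example.

```python
import re
from datetime import date, timedelta

# Constructed sample inputs (formats assumed for this example, not the report's).
TERMINATIONS = {"jdoe": date(2005, 4, 30), "asmith": date(2005, 5, 2)}

ACCOUNTS = [  # (username, enabled, privileged, created_by, created_on)
    ("jdoe",    True,  True,  "hr-provision", date(2003, 1, 10)),
    ("asmith",  False, False, "hr-provision", date(2004, 6, 1)),
    ("svc-bkp", True,  True,  "jdoe",         date(2005, 4, 27)),
    ("bwhite",  True,  False, "hr-provision", date(2004, 2, 2)),
]

REMOTE_LOGINS = [
    "2005-05-03T22:14:07 vpn login user=jdoe src=198.51.100.7",
    "2005-05-03T09:00:12 vpn login user=bwhite src=203.0.113.5",
    "2005-05-04T01:30:44 vpn login user=svc-bkp src=198.51.100.7",
]

LOGIN_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+)$")


def stale_accounts(accounts, terminations, as_of):
    """Accounts still enabled for people HR terminated on or before as_of.
    Returns (user, privileged) so admin-level leftovers can be prioritised."""
    return sorted((u, priv) for u, enabled, priv, _, _ in accounts
                  if enabled and u in terminations and terminations[u] <= as_of)


def suspect_backdoors(accounts, terminations, window_days=30):
    """Enabled accounts created by a departing user shortly before departure."""
    hits = []
    for user, enabled, _, creator, created in accounts:
        left = terminations.get(creator)
        if enabled and left and left - timedelta(days=window_days) <= created <= left:
            hits.append(user)
    return sorted(hits)


def review_remote_access(logins, accounts, terminations, as_of):
    """Remote logins by stale or suspect accounts, as (timestamp, user) pairs."""
    watch = {u for u, _ in stale_accounts(accounts, terminations, as_of)}
    watch |= set(suspect_backdoors(accounts, terminations))
    hits = []
    for line in logins:
        m = LOGIN_RE.match(line)
        if m and m.group(2) in watch:
            hits.append((m.group(1), m.group(2)))
    return sorted(hits)
```

Run against real data, the same three checks would be fed from the HR system, the directory export and the VPN or remote-access logs respectively.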

The complete report can be found at http://www.secretservice.gov/ntac.shtml and http://www.cert.org/archive/pdf/insidercross051105.pdf

Date: 17th May 2005 • Region: N.America • Type: Article • Topic: BC general
