NEWS AT SEI
This article was originally published in News at SEI on: February 1, 2007
Are Insiders Really a Threat?
The threat of attack from insiders is real and substantial. The 2006 E-Crime Watch Survey conducted by the United States Secret Service (USSS), the SEI CERT Program, and CSO Magazine, found that in cases where respondents could identify the perpetrator of an electronic crime, 32% were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of almost $700 million. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.
Over the past several years, CERT has been conducting a variety of research projects on insider threat. One of the conclusions reached is that insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. These acts have ranged from low-tech attacks, such as fraud or theft of proprietary information, to technically sophisticated crimes that sabotage the organization’s data, systems, or network. Damages are not only financial; widespread public reporting of the event can also severely damage the organization’s reputation.
Insiders have a significant advantage over others who might want to harm an organization. Insiders can bypass physical and technical security measures designed to prevent unauthorized access. Mechanisms such as firewalls, intrusion-detection systems, and electronic building-access systems are implemented primarily to defend against external threats. However, not only are insiders aware of the policies, procedures, and technology used in their organizations, but they are often also aware of their vulnerabilities, such as loosely enforced policies and procedures or exploitable technical flaws in networks or systems.
Partnering with the USSS, CERT has been conducting the Insider Threat Study, gathering extensive insider threat data from more than 150 case files of crimes involving most of the nation’s critical infrastructure sectors. To date, researchers have published two reports documenting the results of the study: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector and Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. This study shows that use of widely accepted best practices for information security could have prevented many insider attacks or detected them earlier. Rather than requiring new practices or technologies for prevention of insider threats, the research instead identifies existing best practices critical to the mitigation of the risks from malicious insiders.
Who Is The Suspicious Insider?
Disgruntled technical staff members, both before and after termination, must be recognized as potential threats for insider IT sabotage. Data pertaining to fraud and information theft suggest that organizations must exercise some degree of caution with all employees. Current employees in practically any position have used legitimate system access to commit these types of crimes. (Of special note is that almost half of the employees who stole information while still employed had already accepted other job offers.) Unfortunately, there is no profile of an insider who poses a threat to an organization; the threat can be recognized based only on a combination of patterns of behavior and online activity.
Can Insiders Be Stopped?
Insiders can be stopped, but stopping them is complex. Insider attacks can be prevented only through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of an organization, including its business policies and procedures, organizational culture, and technical environment. Managers must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used.
Too often organizations allow the quality of their practices to erode as no malicious activity is detected over time. One of the vulnerabilities posed by insiders is their knowledge of exactly this: the quality of their organization’s defenses. Based on our research to date, the practices outlined below are the most important for mitigating insider threats.
Practices for Preventing Insider Attacks
The following 13 practices for preventing insider attacks will provide an organization with defensive measures that could prevent, or enable early detection of, many of the insider attacks other organizations have experienced. This is an overview of the best practices covered in the "Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition"; see the complete document for more details.
Practice 1: Institute periodic enterprise-wide risk assessments.
It is difficult for an organization to determine the proper balance between trusting its employees, providing them access to achieve the organization’s mission, and protecting itself from those same employees. Access combined with knowledge of the organization’s vulnerabilities in both technology and business processes gives insiders the ability to carry out malicious activity against their employers. An organization must protect itself from both insiders and outsiders using risk-management principles. The organization must take an enterprise-wide view of information security, first determining its critical assets, then defining a risk-management strategy for protecting those assets from both insiders and outsiders.
Practice 2: Institute periodic security awareness training for all employees.
A culture of security awareness must be instilled in the organization so that all employees understand the need for policies, procedures, and technical controls. The first line of defense from insider threats is the employees themselves. All employees in an organization must understand that security policies and procedures exist, that there is a good reason that they exist, that they must be enforced, and that there can be serious consequences for infractions. Each employee must be aware of the organization’s security policies and the process for reporting policy violations.
Practice 3: Enforce separation of duties and least privilege.
If all employees are adequately trained in security awareness, and responsibility for critical functions is divided among employees, the possibility that one individual could commit fraud or sabotage without the cooperation of another individual within the organization is limited. Effective separation of duties requires the implementation of least privilege, that is, authorizing people only for the resources they need to do their jobs.
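The two checks described in this practice can be run mechanically against an access-control export. The following is an added example, not code from the SEI article or the Common Sense Guide; the role names, the conflicting-role pairs, the per-job baseline, and the user table are all constructed for illustration. It flags users who hold two roles that together let one person complete a sensitive transaction alone (a separation-of-duties violation) and users who hold roles beyond what their job function requires (a least-privilege violation). The two findings overlap but are not the same: a user can hold an excess role that conflicts with nothing.

```python
"""Separation-of-duties and least-privilege review of a role assignment table.

Added example, not from the SEI article or the Common Sense Guide.
All role names, conflict pairs, job baselines and users are constructed.
"""

# Pairs of roles that no single person may hold together, because holding
# both lets one insider initiate and approve a sensitive action alone.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"initiate_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"deploy_code", "approve_change"}),
}

# Least-privilege baseline: the roles each job function actually needs.
JOB_ROLE_BASELINE = {
    "ap_clerk": {"initiate_payment", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "developer": {"deploy_code"},
    "change_board": {"approve_change"},
}

# Constructed export from an access-control system: user -> job, roles held.
USERS = {
    "alice": {"job": "ap_clerk", "roles": {"initiate_payment", "create_vendor"}},
    "bob": {"job": "ap_manager", "roles": {"approve_payment", "initiate_payment"}},
    "carol": {"job": "developer", "roles": {"deploy_code", "approve_change"}},
    "dave": {"job": "developer", "roles": {"deploy_code", "create_vendor"}},
}


def baseline_conflicts(baseline, conflicts=CONFLICTING_ROLE_PAIRS):
    """Job functions whose own baseline contains a conflicting pair.

    Such a job is a design flaw: anyone doing it correctly violates SoD,
    so the job must be split before user-level checks mean anything.
    """
    return sorted(job for job, roles in baseline.items()
                  if any(pair <= roles for pair in conflicts))


def sod_violations(users, conflicts=CONFLICTING_ROLE_PAIRS):
    """Return {user: [sorted conflicting pairs]} for every user holding one."""
    findings = {}
    for name, rec in users.items():
        held = [tuple(sorted(pair)) for pair in conflicts if pair <= rec["roles"]]
        if held:
            findings[name] = sorted(held)
    return findings


def excess_privileges(users, baseline=JOB_ROLE_BASELINE):
    """Return {user: [roles]} held beyond the baseline for the user's job.

    A user whose job is not in the baseline has no approved roles, so every
    role they hold is reported; that is the safe default for a review.
    """
    findings = {}
    for name, rec in users.items():
        extra = rec["roles"] - baseline.get(rec["job"], set())
        if extra:
            findings[name] = sorted(extra)
    return findings


if __name__ == "__main__":
    print("baseline design conflicts:", baseline_conflicts(JOB_ROLE_BASELINE))
    print("separation-of-duties violations:", sod_violations(USERS))
    print("excess privileges:", excess_privileges(USERS))
```

Running it reports bob and carol for separation of duties (each can both initiate and approve), and bob, carol and dave for excess privilege; dave conflicts with nothing but still holds a role his job does not need. The baseline check runs first in practice: if a job function itself requires a conflicting pair, no amount of user-level review fixes it.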
Practice 4: Implement strict password and account-management policies and practices.
No matter how vigilant employees are in trying to prevent insider attacks, if the organization’s computer accounts can be compromised, insiders have an opportunity to circumvent both manual and automated mechanisms in place to prevent insider attacks.
Practice 5: Log, monitor, and audit employee online actions.
If account and password policies and procedures are enforced, an organization can associate online actions with the employee who performed them. Logging, periodic monitoring, and auditing provide an organization the opportunity to discover and investigate suspicious insider actions before more serious consequences ensue.
Practice 6: Use extra caution with system administrators and privileged users.
Typically, logging and monitoring are performed by a combination of system administrators and privileged users, and those same users are in a position to disable or alter the controls that would record their own actions. Therefore, additional vigilance must be applied to those users.
Practice 7: Actively defend against malicious code.
System administrators or privileged users can deploy logic bombs or install other malicious code on the system or network. These types of attacks are stealthy and therefore difficult to detect in advance, but practices can be implemented for early detection.
Practice 8: Use layered defense against remote attacks.
If employees are trained and vigilant, accounts are protected from compromise, and employees know that their actions are being logged and monitored, disgruntled insiders will hesitate to attack systems or networks at work. Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote-access policies and procedures must be designed and implemented very carefully.
Practice 9: Monitor and respond to suspicious or disruptive behavior.
In addition to monitoring online actions, organizations should closely monitor other suspicious or disruptive behavior by employees in the workplace. Policies and procedures should be in place for employees to report such behavior when they observe it in coworkers, with required follow-up by management.
Practice 10: Deactivate computer access following termination.
When an employee terminates employment, whether the circumstances were favorable or not, it is important that the organization have in place a rigorous termination procedure that disables all of the employee’s access points to the organization’s physical locations, networks, systems, applications, and data.
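Practice 5 and Practice 10 reinforce each other: once online actions can be tied to the account that performed them, the termination list becomes a detection input. The following is an added example, not code from the SEI article or the Insider Threat Study; the syslog-style record format, the host and user names, the IP addresses, the termination times, and the directory snapshot are all constructed. It parses authentication records, reports any successful authentication by an account after its owner's recorded termination, and reconciles the termination list against the account directory to catch accounts that were never disabled.

```python
"""Audit constructed authentication records against an offboarding list.

Added example, not from the SEI article or the Insider Threat Study.
The log format, hosts, users, addresses and timestamps are constructed.
"""
import re
from datetime import datetime, timezone

# Constructed authentication records, one per line (Practice 5 input).
AUTH_LOG = """\
2007-01-12T09:03:11Z vpn01 auth user=jsmith result=success src=198.51.100.23
2007-01-12T16:48:52Z fileserv auth user=jsmith result=success src=10.0.4.17
2007-01-13T02:14:09Z vpn01 auth user=jsmith result=success src=203.0.113.7
2007-01-13T02:15:40Z vpn01 auth user=jsmith result=failure src=203.0.113.7
2007-01-14T08:30:00Z vpn01 auth user=mlee result=success src=198.51.100.41
2007-01-15T22:07:33Z dbadmin auth user=jsmith result=success src=203.0.113.7
this line is not an auth record and is skipped
"""

# Constructed offboarding list: account -> time HR recorded the termination.
TERMINATED = {
    "jsmith": "2007-01-12T17:00:00Z",
}

# Constructed directory snapshot taken after offboarding should have finished.
DIRECTORY = {
    "jsmith": {"enabled": True},   # still enabled: offboarding gap
    "mlee": {"enabled": True},
    "rgarcia": {"enabled": False},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth_log(text):
    """Parse records into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    return events


def access_after_termination(events, terminated=TERMINATED):
    """Successful authentications by an account after its owner's termination.

    Returns (user, timestamp, host, source address) tuples in log order.
    Failed attempts are not reported here; they belong in a separate alert.
    """
    cutoffs = {user: parse_ts(t) for user, t in terminated.items()}
    hits = []
    for e in events:
        cutoff = cutoffs.get(e["user"])
        if cutoff is not None and e["result"] == "success" and e["ts"] > cutoff:
            hits.append((e["user"], e["ts"].isoformat(), e["host"], e["src"]))
    return hits


def accounts_not_disabled(directory, terminated=TERMINATED):
    """Terminated users whose directory account is still enabled."""
    return sorted(user for user in terminated
                  if directory.get(user, {}).get("enabled", False))


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    for hit in access_after_termination(events):
        print("post-termination access:", hit)
    print("terminated but still enabled:", accounts_not_disabled(DIRECTORY))
```

On the constructed data the audit reports two successful logins by jsmith after the 17:00 termination time, both from a remote address via the VPN and a database host, and reports jsmith as still enabled in the directory. The two findings answer different questions: the directory check catches the offboarding gap before it is used, and the log check catches it after.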
Practice 11: Collect and save data for use in investigations.
Should an insider attack, it is important that the organization have evidence to identify the insider and follow up appropriately.
Practice 12: Implement secure backup and recovery processes.
Despite all of the precautions implemented by an organization, it is still possible that an insider will attack. Therefore, it is important that organizations prepare for that possibility by implementing secure backup and recovery processes that are tested periodically.
Practice 13: Clearly document insider threat controls.
As an organization acts to mitigate insider threat, clear documentation will help to ensure fewer gaps for attack, better understanding by employees, and fewer misconceptions that the organization is acting in a discriminatory manner.
Cappelli, Dawn; Moore, Andrew; & Shimeall, Timothy. Common Sense Guide to Prevention and Detection of Insider Threats, 1st Edition. Pittsburgh, PA: Carnegie Mellon University CyLab, 2005.
“CERT Execs on the 2006 E-Crime Watch Survey,” CSO (podcast) (September 2006).
CERT Insider Threat Research (2007).
Rasmussen, Gideon. Insider Risk Management Guide (August 30, 2006).
About the Authors
Dawn Cappelli is a senior member of the technical staff with the CERT Program at the SEI. She is technical lead of CERT’s insider threat research, including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT. Other current work includes modeling and simulation projects for risk analysis and communication of impacts of policy decisions, technical security measures, psychological issues, and organizational culture on insider threats. Cappelli is also an adjunct professor in the Carnegie Mellon H. John Heinz School of Public Policy and Management.
Cappelli has been with Carnegie Mellon since 1988. Before joining CERT in 2001, she was director of engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute, led special projects for the university’s Computing Services, and worked on projects for the Software Engineering Institute’s Information Technology team.
Andrew Moore is a senior member of the technical staff with CERT. He is also a research scientist at Carnegie Mellon CyLab. Moore explores ways to improve the security, survivability, and resiliency of enterprise systems through attack and defense modeling, incident processing and analysis, and architecture engineering and analysis. Before joining the SEI in 2000, he worked for the Naval Research Laboratory investigating high-assurance system-development methods for the Navy. He has 20 years’ experience developing and applying mission-critical system-analysis methods and tools, leading to the transfer of critical technology to both industry and the military.
Timothy J. Shimeall is a senior member of the technical staff with CERT. His research interests include information survivability, network situational awareness, and analysis of security incident behavior. He received his PhD in information and computer science from the University of California, Irvine, in 1989. Before joining the SEI, he served as an associate professor at the Naval Postgraduate School in Monterey, California.
The views expressed in this article are the authors' only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.