New Faces of Cyber Crime – The Insider Threat
By Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV May 2008
Good News and Bad
Based on all of the hard work of IT and information security teams, we are beginning to see real progress in protecting the enterprise against external threats. The bad news is that we now face a new challenge: protecting our information assets from insider threats. Insider attacks account for as much as 80% of all computer and Internet related crimes, and 70% of attacks causing at least $20,000 of damage are the direct result of malicious insiders.
In fact, the US Secret Service – National Threat Center has indicated that: “The greatest information security threat facing your organization is in your office right now. It has the ability to bypass the physical and logical controls you have put into place to protect the perimeter of your network and has already obtained credentials to access a significant portion of your infrastructure.”
In February 2008 a Dallas-based healthcare organization sent out notifications to about 37,000 patients that their personal and financial information had been compromised. A former data processor from that healthcare organization was apprehended a while later and pleaded guilty to fraudulent possession and use of stolen personal identification. In March of 2007 the spouse of a US sales person loaded unauthorized personal software onto a major pharmaceutical company’s laptop in order to access a peer-to-peer file sharing network. That software gave other users access to address information, home and/or cell phone numbers, social security numbers, and in some instances bonus data for over 17,000 present and former employees. In another case a scientist admitted he stole $400 million in intellectual property from his former company. In 2006 healthcare workers in a NJ hospital sold patient medical and treatment information about George Clooney, who had been involved in a motorcycle accident, to a tabloid newspaper.
So we can see that information security breaches caused by insiders are happening every day, in firms of all sizes and types all across America. In fact, from 2000 to 2007 the number of reported incidents where insiders were found to be the source of information security breaches or leaks has grown exponentially.
Interesting statistics
Below are some interesting statistics that show that the people who cause these breaches do not require special access or advanced training. All they need is a desire, time, and simple access to the data. You can also see that the breaches turned out to be expensive to the enterprise.
- Only 17% of the insider events studied involved insiders with administrator access
- 87% of attacks used very simple user commands that did not require any advanced knowledge
- 30% of the incidents took place at the home of the insider using remote access to the enterprise’s network
- Most insider events were triggered by a negative event in the workplace
- Most perpetrators had previous disciplinary issues
- Of the breaches reported in 2005 and 2006, total costs averaged about $180 per lost customer record; the average total cost per company was $4.8 million per breach, and individual breaches ranged from $226,000 to $22 million.
So who are these insiders?
Some are individuals who have malicious intent to cause harm and others are just inattentive, bored, or complacent employees with no malicious intent at all.
Malicious Perpetrators
- IT expert with a hacker mentality or mindset.
- Terminated or demoted employee.
- Dissatisfied or disgruntled employee.
- Fraudster motivated by financial gain.
- Employee who wants unauthorized access to information.
Non-malicious Individuals (employees or contractors)
- Technically knowledgeable employee who simply finds it enjoyable to get around security measures.
- Employee who simply fails to pay attention to proper IT usage.
- Untrained employee or new hire.
- Employee without adequate training.
What are the threats that enterprises face?
Threats can be placed into four basic areas:
- The malicious/disgruntled employee that has been recently demoted or terminated and now has a desire to do damage to the IT infrastructure or critical information because of a grievance they have against the management or the enterprise.
- Unintentional exposures or breaches caused by employees who put the IT infrastructure and critical information at risk by installing unauthorized software, opening virus-infected e-mail attachments, being taken in by social engineering attacks, spilling coffee into a server, releasing sensitive information to friends or relatives, and so on.
- Corporate espionage where hackers, thieves or spies recruit and sometimes pay employees to steal critical data or damage critical IT resources or information. Sometimes short-term low profile contractors are used.
- Dishonest insiders who abuse employee privileges for their own personal gain or satisfaction.
So what practices can be employed to help reduce the problem?
- Implement strict password and account management policies and practices.
- Enforce separation of duties, least privilege, and one-over-one signoff for assigning access to sensitive information or data. Rotation of assignments also helps.
- Use extra caution in selection and training of system administration personnel.
- Provide periodic security awareness training for all employees.
- Log, monitor, and audit employee online actions.
- Conduct enterprise-wide risk assessments regularly (at least once a year).
- Actively defend against malicious code (use people, process, and technology to accomplish this).
- Deactivate systems access ASAP following termination of employees and contractors.
- Ensure that secure backup and recovery processes for critical data are in place and functioning as required.
- Monitor and respond rapidly to all suspicious actions on systems and behavior by employees.
- Conduct background checks of all personnel who work inside the enterprise (employees and contractors).
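As an added illustration of the logging, monitoring and access-deactivation practices above (example code, not from the article), the following Python script correlates a constructed HR termination list with constructed authentication log lines and flags any login attempt by a terminated account, plus remote logins outside business hours. The log line format and the 07:00 to 19:00 business window are assumptions.

```python
"""Correlate auth log lines with an HR termination list (added example)."""
from datetime import datetime, time

# Constructed HR feed: user -> termination date. Accounts not listed are active.
TERMINATED = {"jdoe": "2008-03-14", "contractor7": "2008-04-01"}

# Constructed auth log, assumed format: "<timestamp> <user> <source> <result>"
AUTH_LOG = """\
2008-04-02T09:15:00 asmith office success
2008-04-02T22:40:00 jdoe vpn success
2008-04-03T02:05:00 bjones vpn success
2008-04-03T10:30:00 contractor7 office failure
2008-04-03T11:00:00 bjones office success
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption: 07:00-19:00 local


def parse_line(line):
    ts, user, source, result = line.split()
    return datetime.fromisoformat(ts), user, source, result


def is_after_termination(user, when):
    """True if the account belongs to a terminated person and the attempt
    happened on or after the termination date (access should be gone)."""
    term = TERMINATED.get(user)
    return term is not None and when.date() >= datetime.fromisoformat(term).date()


def is_off_hours_remote(source, when):
    """True for remote (VPN) access outside the assumed business hours."""
    start, end = BUSINESS_HOURS
    return source == "vpn" and not (start <= when.time() <= end)


def find_suspicious(log_text):
    """Return (user, timestamp, reason) tuples for lines that merit review.
    Failed attempts on terminated accounts are flagged too: the account
    should no longer exist, so any attempt is worth a look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, source, _result = parse_line(line)
        ts = line.split()[0]
        if is_after_termination(user, when):
            findings.append((user, ts, "login attempt after termination"))
        if is_off_hours_remote(source, when):
            findings.append((user, ts, "remote login outside business hours"))
    return findings
```

Running `find_suspicious(AUTH_LOG)` on the sample data flags jdoe twice (terminated and off-hours VPN), bjones once, and contractor7 once; in practice the HR feed and log source would be live exports rather than inline constants.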
Don’t Let Familiarity Muddy the Waters
It is very uncomfortable to think that a colleague or friend might be capable of committing a cyber crime or security breach. They work and interact with us every day, at work and sometimes at home. However, as security and business continuity professionals we must examine clearly and objectively all risks that can adversely affect our organizations. We cannot allow familiarity or complacency to be the reason for our failure to protect critical, sensitive, or personal data.
About the Author
Dr. Jim Kennedy is the Business Continuity Services Practice lead and a Principal Consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of two books, Blackbook of Corporate Security and Disaster Recovery Planning: An Introduction and author of an e-book, Business Continuity & Disaster Recovery – Conquering the Catastrophic. jtkennedy@alcatel-lucent.com