
Manage insider threats: Knowing where the risks are

Tom Olzak details the insider threats that an organization should be prepared to defend.

Too often, we view insider risk as a homogeneous threat landscape: employees with access do bad things and there is business impact. While this description is somewhat accurate, it doesn't provide enough information with which to manage risk. What we need is a deeper look at what types of threats exist, the business roles involved, and the signs that typically exist when an employee, vendor, etc. is not complying with policy, law, or ethics. Armed with this information, organizations can implement administrative, technical, and physical controls to mitigate insider risk.

In this opening article, we look at the three categories of insider threats as defined in The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Cappelli, More, & Trzeciak) and at The CERT Insider Threat Center. In Part 2, we will discuss recommended methods for detecting, containing, and responding to insider threats planned, in progress, or completed.

Insider threat defined

Defining insider threats requires an understanding of who and what are involved. The three primary categories of associated attacks are theft of intellectual property, fraud, and damage to information resources. In each category, CERT research tells us that a specific business role is usually responsible. See Table A.

Table A

Intellectual property theft

Intellectual property (IP) is any "creation of mind" created or owned by an organization. For our purposes, examples include

  • Engineering designs/drawings
  • Software created in-house
  • Trade secrets

In many situations, the creators of IP (engineers, software developers, etc.) believe they have ownership rights. In others, financial gain or professional advancement is the driver for theft. The tipping point from good to rogue employee usually happens when creators don't receive recognition for their work or when they don't perceive themselves as adequately compensated and appreciated. CERT lists several objectives for IP theft, including

  • Starting a new business
  • Providing a competitive advantage to a new employer
  • Providing it to a foreign country (especially a country with which an employee has cultural, political, or ethnic ties)

Because the people most likely to steal IP are those already allowed access to it, detection can be difficult. However, close attention to common IP removal paths is the first step in mitigating risk from IP loss, including

  • Company email
  • Remote network access
  • Storage on laptops and other mobile storage devices
  • File transfer services (e.g., FTP or SFTP)

Fraud

Fraud is theft of financial assets. Employee fraud is much more common than most organizations believe. In an article at CFOOnline.com, Tracy L. Coenen writes, "Experts estimate that on average it costs companies 3% to 5% of revenue each year." For example, a payroll clerk creating a false employee, paying that employee, and then collecting and cashing the check commits fraud. Other types of fraud include misuse of expense accounts or payment to vendors when they provide no services or products. People deep in debt with no hope of digging themselves out tend to top the list of insider threats in this category.

Fraud occurs when three conditions are met, as shown in Figure A. Pressure is usually a seemingly overwhelming financial need. Opportunities consist of vulnerabilities in an organization's processes, security, etc. that allow a pressured employee to steal with little chance of detection. Rationalization occurs when an employee convinces himself that his need is greater than ethical or moral concerns. An employee might also rationalize theft based on how she perceives management mistreatment or ingratitude for the business value she's provided. Removing one side of the triangle eliminates or significantly reduces risk from fraud.

Figure A: Fraud Triangle developed by Donald Cressey

Fraud occurs across many channels, and involvement might extend beyond employees to external criminal individuals or organizations. Again, employees resorting to fraud usually seek financial gain. Methods include

  • Selling stolen information
  • Modifying information to realize financial gains for self or others
  • Receiving payment for adding, modifying, or deleting information

Most employees committing fraud avoid complex technological pathways. For example, the last two examples above simply require alteration of a database without removal of data. When data is removed, it is often downloaded to a home computer, copied to mobile storage, faxed, or emailed.

Damage to information resources

Damage to information resources is usually an attempt to break one or more business processes, thereby resulting in significant harm to the business. In most cases, only someone with administrator access can successfully achieve these goals. For example, a programmer might plant a logic bomb that destroys a database, irreparably damages server software, or causes an application to perform in unexpected ways. In addition to logic bombs, reconfiguration of network devices in ways that cause significant loss of productivity is a surreptitious malicious act often difficult to remediate.

Administrators don't always want to make themselves known with a large, visible event. Rather, creation of additional administrator accounts often provides an attacker with long-term access for small but costly hits against a current or former employer. Organizations without proper log management would have a very difficult time assigning responsibility when the rogue account is eventually identified.
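The rogue-account pattern above is detectable when account lifecycle events are collected centrally. The following added example (not from the article or CERT) correlates a constructed, simplified key=value rendering of two Windows Security events, 4720 (user account created) and 4732 (member added to a local group), and attributes every unapproved addition to the local Administrators group back to the actor who granted it and, where the account is new, to the actor who created it; the log format and account names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not from the article). Assumed flat key=value
# rendering of Windows Security events 4720 (account created) and
# 4732 (member added to a security-enabled local group).
SAMPLE_LOG = """\
2024-03-01T18:50:01Z host=srv01 event=4720 subject=CORP\\jdoe target=CORP\\svc_backup2
2024-03-01T18:50:07Z host=srv01 event=4732 subject=CORP\\jdoe member=CORP\\svc_backup2 group=Administrators
2024-03-01T19:02:44Z host=srv02 event=4720 subject=CORP\\helpdesk target=CORP\\new_hire
2024-03-01T19:03:10Z host=srv02 event=4732 subject=CORP\\helpdesk member=CORP\\new_hire group=Users
2024-03-02T03:10:09Z host=srv01 event=4732 subject=CORP\\jdoe member=CORP\\contractor7 group=Administrators
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each log line into a dict of fields plus a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV_RE.findall(rest))
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def find_rogue_admin_grants(events, approved_admins, window_hours=24):
    """Flag additions to the local Administrators group that are not on the
    approved list, and attribute each one: who granted it, who created the
    account, and whether the account was created shortly before promotion."""
    created_by = {}  # (host, account) -> (creator, creation time)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "4720":
            created_by[(ev["host"], ev["target"])] = (ev["subject"], ev["ts"])
        elif ev["event"] == "4732" and ev["group"] == "Administrators":
            member = ev["member"]
            if member in approved_admins:
                continue
            finding = {"host": ev["host"], "account": member,
                       "granted_by": ev["subject"], "created_by": None,
                       "fresh_account": False}
            creation = created_by.get((ev["host"], member))
            if creation:
                creator, when = creation
                finding["created_by"] = creator
                finding["fresh_account"] = ev["ts"] - when <= timedelta(hours=window_hours)
            findings.append(finding)
    return findings
```

A "fresh_account" finding whose creator and grantor are the same administrator is exactly the quiet, long-term access path the paragraph describes, and the retained 4720 event is what lets the organization assign responsibility later.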

Collusion

Employees don't always have access to everything needed for theft or system damage. Many organizations raise barriers with separation of duties enforced with role-based access control. Enterprising insider threats circumvent these controls using collusion.
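Separation of duties has a static side (nobody holds both halves of a conflicting role pair) and a dynamic side (nobody both created a record and approved payment against it). This added example (not from the article or CERT) checks both for the payroll case described earlier, where one clerk creates a false employee and then pays it, and also counts how often the same creator/approver pair acts together, since a collusive pair looks clean under the static check alone; role names, user names and records are constructed.

```python
from collections import defaultdict

# Hypothetical conflicting ("toxic") role pairs: holding both lets one person
# complete a fraudulent transaction alone.
TOXIC_PAIRS = {
    ("create_employee", "approve_payment"),
    ("create_vendor", "approve_invoice"),
    ("submit_expense", "approve_expense"),
}

# Constructed role assignments: the payroll clerk holds both halves of a pair.
USER_ROLES = {
    "pclerk": ["create_employee", "approve_payment"],
    "hr_jane": ["create_employee"],
    "fin_bob": ["approve_payment"],
}

# Constructed transaction trail: who did which step on which employee record.
TRAIL = [
    {"record": "EMP-1041", "action": "create_employee", "actor": "hr_jane"},
    {"record": "EMP-1041", "action": "approve_payment", "actor": "fin_bob"},
    {"record": "EMP-1042", "action": "create_employee", "actor": "pclerk"},
    {"record": "EMP-1042", "action": "approve_payment", "actor": "pclerk"},
    {"record": "EMP-1043", "action": "create_employee", "actor": "hr_jane"},
    {"record": "EMP-1043", "action": "approve_payment", "actor": "fin_bob"},
]


def conflicting_assignments(user_roles, toxic_pairs=TOXIC_PAIRS):
    """Static check: list (user, role_a, role_b) for every toxic pair a user holds."""
    conflicts = []
    for user, roles in sorted(user_roles.items()):
        held = set(roles)
        for a, b in sorted(toxic_pairs):
            if a in held and b in held:
                conflicts.append((user, a, b))
    return conflicts


def unseparated_transactions(trail):
    """Dynamic check over the trail. Returns the records where creator and
    approver are the same person, plus a count of how often each distinct
    creator/approver pair worked together (a review signal for collusion,
    not proof of it)."""
    by_record = defaultdict(dict)
    for step in trail:
        by_record[step["record"]][step["action"]] = step["actor"]
    violations, pair_counts = [], defaultdict(int)
    for record, actions in sorted(by_record.items()):
        creator = actions.get("create_employee")
        approver = actions.get("approve_payment")
        if creator and approver:
            if creator == approver:
                violations.append(record)
            else:
                pair_counts[(creator, approver)] += 1
    return violations, dict(pair_counts)
```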

What is collusion?

Peter Vajda writes, "Collusion takes hold when two (or more) individuals co-opt their values and ethics to support their own - and others' - mis-deeds." The key word is support. While an engineer, for example, might have full access to all relevant components of the IP he or she intends to steal, a payroll or accounts payable clerk might not. Consequently, the person planning the theft might recruit key employees with access to information or processes otherwise unavailable.

It is usually the most trusted employees who commit these crimes. Collusion increases the risk for the perpetrators, but it also decreases the opportunities to detect theft. Bypassing separation of duties via collusion circumvents a key control. According to CERT research, it isn't uncommon for multiple individuals (including outsiders) to participate in long-term fraud.

Probability of collusion

Managers like to believe their employees will behave with integrity, but collusion is a common cause of insider risk. According to a Fraud Matters Newsletter article posted at the EFP Rotenberg website, "Collusion accounts for as much as 40 percent of fraud, with median loss of approximately $485,000, nearly five times that of crimes perpetrated by an individual alone." The amount of loss from fraud associated with collusion significantly elevates associated risk to levels needing close attention by security teams and management.

The last word

Insider threats can potentially cost organizations a great deal each year through loss of IP, fraud, and damage to information resources. Each threat category largely involves a specific role or set of business roles and different attack vectors. In Part 2, we will explore recognizing problem employees and implementation of controls to mitigate insider opportunities.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

noxigen

Great article Tom. In regards to IT with admin privileges: Segregation of Duties and the Principle of Least Privilege are fundamental ways of thinking that some businesses don't take seriously. The business, IT and information security leaders have to commit to a strategy to help their organization minimize the amount of damage that can be done by those with elevated rights. Taking a scan of who has local administrator rights on all your servers (including nested groups!) is a good start. Take that list and get justification for every account and keep track of who the account holder is or if it's a service account - who owns it. If a user doesn't truly need full administrator rights to do their job, consider delegating specific rights using a tool like System Frontier. Having roles and responsibilities defined and enforced will help limit insider threats tremendously.

mjd420nova

A very large client with close to 100K desktops and 50K laptops in national offices and headquarters. All machines are keyed with a thumb drive for each employee. Their units will not start without one, but the advantage is that any employee with a key can use any other unit. Service people have their own diagnostic keys and the IT people have more extensive keys, and no software resides with the user. This was all thought out when a cleaning lady used a lab's desktop to download some videos and gamble. She was pretty sharp to have gotten past the site blocker and infested the machine with a rootkit that almost took over their lab network. Now, it is up to each individual to guard his key. This prevents any intrusion attempts from within. Blocking web sites only goes so far and site hijacks are pretty common. Internal attacks from outside can be difficult if you can't get past the firewall.

apotheon

There is no such thing as "IP theft" as described in this article. It's talking about copyright and patent infringement, and industrial espionage. While there may be theft involved in an act of industrial espionage, the theft is not of "IP", but of materials that represent the copyrights or (probably pending) patents in question. Criminy. People should know this stuff by now. edit: By the way . . . how has TR/CBSi changed its comment formatting this time? I don't know the magical incantation that'll allow me to emphasize text any longer, and I can't be arsed to find documentation of this stuff on the badly-organized site every couple months.

feral

Information security is only a small part of the equation; the overall attitude to and implementation of "Protective Security", which encompasses physical, information and personnel security, is the key. But given trusted insiders are personnel, consider this. Most companies rely solely on the recruitment process, which only determines an employee's job suitability but does not determine suitability to access resources of a confidential or commercially sensitive nature. The recruitment process does facilitate appropriate levels of vetting to determine if there is anything in a person's character or background that could lead to them becoming the next "trusted insider". Companies rely on technology which can be bypassed, whereas the problem is a "Human Factor" problem. A well designed and targeted vetting program that looks into an employee's history and lifestyle to determine if they are a security risk is critical. Another area that most companies overlook is "Security Awareness". Security Awareness training should be mandatory annually to remind employees of their obligation to protect company resources and to educate them about the threats the company faces, be it cyber or trusted insider. Teaching employees to notice when someone's behavior has significantly changed, which indicates the person is a potential threat, reporting it and the sensitive handling of the matter are all critical to mitigating the risk from the trusted insider. Until organisations implement these sorts of mitigation tactics the problem will only get worse.

Tony Hopkinson

Otherwise huge swathes of the TR audience will get ripped off by each other...

HypnoToad72

And then delegate the blame to them when all the outsourcers do a slop job, where nothing is communicated between departments... (a lot of articles also say "IT is dead" but those, at best, ignore how much of a disaster such upgrades have been...) More supply-side hogwash - you'll find risks everywhere. Just swallow some prozac and live under a rock, since you might find the biggest risk to said organization the moment you see a mirror. Sheeh.

maj37

It happened to us about 20 years ago. The guy that was responsible for maintaining our office areas by hiring contractors to paint, move walls, fix things etc. got the contractor to send in bills for the same work multiple times. The guy then just signed the invoices and sent them to AP. This went on for 3 years, getting worse every year, to the tune of about $750,000 until finally someone discovered it. The contractor claimed the guy told him nepotism rules prevented his wife from getting paid to work there and this was how the company approved paying her.

Tony Hopkinson

Certainly, but the true insider threat is the person you explicitly trusted and later found you shouldn't have. So I'm going to have to say red herring.

Tom Olzak

Apotheon, within the context of the insider threat research conducted by the CERT insider threat team, IP theft includes the taking of drawings, code, etc. and using them contrary to IP law and to the detriment of the owning organization. Apparently a difference in semantics, but the underlying point is the same. Tom.

Tony Hopkinson

yourself away on a public site at 18:50 on 15/02/2013 GMT. No job at weinventedtheifstatementanditsourssonah.com for you matey... :D

Tony Hopkinson

The one who said Burgess, Maclean and Philby were good guys.

Tom Olzak

While I agree to a point, I also believe that many administrators have access they shouldn't have. In most organizations where I've worked, privileged access was handed out carelessly to avoid actually designing a true role-based access control process. Tom.

Tony Hopkinson

Save me the trouble of writing it again? Assuming I was going somewhere that used the same language and infrastructure and had the exact same requirement? The algorithms in our heads, the nifty trick that makes the job simpler, are in our heads. More to the point, the catalog of errors that end up in the production code due to technical debt is in our heads. Steal code? Only an incompetent would bother. You are one of those "we should patent our use of the if statement" types, aren't you? :p

apotheon

"Semantics" refers to "meaning". The key here is that "theft" doesn't *mean* anything relevant to copyright or patent infringement. The fact CERT's personnel misuse the term doesn't suddenly make the term mean something different. What if I took pictures of your living room through your open window? Would I have "stolen" your living room? Would I have "stolen" your privacy? Even if privacy laws prohibit me from taking pictures of the interior of your home through your living room window without your permission, I would not be "stealing" anything. The crime in question, then, would not be "theft", even if some legally challenged privacy advocacy group decided to refer to the practice as "privacy theft". So . . . no, it isn't "still IP theft". It's copyright or patent infringement and/or industrial espionage.

apotheon

It might ruin the joke, but . . . what?

apotheon

. . . basically every manager who has been working in a management job for a while would probably tell you that, even if the manager in question is engaged in making such a decision as you describe *right now*. I notice noxigen's profile doesn't say "manager", though.

Tony Hopkinson

Due to commercial exigencies? Give him access for now, we'll sort it later? Never happened? Really?

noxigen

Same experiences here Tom. No matter what tool or technology you put in place, having RBAC in place with good processes to enforce it is vital.

Tony Hopkinson

Not really. What actually happened is security got in the way of making money, so it got de-prioritised. I did the job a long time; I know how it works and I know why it works. I also know that once the realisation sinks in that maybe Fred shouldn't have had access to every system in the business, it's too late. After one particular episode I became a bit of a stickler for making sure access I shouldn't have was revoked. Good vetting question that, but if you answer it correctly you're as likely to not get the job as otherwise. So this person doesn't believe he should be trusted. Aha, next...

apotheon

That's what NDAs are for. If someone signs an NDA, you can go after 'em for disclosing. If someone does not sign an NDA, you should share stuff with that person that you don't want the person repeating.

Tony Hopkinson

They think buying debts is a sound business proposition. I was watching some piece on the idiot box yesterday. (There was an attractive woman reading it out, he hastens to explain.) Some idiot was on there saying despite all the care they took with their IP, people could still leave and remember key parts of it. What is the world coming to, eh? My current favourite is tit for tat...

apotheon

I suppose the guy on the team who does more harm than good with his coding might want to copy code -- and as long as he's talking to an executive instead of a programmer, he might find someone who wants the code. Then again, maybe they're talking about stuff like people leaking code to the Internet for the express purpose of showing the world what kind of ridiculous cock-ups exist in the company's closed source, as happened when the Win2k sources were leaked years ago. That was not an f-word that got asterisked out. It was the word for something you do with, say, a single-action revolver before firing. It's rather odd the obscenity filter stripped that out, considering all the potential uses of the term that are in no way impolite and do not refer to other things ending in "ck". In fact, the one "obscene" usage of it that comes to mind comes from a metaphorical reference to a rooster.

apotheon

I've just kinda been doing some of my own things, trying to run a nascent standards and advocacy group (the Copyfree Initiative), writing code, maintaining four Ruby gems and a FreeBSD port, taking classes through Coursera for the joy of learning, wading through a flood of email, dealing with a flu, taking care of a cat with cancer, co-writing an RPG product for Raging Swan (interesting publisher name -- yeah?), spending some time in IRC, and handling a slew of other stuff. I haven't really been maintaining any specific online community presence very consistently other than the Copyfree Initiative, so TR's not special as regards my neglect.

Tony Hopkinson

Doesn't always translate, I suppose; sometimes the pie in the face comes at an oblique angle. Where you been anyway? I had to stand in for you with some of those obscurity-is-security boys.

apotheon

I still don't get it, but I'll live.