When we think of the words "insider threat" most of us tend to cringe. Even as security officers, we often don't want to talk about it. It is human nature to want to believe that the threats we face come from outside our own organization, and that the enemy is 'them' and not one of 'us.' As individuals, we are part of many groups in society, including the companies we work for, professional associations, volunteer groups, religious organizations, multiple groups of friends with different interests, and the group we spend the most time with in our lives, our families. It is disconcerting to believe that any member of the groups to which we belong by choice would expose us to bad behavior, or that we cannot trust the members of the groups we have chosen to join. After all, we choose these groups to provide a certain level of safety, security, and comfort within our lives.
So why is it important and why should we even care about the group dynamics with respect to the insider threat? One reason - complacency. When we belong to these groups and interact on a daily basis, we tend to get a false sense of comfort with the individuals that we are dealing with. Individuals show their 'best face' to the organization, the one that will
- Enable them to work on rewarding projects
- Provide a path to promotion
- Create long-term job security
- Cause the organization to appreciate their contributions.
There is much that is unknown about the employees we work with, other than the face that is shown to us when they show up for work. We perform background checks on individuals as they enter the workplace; however, these are typically not very extensive, are limited geographically, are limited to serious criminal offenses, and may not provide enough real information about the individual. Organizations also typically do not reinvestigate individuals very frequently, so changes in their economic situation, which could create a new motive for criminal activity, would not be caught.
It's Real, Really!
The insider threat can't happen to your organization? Good, hard-working people are employed there? Consider the following scenarios, each of which was a real incident:
- The financial division manager for a parking authority was responsible for handling disputes regarding parking tickets. Due to the lack of sound business controls, it was easy for him to mark the tickets as voided in the system and pocket the money collected for fines, reducing the amount collected in the system and keeping the difference.
- Employees issued food stamps in excess of the entitled allotment in return for a portion of the stamps, which they kept. This fraud cost $70,000 across 53 cases and was made possible by an "expedited procedure" under which supervisor approval and other personal information were not required.
- Two motor vehicle department employees colluded to defeat the segregation of duties policy under which driver's license information was to be entered by a clerk and verified by a manager before it became effective. The two employees inserted pictures of themselves and fake addresses into records, obtained credit cards in their victims' names, and subsequently purchased $255,000 of cars and merchandise.
- A federal court sentenced Yung-Hsun "Andy" Lin, a former systems administrator for Medco Health Solutions, Inc., to 30 months in prison for planting a logic bomb to delete data stored on the Medco network. He was also ordered to pay $81,200 for the damage he caused to the computer systems.
- A front-desk operator stole information on 1,100 patients to sell to a cousin to submit fraudulent Medicare claims.
- The North Carolina Court of Appeals is allowing the use of the Health Insurance Portability & Accountability Act (HIPAA) as the standard of care in a lawsuit whereby an office worker used a clinic owner's account and password to look up patient information.
- An IT professional at a military base encrypted files upon learning that she would be downsized. She offered to decrypt the files for the system administrator in exchange for a $10,000 'severance offer,' and the system administrator accepted before consulting with the proper authorities. Upon reviewing the case, prosecutors determined that they could not pursue charges.
- An engineer at an energy processing plant became angry with his new, non-technical supervisor and had several outbursts. His wife was terminally ill, and he was sent home due to the work disruptions. The staff discovered some unusual modifications to the control systems, and he refused to provide the password to the engineers, threatening the productivity and safety of the plant.
- The general manager of the GE nuclear facility in Wilmington, North Carolina, received an extortion letter with a sample of uranium dioxide powder. The letter stated that the writer had two five-gallon containers of low enriched uranium dioxide that had been taken from the plant. The containers were identified in the letter by serial number and were subsequently authenticated as being missing from the plant. The letter demanded $100,000 or else the material would be dispersed in an unnamed U.S. city. An employee of a subcontractor was arrested and sentenced to fifteen years in prison.
- A grand jury in San Jose, Calif., handed down separate indictments against two men at NASA for downloading child pornography to government computers. Each faces a maximum sentence of 10 years imprisonment and a $250,000 fine, and would be required to register as a sex offender.
- And the list goes on ...
The aforementioned incidents illustrate that the insider threat is real across industries, public and private companies, and large and small organizations. These incidents arise from a multitude of motivations and, as with any crime, only a fraction of the total activity is actually detected.
Most individuals that show up to the workplace are honest, trustworthy people trying to make a living and provide for their families. This is not the group we should be concerned with; it is the minority of individuals who have the motivation to steal from the employer that concerns us. So how many people are we talking about? One or two? A few? A couple dozen? Herein lies the problem - we just don't know! Let's assume for a moment that 95% of individuals that show up for work every day are hard-working, honest citizens who would never think of harming their employer for any reason. Let's also assume that, within this 95%, every one of them performs their job completely, without any errors, and follows the security policies 100% of the time. Feeling a little queasy about this 95% number now? Well, let's continue the example anyway. If we have 50,000 employees in our company, and we don't have to worry about 95% of them, that still leaves 5%, or 2,500 employees, from whom we do need to protect the environment. Furthermore, these individuals are inside the perimeter of the company, with authorized login accounts and access to the physical facility; they may have management approval for privileged access; and they visit the facilities every day of the week. Now we have an issue that is real and needs to be discussed.
The actual number of insider incidents is difficult to determine, as this has typically not been a focus area within organizations, and the external studies that have been done tend to focus on fraud and less on the "mistakes" made by people inside the organization. Moreover, organizations' willingness to disclose insider activity is limited unless disclosure is required by law.
For example, security incidents involving personal information must be disclosed to the impacted parties under California Senate Bill 1386; however, the exact particulars of the breach, such as the activity that led to the disclosure, do not have to be reported to the consumer. Organizations are unlikely to state that "Employee Jane Smith did a stupid thing by putting the names, addresses, and health information of our patients on a website because she was in a rush to get the application upgraded on a Friday afternoon." The company could open itself up to potential legal trouble with the associate, as well as having to endure difficult employee relations with other employees as a result. They may describe the activity in general terms, or state only that there was an inadvertent disclosure, while withholding some of the details.
Even in today's climate of "loyalty = you work, you get paid, and we start over again next week" between corporations and individuals, companies still want to be viewed by their employees as trustworthy in their dealings and as looking out for their welfare. This is why, to some organizations, the mere 'thought' of starting to look into individuals' work affairs smells of the 'big brother' image that corporations want to avoid. Consider, for the sake of example, the case of voluntary terminations. Once an individual has provided his resignation notice, how many organizations walk the individual out the door immediately and say, "thank you for all you have done"? Very few. The typical practice, which is even encouraged by the organization, is to honor the 2-week notice provided by the associate and let the person continue to work in the building until his or her last day.
As an organization, we assume they are trustworthy and not downloading confidential customer lists, strategies, pricing guides, employee rosters, financial or health records, etc., and walking them out the door. We also assume they are not doing damage to files and the backups that they have access to, planting backdoors/logic bombs/malware on the system, and wreaking havoc with whatever they have access to. Maybe they are leaving because a contract has been lost, they did not get the promotion they wanted, or they are disgruntled for another reason. And yet, because organizations want to be seen as a good company to work for by the other employees, they want to maintain an aura of respect for the departing associate. While there is some merit in this view, and walking them out the door immediately may be viewed as an extreme situation to be held only for involuntary terminations, there needs to be a balance in mitigating the risk of an insider threat.
US-CERT Insider Threat Survey
The U.S. Secret Service and the Software Engineering Institute's CERT program at Carnegie-Mellon University produced two 2008 reports on the insider threat: "Illicit Cyber Activity in the Government Sector" and "Illicit Cyber Activity in the Information Technology and Telecommunications Sector." The reports focused on insider threats that occurred as a result of deliberate illicit activity and did not really address the threats caused by carelessness of employees and contractors.
The underlying study reviewed 149 cases between 1996 and 2002 across 12 of the critical infrastructure sectors, leveraging Secret Service case files. For the government sector, 36 incidents committed by 38 insiders (employees, contractors, or former employees and contractors) were identified, comprising 21 cases of fraud (13 of them financial fraud), 9 cases of sabotage, 3 thefts of confidential information, and 3 involving both theft and sabotage. The organizations impacted included child and family support services, motor vehicle registration, police, judicial, and other assorted government agencies.
The study makes the following observations and conclusions from the cases reviewed:
- There were no statistically significant common demographics of race, gender, or age that could be determined.
- The majority (58%) of the insiders were current employees in administrative and support positions, which required limited technical skills, with 50% of those assigned to leadership or supervisory roles. Those with IT technical skills made up 26% of the insiders.
- Nearly half of the insiders exhibited some inappropriate behavior that was noticed by others prior to the incident. These behaviors included calling in sick frequently, leaving work early, demonstrating a poor attitude, and engaging in arguments with other employees.
- A significant number of insiders (84%) had no previously recorded incidents or violations of organization policies.
- A majority of the motivation was financial gain (54%), and those motivated by revenge (24%) included incidents of sabotage (67%), theft of confidential information (11%), and events including both (22%).
- In over 56% of the cases, specific events triggered the incident, with a single incident potentially being the result of multiple events, such as:
- Termination, demotion, transfer, other disciplinary action (40%)
- Financial hardship or bribe (40%)
- Personal problem unrelated to organization (15%)
- Dispute or dissatisfaction with management (10%)
- Other events (5%)
- Authorized access was used most of the time (56%), using access control gaps (69%) to facilitate the incidents. Access exceeded what was needed to perform their jobs.
- Most of the insiders planned their activities in advance.
- In 58% of the cases they used their own account, and in 42% of the cases they used someone else's: a system administrator's account, an expired account, another employee's account, a shared account, or a session left open on another employee's computer without a screen lock.
Most of the insiders that were detected did not understand the severity of their actions or the financial impact that was caused. The study is useful, in that it highlights the motivations, techniques to commit the activity, and the types of individuals and behaviors that were exhibited. Detection of the activity is difficult, as many times, insider activity is a 'silent crime' in that the disgruntled employee that has an axe to grind will want to do this in a manner to avoid detection.
Other Types of "Insider" Threats
Much of the discussion of insider threats refers to malicious intended behavior; however, the insider threat as a result of accidental, careless, or a lack of understanding of the security policies should also be regarded as the "insider threat." Someone leaving a laptop in the car, or emailing/improperly disposing of personal confidential information can have consequences that are just as serious as the malicious insider threat. This discussion is primarily focused on the insider threats that are the result of intentional, malicious actions to cause harm to the organization.
Learning from the Outside Threats
The problem by this point should be very clear that these events do happen within organizations where individuals have the motive, opportunity, and means to carry out the threat. It is difficult to get a handle on what the real magnitude of the problem may be for any one particular company or industry; however, there are certain steps that can be taken to mitigate the risk. Whatever the number of actual incidents is, it should be clear that the problem does exist and an organization needs to have a thought-out, defined approach.
Much of the discussion at security conferences is focused on protecting the perimeter, the end points, and the remote access capabilities to prevent an external party from accessing the internal systems. The conversations tend to focus on the hackers 'out there' vs. the individuals with authorized access within the organization. Firewalls, intrusion detection systems, encrypted network traffic/email and physical security devices are discussed to prevent and detect entry. As the old adage goes, an organization is typically hard and crunchy on the outside and soft and squishy on the inside, like an M&M. Many of the security principles we apply to protect information from the external world, if implemented correctly, also go a long way toward protecting against threats from our own employees and contractors. For example, developing baselines containing only the necessary services for devices such as servers, routers and switches, applying those baselines consistently to all servers, and monitoring the configurations on a regular basis helps to protect the internal computing environment from the outside. These same configurations and associated monitoring that reduce the impact of the outside threat also serve to limit the internal damage and detect the inside threat. Let's review some of these controls and other considerations for reducing the insider threat risk.
11 Ways to Mitigate the Risk
Short of monitoring an employee or contractor's every move with surveillance cameras, there are steps that can be taken to reduce the risk. Each organization has to decide how much loss they are willing to tolerate, as each of these areas requires an investment, in some cases substantial investments that may outweigh the benefits. Even with these controls in place, there will still be the residual risk of user carelessness or of those angry users who are determined to circumvent the system. Thoughtful implementation of some or all of these controls can deter, prevent, detect, or reduce the ultimate impact of the incident.
1. Deliver Security Policy by Management. The tone at the top is essential for all security programs. The more employees understand that management expects the security policies to be complied with, and that the policies are not just the product of the Information Security Department, the less likely they are to believe that a violated business process or a circumvented security control will go undetected.
2. Communicate Insider Threats Through Security Awareness Programs. Security awareness programs communicate the key reasons why the security policies exist and the consequences for not following them, such as disciplinary action up to and including termination. Sanctions must be enforced. Providing examples of where insider activity had occurred and where the internal IT security departments and management had detected the activity, terminated the employee, and successfully prosecuted the individual could serve as a deterrent to others contemplating such activity. To avoid potential issues for the company, unless the case presented was public information, the names or any identifying information involved in the incidents should not be communicated. This can be an effective approach as it communicates that 1) incidents do happen within the organization, and 2) monitoring activities are in place and management attention will detect this type of activity.
3. Conduct Pre-Employment Screening. Pre-employment background and reference checks can uncover prior criminal records, credit problems, or issues with character. They can also serve as a deterrent: some individuals may not even apply in the first place if they are aware that a background check is required.
4. Pay Attention to Performance Issue Handling. In many cases there is a job-related event that triggers the employee to act. Anger may fuel the need for the disgruntled employee to take action, either while still with the company or planned for soon after their departure. Employees should have a venue to address their concerns, complaints and dissatisfaction and come away feeling that they are being listened to. Managers also need to be trained to skillfully handle performance review issues. When performance issues do occur, appropriate documentation needs to be maintained to permit tracking of the behavior over time.
5. Enforce Separation of Duties and Need-to-Know Access. Effective separation of duties ensures that access to critical information and functions is not held by the same individual. Checks and balances implemented through review and approval processes must be consistently applied so that gaps, even in 'emergency' situations, are appropriately controlled and reviewed. For example, permitting one person to both enter purchase orders and make payments against those orders can lead to bogus, undetected entries. Appropriate segregation of duties reduces this risk, since collusion of two or more parties then becomes necessary to commit the fraud. In situations where limited staff makes it necessary for one person to perform both functions, regular management review and sign-off processes may be implemented instead.
6. Implement Strict Password and Account Policies. These are the keys to the online activity of the employees and contractors and unless this is sufficiently controlled through appropriate account provisioning, adequate password complexity requirements, policies prohibiting sharing, and management of the passwords through secure means, the entire system can be circumvented.
7. Monitor Employee Actions. Events performed by employees need to be logged and the logs need to be reviewed for abnormal behavior. If the appropriate controls have been put in place in the assignment of the accounts and passwords as previously noted, then the actions of the employee can be accurately associated to the events shown on the logs. Security Information Management tools can aggregate the logs and provide deeper inspection by setting up rule sets for the anomalies.
8. Pay Increased Attention to Privileged Accounts. Systems administrators have elevated access through the use of privileged accounts. If a system administrator that has the capability to alter or delete the log entries commits the fraud, detecting the event will be more difficult, if even possible. Special monitoring should be applied to these accounts due to the damage that can be caused.
9. Implement a Rigorous Termination Process. The organization must define all the accesses that could potentially be granted to an employee and contractor. A solution that ensures the system and physical access is terminated immediately following the termination must be implemented. Typically physical and system access termination will involve coordination of individuals from multiple departments such as Human Resources, Identity & Access management (security administration), physical security, network infrastructure, outsourced data centers, systems administrators, and so forth. The process must include rapid notification, confirmation, and subsequent auditing to ensure the individuals are terminated promptly.
10. Maintain Backup and Recovery. Backup and recovery represent corrective controls in the event that the insider is successful in bypassing the other controls. This becomes the last line of defense for getting the organization's files back to their normal state. The backup needs to be secured and tested to be useful. Technically savvy attackers may also contaminate multiple generations of backups by altering information just prior to each backup run and then changing it back afterwards, so the live data looks correct while every tape holds the corrupted copy. When the attack is finally carried out several weeks later, the information written to the backup tapes has already been altered, rendering the restore ineffective. Verifying backups against the live data, rather than only testing that they can be read, is the way to catch this.
11. Invest in Forensic Procedures. A variety of forensic tools in an organization's toolkit increase the capability to analyze what the employee or contractor has been doing with the company assets. Files may be deleted and unrecoverable through normal means, but are accessible through the forensic tools. Court-presentable evidence can then be provided in the event the case is prosecuted.
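The following is an added example, not code from the original article, showing how items 5 (separation of duties) and 9 (rigorous termination) can be turned into a repeatable access review. It joins an HR roster export against an entitlement export from the IAM system and flags three things the text warns about: one person holding both halves of a conflicting duty pair, accounts that HR says are terminated but that still hold access, and accounts with no HR owner at all. All of the data, the user ids, application names and the conflict matrix are constructed for illustration; a real review would pull these from the HR system and each application's entitlement report.

```python
"""Access review for separation-of-duties conflicts and leftover access.

Added example with constructed data. Assumes three inputs that an
organization would normally export rather than type in:
  - HR_ROSTER:     user id -> employment status from Human Resources
  - ENTITLEMENTS:  user id -> entitlements granted across applications
  - SOD_CONFLICTS: pairs of entitlements one person must never hold together
"""
from collections import defaultdict

# Constructed HR roster (hypothetical users)
HR_ROSTER = {
    "jsmith": "active",
    "aperez": "active",
    "kchen": "terminated",   # left last week; access should already be gone
    "rlee": "active",
}

# Constructed entitlement export: "APP:permission" strings per user
ENTITLEMENTS = {
    "jsmith": {"AP:create_po", "AP:approve_payment"},      # enters and pays POs
    "aperez": {"AP:create_po"},
    "kchen": {"DMV:update_license", "VPN:remote_access"},  # still provisioned
    "rlee": {"DMV:update_license", "DMV:verify_license"},  # enters and verifies
    "svc_backup": {"BACKUP:admin"},                         # no HR record
}

# Conflict matrix agreed with the business: the purchase-order example from
# the text and the clerk/manager split from the motor vehicle case.
SOD_CONFLICTS = [
    ("AP:create_po", "AP:approve_payment"),
    ("DMV:update_license", "DMV:verify_license"),
]


def sod_violations(entitlements, conflicts):
    """Return {user: [(a, b), ...]} for users holding both halves of a conflict."""
    found = defaultdict(list)
    for user, ents in entitlements.items():
        for a, b in conflicts:
            if a in ents and b in ents:
                found[user].append((a, b))
    return dict(found)


def terminated_with_access(entitlements, roster):
    """Users HR has marked terminated who still hold at least one entitlement."""
    return sorted(u for u, ents in entitlements.items()
                  if roster.get(u) == "terminated" and ents)


def orphan_accounts(entitlements, roster):
    """Accounts with no HR record at all (service or forgotten accounts)."""
    return sorted(u for u in entitlements if u not in roster)


def access_review(entitlements=ENTITLEMENTS, roster=HR_ROSTER,
                  conflicts=SOD_CONFLICTS):
    """Run all three checks and return the findings as one report dict."""
    return {
        "sod": sod_violations(entitlements, conflicts),
        "terminated": terminated_with_access(entitlements, roster),
        "orphans": orphan_accounts(entitlements, roster),
    }


if __name__ == "__main__":
    report = access_review()
    for user, pairs in report["sod"].items():
        for a, b in pairs:
            print(f"SOD       {user}: holds both {a} and {b}")
    for user in report["terminated"]:
        print(f"TERMINATED {user}: still has {sorted(ENTITLEMENTS[user])}")
    for user in report["orphans"]:
        print(f"ORPHAN    {user}: no HR record; assign an owner or disable")
```

The conflict matrix is the part that takes real work: it has to be agreed with the business owners of each application, and the "emergency" exceptions the text mentions should be recorded as time-limited entries that the same script can flag once they expire. Running the review on a schedule, and again on every termination notice, is what turns the one-time deprovisioning of item 9 into an audited process.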
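As a second added example, again not from the original article, the rule set below shows the kind of anomaly rules that items 7 and 8 describe for a Security Information Management tool, applied to the indicators the CERT findings above call out: logons with an expired or terminated account, use of another employee's workstation, after-hours activity, bulk file access by someone who has given notice, and an audit log being cleared by a privileged account. The log lines are constructed in a simple key=value form and the host naming convention (ws-<owner>) is an assumption for the example; a SIEM would express the same logic against its own event schema.

```python
"""Rule-based review of logon and file-access events for insider indicators.

Added example. LOG is constructed sample data, not output of any product.
Assumptions: timestamps are ISO 8601 local time, workstations are named
ws-<owner>, and the HR lists below are fed in from the termination and
resignation processes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2008-05-09T08:05:00 host=ws-jsmith user=jsmith event=logon
2008-05-09T08:07:00 host=ws-jsmith user=jsmith event=file_read path=/shares/finance/q1.xls
2008-05-09T12:40:00 host=ws-aperez user=kchen event=logon
2008-05-09T22:15:00 host=ws-rlee user=rlee event=logon
2008-05-09T22:16:00 host=ws-rlee user=rlee event=file_read path=/shares/sales/customers.csv
2008-05-09T22:16:30 host=ws-rlee user=rlee event=file_read path=/shares/sales/pricing.xls
2008-05-09T22:17:00 host=ws-rlee user=rlee event=file_read path=/shares/sales/contracts.zip
2008-05-09T22:17:30 host=ws-rlee user=rlee event=file_read path=/shares/sales/pipeline.xls
2008-05-10T01:02:00 host=srv-db01 user=dbadmin event=audit_clear
"""

TERMINATED = {"kchen"}     # from HR: account should already be disabled
GAVE_NOTICE = {"rlee"}     # resignation on file, inside the 2-week window
BUSINESS_HOURS = (7, 19)   # 07:00 to 19:00 local
BULK_THRESHOLD = 3         # file reads within BULK_WINDOW that trigger an alert
BULK_WINDOW = timedelta(minutes=10)


def parse(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def workstation_owner(host):
    """Assumed naming convention: ws-<owner>. Servers have no single owner."""
    return host[3:] if host.startswith("ws-") else None


def review(log_text):
    """Return a list of (rule, user, host) alerts in log order."""
    alerts = []
    recent_reads = defaultdict(list)   # user -> timestamps inside BULK_WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        user, host, event = e["user"], e["host"], e["event"]
        if event == "logon":
            if user in TERMINATED:
                alerts.append(("TERMINATED_ACCOUNT_LOGON", user, host))
            owner = workstation_owner(host)
            if owner and owner != user:
                alerts.append(("OTHER_USERS_WORKSTATION", user, host))
            if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
                alerts.append(("AFTER_HOURS_LOGON", user, host))
        elif event == "audit_clear":
            # An administrator who can clear logs can hide everything else;
            # this rule only works if events are forwarded before they are cleared.
            alerts.append(("AUDIT_LOG_CLEARED", user, host))
        elif event == "file_read" and user in GAVE_NOTICE:
            window = [t for t in recent_reads[user] if e["ts"] - t <= BULK_WINDOW]
            window.append(e["ts"])
            recent_reads[user] = window
            if len(window) == BULK_THRESHOLD:   # fire once per burst
                alerts.append(("DEPARTING_USER_BULK_READ", user, host))
    return alerts


if __name__ == "__main__":
    for rule, user, host in review(LOG):
        print(f"{rule:26} user={user} host={host}")
```

Two of these rules depend on controls from earlier items: the terminated-account rule is only meaningful if the termination process (item 9) feeds the list promptly, and the audit-clear rule is only meaningful if logs are forwarded to a store the administrator cannot alter (item 8). Thresholds such as three reads in ten minutes are deliberately low here to keep the sample short; in practice they are tuned per share and per role.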
The insider threat issue must be attacked with people, process, and technology through a defense-in-depth strategy. If the systems are maintained according to the security configurations necessary, duties are segregated, accounts and passwords are controlled, and employees are made aware that their actions are being logged and monitored, there is less likelihood that a disgruntled employee will attempt the unwanted activity. On the flip side, if it appears that management is not involved, the systems are wide open, and it is easy to utilize another account through lax policies, there may be a perception that getting caught is less likely. It is funny how people slow down when approaching a police officer parked by the side of the freeway, only because he "might" have the radar gun recording our actions. If the police announced that they never ticket anyone on that section of the freeway, what might our driving habits be like?
As stated in the beginning, most employees and contractors are trustworthy and contribute their energy every day toward the company mission. However, unexpected, disappointing events can cause individuals to commit criminal acts, and they are sometimes unaware of the magnitude or the consequences of their actions. To provide adequate information assurance, special attention to the insider threat should be built into our security programs.
Todd Fitzgerald, CISSP, CISA, CISM, is the Director of Systems Security and Systems Security Officer for United Government Services, LLC. He has over 25 years of broad-based information technology experience, holding senior IT management positions with Fortune 500 and Global Fortune 250 companies. Todd is a member of the board of directors and security taskforce co-chair for the HIPAA Collaborative of Wisconsin (HIPAA COW), a participant in the CMS/Gartner Security Best Practices Group and the Blue Cross Blue Shield Association Information Security Advisory Group, a previous board member for several Information Systems Security Association (ISSA) chapters, and a frequent speaker and writer on security issues. Todd focuses largely on issues related to security management, risk assessments, policy development, organizing security, security assessments, regulatory compliance (HIPAA, CAST, NIST, ISO 17799), security awareness, and developing security programs.