While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization's business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust. A system administrator angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees. An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer’s computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company’s web pages, changing text and inserting pornographic images. He also sent each of the company’s customers an email message advising that the website had been hacked. 
Each email message also contained that customer’s usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer. A city government employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworker’s computers the day before the new finance director took office. An investigation identified the disgruntled employee as the perpetrator of the incident. City government officials disagreed with the primary police detective on the case as to whether all of the deleted files were recovered.
No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign. These incidents of sabotage were all committed by “insiders”: individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm. Insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases. (Keeney, M., et al. 2005)
The Nature of Security Threats
The greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant. Attackers, trying to do harm, exploit vulnerabilities in a system or security policy, employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business operations or to steal information. The diagram above depicts the types of security threats that exist. The diagram shows all threats to computer systems, but the main emphasis here will be on malicious “insiders”. The greatest threat of attacks against computer systems comes from “insiders” who know the codes and security measures that are in place. With very specific objectives, an insider attack can affect all components of security. As employees with legitimate access to systems, they are familiar with an organization’s computer systems and applications. They are likely to know what actions cause the most damage and how to get away with it undetected. Considered "members of the family," they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and sabotage against systems. Organizational downsizing in both public and private sectors has created a group of individuals with significant knowledge and capabilities for malicious activities and revenge. Contract professionals and foreign nationals, either brought into the U.S. on work visas to meet labor shortages or from offshore outsourcing projects, are also included in this category of knowledgeable insiders.
Common Insider Threat
Common cases of computer-related employee sabotage include: changing data; deleting data; destroying data or programs with logic bombs; crashing systems; holding data hostage; destroying hardware or facilities; entering data incorrectly; and exposing sensitive and embarrassing proprietary data to public view, such as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity. A 1998 FBI survey investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches, for a total quantifiable financial loss of $136 million. (See chart) The survey also found that the largest number of breaches were by unauthorized insider access, and concluded that these figures were very conservative, as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey put the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company in excess of $2.7 million. It found that hidden costs associated with the loss of staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately. Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, to protect or advance their careers, to challenge their skill, express anger, impress others, or some combination of these concerns.
Insider Characteristics
The majority of the insiders were former employees.
- At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
- The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).
Most insiders were either previously or currently employed full-time in a technical position within the organization.
- Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.
- Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.
Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.
- The insiders ranged in age from 17 to 60 years (mean age = 32 years) and represented a variety of racial and ethnic backgrounds.
- Ninety-six percent of the insiders were male.
- Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history.
- Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/ fraud related theft offenses (11%).
Organization Characteristics
The incidents affected organizations in the following critical infrastructure sectors:
- Banking and finance (8%)
- Continuity of government (16%)
- Defense industrial base (2%)
- Food (4%)
- Information and telecommunications (63%)
- Postal and shipping (2%)
- Public health (4%)
In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.
What motivates insiders?
Internal attackers attempt to break into computer networks for many reasons. The subject has been studied extensively, and internal attackers are typically motivated by the following reasons [BSB03]:
Challenge
Many internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not think of their actions as criminal. For example, an internal attack can be the challenge of breaking into the mail server in order to get access to the emails of any employee.
Revenge
Internal attackers motivated by revenge often harbor ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees who feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack against the company in order to cause financial losses.
Espionage
Internal attackers motivated by espionage steal confidential information for a third party. In general, two types of espionage exist:
Industrial espionage
Industrial espionage means that a company may pay its own employees in order to break into the networks of its competitors or business partners. The company may also hire someone else to do this.
International espionage
International espionage means that attackers work for governments and steal confidential information for other governments.
Definitions of insider threat
1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the “true insider,” is defined as any entity (person, system, or code) authorized by command and control elements to access the network, system, or data. The second actor category, the “pseudo-insider,” is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities. The activities of both fall into five general categories:
- Exceeds given network, system or data permissions;
- Conducts malicious activity against or across the network, system or data;
- Provides unapproved access to the network, system or data;
- Circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identity; or
- Non-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure.
(Presented at the University of Louisville Cyber Security Day, October 2006)
2) Insiders — employees, contractors, consultants, and vendors — pose as great a threat to an organization’s security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review and employee awareness training. (Insider Threat Management, presented by infoLock Technologies)
3) Employees are an organization’s most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods, employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders - not just employees, but consultants, contractors, vendors, and partners - must be actively managed, audited, and monitored in order to protect sensitive data. (Presented by infoLock Technologies)
4) The diversity of cyber threats has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specified safety property are extracted to indicate possible exploits. (Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)
5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying the risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem. (Dawn M. Cappelli, Akash G. Desai)
6) The "insider threat" or "insider problem" is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an "insider" has information and capabilities not known to other, external attackers. But the studies rarely define what the "insider threat" is, or define it nebulously. The difficulty in handling the "insider threat" is reasonable under those circumstances; if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved? (Matt Bishop 2005)
Five common insider threats
1.) Exploiting information via remote access software
A considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can do it offsite. Also, inadequately protected remote computers may turn up in the hands of a third party if the computer is left unattended, lost or stolen.
2.) Sending out information via e-mail and instant messaging
Sensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, it's also one of the easiest to eliminate.
3.) Sharing sensitive files on P2P networks
Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are it's there and waiting to be abused. The inanimate software in and of itself is not the problem – it's how it's used that causes trouble. All it takes is a simple misconfiguration to serve up your network's local and network drives to the world.
4.) Careless use of wireless networks
Perhaps the most unintentional insider threat is that of insecure wireless network usage. Whether it's at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but don't overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use them to exploit the network after hours.
5.) Posting information to discussion boards and blogs
Quite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.
Views of different authors about insider threat
1) Although insiders in this report tended to be former technical employees, there is no demographic “profile” of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees’ passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship. Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used. (Michelle Keeney, J.D., Ph.D., et al. 2005)
2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization's business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust. (Nam Nguyen, Peter Reiher and Geoffrey H. Kuenning)
3) Geographically distributed information systems achieve high availability, which is crucial to their usefulness, by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account. (Yair Amir and Cristina Nita-Rotaru)
4) In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people. The Insider Threat Assessment, security awareness training, infrastructure reconfiguration, or third party solutions: you can take comfort in knowing that you have made the right choice to improve your security posture, and you will achieve your expected Return on Security Investment. (Presented by infoLock Technologies)
5) The threat of attack from insiders is real and substantial.
The 2004 E-Crime Watch Survey, conducted by the United States Secret Service, CERT® Coordination Center (CERT/CC), and CSO Magazine, found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million. Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees. (Dawn Cappelli, Andrew Moore, Timothy Shimeall, 2005)
6) Insiders, by virtue of legitimate access to their organizations’ information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it easy to use the systems they use at work every day to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization’s vulnerabilities, have used their technical ability to sabotage their employer’s system or network in revenge for some negative work-related event. (Dawn M. Cappelli, Akash G. Desai, et al. 2004)
7) The "insider problem" is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitions vary in meaning. Different definitions imply different countermeasures, as well as different assumptions. (Matt Bishop 2005)
Solution: User monitoring
Insiders have two things that external attackers don’t: privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts, all while flying under the radar unless a strong incident detection solution is in place. A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. Insiders can directly damage your business, resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyze malicious insider activity. These are some points which could be helpful in monitoring and minimizing insider threats:
- Detecting insider activity starts with an expanded log
- Firewalls, routers and intrusion detection systems are important, but they are not enough.
- Organizations need to look deeper to include mission critical applications such as email applications, databases, operating systems, mainframes, access control solutions, physical security systems as well as identity and content management products.
- Correlation: identifying known types of suspicious and malicious behavior
- Anomaly detection: recognizing deviations from norms and baselines.
- Pattern discovery: uncovering seemingly unrelated events that show a pattern of suspicious activity
- From case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organization’s procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are.
- Identify suspicious user activity patterns and identify anomalies.
- Visually track and create business-level reports on user’s activity.
- Automatically escalate the threat levels of suspicious and malicious individuals.
- Respond according to your specific and unique corporate governing guidelines.
- Early detection of insider activity based on early warning indicators of suspicious behavior, such as:
- Stale or terminated accounts
- Excessive file printing, unusual printing times and
- Traffic to suspicious destinations
- Unauthorized peripheral device access
- Bypassing security controls
- Attempts to alter or delete system logs
- Installation of malicious software
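As an added example (not part of the original text or of any study it cites), the following Python correlates constructed audit events against several of the early warning indicators listed above and escalates a per-user threat level; the account names, thresholds, indicator weights and log entries are all invented for the illustration:

```python
# Correlation over constructed audit events for the early-warning indicators
# above: terminated accounts still active, after-hours or excessive printing,
# traffic to suspicious destinations, peripheral use, log tampering.
# Every name, threshold and event below is invented for this example.
from collections import defaultdict
from datetime import datetime, time

# Assumed HR feed: account -> date on which it should have been disabled.
TERMINATED = {"jdoe": datetime(2024, 3, 1)}
# Assumed policy list of destinations that warrant an alert.
SUSPICIOUS_DESTINATIONS = {"paste.example-drop.invalid", "198.51.100.23"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
PRINT_PAGE_LIMIT = 200  # pages per user per day before the volume is flagged

# Indicator weights used to escalate a user's threat level (assumed values).
WEIGHTS = {
    "terminated_account_activity": 5,
    "log_tampering": 5,
    "mass_password_reset": 4,
    "suspicious_destination": 3,
    "excessive_printing": 2,
    "unauthorized_peripheral": 2,
    "after_hours_printing": 1,
}

# Constructed event log: (timestamp, user, event, detail).
EVENTS = [
    ("2024-03-04 02:10:00", "jdoe", "login", "vpn"),
    ("2024-03-04 02:15:00", "jdoe", "password_reset", "all-users"),
    ("2024-03-05 22:40:00", "asmith", "print", "pages=180"),
    ("2024-03-05 22:55:00", "asmith", "print", "pages=90"),
    ("2024-03-05 23:05:00", "asmith", "net_connect", "paste.example-drop.invalid"),
    ("2024-03-06 09:00:00", "bchen", "print", "pages=12"),
    ("2024-03-06 11:30:00", "rkim", "log_clear", "/var/log/auth.log"),
    ("2024-03-06 11:31:00", "rkim", "usb_mount", "sdb1"),
    ("2024-03-06 20:05:00", "tlee", "print", "pages=40"),
]


def in_business_hours(ts):
    return BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]


def correlate(events=EVENTS):
    """Return (alerts, levels): alerts are (user, indicator, detail) tuples,
    levels maps each flagged user to "low", "medium" or "high"."""
    alerts = []
    pages = defaultdict(int)  # (user, day) -> pages printed that day
    for ts_text, user, kind, detail in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        # Stale or terminated account that is still producing activity.
        if user in TERMINATED and ts >= TERMINATED[user]:
            alerts.append((user, "terminated_account_activity", f"{kind} at {ts}"))
        if kind == "print":
            n = int(detail.split("=", 1)[1])
            pages[(user, ts.date())] += n
            if not in_business_hours(ts):
                alerts.append((user, "after_hours_printing", f"{n} pages at {ts}"))
        elif kind == "net_connect" and detail in SUSPICIOUS_DESTINATIONS:
            alerts.append((user, "suspicious_destination", detail))
        elif kind == "log_clear":
            alerts.append((user, "log_tampering", detail))
        elif kind == "usb_mount":
            alerts.append((user, "unauthorized_peripheral", detail))
        elif kind == "password_reset" and detail == "all-users":
            alerts.append((user, "mass_password_reset", detail))
    # Daily print volume can only be judged once the whole day has been seen.
    for (user, day), n in sorted(pages.items()):
        if n > PRINT_PAGE_LIMIT:
            alerts.append((user, "excessive_printing", f"{n} pages on {day}"))
    # Escalate: sum indicator weights per user and bucket into a threat level.
    scores = defaultdict(int)
    for user, indicator, _ in alerts:
        scores[user] += WEIGHTS[indicator]
    levels = {u: "high" if s >= 6 else "medium" if s >= 3 else "low"
              for u, s in scores.items()}
    return alerts, levels


if __name__ == "__main__":
    found, threat_levels = correlate()
    for user, indicator, detail in found:
        print(f"{user:8} {indicator:28} {detail}")
    print(threat_levels)
```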
The Insider Threat Study
The global acceptance, business adoption and growth of the Internet, and of Internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less than their tea and coffee expenses. Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the President’s Critical Infrastructure Protection Board identified several critical infrastructure sectors:
- information and telecommunications
The cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organizations’ data, systems, or daily business operations. Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.
A completely secure, zero-risk system is one which has zero functionality. The latest high-performance automated systems bring with them new risks in the shape of new attacks, new viruses, new software bugs, etc. IT security, therefore, is an ongoing process. Proper risk management keeps the IT security plans, policies and procedures up to date as per new requirements and changes in the computing environment. Implementing controls to counter risks requires policies, and policy can only be implemented successfully if top management is committed. And a policy’s effective implementation is not possible without the training and awareness of staff. The State Bank of Pakistan recognizes that the financial industry is built around the sanctity of financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of IT security and the ever-increasing threats it faces in today’s open world cannot be overstated. As more and more of our banking operations and products & services become technology driven and dependent, our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure the smooth functioning of the financial industry.
Here are different areas in which we can work and check insider threat, but I chose the textile industry, as in the textile industry there is less awareness of the insider threat. If an insider attacks an industry, then the industrialist tries to cover up this news, as these types of news about an industry can damage the reputation of the industry.
- chemical industry, textile industry and hazardous materials
Chapter 2 Review of Literature
Axelsson, S. (2000); Anonymous (2001)
Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and processes are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level. Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with quality structures, processes and checklists.
What needs to be protected, against whom and how?
Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of:
Confidentiality: Sensitive business objects (information & processes) are disclosed only to authorised persons. ==> Controls are required to restrict access to objects.
Integrity: The business needs to control modification to objects (information and processes). ==> Controls are required to ensure objects are accurate and complete.
Availability: The need to have business objects (information and services) available when needed. ==> Controls are required to ensure reliability of services.
Legal Compliance: Information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.
A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
Stoneburner et al. (2002)
In this paper the author describes the risks which are posed by a university IT system. The paper first gives the background of the risks, the methodology employed, its implementation and the knowledge gained by performing the risk assessment. Next the author defines the terms security and risk. According to the author, from an IT perspective security can be defined as “the state of being free from unacceptable risk”. To define risk, the author quotes the Texas A&M University definition: “any event or action that adversely impacts the University’s ability to achieve its objectives”. The author discusses the security policies and guidelines. The risk assessment process has two main objectives, namely to implement reasonable safeguards and to document the due diligence of management in mitigating risks.
The inherent complexity of most systems, and in particular of large corporate systems, makes their risk assessment a time-consuming process. It is also important to take time to precisely define what is meant by each threat that is identified. This understanding is required so that agreement can be more readily reached on its likelihood and consequence. Also, when the threat is revisited for determination of risk mitigation action, and then later in reviews of the risk management plan, an exact definition is required. The risk assessment process permits prioritization of a potentially very large number of actions that could be taken to improve security. For a new system, it gives management (and the auditors) some confidence that the risks associated with introduction of the system have been considered and addressed before the system goes live. For forecasting purposes, the author divided the systems into three categories – simple, medium and complex. From experience gained with the initial high-level and detailed risk assessments, an estimate of the number of personnel and their time involvement was prepared.
Satti, M. M. (2003)
In this report the author discusses how the global acceptance, business adoption and growth of the Internet, and of Internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less than their tea and coffee expenses. National-level leadership and innovation in managing information security have become default standards for all modern states in overcoming the coming challenges of cyberspace threats.
This paper provides an overview of the Computer Emergency Response Team (CERT): its objectives and goals, organization, infrastructure requirements, plans and standards. The paper also provides, albeit briefly, the core requirements of the group, the roles of its members and the hierarchical management model that spreads across the sphere of ‘knowledge groups’ to establish an effective, well-organized and consummate squad to mitigate the online risks of unseen threats. The forum will provide unparalleled leadership and innovation in information security management and the dissemination of cyber security knowledge and awareness in all ranks of citizens using the Internet, email and web-based tools for business needs.

Spitzner (2004) The author discusses that little research has been done on one of the most dangerous threats, the advanced insider: the trusted individual who knows the internal organization. These individuals are not after your systems; they are after the organization’s information. This presentation discusses how honeypot technologies can be used to detect, identify and gather information on insider threats; the characteristics of advanced insider threats are vastly different from those of an external threat. The author notes that before discussing how honeypots, specifically honeynets and honeytokens, can catch the insider threat, there is a need to define the goals and the threat faced. The basic goal is to detect, identify and confirm insider threats. This means leveraging honeypots not only to indicate that there is an insider, but also to confirm their actions, and potentially learn their motives and resources. The sophisticated insider makes this goal difficult. By this the author simply means “someone who is technically skilled, highly motivated, and has access to extensive resources”. For example, this threat may be an employee working for a large corporation who in reality is employed by a competitor to engage in corporate espionage.
The author defines a honeypot as: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource”. Honeypots do not solve a specific problem. Instead, honeypots are a highly flexible tool with many applications to security. They can be used for everything from slowing down or stopping automated attacks and capturing new exploits to gathering intelligence on emerging threats or early warning and prediction. Second, honeypots come in many different shapes and sizes. At the end of the paper the author concludes that honeypots are an emerging technology with extensive potential. Honeypots have tremendous advantages that can be applied to a variety of different environments. Honeypots dramatically reduce false positives, while providing an extremely flexible tool that is easy to customize for different environments and threats.

Randazzo, M.R., et al (2004) In this paper the authors describe the Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, which analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences that magnify the risk of insider attack. The lack of tools for understanding the insider threat, analyzing risk mitigation alternatives and communicating results exacerbates the problem. Basically the authors discuss that insiders, by virtue of legitimate access to their organizations’ information, systems and networks, pose a significant risk to employers. The authors describe the reasons for insider threats. Finance is also a reason: employees experiencing financial problems have found it easy to use the systems they use at work every day to commit fraud.
Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization’s vulnerabilities, have used their technical ability to sabotage their employer’s system or network in revenge for some negative work-related event. The writers of this paper state that in January 2002 the Carnegie Mellon University Software Engineering Institute’s CERT Program (CERT) and the United States Secret Service (USSS) National Threat Assessment Center (NTAC) started a joint project, the Insider Threat Study. The study combined NTAC’s expertise in behavioral psychology with CERT’s technical security expertise to provide an in-depth analysis of approximately 150 insider incidents that occurred in critical infrastructure sectors between 1996 and 2002. The analysis included review of case documentation and interviews of the personnel involved in the incidents. Project reports include statistical findings and implications regarding the technical details of the incidents; detection and identification of the insiders; the nature of the harm; and insider planning, communication, behavior and characteristics. The reports have been well received across several stakeholder domains, including the business community, technical experts and security officers. One fear, however, is that practitioners will mistakenly interpret the results as stand-alone statistics and assign consideration of individual implications to various departments within the organization, instead of taking a holistic, enterprise-wide approach to mitigating insider threat risk. The goal of Carnegie Mellon University’s MERIT (Management and Education of the Risk of Insider Threat) project is to develop such tools.
MERIT uses system dynamics to model and analyze insider threats and produce interactive learning environments. These tools can be used by policy makers, security officers, information technology, human resources and management to understand the problem and assess the risk from insiders based on simulations of policy, cultural, technical and procedural factors. The writers of this paper describe the MERIT insider threat model and simulation results. The authors’ concluding remarks regarding the Insider Threat Study show that to detect insider threats as early as possible, or to prevent them altogether, management, IT, human resources, security officers and others in the organization must understand the psychological, organizational and technical aspects of the problem, as well as how they coordinate their actions over time.

Keeney, M., et al (2005) In this paper the authors describe how an insider had extensive control over the source code of a critical application used by the organization. As lead developer of the software, he made sure that he possessed the only copy of the source code. There were no backups, and very little documentation existed. Following a demotion in both position and pay, the insider “wiped” the hard drive of his company-provided laptop. In doing so, he deleted the only copy of the source code the organization possessed. It took several months to recover the source code from the insider, during which time the organization was unable to update the software.

Cappelli et al (2005) This research paper presents an examination of how each organization could have prevented the attack, or at the very least detected it earlier. Rather than requiring new practices or technologies for the prevention of insider threats, the research instead identifies existing best practices that are critical to the mitigation of the risks from malicious insiders.
Chinchani et al (2005) The diversity of cyber threats has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. In this paper the authors propose a new target-centric model to address this class of security problems and explain the modeling methodology with specific examples. Finally, they perform quantified vulnerability analyses and prove worst-case complexity results on their model.

Gordon, L.A., et al (2006) In this paper the authors discuss how uncontrolled use of iPods, USB sticks, PDAs and other devices on your network can lead to data theft, the introduction of viruses, legal liability issues and more. In a society where the use of portable storage devices is commonplace, the threat that these devices pose to corporations and organizations is often ignored. This white paper examines the nature of the threat that devices such as iPods, USB sticks, flash drives and PDAs present, and the counter-measures that organizations can adopt to eliminate them. In an on-demand society where individuals can easily access portable music players, PDAs, mobile phones and digital cameras, technological innovation has responded to personal needs with the development of electronic devices that include data storage capabilities. There is, however, a downside to this modern-day scenario: the misuse of these devices in a corporate environment can spell disaster for a corporation.

Virginia et al (2006) This paper introduces a framework composed of a method and of supporting awareness deliverables. The method organizes the identification and assessment of insider threat risks from the perspective of the organization’s goal(s)/business mission. This method is supported by three deliverables. First, by attack strategies structured in four decomposition trees.
Second, by a pattern of insider attack which reduces an insider attack step to six possible scenarios. Third, by a list of defense strategies which helps in the elicitation of requirements. The output of the method consists of goal-based requirements for the defense against insiders. Attack and defense strategies are collected from the literature and from organizational control principles.

Infolock Technologies (2006) The authors discuss that employees are an organization’s most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, and storing sensitive data on portable devices such as laptops, PDAs, thumb drives and even iPods, employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders (not just employees, but consultants, contractors, vendors and partners) must be actively managed, audited and monitored in order to protect sensitive data. In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology and, most importantly, people.
ArcSight, Detecting and Responding to Malicious Insiders Insider threats are the easiest to perpetrate, the most difficult to prevent, and can be the most challenging. Insiders have two things that external attackers don’t: privileged access and trust. This allows them to bypass preventive measures, access mission-critical assets and conduct malicious acts, all while flying under the radar unless a strong incident detection solution is in place. Some employees become malicious over time; others may be spies planted to conduct industrial espionage; while still others simply make unwitting mistakes that put the organization at risk. A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. It doesn’t take a skilled hacker to print out sensitive data, copy files to an MP3 player or send confidential information to a competitor. Because of this, anybody can become a malicious insider, from the disgruntled system administrator hoping to sabotage access to business-critical systems to the human resources intern selling employee salary information to recruiters. Insiders can directly damage your business, resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyze malicious insider activity.
Research questions
The research deals with the aspect of the following questions:
- Are organizations aware of the danger of internal security threats?
- Do internal security threats have a business impact on organizations?
- How do organizations develop a plan for preventing internal security threats?
These questions have many answers because organizations have different organizational cultures and structures and do not have the same objectives and plans. In connection with the research questions above, the structure of the thesis will be presented as a process view, according to figure 1.2. The figure illustrates the process of preventing internal security threats in an organization. The process is a view of three main stages: 1) Investigation; 2) Analysis; 3) Implementation.
The investigation stage will be to collect information in order to be able to identify internal security threats that may occur in an organization. At the investigation stage, the questions are:
- Are internal security threats reported outside the organization?
- How are internal security threats detected?
The analysis stage will be to understand the different facets of internal security threats. At the analysis stage, the questions are:
- Is it possible to identify all kinds of internal security threats?
- What are the different aspects of internal security threats?
- Are all internal security threats convergent to the same motive?
The implementation stage will be to develop a business continuity plan in order to maintain some degree of critical business activity in spite of a catastrophe resulting from internal security threats. At the implementation stage, the questions are:
- Which are the most critical information assets to protect in organizations?
- Is it possible to prevent all internal security threats in organizations?
Overall and Specific Objectives
The overall objective of the proposed research is to identify unusual access patterns due to insider threats using run-time monitoring, clustering, and cluster identification of security events. This combination of techniques is novel within the field of security. The proposed work will make use of an existing system, and assertions will be derived from a formally specified security policy. The assertions check the correctness of security events collected from execution traces of the system’s operation. The proposed work will identify those access patterns that do not conform to the a priori security policy. Clusters corresponding to access patterns that lead to security violations will be labeled as insider threats and added to the security policy. Unusual access patterns for training and testing the security policy will come from fault injection of insider threats. Event traces come from internal events and message traffic, with the latter being most applicable to systems.
B. Significance of the Proposed Research: Large, complex information systems have many interacting components, some of which are COTS components and some of which are internally developed.
These systems are usually distributed; many parts of the application run on different computers. Security and privacy of these systems is of paramount concern. Security may be maintained by strict enforcement of a security policy, but insider attacks often do not conform to existing models of security. Insider threats apply unusual access patterns to exploit existing or intentional internal weaknesses of the system under attack. Unfortunately, it is difficult to certify that a system is resilient to a security attack when the attack itself is not well understood. The exploratory work of this proposal will show the feasibility of the proposed approach and may be helpful for protecting against insider attacks.
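The objective above (assertions derived from a formally stated policy, checked against execution traces, with non-conforming events clustered and the clusters labelled) is illustrated here in Python. This is an added example, not code from the thesis or from the system it proposes to monitor; the policy table, the business-hours assertion, the user names and the trace lines are all constructed, and the trace plays the role of the "fault injection" the text describes: a developer account deleting from a backup server after hours.

```python
"""
Added example: policy assertions checked over a constructed execution trace,
with violating events clustered by (user, resource, action) so that a repeated
non-conforming access pattern stands out from a one-off mistake.
Everything below (policy, users, resources, log lines) is constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical formally stated policy: (role, resource, action) triples that are allowed.
POLICY = {
    ("finance", "payroll_db", "read"),
    ("finance", "payroll_db", "update"),
    ("hr", "employee_records", "read"),
    ("hr", "employee_records", "update"),
    ("sysadmin", "backup_server", "read"),
    ("sysadmin", "backup_server", "update"),
    ("sysadmin", "backup_server", "delete"),
}
BUSINESS_HOURS = (8, 18)  # assertion: access is expected between 08:00 and 18:00


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    resource: str


def parse_event(line: str) -> Event:
    """Parse one 'timestamp key=value ...' trace line (constructed format)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts_str), fields["user"], fields["role"],
                 fields["action"], fields["resource"])


def check_assertions(ev: Event) -> list[str]:
    """Return the names of the policy assertions this event violates (empty if it conforms)."""
    violations = []
    if (ev.role, ev.resource, ev.action) not in POLICY:
        violations.append("role_not_permitted")
    if not BUSINESS_HOURS[0] <= ev.ts.hour < BUSINESS_HOURS[1]:
        violations.append("outside_business_hours")
    return violations


def cluster_violations(lines: list[str]) -> dict[tuple, dict]:
    """Group violating events by (user, resource, action); each cluster records
    how many events it holds and which assertions failed."""
    clusters = defaultdict(lambda: {"count": 0, "assertions": set()})
    for line in lines:
        ev = parse_event(line)
        failed = check_assertions(ev)
        if failed:
            cluster = clusters[(ev.user, ev.resource, ev.action)]
            cluster["count"] += 1
            cluster["assertions"].update(failed)
    return dict(clusters)


def label_insider_threats(clusters: dict[tuple, dict], min_events: int = 2) -> list[tuple]:
    """A cluster is labelled an insider-threat pattern when the same user repeats a
    non-conforming access; single events are left for manual review."""
    return sorted(key for key, c in clusters.items() if c["count"] >= min_events)


# Constructed trace: routine daytime access plus a developer account touching the
# backup server at night (the injected insider pattern).
SAMPLE_TRACE = [
    "2006-03-01T09:12:00 user=alice role=finance action=read resource=payroll_db",
    "2006-03-01T10:05:00 user=bob role=hr action=update resource=employee_records",
    "2006-03-01T23:41:00 user=carol role=developer action=read resource=backup_server",
    "2006-03-02T00:03:00 user=carol role=developer action=delete resource=backup_server",
    "2006-03-02T00:09:00 user=carol role=developer action=delete resource=backup_server",
    "2006-03-02T19:30:00 user=alice role=finance action=read resource=payroll_db",
]

if __name__ == "__main__":
    found = cluster_violations(SAMPLE_TRACE)
    for key, c in found.items():
        print(key, c["count"], sorted(c["assertions"]))
    print("labelled insider-threat clusters:", label_insider_threats(found))
```

Alice's single after-hours read of a resource her role is permitted to use ends up as a one-event cluster, whereas Carol's repeated deletes form a cluster that fails both assertions and is labelled; in the proposal's terms that labelled pattern is what would be fed back into the security policy.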
Justification for the research
Many external security threats are reported daily by different institutes, such as information security centers (e.g. CERT, SITIC in Sweden). Such institutes work closely with organizations in order to analyze and understand the risk of the different external security threats, and to report security threats with information on how to protect against them. Information about internal security threats may be very sensitive for organizations, and according to Mr. Bruck, “the risk of internal attacks is very likely to rise in the coming year due to the growth, sophistication and ease of use of hacking tools available online” [BRU03]. Internal security threats may have a strong business impact, and organizations have to be protected by the implementation of a security design plan. The main goal of this research is to investigate and to analyze internal security threats, in order to understand their different facets and to establish a strategic plan to prevent them. Who should read this work?
- System administrators, Security administrators
Chapter 3 Materials and Methods
The insider threat to critical information systems is widely viewed as being of the greatest concern. However, a great deal of research has been focused on identifying, capturing and researching external threats. While malicious and dangerous, these attacks are often random, with attackers more interested in how many systems they can break into than which systems they break into. To date, limited research has been done on a far more dangerous and devastating threat, the advanced insider. The insider threat is a potential problem in any organization that conceals or protects valuable information. The aim of this research is to solve the insider threat problem by the identification and assessment of the risks that insiders represent to an organization. This research deals with the aspect of the following questions:
- Are organizations aware of the danger of internal security threats?
- Do internal security threats have a business impact on organizations?
- How do organizations develop a plan for preventing internal security threats?
I chose the survey method as Olivier GRANDVAUX (2004) selected in his research. The process is a view of three main stages: 1) Investigation; 2) Analysis; 3) Implementation. The figure illustrates the process of preventing internal security threats in an organization.

1. Investigation
The investigation stage will be to collect information in order to be able to identify internal security threats that may occur in an organization. At the investigation stage, the questions are:
- Are internal security threats reported outside the organization?
- How are internal security threats detected?
The investigation stage is the outcome of a survey [Appendix A], one study from the United States Secret Service and the Carnegie Mellon University Software Engineering Institute’s CERT Coordination Center [ITS04], and other scientific papers. The survey has been answered by some employees from Industry name. I got 10 answers in total, and I believe that the answers are reliable sources. The ten respondents answered through the Internet and the results were anonymous. However, I know some of the respondents directly as they are friends, and the other results are from friends of friends. Thus I judge that the results from the survey are valid. In the investigation stage the sources of the threats to the organization will be identified, in order to be able to identify internal security threats that may occur in an organization. The following information will be collected:
- Identification of Security Threats
- Sources of Internal Threats Identification

3.1 Investigation Techniques

3.1.1 Survey
The survey [Appendix A] is about twenty-five internal security threats. The goal of the survey was to get opinions from hackers on these twenty-five internal security threats and also to know whether they think that these threats are relevant, not relevant or indifferent to organizations. For each question, only one answer was possible among these three choices:
- “Yes, I think the internal security threat is relevant”
- “No, I do not think that the internal security threat is relevant”
- “I do not know. I think the threat is indifferent”
I compiled the results as follows:
- if more than 70% of respondents think that the threat is relevant, I will consider the threat as relevant;
- if more than 70% of respondents think that the threat is not relevant, I will consider the threat as not relevant;
- otherwise I will consider the threat as indifferent.
The results from the survey showed that 64% of internal security threats were considered as relevant. The result 64% is the number of relevant threats, which is 16, divided by the total number of threats, which is 25 (16/25 = 0.64). The results from the survey showed that 20% of internal security threats were considered as

Questionnaires
Observations

2. Analysis Phase
The analysis stage will be to understand the different facets of internal security threats. At the analysis stage, the questions are:
- Is it possible to identify all kinds of internal security threats?
- What are the different aspects of internal security threats?
- Are all internal security threats convergent to the same motive?
Prioritization of Internal Threats (Excel, SPSS)

3. Implementation Phase
The implementation stage will be to develop a business continuity plan in order to maintain some degree of critical business activity in spite of a catastrophe resulting from internal security threats. At the implementation stage, the questions are:
- Which are the most critical information assets to protect in organizations?
- Is it possible to prevent all internal security threats in organizations?
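The scoring rule stated in section 3.1.1 (a threat counts as relevant when more than 70% of respondents say so, as not relevant when more than 70% say it is not, and as indifferent otherwise) is applied below to a constructed set of answers. This is an added example and not the thesis's own data or spreadsheet: the threat names, the ten answers per threat and the resulting shares are made up, and the block deliberately includes a threat at exactly 70% to show that the rule's "more than" makes it indifferent rather than relevant.

```python
"""
Added example: the 3.1.1 survey scoring rule applied to constructed answers.
Threat names and respondent answers below are made up for illustration.
"""
from collections import Counter

RELEVANT, NOT_RELEVANT, DONT_KNOW = "yes", "no", "dk"   # the three allowed answers
THRESHOLD = 0.70                                         # "more than 70%"
CLASSES = ("relevant", "not relevant", "indifferent")


def classify(answers):
    """Classify one threat from the list of its respondents' answers."""
    if not answers:
        raise ValueError("a threat needs at least one answer to be classified")
    n = len(answers)
    counts = Counter(answers)
    if counts[RELEVANT] / n > THRESHOLD:        # strictly more than 70% said "yes"
        return "relevant"
    if counts[NOT_RELEVANT] / n > THRESHOLD:    # strictly more than 70% said "no"
        return "not relevant"
    return "indifferent"                        # everything else, incl. exactly 70%


def summarize(survey):
    """survey: {threat name: [answers]} -> (verdict per threat, share of threats per class).
    The share for 'relevant' is the figure the thesis reports as 16/25 = 0.64."""
    verdicts = {threat: classify(answers) for threat, answers in survey.items()}
    total = len(verdicts)
    shares = {c: sum(1 for v in verdicts.values() if v == c) / total for c in CLASSES}
    return verdicts, shares


# Constructed answers from ten respondents for five made-up threats.
SAMPLE_SURVEY = {
    "password sharing":          ["yes"] * 8 + ["no"] + ["dk"],   # 80% yes -> relevant
    "unlocked workstation":      ["yes"] * 7 + ["no"] * 3,        # exactly 70% -> indifferent
    "copying data to USB stick": ["yes"] * 9 + ["dk"],            # 90% yes -> relevant
    "printing confidential docs": ["no"] * 8 + ["yes"] * 2,       # 80% no -> not relevant
    "forwarding work email":     ["yes"] * 5 + ["no"] * 5,        # split -> indifferent
}

if __name__ == "__main__":
    verdicts, shares = summarize(SAMPLE_SURVEY)
    for threat, verdict in verdicts.items():
        print(f"{threat:28s} {verdict}")
    print(shares)
```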
Software Selection
The selection of the software is a very important factor to be considered during the development phase of the new system. This choice depends on many factors, including the current environment, the amount of data to handle and the cost of programming. After analyzing the problem and considering the organization’s needs, I have selected ASP as the front-end tool and SQL Server 2000 as the relational database management system for the development of this system, because it has the capability to handle a fairly large amount of data. It also provides a relational database management system available for personal and multi-user systems. Hence this system will be compatible with other packages and share data easily. In the design phase of any application development the first strategy to be considered is tool selection. So for the web development we must consider the following things:
- The application should be fast, because the end user needs fast browsing.
- Online applications that contain many graphics and images may overload the client station, so we need to keep our code lean.
- The data queries must be secure, and supported by secure software.
- It is important to keep the web site simple and intuitive. Web sites which are complex to navigate and badly designed fail miserably in sustaining the interest of the audience.
- People hate long download times as much as they hate waiting in a queue. Keep the download time for all pages to a minimum.
To achieve the task of the web development we have to select suitable tools. For this purpose we select the following tools:
- HTML (Hyper Text Markup Language)
- CSS (Cascading Style Sheets)
- SQL Server 2000 (Database Management System)
- IIS (Internet Information Server)
- T-SQL (Transact Structured Query Language)
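The design rule above that "the data queries must be secure" is shown concretely here with the same lookup written two ways. This is an added example, not code from the thesis's ASP/SQL Server 2000 system: it uses Python's built-in sqlite3 module so it runs offline, but the point carries over unchanged to ADO and T-SQL, namely that user input must be passed to the database as a bound parameter and never spliced into the SQL text. The employee table and its two rows are constructed sample data.

```python
"""
Added example: a name lookup built by string concatenation beside the same lookup
using a bound parameter. The concatenated form breaks on a perfectly legitimate
name containing a quote character, which is exactly the mechanism that makes it
unsafe; the parameterised form treats the input as data in every case.
Table contents are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, department TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("Alice Smith", "finance", 52000), ("Liam O'Brien", "hr", 48000)],
    )
    return conn


def find_by_name_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Weak form: the input becomes part of the SQL statement itself."""
    sql = "SELECT name, department FROM employees WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn: sqlite3.Connection, name: str) -> list:
    """Corrected form: the driver binds the value; quotes in it are just characters."""
    sql = "SELECT name, department FROM employees WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn: sqlite3.Connection, name: str) -> tuple:
    """Run both forms on one input and return (unsafe result or error class name, safe result)."""
    try:
        unsafe = find_by_name_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = type(exc).__name__
    return unsafe, find_by_name_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    for who in ("Alice Smith", "Liam O'Brien"):
        print(who, "->", compare(db, who))
```

For "Alice Smith" both forms return the same row; for "Liam O'Brien" the concatenated statement is no longer valid SQL and the driver raises an OperationalError, while the bound-parameter form returns the row. A query whose meaning changes with the characters a user types is the defect to design out, and binding parameters is the standard way to do it in ADO against SQL Server as well.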
HTML / MS Visual InterDev 6.0
HTML has come a long way from the simple language that Tim Berners-Lee developed in 1989. The latest modifications, all loosely grouped under the heading Dynamic HTML (DHTML), bring Web pages alive with true interactivity and without a performance hit. With DHTML, developers can write scripts that change the layout and content of Web pages without having to generate a new page or retrieve one from the server. Microsoft Visual InterDev 6.0 is selected as the software tool for the proposed system. Microsoft Visual InterDev 6.0 is a component of Microsoft Developer Studio that serves as the development platform for applications dealing with the World Wide Web. Microsoft Visual InterDev supports the creation of scripts in scripting languages such as Microsoft Visual Basic Scripting Edition (VBScript) and Microsoft JScript.
Features of Visual InterDev 6.0 The following new features make web application development faster, richer and more robust.
Data Environment Creating and modifying data-related objects is performed in one place: the graphical data environment. In the data environment, one can drag and drop objects onto Active Server Pages (ASP) to automatically create data-bound design-time controls.
Data-Bound Designing Time Controls Design-time controls offer a richer, more visual editing interface for creating data-enriched pages. Data-bound controls make it simple to incorporate the script in the ASP or HTML pages to interact with a database.
Scripting Object Model The scripting object model simplifies web application development by providing a model for object-oriented scripting. Script objects simplify web application development and also greatly reduce the complexity and quantity of scripting required for writing applications that span the client (browser) and server.
Site Designer To quickly prototype and build web sites, use the graphical Site Designer. In the Site Designer, site diagrams are used to create pages, links, navigation, hierarchy, and more – all with an easy-to-use drag and drop interface.
Cascading Style Sheets Editor One can edit style sheets easily in the CSS editor. One can create and modify style sheets for a set of web pages and preview how the pages, or any page in the web application would look, if the current style sheet were applied.
WYSIWYG Page Editor The Visual InterDev editor has a Design view that lets you edit and create content in a WYSIWYG workspace. In addition to the Design view, one can write script in Source view, which offers statement completion and color-coding of script elements. In addition, instead of viewing the file in an external browser, one can easily view the file in Quick view.
Active Server Pages (ASP)
ASP is a server-side scripting environment that can be used to create and run dynamic, interactive web server applications. With ASP, HTML pages, script commands and ActiveX components can be combined to create interactive online pages or applications. One can create scripts in either VBScript or JScript; it doesn’t matter, as your web server processes both languages equally, sending HTML-formatted results to the user’s browser. Beyond ordinary scripting tasks, with ASP one can extend the scripts into full-fledged applications that perform complex tasks, such as collecting and processing order information for an online business. ASP can be used with the following web servers:
- Microsoft Internet Information Server version 5.0 on Windows 2000/NT.
- Microsoft Personal Web Server on Windows 95/98.
- Microsoft Peer Web Server version 3.0 on Windows NT Workstation.
An ASP script begins to run when a browser requests an .asp file from the web server. The web server then calls ASP, which reads through the requested file from top to bottom, executes any script commands, and sends a web page to the browser. Because the scripts run on the server rather than on the client, the web server does all the work involved in generating the web pages that are sent to the browser. There is no need to worry whether a browser can process the scripts. The web server does all the script processing, transmitting standard HTML to the browser. Server-side scripts cannot be readily copied because only the result of the script is returned to the browser. The users cannot view the script commands that created the page they are viewing.
SQL Server 2000 SQL Server 2000 includes several new features that make it an excellent database platform for large-scale online transactional processing (OLTP), data warehousing, and e-commerce applications. SQL Server 2000 forms a high-performance data storage service for Web applications running under IIS, or accessing the database through a firewall. Microsoft® SQL Server™ 2000 major features include:
Internet Integration The SQL Server 2000 database engine includes integrated XML support. It also has the scalability, availability, and security features required to operate as the data storage component of the largest Web sites. The SQL Server 2000 programming model is integrated with the Windows DNA architecture for developing Web applications, and SQL Server 2000 supports features such as English Query and the Microsoft Search Service to incorporate user-friendly queries and powerful search capabilities in Web applications.
Scalability and Availability The same database engine can be used across platforms ranging from laptop computers running Microsoft Windows® 98 through large, multiprocessor servers running Microsoft Windows 2000 Data Center Edition.
Enterprise-Level Database Features. The SQL Server 2000 relational database engine supports the features required to support demanding data processing environments. The database engine protects data integrity while minimizing the overhead of managing thousands of users concurrently modifying the database. SQL Server 2000 distributed queries allow you to reference data from multiple sources as if it were a part of a SQL Server 2000 database, while at the same time, the distributed transaction support protects the integrity of any updates of the distributed data. Replication allows you to also maintain multiple copies of data, while ensuring that the separate copies remain synchronized. You can replicate a set of data to multiple, mobile, disconnected users, have them work autonomously, and then merge their modifications back to the publisher.
Ease of installation, deployment, and use. SQL Server 2000 includes a set of administrative and development tools that improve upon the process of installing, deploying, managing, and using SQL Server across several sites. SQL Server 2000 also supports a standards-based programming model integrated with the Windows DNA, making the use of SQL Server databases and data warehouses a seamless part of building powerful and scalable systems. These features allow you to rapidly deliver SQL Server applications that customers can implement with a minimum of installation and administrative overhead.
Data warehousing SQL Server 2000 includes tools for extracting and analyzing summary data for online analytical processing. SQL Server also includes tools for visually designing databases and analyzing data using English-based questions.
Large memory support SQL Server 2000 has high-speed optimizations that support very large database environments. SQL Server version 6.5 and earlier can support databases from 200 GB to 300 GB. SQL Server 2000 and SQL Server version 7.0 can effectively support terabyte-sized databases. SQL Server 2000 Enterprise Edition uses the Microsoft Windows 2000 Address Windowing Extensions API to support memory approaching 64 GB of RAM. This allows SQL Server 2000 Enterprise Edition to cache a large number of rows in memory, which reduces overhead and speeds its ability to process queries.
Internet Information Server (IIS) Internet Information Services 5.0 (IIS) is the Windows 2000 Web service that makes it easy to publish information on your intranet.
Internet Information Services 5.0 has many new features to help Web administrators to create scalable, flexible Web applications. Following are some of its new features.
Hardware Requirements
Minimum H/W requirement for running this software:

Hardware Requirements for Server Machine
- Pentium 166 (or higher) Processor
- VGA or higher resolution monitor, super VGA is recommended.
- Peripheral devices such as mouse and keyboard.

Hardware Requirements for Client Machine
- Pentium 100 (or higher) Processor
- VGA or higher resolution monitor, super VGA is recommended.
- Peripheral devices such as mouse and keyboard.
Methods of Research
There are five different methods of research available [MCL04]. The methods of research are the following:
- Experimental research;
- Correlation research;
- Naturalistic observation research;
- Survey research;
- Case study research.
I'll use the survey method here. The survey method is a descriptive study that does not involve direct observation by a researcher. The survey method involves collecting data via interviews or questionnaires. In this study, for example, the survey research will involve collecting useful information from different groups of people, such as hackers, people in charge of security in organizations, etc. The survey method is particularly useful when collecting data on aspects of behaviour that are difficult to observe directly. For example, it may be difficult to observe that some employees have the objective of looking at confidential documents. The survey will be used to assess attitudes and opinions on the internal security threats that organizations face.
Limitations on the Methods
The major limitation of the survey method is the reliability of the collected data. People may report inaccurate information for different reasons, such as intentional deception, poor memory, or misunderstanding of the question. This can introduce inaccuracies into the data. The major limitation of the case study is that it involves only a single person or just a few people, and for that reason it may not be representative of the general group or population. In addition, the survey method and the case study method are descriptive, not explanatory, and therefore cannot offer any insight into cause-and-effect relationships.
Chapter 4 Results and Discussion
Key Findings of the Insider Threat Study of Sabotage Across Critical Infrastructure Sectors
The key findings of the study of incidents of insider sabotage across critical infrastructure sectors are presented under five categories:
- The Insider's Motive
- Pre-attack Behavior and Planning
- Advancing the Attack
- Detecting the Attack
- Consequences for Targeted Organizations
The Insider's Motive
After noticing its graphic artist's aptitude with computers and computer programming, a company asked him to create its Internet website. A few months later, the company reprimanded the employee for absenteeism, and the company president notified the employee that the company planned to suspend him. Later that day, the employee remotely accessed the company's network, deleted information, and added other text and images to the company's website. The insider later admitted to law enforcement that he committed the offense because he was angry at the company for suspending him.
Key Findings
- A negative work-related event triggered most insiders’ actions.
- Most insiders held a work-related grievance prior to the incident.
- The most frequently reported motive was revenge.
Pre-attack Behavior and Planning
In one case, an insider had become dissatisfied with his job installing software and hardware on the company's computers and with providing technical support to its employees. He emailed his employer the following message: "I have no intention of taking ownership of modem troubleshooting. If you insist, so be it but I can assure you the job will be completed with very little effort and no attention to detail." He also shared his negative feelings about his employer with a coworker in an email, stating "I hope [the company owner]'s not going to be coming to lunch tomorrow. I might wind up pummeling [him]." Eventually, the insider's dissatisfaction led to his resignation. In spite of his negative communications, the company owner permitted the insider to retain email access as a paying customer following his resignation. Several weeks after he resigned, the insider used bogus accounts he had created to change all of the company's administrative passwords, alter the computer's registry, delete the entire billing system, and delete two internal databases. Prior to these activities, the insider had expressed his intent to harm the company in emails he sent to a relative and a former coworker at the company.
Key Findings
- Most of the insiders had acted out in a concerning manner in the workplace.
- The majority of insiders planned their activities in advance.
- Others had information about the insiders’ intentions, plans, and/or ongoing activities.
In 20% of the cases, the insider made a direct threat regarding harming the organization or an individual. In all of these cases, the insiders communicated these threats about their targets to others who were not affected by the incident. In only one case did the insider threaten his target directly. In 78% of these cases, the insider made verbal threats, although they may have used other means of communication as well.
- A majority of the insiders communicated negative sentiments to others, and in some cases they communicated direct threats of harm.
Advancing the Attack
A system administrator was terminated and his account immediately disabled. However, his organization overlooked disabling his remote access to the organization's network through the firewall, and also failed to change the root password. These oversights enabled the insider, after business hours, to sabotage the system, making it inaccessible for three days. If his remote access had been disabled, and/or the root account password changed, his actions might have been prevented.
Key Findings
- When hired, the majority of insiders were granted system administrator or privileged access, but less than half of all of the insiders had authorized access at the time of the incident.
- Insiders exploited systemic vulnerabilities in applications, processes, and/or procedures, but relatively sophisticated attack tools were also employed.
- The majority of insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
- Remote access was used to carry out the majority of the attacks.
In 60% of the cases, the insider compromised an account to carry out the attack. These compromises included the use of another’s username and password (33%) or the use of an unauthorized account created by the insider (20%). In 92% of these cases, there were no indications of suspicious activity related to the account before the initial incident. The insiders also used shared accounts to carry out their activities, including group accounts, for example, system administrator or database administrator (DBA) accounts (15%), and company accounts (13%). In 30% of the cases, the insiders used their own usernames and passwords. In 13% of the cases, the insiders used accounts in more than one of the above categories to carry out the attack.
- The majority of attacks took place outside normal working hours.
Detecting the Attack
A former consultant hired by an organization to set up its network was still able to log in to the admin account following termination of his contract. The new system administrator first detected the attack when he noticed probing of the organization's network and suspected a potential security problem. Although he took steps to further secure the network, the former contractor was still able to log in, install a remote administration tool, and use the information gathered to compromise additional accounts. The insider was finally identified several weeks later when law enforcement used forensic examinations of the organization's server and system log files to trace his actions to remote VPN connections and then, using ISP records, to the insider's home computer.
Key Findings
- The majority of the insider attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable.
- System logs were the most prevalent means by which the insider was identified.
- Insiders took steps to conceal their identities and their activities.
- Most of the incidents were detected by non-security personnel.
- The majority of attacks were accomplished using company computer equipment.
- Forensic examinations were used to identify the insider and gather evidence in many of the cases.
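The "Advancing the Attack" and "Detecting the Attack" findings above point at a handful of log-visible patterns: logins by accounts that should have been disabled at termination, remote use of shared accounts such as root or DBA, activity outside working hours, and the creation of backdoor accounts. The following is an added illustration written for this chapter, not tooling from the study or from any of the organizations it describes. The log format, the rule thresholds, the working-hours window, the terminated and shared account lists and the sample log lines are all constructed assumptions; a real deployment would pull them from the HR system, the firewall/VPN logs and the identity directory.

```python
"""Triage authentication logs for the insider-sabotage patterns the findings describe.

Added example (not the study's code). Everything below, from the log format to
the account lists, is a constructed assumption for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed syslog-like sample, not real data. One login happens after hours
# over the VPN with a shared account, one terminated employee logs in remotely,
# and a new account is created at 02:05 by root.
SAMPLE_LOG = """\
2005-03-14T09:12:03 sshd: Accepted password for jdoe from 10.0.1.25
2005-03-14T23:41:17 sshd: Accepted password for root from 203.0.113.9 via vpn
2005-03-15T02:05:44 useradd: new user: name=svc_backup2, UID=1007, by=root
2005-03-15T02:07:10 sshd: Accepted password for msmith from 203.0.113.9 via vpn
2005-03-15T10:30:00 sshd: Accepted password for dba from 10.0.2.14
2005-03-15T13:02:51 sshd: Failed password for jdoe from 10.0.1.25
"""

# Assumed inputs that would normally come from HR and the identity directory.
TERMINATED = {"msmith"}            # accounts that should already be disabled
SHARED_ACCOUNTS = {"root", "dba"}  # group accounts the findings single out
WORK_START, WORK_END = time(8, 0), time(18, 0)
INTERNAL_NET_PREFIX = "10."        # anything else is treated as remote

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)(?P<via> via vpn)?")
USERADD_RE = re.compile(r"new user: name=(?P<user>\S+), UID=\d+, by=(?P<actor>\S+)")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    rule: str
    user: str
    detail: str


def is_after_hours(ts: datetime) -> bool:
    """True when the event falls outside the assumed working-hours window."""
    return not (WORK_START <= ts.time() < WORK_END)


def analyze(log_text: str) -> list[Alert]:
    """Walk the log once and emit one Alert per matched rule, in log order."""
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts = datetime.fromisoformat(m["ts"])
        msg = m["msg"]

        login = LOGIN_RE.search(msg)
        if login:
            user, ip = login["user"], login["ip"]
            remote = bool(login["via"]) or not ip.startswith(INTERNAL_NET_PREFIX)
            if user in TERMINATED:
                # Residual access after termination: the first finding's gap.
                alerts.append(Alert(m["ts"], "terminated-account-login", user, f"from {ip}"))
            if remote and is_after_hours(ts):
                alerts.append(Alert(m["ts"], "after-hours-remote-login", user, f"from {ip}"))
            if remote and user in SHARED_ACCOUNTS:
                # Shared/group accounts used over remote access hide who acted.
                alerts.append(Alert(m["ts"], "shared-account-remote-login", user, f"from {ip}"))
            continue

        created = USERADD_RE.search(msg)
        if created:
            # Every new account is worth a review; backdoor accounts look like this.
            alerts.append(Alert(m["ts"], "account-created", created["user"],
                                f"by {created['actor']}"))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per rule, which is what a daily review would look at first."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.rule:28} {a.user:12} {a.detail}")
    print(summarize(found))
```

On the constructed sample this yields five alerts: the root login over VPN at 23:41 trips both the after-hours and shared-account rules, the account creation at 02:05 is flagged for review, and the terminated user's VPN login at 02:07 trips the terminated-account and after-hours rules. The failed-password line and the in-hours internal logins produce nothing, which is the point: the rules are narrow enough that each hit deserves a human look, matching the finding that system logs were the most prevalent means by which insiders were identified.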
Consequences for Targeted Organizations
An insider had extensive control over the source code of a critical application used by the organization. As lead developer of the software, he made sure that he possessed the only copy of the source code. There were no backups, and very little documentation existed. Following a demotion in both position and pay, the insider "wiped" the hard drive of his company-provided laptop. In doing so, he deleted the only copy of the source code the organization possessed. It took several months to recover the source code from the insider, during which time the organization was unable to update the software.
Key Findings
- Insider activities caused organizations financial losses, negative impacts to their business operations and damage to their reputations.
- Incidents affected the organizations’ data, systems/networks, and components.
- Various aspects of organizations were targeted for sabotage by the insider.
Examples of such cases include ones in which the insider maligned the reputation of a company owner in email communications, and threatened company officers while also posting social security numbers associated with the company on the Internet.
- In addition to harming the organizations, the insiders caused harm to specific individuals.
Chapter 5 Summary Review of Literature
- Axelsson, S.: Intrusion Detection Systems: A Survey and Taxonomy. Technical Report, Department of Computer Engineering, Chalmers University of Technology, Sweden (March 2000)
- Boran: IT Security Cookbook. Boran Consulting, Switzerland (2001), www.boran.com
- Stoneburner, G., Goguen, A., Feringa, A.: Risk Management Guide for Information Technology Systems. Technical Report NIST SP 800-30, National Institute of Standards and Technology, US (2002)
- Satti, M.M. (Chief Technology Officer, IT Butler Pty, Sydney, New South Wales, Australia) (2003)
- Randazzo, M.R., Keeney, M., Kowalski, E., Cappelli, D., Moore, A.: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. U.S. Secret Service and CERT Coordination Center (2004)
- Keeney, M., Kowalski, E., Cappelli, D., Moore, A., Shimeall, T., Rogers, S.: Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors. U.S. Secret Service and CERT Coordination Center (2005)
- Cappelli, D., Moore, A., Shimeall, T.: Common Sense Guide to Prevention and Detection of Insider Threat. In: Proceedings of the 24th International Conference of the System Dynamics Society, Radboud University of Nijmegen, The Netherlands (2005)
- Mylopoulos, J., Chung, L., Yu, E.: From object-oriented to goal-oriented requirements analysis. Commun. ACM 42(1) (1999) 31–37
- Chinchani, R., Iyer, A., Ngo, H.Q., Upadhyaya, S.: Towards a theory of insider threat assessment. In: International Conference on Dependable Systems and Networks, IEEE (2005) 108–117
- Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R.: 2006 CSI/FBI Computer Crime and Security Survey (2006)
- Infolock Technologies, www.infolocktech.com
- ArcSight, Inc., 5 Results Way, Cupertino, CA 95014, USA, www.arcsight.com
- http://www.ifac.org
- Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A., Willke, B.J.: Management and Education of the Risk of Insider Threat (MERIT). In: Proceedings of the 24th International Conference of the System Dynamics Society, Radboud University of Nijmegen, The Netherlands (2006)