While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization’s business and how their computer systems work. They have both the confidentiality and access to perform these attacks.
An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.
A system administrator angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company’s manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software.
Following the system administrator’s termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company’s server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees.
An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer’s computer network. Three weeks following his termination, the insider used the username and password of one of his former coworkers to gain remote access to the network and modify several of the company’s web pages, changing text and inserting pornographic images.
He also sent each of the company’s customers an email message advising that the website had been hacked. Each email message also contained that customer’s usernames and passwords for the website. An investigation was initiated, but it failed to identify the insider as the perpetrator. A month and a half later, he again remotely accessed the network, executed a script to reset all network passwords and changed 4,000 pricing records to reflect bogus information. This former employee ultimately was identified as the perpetrator and prosecuted. He was sentenced to serve five months in prison and two years on supervised probation, and ordered to pay $48,600 restitution to his former employer.
A city government employee who was passed over for promotion to finance director retaliated by deleting files from his and a coworker’s computers the day before the new finance director took office. An investigation identified the disgruntled employee as the perpetrator of the incident. City government officials disagreed with the primary police detective on the case as to whether all of the deleted files were recovered.
No criminal charges were filed, and, under an agreement with city officials, the employee was allowed to resign.
These incidents of sabotage were all committed by “insiders:” individuals who were, or previously had been, authorized to use the information systems they eventually employed to perpetrate harm. Insiders pose a substantial threat by virtue of their knowledge of, and access to, employer systems and/or databases. Keeney, M., et al (2005)
The Nature of Security Threats
The greatest threat to computer systems and information comes from humans, through actions that are either malicious or ignorant 3 . Attackers, trying to do harm, exploit vulnerabilities in a system or security policy employing various methods and tools to achieve their aims. Attackers usually have a motive to disrupt normal business operations or to steal information.
The above diagram is depicts the types of security threats that exist. The diagram depicts the all threats to the computer systems but main emphasis will be on malicious “insiders”. The greatest threat of attacks against computer systems are from “insiders” who know the codes and security measures that are in place 4&5. With very specific objectives, an insider attack can affect all components of security. As employees with legitimate access to systems, they are familiar with an organization’s computer systems and applications.
They are likely to know what actions cause the most damage and how to get away with it undetected. Considered “members of the family,” they are often above suspicion and the last to be considered when systems malfunction or fail. Disgruntled employees create mischief and sabotage against systems. Organizational downsizing in both public and private sectors has created a group of individuals with significant knowledge and capabilities for malicious activities 6 and revenge. Contract professionals and foreign nationals either brought into the U.S. on work visas to meet labor shortages or from offshore outsourcing projects are also included in this category of knowledgeable insiders.
Common Insider Threat
Common cases of computer-related employee sabotage include: changing data; deleting data; destroying data or programs with logic bombs; crashing systems; holding data hostage; destroying hardware or facilities; entering data incorrectly, exposing sensitive and embarrassing proprietary data to public view such as the salaries of top executives. Insiders can plant viruses, Trojan horses or worms, browse through file systems or program malicious code with little chance of detection and with almost total impunity.
A 1998 FBI Survey 7 investigating computer crime found that of the 520 companies consulted, 64% had reported security breaches for a total quantifiable financial loss of $136 millions. (See chart)
The survey also found that the largest number of breaches were by unauthorized insider access and concluded that these figures were very conservative as most companies were unaware of malicious activities or reluctant to report breaches for fear of negative press. The survey reported that the average cost of an attack by an outsider (hacker) at $56,000, while the average insider attack cost a company excess $2.7 million. It found that hidden costs associated with the loss in staff hours, legal liability, loss of proprietary information, decrease in productivity and the potential loss of credibility were impossible to quantify accurately.
Employees who have caused damage have used their knowledge and access to information resources for a range of motives, including greed, revenge for perceived grievances, ego gratification, resolution of personal or professional problems, to protect or advance their careers, to challenge their skill, express anger, impress others, or some combination of these concerns.
The majority of the insiders were former employees.
- At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
- The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%). Most insiders were either previously or currently employed full-time in a technical position within the organization.
- Most of the insiders (77%) were full-time employees of the affected organizations, either before or during the incidents. Eight percent of the insiders worked part-time, and an additional 8% had been hired as contractors or consultants. Two (4%) of the insiders worked as temporary employees, and one (2%) was hired as a subcontractor.
- Eighty-six percent of the insiders were employed in technical positions, which included system administrators (38%), programmers (21%), engineers (14%), and IT specialists (14%). Of the insiders not holding technical positions, 10% were employed in a professional position, which included, among others, insiders employed as editors, managers, and auditors. An additional two insiders (4%) worked in service positions, both of whom worked as customer service representatives.
Insiders were demographically varied with regard to age, racial and ethnic background, gender, and marital status.
- The insiders ranged in age from 17 to 60 years (mean age = 32 years)17 and represented a variety of racial and ethnic backgrounds.
- Ninety-six percent of the insiders were male.
- Forty-nine percent of the insiders were married at the time of the incident, while 45% were single, having never married, and 4% were divorced. Just under one-third of the insiders had an arrest history.
- Thirty percent of the insiders had been arrested previously, including arrests for violent offenses (18%), alcohol or drug related offenses (11%), and nonfinancial/ fraud related theft offenses (11%).
The incidents affected organizations in the following critical infrastructure sectors:
- Banking and finance (8%)
- Continuity of government (16%)
- Defense industrial base (2%)
- Food (4%)
- Information and telecommunications (63%)
- Postal and shipping (2%)
- Public health (4%)
In all, 82% of the affected organizations were in private industry, while 16% were government entities. Sixty-three percent of the organizations engaged in domestic activity only, 2% engaged in international activity only, and 35% engaged in activity both domestically and internationally.
What motivate insiders?
Internal attackers attempt to break into computer networks for many reasons. The subject has been fruitfully studied and internal attackers are used to be motivated with the following reasons [BSB03]:
Many internal attackers initially attempt to break into networks for the challenge. A challenge combines strategic and tactical thinking, patience, and mental strength. However, internal attackers motivated by the challenge of breaking into networks often do not often think about their actions as criminal. For example, an internal attack can be the challenge to break into the mail server in order to get access to different emails of any employee.
Internal attackers motivated by revenge have often ill feelings toward employees of the same company. These attackers can be particularly dangerous, because they generally focus on a single target, and they generally have patience. In the case of revenge, attackers can also be former employees that feel that they have been wrongfully fired. For example, a former employee may be motivated to launch an attack to the company in order to cause financial losses.
Internal attackers motivated by espionage, steal confidential information for a third party. In general, two types of espionage exists:
Industrial espionage means that a company may pay its own employees in order to break into the networks of its competitors or business partners. The company may also hire someone else to do this.
International espionage means that attackers work for governments and steal confidential information for other governments.
Definitions of insider threat
1) The definition of insider threat should encompass two main threat actor categories and five general categories of activities. The first actor category, the “true insider,” is defined as any entity (person, system, or code) authorized by command and control elements to access network, system, or data. The second actor category, the “pseudo-insider,” is someone who, by policy, is not authorized the accesses, roles, and/or permissions they currently have but may have gotten them inadvertently or through malicious activities.
The activities of both fall into five general categories:
- Exceeds given network, system or data permissions;
- Conducts malicious activity against or across the network, system or data;
- Provided unapproved access to the network, system or data;
- Circumvents security controls or exploits security weaknesses to exceed authorized permitted activity or disguise identify; or
- Non-maliciously or unintentionally damages resources (network, system or data) by destruction, corruption, denial of access, or disclosure.
(Presented at the University of Louisville Cyber Securitys Day, October 2006)
2) Insiders — employees, contractors, consultants, and vendors — pose as great a threat to an organization’s security posture as outsiders, including hackers. Few organizations have implemented the policies, procedures, tools, or strategies to effectively address their insider threats. An insider threat assessment is a recommended first step for many organizations, followed by policy review, and employee awareness training.
(Insider Threat Management
Presented by infoLock Technologies)
3) Employees are an organization’s most important asset. Unfortunately, they also present the greatest security risks. Working and communicating remotely, storing sensitive data on portable devices such as laptops, PDAs, thumb drives, and even iPods – employees have extended the security perimeter beyond safe limits. While convenient access to data is required for operational efficiency, the actions of trusted insiders – not just employees, but consultants, contactors, vendors, and partners – must be actively managed, audited, and monitored in order to protect sensitive data.
(Presented by infoLock Technologies)
4) The diversity of cyber threat has grown over time from network-level attacks and password cracking to include newer classes such as insider attacks, email worms and social engineering, which are currently recognized as serious security problems. However, attack modeling and threat analysis tools have not evolved at the same rate. Known formal models such as attack graphs perform action-centric vulnerability modeling and analysis. All possible atomic user actions are represented as states, and sequences which lead to the violation of a specie safety property are extracted to indicate possible exploits.
(Ramkumar Chinchani, Anusha Iyer, Hung Ngo, Shambhu Upadhyaya)
5) The Insider Threat Study, conducted by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute CERT Program, analyzed insider cyber crimes across U.S. critical infrastructure sectors. The study indicates that management decisions related to organizational and employee performance sometimes yield unintended consequences magnifying risk of insider attack. Lack of tools for understanding insider threat, analyzing risk mitigation alternatives, and communicating results exacerbates the problem.
(Dawn M. Cappelli, Akash G. Desai)
6) The “insider threat” or “insider problem” is cited as the most serious security problem in many studies. It is also considered the most difficult problem to deal with, because an “insider” has information and capabilities not known to other, external attackers. But the studies rarely define what the “insider threat” is, or define it nebulously. The difficulty in handling the “insider threat” is reasonable under those circumstances; if one cannot define a problem precisely, how can one approach a solution, let alone know when the problem is solved?
(Matt Bishop 2005)
Five common insider threat
Exploiting information via remote access software
A considerable amount of insider abuse is performed offsite via remote access software such as Terminal Services, Citrix and GoToMyPC. Simply put, users are less likely to be caught stealing sensitive information when they can it do offsite. Also, inadequately protected remote computers may turn up in the hands of a third-party if the computer is left unattended, lost or stolen.
2.) Sending out information via e-mail and instant messaging
Sensitive information can simply be included in or attached to an e-mail or IM. Although this is a serious threat, it’s also one of the easiest to eliminate.
3.) Sharing sensitive files on P2P networks
Whether or not you allow peer-to-peer file sharing software such as Kazaa or IM on your network, odds are it’s there and waiting to be abused. The inanimate software in and of itself is not the problem – it’s how it’s used that causes trouble. All it takes is a simple misconfiguration to serve up your network’s local and network drives to the world.
4.) Careless use of wireless networks
Perhaps the most unintentional insider threat is that of insecure wireless network usage. Whether it’s at a coffee shop, airport or hotel, unsecured airwaves can easily put sensitive information in jeopardy. All it takes is a peek into e-mail communications or file transfers for valuable data to be stolen. Wi-Fi networks are most susceptible to these attacks, but don’t overlook Bluetooth on smartphones and PDAs. Also, if you have WLANs inside your organization, employees could use it to exploit the network after hours.
5.) Posting information to discussion boards and blogs
Quite often users post support requests, blogs or other work-related messages on the Internet. Whether intentional or not, this can include sensitive information and file attachments that put your organization at risk.
Views of different authors about insider threat
1) Although insiders in this report tended to be former technical employees, there is no demographic “profile” of a malicious insider. Ages of perpetrators ranged from late teens to retirement. Both men and women were malicious insiders. Their positions included programmers, graphic artists, system and network administrators, managers, and executives. They were currently employed and recently terminated employees, contractors, and temporary employees. As such, security awareness training needs to encourage employees to identify malicious insiders by behavior, not by stereotypical characteristics. For example, behaviors that should be a source of concern include making threats against the organization, bragging about the damage one could do to the organization, or discussing plans to work against the organization. Also of concern are attempts to gain other employees’ passwords and to fraudulently obtain access through trickery or exploitation of a trusted relationship.
Insiders can be stopped, but stopping them is a complex problem. Insider attacks can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. Therefore, management must pay close attention to many aspects of its organization, including its business policies and procedures, organizational culture, and technical environment. Organizations must look beyond information technology to the organization’s overall business processes and the interplay between those processes and the technologies used.
(Michelle Keeney, J.D., Ph.D. atal 2005)
2) While attacks on computers by outside intruders are more publicized, attacks perpetrated by insiders are very common and often more damaging. Insiders represent the greatest threat to computer security because they understand their organization’s business and how their computer systems work. They have both the confidentiality and access to perform these attacks. An inside attacker will have a higher probability of successfully breaking into the system and extracting critical information. The insiders also represent the greatest challenge to securing the company network because they are authorized a level of access to the file system and granted a degree of trust.
(Nam Nguyen and Peter Reiher, Geoffrey H. Kuenning)
3) Geographically distributed information systems achieve high availability that is crucial to their usefulness by replicating their state. Providing instant access at time of need regardless of current network connectivity requires the state to be replicated in every geographical site so that it is locally available. As network environments become increasingly hostile, we have to assume that part of the distributed information system will be compromised at some point. The problem of maintaining a replicated state in such a system is magnified when insider (or Byzantine) attacks are taken into account.
(Yair Amir Cristina Nita-Rotaru)
4) In 2006, over 60% of information security breaches were attributable to insider behavior, yet more than 80% of corporate IT security budgets were spent on securing perimeter defenses against outside attack. Protecting against insider threats means managing policy, process, technology, and most importantly, people. Protecting against insider threats means managing policy, process, technology, and most importantly, people.The Insider Threat Assessment security awareness training, infrastructure reconfiguration, or third party solutions, you can take comfort in knowing that you have made the right choice to improve your security posture, and you will achieve your expected Return on Security Investment.
(Presented by infoLock Technologies)
5) The threat of attack from insiders is real and substantial. The 2004 ECrime
Watch Survey TM conducted by the United States Secret Service, CERT ® Coordination Center (CERT/CC), and CSO Magazine, 1 found that in cases where respondents could identify the perpetrator of an electronic crime, 29 percent were committed by insiders. The impact from insider attacks can be devastating. One complex case of financial fraud committed by an insider in a financial institution resulted in losses of over $600 million. 2 Another case involving a logic bomb written by a technical employee working for a defense contractor resulted in $10 million in losses and the layoff of 80 employees.
(Dawn Cappelli, Andrew Moore, Timothy Shimeall,2005)
6) Insiders, by virtue of legitimate access to their organizations’ information, systems, and networks, pose a significant risk to employers. Employees experiencing financial problems have found it easy to use the systems they use at work everyday to commit fraud. Other employees, motivated by financial problems, greed, or the wish to impress a new employer, have stolen confidential data, proprietary information, or intellectual property from their employer. Lastly, technical employees, possibly the most dangerous because of their intimate knowledge of an organization’s vulnerabilities, have used their technical ability to sabotage their employer’s system or network in revenge for some negative work-related event.
(Dawn M. Cappelli, Akash G. Desai ,at al 2004)
7) The “insider problem” is considered the most difficult and critical problem in computer security. But studies that survey the seriousness of the problem, and research that analyzes the problem, rarely define the problem precisely. Implicit definitions
vary in meaning. Different definitions imply different countermeasures, as well as different assumptions.
(Matt Bishop 2005)
Solution: User monitoring
Insiders have two things that external attackers don’t: privileged access and trust. This allows them to bypass preventative measures, access mission-critical assets, and conduct malicious acts all while flying under the radar unless a strong incident detection solution is in place.
A number of variables motivate insiders, but the end result is that they can more easily perpetrate their crimes than an outsider who has limited access. Insiders can directly damage your business resulting in lost revenue, lost customers, reduced shareholder faith, a tarnished reputation, regulatory fines and legal fees. With such an expansive threat, organizations need an automated solution to help detect and analyze
Malicious Insider Activity
These are some points which could be helpful in monitoring and minimizing the insider threats:
- Detecting insider activity starts with an expanded log
- and event collection.
- Firewalls, routers and intrusion detection systems are important, but they are not enough.
- Organizations need to look deeper to include mission critical applications such as email applications, databases, operating systems, mainframes, access control solutions, physical security systems as well as identity and content management products.
- Correlation: identifying known types of suspicious and malicious behavior
- Anomaly detection: recognizing deviations from norms and baselines.
- Pattern discovery: uncovering seemingly unrelated events that show a pattern of suspicious activity
- From case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organization’s procedures. This will ensure that insiders are addressed consistently, efficiently and effectively regardless of who they are.
- Identify suspicious user activity patterns and identify anomalies.
- Visually track and create business-level reports on user’s activity.
- Automatically escalate the threat levels of suspicious and malicious individuals.
- Respond according to your specific and unique corporate governing guidelines.
- Early detection of insider activity based on early warning indicators of suspicious behavior, such as:
- Stale or terminated accounts
- Excessive file printing, unusual printing times and
- keywords printed
- Traffic to suspicious destinations
- Unauthorized peripheral device access
- Bypassing security controls
- Attempts to alter or delete system logs
- Installation of malicious software
The Insider Threat Study?
The global acceptance, business adoption and growth of the Internet, and of Internetworking technologies in general, in response to customer requests for online access to business information systems, has ushered in an extraordinary expansion of electronic business transactions. In moving from internal (closed) business systems to open systems, the risk of malicious attacks and fraudulent activity has increased enormously, thereby requiring high levels of information security. Prior to the requirement for online, open access, the information security budget of a typical company was less then their tea and coffee expenses.
Securing cyberspace has become a national priority. In The National Strategy to Secure Cyberspace, the President’s Critical Infrastructure Protection Board identified several critical infrastructure sectors10:
- banking and finance
- information and telecommunications
- postal and shipping
- emergency services
- continuity of government
- public health
- chemical industry, textile industry and hazardous materials
- defense industrial base
The cases examined in the Insider Threat Study are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organizations’ data, systems, or daily business operations.
Incidents included any compromise, manipulation of, unauthorized access to, exceeding authorized access to, tampering with, or disabling of any information system, network, or data. The cases examined also included any in which there was an unauthorized or illegal attempt to view, disclose, retrieve, delete, change, or add information.
A completely secure, zero risk system is one which has zero functionality. Latest technology high-performance automated systems bring with them new risks in the shape of new attacks, new viruses and new software bugs, etc. IT Security, therefore, is an ongoing process. Proper risk management keeps the IT Security plans, policies and procedures up to date as per new requirements and changes in the computing environment. To implement controls to counter risks requires policies, and policy can only be implemented successfully if the top management is committed. And policy’s effective implementation is not possible without the training and awareness of staff.
The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical role of financial institutions for a country and the extreme sensitivity of their information assets, the seriousness of IT
Security and the ever-increasing threats it faces in today’s open world cannot be overstated. As more and more of our Banking Operations and products & services become technology driven and dependent, consequently our reliance on these technology assets increases, and so does the need to protect and safeguard these resources to ensure smooth functioning of the financial industry.
Here are different area in which we can work and check insider threat, but I chose textile industry as in textile industry there is less awareness of the insider threat. If an insider attack in an industry then industrialist try to cover up this news as these types of news about an industry can damage the reputation of the industry.
Chapter 2 Review of Literature
S, Axelsson. ,(2000)
Continuity of operations and correct functioning of information systems is important to most businesses. Threats to computerised information and process are threats to business quality and effectiveness. The objective of IT security is to put measures in place which eliminate or reduce significant threats to an acceptable level.
Security and risk management are tightly coupled with quality management. Security measures should be implemented based on risk analysis and in harmony with Quality structures, processes and checklists.
What needs to be protected, against whom and how?
Security is the protection of information, systems and services against disasters, mistakes and manipulation so that the likelihood and impact of security incidents is minimised. IT security is comprised of:
Confidentiality: Sensitive business objects (information & processes) are disclosed only to authorised persons. ==> Controls are required to restrict access to objects.
Integrity: The business need to control modification to objects (information and processes). ==> Controls are required to ensure objects are accurate and complete.
Availability: The need to have business objects (information and services) available when needed. ==> Controls are required to ensure reliability of services.
Legal Compliance: Information/data that is collected, processed, used, passed on or destroyed must be handled in line with current legislation of the relevant countries.
A threat is a danger which could affect the security (confidentiality, integrity, availability) of assets, leading to a potential loss or damage.
Stoneburner et al (2002)
In this paper the author described a the risks which are