Saturday, January 26, 2008

And yet another bad office day

A woman mistakenly thinking she was about to be fired allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later retrieved (whether from backups or by 'undeleting' them is not stated), the potential remains for trusted insiders with access to corporate IT assets to cause enormously costly damage by sabotage.

Deliberate or accidental sabotage by backup operators is a tough threat to control. Backup operators have both physical and logical access to servers and their data, often work unsupervised out of hours, and are mostly relatively junior staff. Trust is the primary control, though many would argue that it is no control at all, merely blind faith in many cases. The risks can be reduced by various security control measures, such as:
- Alternating backup operators
- Combining on- and off-site backups
- Tightly controlling physical access to backup storage and especially archives
- Closer management supervision and/or physical monitoring of trusted employees working in the data center
- Better training and automation of backup processes, reducing the need to give backup ops unrestricted logical access to data
- Better HR processes for monitoring employees in such trusted positions and more respect for the valuable jobs they perform.


Thursday, January 10, 2008

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.


Saturday, August 25, 2007

Awareness and training surveys in EU and US

Two survey reports into information security awareness and training practices offer insights into the state of the art.

The first report from the European Network and Information Security Agency ENISA is Information security awareness initiatives: current practice and the measurement of success.

Although the survey and case studies are European in origin, I'm sure the general discussion and ideas on the thorny issue of measuring information security awareness programs, and in fact measuring information security as a whole, are broadly applicable. Three-quarters of the Europeans surveyed said they have to do security awareness as a compliance requirement. I didn’t realize it was such a high proportion.

References in the report to the lack of consensus and evolving good practices indicate the variety of awareness and metrics techniques in use. I was interested to see markedly different opinions on the value of CBT (Computer Based Training) or posters, for example, and ambiguity throughout the report about "training" vs "awareness" (NIST SP800-50 speaks to the difference, as does the NASCIO report noted below). I heartily agree with the implication that security awareness should be a rolling year-long event, continually updated to reflect current issues, rather than a sporadic/once-a-year training course (the dreaded 'sheep dip'!) or, even worse, the once-a-career induction course, however effective classroom-based training may be.

The awareness topic list on page 5 of the report seems 'about right' to me although there are many other topics perhaps worth covering (e.g. software development, database security, privacy ...) if you are creative about it, which also helps keep the program fresh and interesting. All in all, it's 20 pages well worth reading.

The second report from NASCIO (an organization representing chief information officers, information technology executives and managers from US state governments) is IT Security Awareness and Training: Changing the Culture of State Government. The authors promote security awareness as a preventive control that can help to avert major crises caused by serious information security incidents.
"Since a holistic approach to security revolves around people, cultural change is needed to truly ensure that employees and contractors understand their IT security responsibilities and take them seriously."
The report promotes the value of continuous, long-term, broad-based security awareness activities in addition to more narrowly focused and spasmodic training activities.
"Continuous and ongoing awareness and training activities for state employees (and contractors) could help prevent a major state crisis ... Cultural change to the fabric of the state government workforce is needed to make IT security and the ethical use of state IT resources as ubiquitous as technology. Since that cultural change involves changing the way that state employees perceive IT security, consistency and patience are necessary ingredients. Isolated presentations or training sessions, while a good start, will not lead to the creation of a long-term culture of IT security. After all, state employees, like everyone else, have many plates to juggle and may not retain the entirety of the awareness and training content to which they have been exposed, especially upon the passage of months or years. Hence, regularized and constant reminders in many forms are needed to enact this cultural shift ... Consistency is a key factor. One isolated presentation does not make for adequate awareness. Presentations on a more frequent basis can help to keep IT security at the forefront of government officials' agendas so that executive and legislative support does not wane over the long term."
Absolutely! This is probably the key reason that old-fashioned "security awareness" programs (usually consisting of sporadic and uncoordinated security training sessions in fact) do not achieve the instant results that are anticipated. People who naively expect security awareness to turn things around within a few weeks or months are missing the point: genuine cultural change takes continuous gentle pressure in the right direction over years not weeks.
"Innovative approaches may serve to spark IT security awareness in the minds of many state employees. By starting with a marketing campaign of sorts for IT security, a state can start to build a culture of IT security vigilance."
Again, I agree wholeheartedly. With the marketer's hat on, NoticeBored's security awareness posters (for example) are effectively 'advertising' information security as a whole, with a touch of humor and a little information on the monthly awareness topics for good measure. A distinctive logo on all the materials helps bind them into a whole, while the underlying messages in all the materials reinforce the fundamental core values in information security such as: confidentiality, integrity and availability; risk and control; and prevention, detection and correction. This is quite clearly a branding technique. [By the way, that idea suggests to me a novel way of measuring the effectiveness of security awareness programs, namely using the same techniques that marketers use to assess the effectiveness of advertising programs. Surveys might for example assess the recall of key program images, sayings and messages by representatives of the target audiences, and measure the retention of information security concepts compared to 'competing' awareness initiatives such as health-and-safety or legal compliance.]

As you read the report, do check out the sidebars with numerous examples of security awareness activities from several states. Many of them have a public outreach element with security awareness activities targeted beyond state employees.

The NASCIO report quotes Insider Security Threats: State CIOs Take Action Now! published earlier this year from which the graph above is taken. The obvious increase in incidents on the graph presumably reflects better incident reporting processes (otherwise there seems to have been a severe lapse of security since 2005) but the proportion of insider vs external hacker attacks is interesting. Insiders, of course, have ready access to the information required to do their jobs and often much wider access to information due to the practical problems of trying to enforce 'need to know' outside of a military context. When insiders go bad, therefore, they can cause a lot of damage without triggering the intruder alerts that (some) hackers trip. Other insiders are often best placed to identify and report internal security incidents, provided they are aware of their responsibilities and know what to look out for - in other words, security awareness is a very important element of control against the insider threat.
The report also touches on the difficulties of getting executive support for security awareness and offers some practical tips, essentially starting with specific high-level security awareness activities targeting the very executives who should understand and fund awareness.

Go ahead: print out both reports, sit yourself down somewhere quiet with a cup of coffee, red-pen them and cogitate. There are good ideas and complementary approaches in both of them. I certainly came away with a number of interesting thoughts and quotations that will appear on the NoticeBored site and our awareness materials in due course.


Tuesday, July 31, 2007

New awareness module on protecting trade secrets

August module
Continuing the flow of innovative security awareness materials, we have released another completely new NoticeBored Classic module about protecting trade secrets. This module complements and extends May’s module on insider threats and June’s on privacy and data protection. Organizations need to protect valuable information assets including sensitive commercial or proprietary information such as descriptions of their unique business processes and ingredients, customer lists, product and corporate development plans, financial models and results. The module looks at practices ranging from competitive intelligence at one end of the ethics/legality scale to industrial espionage and information warfare at the other, covering all points in between. It’s important to realize that competitors may not share our moral values and respect for the law so do pay attention: forewarned is forearmed!


Friday, July 13, 2007

Boeing insider charged

A remarkable insider threat story involves allegations that an auditor at Boeing systematically trawled the network for sensitive data, copied it to a USB memory stick, took it off-site and disclosed it to newspaper reporters.

"A disgruntled Boeing employee was charged Tuesday with 16 counts of computer trespass for allegedly stealing more than 320,000 company files over the course of more than two years and leaking them to The Seattle Times. Gerald Lee Eastman, who was a quality assurance inspector at Boeing at the time of the thefts, is slated to be arraigned on July 17, according to a spokesman for the King County Prosecuting Attorney's Office. He faces up to 57 months in prison if convicted on all counts ... Eastman used what prosecutors called his "unfettered access to Boeing systems" to download large amounts of data from information stores he had no legitimate reason for accessing, according to the criminal complaint."

The article claims that the man was aggrieved at Boeing:

"The complaint noted that Eastman told detectives he was disgruntled with Boeing because he had brought several issues related to parts inspections to the attention of both the company and the FAA. He said none of his concerns had been addressed to his satisfaction. The report contends he said he collected data to back up his claims that there were problems with the inspection process."

If that's true, passing proprietary information to the news media seems a rather unconventional way for an auditor to 'blow the whistle'.


Tuesday, June 19, 2007

Technology myopia

A white paper, podcast and podcast transcript on insider threats promote essentially four threat responses: behavioral analysis, integrated security components, automatic response and iterative modeling. All four are technical responses to an essentially human problem. And guess what, the paper is from IBM.

I'm not arguing that expensive technical responses are totally worthless but rather that they need to be supplemented by cheap humanistic responses - policies, procedures, management oversight, awareness/training/education, compliance activities and so forth. I'm sure IBM Consulting would love to sell you those as well.


Saturday, June 09, 2007

Privacy and insider threats collide in databases

A Ponemon Institute survey into database security found that:
"- Trusted insiders remain a significant, and largely unmonitored risk
- A majority of organizations do not have the technology or processes required to effectively manage against insider threat
- Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data versus intellectual property
- The vast majority of data exposed in the past two years has been confidential customer and employee information.
The survey found that “trusted” insiders’ ability to compromise critical data is the most serious concern for respondent organizations. Despite this concern, fifty-seven percent of those surveyed do not believe that their organizations have taken adequate measures to protect against malicious insiders and fifty-five percent do not believe that they have taken adequate measures to protect against “data loss.”
The survey also found that despite being aware of these threats, inadequate protection of corporate databases is the norm rather than the exception. Forty percent of those surveyed do not have the mechanisms in place, or are unaware of whether databases are monitored for suspicious activity. This shortfall can be attributed to the massive scale of corporate data stores and the lack of IT resources. Eighty-eight percent of those surveyed manage greater than one hundred databases and a majority of respondents manage in excess of 500 databases."

Although the survey was sponsored by a company with a vested interest in database security, the survey sample was large enough for the results to be statistically significant. The Ponemon Institute is a respected survey organization that, for instance, includes notes in the report about possible biases in the respondents and responses. To a non-scientist it may seem perverse that pointing out possible weaknesses in the method actually makes it stronger, but better that than to ignore or gloss over them.

As to what needs to be done about database security, the survey commentary merely suggests a few hints e.g.:
"Among core security and IT professionals, operational efficiencies and system optimization are consistently higher priorities than efforts related to Sarbanes-Oxley, PCI, NIST 800-53 or other similar compliance initiatives ... our results show that intellectual property and business confidential information in databases is not generally protected. Even in the face of frequent, expensive, and highly publicized breaches, respondents have not made protecting customer and employee information a high priority."

... so priorities need to be adjusted (but how?).

Perhaps Lloyds TSB has (part of) the answer?


Sunday, May 20, 2007

Insider Threat - Protecting the Enterprise from Sabotage, Spying, and Theft

Nice cover
Despite the promise, this book does not do justice to such an important topic. The naive writing style and lack of unique, meaty content detract from the value.

[Read our review for more in this vein, if you need any more that is.]


Thursday, May 10, 2007

Insider becomes outsider

A man is accused of hacking into his former employer's systems two weeks after walking out and deleting "an entire computer drive of personal employee information". It is claimed that he "was one of only three people who knew the needed passwords to log into the company's computer system at that time." The prosecution will presumably have to explain how they drew the specific conclusion that it was him that deleted the disk, not one of the other two people who, by their admission, also knew the passwords, someone else entirely, or one of those chance IT events caused by cosmic rays or gremlins.

More insider threat resources here.


Expert witness accused of perjury

A man who has appeared in court as an expert witness for computer forensics has been accused of perjury. After 'inconsistencies' in the qualifications claimed in his resume came to light, a background check revealed that he has served prison time on a forgery charge.

This story is a good illustration of the need to conduct thorough background checks on people in positions of trust and power. Insiders who are known former forgers might be welcome in a criminal gang but not in your average court or corporation.


Wednesday, May 09, 2007

Insider threat - USB thumb drive

"A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door. This is just one of the scenarios that security professionals and IT managers are increasingly worried about. According to one recent study, IT managers said portable storage devices, such as thumb drives and MP3 players, have surpassed even malware to become a top concern."

I presume reporter Sharon Gaudin from Information Week has simply swallowed and regurgitated the blurb from Bill Piwonka (yes, that's his real name - I couldn't make 'em up), VP of product management for Centennial Software, which conducted a "survey" at the InfoSec security conference in London. [Would you be surprised to hear that the company sells a "solution" to control access to USB drives?] The scenario described above looks more like an insider threat example to me. The fact that the worker used a USB thumb drive is incidental: it could equally have been a USB hard drive, a CD-ROM, even a pen and paper. She could have emailed it to herself or an accomplice, perhaps ZIPped up with 256-bit AES to bypass any content inspection. Preventing the abuse of USB thumb drives is hardly going to stem the flow.


Tuesday, May 08, 2007

Coin bugs tell a story

Having just issued a security awareness module on 'insider threats', I'm currently researching for a future topic on 'competitive intelligence' so this story caught my imagination. The mystery about US defense contractors working in Canada being bugged by coins containing miniature transmitters has been solved: the coins were a commemorative 'poppy' issue with a special protective coating that looked suspicious to alert defense people.

Regardless of the eventual outcome in this case, the way that the suspicious coins were identified and reported up the line demonstrates good security awareness. The contractors were evidently well aware of the possibility of being bugged, enough to spot and report the suspicious coins. Their managers and clients, in turn, quickly raised the alarm and so the story spread. The authorities now admit that they did not fully validate the reports but it appears they chose to err on the side of caution. We call that 'fail-safe'.

If a similar situation occurred in a regular commercial setting, how many of you and your colleagues would have identified the possible threat, or reported it? Would any of your managers have given such a report even a second thought, let alone circulated a warning? Would someone have investigated and resolved the issue? That's called 'fail-open'. Or 'fail' for short.


Wednesday, May 02, 2007

Life in the fast lane

Two former Ferrari engineers have been convicted by an Italian court for stealing and passing confidential proprietary engineering data to their new employer, Toyota.

“This prosecution highlights the seriousness of the ‘insider threat’. Disgruntled employees still find it all too easy to take company secrets off the network and onto portable storage devices such as CDs and USB sticks,” said Matt Fisher, VP of Centennial Software. “You don’t have to work in Formula One for your secrets to be valuable to the competition. With corporate IP the fuel that keeps business running, all companies are vulnerable to damage from data leaks,” he added.

As we said in our latest newsletter on insider threats, there is no shortage of case study materials on this topic.

More insider threat links here


Insider threats awareness module released

Insider threats
Insiders (employees and pseudo-employees such as contractors and consultants) have ready access to valuable information assets. Information security incidents caused by insiders are therefore a substantial threat to every organization. The news media frequently record incidents such as terminated employees who wreak revenge by hacking their former employer’s networks. Less often in the headlines but much more common in practice are those ‘little accidents’ by employees that damage information systems and data - everything from occasional typos to (ahem) reformatting the wrong disk (been there, done that!). Read all about May’s brand new NoticeBored security awareness module here and check out our new links collection on insider threats.


Poetic justice

CFO dotcom has a short news piece about a former Enron HR director prosecuted for submitting fraudulent consulting invoices to Enron post-bankruptcy and sentenced to 63 months in prison. He has been ordered to repay $2.9m in restitution - $2.3m and a house have already been seized by the authorities.

So here we have a greedy employee (an insider) of a greedy employer caught with his hand in the corporate cookie jar.


Tuesday, March 13, 2007

Information Systems Security journal free (for now!)

Taylor & Francis has made numerous issues of the ISC2's official organ, the Information Systems Security journal, available for free, at least for the moment. They also made EDPACS available for a while but that freebie ended a week ago, I believe. In other words, take the opportunity today to browse the journal and download/read any interesting articles now before it's too late and you need to subscribe.

In a few moments browsing, I've found an interesting piece by Tom Peltier on social engineering, one on securing against insider attacks and several articles on security metrics, an enduring interest of mine.

More information security management links


Monday, January 01, 2007

A legal argument for security awareness

An article by Ryan Sulkin on Law dotcom starts thus: "As headlines continue to report data security breaches at an alarming rate, discussion often focuses on the need for enhanced technical controls, such as two-factor authentication and encryption, to protect sensitive, personally identifiable information. The role of the company employee, both as the cause of, and the first line of defense against, security breaches is often lost in the analysis. Yet developing law is increasingly requiring administrative or procedural controls, particularly those directed at employees, as a component of a legally compliant security program." Making the case for security training/awareness, it continues: "However, employees need not be viewed as an expensive companion threat to outsiders. Instead, if companies properly focus on key employee-related security controls and implement those controls in a reasoned and responsive manner, employees can be powerful assets to data security. Employees can assist companies with compliance requirements and, at the same time, help serve as an important line of defense from insider and outsider threats." Ryan picks out GLBA, HIPAA, PCI, FFIEC and ISO 17799 as examples of laws, regulations and standards that require employee awareness, training and education in security. "Finally, in light of all the evolving legal requirements and technological threats to security discussed above, it is important for companies to ground security in the culture of their organization. This begins with the training process, but also requires an ongoing emphasis on the importance of security." Well said, Ryan!

More resources for security awareness and laws, regulations and standards


Saturday, December 23, 2006

Under cover for 23 years

A remarkably successful identity thief was eventually brought to justice in Britain when an alert immigration officer spotted false documentation, sparking checks that revealed a fraudulent passport application. The self-styled Earl of Buckingham (not his real name) lived for some 23 years under an assumed name. The genuine Christopher Edward Buckingham died as a child. The fraudster's real identity remains hidden, thanks partly to Switzerland’s privacy laws since he was working in Zurich as an IT security consultant for an insurance company ... which itself raises all sorts of interesting insider threat questions.

More identity theft resources


When SysAdmins go bad 2 - the terror returns

As if to reinforce our recent posting regarding the insider threat and, especially, the threat from employees in trusted/privileged positions, another former system administrator has been charged with planting a logic bomb on his employer's systems, fearing that he was going to lose his job following a merger. The bomb was safely defused before it exploded but the alleged bomber's career options don't look too bright right now.

More malware links


Wednesday, December 20, 2006

Insider threats info from CERT

A fascinating podcast by CERT's Dawn Cappelli discusses a CERT/SEI/US Secret Service/CSO survey of the insider threat. As well as the usual roll-call of scary statistics (27% of security incidents are caused by insiders; 55% of the organizations surveyed had experienced deliberate insider malicious activities; 57% of IT sabotage attacks are committed by former employees), it mentions several interesting incidents and threats such as employees deliberately stealing proprietary software and other information over a long period or just prior to moving to a new job, downloading logic bombs and framing their supervisors, creating backdoor accounts or modifying privileged scripts, or planting long-fuse logic bombs while they still have privileged systems access.

To back up the podcast, there is a wealth of information on the insider threat on CERT's website. This is evidently a focus area for CERT and (on a professional note) it is gratifying to find that employee security awareness is recognized as an important control - specifically, Dawn mentioned use of 'whistleblower hotlines', policies and so forth to encourage/facilitate employees shopping their peers. Snitching may create its own ethical dilemmas but, speaking as one who has occasionally benefited from information provided in confidence by 'snouts' aggrieved at the liberties taken by their colleagues, it is a sadly underappreciated form of control.

Account management and review processes and change/configuration change management practices are also emphasized. The podcast highlights the amount of trust placed in privileged IT insiders.
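The account management and review control the podcast emphasizes boils down to a reconciliation: compare the accounts that actually exist on a system with the people HR says currently work there, and check that privileged accounts trace back to an approved change. The following is an added example, not code from CERT or the podcast. The roster, account export and change-ticket references are constructed sample data, and the field names are assumptions.

```python
"""Reconcile a server's account list against the HR roster and change records.

Added example (not from the CERT podcast); all data below is constructed.
It flags three things the podcast describes: former employees whose accounts
are still enabled, enabled accounts that match nobody in HR (possible
backdoor accounts), and privileged accounts with no approved change record.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool
    change_ticket: Optional[str]   # approved change that created the account, if any


@dataclass(frozen=True)
class Employee:
    username: str
    status: str                    # "active" or "terminated"


# Constructed HR roster.
ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "terminated"),
    Employee("carol", "active"),
]

# Constructed account export from one server.
ACCOUNTS = [
    Account("alice", True, True, "CHG-1001"),
    Account("bob", True, True, "CHG-0877"),        # left the company, still enabled
    Account("carol", True, False, "CHG-0990"),
    Account("svc_backup2", True, True, None),      # unknown to HR, privileged, no ticket
    Account("dave", False, False, "CHG-0400"),     # disabled leaver: nothing to flag
]

# Constructed list of approved change tickets from the change management system.
APPROVED_CHANGES = {"CHG-0877", "CHG-0990", "CHG-1001"}


def review_accounts(accounts: List[Account], roster: List[Employee],
                    approved_changes: set) -> Dict[str, List[str]]:
    """Return a dict mapping finding type to the sorted usernames it applies to."""
    by_user = {e.username: e for e in roster}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],
        "unknown_account": [],
        "privileged_without_change": [],
    }
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            # Only enabled accounts matter; a disabled leftover is a hygiene issue, not a backdoor.
            if acct.enabled:
                findings["unknown_account"].append(acct.username)
        elif emp.status == "terminated" and acct.enabled:
            findings["terminated_still_enabled"].append(acct.username)
        # Every privileged account should be traceable to an approved change.
        if acct.privileged and acct.change_ticket not in approved_changes:
            findings["privileged_without_change"].append(acct.username)
    return {kind: sorted(users) for kind, users in findings.items()}


if __name__ == "__main__":
    for kind, users in review_accounts(ACCOUNTS, ROSTER, APPROVED_CHANGES).items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Run against the constructed data it reports bob (terminated but enabled) and svc_backup2 (unknown to HR and privileged with no change record); dave is ignored because the account is already disabled. In practice the inputs would be the HR system's leaver feed, the directory or local account export, and the change system's approved tickets, and the review would run on a schedule rather than once.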

More security awareness links


Tuesday, December 19, 2006

When SysAdmins go bad

Information Week reports that "A federal prosecutor says the sentencing of a former IT systems administrator to eight years in prison for an insider attack should sound a warning to hiring managers that they need to be more vigilant about who they're putting in critical IT positions. ... The March 4, 2002 attack brought down about 2,000 servers both in the company's data center, as well as in branch offices around the country. The financial giant reported that simply cleaning up the mess and getting back online cost UBS more than $3.1 million. ... Duronio [the guilty party] has a criminal record that includes charges of burglary and assault. A presentencing report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s. ... A spokeswoman for UBS said that when Duronio was hired in 1999, the company only ran background checks on a select number of people. Duronio was not one of them". Background checks aren't perfect but, in this case at least, should have raised concerns about the candidate prior to his employment in such a responsible position. The attack was sparked by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11.

More links on hacking, malware, accountability, roles & responsibilities, incident management and laws, standards & regulations


Wednesday, November 29, 2006

CERT podcasts

Thanks to a tip-off from Gideon Rasmussen on the insider threat email reflector, I've come across a series of information security podcasts by CERT, aimed at 'business leaders'. The podcast on security Return On Investment (ROI) contains an interesting comment relating to research by "a couple of economists at the University of Maryland named Lawrence Gordon and Martin Loeb" who are said to have determined that a security control investment should only go ahead if the cost is no more than 37% of the expected return. I find this a very curious statement: from a purely economic point of view, almost any net positive return is financially worthwhile provided that (a) there is sufficient funding available for the investment (i.e. it is not outranked by other higher return investments) and (b) the projected costs and returns are realistic ... which is perhaps the issue here. Security projects in the main create returns by reducing risks and hence reducing projected future losses compared to the do-nothing option. The economists seem to be saying that security and risk professionals are seriously overestimating projected savings. They may have a point.
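For reference, the 37% figure the podcast cites is the 1/e bound from Gordon and Loeb's 2002 model of security investment: an asset worth L faces a breach with probability v (its vulnerability) if nothing more is spent; spending z lowers that probability to S(z, v); and for the two families of S they analyse, the spend that maximizes expected net benefit never exceeds (1/e) × v × L, i.e. roughly 37% of the expected loss. The block below is an added example, not code from the podcast, CERT or the paper. It works the optimization through for their class II function S(z, v) = v^(αz+1) and checks the bound; the parameter values are constructed.

```python
"""Gordon-Loeb (2002) optimal security investment, class II breach function.

Added example, not from the CERT podcast. Notation follows the paper:
  L      potential loss if the asset is breached
  v      vulnerability: breach probability with no extra investment, 0 < v < 1
  z      amount invested in security
  S(z,v) breach probability after investing z; class II is v ** (alpha*z + 1)
Expected net benefit of investing z is
  ENBIS(z) = (v - S(z, v)) * L - z
and the paper's result is that the maximizing z* satisfies z* <= v*L / e.
All parameter values used below are constructed.
"""
import math

ONE_OVER_E = 1.0 / math.e   # the ~36.8% ("37%") bound


def breach_probability(z: float, v: float, alpha: float) -> float:
    """Class II security breach function: S(z, v) = v ** (alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def net_benefit(z: float, v: float, L: float, alpha: float) -> float:
    """ENBIS(z): reduction in expected loss minus the amount invested."""
    return (v - breach_probability(z, v, alpha)) * L - z


def optimal_investment(v: float, L: float, alpha: float) -> float:
    """z* from the first-order condition, floored at zero.

    dS/dz = alpha * ln(v) * v**(alpha*z+1), so -L * dS/dz = 1 gives
        v**(alpha*z+1) = 1 / (alpha * L * ln(1/v)).
    ENBIS is concave in z (S is convex), so if the marginal benefit at z=0,
    alpha * L * v * ln(1/v), is already at or below the marginal cost of 1,
    the optimum is to invest nothing.
    """
    if not 0.0 < v < 1.0:
        raise ValueError("vulnerability v must lie strictly between 0 and 1")
    k = alpha * L * math.log(1.0 / v)
    if k * v <= 1.0:
        return 0.0
    exponent = math.log(1.0 / k) / math.log(v)    # equals alpha*z* + 1
    return max(0.0, (exponent - 1.0) / alpha)


def fraction_of_expected_loss(v: float, L: float, alpha: float) -> float:
    """z* expressed as a fraction of the expected loss v*L (Gordon-Loeb: <= 1/e)."""
    return optimal_investment(v, L, alpha) / (v * L)


def within_gordon_loeb_bound(v: float, L: float, alpha: float) -> bool:
    """True when the optimal investment respects the 1/e bound."""
    return fraction_of_expected_loss(v, L, alpha) <= ONE_OVER_E + 1e-12


if __name__ == "__main__":
    # Constructed scenarios: (v, L, alpha)
    for v, L, alpha in [(0.5, 1000.0, 0.01), (0.3, 10000.0, 0.001),
                        (0.8, 500.0, 0.05), (0.9, 1000.0, 0.01)]:
        z = optimal_investment(v, L, alpha)
        print(f"v={v:<4} L={L:<8.0f} alpha={alpha:<6} expected loss={v*L:8.1f} "
              f"z*={z:8.1f} ({100*fraction_of_expected_loss(v, L, alpha):4.1f}% of v*L) "
              f"ENBIS(z*)={net_benefit(z, v, L, alpha):8.1f}")
```

The point the model makes is narrower than a simple ROI cut-off: the 37% is a ceiling on how much it is ever worth spending relative to the expected loss, because extra spending buys ever smaller reductions in breach probability. In the first constructed scenario the expected loss is 500 and the optimum is about 179, just under 500/e; in the last, the marginal benefit at zero is already below one dollar per dollar, so the optimal spend is nothing.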
More security awareness and risk management resources
