 
Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft by Eric Cole and Sandra Ring (~US$26 from Amazon) is an ideal text on this topic, peppered with numerous real-life examples.

“Watch out for the quiet ones” quotes advice on spotting insider threats from Dan Verton, author of The Insider: A True Story (~US$27 from Amazon). Dan’s book reports his extensive research into insider threats within US organizations.

Ira Winkler’s Spies Among Us (~US$18 from Amazon) is a well-written exposé of the techniques used to infiltrate and spy on organizations, written by a former spy. The case studies are exactly the kind of thing needed to enlighten naive or complacent managers who are overconfident in their own security controls.

Insider threats are outlined in Enemy At The Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures by Brian Contos (~$33 from Amazon). However, the book’s main purpose is a sales pitch for the author’s Enterprise Security Management system.
“The problem with many criminals is that they get addicted to illegal behavior. The excitement that comes from committing the first crime has its roots in the fear of getting caught. If they don’t get caught, they are encouraged to do it again and possibly again. As they get away with more crimes and infractions, they begin to feel untouchable. Eventually, they feel like they can commit any crime and get away with it.” (quoted from High-tech Crimes Revealed, ~$30 from Amazon)

“A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door.” This is a classic insider threat example, a.k.a. white-collar crime.
In an interview arising from the HP debacle, Ira Winkler explained some possible countermeasures against “pretexting” and other hacker techniques.

Two former Ferrari engineers have been convicted by an Italian court for stealing confidential proprietary engineering data and passing it to their new employer, Toyota. [This story is still unfolding as of July 10th 2007]

The UK National High Technology Crime Unit (NHTCU) has evidence that criminal gangs are infiltrating organizations to gather information by bribing insiders. “There is infiltration. We haven’t found a single case of this being through intimidation or other means; it’s about making money.” Whilst people often talk about this risk, it is unusual to hear it from such an authoritative source.

Extrusion Prevention - the story of insider theft, a three-part article by Israeli author Danny Lieberman, is a useful summary of the threats, vulnerabilities and impacts of unauthorized information disclosure by insiders, along with the controls, including legal measures.

There’s a high signal-to-noise Yahoo group on insider threats and a page of related resources from group (or should that read squadron?) leader Gideon Rasmussen.
Accountability and division of responsibilities feature prominently in a podcast and transcript of an interview with CERT’s Dawn Cappelli on the insider threat. A presentation by Dawn discusses surveys by CERT/SEI, the US Secret Service and CSO Magazine on insider threats. Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, for example, drew a variety of unsurprising conclusions about the types of insider attack and the profiles of perpetrators. Case summaries in the report make interesting fodder for security awareness purposes. There is a wealth of information on the insider threat on CERT’s website, including their Common Sense Guide to Prevention and Detection of Insider Threats. This is a focus area for CERT. It is gratifying to find that employee security awareness is recognized as an important control.

A case study describes the investigation of a series of security breaches that traced back to an IT worker. “The organization learned several important lessons from these incidents, the most important of which was the need for clear and comprehensive policies that state what actions are prohibited and how violations will be treated. New and detailed security policies were developed and put into place to clarify what system administrators are authorized to do. The policies removed any ambiguity regarding what could be considered wrongdoing on the part of system administrators and spelled out sanctions for violators.”
Whether insider threats involving IT are covered by traditional “crime insurance” or new “cyber insurance” is the topic of an Insurance Journal article.

An article on ‘head hacking’ reports: “Protecting an organisation’s information assets from such an insidious form of intrusion can be frustratingly difficult. After all, most information security measures are designed to block intruders, rather than protect insiders from being subverted and inadvertently revealing information.... In one way, all computer hacking is about the human factor. Hackers succeed in hacking not just by exploiting weaknesses in computers, but also the shortcomings in the ways that those computers are managed or applications are developed. ... The answer is to educate users about the risks and to adequately monitor both insiders and outsiders. It won’t be easy, but companies simply cannot afford to ignore this form of attack.”
A former UBS IT systems administrator, Roger Duronio, was sentenced to eight years in prison for attacking the network he was supposedly managing. The logic bomb, which cost over $3m, was sparked by Duronio receiving a bonus $15k lower than he expected in the aftermath of 9/11. “The computer sabotage trial of a systems administrator who was found guilty of attacking the network he had been hired to protect at UBS PaineWebber is sending out a sobering message, and one that can’t be stressed enough: No matter what network security you have in place, it may not be enough to protect you from one of your own. It’s almost a clich [sic], but one that many companies still do not take seriously.” Good insider threat case study here.

The US Department of Justice Computer Crime and Intellectual Property Section publishes brief summaries of hacking and other crimes they have been involved with, such as one involving Alta Vista servers being hacked by a former Alta Vista employee.

The FBI investigated whether a former employee of a mining equipment company hacked into the company’s computer system from home to copy files of projects he had worked on. Former employees should, of course, have had their access rights removed, but it is unclear whether the hacker used his own login credentials or hacking techniques.
The phrase “To err is human...” encapsulates the fact that people and computers are fundamentally different in many respects. People often make mistakes, are sometimes lazy, and react emotionally or irrationally. Computers, in contrast, slavishly and precisely follow logical program instructions. If we are to improve information security (or indeed address many other problems involving people), we must take these fundamental differences into account. We need to think holistically: ‘systems’ are not just the computers but include the users and administrators plus the management and operational processes. A report on human errors in healthcare argues that “the majority of medical errors do not result from individual recklessness or the actions of a particular group--this is not a ‘bad apple’ problem. More commonly, errors are caused by faulty systems, processes, and conditions that lead people to make mistakes or fail to prevent them.”
Within a fascinating analysis of information security breach surveys, Meta Group stated: “Although 80% of the incidents are external (including virus/worms or Web defacements), we estimate that 80% of direct financial losses come from internal breaches, which are often hushed up and therefore hardest to quantify [our emphasis]. Consequently, organizations should invest in internal controls to protect against few attacks, which result in significant direct losses, and in external controls to protect against numerous attacks, which cause little damage directly, but result indirectly in losses such as decreased resource availability.” This conclusion very neatly resolves a widespread paradox: ‘Internet hackers’ and ‘worms’ are Big News, but privileged insiders must be controlled to avoid the most serious breaches. Unfortunately, since Meta Group was acquired by Gartner, the analysis is no longer online, or at least probably not for free :-(
Deseret News reported that customer details were sold to identity thieves by employees of Bank of America, Wachovia and two other banks. “We’ve got a nasty problem and it keeps getting worse over the past couple of months,” said Peter G. Neumann, a security expert with SRI International [and long-time manager of the RISKS mailing list]. “Insiders have always been a concern, it’s just that (institutions) are finally admitting it.” Security awareness is one of, if not the most, important internal controls against hacking by staff (trusted insiders).
Related NoticeBored links collections
Hacking, IT fraud, social engineering and security awareness
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.