
Insider Threat

CSCE 727 - Farkas 2

Reading List

The National Infrastructure Advisory Council’s Final Report and Recommendation on the Insider Threat to Critical Infrastructures, http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf, 2008 (focus on sections IV, …, VII)

Recommended:

CERT, Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, www.cert.org/archive/pdf/insiderthreat_it2008.pdf, 2008

Insider threat to security may be harder to detect, experts say, http://www.computerworld.com/securitytopics/security/story/0,10801,70112,00.html, 2012

Analyzing the Insider Threat

Defining the insider threat (physical and cyber)

Analyzing scope, dynamics, and effect of globalization

Obstacles and challenges to address the threat


Why is it Challenging to Address the Insider Threat?

Trusted employee
Security breaches often undetected
Lack of reported data (organizations handle the events discreetly)
Difficulties in understanding the causes and implications of the threat
– How to apply the Method, Opportunity, Motivation (MOM) approach?
– Give examples of consequences.


Insider Threat

“… one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”

Source: NIAC’s final report and recommendations on the Insider Threat to Critical Infrastructures, 2008


Access

To the systems, facilities, or information
Additional “insiders”:
– Unescorted vendors
– Consultants
– Contractors

Trust


Technical Aspect

CERT/SEI and US Secret Service study, technical aspects:
– Most insiders had authorized access at the time of the malicious activities
– Access control gaps facilitated most of the insider incidents
– Most insiders modified or deleted information using only user commands
– Some used technical means for compromising accounts


Access Control Issues

Access exceeded what was needed to do the job
Access was obtained following termination or changes in position
The insider was able to use another employee’s account or computer
Technical control was insufficient
The insider could circumvent technical control


Trust

Procedures to support trust management:
– Establish the appropriate level of trust at employment
– Monitor compliance over time
– Revoke access

Mission-critical positions

What are the technical capabilities to support trust management?
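One concrete answer to that question, covering both the access control issues listed earlier (excess access, access retained after termination or a change of position, use of another employee’s account or computer) and the trust-management steps above (establish, monitor, revoke), is a periodic access review. The script below is an added example written for this page, not code from the lecture or from any of the cited reports; the employees, roles, entitlements and login log are constructed and hypothetical. It compares what each account is granted with what the person’s current role needs, flags accounts that stay enabled after termination, and attributes logins to the person assigned to the workstation to spot one account being used from someone else’s machine.

```python
from dataclasses import dataclass

# Entitlements each role actually needs for its job (hypothetical, constructed for this example).
ROLE_ENTITLEMENTS = {
    "developer": {"git", "build_server"},
    "payroll_clerk": {"payroll_app"},
    "dba": {"git", "prod_db_admin"},
}


@dataclass
class Employee:
    uid: str
    role: str         # current position (may differ from the one the account was provisioned for)
    status: str       # "active" or "terminated"
    workstation: str  # host assigned to this person


@dataclass
class Account:
    uid: str
    enabled: bool
    entitlements: set


# Constructed sample HR data: carol moved from dba to developer, dave was terminated.
EMPLOYEES = {
    "alice": Employee("alice", "developer", "active", "ws-alice"),
    "bob": Employee("bob", "payroll_clerk", "active", "ws-bob"),
    "carol": Employee("carol", "developer", "active", "ws-carol"),
    "dave": Employee("dave", "payroll_clerk", "terminated", "ws-dave"),
}

# Constructed account listing: what the directory still grants today.
ACCOUNTS = {
    "alice": Account("alice", True, {"git", "build_server"}),
    "bob": Account("bob", True, {"payroll_app", "git"}),         # git was never needed for payroll
    "carol": Account("carol", True, {"git", "prod_db_admin"}),   # kept DBA rights after changing position
    "dave": Account("dave", True, {"payroll_app"}),              # never disabled after termination
}

# Constructed successful-login log: (timestamp, account, host).
AUTH_LOG = [
    ("2024-03-01T08:02", "alice", "ws-alice"),
    ("2024-03-01T09:15", "bob", "ws-alice"),   # bob's account used from alice's machine
    ("2024-03-02T10:00", "carol", "ws-carol"),
    ("2024-03-02T22:40", "dave", "ws-dave"),   # terminated employee still logging in
]


def review_entitlements(employees, accounts):
    """Compare granted entitlements with what the current role needs.

    Returns (finding_type, uid, detail) tuples for:
      - stale_access: account enabled but the person is gone (revoke step missed)
      - excess_access: entitlements beyond the current job (least privilege violated)
    """
    findings = []
    for uid, acct in accounts.items():
        emp = employees.get(uid)
        if emp is None or emp.status != "active":
            if acct.enabled:
                findings.append(("stale_access", uid, "account enabled with no active employee"))
            continue
        needed = ROLE_ENTITLEMENTS.get(emp.role, set())
        excess = sorted(acct.entitlements - needed)
        if excess:
            findings.append(("excess_access", uid, excess))
    return findings


def review_auth_log(employees, auth_log):
    """Attribute logins to people and flag two patterns from the CERT findings:
    use of another employee's account or computer, and access after termination."""
    host_owner = {e.workstation: e.uid for e in employees.values()}
    findings = []
    for ts, uid, host in auth_log:
        emp = employees.get(uid)
        if emp is None or emp.status != "active":
            findings.append(("terminated_login", uid, ts))
            continue
        owner = host_owner.get(host)
        if owner is not None and owner != uid:
            findings.append(("account_sharing", uid, f"{ts} from {host}, assigned to {owner}"))
    return findings


if __name__ == "__main__":
    for f in review_entitlements(EMPLOYEES, ACCOUNTS) + review_auth_log(EMPLOYEES, AUTH_LOG):
        print(*f)
```

Run against the constructed data it reports bob’s unneeded git access, carol’s leftover DBA rights, dave’s still-enabled account, bob’s login from alice’s workstation and dave’s post-termination login. In practice the HR feed, the directory export and the authentication log come from three different systems, and the review is only as good as the role-to-entitlement map, which is exactly the "common screening practices" and interoperability problem the later slides raise.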


Consequences of Misuse

Critical Infrastructure:
– Interruption of services to a geographic area or sector
– Large-scale economic loss
– Psychological effects (loss of public confidence)
– Loss of life

Public Policy: public health, public psychology, economic activity

Other Consequences

Sabotage (cyber or physical)
Theft
Fraud
Intellectual property theft, etc.


Actors

Psychologically impaired, disgruntled or alienated employees
Ideological or religious radicals
Criminals

What are the corresponding motivations?


Psychology of the Insider

Shaw, E.D., Ruby, K.G., & Post, J. M. (1998). The insider threat to information systems. Security Awareness Bulletin, 2–98, 27–46.

Focuses on computer technology specialists: “…introversion is characteristic of computer technology specialists as a group, as well as scientists and other technology specialists.”


Technically Capable Insiders’ Characteristics

Social and personal frustration
Computer dependency
– Will these characteristics still hold in current society?
Ethical flexibility
Reduced loyalty
Entitlement
Lack of empathy


CERT Insider Threat Blog

Insider Threat Team: Insider Threat Case Trends of Technical and Non-Technical Employees, http://www.cert.org/blogs/insider_threat/2011/01/insider_threat_case_trends_of_technical_and_non-technical_employees.html

Non-technical incidents increase until 2006
Damage:
– Average technical insiders: more than $750,000
– Average non-technical insiders: more than $800,000


What is the detection rate for technical vs. non-technical insiders?

Insider Incidents


Copyright: CERT Insider Threat

Psychology of the Insider

Psychology plays a role in all the known cases, in addition to:
– Ideology, religion, radicalization, and crime

CERT study: comparing IT sabotage and espionage
– Common set of personality traits
– Behavioral deviation from what is expected


Psychology of the Insider

CERT first set of indicators for potential insiders (2008):
– Difficult or high-maintenance employee
– Personality issues that affect social skills and decision making
– History of rule violations
– Social network risks
– Medical/physical issues (e.g., substance abuse)


Who Will Carry Out the Malicious Intent?

Lots of disgruntled employees, yet there is NO direct correlation between disgruntled employees and insider threats
– Why not?

Mechanisms leading to betrayal:
– Growing discontent
– Recruitment by hostile outside entities
– Infiltration of a malicious actor into a trusted position


Anonymity vs. Accountability

Malicious users do not want to be caught
Potential mitigation strategy: establish clear accountability
How will it affect users’ privacy rights?


Types of Insider Threats

State and military espionage
Economic espionage
Corporate espionage
Privacy compromises


State and Military Espionage

Foreign intelligence agencies
Goal: collect state and military secrets
Target: foreign government
Insider traitors, foreign agents, spies
Motivation of traitor:
– Financial gain, ideology, revenge


Examples

1987: Earl E. Pitts – special agent, FBI
– Became: KGB agent
– Motivation: financial gain
– Sentencing: fine ($500,000 + $250,000)

1994: Aldrich H. Ames – CIA agent
– Became: KGB agent
– Motivation: financial gain
– Sentencing: life sentence


Economic Espionage

Government intelligence (state sponsored)
Goal: acquire economic secrets of a foreign country, trade policies, and trade secrets
Target: foreign corporations, research facilities, universities, defense contractors
Method: similar to military espionage
Technological competition

Economic Espionage

Seeking critical technologies
Motivation, Opportunity, Methods aspect?
Accountability?
Often ties with corporate espionage
– What are the effects of employee turnover? The level of security is the level of the weakest point.
– Estimate the level of protection for finance, nuclear vs. transportation, communication


Example

Pierre Marion (France) – Admitted spying on foreign firms
– IBM, Texas Instrument, Corning Glass

Marc Foldberg (Renaissance Software, Inc., Palo Alto, CA) – copied software
– Motivation: financial gain
– Sentencing: community service

Guillermo (Bill) Gaede – temp. employee of Intel Corp.
– Motivation: financial gain
– Sentencing: 33 months in federal prison


Corporate Espionage

Corporation against other corporations
Goal: acquire competitive advantage in the domestic or global market
Foreign or domestic competitors


Corporate Espionage

Computer technology: convenient way
Investigations
– Go public or not
Law
– Inadequate
– Gray areas


Examples

Cadence Design Systems vs. Avant! -- software product
General Motors vs. VW
IBM vs. Hitachi

Dynamics

Globally distributed workforce
Most insiders are discovered after they committed the malicious act, which increases the damage
Research: detect malicious behavior before it happens
How? Suggest approaches. What are the consequences of these approaches?
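One approach that research on early detection takes is to compare each user’s current activity with that user’s own history rather than with a fixed rule, so that deviations (new resources, unusual hours, unusual volume) surface before any damage is confirmed. The following Python script is an added example written for this page, not code from the lecture or from CERT; the activity log, users, resources and hours are constructed and hypothetical. It builds a per-user baseline from a training window and scores a later window against it.

```python
import statistics
from collections import defaultdict

# Constructed activity log, one record per (day, user, hour, resource, records_accessed).
# Five days of ordinary activity serve as the training window (hypothetical data).
BASELINE_LOG = []
for day in range(1, 6):
    BASELINE_LOG += [
        (day, "alice", 9, "crm", 20 + 2 * day),
        (day, "alice", 14, "crm", 20 + 2 * day),
        (day, "bob", 10, "hr_db", 10),
        (day, "bob", 16, "hr_db", 12),
    ]

# Constructed monitoring window (day 6) with planted deviations.
RECENT_LOG = [
    (6, "alice", 9, "crm", 30),
    (6, "alice", 2, "crm", 400),            # 02:00 bulk pull, far above her usual daily total
    (6, "bob", 10, "hr_db", 11),
    (6, "bob", 16, "payroll_export", 5),    # a resource bob has never touched
    (6, "eve", 9, "crm", 5),                # account with no history at all
]


def build_baseline(log):
    """Per user: resources and hours seen, plus mean and population stdev of daily volume."""
    resources = defaultdict(set)
    hours = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, hour, resource, n in log:
        resources[user].add(resource)
        hours[user].add(hour)
        daily[user][day] += n
    baseline = {}
    for user in resources:
        totals = list(daily[user].values())
        baseline[user] = {
            "resources": resources[user],
            "hours": hours[user],
            "mean": statistics.mean(totals),
            "sd": statistics.pstdev(totals) if len(totals) > 1 else 0.0,
        }
    return baseline


def score_window(baseline, log, k=3.0):
    """Return (user, reason) pairs for activity that deviates from the user's own baseline."""
    findings = []
    daily = defaultdict(int)
    for _day, user, hour, resource, n in log:
        b = baseline.get(user)
        if b is None:
            findings.append((user, "no baseline for this account"))
            continue
        if resource not in b["resources"]:
            findings.append((user, f"first access to {resource}"))
        if hour not in b["hours"]:
            findings.append((user, f"activity at unusual hour {hour:02d}"))
        daily[user] += n
    for user, total in daily.items():
        b = baseline[user]
        # Band of k standard deviations, but never narrower than 10% of the mean,
        # so a user with a perfectly regular history is not flagged by a one-record change.
        threshold = b["mean"] + k * max(b["sd"], 0.1 * b["mean"])
        if total > threshold:
            findings.append((user, f"daily volume {total} exceeds baseline threshold {threshold:.0f}"))
    return findings


if __name__ == "__main__":
    for user, reason in score_window(build_baseline(BASELINE_LOG), RECENT_LOG):
        print(user, reason)
```

On the constructed data it flags alice’s 02:00 activity and her day-6 volume, bob’s first use of payroll_export, and eve’s account having no history. Every one of these is a deviation, not evidence of intent: a new project, a deadline or a reassignment produces the same signals, which is the consequence the slide asks about, since each alert is a person being examined on the strength of a statistic, and the amount of per-user history such a baseline needs is itself a privacy cost.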


Privacy Violations

Personal data
– Social Security Administration
– Law Enforcement
– Medical
– Financial

Computer systems
– Trusted security personnel?
– Trusted system administrators?
– Temporary employees?


Business Relationship

Trade secrets acquired during a normal business relationship
Transfer of proprietary secrets
Trust in partners?


Visits and Requests

Insider unwittingly releases proprietary info
Social engineering
Privacy violations
Illegal? Unethical?
Example: false identity, overly friendly, demanding, etc.


Foreign Researchers

CRA News, November 2005
US attracts outstanding researchers, students, educators
Supports the US in becoming an economic power
Export control:
– March 2005: Department of Commerce’s Bureau of Industrial Security (BIS)
– July 2005: Department of Defense
Place restrictions on foreign nationals who “use” or have access to sensitive technologies (export control)


Proposed Changes

Export applications: in addition to citizenship and country of residence, consider country of birth as well

Expand the definition of “use” to any form of instructions on export controlled info

Exclude from the fundamental research exemption those that are sponsored by the government and subject to prepublication review.


Foreign Researchers

Office of Inspector General: Loopholes allow leakage of sensitive information
– Requests special requirements to access such materials

Criticism: academia, industry, other federal agencies, U.S. Senate
– Almost all oppose the proposed rule


Fraud and Embezzlement

False transactions or tampering with the system
Goal: financial gain (usually)
Examples:
– Bogus transactions
– Data diddling (modification)

Obstacles to Address Insider Threat

Lack of information sharing
– Incentives of organizations to share their findings
– Counterincentives!

Lack of sufficient research
– Risk management
– Comprehensive model

Lack of education and awareness
– Privacy violation risk?
– Discrimination?


Obstacles to Address Insider Threat

Managing and maintaining employee identification
Uneven background screening
Cultural and organizational challenges
Technological challenges
– Technologies are not interoperable among the organizations
– Ethical boundaries in virtual space are not always clear
– Globalization


What can be done?

Employee screening
– Need common screening practices
Periodic reevaluation
Incentives to maintain/increase loyalty
Research to understand motivations and mitigate risk accordingly
Technology/psychology/social studies


Next Class

National Security
