1 Insider Threats Spring 2002 Team 1 M. Broderick, R. Diaz, J. Gerrits, S. Konstantinou

Post on 19-Dec-2015


1

Insider Threats

Spring 2002, Team 1: M. Broderick, R. Diaz, J. Gerrits, S. Konstantinou

2

Insider Threats: Agenda

- The Problem
- Scope
- Causes
- Effects
- Detection
- Responsibility
- Prevention

3

Insider Threats: The Problem

While companies try to defend themselves by erecting electronic defenses (firewalls, passwords, sophisticated biometric controls) to complement physical protection such as guards, locks, cameras and fences, the largest threat to a company's computer information and systems comes from within the organization…

4

Insider Threats: Scope (CSI/FBI Surveys)

- Financial losses due to (all) security breaches were reported by between 51% and 75% of respondents from 1997 to 2001
- 2001: losses of $377M reported by 196 respondents (about 37% of those surveyed)
- 50% of network attacks originate within the enterprise
- Average cost of an insider breach is roughly 100x that of an internet break-in ($2.4M vs $27k)

Source: Harry Krimkowitz, "Mitigating Risks to the Insider Threat within Your Organization", SANS Institute, Information Security Reading Room, October 24, 2000. http://rr.sans.org/securitybasics/insider_threat.php

5

Insider Threats: Examples

Stealing Information
- FBI Special Agent Robert Hanssen is arrested for providing secret documents to the Soviet Union and Russia in return for payments of over $600,000

Employee System Misuse
- Email is used to pass discriminatory or sexually harassing messages
- Employees use email to organize union activities
- Employees use company time to surf the internet, shop, listen to music, copy software without proper licensing…

Intellectual Property Violations
- Copying and downloading programs without paying fees
- Assumption that everything on the internet is "free"

6

Insider Threats: Examples (continued)

Privacy Issues
- Unauthorized review or disclosure of internal information

Sabotage
- Untested programs
- Intentionally leaving "backdoors"
- Rigging calculations

Carelessness
- Leaving machines unattended so others can log on
- Entering incorrect or incomplete information

7

Insider Threats: Type

- Voluntary: using unauthorized software
- Involuntary: inappropriate inquiries or data are attached to or hidden in email (virus, Trojan horse, etc.)
- Willful: setting time bombs in applications
- Accidental: emailing to an incorrect recipient or "the world"

8

Insider Threats: Motivation – 1

Risk/Reward
- Will I get caught?
- What's the risk worth?
- What are the odds?

Internal (Organizational) Pressures
- "Performance targets must be met to ensure continued employment" and the mortgage is $5000/month
- Everyone else is doing it…
- If you don't, I'll find someone who will…

Revenge
- I'll show them…
- They can't manage without me
- I'll get you…

9

Insider Threats: Motivation – 2

External (Extramural) Pressures
- Keeping up with the Joneses
- Family and personal needs
- Fix an external problem: environment, political action, etc.

Ignorance
- It can't be that complicated…
- Have to answer the phone now… I'll get back to the PC soon
- "Can you let me in? You know me… I forgot my key, just this once…"

10

Insider Threats: Motivation – 3

Just Because…
- I bet I can
- They'll never find this…
- It's no big deal
- This can't be wrong…
- Permission? Why?

Other Reasons…

11

Insider Threats: Effects

Internal
- Financial losses
- Loss of trust
- Safety issues

External
- Company reputation
- Access to credit
- Fiduciary issues
- Legal complications

12

Insider Threats: Why?

Do people hold contradictory views about the morality of society and business?

How does this affect insider risks?

13

Insider Threats: Why?

Why are the statistics of reported unethical behavior so high?

Are they high enough? (Probably not!)

14

Insider Threats: Can I?

Most of us will have to make the "right" decision at some point during our professional careers.

Can we define clearly, consistently and unambiguously what is right?

15

Insider Threats: What If...?

But what if everyone else disagrees with you?

No one likes whistleblowers!

Right?

16

Insider Threats: What If...?

What if… you are someone else's tradeoff?
- Your job
- Your lifestyle
- Your professional reputation
- Your finances
- Your family
- …

17

Insider Threats: Who? You!

What can you do to contribute to a business environment that supports ethical behavior?

18

Insider Threats: Why?

But what if everyone else disagrees?

No one likes whistleblowers!

19

Insider Threats: Responsibility

- Perpetrator
- Management
- Risk Management
- Information Technology
- Enforcement Authority
  - Internal security force
  - External police

20

Insider Threats: Detection

Accidental
- Why did I get this result?
- Who sent this?
- Where did this originate?

Intentional
- Eye witness
- Monitoring

Disclosure
- Whistleblower
- Self reporting

No Detection
- It just stops…

21

Insider Threats: Prevention

- Employee screening and background checks
- Establish rules in advance
- Code of ethics
- Employee training
- Build trust
- "Healthy environment" – self-respect
- Management by example
- Shared values
- Monitor – trust but verify

22

Insider Threats: Enforcement

- Disincentives for breaking the rules
- Remove penalties for whistle-blowing
- Get the facts!
- Act quickly
- Legal implications: employee, management, customer

23

Insider Threats: Summary

Very Large Problem

No Simple Solution

24

Insider Threats: Summary

Minimize the problem areas by:
- Pre-screening
- Education
- Predictability
- Control

Healthy environment:
- Shared values
- Self-esteem
- Integrity

25

Insider Threats: Sources

CSI/FBI Survey 2001. http://www.wi-infragard.com/csi-fbi/Information%20Insecurity%20csi-fbi%20survey%20for%20executives_files/frame.htm

CSI/FBI Survey 2000. http://www.pbs.org/wgbh/pages/frontline/shows/hackers/risks/csi-fbi2000.pdf

Arrest of Robert Hanssen (cached by Google.com). http://www.cicentre.com/Documents/DOC_Hanssen_Press_Conference.htm

John B. Lewis, "I Know What You Emailed Last Summer", Security Management, January 2002, pp. 93-99.

Eileen Conklin, "Whose Rules?", Information Week, March 11, 2002. http://www.informationweek.com/shared/printableArticle?doc_id=IWK20020308S0002