Brown Bag Presentation: Insider Threats By Kevin McKeever

Upload: todd-short

Post on 18-Jan-2018



Page 1: Brown Bag Presentation: Insider Threats By Kevin McKeever

Brown Bag Presentation: Insider Threats

By Kevin McKeever

Page 2

What is an Insider Threat?

Definition of an Insider Threat – A current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

Page 3

What Kind of Damage Can Insiders do to an Organization?

To name a few things:
◦ Introduce viruses, worms, and trojan horses into company’s systems and network
◦ Introduce vulnerabilities to allow outside attackers into the network
◦ Steal company information or corporate secrets
◦ Steal money
◦ Corrupt or delete data
◦ Alter data to produce inconvenience or false criminal evidence
◦ Steal identities of specific individuals
◦ Alter equipment protocols, potentially causing physical damage or loss of life

Page 4

What Kinds of Insiders Are There?

There are 3 general classifications of insiders:
1. The trusted unwitting insider
2. The trusted witting insider
3. The untrusted insider

Page 5

The Trusted Unwitting Insider

Someone with legitimate access to a company’s computer systems or networks, but who errs in judgment, in turn putting the company at risk

Page 6

The Trusted Witting Insider

Someone with legitimate access to a company’s computer systems or networks who makes a conscious decision to sabotage the company or provide privileged information to an unauthorized party with malicious intent or for personal gain

Page 7

The Untrusted Insider

Someone who is not authorized to access a company’s computer systems or networks, but has taken advantage of compromised user credentials or a backdoor in the system to assume the role of a trusted employee

Page 8

How do Insiders Generally Attack?

Insider attacks generally follow a 4 step format:
1. Gain entry to the system or network
2. Learn where the system is most vulnerable and discover how to inflict the most damage (depending on an individual's intentions)
3. Insider sets up a workstation to carry out the devious activities
4. Insider carries out the destructive activity

Page 9

Motivations to Commit Insider Attacks

4 broad categories:
◦ Money
◦ Ideology
◦ Ego
◦ Coercion

Page 10

Examples of Motivations to Steal

Greed or financial need
Anger or revenge
Problems at work
Ideology or identification
Divided loyalty
Adventure or thrill
Vulnerability to blackmail
Ego or self-image
Ingratiation
Compulsive or destructive behavior
Family problems

Page 11

Understanding the Insider Psyche – US-CERT Study on Insider Attacks

Most insiders that commit IT sabotage have personal predispositions that contributed to their risk of committing IT sabotage:
◦ Serious mental health disorders
◦ Abnormal social skills and decision-making bias
◦ History of rule violations

Page 12

Understanding the Insider Psyche (cont.) – Finding #1

Most insiders who committed IT sabotage were disgruntled due to unmet expectations
◦ A US-CERT study found that 92% of insider attacks followed a negative work-related event like termination, dispute with current/former employer, demotion, or transfers

Page 13

Understanding the Insider Psyche (cont.) – Finding #2

Usually, employees that undergo stressful events have a higher likelihood of committing insider IT sabotage

Page 14

Understanding the Insider Psyche (cont.) – Finding #3

Behavioral precursors were often observable in insider IT sabotage cases but ignored by the organization
◦ In a US-CERT study, 97% of insiders who committed IT sabotage came to the attention of supervisors or coworkers for concerning behavior before the attack

Page 15

Understanding the Insider Psyche (cont.) – Finding #4

Organizations failed to detect technical precursors
◦ In a US-CERT study, 87% of organizations failed to detect technical precursors before an insider attack

Page 16

Understanding the Insider Psyche (cont.) – Finding #5

Insiders created or used access paths unknown to management to set up the attack and conceal their identity or actions; most insiders attacked after termination
◦ In a US-CERT study, 75% of insiders who committed IT sabotage created access paths unknown to the organization

Page 17

Understanding the Insider Psyche (cont.) – Finding #6

Lack of physical and electronic access controls facilitated IT sabotage
◦ In a US-CERT study, 93% of insiders who committed IT sabotage exploited insufficient access controls

Page 18

What Can Organizations do to Protect Themselves?

1st line of defense – prevention
◦ Stop the attack from ever happening

2nd line of defense – detection
◦ Detect malicious activity before it does any substantial damage

3rd line of defense – respond
◦ Mitigate the damage done and react to the attack

Page 19

How to Stop Insiders from Attacking

Training
◦ Educate employees on appropriate usage of computers and network systems and the consequences if misused.
◦ Training quality affects the rate of inappropriate online actions and attacks by insiders.

Page 20

How to Stop Insiders from Attacking

Limit information dispersion
◦ Provide information on a need to know basis
◦ Limit access to information and hardware that has access/can access the network (laptops, USBs, etc.)

Page 21

How to Stop Insiders from Attacking

Background checks
◦ Perform background checks on people, make sure they are well-rounded and mentally stable people
◦ People who have already committed IT sabotage may do it again sometime in the future

Page 22

How to Stop Insiders from Attacking

Prosecute the guilty
◦ Make sure to make an example out of the insider who attacked so others won’t soon forget
◦ “Public hangings set a strong deterrent”

Page 23

How to Stop Insiders from Attacking

Sanctioning
◦ Use punitive measures in an attempt to motivate the insider to reduce inappropriate behavioral or technical actions to avoid further punishment
◦ This can sometimes have the opposite effect, however, increasing disgruntlement and inappropriate actions by the employee

Page 24

How to Stop Insiders from Attacking

Early mitigation through expectation setting
◦ Set expectations so employees don’t feel as if they were treated unfairly, in order to minimize employee disappointment
◦ Communication between employees and managers is key, along with consistent enforcement of company policies to ensure all employees are treated fairly
◦ If disappointment does arise, take action to address it

Page 25

How to Stop Insiders from Attacking

Handle disgruntlement through positive intervention
◦ Take preventative steps to eliminate the behavioral precursors/technical precursor behavior. For example, offer EAPs (employee assistance programs) that assist employees dealing with personal/work related issues that may impact job performance
◦ May not be effective if quality of intervention is low

Page 26

How to Stop Insiders from Attacking

Targeted monitoring
◦ Not practical for all employees in an organization but effective if used correctly. For example, logging online activity across an organization’s network periodically, or monitoring employees who exhibit suspicious activity

Page 27

How to Stop Insiders from Attacking

Eliminate unknown access paths
◦ Whether it’s forgotten old access paths or newly discovered ones, they must be taken care of in order to ensure more comprehensive system protection and stop insiders from potentially sabotaging systems. Organizations can do this by monitoring network traffic

Page 28

How to Stop Insiders from Attacking

Measures upon demotion or termination
◦ A clearly defined process for demotions and terminations can prevent insiders from attacking an organization
◦ Don’t be too brash in firing employees; sometimes it only takes a bit of training and encouragement to get them to conform, but don’t be too forgiving either, as they may be trouble for the company and never conform even after multiple attempts
◦ Don’t give them a lot of time during the termination process. If they think they will be terminated, or once they are terminated, they may attack a system because they may still have access to it or be familiar with techniques to manipulate or exploit it

Page 29

How to Stop Insiders from Attacking

Frequent system checks
◦ Monitor the system using technical analysis

Frequent people checks
◦ Monitor employees using employee evaluations and other quality checks

Page 30

How to Stop Insiders from Attacking

Defense in depth – it’s all about checks and balances/separation of powers
◦ Continuously audit systems
◦ Maintain multiple layers of authorization and authentication
◦ Ensure network security systems are in place and functioning properly (firewalls, etc.)

Page 31

How to Stop Insiders from Attacking

Back up your data
◦ Sometimes insiders do succeed and information is compromised
◦ At this point, it’s damage control, and backing up your data to ensure accuracy and credibility is of vital importance
◦ It’s important to back up your data somewhere that isn’t on the same network/also vulnerable to insider attacks, as the insider may have compromised the backup data as well

Page 32

Behavioral Indicators of an Insider Attack

Without need or authorization, takes proprietary or other material home

Inappropriately seeks or obtains proprietary or classified information on subjects not related to their work duties.

Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors.

Unnecessarily copies material, especially if it is proprietary or classified.

Remotely accesses the computer network while on vacation, sick leave, or at other odd times.

Disregards company computer policies on installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential information.

Works odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules when clandestine activities could be more easily conducted.
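As an added example (not part of the presentation), the following Python pass runs over constructed VPN login records and flags several of the indicators the deck names: logins while the account owner is on leave, logins by an already terminated account, odd-hours logins, and a VPN account that the HR roster does not know about (the "access path unknown to management" of Finding #5). The roster, the log lines, the timestamp format and the business-hours window are all assumptions made for the example.

```python
# Added example, not from the presentation; roster, log and hours are constructed.
from datetime import datetime, time

# Constructed HR roster: who is active, on leave (inclusive dates) or terminated.
HR_ROSTER = {
    "alice": {"status": "active", "leave": None},
    "bob":   {"status": "active", "leave": ("2018-01-08", "2018-01-12")},
    "carol": {"status": "terminated", "leave": None, "terminated_on": "2018-01-10"},
}

# Constructed VPN log, one login per line: "<timestamp> <user> <src_ip> <result>".
VPN_LOG = """\
2018-01-09T10:15:02 alice 203.0.113.5 success
2018-01-10T02:47:33 bob 198.51.100.7 success
2018-01-11T23:10:41 carol 192.0.2.44 success
2018-01-11T09:02:17 svc_backup2 203.0.113.9 success
2018-01-12T14:30:00 alice 203.0.113.5 failure
"""

BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed normal working window

def parse_log(text):
    """Yield (timestamp, user, src_ip, result) tuples from the log text."""
    for line in text.splitlines():
        ts, user, src, result = line.split()
        yield datetime.fromisoformat(ts), user, src, result

def flag_login(ts, user):
    """Return the indicator names that apply to one successful login."""
    flags = []
    rec = HR_ROSTER.get(user)
    if rec is None:
        # An account HR has never heard of: an access path unknown to management.
        return ["unknown-account"]
    day = ts.date().isoformat()
    if rec["status"] == "terminated" and day >= rec["terminated_on"]:
        flags.append("terminated-user-login")
    if rec["leave"] and rec["leave"][0] <= day <= rec["leave"][1]:
        flags.append("login-during-leave")
    if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
        flags.append("off-hours")
    return flags

def review(text):
    """Map each flagged user to the set of indicators seen across the log."""
    findings = {}
    for ts, user, _src, result in parse_log(text):
        if result != "success":
            continue  # failed attempts are skipped in this example
        for f in flag_login(ts, user):
            findings.setdefault(user, set()).add(f)
    return findings

if __name__ == "__main__":
    for user, flags in sorted(review(VPN_LOG).items()):
        print(f"{user}: {', '.join(sorted(flags))}")
```

Each flag is only a lead for the targeted monitoring the deck describes; the roster join is what turns a raw login list into something a reviewer can act on.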

Page 33

Behavioral Indicators of an Insider Attack (cont.)

Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel.

Short trips to foreign countries for unexplained or strange reasons.

Unexplained affluence; buys things that they cannot afford on their household income.

Engages in suspicious personal contacts, such as with competitors, business partners or other unauthorized individuals.

Overwhelmed by life crises or career disappointments.

Shows unusual interest in the personal lives of co-workers; asks inappropriate questions regarding finances or relationships.

Concern that they are being investigated; leaves traps to detect searches of their work area or home; searches for listening devices or cameras.

Many people experience or exhibit some or all of the above to varying degrees; however, most people will not cross the line and commit a crime.

Page 34

Organizational Factors Contributing to Insider Attacks

The availability and ease of acquiring proprietary, classified, or other protected materials.

Providing access privileges to those who do not need it.

Proprietary or classified information is not labeled as such, or is incorrectly labeled.

The ease with which someone may exit the facility (or network system) with proprietary, classified or other protected materials.

Undefined policies regarding working from home on projects of a sensitive or proprietary nature.

The perception that security is lax and the consequences for theft are minimal or non-existent.

Time pressure: employees who are rushed may inadequately secure proprietary or protected materials, or not fully consider the consequences of their actions.

Employees are not trained on how to properly protect proprietary information.

Page 35

CERT’s top 10 list for winning the battle against insider threats

1. Create an insider threat program ASAP
2. Work together across the organization to stop insider threats
3. Address employee privacy issues with general counsel (use tact, make sure you don’t violate any privacy rights, etc.)
4. Pay close attention at resignation and termination
5. Educate employees regarding potential recruitment (people trying to recruit you to steal/modify information through you)

Page 36

CERT’s top 10 list for winning the battle against insider threats (cont.)

6. Recognize concerning behaviors as a potential indicator
7. Mitigate threats from trusted business partners; make sure they are subjected to the same policies and procedures as employees to ensure comprehensive system protection
8. Use your current technologies differently (create an insider team or train security operations center staff about insider threats, etc.)
9. Protect what’s most important (like intellectual property)
10. Learn from past incidents so they don’t happen again

Page 37

Statistics, Trends, and Facts

Insider attacks are becoming more sophisticated: 22% of insiders used rootkits (hacker tools) to attack systems in 2011, compared to just 9% in 2010.

Critical system disruption and loss of confidential or proprietary information are the most adverse consequences an organization can experience from insider cybersecurity events, according to respondents in a US-CERT study.

More attacks are committed by outsiders, but attacks by insiders are viewed to be the most costly to organizations.

In a 2011 study of 607 respondents, 76% of insider incidents were handled internally without legal action (the public is often not aware of them); 12% were handled internally but with legal action, 8% were handled externally with law enforcement involved, and 3% were handled externally by filing a civil action.

Page 38

Statistics, Trends, and Facts

Cybersecurity attacks from foreign entities have doubled, from 5% in 2010 to 10% in 2011.

Unintentional exposure of private or sensitive information declined significantly from 2010 to 2011, from 52% to 31%, thanks to cybersecurity training and the implementation of internal monitoring tools like data loss prevention (DLP), among other techniques.

In the FBI’s pending case load for the current fiscal year (2012), economic espionage losses to the American economy total more than $13 billion.

In just the last four years, the number of arrests the FBI has made associated with economic espionage has doubled; indictments have increased five-fold; and convictions have risen eight-fold.

Page 39

Questions?