CSCE 727 - Farkas 2
Reading List
The National Infrastructure Advisory Council’s Final Report and Recommendation on the Insider Threat to Critical Infrastructures, http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf, focus on sections IV, …, VII, 2008
Recommended:
CERT, Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector, www.cert.org/archive/pdf/insiderthreat_it2008.pdf, 2008
Insider threat to security may be harder to detect, experts say, http://www.computerworld.com/securitytopics/security/story/0,10801,70112,00.html, 2012
Analyzing the Insider Threat
Defining the insider threat (physical and cyber)
Analyzing scope, dynamics, and effect of globalization
Obstacles and challenges to address the threat
Why is it Challenging to Address the Insider Threat?
Trusted employee
Security breaches often undetected
Lack of reported data (organizations handle the events discreetly)
Difficulties in understanding the causes and implications of the threat
– How to apply the Method, Opportunity, Motivation (MOM) approach?
– Give examples of consequences.
Insider Threat
“… one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
NIAC’s Final Report and Recommendations on the Insider Threat to Critical Infrastructures, 2008
Access
To the systems, facilities, or information
Additional “insiders”
– Unescorted vendors
– Consultants
– Contractors
Trust
Technical Aspect
CERT/SEI and US Secret Service study:
Technical aspects:
– Most insiders had authorized access at the time of malicious activities
– Access control gaps facilitated most of the insider incidents
– Most insiders modified or deleted information using only user commands
– Some used technical means for compromising accounts
Access Control Issues
Access exceeded what was needed to do the job
Access was obtained following termination or changes in position
The insider was able to use another employee’s account or computer
Technical control was insufficient
Insider could circumvent technical control
Trust
Procedures to support trust management
– Establish appropriate level of trust at employment
– Monitor compliance over time
– Revoke access
Mission critical positions
What are the technical capabilities to support trust management?
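One concrete technical capability for "monitor compliance over time" and "revoke access" is a periodic entitlement review that cross-checks the HR roster, the account store and the access log. The script below is an added example, not from the lecture or from the CERT/NIAC reports it cites; the roster, roles, entitlement names and log format are all constructed assumptions. It flags the gaps listed on the Access Control Issues slide: rights beyond the current job (including rights left over from a previous position), accounts and activity that survive a termination date, and, as a heuristic, logins from a workstation assigned to a different employee.

```python
"""Added example: entitlement and access review for the slide's access-control gaps.
All roster, account and log data is constructed; field names are assumptions."""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Assumed role baseline: the entitlements each job actually needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ticketing", "password_reset"},
    "dba": {"ticketing", "db_admin", "backup_restore"},
    "accounting": {"ticketing", "erp_read", "erp_post"},
}


@dataclass
class Employee:
    emp_id: str
    role: str                        # current position; HR is the source of truth
    workstation: str                 # hostname assigned to this person
    terminated: Optional[date] = None


@dataclass
class Account:
    username: str
    emp_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)


# Constructed HR roster: E200 moved from dba to helpdesk, E300 left on 2024-03-31.
EMPLOYEES: Dict[str, Employee] = {
    "E100": Employee("E100", "helpdesk", "WS-01"),
    "E200": Employee("E200", "helpdesk", "WS-02"),
    "E300": Employee("E300", "accounting", "WS-03", terminated=date(2024, 3, 31)),
}
# Constructed account store: bob kept db_admin after changing position.
ACCOUNTS: List[Account] = [
    Account("alice", "E100", True, {"ticketing", "password_reset"}),
    Account("bob", "E200", True, {"ticketing", "password_reset", "db_admin"}),
    Account("carol", "E300", True, {"ticketing", "erp_read", "erp_post"}),
]
# Constructed access log, one event per line: timestamp user workstation action
ACCESS_LOG = """\
2024-04-02T08:01:00 alice WS-01 login
2024-04-02T09:15:00 bob WS-02 login
2024-04-03T22:40:00 carol WS-03 login
2024-04-04T07:55:00 alice WS-02 login
"""


def parse_log(text: str) -> List[dict]:
    """Split the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "workstation": workstation, "action": action})
    return events


def review_access(employees: Dict[str, Employee], accounts: List[Account],
                  log_text: str) -> List[dict]:
    """Return one finding per detected gap; an empty list means none was found."""
    findings: List[dict] = []
    by_user = {a.username: a for a in accounts}
    owner_of = {e.workstation: e.emp_id for e in employees.values()}

    for acct in accounts:
        emp = employees[acct.emp_id]
        # Rights beyond the current role (also catches leftovers from an old position).
        extra = acct.entitlements - ROLE_BASELINE[emp.role]
        if extra:
            findings.append({"gap": "excess_entitlement", "user": acct.username,
                             "detail": sorted(extra)})
        # Account never disabled when employment ended.
        if emp.terminated and acct.enabled:
            findings.append({"gap": "enabled_after_termination", "user": acct.username,
                             "detail": emp.terminated.isoformat()})

    for ev in parse_log(log_text):
        acct = by_user.get(ev["user"])
        if acct is None:
            findings.append({"gap": "unknown_account", "user": ev["user"],
                             "detail": ev["ts"].isoformat()})
            continue
        emp = employees[acct.emp_id]
        # Activity recorded after the termination date.
        if emp.terminated and ev["ts"].date() > emp.terminated:
            findings.append({"gap": "post_termination_access", "user": acct.username,
                             "detail": ev["ts"].isoformat()})
        # Heuristic: a login from a workstation assigned to someone else is the
        # closest log-level signal for "used another employee's computer".
        owner = owner_of.get(ev["workstation"])
        if owner is not None and owner != emp.emp_id:
            findings.append({"gap": "foreign_workstation", "user": acct.username,
                             "detail": f"{ev['workstation']} belongs to {owner}"})
    return findings


if __name__ == "__main__":
    for f in review_access(EMPLOYEES, ACCOUNTS, ACCESS_LOG):
        print(f"{f['gap']:26} {f['user']:6} {f['detail']}")
```

Run against the constructed data it reports four findings: bob's leftover db_admin right, carol's still-enabled account and her login after the termination date, and alice's login from bob's workstation. The role baseline is what turns "access exceeded what was needed" into something a script can test; without an agreed baseline per position the first check has nothing to compare against.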
Consequences of Misuse
Critical Infrastructure:
– Interruption of services to a geographic area or sector
– Large scale economic loss
– Psychological effects (loss of public confidence)
– Loss of life
Public Policy: public health, public psychology, economic activity
Other Consequences
Sabotage (cyber or physical)
Theft
Fraud
Intellectual property theft, etc.
Actors
Psychologically impaired, disgruntled, or alienated employees
Ideological or religious radicals
Criminals
What are the corresponding motivations?
Psychology of the Insider
Shaw, E.D., Ruby, K.G., & Post, J. M. (1998). The insider threat to information systems. Security Awareness Bulletin, 2–98, 27–46.
Focuses on computer technology specialists
“…introversion is characteristic of computer technology specialists as a group, as well as scientists and other technology specialists.”
Technically Capable Insiders’ Characteristics
Social and personal frustration
Computer dependency
– Will these characteristics still hold in current society?
Ethical flexibility
Reduced loyalty
Entitlement
Lack of empathy
CERT Insider Threat Blog
Insider Threat Team: Insider Threat Case Trends of Technical and Non-Technical Employees, http://www.cert.org/blogs/insider_threat/2011/01/insider_threat_case_trends_of_technical_and_non-technical_employees.html
Non-technical incidents increase until 2006
Damage:
– Average technical insiders: more than $750,000
– Average non-technical insiders: more than $800,000
What is the detection rate for technical vs. non-technical insiders?
Psychology of the Insider
Psychology plays a role in all the known cases, in addition to
– Ideology, religion, radicalization, and crime
CERT study: comparing IT sabotage and espionage
– Common set of personality traits
– Behavioral deviation from what is expected
Psychology of the Insider
CERT first set of indicators for potential insiders (2008):
– Difficult or high maintenance employee
– Personality issues that affect social skills and decision making
– History of rule violations
– Social network risks
– Medical/physical issues (e.g., substance abuse)
Who Will Carry Out the Malicious Intent?
Lots of disgruntled employees – there is NO direct correlation between disgruntled employees and insider threats
– Why not?
Mechanisms of betrayal:
– Growing discontent
– Recruitment by hostile outside entities
– Infiltration of a malicious actor into a trusted position
Anonymity vs. Accountability
Malicious users do not want to be caught
Potential mitigation strategy: establish clear accountability
How will it affect users’ privacy rights?
Types of Insider Threats
State and military espionage
Economic espionage
Corporate espionage
Privacy compromises
State and Military Espionage
Foreign intelligence agencies
Goal: collect state and military secrets
Target: foreign government
Insider traitors, foreign agents, spies
Motivation of traitor:
– Financial gain, ideology, revenge
Examples
1987: Earl E. Pitts – special agent, FBI
– Became: KGB agent
– Motivation: financial gain
– Sentencing: fine ($500,000 + $250,000)
1994: Aldrich H. Ames – CIA agent
– Became: KGB agent
– Motivation: financial gain
– Sentencing: life sentence
Economic Espionage
Government intelligence (state sponsored)
Goal: acquire economic secrets of a foreign country, trade policies, and trade secrets
Target: foreign corporations, research facilities, universities, defense contractors
Method: similar to military espionage
Technological competition
Economic Espionage
Seeking critical technologies
Motivation, Opportunity, Methods aspect? Accountability?
Often ties with corporate espionage
– What are the effects of employee turnover? Level of security is the level of the weakest point.
– Estimate level of protection for finance, nuclear vs. transportation, communication
Example
Pierre Marion (France) – Admitted spying on foreign firms
– IBM, Texas Instruments, Corning Glass
Marc Foldberg (Renaissance Software, Inc., Palo Alto, CA) – copied software
– Motivation: financial gain
– Sentencing: community service
Guillermo (Bill) Gaede – temp. employee of Intel Corp.
– Motivation: financial gain
– Sentencing: 33 months in federal prison
Corporate Espionage
Corporation against other corporations
Goal: acquire competitive advantage in domestic or global market
Foreign or domestic competitors
Corporate Espionage
Computer technology: convenient way
Investigations
– Go public or not
Law
– Inadequate
– Gray areas
Examples
Cadence Design Systems vs. Avant! -- software product
General Motors vs. VW
IBM vs. Hitachi
Dynamics
Globally distributed workforce
Most insiders are discovered after they committed the malicious act: increased damage
Research: detect malicious behavior before it happens
How? Suggest approaches. What are the consequences of these approaches?
Privacy Violations
Personal data
– SS Administration
– Law Enforcement
– Medical
– Financial
Computer systems
– Trusted security personnel?
– Trusted system administrators?
– Temporary employees?
Business Relationship
Trade secrets acquired during normal business relationship
Transfer of proprietary secrets
Trust in partners?
Visits and Requests
Insider unwittingly releases proprietary info
Social engineering
Privacy violations
Illegal? Unethical?
Example: false identity, overly friendly, demanding, etc.
Foreign Researchers
CRA News, November 2005
US attracts outstanding researchers, students, educators
Supports the US in becoming an economic power
Export control:
– March 2005: Department of Commerce’s Bureau of Industrial Security (BIS)
– July 2005: Department of Defense
Place restrictions on foreign nationals who “use” or have access to sensitive technologies (export control)
Proposed Changes
Export applications: in addition to citizenship and country of residence, consider country of birth as well
Expand the definition of “use” to any form of instructions on export controlled info
Exclude from the fundamental research exemption those that are sponsored by the government and subject to prepublication review.
Foreign Researchers
Office of Inspector General: Loopholes allow leakage of sensitive information
– Requests special requirements to access such materials
Criticism: academia, industry, other federal agencies, U.S. Senate
– Almost all oppose the proposed rule
Fraud and Embezzlement
False transactions or tampering with system
Goal: financial gain (usually)
Examples:
– Bogus transactions
– Data diddling (modification)
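Both fraud patterns on this slide, and the "clear accountability" proposed on the Anonymity vs. Accountability slide, can be illustrated with a small tamper-evident ledger. The code below is an added example, not from the lecture; transaction ids, approvals and amounts are constructed. Every posting records who posted it and which approval it relies on, and entries are hash-chained, so a later in-place modification (data diddling) breaks the chain, while reconciliation against the approval record exposes a posting with no matching approval (a bogus transaction) or one whose amount no longer matches what was approved.

```python
"""Added example: hash-chained, attributable transaction ledger with
reconciliation against approvals. All ids, amounts and names are constructed."""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64
FIELDS = ("txn_id", "posted_by", "amount", "approval_id")


def entry_hash(prev_hash: str, entry: Dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(ledger: List[Dict], txn_id: str, posted_by: str,
                 amount: float, approval_id: str) -> Dict:
    """Append a posting that names its author (accountability) and its approval."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"txn_id": txn_id, "posted_by": posted_by,
             "amount": amount, "approval_id": approval_id}
    record = dict(entry, prev_hash=prev, hash=entry_hash(prev, entry))
    ledger.append(record)
    return record


def verify_chain(ledger: List[Dict]) -> List[str]:
    """Return txn_ids whose content or link no longer matches the chain.
    The first id returned is where tampering happened; everything after it is
    suspect because its prev_hash no longer matches the recomputed chain."""
    broken, prev = [], GENESIS
    for rec in ledger:
        entry = {k: rec[k] for k in FIELDS}
        recomputed = entry_hash(prev, entry)
        if rec["prev_hash"] != prev or rec["hash"] != recomputed:
            broken.append(rec["txn_id"])
        prev = recomputed
    return broken


def find_bogus(ledger: List[Dict], approvals: Dict[str, Dict]) -> List[str]:
    """Reconcile postings against approvals: flag a missing approval, an amount
    that differs from the approved one, or a poster who approved their own posting."""
    bogus = []
    for rec in ledger:
        appr = approvals.get(rec["approval_id"])
        if (appr is None or appr["amount"] != rec["amount"]
                or appr["approver"] == rec["posted_by"]):
            bogus.append(rec["txn_id"])
    return bogus


def build_demo():
    """Constructed approvals and postings; T3 cites an approval that does not exist."""
    approvals = {"A-1": {"amount": 1200.00, "approver": "frank"},
                 "A-2": {"amount": 80.00, "approver": "frank"}}
    ledger: List[Dict] = []
    append_entry(ledger, "T1", "dave", 1200.00, "A-1")
    append_entry(ledger, "T2", "dave", 80.00, "A-2")
    append_entry(ledger, "T3", "dave", 5400.00, "A-999")   # bogus transaction
    return ledger, approvals


def run_checks() -> Dict[str, List[str]]:
    """Verify before and after an in-place edit of T2's amount (data diddling)."""
    ledger, approvals = build_demo()
    before = verify_chain(ledger)          # intact chain -> []
    ledger[1]["amount"] = 8000.00          # modified without re-posting
    return {"before": before,
            "tampered": verify_chain(ledger),
            "bogus": find_bogus(ledger, approvals)}


if __name__ == "__main__":
    for name, ids in run_checks().items():
        print(f"{name:9} {ids}")
```

The chain only helps if the stored hashes are kept where the person who can edit the ledger cannot also rewrite them (a separate log store or periodic anchoring of the latest hash elsewhere); otherwise an insider with write access to both recomputes the hashes and the chain verifies clean. Reconciliation against an independently kept approval record does not have that weakness, which is why the example uses both.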
Obstacles to Address Insider Threat
Lack of information sharing
– Incentives of organizations to share their findings
– Counterincentives!
Lack of sufficient research
– Risk management
– Comprehensive model
Lack of education and awareness
– Privacy violation risk?
– Discrimination?
Obstacles to Address Insider Threat
Managing and maintaining employee identification
Uneven background screening
Cultural and organizational challenges
Technological challenges
– Technologies not interoperable among the organizations
– Ethical boundaries in virtual space are not always clear
– Globalization
What can be done?
Employee screening
– Need common screening practices
Periodic reevaluation
Incentives to maintain/increase loyalty
Research to understand motivations and mitigate risk accordingly
Technology/psychology/social studies