Insider Threats

From Computing and Software Wiki

(Difference between revisions)
Jump to: navigation, search
(References)
(External Links)
 
(75 intermediate revisions not shown)
Line 1: Line 1:
-
Definition
+
An '''insider threat''' is anyone who has "special access or knowledge with the intent to cause harm or danger" [8]. Any disgruntled employee, contractor, or formal employee can be considered as an insider threat as most organizations have little to no protection to prevent sensitive material from being exposed. The consequences of failing to protect an organization's sensitive material can be devasting such as the security breach of 4 major U.S. banks in March, 2005.
-
== Overview of Insider Threats ==
+
[[Image:lockonpb.jpg|thumb|300px|right|
-
Etc
+
'''Insider Threats'''
 +
<br>Of about 100 corporate breaches or losses of information that were made public in 2005, about half were from the inside—and about half of those were straight-on thefts of information by employees [[http://www.businessweek.com/the_thread/techbeat/archives/2006/01/the_insider_thr.html 5]].]]
-
== Sources of Insider Threats ==
+
 
 +
 
 +
== Sources==
===Employees===
===Employees===
-
Employees of an organization are amongst the greatest risk in terms of access to and potential harm with an organization’s sensitive material. Organizations typically assume that they can trust their employees. They believe that their employees are primarily interested in the productivity and successfulness of the organization. Therefore they are not considered to be of any possible danger and are considered last when a leak of sensitive material has occurred.
+
Employees of an organization are amongst the greatest risk in terms of access to and potential harm with an organization’s sensitive material. Organizations typically assume that they can trust their employees. They believe that their employees are primarily interested in the productivity and successfulness of the organization. Therefore they are not considered to be of any possible danger and are considered last when a leak of sensitive material has occurred. [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm 2]]
===Contractors===
===Contractors===
-
Info
+
Contractors pose a greater risk to an organization as often in practice, they are not subjected to the same background verifications and screening as a regular employee. Organizations also have little to no influence and control on the hiring procedures utilized by contractors. This puts an organization in risk as contractors often have high, privileged access to the organization's sensitive materials due to the outsourcing of IT functions. [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm 2]]
===Former Employees===
===Former Employees===
-
Former employees who pose a threat to their former organization are typically disgruntled employees. They believe that the organization has “done them wrong” and feel that revenge is justified. They are able to gain access to sensitive material either:
+
Former employees who pose a threat to their former organization are typically disgruntled employees. They believe that the organization has “done them wrong” and feel that revenge is justified. [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm 2]] They are able to gain access to sensitive material either:
-
*Directly: Through a back door. If an employee fears termination, he or she may prepare a backdoor access or alternative usernames and passwords in order to gain entry. They may also begin collecting proprietary data for later use.
+
*Directly: Through a back door. If an employee fears termination, he or she may prepare a backdoor access or alternative usernames and passwords in order to gain entry. They may also begin collecting proprietary data for later use.  
*Indirectly: Through former associates. A former associate may create a back door access for the former employee or may provide him or her with proprietary information.
*Indirectly: Through former associates. A former associate may create a back door access for the former employee or may provide him or her with proprietary information.
==Prevention & Counter Measures==
==Prevention & Counter Measures==
-
There are several prevention and counter measures in minimzing the risk of insider threats. A combination of training, account protection, and the knowledge of one knowing that their actions are being logged and audited can hesitate a disgruntled employee from attacking the system or revealing sensitive materials. "Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote-access policies and procedures must be designed and implemented very carefully." [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm news@sei]]
+
There are several prevention and counter measures in minimzing the risk of insider threats. A combination of training, account protection, and the knowledge of one knowing that their actions are being logged and audited can hesitate a disgruntled employee from attacking the system or revealing sensitive materials. "Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote-access policies and procedures must be designed and implemented very carefully." [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm 1]]
===Background Checks===
===Background Checks===
-
Several organizations do not perform adequate background verification on their new employees. Screening new employees properly, such as reference checks or inspecting criminal records, can reduce the probability of an organization hiring individuals that may be an insider threat. Background checks should be performed for all individuals who are given access to an organization's sensitive materials even if they are not directly employed by the organizations (e.g.: Contractors) [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm Eric D. Shaw]].
+
Several organizations do not perform adequate background verification on their new employees. Screening new employees properly, such as reference checks or inspecting criminal records, can reduce the probability of an organization hiring individuals that may be an insider threat. Background checks should be performed for all individuals who are given access to an organization's sensitive materials even if they are not directly employed by the organizations (e.g.: Contractors) [[http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html 4]].
===Monitoring Employee Behaviour===
===Monitoring Employee Behaviour===
-
U.S. Secret Service studies have shown that most insider attacks were done by individuals who had disciplinary problems. [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm Eric D. Shaw]] Procedures can be created and enforced for both the human resources and IT departments to monitor employee behaviours. Some examples include but are not limited to:
+
U.S. Secret Service studies have shown that most insider attacks were done by individuals who had disciplinary problems. [[http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html 4]] Procedures can be created and enforced for both the human resources and IT departments to monitor employee behaviours. Some examples include but are not limited to:
-
* Through the use of access and account policies, an organization can associate online actions with the employee that performed them. Online actions should be logged and periodically monitored for suspicious behaviour. The logs can also be audited by the organization to discover and then further investigated for possible insider attacks. [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm news@sei]]
+
* Through the use of access and account policies, an organization can associate online actions with the employee that performed them. Online actions should be logged and periodically monitored for suspicious behaviour. The logs can also be audited by the organization to discover and then further investigated for possible insider attacks. [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm 1]]
-
* Monitoring suspicious or disruptive behaviour by employees within the work place. An organization can institute policies that require their employees to report any suspicious behaviour which should be followed up by the human resource department. [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm news@sei]]
+
* Monitoring suspicious or disruptive behaviour by employees within the work place. An organization can institute policies that require their employees to report any suspicious behaviour which should be followed up by the human resource department. [[http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm 1]]
===Restrictions on Remote Access===
===Restrictions on Remote Access===
-
Majority of insider attacks use some form of remote access. [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm Eric D. Shaw]] An organization should restrict remote access to only those individuals with a legitimate, business related need.
+
Majority of insider attacks use some form of remote access. [[http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html 4]] An organization should restrict remote access to only those individuals with a legitimate, business related need.
Employees accessing the organization from outside should not be granted the same level of privlege as they would have in the work place. The restricted remote access not only protects the organization against insider attacks but also viruses and malware that can spread through the connection.
Employees accessing the organization from outside should not be granted the same level of privlege as they would have in the work place. The restricted remote access not only protects the organization against insider attacks but also viruses and malware that can spread through the connection.
===Enforcing the Principle of Least Privlege===
===Enforcing the Principle of Least Privlege===
-
The Principle of Least Privilege refers to the concept that all users in a system are granted the "most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks." [[http://technet.microsoft.com/en-us/library/bb456992.aspx MS]]. This principle minimizes the potential damage caused by an accident, error, or unauthorized use.
+
The Principle of Least Privilege refers to the concept that all users in a system are granted the "most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks." [[http://technet.microsoft.com/en-us/library/bb456992.aspx 3]]. This principle minimizes the potential damage caused by an accident, error, or unauthorized use.
-
It is also important for an organization to have a procedure within their policy that requires the terminated employee's access accounts be disabled from all of the organization's access points including:  physical locations, networks, software, data, and all sensitive materials. [[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm Eric D. Shaw]]
+
It is also important for an organization to have a procedure within their policy that requires the terminated employee's access accounts be disabled from all of the organization's access points including:  physical locations, networks, software, data, and all sensitive materials. [[http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html 4]]
===Monitoring Electronic Outbound with Software===
===Monitoring Electronic Outbound with Software===
-
Peez!
+
Organizations can utilizie software to monitor electronic outbounds for sensitive materials. Some examples of electronic outbounds include but are not limited to:
 +
* Instant messaging
 +
* E-mail
 +
* Copying to a portable USB drive
 +
By monitoring the outbound channels, software solutions can use various algorithms and pattern matching against a database of stored sensitive material to see if anything is being leaked out. A suspicious match is generally flagged and followed by by the appropriate party [[http://www.businessweek.com/the_thread/techbeat/archives/2006/01/the_insider_thr.html 5]]. Some software solutions, such as Vontu, are sophisticated to a point that it can even spot material such as source code or financial information [[http://www.vontu.com/solutions/high-tech.asp 6]].
 +
 
 +
== Example of an Insider Threat ==
 +
[[Image:OrazioLembo.jpg|thumb|right
 +
'''Orazio Lembo'''
 +
<br>Customers' account information from several banks were illegally sold by bank employees to Orazio Lembo, whom police said was illegally posing as a collection agency [[http://money.cnn.com/2005/05/23/news/fortune500/bank_info/ 7]].]]
 +
The consequences of ignoring insider threats can be devastating. A notable example would be in March, 2005 where personal and account information for approximately 670,000 individuals in New Jersey were stolen by employees from the Bank of America, Wachovia, Commerce Bancorp, and PNC [[http://www.businessweek.com/the_thread/techbeat/archives/2006/01/the_insider_thr.html 5]]. It was considered one of the biggest data thefts ever in the banking industry. The employees were "upper-level" bank employees who had access to organizations' customers' accounts and were paid $10 per account. They were paid by Orazio Lembo, a man who posed illegally as a collection agency, who then sold the information, which included customer account numbers and balances, to over 40 law firms and collection agencies [[http://money.cnn.com/2005/05/23/news/fortune500/bank_info/ 7]].
 +
 
 +
== See Also ==
 +
 
 +
* [[Social engineering]]
 +
* [[Systems for Detecting Network Intrusion]]
 +
* [[Information security awareness]]
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.cert.org/insider_threat/ Insider Threat Research]
 +
* [http://www.vontu.com/ Vontu]
== References ==
== References ==
-
* news@sei: "Protecting Against Insider Threat", Dawn Cappelli, Andrew Moore, and Timothy Shimeall, [http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm]
+
* 1: "Protecting Against Insider Threat", Dawn Cappelli, Andrew Moore, and Timothy Shimeall, [http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-2007-02.htm]
-
* Eric D. Shaw: "The Insider Threat To Information systems", Eric D. Shaw, [http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm]
+
* 2: "The Insider Threat To Information systems", Eric D. Shaw, [http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm]
-
* MS: "Applying the Principle of Least Privlege to User Accounts on Windows XP", Mike Danseglio, [http://technet.microsoft.com/en-us/library/bb456992.aspx http://technet.microsoft.com/en-us/library/bb456992.aspx]
+
* 3: "Applying the Principle of Least Privlege to User Accounts on Windows XP", Mike Danseglio, [http://technet.microsoft.com/en-us/library/bb456992.aspx http://technet.microsoft.com/en-us/library/bb456992.aspx]
-
* Mike Chapple: "Thwarting insider threats", Mike Chapple, [http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html]
+
* 4: "Thwarting insider threats", Mike Chapple, [http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1093643,00.html]
-
*Background checks
+
* 5: "The Insider Threat", Steve Hamm, [http://www.businessweek.com/the_thread/techbeat/archives/2006/01/the_insider_thr.html http://www.businessweek.com/the_thread/techbeat/archives/2006/01/the_insider_thr.html]
-
*Monitoring employee behaviour
+
* 6: "Protect source code, protect intellectual property", Vontu, [http://www.vontu.com/solutions/high-tech.asp http://www.vontu.com/solutions/high-tech.asp]
-
*Restrict accounts
+
* 7: "Bank security breach may be biggest yet", CNN, [http://money.cnn.com/2005/05/23/news/fortune500/bank_info/ http://money.cnn.com/2005/05/23/news/fortune500/bank_info/]
-
*Restrict the scope of remote access
+
* 8: "Insider Threat: Protecting The Enterprise from Sabotage, Spying, and Theft", Dr. Eric Cole, Sandra Ring, pg 7.
-
*Enforce the principle of least privlege
+
-
[[http://www.ntc.doe.gov/cita/CI_Awareness_Guide/Treason/Infosys.htm]]
+
--[[User:Balijam|Balijam]] 00:34, 25 March 2008 (EDT)

Current revision as of 04:36, 25 March 2008

An insider threat is anyone who has "special access or knowledge with the intent to cause harm or danger" [8]. Any disgruntled employee, contractor, or formal employee can be considered as an insider threat as most organizations have little to no protection to prevent sensitive material from being exposed. The consequences of failing to protect an organization's sensitive material can be devasting such as the security breach of 4 major U.S. banks in March, 2005.

Insider Threats
Of about 100 corporate breaches or losses of information that were made public in 2005, about half were from the inside—and about half of those were straight-on thefts of information by employees [5].


Contents

Sources

Employees

Employees of an organization are amongst the greatest risk in terms of access to and potential harm with an organization’s sensitive material. Organizations typically assume that they can trust their employees. They believe that their employees are primarily interested in the productivity and successfulness of the organization. Therefore they are not considered to be of any possible danger and are considered last when a leak of sensitive material has occurred. [2]

Contractors

Contractors pose a greater risk to an organization as often in practice, they are not subjected to the same background verifications and screening as a regular employee. Organizations also have little to no influence and control on the hiring procedures utilized by contractors. This puts an organization in risk as contractors often have high, privileged access to the organization's sensitive materials due to the outsourcing of IT functions. [2]

Former Employees

Former employees who pose a threat to their former organization are typically disgruntled employees. They believe that the organization has “done them wrong” and feel that revenge is justified. [2] They are able to gain access to sensitive material either:

  • Directly: Through a back door. If an employee fears termination, he or she may prepare a backdoor access or alternative usernames and passwords in order to gain entry. They may also begin collecting proprietary data for later use.
  • Indirectly: Through former associates. A former associate may create a back door access for the former employee or may provide him or her with proprietary information.

Prevention & Counter Measures

There are several prevention and counter measures in minimzing the risk of insider threats. A combination of training, account protection, and the knowledge of one knowing that their actions are being logged and audited can hesitate a disgruntled employee from attacking the system or revealing sensitive materials. "Insiders tend to feel more confident and less inhibited when they have little fear of scrutiny by coworkers; therefore, remote-access policies and procedures must be designed and implemented very carefully." [1]

Background Checks

Several organizations do not perform adequate background verification on their new employees. Screening new employees properly, such as reference checks or inspecting criminal records, can reduce the probability of an organization hiring individuals that may be an insider threat. Background checks should be performed for all individuals who are given access to an organization's sensitive materials even if they are not directly employed by the organizations (e.g.: Contractors) [4].

Monitoring Employee Behaviour

U.S. Secret Service studies have shown that most insider attacks were done by individuals who had disciplinary problems. [4] Procedures can be created and enforced for both the human resources and IT departments to monitor employee behaviours. Some examples include but are not limited to:

  • Through the use of access and account policies, an organization can associate online actions with the employee that performed them. Online actions should be logged and periodically monitored for suspicious behaviour. The logs can also be audited by the organization to discover and then further investigated for possible insider attacks. [1]
  • Monitoring suspicious or disruptive behaviour by employees within the work place. An organization can institute policies that require their employees to report any suspicious behaviour which should be followed up by the human resource department. [1]

Restrictions on Remote Access

Majority of insider attacks use some form of remote access. [4] An organization should restrict remote access to only those individuals with a legitimate, business related need.

Employees accessing the organization from outside should not be granted the same level of privlege as they would have in the work place. The restricted remote access not only protects the organization against insider attacks but also viruses and malware that can spread through the connection.

Enforcing the Principle of Least Privlege

The Principle of Least Privilege refers to the concept that all users in a system are granted the "most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks." [3]. This principle minimizes the potential damage caused by an accident, error, or unauthorized use.

It is also important for an organization to have a procedure within their policy that requires the terminated employee's access accounts be disabled from all of the organization's access points including: physical locations, networks, software, data, and all sensitive materials. [4]

Monitoring Electronic Outbound with Software

Organizations can utilizie software to monitor electronic outbounds for sensitive materials. Some examples of electronic outbounds include but are not limited to:

  • Instant messaging
  • E-mail
  • Copying to a portable USB drive

By monitoring the outbound channels, software solutions can use various algorithms and pattern matching against a database of stored sensitive material to see if anything is being leaked out. A suspicious match is generally flagged and followed by by the appropriate party [5]. Some software solutions, such as Vontu, are sophisticated to a point that it can even spot material such as source code or financial information [6].

Example of an Insider Threat

right Orazio Lembo
Customers' account information from several banks were illegally sold by bank employees to Orazio Lembo, whom police said was illegally posing as a collection agency [7].

The consequences of ignoring insider threats can be devastating. A notable example would be in March, 2005 where personal and account information for approximately 670,000 individuals in New Jersey were stolen by employees from the Bank of America, Wachovia, Commerce Bancorp, and PNC [5]. It was considered one of the biggest data thefts ever in the banking industry. The employees were "upper-level" bank employees who had access to organizations' customers' accounts and were paid $10 per account. They were paid by Orazio Lembo, a man who posed illegally as a collection agency, who then sold the information, which included customer account numbers and balances, to over 40 law firms and collection agencies [7].

See Also

External Links

References

--Balijam 00:34, 25 March 2008 (EDT)

Personal tools