Insider Threat. CSCE 727 - Farkas. Reading List: The National Infrastructure Advisory Council’s (NIAC) Final Report and Recommendation on the Insider Threat.

Presentation transcript:

Insider Threat

Reading List
The National Infrastructure Advisory Council’s (NIAC) Final Report and Recommendation on the Insider Threat to Critical Infrastructures, t_to_critical_infrastructures_study.pdf
CERT, Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector,

Analyzing the Insider Threat
Defining the insider threat (physical and cyber)
Analyzing scope, dynamics, and the effect of globalization
Obstacles and challenges to addressing the threat

Why is it Challenging to Address the Insider Threat?
Trusted employee
Security breaches often go undetected
Lack of reported data (organizations handle the events discreetly)
Difficulty in understanding the causes and implications of the threat

Insider Threat
“… one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.”
NIAC’s Final Report and Recommendations on the Insider Threat to Critical Infrastructures, 2008

Access
To the systems, facilities, or information
Additional “insiders”:
– Unescorted vendors
– Consultants
– Contractors
Trust

Technical Aspect
CERT/SEI and US Secret Service study, technical aspects:
– Most insiders had authorized access at the time of the malicious activity
– Access control gaps facilitated most of the insider incidents
– Most insiders modified or deleted information using only user commands
– Some used technical means to compromise accounts

Access Control Issues
Access exceeded what was needed to do the job
Access was obtained following termination or changes in position
The insider was able to use another employee’s account or computer
Technical control was insufficient
Insider could circumvent technical control

Trust
Procedures to support trust management:
– Establish appropriate level of trust at employment
– Monitor compliance over time
– Revoke access
Mission critical positions
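The three access-control gaps listed above (access beyond the job, access surviving termination or a change of position, and use of another employee’s account) and the trust-management steps (establish, monitor, revoke) map directly onto a periodic access review. The script below is an added illustration, not part of the lecture or of any CERT/NIAC material: it runs those three checks over a constructed HR roster, a constructed IAM entitlement export, and a few constructed authentication log lines. The role baseline, user names, workstation names and log format are all assumptions made for the example.

```python
"""Access review checks for the access-control gaps named in the slides:
entitlements beyond the job, access surviving termination or a role change,
and one employee using another's account.  Roster, entitlements and log lines
are constructed sample data for this example, not taken from any organization."""
from datetime import date, datetime

# Constructed role baseline: the groups each role needs (assumption for this example).
ROLE_BASELINE = {
    "engineer": {"vpn", "git", "build"},
    "finance": {"vpn", "erp"},
    "sysadmin": {"vpn", "git", "build", "erp", "domain-admin"},
}

# Constructed HR roster: user -> (current role, termination date or None, assigned workstation)
ROSTER = {
    "alice": ("engineer", None, "ws-101"),
    "bob": ("finance", date(2024, 3, 31), "ws-102"),   # left the company on 2024-03-31
    "carol": ("engineer", None, "ws-103"),             # moved from sysadmin to engineer
}

# Constructed IAM entitlement export: user -> groups currently granted
ENTITLEMENTS = {
    "alice": {"vpn", "git", "build"},
    "bob": {"vpn", "erp"},                              # never deprovisioned
    "carol": {"vpn", "git", "build", "domain-admin"},   # leftover from the old role
}

# Constructed auth log lines: ISO timestamp, user, workstation, outcome
AUTH_LOG = """\
2024-04-02T08:01:10 alice ws-101 success
2024-04-02T08:05:44 bob ws-102 success
2024-04-02T09:12:03 alice ws-103 success
2024-04-02T09:12:40 carol ws-103 success
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into (datetime, user, host, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, host, outcome))
    return events


def excess_entitlements(roster, entitlements, baseline):
    """Groups granted beyond what the user's *current* role needs (least privilege check)."""
    findings = {}
    for user, (role, _, _) in roster.items():
        extra = entitlements.get(user, set()) - baseline[role]
        if extra:
            findings[user] = sorted(extra)
    return findings


def access_after_termination(roster, entitlements, events):
    """Users past their termination date who are still provisioned or still logging in."""
    findings = {}
    for user, (_, term, _) in roster.items():
        if term is None:
            continue
        still_provisioned = bool(entitlements.get(user))
        logins = [e for e in events
                  if e[1] == user and e[3] == "success" and e[0].date() > term]
        if still_provisioned or logins:
            findings[user] = {"provisioned": still_provisioned,
                              "logins_after_term": len(logins)}
    return findings


def account_sharing_indicators(roster, events):
    """Successful logins from a workstation assigned to a different employee."""
    owner = {ws: user for user, (_, _, ws) in roster.items()}
    findings = []
    for _, user, host, outcome in events:
        if outcome == "success" and owner.get(host) not in (None, user):
            findings.append((user, host, owner[host]))
    return findings


def run_review():
    """Run all three checks and return the findings keyed by check name."""
    events = parse_log(AUTH_LOG)
    return {
        "excess": excess_entitlements(ROSTER, ENTITLEMENTS, ROLE_BASELINE),
        "post_termination": access_after_termination(ROSTER, ENTITLEMENTS, events),
        "sharing": account_sharing_indicators(ROSTER, events),
    }


if __name__ == "__main__":
    for check, result in run_review().items():
        print(check, result)
```

Each check keys off the HR roster rather than the IAM system, because the roster is the only place the intended level of trust (role, employment status, assigned machine) is recorded; an access review that compares IAM state only against itself cannot notice that carol’s old group survived her role change or that bob’s account outlived his employment. The workstation-ownership check is only an indicator: a legitimate shared lab machine would need to be excluded from the roster mapping before the result is acted on.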

Consequences of Misuse
Critical Infrastructure:
– Interruption of services to a geographic area or sector
– Large scale economic loss
– Psychological effects (loss of public confidence)
– Loss of life
Public Policy: public health, public psychology, economic activity

Other Consequences
Sabotage (cyber or physical)
Theft
Fraud
Intellectual property theft, etc.

Actors
Psychologically impaired, disgruntled, or alienated employees
Ideological or religious radicals
Criminals
What are the corresponding motivations?

Psychology of the Insider
Shaw, E.D., Ruby, K.G., & Post, J. M. (1998). The insider threat to information systems. Security Awareness Bulletin, 2–98, 27–46.
Focuses on computer technology specialists
“…introversion is characteristic of computer technology specialists as a group, as well as scientists and other technology specialists.”

Technically Capable Insiders’ Characteristics
Social and personal frustration
Computer dependency
Ethical flexibility
Reduced loyalty
Entitlement
Lack of empathy

CERT Insider Threat Blog
Insider Threat Team: Insider Threat Case Trends of Technical and Non-Technical Employees, hreat_case_trends_of_technical_and_non-technical_employees.html
Non-technical incidents increase until 2006
Damage:
– Average technical insiders: more than $750,000
– Average non-technical insiders: more than $800,000

Insider Incidents (chart; copyright: CERT Insider Threat)

Who Will Carry Out the Malicious Intent?
Lots of disgruntled employees, but there is NO direct correlation between disgruntled employees and insider threats
Mechanisms of betrayal:
– Growing discontent
– Recruitment by hostile outside entities
– Infiltration of a malicious actor into a trusted position

Psychology of the Insider
Psychology plays a role in all the known cases, in addition to:
– Ideology, religion, radicalization, and crime
CERT study comparing IT sabotage and espionage:
– Common set of personality traits
– Behavioral deviation from what is expected

Psychology of the Insider
CERT first set of indicators for potential insiders (2008):
– Difficult or high maintenance employee
– Personality issues that affect social skills and decision making
– History of rule violations
– Social network risks
– Medical/physical issues (e.g., substance abuse)

What can be done?
Employee screening
– Need common screening practices
Periodic reevaluation
Incentives to maintain/increase loyalty
Research to understand motivations and mitigate risk accordingly
– Technology/psychology/social studies

Obstacles to Addressing the Insider Threat (1)
Lack of information sharing
– Incentives for organizations to share their findings
– Counterincentives!
Lack of sufficient research
– Risk management
– Comprehensive model
Lack of education and awareness
– Privacy violation risk?
– Discrimination?

Obstacles to Addressing the Insider Threat (2)
Managing and maintaining employee identification
Uneven background screening
Cultural and organizational challenges
Technological challenges
– Technologies not interoperable among organizations
– Ethical boundaries in virtual space are not always clear
– Globalization

Types of Insider Threats
State and military espionage
Economic espionage
Corporate espionage
Privacy compromises

State and Military Espionage
Foreign intelligence agencies
Goal: collect state and military secrets
Target: foreign government
Insider traitors, foreign agents, spies
Motivation of traitor:
– Financial gain, ideology, revenge

Examples
1987: Earl E. Pitts – FBI special agent
– Became: KGB agent
– Motivation: financial gain
– Sentencing: fine ($500,000 + $250,000)
1994: Aldrich H. Ames – CIA agent
– Became: KGB agent
– Motivation: financial gain
– Sentencing: life sentence

Economic Espionage
Government intelligence (state sponsored)
Goal: acquire economic secrets of a foreign country, trade policies, and trade secrets
Target: foreign corporations, research facilities, universities, defense contractors
Method: similar to military espionage
Technological competition

Economic Espionage
Seeking critical technologies
Often ties with corporate espionage
Level of security is the level of the weakest point

Example
Pierre Marion (France)
– Admitted spying on foreign firms
– IBM, Texas Instruments, Corning Glass
Marc Foldberg (Renaissance Software, Inc., Palo Alto, CA)
– Copied software
– Motivation: financial gain
– Sentencing: community service
Guillermo (Bill) Gaede – temporary employee of Intel Corp.
– Motivation: financial gain
– Sentencing: 33 months in federal prison

Corporate Espionage
Corporations against other corporations
Goal: acquire competitive advantage in the domestic or global market
Foreign or domestic competitors

Corporate Espionage
Computer technology: a convenient way
Investigations
– Go public or not
Law
– Inadequate
– Gray areas

Examples
Cadence Design Systems vs. Avant! – software product
General Motors vs. VW
IBM vs. Hitachi

Dynamics
Globally distributed workforce
Most insiders are discovered after they have committed the malicious act, leading to increased damage
Research: detect malicious behavior before it happens

Privacy Violations
Personal data
– SS Administration
– Law Enforcement
– Medical
– Financial
Computer systems
– Trusted security personnel?
– Trusted system administrators?
– Temporary employees?