Takeaway: Ddetails the insider threats that an organization should be prepared to defend.
While this description is somewhat accurate, it doesn’t provide enough information with which to manage risk. What we need is a deeper look at what types of threats exist, the business roles involved, and the signs that typically exist when an employee, vendor, etc. is not complying with policy, law, or ethics. Armed with this information, organizations can implement administrative, technical, and physical controls to mitigate insider risk.
In this opening article, we look at the three categories of insider threats as defined in The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Cappelli, More, & Trzeciak) and at The CERT Insider Threat Center. In Part 2, we will discuss recommended methods for detecting, containing, and responding to insider threats planned, in progress, or completed.
Insider threat defined
Defining insider threats requires an understanding of who and what are involved. The three primary categories of associated attacks are theft of intellectual property, fraud, and damage to information resources. In each category, CERT research tells us that a specific business role is usually responsible. See Table A.Table A
Intellectual property theft
Intellectual property (IP) is any “creation of mind” created or owned by an organization. For our purposes, examples include- Engineering designs/drawings
- Software created in-house
- Trade secrets
- Starting a new business
- Providing a competitive advantage to a new employer
- Providing it to a foreign country (especially a country with which an employee has cultural, political, or ethnic ties)
- Company email
- Remote network access
- Storage on laptops and other mobile storage devices
- File transfer services (e.g., FTP or SFTP)
Fraud
Fraud is theft of financial assets. Employee fraud is much more common than most organizations believe. In an article at CFOOnline.com, Tracy L. Coenen writes, “Experts estimate that on average it costs companies 3% to 5% of revenue each year.” For example, a payroll clerk creating a false employee, paying that employee, and then collecting and cashing the check commits fraud. Other types of fraud include misuse of expense accounts or payment to vendors when they provide no services or products. People deep in debt with no hope of digging themselves out tend to top the list of insider threats in this category.Fraud occurs when three conditions are met, as shown in Figure A. Pressure is usually a seemingly overwhelming financial need. Opportunities consist of vulnerabilities in an organization’s processes, security, etc. that allow a pressured employee to steal with little chance of detection. Rationalization occurs when an employee convinces himself that his need is greater than ethical or moral concerns. An employee might also rationalize theft based on how she perceives management mistreatment or ingratitude for the business value she’s provided. Removing one side of the triangle eliminates or significantly reduces risk from fraud.
Figure A
Fraud Triangle Developed by Donald Cressey
Fraud occurs across many channels, and involvement might extend beyond employees to external criminal individuals or organizations. Again, employees resorting to fraud usually seek financial gain. Methods include- Selling stolen information
- Modifying information to realize financial gains for self or others
- Receiving payment for adding, modifying, or deleting information
Damage to information resources
Damage to information resources is usually an attempt to break one or more business processes, thereby resulting in significant harm to the business. In most cases, only someone with administrator access can successfully achieve these goals. For example, a programmer might plant a logic bomb that destroys a database, irreparably damages server software, or causes an application to perform in unexpected ways. In addition to logic bombs, reconfiguration of network devices in ways that cause significant loss of productivity is a surreptitious malicious act often difficult to remediate.Administrators don’t always want to make themselves known with a large, visible event. Rather, creation of additional administrator accounts often provides an attacker with long-term access for small but costly hits against a current or former employer. Organizations without proper log management would have a very difficult time assigning responsibility when the rogue account is eventually identified.
Collusion
Employees don’t always have access to everything needed for theft or system damage. Many organizations raise barriers with separation of duties enforced with role-based access control. Enterprising insider threats circumvent these controls using collusion.What is collusion?
Peter Vajda writes, “Collusion takes hold when two (or more) individuals co-opt their values and ethics to support their own - and others’ - mis-deeds.” The key word is support. While an engineer, for example, might have full access to all relevant components of the IP he or she intends to steal, a payroll or accounts payable clerk might not. Consequently, the person planning the theft might recruit key employees with access to information or processes otherwise unavailable.It is usually the most trusted employees who commit these crimes. Collusion increases the risk for the perpetrators, but it also decreases the opportunities to detect theft. Bypassing separation of duties via collusion circumvents a key control. According to CERT research, it isn’t uncommon for multiple individuals (including outsiders) to participate in long-term fraud.
Postingan
