Cyber Security Topic: Insider Threat Detection and Management

ABSTRACT

Insider threats are considered one of the most serious security problems in many studies and have received considerable attention from organizations around the world. This report will define the terms “insider” and “insider threat” in cyber security and present the motives and effects of insider threats, the underlying issues and causes of insider threats, the prevention and detection of insider threats, and the management of insider threats within organizations.
The report will include case studies of malicious insider threats involving IT sabotage and fraud, as well as oblivious insider threats, with analysis and discussion.

1. INTRODUCTION

In recent years, countries around the world have been developing rules and regulations designed to support data confidentiality and security. Many organizations have spent decades building stronger defenses against intrusion, including firewalls, anti-virus software, email security, identity access badges, and security policies and procedures.
These protections have made the business world more effective at blocking threats and attacks from the outside and have made it increasingly difficult for hackers and viruses to penetrate a system. However, these protections provide only a first line of defense, since they are designed to prevent unauthorized access. There are also threats and attacks from inside the organization, and sometimes these cause far more damage than external attacks.
Insider threats are also considered the most difficult problem to detect and deal with, because an insider is a trusted member of the organization and already has access to information, valid authorization and capabilities. Therefore the discussion of insider threats is important, and the problem must be well defined in order to analyze it precisely and approach a solution.

Insider and Insider Threats

An insider is anyone who has access rights to a company’s network, systems or applications. These trusted insiders can be general users who lack technical proficiency or someone well qualified in technical knowledge, such as an IT administrator.
Insider threats are threats posed by insiders who bypass the security measures of an organization (e.g. policies, processes and technologies). Theoharidou et al. (2005) define insider threats as “threats originating from people who have been given access rights to an IS and misuse their privileges, thus violating the IS security policy of the organization”. The damage inflicted by an insider threat can be very severe and possibly even crippling to the organization. This is due to the trend of organizations storing more and more information in their core processes.
Therefore actions such as deleting or leaking vital information can have a significant effect. While external security is thorough, internal security is still often neglected. Hence significant losses, such as loss of revenue, intellectual property and reputation, will be incurred if organizations fail to put more emphasis on internal security, that is, on prevention of the insider threat.

2. LITERATURE REVIEW

Causes of insider threats

Insider threats mostly come from current and former employees who feel that an injustice has been done to them and will only feel satisfied by gaining revenge.
Another possible cause of insider threats is the prospect of gaining returns from causing harm to the organization. There is always a motivation involved for an insider threat to be present. There are also oblivious insiders who cause damage without malicious intent, yet whose actions unknowingly compromise information confidentiality.

Prevention of insider threats

It is practically impossible to remove insider threats completely. The only thing we can do is to prevent and minimize such threats.
There are currently two main approaches practiced in various workplaces to detect and prevent insider threats, namely the Technical Approach and the Human Approach.

Technical Approach

The technical approach consists of three methods: Continuous Logging, Real-Time Alerts and Targeted Monitoring.

Continuous Logging

Many companies have already implemented continuous logging and a centralized, secure log server with access restricted to very few people. This can be used to detect and investigate changes that occur infrequently, such as changes to operating system files, scripts and executable services.
All these changes could come in the form of software patches pushed down from the server by the system administrator, or possibly from malicious insiders who try to modify the system to their own needs. As some computer systems contain sensitive data, such as the client database and company portfolio, companies control the transfer of data from the system to removable storage devices such as flash drives and portable hard disks by putting a logging system in place. Another way is to audit various areas and keep records of them.
Possible things that companies audit on their secure systems include the following:
* Access to backup information and the results of backup and recovery tests.
* Database transactions, to detect unauthorized access to and modification of data.
* Data access and modification for all tables in a database.
* Individual actions of all users who have privileged accounts, i.e. access to confidential data or access to the secure system server.
* Attempts to gain physical access to the secure system server.

Real-Time Alerts

The main idea of real-time alerts is for system administrators to take prompt action in the event of any suspicious activity.
Possible alerts include any unidentified device attached to the system, such as a keystroke logger, any unauthorized download of data to removable storage devices, and the creation of new accounts. New accounts are to be investigated and their legitimacy validated before they are put into use. To ensure that real-time alerts work well, a proper monitoring system needs to be in place. System administrators often scan workstations on a regular basis for potentially offensive tools, such as a security fuzzer used to test an application or system for vulnerabilities.
They also configure intrusion detection systems and proxies to alert on suspicious outbound and inbound traffic. Many financial companies monitor access to and modification of critical tables, such as the personal identification information in the database.

Targeted Monitoring

This is mainly used for specific people, such as those who require remote access from their home to their workstations in the office, and employees who have left or are leaving the company. Monitoring tools are installed on the system server to keep track of any unauthorized transfer of data.
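As an added example (not code from the report or from any product it mentions), the following Python script turns the real-time alert rules above, together with targeted monitoring of remote access by employees who have left, into detection logic run over a few constructed audit log lines. The log format, the USB vendor allow-list, the 50 MiB removable-media threshold and the departed-user list are all assumptions.

```python
import re

# Constructed sample audit log lines (not from any real system); one event per line.
SAMPLE_LOG = """\
2024-03-04T08:01:12 host=ws-17 user=alice event=usb_attach device=Keyboard vendor=0x046d
2024-03-04T08:03:40 host=ws-17 user=alice event=usb_attach device=Unknown vendor=0x0000
2024-03-04T09:15:02 host=fs-01 user=bob event=file_copy dest=removable:E: bytes=734003200 path=/clients/portfolio.xlsx
2024-03-04T09:20:55 host=dc-01 user=bob event=account_create target=svc_backup2 approved=no
2024-03-04T22:41:09 host=vpn-gw user=carol src=203.0.113.45 event=remote_login result=success
2024-03-04T23:02:30 host=dc-01 user=dave event=account_create target=tmp_admin approved=yes
"""

# Constructed policy inputs (assumptions, not values from the report).
KNOWN_DEVICE_VENDORS = {"0x046d", "0x8087"}   # hypothetical allow-list of USB vendor ids
REMOVABLE_LIMIT_BYTES = 50 * 1024 * 1024       # hypothetical threshold for copies to removable media
DEPARTED_USERS = {"carol"}                     # staff who have left but whose accounts are not yet disabled

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.*)")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        if "=" not in pair:
            return None
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def evaluate(event):
    """Return the (severity, message) alerts raised by a single parsed event."""
    alerts = []
    kind = event.get("event")
    # Unidentified device attached to a workstation (e.g. a hardware keystroke logger).
    if kind == "usb_attach" and event.get("vendor") not in KNOWN_DEVICE_VENDORS:
        alerts.append(("high", f"unidentified device attached on {event['host']} by {event['user']}"))
    # Large copy to removable storage.
    if kind == "file_copy" and event.get("dest", "").startswith("removable:"):
        size = int(event.get("bytes", "0"))
        if size > REMOVABLE_LIMIT_BYTES:
            alerts.append(("high", f"{event['user']} copied {size} bytes to removable media on {event['host']}"))
    # Every new account is flagged for validation; unapproved ones rank higher.
    if kind == "account_create":
        severity = "high" if event.get("approved") != "yes" else "medium"
        alerts.append((severity, f"new account {event['target']} created by {event['user']}"))
    # Targeted monitoring: remote access by someone who has left the company.
    if kind == "remote_login" and event.get("user") in DEPARTED_USERS:
        alerts.append(("critical", f"remote login by departed user {event['user']} from {event.get('src')}"))
    return alerts


def scan(log_text):
    """Evaluate every line of the log and return all alerts in log order."""
    found = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            found.extend(evaluate(event))
    return found


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The constructed log raises five alerts: the unknown USB device, the large copy to removable media, both account creations (the unapproved one at higher severity) and the VPN login by the departed user.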
Some companies implement targeted monitoring of the online activity of individuals who are leaving or have left the company. Their IP addresses are logged, monitored and audited for any remote access to workstations in the company. This is to prevent any unauthorized backdoor access to company workstations once they leave. Their accounts should also be disabled and deleted as soon as possible.

Human Approach

The management of the company has to create a work climate that balances trust and respect for the individual with the need to protect information. Regular reviews of contracts, financial documents, and security policies and practices should be carried out to identify irregularities and deter potential defrauders. Managers and board members play a major role in ensuring that their staff are sufficiently trained in their job scope and content in their jobs, since disgruntled staff can become vengeful staff who will find means of fraud and abuse as a form of revenge.
Many companies supervise their own employees for any suspicious activities that could arise. Supervision also includes conducting thorough background checks on potential employees. Management also develops and enforces a clear understanding among employees of their job responsibilities, standard operating procedures and policies; creates suitable levels of accountability for tasks performed; and provides regular reviews of employee activities, professional development opportunities, performance reviews, and feedback.

Management of insider threats
Organizations typically use administrative, physical, and technical controls to deter, prevent, detect, and respond to attacks on information and systems, including insider attacks. The Management and Education of the Risk of Insider Threat (MERIT) model focuses on administrative and technical controls, since physical controls were not a predominant factor in most cases of the Insider Threat Study. Below is the MERIT model, which describes the administrative and technical controls relevant to mitigating the risk of insider threats and their possible effects.
Figure 1. The MERIT model with possible effects

The Law

Another deterrent to insider threats is the law. Company insiders and authorized users can be held legally liable for intentional damage to a protected computer regardless of whether or not the user had authorization to access it. In Singapore, the computer act, Chapter 50A of the Singapore Law, makes provision for securing computer material against unauthorised access or modification and for matters related thereto. Below is an excerpt from the act.

“Unauthorised use or interception of computer service
6. —(1) Subject to subsection (2), any person who knowingly —
(a) secures access without authority to any computer for the purpose of obtaining, directly or indirectly, any computer service;
(b) intercepts or causes to be intercepted without authority, directly or indirectly, any function of a computer by means of an electro-magnetic, acoustic, mechanical or other device; or
(c) uses or causes to be used, directly or indirectly, the computer or any other device for the purpose of committing an offence under paragraph (a) or (b),
shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a second or subsequent conviction, to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 5 years or to both”.

3. RESULT AND DISCUSSION: CASE STUDY

3.1 Malicious Insiders
There are typically three types of malicious insider attack, namely IT sabotage, fraud and theft of intellectual property. Below is the summary comparison by type of malicious insider incident from research performed by the CERT Coordination Center at Carnegie Mellon University.

Figure 2. Summary Comparison by Type of Insider Incident

This part of the case study will detail two different cases of malicious insider threat.

3.1.1 Adeniyi Adeyemi vs. Bank of New York Mellon

The Victim: Bank of New York Mellon (BNYM)
The Perpetrator/Insider:
Adeniyi Adeyemi, a 27-year-old computer technician working at the headquarters of BNYM. He was eventually indicted for identity theft, money laundering and 147 other charges.
Intent/Motive: Insider theft for financial gain
Insider Threat: As a computer technician, Adeyemi gained access to the personal data of many BNYM employees. Using this information, he stole the identities of more than 150 BNYM employees and used them to open bank and brokerage accounts. He then stole money from the bank accounts of numerous non-profit organizations and transferred the funds into the dummy accounts.
The scheme carried on for eight years and netted him $1.1 million.

Figure 3. Adeniyi Adeyemi vs. Bank of New York Mellon case (diagram: stolen BNYM personal data used to open bogus accounts; money stolen from charities)

Detection of Insider Threat: It was a stealth operation, so detection was difficult. Adeyemi came under surveillance by the Electronic Crimes Task Force of the United States Secret Service after suspicious Internet activity was traced back to the wireless internet connection in his apartment.
During a court-authorized search, credit reports of dozens of BNYM employees were found on his computer. Investigators also found notebooks containing hundreds of names, social security numbers, account numbers and other identifying data.
Vulnerability of System: Adeyemi abused his access rights to the personal data of BNYM employees. However, in the first place, as a computer technician there might not have been any need to grant him access to the information, as it was not relevant to his job. BNYM did not encrypt the confidential data, and that made it easier for Adeyemi to access it.
There were also vulnerabilities in the systems of the non-profit organizations Adeyemi stole from. The charities readily disseminated their banking details on the internet in order to facilitate donations. This made them easy prey for unauthorized withdrawals by identity thieves.

3.1.2 Terry Childs vs. City of San Francisco

The Victim: The City of San Francisco
The Perpetrator/Insider: Terry Childs, a 43-year-old computer network administrator. He was charged with four counts of computer tampering and sentenced to four years in prison.
Motive/Intent:
An act of revenge, as Childs was disgruntled with his employers. He was also increasingly possessive of the network he had built.
Insider Threat: In 2008, Childs reset all the administrative passwords to the routers of the city’s wide area network, which he had built. This essentially gave him exclusive access to the city’s FiberWAN and locked top administrators out of San Francisco’s computer system. The system links nearly all departments electronically and contains confidential records such as city payroll files, officials’ e-mails and law enforcement documents.
When arrested, he gave bogus pass codes to the police and refused to divulge the true code. He eventually handed it over to the mayor. The city lost administrative control over its network for 12 days and spent $900,000 trying to regain control of it. City officials also worry that he might have passed confidential information to a third party.
Vulnerability of System: Childs had been the sole administrator of the network. He was tasked with the implementation, configuration and installation of the routers and switches that comprise the network.
It eventually became so complex that he was the only person who fully understood the configuration. This is a case of giving too much power to a single employee. There should have been more network engineers tasked with sharing the responsibility, so that Childs would not have been able to abuse his immense power. Also, the city used shared passwords for its FiberWAN and failed to manage them adequately. Keeping track of privileged user and shared access accounts is important for accountability. Childs successfully abused this loophole.

3.1.3 Analysis of Cases

The two cases might not be representative of all malicious insider threats, but there are still a few valuable lessons that can be learnt.
i. Stealth attacks such as that in the BNYM case can go undetected for many years. This is because the perpetrators take steps to hide their identities and their activities. Stealth attacks may only be detected if there is a noticeable irregularity in the system.
ii. Employees are privy to confidential information and proprietary knowledge about the company and its operations.
Insiders may abuse their access privileges and exploit their knowledge of the company to carry out attacks. This makes the attacks more precise and successful.
iii. Existing systemic vulnerabilities in the company make it possible for insiders to carry out their attacks. Even though it is impossible and economically impractical to prevent and obliterate insider threats completely, it still helps if certain policies are put in place. For example, Terry Childs would not have been able to hijack the system if segregation of duties had been in place.
v. The victim organizations all suffer damage from the attacks, be it financial or reputational.

3.2 Oblivious Insider

In 2005, a test study was carried out by Ira Winkler, one of the world’s experts in Internet security. Winkler and his associates performed a penetration test against the security policies of a particular company. One of the team members would dial the company’s Security Help Desk, claiming to have an issue with their computer. The help desk would then ask for the caller’s social security number in order to verify their identity.
The penetration tester made an excuse to get off the phone, then dialed random employees’ desk phones, telling them that he was from the Security Help Desk and that there had been a security breach resulting in all passwords being wiped out. He offered to change them back for the employees if they verified their Social Security Number with him and told him what their old passwords were.
Results: According to the test study carried out by Winkler, only 1 out of 100 people refused to provide the information the penetration tester requested over the phone.
And even so, the woman who did the right thing did not know whether she should report the incident, or to whom.

How does an Oblivious Insider compromise the company?

* Technology
Many cases of oblivious insider threats came from company personnel who had no knowledge of how to operate the new technologies that their organizations make use of. Some of the ways in which they could compromise information are:
1. Accessing organizational data from home or over unsecured wireless networks
2. Using public terminals to access the company’s confidential information
3. Opening unknown email messages and falling for scams, or clicking programs on the internet that let in viruses or malware that disrupt security in their company.
* Unknowing multiple attacks
There are many times when an employee may think that he/she is doing their job correctly but is in fact putting the company at risk through their actions. An example would be an employee who has taken work home to complete it, although security protocol says that information from the organization must not be taken out of the premises.
Therefore, the individual might repeatedly compromise confidential information by doing this.
* Detection and mitigation are complex
Any employee in an organization can be a potential threat to the company. There are no 100% complete defenses against this threat. The oblivious insider threat can come at any time from anywhere within the company. The most effective way of defending against such threats is through thorough security.

How to effectively control the oblivious insider?

* The key to working against the Oblivious Insider is engagement and vigilance by employees.
This will be the best defense against any threats that arise from within or outside an organization.
* Reviewing existing security controls and working towards consistent enforcement of these controls. This will boost security measures that are already in place and instill a sense of security in the mentality of employees.
* Security teams should initiate the creation of new security controls by working together with other employees of the organization. These employees can provide feedback about the specific dangers an Oblivious Insider could pose in their particular unit or division.
A security consultant with a knack for interpersonal skills could also be very beneficial in this process, perhaps even providing an outsider’s view that helps to further minimize security risks.

Insider threat surveys/reports

In many of the surveys and reports posted online, it can be seen without a doubt that the oblivious insider poses a greater threat than the malicious insider. Below are the survey results from International Data Corporation, which show accidental and deliberate insider incidents by country.

Figure 4. Accidental versus Deliberate Incidents by Country

Survey 1
Figure 5. Survey showing percentages of malicious and accidental insider threats

Survey 2

Figure 6. Survey showing percentages of malicious and accidental insider threats

However, it cannot be concluded that all insider threats come from accidents, employees’ blunders or technical malfunction. Defeating the Oblivious Insider requires participation from all members of an organization. With the proper security policies and controls, not only can the Oblivious Insider be neutralized, but the strength and effectiveness of the organization’s security can be greatly increased.

4. CONCLUSION
From our findings on insiders and insider threats, it is clear that insider threats cannot be stopped entirely and can only be prevented through a layered defense strategy consisting of policies, procedures, and technical controls. We have presented the ways to detect and prevent insider threats, the policies to practice in mitigating them and the laws that act as a deterrent against them, together with case studies of different kinds of malicious insider threats as well as accidental ones. Hence this report allowed us to understand and gain knowledge of insider threats in cyber security.
Based on this knowledge of insider threats, our group would like to recommend a few measures that will help to improve an organization’s security and prevent insider threats.
* Determining the organization’s critical assets and defining a risk-management strategy to protect those assets from both insiders and outsiders.
* Implementing secure backup and recovery processes for critical systems and applications.
* Making sure that all employees understand the policies, procedures, and technical controls. Each employee must be aware of the organization’s security policies and the process for reporting any policy violation.
* Giving employees authorized access only to the resources they need to do their jobs.
* Implementing strong password and account-management policies and practices within the organization.
* Discovering and investigating suspicious insider behaviors and actions through logging, periodic monitoring, and auditing of employees’ online actions.
* Taking extra caution with system administrators and privileged users, and enforcing strict remote-access policies and procedures.
* Deactivating employees’ access to the organization’s physical locations, networks, systems, applications, and data following termination.
* Documenting insider threat controls clearly to mitigate insider threats.
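As an added example, not part of the report, the access review below turns three lessons from the case studies and the recommendations above into checks: entitlements beyond what a role needs (as with the technician's access to employee personal data at BNYM), privileged systems that depend on a single administrator, and shared accounts with no named custodian (as with the FiberWAN passwords). The inventory, role names, systems and accounts are constructed; in practice they would come from an IAM or asset-inventory export.

```python
# Constructed inventory (hypothetical): what each role is allowed to reach.
ROLE_ALLOWED = {
    "computer_technician": {"helpdesk_tickets", "workstation_images"},
    "hr_analyst": {"employee_pii", "payroll"},
    "network_admin": {"fiberwan_routers", "core_switches"},
}

# Constructed accounts and the entitlements they actually hold.
ACCOUNTS = [
    {"user": "tech01", "role": "computer_technician",
     "entitlements": {"helpdesk_tickets", "employee_pii"}},
    {"user": "hr07", "role": "hr_analyst",
     "entitlements": {"employee_pii", "payroll"}},
    {"user": "netadm1", "role": "network_admin",
     "entitlements": {"fiberwan_routers", "core_switches"}},
    {"user": "fiberwan-shared", "role": "network_admin",
     "entitlements": {"fiberwan_routers"}, "shared": True, "custodian": None},
]

# Constructed map of privileged systems to the named individuals who administer them.
SYSTEM_ADMINS = {
    "fiberwan_routers": ["netadm1"],
    "core_switches": ["netadm1", "netadm2"],
}


def excess_entitlements(accounts, role_allowed):
    """Entitlements an account holds beyond what its role needs (the BNYM lesson)."""
    findings = {}
    for acct in accounts:
        extra = acct["entitlements"] - role_allowed.get(acct["role"], set())
        if extra:
            findings[acct["user"]] = sorted(extra)
    return findings


def sole_administrators(system_admins):
    """Privileged systems with fewer than two distinct named admins (the FiberWAN lesson)."""
    return {system for system, admins in system_admins.items() if len(set(admins)) < 2}


def unowned_shared_accounts(accounts):
    """Shared accounts with no custodian, so nobody is accountable for their use."""
    return [a["user"] for a in accounts if a.get("shared") and not a.get("custodian")]


def access_review(accounts, role_allowed, system_admins):
    """Run all three checks and return the findings in one report."""
    return {
        "excess": excess_entitlements(accounts, role_allowed),
        "sole_admin": sorted(sole_administrators(system_admins)),
        "unowned_shared": unowned_shared_accounts(accounts),
    }


if __name__ == "__main__":
    for check, result in access_review(ACCOUNTS, ROLE_ALLOWED, SYSTEM_ADMINS).items():
        print(f"{check}: {result}")
```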