Insider Threat : Combatting the Enemy Within [1 ed.] 9781849280112, 9781849280105

Citation preview

The Insider Threat Combatting the Enemy Within

Clive Blackwell

The Insider Threat Combatting the Enemy Within

The Insider Threat Combatting the Enemy Within

CLIVE BLACKWELL

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publishers and the author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publishers at the following address: IT Governance Publishing IT Governance Limited Unit 3, Clive Court Bartholomew’s Walk Cambridgeshire Business Park Ely Cambridgeshire CB7 4EH United Kingdom www.itgovernance.co.uk © Clive Blackwell 2009 The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work. First published in the United Kingdom in 2009 by IT Governance Publishing. 978-1-84928-011-2

ABOUT THE AUTHOR

Clive Blackwell is a researcher at Royal Holloway, University of London, where his main field is security architecture. He has developed a practical three-layer security architecture to model computer networks such as the Internet and other complex systems such as critical infrastructure. He is currently applying the model to the insider threat within different business sectors, which has resulted in several academic papers. Clive is a regular speaker on security at both academic and business conferences in the US and Europe as well as the UK. He has recently been invited to give talks on the insider threat at two major business conferences. Clive received a scholarship for his PhD in network security at Royal Holloway. It has the largest Information Security Group in the UK, and has more than 200 students from all over the world on its well-known MSc course. He holds a degree in Mathematics from Warwick University and in Computer Science from Royal Holloway where he passed out top of his class, and an MSc in Information Security also from Royal Holloway. He has about 20 publications to his name within the last two years. He also runs his own IT security consultancy, Advanced Computer Services, so he is aware of the security issues facing business.

5

PREFACE

The insider threat poses a significant and increasing problem for organisations. The use of highly connected computers makes controlling information much more difficult than in the past. This is shown by the regular stories of data loss in the media such as the 25 million personal records mailed out by Revenue and Customs in the UK. In addition, we do not know enough about the insider threat, as of course many attacks are unknown to their victims or are not made public. We intend to shed light on the key security issues facing organisations from insiders to get them up to speed quickly.

ACKNOWLEDGEMENTS

I would like to thank the two Angelas. I am grateful to Angela Sasse for asking me to present a master class at the insider threat conference at University College London in November 2008, which helped me to formulate the ideas expressed in this book. Secondly, I would like to express thanks to Angela Wilde for giving me the opportunity to write this book and for her patience in awaiting its completion.

6

CONTENTS

Chapter 1: Modelling the Insider Threat..........8 What is the insider threat? ................................8 Architectural security model...........................10 An attack classification scheme ......................12 Attack surface .................................................14 Impact zone.....................................................18 System hardening............................................19 Targeting the attacker .....................................22 Chapter 2: Insider Attacks...............................27 Insider attack classification.............................27 Damage...........................................................28 Defensive protection.......................................34 Fraud...............................................................41 Theft ...............................................................50 Conclusions ....................................................59 Appendix: Further Reading.............................62 ITG Resources...................................................63

7

CHAPTER 1: MODELLING THE INSIDER THREAT

What is the insider threat? Insiders, by definition, have some level of access to organisational resources that can be misused for their own purposes. The proportion of attacks originating from insiders is debatable, but it is clearly significant. We believe that insiders can often cause great damage to an organisation because of their privileged access, knowledge of weaknesses and the location of valuable targets. The 2008 CSI Computer Crime and Security Survey and the 2008 Information Security Breaches Survey have somewhat different views on the importance of the insider threat. Most attention has historically been given to external threats, as they are more visible and easier to remedy. Internal attacks are more difficult to discover and diagnose because the controls can be evaded by employees. Many organisations only recognise the problem from insiders after they have been affected. We focus on the insider threat, but we should also mention the insider weakness or vulnerability that can lead to accidental failure or exploitation by outsiders. Insider weaknesses are caused by carrying out unsafe activities, or failing to implement or enforce adequate defensive controls. The insider threat and weakness may be addressed together to a large extent by strengthening systems and controlling employees’ behaviour. We do not count outsiders that appear to be insiders because 8

1: Modelling the Insider Threat they have gained internal access by defeating system defences. Insider – One who has legitimate access to an organisation, its systems, information or other resources. Insider threat – A risk that an insider can use their access or knowledge to cause harm to the organisation. Insider weakness – An action or failing of an insider that may expose the organisation to malicious attack or accidental damage. Insider attack – The execution of a latent insider threat. We divide insiders into the three categories of trusted insider, regular insider and partial insider: A trusted insider is an employee with special privileges that can usually cause immense damage to the organisation. This includes management, administrators, financial and technical staff who need special knowledge and privileged access to carry out their work and can usually hide their unsanctioned activities. A regular insider, henceforth called an insider, is an employee that is given access for their work. Insiders may use their legitimate access to attack their target or they may obtain unauthorised access by first defeating the internal system defences. A partial insider is someone with limited access to part of the organisation and its resources. Security guards, maintenance and cleaning staff, and other building occupants have some physical access. 9

1: Modelling the Insider Threat Business partners, customers and suppliers may have some logical access to the organisational systems and its resources. Former employees are partial insiders if they maintain some of their previous access rights. Partial insiders can often extend their privileges to reach their targets by exploiting slack internal controls. An insider attack is the execution of a latent threat by an insider to achieve their goals, which usually has a detrimental effect on the organisation. They are often straightforward to perpetrate without detection using their legitimate access, or acquiring unauthorised access using their knowledge of system weaknesses to defeat the controls. We need to understand what is valuable to insiders and their likely methods of attack to determine the necessary defensive measures. We believe that the insider threat is a difficult problem that requires systematic analysis to mitigate. Architectural security model We have designed a three-layer architectural security model to investigate and evaluate organisational security shown in Figure 1. The social layer at the top includes people and organisations along with their goals. The logical layer in the middle contains computers, software and data. The physical layer at the bottom represents the physical aspects of entities in the material world. This allows a holistic representation and analysis of complex systems such as organisations in their entirety including human and physical factors rather than as technical systems alone. 10

1: Modelling the Insider Threat

Figure 1: Security model

The social, or organisational, layer contains the abstract representation of organisations by their attributes including their goals, policies and procedures. It also includes people and their characteristics, such as their goals, knowledge and beliefs. These subjects use lower layer entities to meet their objectives. The logical layer is the intermediate layer that contains intangible computational entities including computers, networks, software and data. People are represented by logical agents, such as accounts or processes that act on their behalf, as 11

1: Modelling the Insider Threat they cannot directly control logical entities. The logical layer is incorrectly the focus of most attention in security, because all layers need protection to provide comprehensive security. The physical layer is the bottom layer that contains tangible objects including buildings, equipment, paper documents, and the physical aspects of computers, their components and peripherals. In addition, it contains electromagnetic radiation such as radio waves, electricity and magnetism that are used to transmit and store data. All higher layer entities, including people and information, have a physical existence, as well as a higher layer representation that must be considered when analysing organisational security. Technical measures alone are incomplete and cannot stop attacks that occur partially or totally at other layers. The social level controls, such as policies and procedures, can usually be evaded by employees, as they cannot cover every eventuality and are often weakly enforced. In addition, physical attacks to steal, damage or misuse equipment, computers and documents are common. We conclude that organisational security must involve all layers to provide comprehensive defence. An attack classification scheme We investigate the attack phases with an extension of Howard and Longstaff’s work described in A Common Language for Computer Security Incidents that show the different classes of entity involved in attacks and their relationships. The categories are attacker, tool, vulnerability, action, 12

1: Modelling the Insider Threat target, unauthorised result and objectives. The attacker uses a tool to perform an action that exploits a vulnerability on a target causing an unauthorised result that meets its objectives. This incomplete conceptual model fails to consider most social and physical attacks adequately through its focus on computer attacks, and largely overlooks the corresponding defensive measures. Our classification scheme extends Howard and Longstaff’s taxonomy to include the social and physical aspects of systems, which allows comprehensive system modelling of complex systems such as organisations. All attacks are initiated by people at the social layer and are only effective if they meet a social goal such as obtaining money, power, reputation or pleasure. However, people cannot operate directly at the logical layer, but use agents to act on their behalf, by accessing accounts to issue commands, run programs and access services. In the active stage of the attack, the attacker, or their agent, employs a method to perform an action that executes a threat to exploit a vulnerability with an immediate effect on a target. This ultimately achieves the attacker’s social layer goal at the expense of the organisation. We distinguish between the immediate effect at the lower layer on the confidentiality, integrity and availability of organisational resources and the ultimate effect on the organisation at the social layer. In addition, we include additional concepts to classify and clarify defensive mechanisms. In the next two sections, we examine two logical stages to position defences by constraining access to the 13

1: Modelling the Insider Threat target and limiting the effects of a successful attack. Attack surface A Microsoft employee called Michael Howard invented the idea of the attack surface, which are the available channels to access and use computer systems described in his article called ‘Attack surface: mitigate security risks by minimizing the code you expose to untrusted users’. For example, it is the set of commands offered by an application or the available links on a web page. Attack surface reduction is used by Microsoft in software development to limit the exploitation of software bugs and weaknesses by constraining the number and functionality of the available channels. We extend the idea of attack surface to all layers, which allows a complete determination of exploitable access points. For example, sensitive organisational information can be compromised through a channel at all three layers as shown in Figure 2. A social engineering attack occurs when an employee tricks another employee by e-mail or over the phone into giving out confidential information. An insider may perpetrate a logical attack by hacking into another employee’s computer to search for valuable information. Finally, physical attacks can occur by eavesdropping on private conversations or on local network communication.

14

Figure 2: Compromise of sensitive business information from a distance

1: Modelling the Insider Threat

15

1: Modelling the Insider Threat In addition, we extend the attack surface to include boundaries that the attacker can pass through to gain local access to the target rather than operating at a distance over a channel. Higher layer entities have a conceptual location that can describe their position and proximity to other entities at the same level. Continuing with the information compromise example in Figure 3, the thief can steal data physically from computers, memory sticks or paper documents. Spyware can be installed on another employee’s computer to search for valuable information. The information occupies a logical location within the spyware when it has been compromised. The thief can also impersonate other employees and misuse their privileges to obtain access to sensitive information, which can be considered as occupying or controlling the victim’s personal space at the social layer. The arrows represent the conceptual movement of the thief, or its agents, to control the victim or their data. A complete attack surface can provide systematic defence by constraining remote access and movement to the target at every layer. The insider is not limited by the external system boundaries, like building entrances and firewalls, that protect the organisation from external attacks. The insider may be constrained by internal attack surfaces that partition the system with internal defences, which they need to breach to gain unauthorised access to the target.

16

Figure 3: Compromise of sensitive business data by movement to the victim

1: Modelling the Insider Threat

17

1: Modelling the Insider Threat However, many insider attacks use authorised access, using their own accounts to access the target directly, so there is no interposed attack surface. The allowed access should be limited to the least privilege necessary for the job, so that the impact of malicious activities is limited, as we discuss in the next section. It is even more difficult to control trusted insiders that can often remove or modify the internal mechanisms to gain unrestricted access. Impact zone We also need to limit the scope and impact of successful insider attacks, as they are very difficult to stop entirely. This includes limiting undesirable effects on the target, the compromise of other parts of the system, and stopping the attacker from causing additional damage. The impact zone is the set of resources affected within the system that are unavailable, modified or disclosed illegitimately. This is a dual notion to the attack surface that constrains the inward movement and access of a system. The idea of the impact zone is already used informally in defence at all three layers. Employees are trained not to reveal sensitive information about the organisation to third parties on the phone. The term data leak prevention (DLP) refers to controlling the disclosure of sensitive information by searching the content of documents and messages for confidential information before release. Physical assets, like goods and paper documents, can be tagged with transmitters, such as radio frequency identification tags (RFIDs), to stop their removal from buildings or secure areas. 18

1: Modelling the Insider Threat Finally, it applies to the rule of least privilege that limits employees’ privileges to the minimum required to do the job, thus restricting the impact of attacks that can be launched using authorised access. The impact must have an ultimate effect at the social layer to be effective, as lower-level resources only have value to the extent that they support organisational goals. We can attempt to stop, or limit, the organisational effect by providing redundant resources, such as data backups, to provide enough resiliency, so that the system can continue to provide its services after an attack. System hardening The aim is to stop the ultimate social level effect on the organisation, so we can consider protective measures at multiple stages before, during and after the attack, which equate to attack surface reduction, hardening the target and limiting the impact zone. We consider hardening the target as a separate category for clarity, although its protection from access and use forms part of the attack surface, and its subsequent change and effects are within the impact zone. The defence may also attempt to reduce the motivation of the attacker, which we discuss in the next section. Systems and resources should be difficult to damage, remove, alter or use in undesirable ways, which requires comprehensive protection at all layers. We need to conduct a systematic analysis of systems and the threats they face as a prerequisite to building a coherent architecture 19

1: Modelling the Insider Threat providing comprehensive protection. The access and use of systems should be limited by controlling the access paths and operations allowed by different people. These controls should also constrain access to attack tools within the organisation or brought in from outside. The organisation should provide a complete attack surface at all layers to constrain authorised use and stop unauthorised access. In general, we may locate defences on the external system boundary, within the system and on the target to provide defence-in-depth. However, protecting the boundary to the organisation and its systems does little to protect against insiders already within the system. Comprehensive protection involves partitioning and isolating internal areas and systems, according to their location and functionality, to stop uncontrolled movement and access. In addition, authorised activities within internal domains should be monitored and controlled to stop policy breaches. The control boundaries should be complete and operational at all times. However, insiders can usually elevate their privileges by interfering with the controls, passing through weak controls or evading incomplete controls. The protection of resources needs a clear understanding of their functionality and weaknesses, along with the powers and possible abuse by their users. Limiting the functionality of resources makes protection easier, but may reduce the utility of the system. Resources can be placed within other objects to give them additional protection. For example, application use can be 20

1: Modelling the Insider Threat constrained through a limited user interface, and cryptographic keys can be physically protected within a smartcard. The targets should be hardened to hinder damage, removal, change and undesirable use, which limit possible undesirable effects on the rest of the system. Rapid detection of system anomalies is required to limit the impact zone in both the temporal and spatial dimensions. Issues can be resolved by automated recovery, shutting down the affected resource, or reverting to a satisfactory state such as rebooting a computer. There should be an effective triage process to deal with crucial problems first to stop a permanent, or widespread, impact. The potential impact may be limited to the target, within its neighbourhood or system wide. Problems can be fixed more widely within the system, or using external resources if the target cannot be repaired. Resiliency can be provided using redundant capacity or spare resources within the system, acquiring additional resources or provisioning services in other ways. The additional items should be independently protected so that they are unlikely to be affected by the same attack as the original resources. The independence assumption should be questioned because of the possibility of directed insider attacks. Special checks should be made of critical resources, backups and other single points of failure to ensure they will work when required. Monitoring of system activities enables problem causes and their effects to be discovered. This may enable undesirable changes to be fixed rapidly to 21

1: Modelling the Insider Threat limit the impact, and pinpoint weaknesses that can be mitigated to stop similar attacks in the future. Effective monitoring also includes finding and dealing with the attacker to stop any subsequent attacks. The impact may be limited to the physical and logical layers, or may reach the social layer. Additional protection measures are required to stop, or reduce, damage to lower layer resources causing the ultimate effect of preventing the organisation from carrying out its normal business activities. For example, damage to a computer providing a key service may not cause a major business impact if there is a straightforward repair or ready replacement. Targeting the attacker We now consider how to dissuade attacks from employees, after having discussed methods to strengthen the defence in the previous two sections. We need to understand their goals in order to determine their likely actions, which allows the selection of appropriate measures to meet credible attacks, as not everything can be protected equally. The different objectives and methods in the main insider attack categories of sabotage, fraud and theft lead to different defensive measures. The class of attack and its execution is strongly influenced by the insider’s role and capabilities, as they usually attack easy and familiar targets using their existing knowledge and abilities. Attacks are often prompted by the need to resolve, or relieve, personal and work problems. Personal 22

1: Modelling the Insider Threat issues include divorce, drug abuse, financial problems and emotional disturbance. Organisational issues include job dissatisfaction, workplace disputes and disciplinary sanctions. The main objectives are financial, including acquiring money and assets, and psychological, including enjoyment and revenge. Many attacks are caused by a combination of longterm needs exacerbated by current circumstances. The trigger is often a minor incident, but it should be understood within the wider context of existing issues in the employee’s personal life and the workplace. The motives, means and opportunity are key questions that need to be answered to prove a suspect guilty of a crime. These are considered necessary predisposing attributes of attackers, with the corollary that the defence should be successful if it can circumvent at least one factor. The opportunities include employees’ system privileges and knowledge of weaknesses that enables them to commit the attack and escape detection. The means is the set of methods, tools and techniques at the attacker’s disposal, which is influenced by the skills and knowledge they have in acquiring and using them. The attacker’s means and opportunities are largely determined by the defensive controls discussed already that limit their powers and activities. We now investigate how the organisation can decrease, or eliminate, the motivation of potential attackers by persuasion and deterrence. The organisation can attempt to persuade their employees not to attack by addressing their 23

1: Modelling the Insider Threat underlying personal and financial issues. The organisation may also encourage more loyalty and respect by good work conditions and pay, teambuilding exercises, fair treatment and addressing grievances. Note that many of the proposed measures are also good practices that may improve the effectiveness of the organisation and help to avoid other types of incidents. The organisation should also attempt to deter attacks with strong defensive measures that make the cost-benefit equation less favourable by increasing the risk or reducing the benefits. Deterrence requires ongoing enforcement measures to stop misbehaviour, and is therefore likely to be more expensive than persuasion. We propose a ‘carrot and stick’ approach to reduce the attacker’s motivation using both persuasion and deterrence. Trust, but verify. (Translation of an old Russian proverb ‘Doveryay, no proveryay’, often quoted by former US President Ronald Reagan during discussions with the Soviet Union about nuclear disarmament.)

Security controls are often seen as an unnecessary imposition on employees, and there is often a perverse incentive to ignore them to achieve the immediate business goals. Employees should be rewarded for avoiding unnecessary risks by complying with policies, as well as for meeting positive business objectives. The reasoning behind security policies should be explained, as employees are more likely to accept and operate within controls they understand. Policies should be enforced equally and fairly on all employees, including management, to avoid dissent. 24

1: Modelling the Insider Threat The attacker often has a lack of foresight of the possible repercussions on themselves and the organisation, thinking they will evade detection or making excuses for their deviant behaviour. Employees’ obligations should be made clear by the explicit allocation of duties and responsibilities, and well-publicised understandable policies with disciplinary action for breaches. It is important to deal with unacceptable behaviour early; minor abuses may escalate if they become accepted as part of the corporate culture. There should be visible defensive controls, and initial warning signs should be targeted with codes of conduct and zero tolerance. There should be safe outlets to alleviate grievances before they lead to major incidents. Deterrence includes the probability of detection and being held accountable after the event with disciplinary action, and legal measures including arrest, prosecution and suing for damages. We must recognise that some attackers, for instance disgruntled employees, may not be rational and may cause damage irrespective of any deterrent measures. The organisation may help their employees to address their underlying personal issues, including divorce, drug abuse, financial difficulties and mental instability, which may allow them to recover their psychological equilibrium in less destructive ways through professional advice and treatment, and through reduced workload and responsibilities.

25

1: Modelling the Insider Threat Many insiders simply take advantage of opportunities caused by lax controls when they find a weakness that they can exploit. The organisation can limit the opportunities by constraining access to valuable targets. Employees should not be given responsible duties without having proved their loyalty and competence. There should be adequate employment and criminal checks, as people with prior convictions or poor work records are likely to cause problems. We expect an increase in organised crime by planting people within organisations or bribing existing employees. These organised insider attacks are usually carried out methodically to achieve clearly defined financial objectives. Security procedures and controls will not stop determined insiders, but may make their attacks more difficult and limit the damage. We conclude that different types of employee usually attempt different attacks depending on their position, privileges and knowledge. Every position has some degree of access that can be abused, but some positions, such as technical, financial or managerial roles, have higher risk because of the greater means and opportunities for exploitation.

26

CHAPTER 2: INSIDER ATTACKS

Insider attack classification We classify attacks into their ultimate effects on the organisation of damage, fraud and theft to satisfy the goals of the attacker. This follows the classification used in the CERT Common Sense Guide to Prevention and Detection of Insider Threats, which is recommended as further reading. We also mention attacks motivated by curiosity, or enjoyment, without clearly defined goals that may inadvertently cause problems. The attacks have these undesirable impacts indirectly by breaching the fundamental security services of confidentiality, integrity and availability usually at lower layers. These problems may also be caused by accidental failure, or external attack, which are allowed by internal weaknesses. The main characteristics of the three classes of attack are: Damage and sabotage – causes the loss of availability and integrity of the targeted resources, with possible consequential effects on the ability of the organisation to perform its normal business activities. Fraud – causes financial losses to the organisation, or their customers, by interfering with internal financial records or making unauthorised transactions. Theft – includes logical resources, such as information and physical resources, like computers. The disclosure of sensitive business 27

2: Insider Attacks information often has a much higher impact than the loss of physical assets. Damage Methods of attack The goal of the employee is the psychological satisfaction obtained from causing damage to the organisation, motivated by a personal grudge for some perceived wrong. The aim is to destroy or damage physical resources, such as buildings, equipment and computers, and logical resources, like programs and data. These attacks on the integrity and availability of organisational resources have the ultimate effect of harming its business activities. We investigate the insider threat using our extension of Howard and Longstaff’s classification scheme with separate tables to illustrate each type of attack. The paths through the grid from left to right in Tables 1–3 show the progression of possible attacks through the various stages, starting with access to the target, before moving on to illustrate the subsequent effects that cause damage. We then consider defensive barriers to provide a complete and consistent defence at all layers to prevent the attacks or constrain their impact in Tables 4–7. We show possible damage by a disgruntled employee with a separate table for each layer in Tables 1–3. In a realistic analysis, attacks by current and former employees should be considered separately, as they are subject to different defensive controls. Table 1 has some 28

2: Insider Attacks extra columns for the concepts of attacker, ultimate effect and ultimate target that only have meaning at the social layer. Attacks at a single level can be discovered by selecting entries from each cell in a table from left to right. For example, the top line of Table 1 shows that the attacker can launch a social engineering attack on a security guard to trick them into giving unauthorised physical access. In addition, the table illustrates that attacks can occur in stages, with the unauthorised access gained in the first stage being used as the method in a subsequent stage. For example, the unauthorised physical access obtained from the security guard (shown in the Immediate effect column in Table 1) can then be used to steal or damage physical resources as shown in Table 3. This demonstrates a multi-layer attack showing some relationships between the levels. The perpetrator is usually male and holds a technical position with privileged system access, for instance as a system administrator. The motivation is invariably caused by long-standing dissatisfaction with the job, but usually triggered by a negative workplace event, such as termination or disciplinary action. The attacks often show a degree of sophistication and premeditation which, together with the privileged access and malicious intent, makes them very dangerous and difficult to obstruct.

29

2: Insider Attacks Attacker

Method

Action

Target

Immediate effect Ultimate effect

Ultimate target

Disgruntled employees or former employees

Social engineering, threats, violence, circulating rumours

Persuade other employees to act incorrectly or insecurely, hurt or frighten, misinform

Security guards, colleagues, customers, suppliers, shareholders

Unauthorised physical or logical access, injury, loss of morale, fear, loss of trust in systems and colleagues, inability to provide goods and services, cost and time to repair or obtain alternative resources

The organisation and its employees especially colleagues and management

Inability to conduct business activities effectively, cascading failures, failure to satisfy contracts, loss of reputation and trust, loss of customers, reduction in profits, lowered share price

Table 1: Damage and sabotage against the organisation at the social level

30

2: Insider Attacks The attack has the immediate effect of compromising the availability and integrity of the targeted resources, usually at lower layers, with the ultimate effect of damaging the organisation. The inability to carry out normal business activities is the most urgent problem, which may eventually lead to a decline in business. The effects are sometimes difficult to detect if the attacker causes damage surreptitiously, for instance making small, but significant, changes to databases. Employees are in a good position to target system weaknesses, such as essential components that are difficult to repair or replace. In addition, they can interfere with the recovery mechanisms, destroying back-up data along with the primary data, which may lead to permanent loss of crucial business information rather than straightforward and speedy restoration. There are also damaging attacks on organisations used as a stepping-stone to target third parties for ideological motives, for example, terrorists attempting to cause wider damage to other organisations and society in general. These adversaries are very determined, so there should be additional defensive mechanisms for organisations that may be targeted.

31

2: Insider Attacks

Method

Action

Misuse authority, gain illegitimate access (exploit known weaknesses, remote access using backdoors, use hidden or compromised accounts), install malware

Interfere with control systems

Target

Immediate effect

Control systems for buildings and Control system damaged or equipment unavailable, production slowed or shut down, damaged systems and goods, unsafe systems and Install unauthorised Computer systems (networks, environment software, issue operating systems, applications), damaging commands, computer system data (file destroy data (delete, system, privileged accounts, Unusable or unavailable corrupt or change cryptographic keys), business computers or applications, loss of files, documents and processes, business information business documents, inability to system control data, (files, databases, documents) provide business and computer format disks) services, unauthorised access

Table 2: Damage and sabotage against the organisation at the logical level 32

2: Insider Attacks

Method

Action

Exploit existing access, illegitimate access (use borrowed, stolen or duplicated keys, use unprotected entrances, follow others through security checks)

Physical damage Targets critical resources and and destruction, system weaknesses theft, undesirable change (turn off Equipment (machinery, control equipment) systems), computers, networks (internal, Internet, telecoms), data (disks, back-ups, documents), buildings (fire, water) and contents (safes, cables, pipes), environment

Avoid observation (hide, cause emergency (fire alarm), enter outside working hours (early, lunchtime, after hours), disable controls (CCTV))

Target

Immediate effect System outages, lost production, unavailable resources, environmental effects (pollution), loss of essential utilities (power, heating, water), unsafe working conditions

Table 3: Damage and sabotage against the organisation at the physical level 33

2: Insider Attacks Defensive protection The organisation can use both ‘carrot and stick’ to persuade their employees to behave correctly and deter them from acting maliciously. The attack is usually motivated by long-standing dissatisfaction with the job. The organisation can attempt to reduce an attacker’s motivation by persuasion through effective communication, better treatment, and dealing with their personal and work issues. There is usually a triggering workplace event, for instance termination or disciplinary action, so warning signs should be taken seriously and dealt with before they reach a crisis. Deterrence occurs by strengthening the defensive mechanisms to hinder the attack and by increasing the probability of detection and punishment. However, a determined employee may not consider the consequences or be deterred by the risk. The first two columns in Table 4 show defences that target the adversary to reduce their motivation by persuasion and deterrence. We now investigate how to stop damage by strengthening the defence before, during and after the attack at each different layer in Tables 5–7, which equate to attack surface reduction, hardening the target and limiting the impact. The defence to limit access aims to stop unauthorised employees from reaching the target, constraining authorised access to that needed for the job, and monitoring controls to discover policy breaches. However, these controls offer limited protection against a privileged user who already has access, or can easily gain it by passing through, evading or interfering with the controls. The organisation 34

2: Insider Attacks should limit uncontrolled paths to the target, for instance by stopping remote access, which is commonly exploited by terminated employees. In addition, good monitoring may halt the attack in time to prevent significant damage. The target can be protected by constraining its functionality and use to what is strictly necessary, which will limit possible undesirable effects that can more easily be overcome. However, the destruction or damage of resources commonly has unanticipated effects, and a privileged insider is in a position to select targets that will have an adverse effect on the organisation. There are always weaknesses, incomplete defences and unnecessary functionality that can be taken advantage of by insiders. In particular, insiders do not need to use a target, but only need physical access to damage or steal it. The ability of the organisation to continue its operations when things go wrong is crucial, as internal attacks are so difficult to stop. There should be defences to limit the effects of damage by rapid detection and recovery, because it is unrealistic to rely on preventive controls with determined insiders. This is provided by emergency measures and the provision of resiliency within the system to ensure recovery. There should be regular and rigorous checks of critical resources, such as back-ups and other single points of failure, to ensure they will work when required. The standby capabilities should be independently checked, as insiders can interfere with them when they damage the primary resources. 35

2: Insider Attacks Persuasion

Deterrence

Limit ultimate effect

Improve allegiance towards the organisation (improvements in work conditions, pay and benefits, fair treatment) Address personal and financial issues (offer support, find professional help) Clear communication (explain need for security controls, procedures and policies)

Increase probability or perception of detection (make defences visible, use fake defences such as fake alarms, empty cameras) Target predisposing behaviour (codes of conduct, zero tolerance, clear responsibilities) Punish offenders (hold accountable, enforceable disciplinary and termination procedures) Legal measures (inform police, have arrested, prosecute, sue)

Provide goods and services in different ways, contracts with third party providers Insurance Disaster recovery, business continuity, use alternative facilities (buildings, equipment), use loans or contingency funds Public relations, offer compensation Incident report, repair weaknesses, remove access from attacker, system redesign

Table 4: Protection against damage at the social level outside the active attack stages 36

2: Insider Attacks

Limit access

Harden target

Limit immediate effect

Strict policy enforcement (vigilant observation, know typical threats, implement lower layer controls on employees) Psychological features (do not respond to threats or promises, identify odd behaviour) Limit activities (use roles, limited privileges, prevent access to social engineering targets)

Security awareness and training, clear and consistent communication Strict policies (enforce least privilege, default denial, limited discretion, question requests, investigate anomalies, report policy breaches) Confirm lower layer system controls (double-check critical systems and weaknesses, manual checks of automated processes, systematic repair of known weaknesses)

Rapid response (24/7 alerts, call incident response team, operate contingency plans, call in expert or emergency services, work overtime) Recovery (use spares, acquire other resources, shutdown damaged systems, repair critical problems) Deal with attacker (monitor logs, disable access) Debrief employees, allay fears

Table 5: Protection against damage at the social level within the active attack stages 37

2: Insider Attacks Limit access

Harden target

Limit immediate effect

Enforce least privilege (roles, dual control, prevent damaging commands) Partitioning (isolated systems, separate networks) Intrusion prevention (strong monitoring, alarms) Constrain access (disable remote access, protect networks (wireless), system (compromised accounts, backdoors))

Reduce functionality (hardwired controls, secure configuration using checklists, limited user interfaces) Control change (read-only disks and file access, system integrity checks) Inaccessible computers (remote servers, secure hardware, Trusted Computing) Find and repair weaknesses (anti-virus, anomaly detection, penetration tests, network scans) Secure user access (strong authentication and passwords (change defaults), use limited accounts, delete unused/default accounts)

Host/network intrusion and anomaly detection, check audit logs Correct system (reboot, change back to initial state, reinstall software) Rapid recovery (self-diagnosis, automated repair) Data recovery (restore back-ups, recreate documents, roll back databases, file versioning) Remediate weaknesses (patch or shut down affected systems, stop network access, disable accounts, change passwords)

,

Table 6: Protection against damage and sabotage at the logical level 38

2: Insider Attacks Limit access

Harden target

Limit immediate effect

Ensure monitoring controls are working, have not been tampered with or turned off (alarms, CCTV) Secure all entrances for buildings, secure areas and rooms (fire exits, windows, ventilation ducts), install alarms, key management Control movement (accompany, sign in and out, movement detection), observe activities (open plan offices), easy identification (distinctive uniforms, badges) Limit personal items, equipment, tools, weapons Protect resources within secure areas, walls, protective coverings and enclosures

Toughened equipment that is difficult to destroy, damage or remove (stop opening (disk removal), bolt to immovable objects, tag, attach transmitters) Protect from the environment, fire, water, electricity Put documents and valuables in safes, locked filing cabinets and desks, clean desk policy

Continue production in degraded mode, contract for rapid repair Resilience (unused capacity, spare resources in different locations (secure off-site backups), use alternative utilities (back-up generators), communication facilities (Internet, wireless), rented buildings) Limit impact (seal off damage, shut down systems) Find and stop attacker

Table 7: Protection against damage and sabotage at the physical level 39

2: Insider Attacks There should be additional controls, as shown in the last column in Table 4, to stop the impact from reaching the social level with an ultimate effect on the business activities of the organisation. Damage to a computer or the loss of data does not lead to a large business impact if it can be readily replaced, restored or repaired. However, the determined insider may cause permanent damage, for instance by deleting all the data back-ups as well as the primary data. The impact of service loss can be mitigated in others ways at the social layer, including insurance and by contract. We can discover possible defensive controls at each attack stage and level from the consideration of each cell in the attack tables. This is roughly how we designed the defensive tables except for the following variations. The protection against the attacker, which is the first column in Table 1, is split into two columns in the defensive Table 4, as persuasion and deterrence employ fundamentally different measures. The other major change is that the attacker’s method and action are two separate columns in the attack tables, whereas the corresponding defensive measures are merged into the Limit access column in the defensive tables. Each table can be considered alone to give several defences that provide defence-in-depth protection against one level of attack. Alternatively, the cells under the same heading in each table allow the consideration of comprehensive protection at all levels against particular attack stages. Access can be constrained at the early stages to provide a comprehensive attack surface that reduces the probability of attack. Protection can be afforded against the immediate and ultimate effects at later 40

2: Insider Attacks stages to limit the impact of a successful attack. The tables only give some of the important controls that may protect against damage, and therefore would have to be extended in a realistic scenario. Access should be limited as far as possible without interfering excessively with business efficiency. However, internal controls rarely stop employees from misusing their privileges, or gaining additional ones, if they are determined enough. It is wise to reduce the motivation of staff to cause damage by treating them fairly and providing a good working environment. The organisation should focus attention on disgruntled technical and other trusted staff, especially just before or after termination, with thorough procedures to remove hidden access that can often easily be obtained by misusing their privileges. Fraud Methods of attack Fraud is deception of an unwilling victim usually carried out for financial gain. Insider fraud is carried out against the organisation, or against third parties related to the organisation, such as its customers, suppliers and other employees. It is carried out by men and women equally, who usually have legitimate access to financial systems through their role in the organisation. Fraudsters often use their own user accounts, although some use more sophisticated techniques and take preparatory measures, making the attacks harder to discover and remediate. Trusted insiders, for 41

2: Insider Attacks example, management, finance, IT and sales staff are in an especially good position to conduct fraud through their privileged access to financial systems and knowledge of their weaknesses. Fraudsters are motivated by financial gain, but only a minority have obvious financial problems that need urgent relief. In many cases, there seem to be psychological goals in addition, for instance boosting self-esteem by displaying obvious signs of wealth. Fraudsters are encouraged by lax defences, as demonstrated by the majority that did not adequately cover their tracks because they believed they would not be caught. The organisation should attempt to make the costbenefit equation less favourable to the fraudster by increasing the risk or decreasing the value of the crime. Persuasion involves addressing the underlying personal and financial issues, which are mostly outside the organisation’s control. Deterrence occurs by deploying a strong set of controls that the potential perpetrator believes will detect their crooked activities and hold them accountable. We briefly mention fraud against third parties, which usually involves misusing their confidential personal and financial information stored by the organisation to perform unauthorised transactions. The failure to protect this sensitive information adequately opens the organisation up to fines, stronger regulation, paying compensation and losing the confidence of its customers and business partners. We discuss direct fraud against organisations in the remainder of this section, which could be 42

2: Insider Attacks investigated systematically using tables, as we showed for damage. We classify fraud into two classes determined by the locality of the malicious activities entirely within the organisation or also involving external parties. Fraud is purely internal when the employee makes unauthorised changes to stored financial information, such as accounts data to steal directly from the organisation. It is partly external when employees perform unauthorised transactions with third parties for their own benefit. The fraudster may generate, or interfere with, transactions for their own benefit, or collude with the other transaction participants to obtain goods, services or money illegitimately. The attributes of genuine transactions can be altered by changing the price, the type and number of products, or the destination address. The anomalies should eventually be discovered by the victim, but it may be too late to recover. Fraudsters can also generate fake transactions where they transfer goods or funds to themselves and then disappear, or to dishonest or phoney companies that fail to discharge their side of the contract. The second class of fraud only involves the organisation and its systems. The fraudster can take money from accounts, or steal goods, and evade detection by making matching changes elsewhere, or by interfering with the financial controls. They can directly change the amounts in accounts they control, such as fake accounts they create for non-existent employees. They can indirectly benefit the controlled accounts by forging deposits or extending credit lines. 43

2: Insider Attacks We describe the methods of committing fraud at each layer starting at the highest. The fraudster may collude with other employees, or use social engineering to deceive them into acting incorrectly or ignoring policy breaches. They can trick administrators to give them more privileged access than required, or persuade other employees to share their passwords, so that they can perform illegitimate operations without detection and avoid responsibility. They often bypass lax procedural controls that are perceived as an annoying and unnecessary administrative overhead. For example, dual control on sensitive operations, such as making large transactions, is negated when one party is given the other’s means of authentication, so that they can perform unauthorised operations on their own. They may also exploit weaknesses to avoid checks in manual reconciliation procedures, such as matching goods shipped with their invoices, or abuse special procedures, like those for reversing incorrect transactions. Fraudsters may also exploit weaknesses in automated reconciliation procedures within the financial system. They may overcome financial application checks, for instance double-entry bookkeeping, by making corresponding alterations to other accounts, so that the credits and debits still match. They may also take advantage of weaknesses in the handling of erroneous or unusual conditions, such as using special holding accounts for unsettled transactions. The fraudster can interfere with the underlying financial controls by subverting the control software or data, so that anomalies are not detected. They may set up fake user accounts, or 44

2: Insider Attacks steal passwords using hacking or spyware to gain privileged access. They can make the system fail, so that it falls back to using weaker manual processes, such as conducting business by fax. Finally, they can avoid the controls enforced by the financial software by making direct changes to the underlying files. Malicious software can be installed to automate attacks efficiently, when searching for dormant accounts to steal from, and performing attacks that are not practicable manually, such as salami attacks, where small amounts are shaved off each operation imperceptibly. It is often straightforward for employees to acquire authentic financial forms on company-headed paper. Invoices, purchase orders and delivery notes can be used for fake transactions, whereas credit transfer, deposit and withdrawal slips can be used to defraud accounts. They can steal blank forms from filing cabinets and desks, or print new ones from computers that store the templates. Company chequebooks and credit cards can be misused to withdraw funds or conduct unauthorised transactions. Spying and eavesdropping are used to discover the authentication information required to conduct financial operations. The immediate effect is the financial loss to the organisation. It also includes the side effects of perpetrating the fraud, for example, interfering with accounts records and damaging the integrity of the financial controls. The ultimate effects may involve large monetary losses, if the fraud is not detected quickly, and the cost and time to discover and remediate the system irregularities and 45

2: Insider Attacks weaknesses. Consequential effects, for instance adverse publicity and difficulties in conducting business if the financial system is affected, may have a greater impact than the original fraud. Defensive protection There should be a systematic risk assessment and management process to avoid major fraud rather than unrealistically attempt to stop all losses. This should lead to the selection of comprehensive and enforceable protection measures to control activities that can directly lead to significant loss, like high-value transactions, or indirectly, such as managers with uncontrolled power. The protection measures should not interfere unduly with the efficiency of business processes, or be too onerous for employees, as they may be ignored. There should be an application of security rules that are known to thwart fraud such as defence-indepth, separation of duties and data minimisation. There should be preventive controls to constrain legitimate activities, supported by detective backend controls that deal with fraud to provide defence-in-depth. The stages of financial operations should be executed by different people and independently checked. For example, dual control should be used for important operations, such as authorising large transactions. Access to sensitive information should be limited by needto-know. The controls may still be evaded by a single-minded individual, or several employees acting together, but it is much more complicated and, consequently, more likely to be discovered.

46

2: Insider Attacks Anomalies should be investigated even when the irregularity is minor. A famous case of espionage against the US by a spy working for the KGB was described by Clifford Stoll in his book, The Cuckoo’s Egg, after he discovered a $0.75 accounting anomaly. It is impossible to automate controls to prevent all insider fraud, so there should be detective controls to limit losses afterwards. Normal business operations have regular patterns, so automated fraud detection controls can highlight anomalies for further investigation. Financial irregularities include performing normal activities, such as reading accounts an excessive number of times, and unusual events, for instance errors in transactions. Unusual system activities also warrant further investigation; these may be the creation of new accounts, the disabling of security controls and failed log-ins. Some normal operations just within acceptable bounds, or at random, should be checked, as employees often know how to evade the controls. Manual doublechecks include examining system records, like audit logs, or seeking confirmation from third parties, be they supervisors or credit reference agencies. Financial operations should ideally be performed on specific machines with limited functionality. These systems should be isolated from untrustworthy computers in the rest of the organisation, and they certainly should not be accessible remotely over the Internet. Consideration should be given to using strong authentication techniques, such as biometrics or 47

2: Insider Attacks smartcards, since passwords can be compromised in many ways. Employees can be placed in suitable roles to limit their privileges, so that they can only perform tasks and access the information necessary for their jobs. Their activities should be monitored and audited carefully to stop policy breaches, such as installing software, making unauthorised transactions or changes to accounts, or interfering with the controls. Activities should be logged at the transaction, computer and network levels for monitoring and subsequent analysis. This may enable the perpetrator to be held accountable for their activities, and to discover the methods employed and weaknesses exploited. Unauthorised system changes can be avoided with integrity controls where possible, by using readonly data, and checking the correctness of applications using hashes or digital signatures. The systems ought to be hardened by remediating known weaknesses using systematic patching and disabling insecure functions, and there should be automated daily checks for malware with antivirus and anti-spyware software. The functionality of computers handling sensitive financial information can be limited to a few trustworthy applications and avoiding generalpurpose office and Internet software with large numbers of exploitable weaknesses. These machines could use special hardware modules for sensitive processing, such as the Trusted Platform Module (TPM) in Trusted Computing that is significantly more difficult to compromise than processing in software. 48

2: Insider Attacks It is safer to perform sensitive financial operations in secure physical areas where access to machines can be observed by staff. Access should be limited at all times, including outside working hours, and therefore all keys should be carefully managed to stop copying and misuse. It is important to control the distribution of blank financial forms on computer and paper by numbering and accounting for each one, including unused forms. Stopping physical access to paper documents can be achieved by locking them away in filing cabinets and enforcing a clean desk policy. There should be adequate inventory checks on goods in stock, which may include CCTV cameras in warehouses and placing tracking devices on expensive products. Around half of detected fraud is discovered by a system abnormality, with many others only being detected by the victim when the loss becomes clear. This indicates that the technical controls were not discriminating enough, or that they could be evaded. Fraud by insiders cannot be entirely avoided, but it must be discovered early enough to prevent a significant impact on the organisation. There should be follow-up controls, for instance freezing accounts under investigation, recovering bad debts and random audits to limit the effects. The perpetrator’s identity could usually be determined subsequently from system records, such as logs, since it is very difficult to avoid all traces of illegitimate activity. This shows the importance of the good management and protection of records. It may be possible to hold 49

2: Insider Attacks the perpetrator accountable, but they may disappear, or not be able to pay back the losses. Fraudsters usually act alone, but sometimes they collude with other employees, or are offered inducements by outsiders. We expect to see an increase in organised insider fraud, as criminals discover that they can defeat inadequate internal controls. The speed and efficiency of computers aids large-scale fraud, as the controls may be less effective than the slower and more cumbersome manual procedures using multiple checks and balances. The organisation should consider the possibility of fraud from any employee, but there should be special measures where funds can easily be stolen in the finance, IT and sales departments. The suggested controls coherently organised to provide defence-in-depth will not avoid fraud, but should detect it before significant losses have occurred. Theft Methods of attack Information theft is defined as the illegitimate acquisition of sensitive information. We use the term theft since it is in common use, but it should not, strictly speaking, be called theft, as the organisation is not usually deprived of the information. Information theft is divided into two categories of stealing: proprietary intellectual property and confidential business records. Intellectual property includes patents, designs, trade secrets, trial products, custom computer programs, business processes and other copyright 50

2: Insider Attacks material that give the organisation its competitive advantage. Confidential business records include financial accounts, customer lists and business plans. The perpetrators are typically male, and they normally have authorised access to the confidential information. Trusted insiders with privileged access, especially in management, research and development, finance and IT, are in a good position to accomplish information theft without detection. Information theft is often performed by employees who take proprietary information, such as product designs and customer lists, for their own benefit when they set up or move to another company. These employees often think they are acting reasonably, especially if they made a significant contribution to the information’s creation. Other employees are motivated by the value of the information to competitors. They act on their own initiative, or are approached by third parties who often target susceptible people with financial or psychological problems. The organisation may dissuade key staff, such as managers and designers, from leaving by providing a satisfying work environment and good pay. Deterrence includes making employees understand the possible consequences of theft by writing them into their contracts and explaining the disciplinary measures that will be taken when data handling policies are breached. We briefly consider the theft of physical objects, such as computers and equipment, for the value of the assets themselves, rather than to obtain the 51

2: Insider Attacks information they contain. Physical theft is difficult to stop, as employees often have legitimate access for their work. The consequences include the unavailability of the resources for carrying out business tasks that need them. Theft can be limited by locking items and monitoring movement with CCTV, but it is often not practical. The theft of laptops, mobile phones and storage devices is aided by their small size and mobility. The organisation must ensure proper back-up procedures for important business information collected and stored on insecure devices. Much more time and effort has been placed in protecting physical resources, as its effects are more tangible. However, the loss of a computer or storage device may be negligible compared to the value of the information it contains, be it future product details or business plans, whose disclosure may significantly weaken the organisation’s ability to meet its goals. We distinguish between the theft of intellectual property and business records, since the feasible defences differ because of their different functions and uses. Intellectual property has long-term value and has more restricted use, so it can be given strong protection without interfering with organisational objectives. Confidential business records and documents often have more shortlived value and are needed day to day by many employees. We describe the methods of committing information theft at each layer starting at the highest. Employees often misuse their existing access to steal proprietary business information. In 52

2: Insider Attacks addition, they can use trickery or bribery to acquire the information from other employees, or indirectly by tricking administrators and supervisors into giving them unnecessary access rights that they subsequently misuse. Proprietary information often winds up in unprotected logical locations that employees may discover from their knowledge and understanding of the target. There are often multiple, poorly protected copies of sensitive information in draft documents, e-mail, temporary files and back-ups. Employees can install spyware or misuse applications to search for sensitive information. A search program like Google Desktop that indexes documents and e-mail based on keywords can find all documents on specific topics. Deleted data can be recovered from the Recycle Bin, and file recovery tools can restore files that appear to have been permanently deleted. Insiders can also take advantage of insecure information flows. They can steal information by eavesdropping on unprotected messages transferred over internal networks, or they can interfere with business processes by altering the flow of sensitive information, such as adding themselves to mailing lists. Employees can steal, read or copy sensitive documents from filing cabinets, unattended desks, the internal post, printer output and wastepaper bins. They can search through poorly protected data containers including back-ups, memory sticks and old hardware. Thieves may also steal physical objects that embody inventions and designs, such 53

2: Insider Attacks as prototypes, trial products, samples, mock-ups, models and recipes. Employees can obtain unauthorised access to computers, physically obtaining passwords by installing hardware keyloggers between the keyboard and system, or observing them when they are entered or written down. They can remove information from accessible computers using memory sticks, or steal the hard disks or entire computers, aided by their small size. Insecure devices such as mobile phones, PDAs and memory sticks often contain valuable information that employees can locate by taking advantage of their insider knowledge. Thieves can strike when the offices are empty outside normal working hours, or cause a panic by setting off a fire alarm. Insiders can steal or copy keys to enter secure areas or open safes, or abuse their legitimate access. They can install spying devices, such as microphones and hidden cameras, to snoop on confidential information. Information theft causes the loss of exclusive use of proprietary information. The theft of intellectual property will not have an immediate effect on the organisation and it may be completely unnoticed. The immediate effects are usually avoidable, for instance losing access to information that has not been backed up, or minor, such as the need to replace stolen physical assets. The ultimate effect of the loss of proprietary information to competitors causes a loss of competitive advantage and business agility, possibly leading to a diminished market share and loss of revenue. 54

2: Insider Attacks Defensive protection Important information is often stored in many unknown and insecure locations because of inadequate data management. Information cannot be recovered once it is disclosed, and there only needs to be a weakness at one location to allow compromise. An important design criterion is to limit the number of copies of and access paths to sensitive data. There should be systematic data lifecycle management to handle the creation and collection, labelling and storage, processing and use, distribution and transmission, back-up and archiving, and retirement and destruction of information in all its forms. This requires a proper risk assessment and management process to determine the exploitable weaknesses and the potential impact from loss of information. An inventory of all information should be taken that includes its purpose, value, location and modes of access. Intellectual property often has enormous long-term value, and so access should be strictly controlled. There should be minimal copies, with strictly limited access to trusted employees, on a clear need-to-know basis. It should be stored on computers in physically secure locations, as logical access controls can usually be breached by a determined thief. On the other hand, many important business records have short-term operational value and need to be shared to support business processes. There is a balance between its positive use to meet business goals, while limiting the possibility of disclosure as far as possible. 55

2: Insider Attacks There should be holistic defence to protect sensitive data in all its forms, where controls are applied wherever it is stored, processed and transmitted. It needs continuous defence by adding new protection when the existing controls are removed. For example, extra controls are required to stop paper documents from being scanned and sent as e-mail attachments. There should be an application of data minimisation and least privilege rules to limit data access. The system can allocate roles to employees to provide limited selective access to data based on a need-to-know. For example, sales staff should only be given details of their customers, rather than the entire list, to reduce the impact of disclosure. However, the controls should be in line with business needs to limit the adverse effect on productivity. The organisation needs to limit the release of sensitive information by its employees, so that they do not put it on insecure devices, send it out in the post or by e-mail, or disclose it to unauthorised individuals. There should be comprehensive policies and procedures on data handling backed up by strict enforcement measures. In addition, there should be ongoing security awareness and training in safe data management practices. Every resource should be allocated to a responsible owner who may be held responsible if it is lost. For example, employees may have to reimburse the organisation if their laptops are stolen. Sensitive business information should ideally be isolated on specific machines only accessible to 56

2: Insider Attacks authorised users using strong authentication. There should be further data controls on insecure equipment by encrypting sensitive data or the entire devices, such as laptops drives and memory sticks. All critical information must be backed up, and the back-ups require adequate physical and logical protection, including the sanitisation or encryption of sensitive data. There may be automated controls on the release of confidential information by tagging it wherever it is stored and used, so that it is not accidentally or maliciously disclosed. Data leak prevention (DLP) can limit the logical release of information through e-mail or the Internet by searching for relevant keywords. The introduction of unique signatures, such as watermarks or slight errors, may detect theft if the stolen information is subsequently exposed; yet often it will be used surreptitiously. Sensitive data should be securely deleted when it is no longer required, which is an intractable problem if data is not well managed. This can be controlled by using special versioning software to control copying, or in an ad hoc way using Google Desktop to search for sensitive documents based on keywords. All copies must be deleted by emptying the Recycle Bin, removing temporary files and destroying old back-ups. There is software to overwrite sensitive files many times, so that it cannot be restored by disk-reading equipment. Paper documents should be stored in protected containers, such as safes and locked filing cabinets, in secure locations. There may also be controls on the distribution of sensitive documents 57

2: Insider Attacks with employees signing for access and using unique numbers on copies to enforce accountability. In addition, the physical protection of intellectual property embodied in products and models must be considered. It is important to limit access to physical locations, as well as to the targets themselves, to provide defence-in-depth. Strict entry procedures may be used requiring strong authentication, backed up by monitoring activities with CCTV, or searching bags when people enter or leave. Computers containing sensitive information should be housed in secure areas, locked to solid objects, or have their movements tracked with RFID tags. The organisation may provide separate sacrificial devices for non-essential purposes, such as a laptop to use out of the office, with sensitive data held on a separate internal machine. Around half of discovered information theft was detected by a system irregularity, with many others being found by non-technical means, often by third parties such as competitors and the police. The identity of the perpetrator could, however, usually be determined after the discovery of the theft with subsequent investigation. This means that there could be better analysis of irregularities, such as breaches of security controls that may indicate theft. We expect to see more organised theft of intellectual property in the future, as we move to knowledge-based organisations that are highly dependent on the value of their proprietary information. Competitors may plant people in organisations, where they may be able to steal 58

2: Insider Attacks large amounts of valuable information, aided by the inadequate control of information on computers and the targeted theft of insecure physical devices such as laptops. It is often impossible to recover from information theft, so prevention is the best option. Reducing employees’ motivation is important, as they cannot realistically be stopped from removing sensitive information if they choose. In addition, access to important information should be limited as far as possible, consistent with business goals. There should be rigorous protection of critical intellectual property and time-sensitive business information, such as annual figures. Special attention should be given to employees when they leave, using increased monitoring and reducing their access rights. Conclusions We believe that the insider threat poses a significant and increasing problem for organisations. Systematic defence is required, as no single method can protect against employees with legitimate access to organisational resources. We proposed an architectural three-layer security model to analyse the insider threat systematically. We extended Howard and Longstaff’s classification model and introduced the attack surface and impact zone to discuss the different stages of insider attack. This enabled a systematic analysis of defensive protection to harden the system by limiting access, constraining the use of the target and limiting the impact of successful attacks. We also considered how to reduce the insider’s motivation to attack by persuasion or 59

2: Insider Attacks deterrence. The systematic method using tables that we used to analyse damage earlier in this chapter can clearly be extended to the other types of attack. Action is required against all three main categories of attack – damage, fraud and theft – because they are all widespread, and stronger measures may be needed in specific sectors. Fraud is most profitable in the financial sector, whereas sabotage causes most damage to critical infrastructure, and intellectual property is more important in knowledge-based organisations. In addition, the likelihood of attack depends greatly on the personal and occupational circumstances of the attacker, which leads to the suggestion of controls where they might have the largest impact with least cost and effort. Strong monitoring may detect preparatory actions by departing employees, who account for about half of attacks that cause damage or steal proprietary business information. Providing multiple supporting controls that offer defence-in-depth is important, as single controls can be defeated by insiders. In addition, the controls should span all three levels to provide comprehensive protection against insiders who can obtain access at any level. Important preventive defences include limiting employees’ access to the minimum needed for their jobs, and reducing their motivation to attack by persuasion and deterrence. Systematic protection should deter most opportunistic attacks, but will not stop the determined adversary, so recovery methods that limit the impact of successful attack are very important. Measures should be taken to monitor 60

2: Insider Attacks system use and collect records that enable the identification of attackers, help determine the exploited weaknesses and aid rapid recovery. The system needs to be resilient, backing up important data, or providing services in different ways, to overcome problems that cannot realistically be avoided. We end on a note of realism. Security is only required to support the achievement of organisation goals more safely, and is not an end in itself. Protection can never be 100% effective; controls should not be applied if the time and effort is greater than the potential loss mitigated. We wish you luck in this difficult balancing act!

61

APPENDIX: FURTHER READING

2008 CSI Computer Crime and Security Survey, Richardson R, Computer Security Institute (2008), at www.gocsi.com. 2008 Information Security Breaches Survey, Department for Business Enterprise and Regulatory Reform (2008), at www.berr.gov.uk/files/file45714.pdf. ‘Attack surface: mitigate security risks by minimizing the code you expose to untrusted users’, Howard M, MSDN Magazine (November 2004), at http://msdn.microsoft.com/enus/magazine/cc163882.aspx. A Common Language for Computer Security Incidents, Howard JD and Longstaff TA, Sandia National Laboratories (1998), at www.sandia.gov. Common Sense Guide to Prevention and Detection of Insider Threats, Cappelli D, Moore A, Shimeall TJ and Trzeciak R, CERT (2009), at www.cert.org/insider_threat. Enemy at the Water Cooler: Real-life Stories of Insider Threats and Enterprise Security Management Countermeasures, Contos BT, Syngress (2006). Insider Threat: Protecting the Enterprise from Sabotage, Spying and Theft, Cole E and Ring S, Syngress (2005).

62

ITG RESOURCES IT Governance Ltd sources, creates and delivers products and services to meet the real-world, evolving IT governance needs of today’s organisations, directors, managers and practitioners. The ITG website (www.itgovernance.co.uk) is the international one-stop-shop for corporate and IT governance information, advice, guidance, books, tools, training and consultancy. 1 www.itgovernance.co.uk/bc_dr.aspx is the ITG website that includes a comprehensive range of books, tools and document templates for business continuity, disaster recovery and BS25999. www.27001.com is the IT Governance Ltd website that deals specifically with information security issues in a North American context. Pocket Guides For full details of the entire range of pocket guides, simply follow the links at www.itgovernance.co.uk/publishing.aspx. Toolkits ITG’s unique range of toolkits includes the IT Governance Framework Toolkit, which contains all the tools and guidance that you will need in order to develop and implement an appropriate IT governance framework for your organisation. Full details can be found at www.itgovernance.co.uk/ products/519. 1 www.itgovernanceusa.com is the website that is dedicated to delivering the full range of IT Governance products to North America. 63

For a free paper on how to use the proprietary CalderMoir IT Governance Framework, and for a free trial version of the toolkit, see www.itgovernance.co.uk/calder_moir.aspx. Best Practice Reports ITG’s new range of Best Practice Reports is now at www.itgovernance.co.uk/best-practice-reports.aspx. These offer you essential, pertinent, expertly researched information on key issues. Training and Consultancy IT Governance also offers training and consultancy services across the entire spectrum of disciplines in the information governance arena. Details of training courses can be accessed and at www.itgovernance.co.uk/training.aspx descriptions of our consultancy services can be found at http://www.itgovernance.co.uk/consulting.aspx. Why not contact us to see how we could help you and your organisation? Newsletter IT governance is one of the hottest topics in business today, not least because it is also the fastest moving, so what better way to keep up than by subscribing to ITG’s free monthly newsletter Sentinel? It provides monthly updates and resources across the whole spectrum of IT governance subject matter, including risk management, information security, ITIL and IT service management, project governance, compliance and so much more. Subscribe for your free copy at: www.itgovernance.co.uk/newsletter.aspx. 64