External threats are no longer in question: every company, and even every individual, tries to keep their systems from being hijacked by strangers who want to destroy them or use them to damage other systems. But what about the insider threat? Is it real? Who is the insider? What preventive measures reduce the chance that an employee will work against the company? This paper discusses what the insider threat is, what insiders are after, when and how they attack, and how to prevent such incidents.
Defending against external threats is an accepted daily necessity; far less attention goes to the people who already hold legitimate access. Is the insider threat real? The survey data below suggest that it is.
The 2004 E-Crime Watch Survey, conducted by the United States Secret Service, the CERT Coordination Center (CERT/CC) and CSO Magazine, found that among the roughly 70% of respondents who knew where their attacks came from, 29% of incidents were attributed to insiders. In the 2005 survey the figure fell to 20%. In 2007 the same organizations, joined by Microsoft, repeated the study and found that 31% of incidents were carried out by insiders; that figure came from 671 executives and law-enforcement officials. The CSI Computer Crime & Security Survey, run by the Computer Security Institute together with the FBI, shows a longer-term decline in the share of attacks attributed to insiders: the peak was in 1999, at more than 90%, and the most recent survey puts insider-caused incidents at 44%. Although the percentages are not overwhelming, the losses from insider attacks are more destructive than those from outsiders: an insider incident can destroy not only a particular system but also the company's reputation, and some companies have been unable to continue doing business at all.
Who is the insider
So who is this insider? The National Infrastructure Advisory Council (NIAC) defines the insider threat to critical infrastructure as one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise that would allow them to exploit the vulnerabilities of that entity's security, systems, services, products, or facilities with the intent to cause harm. Critical infrastructure, in that report, means sectors whose compromise would cause very large problems, such as banking and finance, commercial facilities, the defense industrial base, IT, and nuclear. The insiders in this sense are employees who sabotage some aspect of the organization or harm individuals, typically out of disgruntlement or financial trouble. CERT's definition of a malicious insider is a current or former employee, contractor, or business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. In short, an insider can be anyone: a disgruntled employee, or even an excellent employee who is bored and starts exploring things he or she is not supposed to do or know about.
How they become a threat
Having identified who the insiders are, we can look at how they become a threat. The risk is great because insiders are employees who currently work at the company and have technical proficiency. They know the company's rules and policies, including every loophole. They can easily harm a system and cover their tracks, helped by the lack of tools for understanding, analyzing and sharing information about the insider problem. An insider can also collaborate with one or more coworkers who have access to the target system. They can shoulder-surf or use social engineering to obtain access without anyone suspecting them, or they can use more sophisticated techniques.
Why they do it
The CERT studies of insider IT sabotage observed seven conditions that turn employees into insider threats. First, some employees bring pre-existing risk factors with them, such as drug use, a history of being bullied, or a record of rule violations. Second, they are dissatisfied with how the employer or coworkers treat them. Third, a stressful working environment can push an employee over the line. Fourth, supervisors and coworkers notice concerning behavior before the attack but do not act on it. Fifth, the company has no controls to detect suspicious online activity, such as downloading hacking tools or researching attack techniques. Sixth, nothing is done when the employee is terminated, or there are no access controls at all: the employee can still use his or her ID and password, or can use a hole installed before termination. Seventh, weak physical security and access controls make it easy to reach or change data. Pfleeger adds a further category: some insider incidents are unintentional.
Obstacles in detecting the threat
The NIAC report lists several obstacles to getting at the insider threat. First, lack of information sharing: there are few ways to share information about insider incidents, and companies fear that disclosing them would hand advantages, or knowledge of their vulnerabilities, to competitors. Second, more research on insider threats is needed, in particular on how criminal history relates to employment. Third, education and awareness: every level of the company needs to understand the insider threat, so that employees can recognize concerning behavior in coworkers and know the risk of engaging in it themselves. Fourth, managing and maintaining employee identity is one of the main obstacles, because there are few tools to verify that employees are who they represent themselves to be. Fifth, background screening practices are uneven; there is no standard for how far screening should go. Sixth, advancing technology removes the boundaries within which an employee's actions can be controlled. Last, cultural and organizational obstacles: different cultures and organizations have their own policies and rules, which are sometimes the opposite of the current company's.
Insider threat preventions
We have seen how serious the insider threat is, why employees become threats, and the obstacles to sharing information about them. So can the insider threat be prevented? Carnegie Mellon University's CyLab has published three versions of its guide to preventing and detecting insider threats. The third version adds and updates several practices, for a total of 16 practices to prevent and detect insider threats.
Practice 1: Consider threats from insiders and business partners in enterprise-wide risk assessments. It is natural to think that friends and family are the people you can trust most, but Bureau of Justice Statistics data show that the largest share of crime is committed by people the victim knows. The same holds for organizations. A business partner can be an insider threat too: the partner knows a great deal about the organization, can violate its policies without the organization noticing, and can be used as a way in. That is why risk assessments must cover partners as well, so that a partner cannot become a doorway for harming the organization.
Practice 2: Clearly document and consistently enforce policies and controls. Policies need to be clear, reasonable, cover every aspect of employees' work, be enforced with the same consequences for everyone, and be distributed. Employees must be able to read each policy, understand what it means, and understand the risk of not following it.
Practice 3: Institute periodic security awareness training for all employees. Every employee needs regular security awareness training. Without it, employees, and new employees in particular, will try things they are not sure are against policy, and will assume that the consequences are minor and that their actions affect the company little or not at all. Employees also need to understand the insider threat and its consequences, and they need to know to report concerning behavior: making or bragging about threats, associating with known criminals, downloading large numbers of files, trying to obtain other employees' usernames or passwords, and so on. Managers and supervisors also need training to recognize social-networking behavior.
Practice 4: Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process. This is an updated practice. Screening at the hiring stage is an important step in reducing insider risk. Screening means checking a candidate's background, such as criminal record and previous employment, because once a person has tasted the rewards of the "dark side" he or she will be tempted to do it again.
Practice 5: Anticipate and manage negative workplace issues. From an employee's first day, supervisors should pay attention to how he or she behaves, handles the work, and interacts with colleagues. When a supervisor sees signs of a negative workplace issue, he or she needs to act immediately, and the consequences must be based on policy rather than on subjective judgment.
Practice 6: Track and secure the physical environment. Employees are a company's main asset, so the company needs to protect them and maintain a comfortable workplace. The company also needs to limit access to its premises and to critical rooms. This practice protects the physical side of the company: if an unauthorized person gains physical access to a critical system, the company has effectively already lost that system.
Practice 7: Implement strict password and account management policies and practices. The organization should enforce a strict password policy and log and monitor every access so that each action can be traced back to the individual who performed it. An attacker has many ways to obtain access: an unattended logged-in workstation, social engineering, or a sticky note under the keyboard. All passwords should be strong, employees should not share passwords or store them in plain text, and passwords should be changed regularly. Employees should also be prevented from choosing easily guessed passwords such as the name of a month or a family member's name.
Practice 8: Enforce separation of duties and least privilege. Both have to be implemented to limit the loss from an insider act. Separation of duties divides a task among several people, so that one employee cannot give away a project, damage a system, or plant a backdoor without the cooperation of another employee. Least privilege minimizes the chance that an employee keeps more access than he or she should have, particularly when the employee's status or role changes.
Practice 9: Consider insider threats in the software development life cycle. Defects introduced during the software development life cycle (SDLC), or vulnerabilities in the software, can cause significant damage to the company. During development, a technical employee can slip in a small piece of code as a logic bomb or a backdoor to be used later. Practice 8 limits this: with separation of duties, at least one other employee reviews the code at the development stage and has the chance to notice and remove it.
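The following Python example is added here to make Practices 8 and 9 concrete; it is not code from the CERT guide or from any real code base. It models a change-approval gate in which roles carry only the permissions their job needs (least privilege) and the author of a change can never count as its approver (separation of duties), so a backdoor slipped into a commit cannot reach the main branch without a second person signing off. The role names, user directory and change records are assumptions constructed for the demo.

```python
"""Separation of duties and least privilege as an enforceable gate on code changes.
Added illustration; the roles, users and change records below are assumptions,
not something from the CERT guide or any real code base."""
from dataclasses import dataclass, field

# Least privilege: each role carries only the permissions its job needs.
# A developer can commit but cannot approve or deploy; approval and deployment
# are held by different roles so no single person can author, approve and ship.
ROLE_PERMISSIONS = {
    "developer": {"commit"},
    "reviewer": {"commit", "approve"},
    "release_manager": {"deploy"},
}


@dataclass
class Change:
    change_id: str
    author: str
    approvers: list = field(default_factory=list)


def permissions_for(roles):
    """Union of the permissions granted by a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can_merge(change, users, min_approvals=1):
    """Return (ok, reason). `users` maps username -> set of role names.

    Separation of duties: the author never counts as an approver of his or her
    own change, even if the author also holds the reviewer role. That is what
    forces an insider to recruit an accomplice before a backdoor can be merged.
    """
    if "commit" not in permissions_for(users.get(change.author, set())):
        return False, "author lacks commit permission"
    independent = set()
    for name in change.approvers:
        if name == change.author:
            continue  # self-approval is ignored, not merely discouraged
        if "approve" in permissions_for(users.get(name, set())):
            independent.add(name)
    if len(independent) < min_approvals:
        return False, f"needs {min_approvals} independent approval(s), got {len(independent)}"
    return True, "ok"


def can_deploy(user, users):
    """Deployment requires the release_manager role, regardless of review rights."""
    return "deploy" in permissions_for(users.get(user, set()))


def demo():
    """Constructed user directory: alice is both a developer and a reviewer."""
    users = {
        "alice": {"developer", "reviewer"},
        "bob": {"reviewer"},
        "carol": {"release_manager"},
        "dave": {"developer"},
    }
    self_approved = Change("CHG-1", author="alice", approvers=["alice"])
    peer_approved = Change("CHG-2", author="alice", approvers=["alice", "bob"])
    dev_change = Change("CHG-3", author="dave", approvers=["dave", "alice"])
    return {
        "self": can_merge(self_approved, users),
        "peer": can_merge(peer_approved, users),
        "two_person": can_merge(peer_approved, users, min_approvals=2),
        "dev": can_merge(dev_change, users),
        "alice_deploy": can_deploy("alice", users),
        "carol_deploy": can_deploy("carol", users),
    }
```

The point of `can_merge` is that the check is structural rather than a matter of policy text: alice holding the reviewer role does not let her approve her own change, and raising `min_approvals` to two turns the gate into a two-person rule for sensitive components. The deployment permission is deliberately held by a role nobody in development has, so the person who writes code is never the person who ships it.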
Practice 10: Use extra caution with system administrators and technical or privileged users. System administrators and other technical or privileged users are the most dangerous potential insiders because they have both the ability to damage systems and the ability to conceal what they did. They can destroy a system using very sophisticated methods, and with their knowledge hiding their actions is not hard.
Practice 11: Implement system change controls. Controls are processes that ensure information and services run as they should and reduce the risk associated with the technology in use. Change controls guarantee that every change is accurate, documented, carried out as planned, and made by an authorized user. One tool that supports this practice is a host-based intrusion detection system (host-based IDS): it can be configured with a baseline picture of the parts of the system that are not supposed to change, and it reports any deviation from that baseline.
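As an added illustration of the host-based change detection described above (not code from the CERT guide or from any particular IDS product), the following Python script takes a baseline of file hashes, re-scans later, and reports files that were added, removed or modified. The directory tree, file names and contents are constructed for the demo.

```python
"""Host-based change detection by file hashing, in the spirit of the host-based
IDS mentioned above. Added illustration, not code from the CERT guide; the
directory layout and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def compare(baseline, current):
    """Report what changed relative to the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a tiny fake system tree, baseline it, then make unauthorized changes."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        baseline = snapshot(root)  # taken when the last approved change was closed
        # Constructed unauthorized changes: a weakened setting and a new cron job.
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "cron.d_backdoor"), "w") as fh:
            fh.write("* * * * * root /tmp/.x\n")
        return compare(baseline, snapshot(root))
```

Two operational points follow from Practice 10: the baseline must be stored and signed somewhere a privileged user on the monitored host cannot quietly update along with the change, otherwise the control reports nothing; and every reported difference should be matched against an approved change record, because a change that has no ticket is exactly the kind of event this practice exists to surface.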
Practice 12: Log, monitor, and audit employee online actions. Logging is the most critical element for detecting what damage an insider has done. With logs, the company can determine who made which change to which system. Most insiders have been caught because of logs.
Practice 13: Use layered defense against remote attacks. Most companies are already prepared for remote attacks by outsiders. What they are often not prepared for is an insider attacking their systems through remote access, which gives the insider the opportunity to tamper with the system from outside the office and its monitoring.
Practice 14: Deactivate computer access following termination. When an employee is terminated, the best practice is to deactivate the account rather than delete it. Deactivating means the account and all of the employee's work remain, but no one except the administrator can access them; the administrator can then hand the project to the replacement. Deleting the account is not wrong, but when a new employee takes over the same project he or she has to "reinvent the wheel", which costs time and money.
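The following Python example is added here to show Practices 12 and 14 working together (and the attribution point of Practice 7); it is not code from the CERT guide. It audits an access log against the list of accounts that should have been deactivated and flags any activity by those accounts after their cutoff, plus activity under shared accounts that cannot be traced to a person. The log format, the sample lines and the account list are constructed for the demo.

```python
"""Audit of an access log against the list of deactivated accounts.
Added illustration, not code from the CERT guide; the log format, the sample
lines and the account list are constructed for the demo."""
import re
from datetime import datetime, timezone

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC> user=<name> action=<verb> host=<host> result=<success|failure>
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)

# Generic accounts whose use cannot be traced back to one individual (Practice 7).
SHARED_ACCOUNTS = {"root", "admin", "backup"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def audit(lines, deactivated):
    """Return a list of (finding, raw_line) pairs.

    `deactivated` maps username -> UTC datetime at which the account should have
    been disabled. A successful action at or after the cutoff means deactivation
    failed or a credential survived termination; a failed one still shows that
    the old credentials are being tried.
    """
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            findings.append(("unparseable log line", raw.strip()))
            continue
        cutoff = deactivated.get(ev["user"])
        if cutoff is not None and ev["ts"] >= cutoff:
            if ev["result"] == "success":
                findings.append(("post-termination access", raw.strip()))
            else:
                findings.append(("post-termination login attempt", raw.strip()))
        if ev["user"] in SHARED_ACCOUNTS:
            findings.append(("shared account, not attributable to a person", raw.strip()))
    return findings


def demo():
    """Constructed sample: jdoe was terminated on 2009-11-10 at 17:00 UTC."""
    deactivated = {"jdoe": datetime(2009, 11, 10, 17, 0, tzinfo=timezone.utc)}
    sample = [
        "2009-11-10T09:12:44Z user=jdoe action=login host=fileserver01 result=success",
        "2009-11-11T23:41:02Z user=jdoe action=login host=vpn01 result=failure",
        "2009-11-12T02:05:17Z user=jdoe action=login host=vpn01 result=success",
        "2009-11-12T02:06:30Z user=jdoe action=delete host=fileserver01 result=success",
        "2009-11-12T03:00:00Z user=backup action=read host=fileserver01 result=success",
        "garbage line",
    ]
    return audit(sample, deactivated)
```

Note what each finding buys the responder: the first jdoe line, before the cutoff, is normal and produces nothing; the successful VPN login two days after termination is the direct evidence that Practice 14 was not carried out; and the `backup` line is the gap Practice 7 warns about, because the log records an action but not a person. Unparseable lines are reported rather than dropped, since an insider who can write to the log can also corrupt it.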
Practice 15: Implement secure backup and recovery processes. There is a good chance an insider will harm a system even when every precaution has been taken, so secure backup and recovery processes are essential to keep the company working. Backups must be kept in a secure place, and the recovery process must be tested regularly.
Practice 16: Develop an insider incident response plan. The insider incident response plan is the procedure for investigating and handling insider incidents. The response team must be selected very carefully so that none of its members can themselves be an insider threat. The plan needs to respect everyone's rights, specify the actions to take to control damage, and make the purpose and responsibilities of each team member clear. To be effective, the details of the plan should be restricted to supervisors and above; other employees should know only that the plan exists and be trained to report suspicious actions by coworkers.
The E-Crime Watch Survey conducted by the United States Secret Service, the CERT Coordination Center (CERT/CC), CSO Magazine and Microsoft, and the CSI Computer Crime & Security Survey conducted with the FBI, make clear that the insider threat is not a tall tale invented to scare companies. It is a real threat that needs to be watched for. The insider can be anyone: a family member, a disgruntled employee, an executive, a business partner, even the employee of the month. The threat is hard to detect in part because companies are reluctant to share information about incidents that could be used to harm them further. It is also hard to recover from, because the insider is usually a skilled professional and the company is usually not prepared for such a case. The practices proposed by Carnegie Mellon University's CyLab are good ones, but not all of them apply to every company or organization; each company needs to choose and apply the practices that fit. In the end, just as no system can be called completely secure, no company can be entirely free of the insider threat.
- CERT, "2004 E-Crime Watch Survey, Summary of Findings." [Online]. Available: http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf. [Accessed: Aug. 29, 2009].
- CERT, "2005 E-Crime Watch Survey, Summary of Findings." [Online]. Available: http://www.cert.org/archive/pdf/2004eCrimeWatchSummary.pdf. [Accessed: Aug. 29, 2009].
- CERT, "2007 E-Crime Watch Survey." [Online]. Available: http://www.cert.org/archive/pdf/ecrimesummary07.pdf. [Accessed: Aug. 29, 2009].
- Cappelli, D., Caron, T., Trzeciak, R. F., "Spotlight On: Programming Techniques Used as an Insider Attack Tool." [Online]. Available: http://www.cert.org/archive/pdf/insiderthreat_programmers_1208.pdf. [Accessed: Aug. 29, 2009].
- Cappelli, D. M., Desai, A. G., Moore, A. P., Shimeall, T. J., Weaver, E. A., Willke, B. J., "Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage." [Online]. Available: http://www.cert.org/archive/pdf/merit.pdf. [Accessed: Sept. 28, 2009].
- Cappelli, D., Moore, A., Trzeciak, R., "Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1." [Online]. Available: http://www.cert.org/archive/pdf/CSG-V3.pdf. [Accessed: Nov. 12, 2009].
- Bureau of Justice Statistics, "Criminal Victimization, 2008." [Online]. Available: http://www.ojp.usdoj.gov/bjs/pub/pdf/cv08.pdf. [Accessed: Nov. 12, 2009].
- CSI/FBI, "CSI Computer Crime and Security Survey 2006." [Online]. Available: http://pdf.textfiles.com/security/fbi2006.pdf. [Accessed: Nov. 12, 2009].
- CSI, "CSI Computer Crime and Security Survey 2008." [Online]. Available: http://gocsi.com/forms/csi_survey.jhtml. [Accessed: Nov. 12, 2009].
- Hanley, M., Moore, A. P., Cappelli, D. M., Trzeciak, R. F., "Spotlight On: Malicious Insiders with Ties to the Internet Underground Community." [Online]. Available: http://www.cert.org/archive/pdf/CyLab%20Insider%20Threat%20Quarterly%20on%20Internet%20Underground%20-%20March%202009P.pdf. [Accessed: Sept. 28, 2009].
- The Institute of Internal Auditors, "Information Technology Controls." [Online]. Available: http://www.theiia.org/download.cfm?file=70284. [Accessed: Nov. 10, 2009].
- Noonan, T., and Archuleta, E., "The National Infrastructure Advisory Council's Final Report and Recommendation on The Insider Threat to Critical Infrastructures." [Online]. Available: http://www.dhs.gov/xlibrary/assets/niac/niac_insider_threat_to_critical_infrastructures_study.pdf. [Accessed: Sept. 28, 2009].
- Moore, A. P., Cappelli, D. M., and Trzeciak, R. F., "The "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures." [Online]. Available: http://www.cert.org/archive/pdf/08tr009.pdf. [Accessed: Sept. 28, 2009].
- Pfleeger, C. P. (2008). "Reflections on the Insider Threat." In Insider Attack and Cyber Security: Beyond the Hacker, pp. 5-15.