While the danger of the "insider threat" has been well cataloged, the details of inside attacks have not been considered in much depth. For example, who are these insiders? And what sorts of attacks do they launch? A new joint study by the U.S. Secret Service and the CERT Coordination Center helps shed some light on these questions.
Insider Threat Study: Illicit Cyber Activity in the Banking and Financial Sector examines insider incidents "from both the behavioral and technical perspectives." Investigators carried out a thorough review of 23 incidents (from fraud and the theft of intellectual property to sabotage) perpetrated by 26 insiders and found that most incidents--87 percent--were not technically sophisticated. In these cases, "the insiders employed simple, legitimate user commands" to commit their crimes. Seventy-eight percent of the insiders were authorized users, and almost half used their own usernames and passwords in the attack.
In one case, an employee of a vendor of credit card point-of-sale terminals used social engineering to get authentication information that allowed him to add credit to his own credit card. In another case, a fired employee's access account remained open, allowing him to remotely sabotage the system. Fewer than a quarter of the insiders had a technical position such as a system administrator.
The report shows that many of these insiders were caught by persons not responsible for security, particularly customers; additionally, many were caught through nonautomated procedures (for example, customer complaints, manual account audits, and an inability to log in). Three-quarters of the culprits were identified using system logs.
So what can be done to stop insiders, whether technically sophisticated or not? The report concludes that "the detection and assessment...of insider incidents will continue to require manual diagnosis and analysis," as automated anomaly-detection tools tend to be expensive and reactive. @ Read the full Insider Threat Study at Security Management Online.