Insider Attacks: The Doom of Information Security

Methods to thwart insider attacks: products, techniques and policies

Anton Chuvakin, SecurityWatch research, 07/10/2001

Security is a rapidly changing field of human endeavor. The threats we face literally change every day;
moreover, many security professionals consider the rate of change to be accelerating. On top of that, to
stay in touch with such an ever-changing reality, one has to evolve with the field as well. Thus, even
though I hope that this document will be useful to my readers, please keep in mind that it was possibly
written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.

Summary: this report introduces the internal threat to information security. We consider insider
attacks within the overall framework of information security and their difference from perimeter attacks,
look at the solutions developed so far (technical, legal and psychological) and their inadequacies, and outline
proposals for the most effective countermeasures. We also study current trends in insider attacks. The next
article in the series will provide the guidelines for increasing the level of security against internal attacks for


So, you have a firewall in place, right? Oh, even an Intrusion Detection System. Your security policy is nicely
written and posted all over the company. You accept the fact that nobody is totally safe, but you think you
can manage risks successfully. In this case, it is time to think about the following issues. Can your engineers
access payroll records if they really want to? Would a janitor be able to copy the business plans from your
CEO's computer onto a diskette and sell them to competitors? Can your system administrator encrypt the
access control data and hold the company hostage after being fired? Can your ex-employees get to your
company LAN one year after being let go? If you have indeed thought about those issues and found a way
to resolve them, you are definitely ahead of the pack in the information security race.

Insider threats account for up to 80% of information security related incidents according to recent
surveys. The Computer Security Institute (CSI) and FBI 1998-2001 surveys show that computer-related crimes
and abuse committed by employees have been on a steep rise for at least the last 4 years. The same surveys
also show that most information security losses are due to the theft of proprietary information, a
task most likely performed by insiders. One of the earlier surveys demonstrated that the average damage
from an outside intrusion was $60,000 while the losses caused by the average insider attack exceeded $2.7
million. Companies have been known to go bankrupt due to the theft of their source code or to lose business due to
mayhem caused by ex-employees. The recent FBI spy case also presents a vivid demonstration of the scary power of a well-entrenched insider.

Comparisons of information security to castle defense are always popular. One easily pictures sturdy stone
walls rising steeply above a deep moat full of water, heavy ironclad gates, and bastions with archers and
ballistas. Other metaphors from siege craft abound in information security as well: firewalls, attacks and
intruders are just some examples. It is well known from military history that to take over a castle attackers
need a much larger force than the one hiding in the fortress. Even with overwhelming superiority, the
attack is not a walk in the park. Defenders, located at an elevated position on the walls and towers, usually
can choose from a variety of methods to repel an attack. It is also easy to see that one is coming: from a tall
tower one can detect enemy troop movements at a great distance. Now, just imagine the effect of
somebody opening the castle gate under the cover of darkness to let the invading army in. The tables are
instantly turned: the larger force rushes in and usually overwhelms the defenders. There is also an element of
surprise that gives a crucial advantage in warfare. Such is the effect of insider attacks! And it is typically too
late to sort out who let the enemy in when your town turns into a burning inferno, i.e., when competitors
already know your business plans and new product designs or your company is sued for millions of dollars
by partners who lost money due to a hacker invasion of your network.

Insider attacks also cast a shadow on the company's PR image. Common wisdom holds that if a
company had to sue its own employees, lost revenue due to employee crimes or had to yield to extortion by
former employees, something must be wrong in its environment. Thus, insider attacks are more often
underreported than successful perimeter breaches. This makes the study of internal attacks a complicated
issue with many blank spots in the picture. The enhanced role of human factors, as will be shown below, is
another aspect that contributes to this complexity.

Types of threats

So, what is the dreaded "threat from within"? Internal risks cover a wide variety of human and computer
factors that threaten the IT environment.

Let's study the human threats first. An "insider" is typically an employee, contractor, business partner or
anybody else who has any level of legitimate access to company computing resources.

What are the typical insider goals and objectives? Insiders can violate any of the three "letters" from the
famous information security triad - CIA: Confidentiality, Integrity and Availability. Examples might include
theft or disclosure of proprietary information (violates confidentiality), unauthorized modification of
company data (breaks data integrity) and denial of service attack or destruction of company information
assets (undermines availability). They can be driven by the widest range of reasons, both rational (money,
status, power) and irrational (revenge, frustration, emotional pain, other personal problems). Further, we
will investigate the possibility of early detection of violations based on psychological profiles and character
traits conducive to the above emotional states.

We should note that security against internal threats cannot be reduced to physical security, which serves a
slightly different purpose. For example, shredding confidential documents before trashing them is a physical
security measure aimed against both malicious insiders and outside attackers curious enough to sift
through company garbage. Physical security measures are of utmost importance in the enterprise security
policy, but cannot be considered the sole remedy against insiders.

We can, however arbitrary it might sound, classify insiders by their intent into malicious and non-malicious.

Malicious insiders might want to eavesdrop on private communication, steal or damage data, use
information in violation of company policy or deny access to other authorized users. They can be
motivated by greed, a need for recognition, sabotage (both for hire and to improve their standing at the
expense of others), a desire to make themselves irreplaceable (by creating problems only they can
fix), revenge or other intense negative emotional states. Unstable emotional states in IT employees are a
new popular subject among psychologists. This research might eventually shed some light on how insider
threats originate. The disgruntled employee is a favorite character in the insider threat game. His or her game is
to "undo" the "wrongs" done to them by the company or a particular employee by causing damage to them
or even to extract financial benefits at the expense of those parties.

Non-malicious insiders are users making mistakes that compromise security. Users motivated by their desire
to "explore" the company network or to "improve" how things work with blatant disregard for security
regulations are also in this category. Having no malicious intent, they can still present a serious danger to
the enterprise since they can open a way for outside attackers, erroneously destroy information or
otherwise degrade the integrity and availability of computing resources. Another category of non-malicious
insiders would be an insider operating under the control of a malicious outsider, such as a hacker using Social
Engineering, blackmail or the threat of violence. Infamous Social Engineering techniques such as direct request,
persuasion, threat and other forms of deception are the easiest way to get inside information about the
company. Hackers are known to use Social Engineering to evaluate the target, get initial information about
the protective measures and then possibly launch a full-blown Social Engineering attack by enlisting
insiders to do their bidding. The famous hacker Kevin Mitnick used to boast that he only rarely had to resort to
technical means of attack since usually people just gave him the required data. Descriptions of the known
Social Engineering attack methods are beyond the scope of this document. At the very least, you should
recognize that Social Engineering is a way to easily convert a much harder outside attack into an easy inside
one, effectively opening the castle door for the invaders. One cost-effective way to lower the damage from
Social Engineering attacks is a well-designed security awareness program, which includes a description of
Social Engineering techniques and the signs that an attack is taking place.
Thus, violations committed by insiders can be loosely divided into three categories:

1. Mistakes, honest but no less deadly for security

2. Crimes of opportunity, that are probably preventable by awareness

3. Malicious premeditated crimes, the hardest to stop, but the most rare

Different methods are used to handle each of those threats.

Managing Internal Threats

Several groups of methods have been proposed to manage the risk of internal threats. We classify them into
technological, administrative, legal and psychological methods. We will provide more details about their
application, advantages and disadvantages. It should be noted that their overall effectiveness, even
combined together, is far below that of the existing techniques for perimeter defense.

Overall, to facilitate protection from information threats you should employ the principle of defense in
depth. It means that having a firewall should not stop you from buying an IDS, having the IDS should
not make you avoid host hardening, and having done that should not make you remove the alarm system
from your server room. Some people ask questions such as why they need personal firewalls on all PCs if
they have an enterprise firewall from a leading manufacturer that is believed to be reliable. Defense in
depth is the allocation of trust over several protection mechanisms so that when the firewall fails or is
penetrated, the computers inside will still be able to resist the hazard.

Defense in depth and the application of all appropriate security measures might lead to sacrificing a part of
usability and productivity. Thus, before applying any new security procedures, a cost and benefit analysis
should be performed to determine the need. Defending a local summer camp web server with an enterprise-strength
firewall and a managed security monitoring service is obviously ridiculous. However, determining
the need to spend $10,000 on security in a case where a potential loss of $1 million might happen with a 1%
probability can only be done through careful cost analysis.

Technical methods

Technical methods appear to be the least efficient for fighting insider threats. In recent years, several
products were marketed as counter-insider solutions. Sophisticated intrusion detection or anomaly
detection systems, personal firewalls and end-to-end encryption software were supposed to thwart or
significantly mitigate the threat from within. Encryption, for example, was once presented as the final
solution to the insider threat. In fact, it only stops insiders from listening to the network wire. Moreover,
one should keep in mind that any encryption scheme is only as secure as its endpoints. If one can read another
person's email by sitting at his PC, how is your fancy 128-bit network protection making email more secure?

Intrusion and anomaly detection systems are promising tools to distinguish attack attempts from normal
network traffic even if no vulnerability is exploited (as is often the case for insider attacks). Unfortunately,
current anomaly detection research (directed mostly towards statistical profiling and mathematical
methods to fish for various anomalies in network traffic and host access patterns) does not yet allow for
reliable detection. The systems sometimes produce a flood of false positives, i.e., mistake a normal network
behavior pattern for an intrusion. These systems will help address a big portion of insider network-based
attacks when they mature.

Access controls based on a well-written security policy with clear marking of
resources and of the entities authorized to access them will go further and will at least stop your secretaries from
perusing the payroll database at their leisure. The next level in access control facilities would be the
military-style scheme with information classification and clearances, supported by mandatory access
controls. However, it has been suggested that the differences between business and military security
requirements are too vast to fit into the logically simpler military scheme. For instance, classifying corporate
information into various security classes proves to be an unfeasible task. Overall, creating and maintaining
such an environment is very expensive, might require special hardware or software (some of it might not
even be off-the-shelf) and dedicated administrative staff with rare and highly advanced skills. All other
personnel will also have to be retrained for the use of the new IT infrastructure. The impact on usability and
productivity is likely to be disastrous as well. Some degree of "need to know" basis will definitely help to
combat the internal risks in the corporate environment. It might simply mean giving each employee just
enough privileges to do his or her job, but no more. Keeping track of this might require
extra effort by your security administrators, but it will most certainly pay off in case of an attempted intrusion.

It is evident that the company firewall that separates the internal networks from the hostile Internet offers
absolutely no protection against internal threats. However, information flow might be
compartmentalized using a set of internal firewalls to cut the company LAN into comparatively
independent subnetworks. This measure is a commonly suggested security feature that also helps against
outside hackers who have already entrenched themselves in the company network and against the spread of
certain kinds of malware such as worms. Moreover, if your engineers spend time hacking at the internal
firewalls instead of working productively, you have more serious troubles than can be cured by a firewall.
When using firewalls to partition your LAN, always remember that the "Titanic" was also divided into 16
separate watertight compartments that were supposed to make it "unsinkable"...

Another avenue of technology-based protection is employee monitoring. The companies that sell content
filtering and personnel monitoring equipment are quick to claim that if you record every keystroke, store all
email traffic and network access logs and utilize video surveillance, you can be reasonably sure you are safe.
The first objection that comes to mind is "what about the people who scan the logs, man the displays, read your
email?" Who is watching the watchers? Another set of even more trusted elite employees? Ok, so who is
watching over their shoulders? Some reports also indicate that many highly invasive measures, while being
legal, can poison the atmosphere, lower employee morale and create a climate of unneeded paranoia. If
you are required to be subjected to fingerprint scanning before you are allowed to touch the office
trashcan, even good employees might rebel and leave the company. There is a fine balance between
trusting your employees and cultivating more company loyalty, and trusting them too much and allowing for
abuse and other violations. Here we are not talking about nuclear facilities, missile bases or shadowy NSA
compounds, but a business environment that always has its own secrets. Security monitoring is useful to
combat a certain narrow range of threats such as Internet access abuse or harassing email messages, but
hardly goes beyond that. To control costs, a selective monitoring program might be introduced as part of a
general information security awareness program. It will serve to enhance security in the organization and to
guide employees towards acceptable practices in case of problems. The security department can "offer
help" in accessing company resources upon detecting an unauthorized access attempt, by contacting the
employee with the proper procedure for access to the resource. A sample follows: "Hello! John? This is the
security department. We have noticed that you tried to get into the accounting database from your
computer. To do that you just have to fill out form ABC-123 at the Accounting Department and get a
temporary access code. Thanks for your cooperation!"

Keeping a detailed audit trail is considered an important part of security monitoring. This part is
indispensable for tracking insider violations. All critical systems should record an audit trail of all user
actions, network accesses and sensitive file accesses. Guidelines for system auditing are freely available
and should be followed. The art and science of system auditing calls for an effective configuration of audit
controls, which is highly non-trivial; otherwise the information flow will be huge and thus unmanageable, so
that nobody will pay any attention to the audit data. Reliable audit data will not stop an enemy, but will greatly
assist in determining his or her identity, which is usually well covered in insider attacks.
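The "need to know" access controls and the audit trail discussed above only pay off when somebody actually reviews the trail against the policy. The following is an added example, not code from the original article: it reads a few constructed audit records in a key=value format (the field names, user roles and resource names are all assumptions) and checks each one against a need-to-know table, separating denied attempts by unauthorized users (the control held, but the "offer help" call is warranted) from successful ones (the control itself failed), and flagging off-hours use of sensitive resources.

```python
"""Review an audit trail against a need-to-know access policy.

Constructed example: a few audit records in a simple key=value format,
a user-to-role map and a resource authorization table. Flags
(a) accesses by users whose role is not on the resource's authorized
list, separating denied attempts from successful ones, and
(b) successful sensitive-resource access outside business hours.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: who holds which role (in practice, from HR/IdM).
USER_ROLES = {
    "jsmith": "engineering",
    "mlee": "accounting",
    "root-ops": "sysadmin",
    "kpatel": "engineering",
}

# Need-to-know table: resource -> roles allowed to touch it.
AUTHORIZED = {
    "payroll_db": {"accounting"},
    "source_repo": {"engineering", "sysadmin"},
    "business_plans": {"executive"},
}

SENSITIVE = {"payroll_db", "business_plans"}
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 counts as normal

# Constructed audit lines, as a critical system might emit them.
SAMPLE_AUDIT = """\
2001-07-10T09:12:44 user=mlee src=10.0.3.17 resource=payroll_db action=read result=success
2001-07-10T09:40:02 user=jsmith src=10.0.5.21 resource=payroll_db action=read result=denied
2001-07-10T10:05:11 user=jsmith src=10.0.5.21 resource=source_repo action=write result=success
2001-07-10T23:31:57 user=mlee src=10.0.3.17 resource=payroll_db action=export result=success
2001-07-11T02:14:09 user=kpatel src=10.0.5.30 resource=business_plans action=read result=success
"""


@dataclass
class Finding:
    severity: str
    user: str
    resource: str
    reason: str


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(audit_text):
    """Return a list of Finding objects, in audit order."""
    findings = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, res = rec["user"], rec["resource"]
        role = USER_ROLES.get(user, "unknown")
        ok = rec["result"] == "success"
        if role not in AUTHORIZED.get(res, set()):
            if ok:
                # The control failed: an unauthorized role got through.
                findings.append(Finding("high", user, res,
                                        "access granted outside need-to-know"))
            else:
                # The control held; still worth the "offer help" call.
                findings.append(Finding("medium", user, res,
                                        "attempt by unauthorized role"))
        elif ok and res in SENSITIVE and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(Finding("low", user, res,
                                    f"off-hours {rec['action']} at {rec['ts']:%H:%M}"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT):
        print(f"[{f.severity}] {f.user} -> {f.resource}: {f.reason}")
```

Keeping the authorization table small and reviewing only policy deviations is what keeps the audit volume manageable, as the paragraph above demands.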

Unfortunately, however many protection and monitoring mechanisms are in place, the risk of disclosure by
authorized employees is totally indefensible by technical methods. If you have a valid reason to access
company new product plans or if you are a chief designer of the above plans, no technical controls will stop
you from selling them to the highest bidder. To lessen this exposure we should look beyond the software.

Legal and administrative methods

Legal prevention mechanisms should be viewed as part of an enterprise security awareness program. The
personnel should be aware of the applicable national and local laws, company regulations and the
procedures for their application in their working environment. Ideally, the implications of a potential
violation should be clearly stated. Examples include "disclosure of this information is punished by a
$100,000 fine and a jail sentence of up to 5 years", "employees who violate this rule are subject to
immediate termination" and so on.
Legal means include various non-disclosure clauses, legal warnings and the general fear of prosecution. A
non-disclosure agreement is a valid way to keep company secrets private. Your company's legal department
should prepare this document since there are many possible loopholes that might arise in case of a lawsuit.
A legal disclaimer should be shown before access to a resource is granted. Resources might include
company computer systems or intranet web pages "for internal use only". The more often it is shown to a
user, the more likely he or she will remember it when about to abuse a company resource. Here is a
sample disclaimer shown before the sign-on process:

"The information that you are about to access is Company confidential and part of a proprietary database.
By your actions (which may be monitored) of logging in to this database, you acknowledge that you are a
XYZ, Inc employee or authorized sub-contractor with an authorized account on this XYZ, Inc provided
system, and such information is Company confidential and part of a proprietary database, you will not share
such information with anyone who does not have the right to view it, and the treatment of this information
is governed by the applicable employee policy acknowledged by you, which provides, in part, that
confidential information will not be shared with others who do not have access privileges to this system.
Violation of your confidentiality obligations will result in disciplinary action, up to and including termination
and may subject the offender to criminal liability."

Development of such controls is to be conducted as a joint effort of IT and legal departments.

Information security policy also plays a huge role in administrative protection from insider threats since it
outlines the acceptable use of information systems in the company. The important issue related to the
information security policy is its wide dissemination. Every employee should know about the authorized use
of company computing resources and company expectations of its employees. Regular training might be
required to keep the employees current about the policy changes. The training should be designed not only
to make employees know about the policy, but to make them comply with its regulations.

Separation of duties is yet another administrative control. This is similar to the military procedure in which more
than one person is needed to launch a ballistic missile. If a single person is responsible for making
backups, storing them, verifying them and delivering them to off-site storage, it creates a catastrophic single
"point of failure". If that administrator develops an emotional instability or just a strong dislike for his or her
supervisor, disastrous consequences are soon to follow. No technology that has the potential to "make or
break" the company should be controlled by a single person.

Proper termination of employment and of all access rights is also an easy administrative method that costs
little, but saves a lot in case leaving employees harbor any sort of negative feelings towards the company and
are prepared to act on them. Former administrators causing chaos in their former networks have been reported
several times in recent years. This measure is extremely simple, very effective and unfortunately is
most often forgotten by companies!
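Because this step is so often forgotten, it is worth checking mechanically. The following added example (not code from the original article) reconciles a constructed HR list of departed employees against a constructed account inventory and ranks the leftovers: an account that was actually used after the termination date is the "ex-employee on the LAN a year later" case from the opening of the paper, while an enabled but unused one is an open door waiting to be tried. The record fields, the one-day grace window and the sample dates are all assumptions.

```python
"""Reconcile enabled accounts against HR termination records.

Constructed example: HR supplies termination dates, the account
inventory (directory, VPN, etc.) supplies an enabled flag and the
last login. Accounts still enabled past a short offboarding window
are reported, with those used after termination ranked highest.
"""
from datetime import date, timedelta

# Constructed HR feed: username -> termination date (ISO 8601).
TERMINATED = {
    "bjones": "2000-06-30",
    "rgarcia": "2001-05-15",
    "tnguyen": "2001-07-02",
}

# Constructed account inventory as exported from the LAN directory.
ACCOUNTS = [
    {"user": "bjones", "enabled": True, "last_login": "2001-07-08"},
    {"user": "rgarcia", "enabled": True, "last_login": "2001-05-14"},
    {"user": "tnguyen", "enabled": False, "last_login": "2001-07-01"},
    {"user": "mlee", "enabled": True, "last_login": "2001-07-09"},
]

GRACE = timedelta(days=1)  # tolerate same-day offboarding lag (assumption)
RANK = {"critical": 0, "high": 1}


def stale_accounts(accounts, terminated, today_iso):
    """Return (user, severity, detail) tuples for accounts left open after termination.

    'critical' means the account was used after the termination date;
    'high' means it is merely still enabled. Results are sorted by severity.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        term_iso = terminated.get(acct["user"])
        if term_iso is None or not acct["enabled"]:
            continue  # still employed, or already disabled: nothing to do
        term = date.fromisoformat(term_iso)
        if today - term <= GRACE:
            continue  # inside the offboarding window, not yet overdue
        last_login = date.fromisoformat(acct["last_login"])
        if last_login > term:
            sev = "critical"
            detail = f"used {(last_login - term).days} days after termination"
        else:
            sev = "high"
            detail = f"open {(today - term).days} days past termination, unused"
        findings.append((acct["user"], sev, detail))
    findings.sort(key=lambda f: RANK[f[1]])  # stable: keeps inventory order within a rank
    return findings


if __name__ == "__main__":
    for user, sev, detail in stale_accounts(ACCOUNTS, TERMINATED, "2001-07-10"):
        print(f"[{sev}] {user}: {detail}")
```

Feeding the same reconciliation the list of contractors and business partners, who the paper counts as insiders too, is the natural extension.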

To conclude, most of the legal protection mechanisms work to stop the "crime of opportunity"-type
offenses and not the malicious premeditated crimes. A mole specially planted to discover company secrets,
an insider hoping for a big financial gain, or a person under intense emotional pressure or blinded by his or
her desire for revenge is usually more risk tolerant and thus likely to ignore legal warnings. Fighting those
categories will require more sophisticated (which almost always means more expensive) methods.

Psychological methods

The idea of applying psychological profiling, similar to that used to track serial killers and terrorists, to
computer crimes committed by insiders only recently came to light, when the first systematic data on
insider attacks became available.

Personnel security audit, as suggested by Dr Eric Shaw and Dr Jerrold Post of Political Psychology Associates
in (with specific details at is a way to approach internal threats by
studying the potential perpetrators using profiling techniques, pre-employment screening, detection of risky
character traits and their tracking, security awareness training and effective intervention by human
resources specialists. Another component of this program is setting up online (possibly anonymous) contact
points for personnel professionals to interact with IT employees in order to detect early danger signs.

Dr Post and others outline three major obstacles to the widespread use of these techniques: high costs,
complex technical challenges and the isolated position of most information security groups within corporate
bureaucracies. Almost no company can afford an infosec-trained psychologist, particularly considering the
fact that there are not many of them around. Even routine background checks are only done by the most
security-conscious organizations such as the military and intelligence. The mentioned lack of expertise is
further compounded by the introverted nature of many IT employees. This means that untrained observers do
not see many of the danger signs until the damage is already done. However, some of the more common
sense ways to observe employee behavior (such as a change in their office social habits) can be done by

Dr Post has also developed a classification of insider types (available by their motivation, purpose and typical
actions. The general list of personality traits that make an individual more prone to becoming an insider
threat was also proposed ( Those are

1. Frustrations

2. Computer dependency

3. Ethical flexibility

4. Reduced loyalty

5. Entitlement

6. Lack of empathy

Having any or all of those characteristics, common among IT professionals, does not compel one to attack one's
company, to blackmail, extort, steal or destroy. However, people possessing these traits under certain
conditions of emotional stress are much more likely to cause problems. Combined with intense stress
and a lack of supervisor interaction, those traits have often led to security compromises, including breaches of
national security. Unfortunately, accurate identification of those signs and especially the actions required
upon their detection require a high level of proficiency in the fields of psychology and information security.
Even with highly trained personnel professionals present (such as in intelligence services), the precise
identification of future intruders is not always possible. This fact is demonstrated by most of the recent
spying cases, such as the recent FBI Robert Hanssen case. It is interesting to note that Hanssen's job was closely
related to information technology and one of his alleged crimes involves unauthorized accesses to FBI

Another risk factor is that such employees, even if detected and let go before they explode, are in a perfect
position to launch Social Engineering attacks by abusing the trust of their former coworkers. This risk can be
managed by maintaining a high degree of security awareness among employees.


The insider threat will remain a primary information security risk for the foreseeable future. The number of diverse
factors (technical, administrative, psychological) contributing to the problem makes it one of the toughest
challenges in information security. In addition, combined with the high potential financial and reputation loss
suggested by the recent surveys, it deserves more attention than it is currently given. Our analysis
suggests that only by making use of a well-balanced prevention program that includes technical (protective
hardware and software, online communication monitoring), administrative (legal disclaimers, awareness
programs, proper termination handling) and psychological (employee screening and profiling, training
managers to identify internal threats) measures can one hope to mitigate the risks. This program
should be based on the organization's security policy, designed using a comprehensive resource and threat
assessment. Another important aspect is the need for strict security policy enforcement - every employee
should know what is prohibited and why no exceptions are tolerated. Having a security policy is a
huge step in the right direction for a company; however, such a policy should be willingly followed by all
employees, from janitor to CEO - only in this case will the internal threat become just another factor in
information security management rather than an unstoppable force that can destroy the company.

This is an updated author bio, added to the paper at the time of reposting in 2011.

Dr. Anton Chuvakin ( is a recognized security expert in the field of log management and
PCI DSS compliance. Anton leads his security consulting practice,
focusing on logging, SIEM, security strategy and compliance for security vendors and Fortune 500

He is an author of books "Security Warrior" and "PCI Compliance" ( and a
contributor to "Know Your Enemy II", "Information Security Management Handbook"; and now working on
a book about system logs. Anton has published dozens of papers on log management, correlation, data
analysis, PCI DSS, security management (see list His blog is
one of the most popular in the industry.

In addition, Anton teaches classes (including his own SANS class on log management) and presents at many
security conferences across the world; he recently addressed audiences in United States, UK, Singapore,
Spain, Russia and other countries. He works on emerging security standards and serves on advisory boards
of several security start-ups.

Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton
worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of
logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor
in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
