
Insider Attacks: The Doom of Information Security

Methods to thwart insider attacks: products, techniques and policies

Anton Chuvakin, Ph.D.

WRITTEN: 2002

DISCLAIMER:
Security is a rapidly changing field of human endeavor. Threats we face literally change every day;
moreover, many security professionals consider the rate of change to be accelerating. On top of
that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as
well. Thus, even though I hope that this document will be useful to my readers, please keep in
mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have
gone 404; please Google around.

Summary: this report introduces the internal threat to information security. We consider
insider attacks within the overall framework of information security and their difference
from perimeter attacks, look at the existing solutions (technical, legal and
psychological) and their inadequacies, and outline proposals for the most effective
countermeasures. We also study current trends in insider attacks.

Overview

So, you have a firewall in place, right? Oh, even an Intrusion Detection System? Your
security policy is nicely written and posted all over the company. You accept the fact that
nobody is totally safe, but you think you can manage risks successfully. In this case, it is
time to think about the following issues. Can your engineers access payroll records if they
really want to? Would a janitor be able to copy the business plans from your CEO's
computer onto a diskette and sell them to competitors? Can your system administrator
encrypt the access control data and hold the company hostage after being fired? Can
your ex-employees get into your company LAN one year after being let go? If you have
indeed thought about those issues and found a way to resolve them, you are definitely
way ahead of the pack in the information security race.

Insider threats account for up to 80% of the information security related incidents
according to some recent surveys. Computer Security Institute (CSI) and FBI 1998-2002
surveys show that computer-related crimes and abuse committed by the employees are
on the rise for at least the last 4 years. The same surveys also show that most of the
information security losses are due to the theft of proprietary information, the task most
likely performed by insiders. One of the earlier surveys demonstrated that the average
damage from an outside intrusion was $60,000 while the losses caused by the average
insider attack exceeded $2.7 million. Companies have been known to go bankrupt due to the
theft of their source code or to lose business due to mayhem caused by ex-employees
(http://www.computerworld.com/itresources/rcstory/0,4167,STO61983_KEY73,00.html?&_ref=1131579460).
The recent FBI spy case also presents a telling demonstration of the scary power of a well-
entrenched insider.

Comparisons of information security to the castle defense are always popular. One easily
pictures sturdy stone walls rising steeply above the deep moat full of water, heavy ironclad
gates, and bastions with archers and ballistas. Other metaphors from siege craft abound
in information security as well. Firewalls, bastion hosts, attacks, intruders are just some
examples. It is well known from military history that to take over a castle attackers need a
much larger force than the one hiding in the fortress. Even with an overwhelming
superiority, the attack is not a walk in the park. Defenders, located at an elevated position
on the walls and towers, usually can choose from a variety of methods to repel an attack.
It is also easy to see that one is coming your way: from a tall tower one can detect the
enemy troop movements at a great distance. Now, just imagine the effect of somebody
opening the castle gate under the cover of darkness to let the invading army in. The tables
are instantly turned: the larger force rushes in and usually overwhelms the defenders.
There is also an element of surprise that gives a crucial advantage in warfare. Such is the
effect of insider attacks! And it is typically too late to sort out who let the enemy in when
your town turns into a burning inferno i.e. when the competitors already know your
business plans and new product designs or your company is sued for millions of dollars by
partners who lost money due to hacker invasion into your network.

Insider attacks may also cast a dark shadow on a company's PR image. Common
wisdom holds that if a company had to sue its own employees, lost revenue due to
employee crimes or had to yield to extortion by former employees, something must be
wrong in its environment. Thus, insider attacks are underreported more often than
successful perimeter breaches. This makes the study of internal attacks a complicated issue
with many blank spots in the picture. The enhanced role of human factors, as will be shown
below, is another aspect that contributes to this complexity.

Types of threats

So, what is the dreaded "threat from within"? Internal risks cover a wide variety of human
and computer factors that threaten the IT environment.

Let's study the human threats first. An "insider" is typically an employee, contractor, business
partner or anybody else who has any level of legitimate access to company computing
resources.

What are the typical insider goals and objectives? Insiders can violate any of the three
"letters" from the famous information security triad - CIA: Confidentiality, Integrity and
Availability. Examples might include theft or disclosure of proprietary information (violates
confidentiality), unauthorized modification of company data (breaks data integrity) and
denial of service attack or destruction of company information assets (undermines
availability). They can be driven by the widest range of reasons, both rational (money,
status, power) and irrational (revenge, frustration, emotional pain, other personal
problems). Further, we will investigate the possibility of early detection of violations based
on psychological profiles and character traits conducive to the above emotional states.

We should note that security against internal threats cannot be reduced to physical
security, which serves a slightly different purpose. For example, shredding confidential
documents before trashing them is a physical security measure aimed against both
malicious insiders and outside attackers curious enough to sift through company garbage.
Physical security measures are of utmost importance in the enterprise security policy, but
cannot be considered the sole remedy against insiders.

We can, however arbitrary it might sound, classify insiders by their intent into malicious
and non-malicious insiders. Malicious insiders might want to eavesdrop on private
communication, steal or damage data, use information in violation of company policy or
deny access to other authorized users. They can be motivated by greed, a need for
recognition, sabotage (both for hire and to improve their standing at the expense of
others), a desire to make themselves irreplaceable (by creating problems only
they can fix), revenge or other intense negative emotional states. Unstable emotional states
in IT employees are a new popular subject among psychologists. This research might
eventually shed some light on how insider threats originate. The disgruntled employee is a
favorite character in the insider threat game. His or her game is to "undo" the "wrongs"
done to them by the company or a particular employee by causing damage to them, or
even to extract financial benefits at the expense of those parties.

Non-malicious insiders are users making mistakes that compromise security. Users
motivated by their desire to "explore" the company network or to "improve" how things
work, with blatant disregard for security regulations, are also in this category. Having no
malicious intent, they can still present a serious danger to the enterprise since they can
open a way for outside attackers, erroneously destroy information or otherwise degrade
the integrity and availability of computing resources. Another category of non-malicious
insiders is an insider operating under the control of a malicious outsider, such as a hacker
using Social Engineering, blackmail or threat of violence. Infamous Social Engineering
techniques such as direct request, persuasion, threat and other forms of deception are the
easiest way to get inside information about the company. Hackers are known to use
Social Engineering to evaluate the target, get initial information about the protective
measures and then possibly launch a full-blown Social Engineering attack by enlisting
insiders to do their bidding. The famous hacker Kevin Mitnick used to boast that he only
rarely had to resort to technical means of attacking systems, since usually people just gave
him the required data. Descriptions of the known Social Engineering attack methods are
beyond the scope of this document. At the very least, you should recognize that Social
Engineering is a way to easily convert a much harder outside attack into an easy inside
one, effectively opening the castle door for the invaders. One cost-effective way to lower
the damage from Social Engineering attacks is a well-designed security awareness
program, which includes a description of Social Engineering techniques and of the signs that
an attack is taking place. Penetration testing for Social Engineering attacks is described
in the Open Source Security Testing Methodology Manual (OSSTMM) available at
http://www.osstmm.org.
Thus, violations committed by insiders can be loosely divided into three categories:

1. Mistakes, honest but no less deadly for security
2. Crimes of opportunity, which are probably preventable by awareness
3. Malicious premeditated crimes, the hardest to stop but the rarest

Different methods are used to handle each of those threats.

Managing Internal Threats

Several groups of methods have been proposed to manage the risk of internal threats. We
classify them into technological, administrative, legal and psychological methods and
provide more details about their application, advantages and disadvantages. It should be
noted that their overall efficiency, even when combined, is far below that of the existing
techniques for network perimeter defense.

Overall, to facilitate protection from information threats one should employ the principle of
defense in depth. It means that having a firewall should not stop you from buying an IDS,
having the IDS should not make you skip host hardening, and having done that
should not make you remove the alarm system from your server room. Some people ask
questions such as why they need personal firewalls on all PCs if they have an enterprise
firewall from a leading manufacturer that is believed to be reliable. Defense in depth is the
allocation of trust over several protection mechanisms so that when the firewall fails or is
penetrated, the computers inside will still be able to resist the hazard. Centralized
collection and analysis of all audit trails is of crucial importance as well.

Defense in depth and the application of all appropriate security measures might lead to
sacrificing part of the system's usability. Thus, before applying any new security procedures,
a cost and benefit analysis should be performed to determine the business need.
Defending a local summer camp web server with an enterprise-strength firewall and a
managed security monitoring service is obviously ridiculous. However, determining the
need to spend $10,000 on security in a case where a potential loss of $1 million might happen
with a 1% probability can only be done through careful cost analysis.

Technical methods

Technical methods appear to be the least efficient for fighting insider threats. In recent
years, several products were marketed as counter-insider solutions. Sophisticated
intrusion detection or anomaly detection systems, personal firewalls and end-to-end
encryption software were supposed to thwart or significantly mitigate the threat from within.
Encryption, for example, was once presented as the final solution to the insider threat. In
fact, it only stops insiders from listening to the network wire. Moreover, one should keep in
mind that any encryption scheme is only as secure as its endpoints. If one can read another
person's email by sitting at his PC, how is your fancy 128-bit network protection making
email more secure? Intrusion and anomaly detection systems are promising tools for
distinguishing attack attempts from normal network traffic even if no vulnerability is exploited
(as is often the case for insider attacks). Unfortunately, current anomaly detection
research (directed mostly towards statistical profiling and mathematical methods to fish for
various anomalies in network traffic and host access patterns) does not allow for reliable
detection. The systems sometimes produce a flood of false positives, i.e., they take a normal
network behavior pattern for an intrusion. These systems will help address a big portion
of insider network-based attacks when they mature. The value of intrusion detection
systems can be significantly increased by configuring them to report to a centralized log
analysis solution. In this case, one is able to correlate the IDS data with other security
information sources and to distinguish false positives from real attacks.

Access controls based on a well-written security policy with clear marking of resources
and entities authorized to access them will go further and will at least stop your secretaries
from perusing the payroll database at their leisure. The next level in access control
facilities would be the military-style scheme with information classification and clearances,
supported by mandatory access controls. However, it has been suggested that the
differences between business and military security requirements are too vast to fit into the
logically simpler military scheme. For instance, classifying corporate information into
various security classes proves to be an unfeasible task. Overall, creating and
maintaining such an environment is very expensive, might require special hardware or
software (some of it might not even be off-the-shelf) and dedicated administrative staff
with rare and highly advanced skills. All other personnel will also have to be retrained for
the use of the new IT infrastructure. The impact on usability and productivity is likely to be
disastrous as well. Some degree of "need to know" basis will definitely help to combat the
internal risks in the corporate environment. It might simply mean giving each employee
just enough privileges to do his or her job, but no more. Keeping track of this
might require extra effort by your security administrators, but it will most certainly
pay off in case of an attempted intrusion.

It is evident that a company firewall that separates the internal networks from the hostile
Internet offers absolutely no protection against internal threats. However, information
flow might be compartmentalized using a set of internal firewalls to cut the company
LAN into comparatively independent subnetworks. This measure is a commonly
suggested security feature that also helps against outside hackers who have already
entrenched themselves in the company network, and against the spread of certain kinds
of malware such as worms. Moreover, if your engineers spend time hacking at the internal
firewalls instead of working productively, you have more serious troubles than can be
cured by a firewall. When using firewalls to partition your LAN, always remember that
the "Titanic" was also divided into 16 separate watertight compartments that were supposed
to make it "unsinkable"...

Another avenue of technology-based protection is employee monitoring. The companies
that sell content filtering and personnel monitoring equipment are quick to claim that if you
record every keystroke, store all email traffic and network access logs and utilize video
surveillance, you can be reasonably sure you are safe. The first objection that comes to
mind is "what about the people who scan the logs, man the displays, read the email?" Who is
watching the watchers? Another set of even more trusted elite employees? Ok, so who is
watching over their shoulders? Some reports also indicate that many highly invasive
measures, while legal, can poison the atmosphere, lower employee morale and
create a climate of unneeded paranoia. If you are required to be subjected to fingerprint
scanning before you are allowed to touch the office trashcan, even good employees might
rebel and leave the company. There is a fine balance between trusting your employees,
thereby cultivating more company loyalty, and trusting them too much and allowing for abuse and
other violations. Here we are not talking about nuclear facilities, missile bases or shadowy
NSA compounds, but about a business environment that always has its own secrets. Employee
monitoring is useful to combat a certain narrow range of threats such as Internet access
abuse or harassing email messages, but hardly goes beyond that. To control costs, a
selective monitoring program might be introduced as part of a general information security
awareness program. It will serve to enhance security in the organization and to guide
employees towards acceptable practices in case of problems. The security department
can "offer help" in accessing company resources upon detecting an unauthorized access
attempt, by contacting the employee with the proper procedure for access to the
resource. A sample follows: "Hello! John? This is the security department. We have noticed
that you tried to get into the accounting database from your computer. To do that you just
have to fill out form ABC-123 at the Accounting Department and get a temporary access
code. Thanks for your cooperation!"

Keeping a detailed audit trail is considered an important part of security monitoring. This
part is indispensable for tracking insider violations. All critical systems should record
an audit trail of user actions, network accesses and sensitive file accesses and send it to a
centralized location for automated analysis. Guidelines for system auditing are freely
available and should be followed. The art and science of system auditing calls for an
effective configuration of audit controls and analysis of the collected data, which is highly non-
trivial; otherwise the information flow will be unmanageable and nobody will pay any
attention to audit data. Reliable audit data will not stop an enemy, but will greatly assist in
determining his or her identity, which is usually well hidden in insider attacks.
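As an added illustration of the centralized audit analysis described above, together with the "need to know" privilege model and the "offer help" response to blocked access attempts discussed earlier, the following Python script (not code from the paper) runs a few constructed audit records against an assumed role-to-resource policy and an assumed list of terminated accounts. All users, resources, dates and thresholds are invented; the script also flags activity by accounts that should have been revoked, which the paper raises as the ex-employee problem.

```python
from collections import Counter
from datetime import datetime

# Need-to-know policy: resources each role may use (assumed, not from the paper).
ROLE_ACCESS = {
    "engineer": {"source-repo", "build-server"},
    "accountant": {"payroll-db", "accounting-db"},
    "sysadmin": {"source-repo", "build-server", "backup-server"},
}
USER_ROLE = {"alice": "engineer", "bob": "accountant", "carol": "sysadmin", "dave": "engineer"}

# Accounts whose employment has ended, with the termination date (constructed);
# any activity on or after that date means access was not properly revoked.
TERMINATED = {"dave": datetime(2002, 3, 1)}

# Resources whose use outside business hours deserves a second look.
SENSITIVE = {"payroll-db", "accounting-db", "backup-server"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59

# Constructed audit records in the form: timestamp user resource action result
SAMPLE_AUDIT = """\
2002-03-04T09:12:00 alice source-repo read allowed
2002-03-04T09:15:10 alice payroll-db read denied
2002-03-04T09:15:40 alice payroll-db read denied
2002-03-04T09:16:05 alice payroll-db read denied
2002-03-04T10:02:00 bob accounting-db write allowed
2002-03-04T11:00:00 alice accounting-db read allowed
2002-03-04T23:41:00 carol backup-server read allowed
2002-03-05T02:10:00 dave build-server login allowed
"""

# Follow-up for each alert kind: the "offer help" call for blocked attempts,
# escalation for everything else.
RESPONSE = {
    "repeated-denied-access": "contact the user with the proper access-request procedure",
    "policy-violation-allowed": "review the access control list; access succeeded outside the role",
    "off-hours-sensitive-access": "confirm the activity with the user's manager",
    "terminated-account-activity": "disable the account immediately and investigate",
}


def parse_line(line):
    """Split one audit record into its fields."""
    ts, user, resource, action, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "resource": resource, "action": action, "result": result}


def analyse(audit_text, repeat_threshold=3):
    """Return a list of (kind, user, resource, detail) alerts for the audit text."""
    alerts = []
    denied = Counter()  # (user, resource) -> number of denied attempts so far
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, resource, ts = rec["user"], rec["resource"], rec["ts"]

        # 1. Any activity by an account that should have been revoked.
        if user in TERMINATED and ts >= TERMINATED[user]:
            alerts.append(("terminated-account-activity", user, resource,
                           "terminated %s" % TERMINATED[user].date()))
            continue

        # 2. Access outside the user's need-to-know, whether or not it was blocked.
        permitted = ROLE_ACCESS.get(USER_ROLE.get(user), set())
        if resource not in permitted:
            if rec["result"] == "allowed":
                alerts.append(("policy-violation-allowed", user, resource, rec["action"]))
            else:
                denied[(user, resource)] += 1
                if denied[(user, resource)] == repeat_threshold:
                    alerts.append(("repeated-denied-access", user, resource,
                                   "%d denied attempts" % repeat_threshold))

        # 3. Sensitive resource used outside business hours, even when within role.
        if resource in SENSITIVE and ts.hour not in BUSINESS_HOURS and rec["result"] == "allowed":
            alerts.append(("off-hours-sensitive-access", user, resource, ts.strftime("%H:%M")))
    return alerts


def report(audit_text):
    """Pair each alert with the follow-up action the security department should take."""
    return [(alert, RESPONSE[alert[0]]) for alert in analyse(audit_text)]


if __name__ == "__main__":
    for alert, action in report(SAMPLE_AUDIT):
        print("%-28s %-6s %-14s %-22s -> %s" % (alert[0], alert[1], alert[2], alert[3], action))
```

On the sample records this produces four alerts: the repeated denials against the payroll database (handled with the "offer help" call), one successful access outside the user's role, one off-hours use of the backup server, and one login by a terminated account.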

Unfortunately, however many protection and monitoring mechanisms are in place, the risk
of disclosure by authorized employees is totally indefensible by technical methods. If you
have a valid reason to access company new product plans or if you are a chief designer of
the above plans, no technical controls will stop you from selling them to the highest bidder.
To lessen this exposure we should look beyond the technology.

Legal and administrative methods

Legal prevention mechanisms should also be viewed as a part of an enterprise security
awareness program. The personnel should be aware of the applicable national and local
laws, company regulations and the procedures for their application in their work
environment. Ideally, the implications of a potential violation should be clearly stated.
Examples include "disclosure of this information is punished by a $100,000 fine and a
jail sentence of up to 5 years", "employees who violate this rule are subject to immediate
termination" and so on.
Legal means include various non-disclosure clauses, legal warnings and the general fear of
prosecution. A non-disclosure agreement is a valid way to keep company secrets private.
Your company legal department should prepare this document, since there are many
possible loopholes that might arise in case of a lawsuit. A legal disclaimer should be shown
before access to a resource is granted. Resources might include company computer
systems or intranet web pages "for internal use only". The more often it is shown to a
user, the more likely it is to be remembered when he or she is about to abuse a
company resource. Here is a sample disclaimer shown before the sign-on process:

"The information that you are about to access is Company confidential and part of a
proprietary database. By your actions (which may be monitored) of logging in to this
database, you acknowledge that you are a XYZ, Inc employee or authorized sub-
contractor with an authorized account on this XYZ, Inc provided system, and such
information is Company confidential and part of a proprietary database, you will not share
such information with anyone who does not have the right to view it, and the treatment of
this information is governed by the applicable employee policy acknowledged by you,
which provides, in part, that confidential information will not be shared with others who do
not have access privileges to this system. Violation of your confidentiality obligations will
result in disciplinary action, up to and including termination and may subject the offender
to criminal liability."

Development of such controls is to be conducted as a joint effort of the IT and legal
departments.

The information security policy also plays a huge role in administrative protection from insider
threats since it outlines the acceptable use of information systems in the company. An
important issue related to the information security policy is its wide dissemination. Every
employee should know about the authorized use of company computing resources and the
company's expectations of its employees. Regular training might be required to keep
employees current about policy changes. The training should be designed not only to
make employees aware of the policy, but to make them comply with its regulations.

Separation of duties is yet another administrative control. It is similar to the military
procedure in which more than one person is needed to launch a ballistic missile. If a single
person is responsible for making backups, storing them, verifying them and delivering them to
off-site storage, it creates a catastrophic single "point of failure". If that administrator
develops an emotional instability or just a strong dislike for his or her supervisor,
disastrous consequences are soon to follow. No technology that has the potential to "make
or break" the company should be controlled by a single person.

Proper termination of employment and of all access rights is also an easy administrative
method that costs little, but saves a lot in case departing employees harbor any sort of
negative feelings towards the company and are prepared to act on them. Former
administrators causing chaos in their former networks have been reported several times in
recent years. This measure is extremely simple, very effective and, unfortunately, most
often forgotten by companies!

To conclude, most of the legal protection mechanisms work to stop "crime of
opportunity"-type offenses and not malicious premeditated crimes. A mole specially
planted to discover company secrets, an insider hoping for a big financial gain, or a person
under intense emotional pressure or blinded by his or her desire for revenge is usually
more risk tolerant and thus likely to ignore legal warnings. Fighting those categories will
require more sophisticated (which almost always means more expensive) methods.

Psychological methods

The idea of using psychological profiling, similar to that used to track serial killers and
terrorists, for computer crimes committed by insiders only recently came to light, when the
first systematic data on insider attacks became available.

A personnel security audit, as suggested by Dr Eric Shaw and Dr Jerrold Post of Political
Psychology Associates (www.pol-psych.com), is a way to approach internal threats by
studying the potential perpetrators using profiling techniques, pre-employment screening,
detection and tracking of risky character traits, security awareness training and
effective intervention by human resources specialists. Another component of this program
is setting up online (possibly anonymous) contact points for personnel and HR
professionals to interact with IT employees in order to detect early danger signs.

Dr Post and others outline three major obstacles to the widespread use of these
techniques: high costs, complex technical challenges and the isolated position of most
information security groups within corporate bureaucracies. Almost no company can afford
an infosec-trained psychologist, particularly considering the fact that there are not many of
them around. Even routine background checks are only done by the most security-
conscious organizations such as the military and intelligence agencies. This lack of
expertise is compounded by the introverted nature of many IT employees. This
means that untrained observers do not see many of the danger signs until the damage is
already done. However, some of the more common-sense ways to observe employee
behavior (such as a change in their office social habits) can be applied by managers.

Dr Post has also developed a classification of insider types by their motivation, purpose
and typical actions (available at
http://www.infosecuritymag.com/articles/july00/features2a.shtml). A general list of
personality traits that make an individual more prone to becoming an insider threat was
also determined (http://www.securitymanagement.com/library/000762.html).

Those traits are:

1. Frustrations
2. Computer dependency
3. Ethical flexibility
4. Reduced loyalty
5. Entitlement
6. Lack of empathy

Having any or all of those characteristics, which are common among IT professionals, does not compel
one to attack one's company, to blackmail, extort, steal or destroy. However, people
possessing these traits are, under certain conditions of emotional stress, much more likely
to cause problems. Combined with intense stress and a lack of supervisor interaction,
those traits have often led to security compromises, including breaches of national security.
Unfortunately, accurate identification of those signs, and especially the actions required
upon their detection, require a high level of proficiency in the fields of psychology and
information security. Even with highly trained personnel professionals present (such as
in intelligence services), the precise identification of future intruders is not always possible.
This fact is demonstrated by most of the recent spying cases, such as the recent FBI Robert
Hanssen case. It is interesting to note that Hanssen's job was closely related to information
technology and that one of his alleged crimes involves unauthorized accesses to FBI
databases.

Another risk factor is that such employees, even if detected and let go before they
explode, are in a perfect position to launch Social Engineering attacks by abusing the trust of
their former coworkers. This risk can be managed by maintaining a high degree of
security awareness among employees.

Conclusion

The insider threat will remain a primary information security risk for the foreseeable future. A
number of diverse factors (technical, administrative, psychological) contributing to the
problem make it one of the toughest challenges in information security. In addition, combined
with the high potential financial and reputation loss suggested by the recent surveys, it
deserves more attention than it is currently given. Our analysis suggests that only by
making use of a well-balanced prevention program that includes technical (protective
hardware and software, sophisticated centralized audit data analysis, online
communication monitoring), administrative (legal disclaimers, awareness programs,
proper termination handling) and psychological (employee screening and profiling, training
managers in identifying internal threats) measures can one hope to mitigate the risks.
This program should be based on the organization's security policy, designed using a
comprehensive resource and threat assessment. Another important aspect is the need for
strict security policy enforcement: every employee should know what things are
prohibited and why no exceptions are tolerated. Having a security policy is a huge step in
the right direction for a company; however, such a policy should be willingly followed by all
employees, from janitor to CEO. Only in this case will the internal threat become just
another factor in information security management rather than an unstoppable force that
can destroy the company.

ABOUT THE AUTHOR:

This is an updated author bio, added to the paper at the time of reposting in 2009.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log
management and PCI DSS compliance. He is an author of the books "Security Warrior" and "PCI
Compliance" and a contributor to "Know Your Enemy II", "Information Security Management
Handbook" and others. Anton has published dozens of papers on log management, correlation,
data analysis, PCI DSS and security management (see the list at www.info-secure.org). His blog
http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences across the world; he
recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries.
He works on emerging security standards and serves on the advisory boards of several security
start-ups.

Currently, Anton is developing his security consulting practice
www.securitywarriorconsulting.com/, focusing on logging and PCI DSS compliance for security
vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI
Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging
Evangelist, tasked with educating the world about the importance of logging for security,
compliance and operations. Before LogLogic, Anton was employed by a security vendor in a
strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
