Industry View

The Enemy Inside

A realistic approach to prioritizing actions to prevent privileged user or insider security threats.

By Kristin Gallina Lovejoy

April 12, 2006 — CSO —

For many years external security threats received more attention than internal security threats, but the focus has changed. While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status—employees, ex-employees, contractors and business partners—pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside.

The reason insider attacks "hurt" disproportionately is that insiders can and will take advantage of two important rights: trust and physical access.

In general, users and computers accessing resources on the local area network (LAN) of the company are deemed trusted. Practically, we do not draconically restrict their activities—revoke trust—because an attempt to control these trusted users too closely will impede the free flow of business.

And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker.

What Motivates the Internal Attacker?

Internal attackers "perpetrate harm" for a number of reasons.

• Challenge/Curiosity: Many internal attackers don't think about their acts as "attacks" at all. They would constitute the act instead as a challenge—combining patience, skill and a combination of tactical and strategic thinking. Common examples of these attacks may include breaking into e-mail or IM accounts, accessing sensitive data assets (i.e., salary or financial data) or conducting ad hoc penetration tests.
• Revenge: Internal attackers motivated by revenge have negative feelings directed not simply to the company, but also toward a particular individual within that company. These attackers can be particularly dangerous because they are patient and targeted. In this category, it is common for the attackers to be a former employee who feels he/she has been wrongfully terminated.
• Financial gain: Internal attackers motivated by financial gain steal confidential information for a third party.

What's the Inside Attacker Profile?

The United States Secret Service and the Carnegie Mellon University Software Engineering Institute's CERT Coordination Center published an insider threats study report in 2005 which offered critical insights into the mind and motivation of the "inside attacker." According to the statistics gathered, the inside attacker is usually:

• Male
• 17-60 years old
• Holds a technical position (86 percent chance)
• May or may not be married (50/50 chance)
• Racially and ethnic diverse

Sufficiently broad pool? Absolutely. Here are some additional statistics, again from the same CERT study:

• In 92 percent of the incidents investigated, revenge was the primary motivator.
• Sixty-two percent of the attacks were planned in advance.
• Fifty-seven percent of the attackers surveyed would consider themselves "disgruntled."
• Eighty percent exhibited suspicious or disruptive behavior to their colleagues or supervisors before the attack.
• Only 43 percent had authorized access (by policy, not necessarily via system control).
• Sixty-four percent used remote access to carry out the attack.
• Most incidents required little technical sophistication.

• Email
• Print
• Comments
• Digg This
• SlashDot