IT sabotage: Identifying and preventing insider threats

Preventing IT sabotage from insider threats can be a challenge. Peter Sullivan explains how enterprises should monitor for characteristics of insider threat behavior.

As an information security problem, the insider threat presents some of the most challenging issues that security managers face today.

The CERT Division of Carnegie Mellon University's Software Engineering Institute defines a malicious insider as: "A current or former employee, contractor, or other business partner who has or had authorized access to the organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."

In early 2009, 750,000 classified -- and unclassified, but sensitive -- military and diplomatic documents were disclosed to WikiLeaks by a U.S. Army insider. In response, the White House issued Executive Order 13587 in October 2011, which directed structural reforms to improve the security of classified networks and classified information.

The risks to organizations go beyond data theft and leaks; they could involve the intentional destruction of systems or data within an organization. This article will discuss insider threat behavioral characteristics related to intentional IT sabotage, regardless of the classification of data. Subsequent articles will cover insider threat behavior related to intellectual property theft and insider fraud.

Insider information technology sabotage

One idea that may be unfamiliar to a lot of security managers is that detecting an insider threat requires an understanding of what motivates people to behave the way they do, either positively or negatively. Understanding these behavioral elements is an important tool, especially in cases of insider IT sabotage.

Insiders who commit IT sabotage are technically competent users who have the access and ability to carry out an attack, as well as the capability to conceal their illicit activities. These characteristics make insider IT sabotage very difficult to detect, as malicious behavior rarely looks any different from normal behavior.

However, in nearly every IT insider sabotage attack, distinct patterns have been discovered, and the detection of these patterns can help identify malicious insider activities. The CERT Insider Threat Center has been working for more than 15 years cataloging, analyzing and detecting patterns of malicious insider behavior in order to understand who commits insider attacks, why they do it, when and where they do it, and how they carry out their attacks.

Much -- but not all -- of the information in this article is based on work done by the CERT Insider Threat Center. [Editor's note: The author is a visiting scientist at Carnegie Mellon University, and he teaches CERT insider threat program management and insider threat vulnerability assessment courses for the Software Engineering Institute.]

In any discussion of behavior and behavioral characteristics, it is important to remind ourselves why we are looking to discover characteristics of insider IT sabotage. Detecting one or even a few of these characteristics does not mean that a malicious insider has been detected. Rather, an understanding of these characteristics is used not to trap employees, but as input into a risk-based analysis of job positions at risk for IT sabotage, to understand the organizational elements that influence insiders to carry out an attack, and -- most importantly -- to develop and implement protection and mitigation strategies that defend an organization -- and its employees -- from malicious insider attacks.

Patterns in IT sabotage

One important factor of insider IT sabotage crimes is the idea of personal predisposition. According to CERT, most malicious insiders have personal predispositions that contributed to their risk of committing IT sabotage. A personal predisposition is defined as a characteristic historically linked to a propensity to exhibit malicious insider behavior.

Understanding personal predispositions can help us understand why some people act maliciously, while others who are exposed to the same conditions and events do not.

Examples of personal predispositions identified by CERT in insider IT sabotage cases include:

  • conflicts with fellow workers;
  • bullying and intimidation of fellow workers;
  • serious personality conflicts;
  • unprofessional behavior;
  • an inability to conform to rules demonstrated by:
    • arrests,
    • hacking,
    • security violations,
    • harassment or conflicts resulting in official sanctions or complaints, and
    • misuse of travel, time and expenses;
  • difficulty controlling anger and inappropriate behavior.

Over the years, CERT has found that many of the insiders who committed IT sabotage exhibited personal predispositions. For example, in 2005, a joint report by CERT and the U.S. Secret Service found that 30% of insiders who committed IT sabotage in critical infrastructure sectors had a previous arrest record, including arrests for violent behavior, drug-related offenses and fraud-related theft offenses.

However, a more recent study from CERT and the Department of Homeland Security in 2012, which focused on the financial services sector, found that just 33% of perpetrators were previously identified by management as difficult, and only 17% were identified as disgruntled. It's important to keep these red flags in mind when monitoring for and identifying potential insider threats.

Stay tuned for part two of this series on insider threat behavior.
