

COVER STORY

"Insider Threats: A Breach Too Far"

By Kevin Johnson

Network attacks don’t always come from the outside.  Imagine an email sent from inside your network, encrypted, compressed to the smallest possible size and sent to an autoresponder halfway around the world, making the full trip, there and back, in 27 seconds, unbeknownst to the information owners.  Got your attention?  Good, because it’s not imagination.  This and other breaches and compromises of networks are occurring every day in the public, private, and government sectors.  Malicious insiders carry out a range of attacks, including espionage, sabotage, introducing malware and malicious code, stealing proprietary, intellectual, classified, Privacy Act and financial data, and finally stealing authentication credentials, which allows the perpetrator and any accomplices to continue accessing the system unabated.

Corporate espionage can cost companies millions of dollars per breach.  In the first six months of 2009 alone, the data breach watch group “Open Security Foundation” reported 242 incidents with over 6 million records affected; the following is a sampling from those six months:

- 2009-01-05, United States Library of Congress: Human resources employee steals Social Security numbers of at least 10 employees (SSN) [see Data Type Key at the bottom]

- 2009-01-07, Indiana Department of Workforce Development: Unspecified breach from 2008 compromises unemployment payment cards (CCN)

- 2009-02-05, Fuddruckers: Keystroke logger on POS equipment was used to obtain credit card information (CCN, NAA)

- 2009-02-13, Clayton County Sheriff's Department (Georgia): Department employee suspected of stealing personal data of deputies (SSN, NAA, MISC, MED, DOB)

- 2009-02-18, Johns Hopkins Hospital: Hospital employee steals patients' credit information to obtain credit cards, goods, and loans (SSN, NAA, DOB)

- 2009-02-06, Motorola: Motorola Enterprise Mobility Solutions (aka Symbol) experienced a vulnerability on its web site that compromised personal information (CCN, NAA)

- 2009-03-06, Federal Emergency Management Agency (FEMA): Stolen laptop contains names, Social Security numbers, dates of birth, addresses and phone numbers of about 50 people (SSN, NAA, DOB)

- 2009-03-17, Shell Oil: Hacked website exposes 5,900 customers’ names, addresses, email addresses and bank account details (NAA, EMA, FIN)

- 2009-04-03, Town of Culpeper: Personal details of 7,845 taxpayers, including names, addresses and Social Security numbers, posted on the internet (SSN, NAA)

- 2009-04-10, Borrego Springs Bank Vavrinek (California): Names and financial information, including account numbers and balances, on stolen laptops (NAA, ACC, FIN)

- 2009-05-04, Fulton County Board of Registration and Elections (Georgia): Discarded voter registration documents expose 100,000 names and Social Security numbers (SSN, NAA)

- 2009-05-05, East Burke Christian Ministries (North Carolina): Stolen laptop contains over 1,000 Social Security numbers (SSN)

- 2009-05-18, Anderson Kia of Boulder (Colorado): Defunct dealership exposes an unknown number of customers’ names, addresses, driver’s licenses, financial details and Social Security numbers (SSN, NAA, ACC, FIN)

- 2009-05-28, Sony Corporation of America: Unauthorized copies of customers’ credit cards were emailed to an outside account (CCN, NAA)

- 2009-06-03, State of Maine Office of Information Technology: Social Security numbers and financial information of 597 individuals sent to incorrect recipients (SSN, FIN)

- 2009-06-14, Custom Coffee House (Rhode Island): Hackers access the store’s wireless network and steal customers’ credit and debit card data (CCN)

- 2009-06-12, Charles Schwab & Co: Stolen hard drive contained client names, Social Security numbers and account numbers (SSN, NAA, FIN)

- 2009-06-24, Oklahoma Commission for Teacher Preparation: Stolen server (later recovered) contains Social Security numbers (SSN, NAA, EMA, MISC, MED, ACC, DOB)


Whether it’s internal or external, no industry is immune.

 

The 21st century is the next jumping-off point of the cyber age.  In the last 20 to 30 years, since the advent of personal computers, the Information Assurance (IA) industry has all but eliminated the outside threat vector.  It is true that nothing is 100 percent securable; however, with the appropriate implementation of standards, baselines and adjudicated procedures, preventing or mitigating the outside threat has become manageable.  In most reported instances of outsider compromise (intrusions, data breaches, malware, and malicious logic), the cause can be traced to misconfigurations, unpatched software or firmware, security software signatures not properly updated, weak passwords or passwords not properly protected and, finally, insecure practices by users or privileged users (caused by carelessness or lack of training).  All of these risks could have been prevented.  The primary method of prevention is a defense in depth strategy: managing security vulnerabilities by taking into account “personnel, technology and operations.”  It is a layering tactic that allows network owners and managers to defend against almost any attack.

 

However, the insider threat is a very different risk and threat vector.  It is made up of people you trust, people to whom you give the keys to your most guarded secrets; moreover, they know your network, your naming conventions and where data is stored, and have a better than decent idea of your backup schema and maintenance schedules.  History has shown your insider could be a disgruntled or unscrupulous worker, a current or former employee, a contractor or even a privileged user, such as a system administrator (SA).  It can also be your everyday employee who comes to work and does a great job.  The circumstances of a moment can change everything.  Dark Reading, a TechWeb online magazine, states:

 

“Researchers at the InfoSec 2009 Europe conference stopped passengers at a London train station and asked what it would take to get them to give up their company’s sensitive data.  While 63 percent said they couldn’t be bribed, 37 percent said they would sell out for incentives ranging from a hearty meal to $1.5 million.”

 

The insider threat is very real.  The motives are not always monetary; they can also be political, or a matter of power, prestige, or just plain old-fashioned revenge, jealousy, and envy.  Government agencies and the military are no exception; in the past, sensitive and classified information has been compromised:

 

Aldrich Ames – CIA: CIA intelligence officer who, with his Colombian-born wife Maria Del Rosario Casas Ames, was arrested after a 10-month investigation on charges of providing highly classified information to the Soviet KGB and later to its successor, the Ministry of Security for the Russian Federation (MBRF), over a nine-year period.

Brian Regan – Air Force/NRO: Assigned to the Signals Intelligence Applications Integration Office at NRO/USAF as a signals intelligence analyst.  Attempted to spy for Iraq, Libya, and the People's Republic of China (PRC), offering them military secrets for $13 million.  Found guilty of two counts of attempted espionage, related to attempts to sell information to Iraq and China, and one count of gathering national defense information.  He was acquitted of attempting to provide U.S. secrets to Libya.

Robert Hanssen – FBI: FBI Supervisory Special Agent who spied for the Soviet KGB/Russian SVR against the United States for more than 20 years.  He pleaded guilty to 15 counts of espionage in federal court and was subsequently sentenced to life in prison without parole.  His activities have been described as "possibly the worst intelligence disaster in US history".

Ana Montes – DIA: Montes used her position as an intelligence officer and, subsequently, a senior intelligence analyst to gather writings, documents, materials and information, classified for reasons of national security, for unlawful communication, delivery and transmission to the government of Cuba.  Montes first unmasked a U.S. intelligence officer to Cuba in May 1994 and revealed the name of another U.S. agent in September 1996.  She betrayed two others in May 1997.

Lawrence Franklin – DIA: Analyst at the Pentagon since 1979 in the Office of the Secretary of Defense, International Security Affairs, Office of Near East and South Asia, Office of Northern Gulf Affairs, Iran Desk.  He was found guilty of communicating classified US national defense information to persons not entitled to receive it, information used to the injury of the United States or to the advantage of a foreign nation.

John Walker – Navy: Warrant Officer and communications specialist for the United States Navy, convicted of selling his services as a spy to the Soviet Union from 1968 to 1985.  John Walker pleaded guilty to three counts of espionage.  He claimed that he had become an undercover informant for the thrill of it rather than for the money.  He was sentenced to a life term in federal prison, with eligibility for parole in ten years.

Harold James Nicholson – CIA: GS-15 Operations Officer specializing in intelligence operations against foreign intelligence services, including those of the USSR and later the Russian Federation.  Violation of Title 18, United States Code, Section 794(c) (conspiracy to commit espionage).

David Sheldon Boone – Army/NSA: U.S. Army signals analyst who worked for the National Security Agency and was convicted in 1999 of espionage-related charges relating to his sale of secret documents to the Soviet Union from 1988 to 1991.  He is currently serving a prison sentence of 24 years and four months.

 

As no industry is immune, industry’s reliance on electronic storage, processing and transfer of data has made it an easy target for the discontented or unscrupulous insider.  During the current period of downsizing, in an economy perceived as “in a recession” or worse, the impact of the insider threat could be at its highest.  The Ponemon Institute, a “pre-eminent research center dedicated to privacy, data protection and information security,” states in its independent study, “Data Loss Risks During Downsizing: As Employees Exit, so does Corporate Data” (23 Feb 09):

 

- 59% of employees who leave or are asked to leave are stealing company data

- 67% used their former company’s confidential, sensitive or proprietary information to leverage a new job

- 68% are planning to use such information as email lists, contact lists, and employee records that they stole

 

The independent study’s statistics were the result of a survey of 945 adult participants who were laid off, fired, or changed jobs in the last 12 months.  The independent study also found the most prevalent ways employees were stealing data:

 

61% - Actually took hardcopy files

53% - Downloaded data onto a CD or DVD

42% - Downloaded data onto a USB memory stick

38% - Sent documents as an email attachment

35% - Did not delete data on home computer

 

These are very high numbers to be sure, but, more importantly, these employees operated in a vacuum with little or no oversight.  Other thefts employees admitted to include: downloads onto other portable devices (28%), keeping the former employer’s computer (13%), and downloading data onto a Zip drive (3%).

 

The defense in depth strategy has vetted processes and procedures that effectively address personnel, technology and operations from both the inside and the outside threat perspective, while focusing the management of access through administrative, technical and physical controls.  The International Information Systems Security Certification Consortium, (ISC)², which certifies information security professionals and is considered the international gold standard in information security, separates each type of access control into the following categories (Fig 1):

Fig 1.  ACCESS CONTROL EXAMPLES

Controls       Administrative             Technical               Physical
Directive      Policy                     Warning Banner          Security Guard
Deterrent      Directives                 Violation Report        Beware of Dog
Preventative   User Registration          Passwords, Tokens       Fences, Bollards
Detective      Report Reviews             Audit Logs, IDS         Sensors, CCTV
Corrective     Employee Termination       Connection Management   Fire Extinguisher
Recovery       Disaster Recovery Plan     Backups                 Reconstruct, Rebuild
Compensating   Supervision/Job Rotation   Keystroke Logging       Layered Defenses
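Applying the Detective row of Fig 1 (audit log review) to the scenario in the opening paragraph, here is an added example that is not from the article or any vendor: a Python review script over constructed mail-gateway log lines that flags outbound messages carrying an encrypted archive to an external address when an automated reply comes back within seconds.  The log format, the domain names and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed mail-gateway log lines (not from the article). Assumed format:
# <ISO timestamp> <OUT|IN> <sender> -> <recipient> attach=<name|-> enc=<yes|no> size=<bytes>
SAMPLE_LOG = """\
2009-07-01T10:15:00Z OUT alice@corp.example -> drop@mail.example.net attach=q3.zip enc=yes size=48213
2009-07-01T10:15:27Z IN drop@mail.example.net -> alice@corp.example attach=- enc=no size=412
2009-07-01T10:20:00Z OUT bob@corp.example -> vendor@partner.example attach=invoice.pdf enc=no size=90210
2009-07-01T11:02:10Z OUT bob@corp.example -> pal@mail.example.net attach=notes.7z enc=yes size=1200
2009-07-01T15:30:00Z IN pal@mail.example.net -> bob@corp.example attach=- enc=no size=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>OUT|IN) (?P<src>\S+) -> (?P<dst>\S+) "
    r"attach=(?P<attach>\S+) enc=(?P<enc>yes|no) size=(?P<size>\d+)$"
)
ARCHIVE_EXT = (".zip", ".7z", ".rar", ".gz", ".tgz")  # "compressed" in the opening scenario

def parse(text):
    """Turn gateway log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["size"] = int(e["size"])
        events.append(e)
    return events

def find_round_trips(text, internal_domain, window_seconds=60):
    """Flag encrypted archives sent to external addresses that draw a reply within
    window_seconds: the autoresponder round trip described in the article."""
    events = parse(text)
    inbound = [e for e in events if e["dir"] == "IN"]
    hits = []
    for out in events:
        external = not out["dst"].endswith("@" + internal_domain)
        if not (out["dir"] == "OUT" and out["enc"] == "yes" and external
                and out["attach"].lower().endswith(ARCHIVE_EXT)):
            continue  # only encrypted archives leaving the organization matter here
        for rep in inbound:
            if rep["src"] == out["dst"] and rep["dst"] == out["src"]:
                delta = (rep["ts"] - out["ts"]).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((out["src"], out["dst"], out["attach"], int(delta)))
    return hits
```

On the constructed log, only the 27-second exchange is reported; the plain PDF to a partner and the encrypted archive whose reply arrives hours later are left alone, which is the trade-off any such review rule makes between noise and coverage.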

 

The Ponemon Institute and (ISC)² share common ground in combating the insider threat.  Where the Ponemon Institute study deals directly with exiting employees (laid off, fired, and normal job changes), (ISC)² addresses the threat from a lifecycle perspective, encompassing initial access, day-to-day operations, and the exit interview.  Each and every one of these categories is significant and requires due diligence and enforcement.

 

Although these are all fully vetted and established standards, they may not always apply in full to every organization: large organizations - definitely; organizations dealing with large amounts of data - certainly; organizations whose data is sensitive and/or classified – absolutely!  Smaller organizations that store and access sensitive data should surely implement a defense in depth strategy.  Information Technology (IT) threats do not discriminate by the size of the organization, just as threats within an enterprise do not discriminate by the number of networks connected.  A threat faced by one can be a threat shared by all.  Once these access control categories are appropriately put in place, “managers of a system, network or enterprise can exercise a directing or restraining influence over the behavior, use, and content of each.”

 

Preventing the inside threat is a dynamic process for a constantly changing Information Assurance (IA) posture.  The implementation of these controls complements the numerous directives governing the secure operation and management of the enterprise architecture, Computer Network Defense (CND) and the fielding and maintenance of IT capabilities.  As such, an organization’s personnel, technology and operations are all critical components of our business processes.  In a business where people are our most important asset, people unchecked are also our weakest link.

 

References:

Open Security Foundation (http://www.opensecurityfoundation.org/)

Dark Reading’s Online Magazine (http://www.darkreading.com/)

The Ponemon Institute (http://www.ponemon.org/)

International Information Systems Security Certification Consortium, (ISC)²

Handbook of Information Security Management

  

Data Type Key:

ACC – Account Number

CCN – Credit Card Number

DOB – Date of Birth

EMA – Email Address

FIN – Financial Information

MED – Medical

MISC – Miscellaneous Compilation of data

NAA – Name and/or Address

PPN – Private Personal Information

SSN – Social Security Number

Copyright 2008 Virtual Resource Systems. All Rights Reserved.