© 2008 Carnegie Mellon University

Preventing Insider Threats: Avoiding the Nightmare Scenario of a Good Employee Gone Bad

Dawn CappelliOctober 31, 2008

2

TRUE STORY:

Personal information stolen for millions of customers of

phone companies, credit card companies and banks …

Companies contracted with a consumer data organization

that hired a data mining organization

whose system administrator stole the data

3

TRUE STORY:

Emergency services are forced to rely on manual address lookups for

911 calls on Friday night ….

Employee sabotages the system and steals all backup tapes

4

TRUE STORY:Financial institution discovers $691 million in

losses ...

Covered up for 5 years by trusted employee

5

Agenda

Introduction

How bad is the insider threat?

Background on CERT’s insider threat research

Brief overview of findings from our research

Tools for preventing or detecting insider threats

6

What is CERT?

Center of Internet security expertise

Established in 1988 by the US Department of Defense on the heels of the Morris worm that created havoc on the ARPANET, the precursor to what is the Internet today

Located in the Software Engineering Institute (SEI)• Federally Funded Research & Development Center (FFRDC)

• Operated by Carnegie Mellon University (Pittsburgh, Pennsylvania)

7

CERT’s Definition of Malicious Insider

Current or former employee, contractor, or business partner who

o has or had authorized access to an organization’s network, system or data and

o intentionally exceeded or misused that access in a manner that

o negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

Note: Note: This presentation does not address national This presentation does not address national security espionage involving classified information.security espionage involving classified information.

8

2007 e-Crime Watch Survey

CSO Magazine, USSS, Microsoft, & CERT

671 respondents

0

20

40

60

80

100

2004 2005 2006 2007

Percentage of Participants Who Experienced an Insider Incident

41 39

5549

9

CERT’s Insider Threat Research

Insider Threat Cases

Database

Hundreds of cases have been analyzed

• US cases from 1996 to 2007 in critical infrastructure sectors

• US Secret Service

• Carnegie Mellon CyLab

• Department of Defense

Data includes both technical & behavioral information

10

Breakdown of Insider Threat Cases in CERT Database

0

10

20

30

40

50

60

70

80

Theft or Modification for Financial Gain

Theft for Business Advantage

IT Sabotage

76

24

74

17

Misc

11

Comparison of Insider Crimes - 1

IT SabotageTheft or

Modification for Financial Gain

Theft for Business

Advantage% of crimes in case database

45% 44% 14%

Current or former employee?

Former CurrentCurrent (95%

resigned)

Type of positionTechnical (e.g. sys admins or DBAs)

Non-technical, low-level positions with

access to confidential or

sensitive information (e.g. data entry,

customer service)

Technical (71%) - scientists,

programmers, engineers

Sales (29%)

Gender MaleFairly equally split between male and

femaleMale

[1

12

Comparison of Insider Crimes - 2

IT SabotageTheft or

Modification for Financial Gain

Theft for Business

Advantage

TargetNetwork, systems, or

dataPII or Customer

Information

IP (trade secrets) – 71%

Customer Info – 33%

Access used Unauthorized Authorized Authorized

WhenOutside normal working hours

During normal working hours

During normal working hours

Where Remote access At work At work

Recruited by outsiders

None½ recruited for theft;

less than 1/3 recruited for mod

Less than 1/4

Collusion None

Mod: almost ½ colluded with

another insiderTheft: 2/3 colluded

with outsiders

Almost ½ colluded with at least one insider; ½ acted

alone; 25% stole for foreign gov/org

[1

13

What Can You Do?

Review CERT’s Common Sense Guide to Prevention and Detection of Insider Threats

http://www.cert.org/archive/pdf/CommonSenseInsiderThreatsV2.1-1-070118.pdf

Version 3 to be published in January 2009

14

Tools for Preventing or Detecting Insider

Threats

15

Change Control

Help to prevent or detect• Planting or downloading of malicious code or

unauthorized software

• Unauthorized modification of critical files

• Unauthorized changes to source code

• Unauthorized installation of hardware devices

16

Data Leakage Tools

Help to prevent or detect accidental or intentional leakage of confidential information• Emails

• Documents

• Printing, copying, or downloading

• Removable media

17

Network/Employee Monitoring Tools

Help to detect• Unauthorized access

• Suspicious activity around resignation

• Unauthorized escalation of privileges

• Anomalous user activity

18

Identity Management Systems

Help to • Prevent creation of or detect usage of backdoor

accounts

• Implement and maintain access control

• Disable all access upon termination

19

Others

Encryption

Physical access control systems

Automated data integrity checks

Backup and recovery systems

20

Contact Information

Insider Threat Team Lead:Dawn M. CappelliTechnical Manager, Threat and Incident ManagementCERT ProgramSoftware Engineering InstituteCarnegie Mellon University4500 Fifth AvenuePittsburgh, PA 15213-3890+1 412 268-9136 – Phonedmc@cert.org – Email

http://www.cert.org/insider_threat/