Part II: Insider Attacks


Many current surveys and research studies indicate that human beings, and primarily "insiders," are the cause of most computer attacks. In addition to the issue of an "inside job" is the fact that an insider could help an outsider gain access. Outside hackers with inside knowledge can likewise cause a great deal of expensive damage to the network, can cause time and cost damage for those who have to spend their time assessing and rebuilding the destroyed parts, and can damage the reputation of a company. All security breaches cost an employer, even the ones not defined as being "data destructive."

Although attacks conducted purely by outsiders can certainly wreak havoc, the inside job is perceived to be the more destructive to the organization. This is probably a psychological factor: no one wants to believe that "one of our own" could do such a terrible thing. An insider-gone-bad shatters the perception (however false it might be) that when employees join the ranks of an organization, they are a loyal part of the family. The public has witnessed this type of reaction every time a new spy is uncovered in the CIA or at the FBI. The truth of the matter is that no matter what organization people work for, they are still just people. Perhaps they are mostly good people, but some will become a risk and a threat to the organization by conducting insider attacks.

Most agencies, corporations, and organizations prepare for and try to prevent insider attacks. Corporations have attorneys and technical experts who advise on and implement deterrents. The most popular deterrents include the signing of nondisclosure agreements, noncompete agreements, and nonsolicitation agreements; participation in ongoing ethics training; and participation in training programs that focus on corporate policies and rules, including computer use policies. These answers and ideas for preventing insider incidents are mostly ineffective and antiquated; some are even humorous. Lawyers can't stop insider incidents with wordy agreements, new policies, and more documents for employees to sign.

Technical and physical security policies, as developed in Stage 1 (preparation), try to prevent the loss of sensitive data by monitoring employees online and by implementing security badges, cameras, biometric devices, and locked or secured areas. Technology can't stop insiders with legitimate access. All the monitoring in the world cannot prevent the best and the brightest from accessing data or sabotaging an internal system. Some of these insiders are the ones with legitimate, authorized access to sensitive projects anyway. The truly deviant do not care that they have signed documents. They feel entitled to the data. Other clever thieves and criminals will go about taking insider advantage without technically doing anything to violate the signed agreements. The obvious and the inept will be detected, and some of the less sophisticated attempts to use proprietary data or to violate a patent will be found out. Agreements and nondisclosures only reinforce the honest and noncriminal in remaining honest. The clever, the slick, and the sophisticated are getting away with murder (well, maybe theft) and will continue to behave in criminal and destructive ways.

Some of the government agencies and defense contractors implement polygraph tests, rigorous background investigations, and psychological screening tests before hiring. Some of these same agencies continually require an update to all these vetting strategies throughout an individual's employment. Once again, however, the news has indicated that even in the most rigid screening environments, such as the CIA and the FBI, spies are still hired, and insiders have turned spy and not been detected for years even with their follow-up security checks. Although background investigations can discover the obvious problems upfront (those with prior criminal histories and arrest records), generally speaking, the majority of people in the world who are active hackers, attackers, and crackers have not been arrested for a computer crime, or any crime. Therefore, a background investigation for the purposes of uncovering a would-be hacker before hiring the individual is almost a moot point.

The polygraph test is yet another misplaced idea for vetting hacker insiders. Although in many instances the polygraph is a useful tool, it usually works best for those who don't know how to beat it by doing breathing and heart-rate control exercises, those who don't feel guilty or inherently wrong about something they might have done, those who don't have respect for or fear of the polygraph process itself, or those who don't register conclusive results because their physiological responses were inconsistent across the exam. The point is that many hackers do not believe what they are doing is wrong, and thus they will not feel guilt or register a change on the polygraph. Insiders who are there to conduct industrial espionage might be trained in how to beat a polygraph. If there is any doubt as to the capability of people to beat the polygraph, remember that there were East Germans, Cubans, and Soviets who all passed polygraphs during the Cold War and were still spies for their host countries, even though they were screened by our law enforcement and intelligence agencies.

On a business level, the polygraph can be an expensive and time-consuming tool that has a very low probability of generating useful results for finding bad insiders. Even if inside attackers could be screened out during the hiring process, many insiders turn bad after they have been with the organization for a period of time. Career changes, job changes, management changes, position and responsibility changes, as well as other personal pressures unrelated to work, appear and can provide the catalysts for people to change. People might become disgruntled or greedy, have a need for revenge, feel entitlement, or experience many other things that would provide the motivation to launch an insider attack.

One method used to screen employees, contractors, new hires, potential hires, and temporary workers is the use of psychological instruments and batteries. Some of the more popular instruments include the Minnesota Multiphasic Personality Inventory (MMPI), the California Personality Inventory (CPI), the Adjective Checklist (ACL), and even the Myers-Briggs Type Indicator, which is actually not a clinical assessment tool. Clinically assessing and then "profiling" an individual as he or she is prescreened for hire into a company can provide the employer with some personality traits and characteristics. However, it is not legal to administer clinical testing that would indicate a mental disability, according to the guidelines established by the Americans with Disabilities Act of 1992 and the Rehabilitation Act of 1973 (sections 503 and 504). Clinical assessments that lead to identifying a mental disorder or impairment (which are listed in the Diagnostic and Statistical Manual of Mental Disorders, currently the DSM5) are defined as medical examinations, and under the law, employers cannot require medical exams until after an applicant has been given a conditional job offer (section 501, Rehabilitation Act of 1973; 29 U.S.C.A. section 791 [g], 1994; section 504, 29 U.S.C.A. sections 793 [d], 794 [d], 1994). Clinical assessments are therefore not legally permissible during the prehiring phase, which is exactly when these types of tools would be the most useful.

The other problem with using psychological instruments is that the profile of a "good employee" must be derived by testing a sample of good employees and then screening the potential ones against the desired scores of the established ones. Clinical data identifying the characteristics of a good employee might be available, depending on the test, but many employees test well and start out as good employees. These good employees can, over time and because of certain life circumstances, turn into disgruntled employees, as stated earlier. The other issue is that many of the variables that determine a good employee are the same variables that have been used by those who conduct psychological tests to describe a good hacker (such as excellent technical skills, introverted, unsophisticated interpersonal skills, compulsive Internet users).

Another issue regarding clinical instruments is the ability of the test taker to falsify answers. Faking responses based upon the obviousness of the questions, and the fact that many of these assessments have been in use for decades, might enable the test taker to choose the response that is "appropriate." It is not difficult to select the proper Likert scale answers to questions such as "I have disturbing thoughts," "The world is confusing," "I feel rage easily," and "I have violent urges." These tests are so transparent and have been around for so long that even the layperson who has never had a course in psychology can easily figure out what the question is asking.

Specifically, the problem of criminal attacks on computers is extremely complicated due to the perpetrators coming from both the inside and outside of a particular company. In addition, the motivations, rationales, and methods of attack differ not only between insiders and outsiders but on an individual basis. Even though hackers have been stereotyped as introverts and socially inept, many use the MO of social engineering to obtain the information needed to break and enter. An additional complication, specifically with labeling hackers as introverts, involves the definition of introversion itself and the testing tools used to categorize introverts versus extraverts. In everyday use, and in line with the nonclinical Myers-Briggs Type Indicator, extraversion and introversion have been linked to a person's interpersonal sociability. Extraverts are social, outgoing, friendly, and open. Introverts are interpersonally shy, withdrawn, reserved, and reticent. When assessing or profiling hackers and potential disgruntled employees, it might be easy to socially categorize them as introverts due to their lack of desire for interpersonal communication with others face to face. However, communication modes in our society have changed. There is a shift in social behavior from communication face to face to social interaction over the Internet. These hackers are very social, using chat rooms, bulletin boards, and other online communications networks. Thus, these computer communicators are both directing their energies toward others as well as generating a high degree of focus toward an object outside themselves: the computer itself. The vehicle and means of communication have been socially altered, but the clinical tests have not been likewise altered to reflect the cultural and societal shift.

Some insider attacks also occur after an employee has been terminated, so no amount of vetting, screening, assessing, or testing upfront during the hiring process could predict or prevent a former employee from launching an attack with his or her still fully intact insider knowledge. This concept of a former employee with insider knowledge is also tangentially related to the inside-out attack. The inside-out attack is when an individual on the inside is either knowingly or unknowingly providing someone on the outside with inside information. This particular type of incident is difficult to investigate because at the onset it appears that the attack has been launched from an external source. However, as the investigation progresses, it becomes apparent that the attacker could only have compromised those systems or servers with some inside help or knowledge. After the inside link is detected, the incident becomes far more complicated to investigate. The person on the inside "assisting" the incident response team could turn out to be the wayward insider.

The last issue related to insider problems concerns the insider who is really hired by, paid by, and trained by organized crime, foreign intelligence agencies, or other groups for the sole purpose of infiltrating an organization. Don't forget that an insider can technically also include business partners, teaming partners, joint ventures, subcontractors, and other partnerships. A review of recent organized crime cases, for example, Operation Uptick, revealed a vast and complex organized crime scheme in the stock brokerage and investment industry in New York City. Any legitimate companies affiliated with the front companies were duped into believing in their validity; all of their sensitive and proprietary information was being used for insider-trading purposes and stock trade "pump and dump" schemes. So there are instances in which companies acquire insiders or others who get inside information by virtue of business partnerships and affiliations. Certainly, due diligence can be conducted on any company to validate its legitimacy, and this should be done. There are people and entities out there, however, who are extremely experienced and good at creating facades and conning even the most discriminating people.

Why Insiders Attack

So, what can organizations do? The first thing every corporation, agency, or business needs to understand is the "why." Why do insiders attack? There are too many possible motives to cover every case of why an insider attacks. In general, however, there are eight motivational categories: greed, no perceived choice, revenge or retribution, entitlement, curiosity, challenge or ego, serious business, and accident.

Greed

Some insiders just want to make money. The lure of selling data or stealing property fulfills their need to make more money than their salary allows. Insider trading and other financial or stock manipulation schemes (using insider information) are a common byproduct of greed.

No Perceived Choice: Had to Do It

Due to personal circumstances, perhaps totally unrelated to the job or the employer, some insiders find themselves in unrecoverable financial situations. The only perceived way out of ruin is to take what the company has to offer and sell it, exploit it, or use it to turn a profit. Those who find themselves believing that they "had to do it" are sometimes in debt and cannot afford their basic living expenses, even though those expenses might not be in any way extravagant. Divorce, gambling, poor investments, extreme medical bills, or other life changes are only some of the reasons why people find themselves in what they perceive to be dire straits. In some cases, the insiders might want to believe that they are only "borrowing" from their employer. In other cases, the insiders feel so positively about the employer they are compromising and stealing from that they believe they are treating the employer as they would their family, leaning on the resources that are available.

Revenge or Retribution

Other insiders conduct attacks against their employers for pure revenge or retribution. At some point, the employee feels that he or she has not been treated fairly by a specific manager or even by the company as a whole. Anger, frustration, rage, and anxieties build, finally exploding into an attack. In some cases, these insiders target the person(s) whom they perceive to have treated them unfairly or badly, and in some cases, the incident is targeted toward the entire company. The choice of whether to make the attack personal against someone or more generally against the reputation or name of the organization depends on who the attacker believes should experience the consequences.

Entitlement

Similar to the motive of revenge is the motive of entitlement. Insiders who attack because of entitlement might believe they were unfairly overlooked for that raise, that promotion, or that bonus. This insider might feel that the employer is just too incompetent to recognize true hard work and brilliance; thus the insider feels entitled to give him- or herself a bonus.

Curiosity

Many inside incidents, particularly those defined as "unauthorized use of systems," are the result of a Curious George type just poking around to see what he or she can get into. Although this type of behavior violates most computer-use policies and may even be illegal, many of these insiders really do not believe they are doing anything wrong. These curious intruders might not damage anything, copy anything, delete anything, or take anything.

Challenge or Ego

An extension of the curious are those who crack into systems for the challenge, the fun, and to enhance their egos. These insiders are driven by their technical prowess and the desire to demonstrate it, if only to themselves. Again, this type of behavior violates computer-use policies and likewise might be considered illegal.

Serious Business

Insiders who are there for the sole purpose of exploiting the organization are engaged in serious business. Employees who are linked to organized crime or who are part of industrial espionage are there to do serious harm and damage. Corporate sabotage, intelligence gathering, and theft are only a few of the reasons these employees are walking the halls. They have been employed by their "true employer" for the single reason of gathering, stealing, or planting information within your organization. These insiders are extremely difficult to spot, are nearly impossible to account for, and are very well versed and professional concerning their business of sabotage.

Accident

Some insiders create incidents but do so purely by accident or because of naivety. Many honest people who have no intent to do harm to themselves, others, or their employer inadvertently end up being the perpetrator of an incident. These insiders are perhaps not aware of the corporate policies and rules, or maybe they acted in a way that is not covered in the policy. People post things to the Internet that they should not, sometimes with the best of intentions. People talk to other people, not realizing that they are disclosing proprietary information. Accidents also happen to firewalls and servers. An incorrectly written protocol or a Perl or Java program with errors can create problems that might, in fact, look as if someone was attempting to do malicious damage to the organization.

Possible Solutions

So what can companies and organizations do to lessen the chance of an insider attack? There are certain things that an organization can do on the human level to reduce vulnerability, increase security awareness, and perhaps prevent an incident from occurring. One recommendation is to train and educate all employees regarding organizational policies for acceptable computer use. Training does help, and it also ensures that the organization is doing its best to educate the employees regarding security. Training courses will not cure the problem, but they are one piece of a multilayered security approach.

Another recommendation is to maintain the mound of legal paperwork that most new employees sign at the commencement of their employment. Although these legal documents and nondisclosure agreements don't necessarily act as a deterrent, the maintenance of these documents is important for the company.

Do not overreact or overprotect when it comes to online access or network access. Some companies deny Internet access and external email privileges to their employees. This is not the answer. Restricting or prohibiting Internet or email access to the outside world is at best antiquated and will eventually take a toll on business.

Conduct an overall organizational assessment to ascertain where your company's hot spots are and when you are most at risk for attack. Some of the most common warning signs of insider attacks waiting to happen include times of mergers, acquisitions, or downsizing; management changes (though sometimes this can be good); the period after performance evaluations; bonus, promotion, or raise time; and geographic relocation of physical office space, particularly if people are being relocated into cubicles from offices or are being moved from a single office to a shared office. Any change that alters the reality or the environment or forces employees into a different thought process is cause for pause. People do react to stress; unfortunately, it's not always in a constructive way.

Extend an organizational assessment to include an Internet and web search of your company's name and other critical aspects of your business. Understanding how easy it is to obtain information on an individual or an organization is the first step toward better protection. Conducting an open-source collection on your company or assessing its message boards is a good way to take the temperature of the corporate culture in a very public and noninvasive way. The information on the public Internet is just that: public. No one should have the assumption that posting something is private.

Conduct a physical assessment of your facilities and work environments. Many environmental factors might actually promote or encourage online misbehavior. Again, changes in environment can affect employees. Other considerations for a physical security review include things like clean air circulation, appropriate ventilation, and heating and cooling systems. All these precautions promote the well-being of an employee and decrease stress.

In light of all the stumbling blocks concerning the use of psychological assessments as a prescreening tool to identify potential cybercriminals, the concept of a prehiring evaluation is still sound. There are other types of behavioral assessment instruments, defined as nonclinical tests, that could be used to determine job suitability based on skills, education, and occupational experience. There are also nonclinical instruments that measure personality and behavioral characteristics. Although not as powerful as a clinical instrument from a pure psychological perspective, these tools are better suited for employee selection, and not only for legal reasons. These nonclinical assessments not only focus on job suitability and skills, they also do not contain the obvious psychiatry-laden questions that are easily picked out and answered "appropriately."

The real answer to preventing insider attacks is the ability to understand your corporate culture. An in-depth understanding of an organization can be obtained and should be conducted as part of Stage 1, preparation.

Investigating Insiders

One of the more difficult investigations to conduct is the incident that involves an insider or group of insiders. Incident response teams should be very well trained and educated as to the company's corporate policies regarding the treatment of insiders and should consult with an attorney regarding the legal rights of an insider. There are three considerations to always keep in mind when conducting an internal investigation:

  1. Everyone might be a suspect because the perpetrator is on the inside.

  2. The revelation that an incident was perpetrated by an insider might cause extra stress and worry for other employees and management. (People might become anxious or paranoid and might view the investigation as a witch hunt.)

  3. The manner in which the investigation is handled is a reflection on both the incident response team and the company.

In most cases, if an insider is suspected, two other departments must be brought into the investigation: human resources and physical security. Both of these departments have access to information that might assist the incident response team in the investigation. These departments might also play active roles in supporting the ongoing components or results of the investigation (such as interviewing suspects, issuing disciplinary notices, or conducting terminations). Legal counsel should also be present and consulted during the phases of an insider investigation.

If insiders need to be questioned or interviewed as part of the investigation, this process should be well planned, well executed, and well documented. The incident response team members need to have a well-rounded skill set in addition to having computer skills, firewall knowledge, various OS backgrounds, and virus knowledge. The IT incident response team members should be well versed in interview techniques and should have excellent interpersonal skills.

Employees who are suspects and others who have incident-related information might need to be interviewed. As the investigator, you should be able to structure the entire interviewing process. Incident responders should have the following information before any interviewing takes place:

  1. The names of those employees who need to be interviewed.

  2. The people who will be conducting the interviews: Are they from the company's physical security or HR department or from the incident response team?

  3. A consistent and nonthreatening approach to all interviewees. Figure out exactly what is going to be said, what the purpose of the interview is, and what will be told to the interviewees.

  4. An appropriate place to conduct the interviews without interruptions.

  5. Times and dates of the interviews and approximately how long each one will initially last. Follow-up interviews can be conducted at a later time.

  6. The order of the interviewees: Who should be interviewed before whom?

  7. The selection and presence of a third party as a witness during all interviews.

The questions asked during the interviews should be a mix of technical- and behavioral-based questions, again prepared well in advance of the interviews. Preparation and planning do not mean you should exclude open discussion or taking a different tactic during an interview session. Good investigators will conduct each interview slightly differently because the interviewees are all individuals and are different. Flexibility and thinking on your feet are also essential.

All interviews, even those conducted over the phone, should be documented. Records of these interviews might end up as evidence; therefore, the discussions must be documented as accurately as possible. The following are some of the things that should be recorded as part of the documentation process:

  1. The interview date, time, and place

  2. The arrival time of the interviewee

  3. The names of the interviewee, the interviewer, and the witness

  4. The questions asked and the answers provided

  5. Any observations that might be considered nonverbal

  6. The time at which the interview ended

  7. Whether the interviewee is a candidate for a follow-up interview

During this interview process, the reputation of the interviewees must be maintained. Some interviewees will feel as though they are being singled out or picked on, or they might believe that because they are being questioned in relation to an incident, their career and job will be negatively affected. Management needs to participate in this process to alleviate any fears. All interviews and treatment of employees must be done with utmost respect and decorum, even the interviews with the prime suspects.

The seasoned incident response team not only knows how to communicate well across departments, it knows when and with whom to communicate. The incident response team should have a "need to know" policy. Many mistakes are made by inexperienced incident response teams when they announce the problem to everyone with a technical background who will listen. Unfortunately, one of the technical experts being so helpful might be the attacker. Tipping the perpetrator off to the investigation is sure to ruin the chances of a successful outcome. A clear chain of communication is a requirement. Human nature sometimes indicates that we trust those around us and those with whom we work. There have been too many documented incidents of insiders who have been the perpetrators of cyberincidents.


Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103