Chapter 10. Responding to Insider Attacks


Insider attacks constitute a special, challenging situation for an incident response team. Insiders already have access to sensitive systems, access that might include a high degree of privilege. These people are, at least nominally, trusted. The attacks are often difficult to detect. Intrusion detection systems might be unable to distinguish an attack from a normal pattern of behavior. In fact, the theft and removal of data might not even qualify as an attack in the technical sense. Everyone who investigates might be a potential suspect.

An insider attack can be defined as the intentional misuse of computer systems by users who are authorized to access those systems and networks. It is often difficult to distinguish intentional misuse from simple human error. Insiders might be employees, contractors, temporary help, or even customers or business partners. This definition excludes attacks by ex-employees and by employees who are not specifically authorized to access the systems in question, but those attacks share some characteristics with the more classic insider attacks.

This chapter will discuss the specific challenges of preparing for and responding to insider attacks, along with measures that might mitigate their impact. It will present various types of insiders and attacks and will discuss the legal considerations that should be weighed when preparing a response.

Early statistics on computer security incidents stated that insider attacks accounted for the majority of incidents. In recent years, this has apparently declined. The 2000 Computer Security Institute study stated, "Survey results illustrate that computer crime threats to large corporations and government agencies come from both inside and outside their electronic perimeters, confirming the trend in previous years. Seventy-one percent of respondents detected unauthorized access by insiders. But for the third year in a row, more respondents (59%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (38%)." [1] There is some question as to whether this is due to an increase in external attacks or simply to better detection of them. In any case, insiders can still cause the greatest damage. The same survey reported that the most serious cases involved the theft of proprietary information (66 respondents reported losses totaling $66,708,000). [2]

[1] Computer Security Institute, Computer Crime and Security Survey, March 22, 2000, www.gocsi.com/prelea_000321.htm.

[2] Ibid.

Statistics on insider attacks are poor. There has been almost no research on the characteristics of the insider problem. To complicate this, information sharing among victims is extremely rare, so most data is anecdotal at best.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103