Types of Insiders


There are as many motivations for insider attacks as for external attacks. Traditional insider attacks are often perpetrated by disgruntled employees. Employees might feel threatened by management changes, mergers or acquisitions, downsizing, promotions (or lack thereof), evaluations, personal conflicts with other employees, or almost anything that causes stress in the workplace. A threatened employee is in the perfect position to attack the company from within. These attacks can range from the destruction of systems or data to the theft or sale of confidential information.

Security personnel, including the incident response team, are not immune to these feelings. These personnel are especially dangerous because they have access to the most sensitive systems and are in a position to detect and block any investigation. In the same way that Robert Hanssen was able to hide for 15 years as a spy in the FBI, a security administrator knows the techniques, personnel, and policies that can be used in an investigation.

Rogue System Administrators

A system administrator can be perhaps the most dangerous of insiders. The administrator has privileged access to the critical systems. He or she often is a member of the incident response team or at least has knowledge of ongoing investigations and procedures.

System administrators are subject to the same motivations as any employee. They can be passed over for promotions or be downsized. In addition, skilled administrators often have a disdain for people who are less technically proficient. If another employee, who might be perceived as less technically qualified, receives a promotion or pay raise, the administrator might feel slighted.

Administrators often have a God-like complex. This is especially true in companies in which the technology is not well understood by the average employee or manager. The administrator might believe that he alone possesses the necessary skills to keep the company running. He might feel a sense of ownership of company systems and networks. Although these motivations are not necessarily bad in most settings and can, in fact, contribute to a strong work ethic, they can also create a feeling that any actions the administrator might take are justified because the systems "belong" to him.

This is true whether the administrator is acting to "protect" the systems from other users or is taking some sort of revenge against the company. Administrators might, for example, change system passwords if they feel other users or administrators are not qualified. They might also plant logic bombs or destroy systems or data if they feel threatened. They might bypass controls or policies simply to "get the job done," especially if they believe those controls either do not apply to them (because of their superior technical skill) or are impairing the smooth functioning of the systems.

Investigating an administrator is especially challenging. Administrators can monitor and frustrate the investigation:

  • Skilled administrators can detect monitoring efforts and thwart them.

  • They can modify or delete logs.

  • They can enlist the aid of other technical personnel to act as allies. This might include technical members of the incident response team.
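The second point above, that a privileged administrator can modify or delete logs, is the one an investigator can do something about in advance. One standard countermeasure is tamper-evident logging: each record carries a keyed hash that also covers the previous record's hash, and the key and the latest hash are held outside the administrator's reach (for example by the outside team the next paragraph recommends). The following is an added example written for this page, not code from the book; the event lines and the key are constructed test data, and the `svc_backup2` account in them is hypothetical.

```python
import hashlib
import hmac

# Constructed sample audit events (hypothetical, not from the book).
SAMPLE_EVENTS = [
    "2024-04-10T08:01:12Z sshd: accepted publickey for alice from 10.0.5.21",
    "2024-04-10T08:04:55Z sudo: alice : COMMAND=/usr/bin/systemctl restart httpd",
    "2024-04-10T08:07:30Z useradd: new user: name=svc_backup2, UID=1007",
    "2024-04-10T08:09:02Z sudo: alice : COMMAND=/usr/sbin/visudo",
]

# Tag of the (non-existent) record before the first one.
GENESIS = bytes(32)


def _tag(key, prev_tag, event):
    # The HMAC key must be kept off the host (with the investigators), so a
    # local administrator who edits the file cannot recompute valid tags.
    return hmac.new(key, prev_tag + event.encode("utf-8"), hashlib.sha256).digest()


def chain_events(events, key):
    """Produce (event, tag_hex) records; each tag also covers the previous tag."""
    records, prev = [], GENESIS
    for ev in events:
        tag = _tag(key, prev, ev)
        records.append((ev, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key):
    """Return the index of the first record whose tag does not verify, or None.

    Editing or deleting a record in the middle breaks the tag of the record
    that follows it, so tampering is localised to an index.
    """
    prev = GENESIS
    for i, (ev, tag_hex) in enumerate(records):
        expected = _tag(key, prev, ev)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return None


def head_tag(records):
    """The newest tag. Checkpoint it off-host periodically: a chain that has
    simply been truncated at the end still verifies, and only a mismatch
    against the stored checkpoint reveals that the tail was removed."""
    return records[-1][1] if records else GENESIS.hex()


if __name__ == "__main__":
    key = b"constructed-test-key"  # constructed; a real key is generated off-host
    recs = chain_events(SAMPLE_EVENTS, key)
    print("intact chain verifies:", verify_chain(recs, key) is None)
    without_useradd = recs[:2] + recs[3:]
    print("first bad index after deleting a record:", verify_chain(without_useradd, key))
    print("checkpoint to store off-host:", head_tag(recs))
```

The chain detects insertion, modification and deletion of any record before the last one; truncation of the tail is only visible by comparing `head_tag` with a checkpoint stored where the administrator cannot reach it, which is why the checkpoint, like the key, belongs with the outside team.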

It is often wise to bring in outside expertise when investigating a system administrator. This expertise can ensure that the administrator and other members of the operations group (and the incident response team) are not aware that an investigation is occurring. These outsiders can also serve as an outside audit of the investigation. This is useful in demonstrating due care during and following the investigation. It might be prudent to relieve the administrator of privileged access during the course of the investigation. Of course, if access is removed or restricted, the person will know that something is going on. In this case, he or she should be briefed that an investigation is ongoing and that access will be restored upon completion.

Interviewing a system administrator can be a difficult task. The administrator might have a low tolerance for people perceived as technically unqualified. Physical security personnel, especially if they have a law enforcement background, can be viewed with contempt. The administrator might refuse to cooperate. He also might lie, especially about his technical actions. The interviewer might not be able to detect these lies. Human resources personnel, although often trained in interviewing techniques, might suffer the same shortcomings if they are perceived as technically clueless. An interview team should include both people skilled in the techniques of talking to subjects and people with the technical skills to understand the answers. Another administrator can often establish a dialogue or a relationship with the subject. However, this administrator must be completely trusted. It might be wise to rely on external assistance in this case.

If an employee has been terminated, the danger is not over. Oftentimes, employees who either leave or are fired can still access corporate systems. This might be because their accounts are not cancelled when they leave or because they either install a "back door" into the systems or work with a person still inside the company to gain access. A back door can be as simple as the installation of a trojan such as Back Orifice or NetBus on a system. It can also involve the compromise of remote access servers or the installation of unauthorized modems.
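The first two failure modes above, accounts that outlive their owner and accounts nobody in HR owns, can be caught by reconciling the identity store against the HR roster on a schedule. The following is an added example for this page, not code from the book: it takes a constructed HR roster and account list, flags enabled accounts of terminated staff (noting any login after the leaving date), accounts with no HR owner at all (how an unmanaged service account or a planted account shows up), and privileged accounts that have gone dormant. All names, dates and the 90-day dormancy threshold are assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical, not from the book).
# HR roster keyed by username.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob": {"status": "terminated", "left": date(2024, 3, 1)},
    "carol": {"status": "active", "left": None},
}

# Current state of the identity store (directory, local accounts, VPN, ...).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileged": False, "last_login": date(2024, 4, 9)},
    {"user": "bob", "enabled": True, "privileged": True, "last_login": date(2024, 3, 20)},
    {"user": "carol", "enabled": True, "privileged": True, "last_login": date(2023, 11, 2)},
    {"user": "svc_backup2", "enabled": True, "privileged": True, "last_login": date(2024, 4, 8)},
]


def audit_accounts(roster, accounts, today, dormant_days=90):
    """Return (username, reason) findings for enabled accounts that need review.

    Checks, in order: no HR owner; owner terminated (and whether the account
    was used after the leaving date); privileged account unused for longer
    than dormant_days.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already off the attack surface
        rec = roster.get(acct["user"])
        if rec is None:
            findings.append((acct["user"], "no HR owner; possible back door or unmanaged service account"))
            continue
        if rec["status"] == "terminated":
            reason = "still enabled after termination"
            if acct["last_login"] and rec["left"] and acct["last_login"] > rec["left"]:
                reason += "; logged in after leaving date"
            findings.append((acct["user"], reason))
            continue
        if acct["privileged"] and acct["last_login"] and (today - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "dormant privileged account"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_accounts(HR_ROSTER, ACCOUNTS, date(2024, 4, 10)):
        print(f"{user}: {reason}")
```

Run against every system that holds its own accounts, not only the central directory: the remote access servers mentioned above are exactly where a departing employee's access tends to survive. An account with no HR owner is the finding to escalate first, since it is either a service account nobody documented or something left behind deliberately.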

If another employee is assisting, an outsider can gain access in any number of ways. Any kind of network traffic can be tunneled through legitimate ports such as mail (25) or web (80). To the network IDS, this traffic appears to be legitimate and will be neither detected nor blocked. However, the intruder can remotely control computers inside the corporate firewall or transfer data at will.

Employees might also be motivated simply by financial considerations. An employee might be providing data to competitors and might also be providing remote access. The outside organization could be a competitor, a government agency, or an organized crime syndicate. In certain areas of the world, companies receive economic intelligence from their country's intelligence services. These services are not above using traditional spying methods (such as insiders) to provide them with data. There are apocryphal stories about Russian organized crime breaking into financial institutions to steal money. There are also stories about the syndicates transferring money into the institution to launder it.

There are three classic indicators of an insider attack. The attacker often spends more time on the job than average. He might also have a lower than average salary and might display overt signs of dissatisfaction. These people often are introverted and have poor social skills. They might, however, have high technical skills. Some of the characteristics of potential attackers are often shared by dedicated developers and system administrators. If the attack is conducted with a degree of stealth, it is impossible to distinguish a skilled attack by an administrator from the normal performance of his job.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103