Secret Service and CERT analyze insider threats
- By William Jackson
- Aug 26, 2004
It doesn't take a techie to abuse an IT system from the inside, and inside attackers do not fit any common profile.
Those are among the findings of the Secret Service and the CERT Coordination Center in a study of insider attacks against financial organizations.
Damage to the victimized institutions ranged from a few hundred dollars to hundreds of millions of dollars.
The report, Illicit Cyber Activity in the Banking and Finance Sector
, is the first in a series of Insider Threat Studies in critical infrastructure sectors.
The report was funded by the Homeland Security Department and conducted by the Secret Service's National Threat Assessment Center and the CERT/CC of Carnegie Mellon University's Software Engineering Institute.
Teams from the two organizations analyzed information on 23 incidents committed by 26 people. The incidents had been investigated by the Secret Service or reported in the news. The analysis ranged from the perpetrator's background and planning through discovery and response to the breach.
Statistics on insider attacks against IT systems are difficult to collect because many incidents go unreported and the study's results may not be representative.
But, 'the fact remains that insiders have perpetrated illicit acts against organizations in the critical infrastructure sectors,' the report says. 'While limited, this study provides insight into actual criminal acts committed by insiders.'
The primary findings:Most incidents required little technical sophistication. Only 23 percent of perpetrators held technical positions, and 87 percent of the incidents used only simple, legitimate user commands.Perpetrators planned their actions. In addition, in 85 percent of cases, someone else knew of the plans.Financial gain was the dominant motive, driving 81 percent. Other common motives were revenge (23 percent), dissatisfaction (15 percent) and to garner respect (15 percent).Perpetrators do not share a common profile. Just 58 percent were male, 54 percent were single, their jobs were scattered throughout the organizations and few of them were known troublemakers. However, 27 percent did have arrest records.Nearly two-thirds of the cases were detected by people outside IT security staffs, 35 percent of them by customers.Victims suffered losses ranging from $168 to more than $691 million.Most of the acts were committed while on the job.
The report urges organizations to 'look beyond their IT and security to their overall business processes,' to secure their systems and to create a culture of security.
But while creating this culture, 'it would be counterproductive to create an environment of mistrust,' the report warns. 'It should be made clear that preventing or limiting the damage due to insider attacks is to the mutual benefit of the organization and its workforce.'
William Jackson is a Maryland-based freelance writer.