Secrets, Technology and Insider Threats
Understanding how technology has changed the internal security landscape, and the behavior of the people you trust with your secrets

By Dan Verton

The insider threat is one of the biggest threats to the security and stability of the nation and the private companies that constitute its economic engine. Today, the modern enterprise is valued most by its intellectual property, including trademarks, copyrights, patents, research and development data, software specifications, internal policies and procedures, customer and vendor data, human capital (know-how), sales and business strategies, and, of course, classified information used by government agencies for purposes of national security.

Ironically, the same technological development that has revolutionized the world of business is now making the act of doing business increasingly dangerous for companies of all sizes. “There is a speed of change that occurs when you introduce a new technology,” said Michael Theis, Cyber-Counterintelligence Chief at the National Reconnaissance Office (NRO). “We're way behind in the security industry in looking at how we interact with technology and how humans change their behavior.”

Information technologies have evolved at such a rapid pace that their corresponding rapid insertion into corporate and government enterprise has literally obliterated the notion of the security perimeter.

“Technology has really changed how the insider acts, reacts and transmits information, using new technologies, miniature devices, pushing information out to message boards, and via instant messenger,” said Terry Gudaitis, director of incident response services for Science Applications International Corp. (SAIC), which provides scientific, engineering and systems integration services.

This is the reality that confronts today's modern enterprise. However, it is a reality that most security practitioners and senior decision makers have yet to acknowledge. Their businesses and agencies are hemorrhaging secrets and they don't even know it. For those unfortunate enough to be awakened to the problem after the fact, their response is often simply to fire the offender(s), leaving the conditions that led to the crime in place. Such reactive approaches to security leave critical gaps in place that can then be exploited by the next unscrupulous employee or business partner who manages to evade early detection. “People really don't want to believe that it's happening,” says Gudaitis, who is a former behavioral specialist at the CIA. “They believe they've hired good people, they've hired good vendors, and they've done everything they thought they could do, but they know that because of compliance and the reputation risk that they really need to start paying attention.”

Today, the modern business and government enterprise would be hard-pressed to identify the electronic boundaries that separate them from the rest of the world. In addition, those same organizations would likely find it even more difficult to identify all of the locations where their electronic assets - their digital intellectual property - reside or who has access to them. The security perimeter, which once provided at least a modicum of security, no longer even does that much. When the history of the Internet age is written, the security perimeter will be counted among the first things to have become extinct.

As one result, insiders are finding it easier to commit crimes, while their activities are more difficult to detect. New technologies have lowered the bar considerably when it comes to the technological prowess required to carry out insider crimes or conduct electronic espionage. Very few insider crimes involve the use of sophisticated scripts or software programs. Instead, they often involve legitimate user activity and require little knowledge of network security. Further complicating matters is the availability of easy-to-use “ordinary” devices such as picture phones and keychain Universal Serial Bus (USB) storage devices. Documents that used to take an insider multiple trips or multiple briefcases to carry now fit easily in these small storage devices.

Peter McDonald, director of federal sales at Denver-based Vericept Corp., a compliance and content control software provider, said his company has uncovered a wide range of insider threats across all vertical sectors of the economy. “We're seeing everything from credit card information, social security numbers, customer lists, and intellectual property, such as source code, new chemicals and new fabrications,” he said. “It ranges the entire spectrum from identity information, financial information and intellectual property.”

Application security is another real concern for organizations dealing with insider activity, as well as new legal requirements, such as the Sarbanes-Oxley Act of 2002 and the Gramm-Leach-Bliley Act of 1999, which outline corporate governance and personal information disclosure reporting requirements, respectively. Although the malicious or criminal insider may not be technically sophisticated, such users often gain detailed knowledge of specific application vulnerabilities, workarounds and administrative overrides that can easily facilitate insider abuse. It is also interesting to note that these, and other types of insiders, often are not employed in technical positions. It is no longer necessary to have a degree in computer science to steal or corrupt sensitive, classified or privacy-protected data.

The low level of technological know-how required to conduct most forms of insider abuse raises interesting questions about the psychological profile of the average malicious insider. Research has shown that they share many personality traits. There also may be similarities in their personal lives that may act as instigating factors in their decision to strike out at a perceived injustice. However, while recent studies have focused almost exclusively on the psychological profiles of information technology professionals (e.g. system administrators and help-desk technicians, who have the technical ability to misuse computer assets in a way that would prevent them from getting caught), insiders come in all shapes and sizes, and from all educational and professional backgrounds. They also can be found in almost any division within a particular company or organization, and sometimes are contract employees, subcontractors, service providers or the employees of an outsourcing firm.

Who Are Dangerous Insiders?

David Drab, Xerox's Director of Information Content Security Services and a former FBI agent who spent the bulk of his career investigating and pursuing members of La Cosa Nostra (LCN or the American Mafia), notes that his former nemesis will always be a risk factor, but “today's threat is very different because the world is very different. Ubiquitous connectivity through the Internet, digitalization of information assets, the warp speed of technology, and the diversification of business models in the global economy have contributed to this transformation. All these factors contribute to the concept of an enterprise without borders. Today's enemy… may (not) be readily identifiable, but may resemble the guy or gal you went to lunch with today. It may have no face at all and you may never see it. It may attack you at anytime, from anywhere in the world. So what is the threat? And who is the enemy that must be acknowledged today? Today's enemy lives in a virtual world, and can be virtually anyone.”

The insider threat is also not necessarily an individual. Some now are a part of well organized groups. “You have a significant proportion of the insider threats coming from the average employee who feels disloyalty to the employer,” said Gudaitis. “There also is an influx of those who are in organized groups who want to obtain information for competitive and financial reasons, which refers to economic espionage.”

Outsourcing

The concept of loyalty is changing in America. One might go as far as to argue that loyalty in the American workplace has been at a crossroads for several years. The outsourcing of American technology jobs has left many skilled citizens searching for work, struggling to feed and clothe their families, and losing sleep over an uncertain future while watching lower-wage workers overseas prosper. And while U.S. companies temporarily halted their plans to outsource jobs in the immediate aftermath of the Sept. 11, 2001 terrorist attacks, the trend is now once again in full swing. This has led to an undercurrent of anger and resentment throughout the American IT workforce.

The trend of outsourcing information technology (IT) jobs overseas has added new pressures to the highly volatile mix of ingredients that go into the making of a disgruntled or malicious insider. This is a topic that has, until now, gone unnoticed. American companies ignore this potential powder keg at their own peril.

How much IT development work has moved from Main Street U.S.A. to Europe and the Far East? The answer is quite a lot. In October 2004, for example, International Data Corp., a consultancy in Framingham, MA, estimated that U.S. companies outsourced $6.87 billion worth of custom application development, systems integration and application management. More than 72 percent of that work went to India, 8 percent went to the Philippines, 7.7 percent went to Central and Eastern Europe, and China took in 6.5 percent. Consulting firm Gartner Inc. estimated that by the end of 2004 one out of every ten U.S. IT jobs had been shipped overseas.

Other studies are more telling. The TPI Index, for example, put the value of IT outsourcing contracts signed during the first quarter of 2005 at $10.8 billion. In addition, Forrester Research Inc. predicted that by 2015 3.5 million white-collar jobs, or 200,000 per year, would move out of the U.S. to offshore locations. In fact, some estimate that between 2000 and 2003 approximately 104,000 IT jobs were lost in the U.S. to offshore outsourcing.

And contrary to popular belief, U.S. companies aren't shipping only low-level jobs overseas. While there are plenty of low-level call center jobs that are now based in places like India, research and development work is increasingly being sent overseas. For example, 70 percent of the personal digital assistants (PDAs) and 65 percent of the laptop computers on the market today are designed in Taiwan. And even networking infrastructure leaders, such as Cisco Systems, Nortel and Lucent, are increasingly farming out critical software design work to overseas firms. Wipro Technologies, for example, employs 8,000 researchers and developers to produce telecommunications equipment, electronic systems for automobiles and microchips for various industries. It is the world's largest contract R&D firm, and it is based in India.

HR Issues

To understand the psychology of the dangerous, high-tech insider one must understand the nature of change in the digital world and the impact that technology has had on the workplace. Change, in this context, has not been a good thing for security or for people in general. In fact, the argument can be made that the growth of the Internet and the shift that has occurred in the way people communicate, work, play, collaborate, socialize and learn has had unintended, negative consequences on the psychological makeup of a large portion of the American workforce.

“If you give somebody a new technology, their personal behavior will change,” said Theis. “It may take some time or it may be very quick, but it will change.”

The problem has always been judging the trustworthiness of individuals, he said. The processes in use are geared toward a brick and mortar world and they have been in use since the 1940s and 1950s. “The problem is less than one in 10 teenagers sees any kind of a moral issue in swapping music online,” says Theis. “And if I brought them in for a polygraph and asked them 'have you ever stolen' they would say no. And would they pass? Yes. And my secrets are in the computer, where the idea of swapping information is okay.”

The motivations of malicious insiders are as varied as the techniques used to commit sabotage, espionage, theft or extortion. However, recent studies of the psychological profiles of malicious insiders have revealed several common characteristics that make information technology professionals (particularly system administrators) an “at risk” population for malicious insider activity and more vulnerable to outside manipulation by other criminals or international espionage efforts.

The most notable study was “Inside the Mind of the Insider,” conducted by Eric Shaw, a former CIA psychological profiler, and Jerrold Post, a former CIA psychologist and a noted expert on the psychology of terrorism and political violence. Post, who developed the Camp David Profiles for former President Jimmy Carter, characterizes internal cyber crime as a subset of workplace violence.

“In almost every case, the act which occurs in the information system era is the reflection of unmet personal needs that are channeled into the area of expertise,” Post said in July 2001.

While the majority of hackers are little more than garden-variety criminals, Post found that the world of cyber-crime does have its share of Lee Harvey Oswalds. One example is Abraham Abdallah, a 32-year-old Brooklyn busboy who in March 2001 managed to pull off the biggest Internet identity heist in history, stealing the online identities of 200 of the richest people in America. There is little difference in motivation between criminals like Abdallah and Oswald, Post said: “To steal somebody's identity is to escape from one's place of insignificance. It's a special species of assassination.” Increasingly, however, identity theft is simply a means to a criminal end, usually illicit financial gain. And the very individuals we entrust with managing critical data and systems are those about whom we should be most concerned. “Almost all of these people are loyal at the time of hiring,” Post said. “So this isn't a matter of screening them out.”

It is, however, a matter of knowing who is at risk of committing malicious insider activity, how to recognize the warning signs, and how to manage and relieve workplace stressors that may push an employee over the edge.

Introversion is the one common characteristic shared by most IT specialists who are at risk of taking part in malicious insider activity, say Post and Shaw. It is important to note, however, that as with all of the personality traits shared by IT workers and malicious insiders the purpose of studying their prevalence is not to make a judgment about such traits or the general population that exhibits them, but rather to study their occurrence in cases where insider crimes are committed. And it is in that context that introversion plays a significant role in the incidence of high-tech insider crimes.

System administrators tend to prefer the non-personal nature of Internet communications and, as a result, often demonstrate less developed interpersonal and social skills, Post and Shaw note. As such, these individuals are usually more prone to deal with conflict in a detached, unconstructive, potentially hostile manner. They may send flame e-mails to co-workers and superiors; face-to-face discussions, when they do occur, are usually focused solely on personal gripes about how poorly the workplace is managed, the illogical decisions that others are making regarding IT systems and networks, and how only select employees (primarily the individual doing the complaining) are underappreciated and overworked by senior managers. However, while many honest individuals share similar feelings and personality traits, the malicious insider often experiences a breaking point. That breaking point can stem from the confluence of work stressors that go unaddressed by managers and personal conflicts, such as divorce, alcoholism, financial problems and other stressful family matters.

The particular type of introvert we are talking about here also often demonstrates a high level of computer dependency. This is not surprising given the current research on general hacker activity. Those who become malicious computer hackers often display an unhealthy dependence on computer communications and friendships and, as a result, develop a disdain for others outside of their Internet-based social circles. Likewise, the independent nature of living an Internet life (as opposed to nurturing one's social skills in the real world) often creates individuals who do not function well in a team environment. The real world does not allow one to simply 'disconnect' or find an alternate chat room where one's opinions and beliefs are more widely shared and supported.

What You Can Do

There are two primary components of the technological answer to the insider threat: observe and model human behavior, and adopt a defense in depth strategy.

“We are looking at behavior,” said Vericept's McDonald. “We believe that most malicious attacks are premeditated. A lot of our customers, for example, have employees who are looking for jobs. So we have a resignation category that tracks these threats. And we're seeing patents and other sensitive intellectual property going out with resumes.

“We also see tons of insider hacker activities, including key-logging, network mapping, and attempts to access databases that individuals shouldn't have access to. There's a lot of behavior associated with data loss that you can look for instead of seeing an event and responding to it.”

According to Theis, the way ahead is in modeling human behavior and understanding how technology continues to change the way people behave: “If we understand human behavior in cyberspace we can develop mathematical models that will help us to develop tools.”

Once we have the models and the tools, it's important to implement them and use them appropriately. “Just relying on people following the rules and doing what they are supposed to be doing is not going to cut it,” said Gudaitis. “Corporations also need to be aware of things that slip between the cracks.” And that means regularly looking for your organization's intellectual property in places you know it doesn't belong.
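The behaviour categories McDonald describes (a resignation signal, intellectual property leaving alongside it, access to databases a user is not entitled to) and Gudaitis's advice to look for IP where it does not belong can be turned into a simple per-user correlation. The following is an added illustration, not code from the article or from any vendor it names; the audit-log format, roles, DLP labels and sample lines are all constructed.

```python
"""Insider-risk triage over constructed audit events (added example; not code
from the article or any vendor it names). Correlates the signals the text calls
out: a 'resignation' category, IP leaving alongside it, and database access
outside a user's entitlements. Format, roles, labels and lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"                        # constructed
ROLE_ENTITLEMENTS = {                                   # constructed: databases a role may use
    "engineer": {"source_repo", "build_db"},
    "sales": {"crm"},
}
IP_LABELS = {"patent_draft", "source_code", "formula"}  # constructed DLP labels


@dataclass
class UserRisk:
    resignation: bool = False                     # resume sent to an external address
    ip_exfil: list = field(default_factory=list)  # IP labels sent externally
    unauthorised_db: list = field(default_factory=list)

    def score(self) -> int:
        # The 'premeditated' pattern the text describes is a resume leaving
        # together with IP; weight that combination above either signal alone.
        s = (1 if self.resignation else 0) + 2 * len(self.ip_exfil) + 2 * len(self.unauthorised_db)
        return s + 5 if (self.resignation and self.ip_exfil) else s

def parse_event(line: str) -> dict:
    """'ts|user|role|event|k=v;k=v' -> dict (constructed log format)."""
    ts, user, role, event, detail = line.strip().split("|", 4)
    fields = dict(kv.split("=", 1) for kv in detail.split(";") if kv)
    return {"ts": ts, "user": user, "role": role, "event": event, **fields}

def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)

def triage(lines):
    """Return {user: UserRisk} correlated across all audit lines."""
    risks = defaultdict(UserRisk)
    for line in lines:
        ev = parse_event(line)
        r = risks[ev["user"]]
        if ev["event"] == "outbound_mail" and is_external(ev.get("to", "")):
            labels = set(ev.get("labels", "").split(",")) - {""}
            r.resignation |= "resume" in labels
            r.ip_exfil.extend(sorted(labels & IP_LABELS))   # IP where it doesn't belong
        elif ev["event"] == "db_access" and ev["db"] not in ROLE_ENTITLEMENTS.get(ev["role"], set()):
            r.unauthorised_db.append(ev["db"])
    return dict(risks)

SAMPLE_LOG = [  # constructed audit lines
    "2006-08-01T09:02|jdoe|engineer|outbound_mail|to=recruiter@otherco.example;labels=resume",
    "2006-08-01T09:40|jdoe|engineer|outbound_mail|to=jdoe.home@mail.example;labels=patent_draft,source_code",
    "2006-08-01T10:15|jdoe|engineer|db_access|db=crm",
    "2006-08-01T11:00|asmith|sales|outbound_mail|to=client@partner.example;labels=quote",
    "2006-08-01T11:05|asmith|sales|db_access|db=crm",
]

if __name__ == "__main__":
    for user, risk in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1].score()):
        print(user, risk.score(), risk)
```

Running it ranks jdoe (resume out, IP out, CRM access outside an engineer's entitlements) well above asmith, whose external mail and database use match the sales role.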

The only way to combat the insider threat is to adopt a defense-in-depth security strategy that does more than simply monitor access attempts from outside the electronic enterprise. It must also monitor the flow of information from within. By its very nature, a defense-in-depth strategy has at its core an organization's most precious assets: its information and its knowledge.

Excerpted from Dan Verton's The Insider: Best Practices Edition (August 2006)
Dan Verton is the author of The Insider: Best Practices Edition (August 2006). The founder and executive producer of Homeland Defense Week, Verton is a former military intelligence officer and winner of the 2003 Jesse H. Neal National Business Journalism Award. He's written four books on cybersecurity, including Black Ice: The Invisible Threat of Cyber-Terrorism and The Insider.

© 2006 InfraGard All Rights Reserved