Presentation: Insider Threat and Information Security

Insider Threat and Information Security
Dawn Cappelli
Faculty, Carnegie Mellon University
Earl Crane
Adjunct Professor, Carnegie Mellon University
Insider Threat
• Hassan Abujihaad (Formerly Paul Hall)
– Arrested March 7, 2007
– Sailor on USS Benfold (2000-2001)
– Passed SECRET information to known
Islamic Jihadists containing battle group
weaknesses
– Islamic Fundamentalist Convert
– http://cicentre.com
2 of 45
Insider Threat
• Leandro Aragoncillo
– Arrested: September 10, 2005
– Sentenced to 10 years: July 18, 2007
– Retired Marine, Administration Chief of White
House VP Security Detail
– Passed 101 classified documents to
Philippine government, 37 marked SECRET
– Played to Filipino loyalties
– http://cicentre.com
3 of 45
Insider Threat
• Robert Hanssen
– Arrested February 18, 2001
• Spy since 1985
– Long-time FBI agent
– “Worst case of espionage in US
history”
• Washington Post, 20 Feb 01
– Spied in exchange for $1.4M in
cash and diamonds
4 of 45
Spy cases
• What did these have in common?
– Trusted insiders who “turned”
– Used information system trust to commit
espionage.
• Did precursors exist to alert management?
• Could these have been prevented?
– Use of technology controls to mitigate
– Use of management observation to mitigate
5 of 45
Disclaimer
• This is not “trusted computing” or
“computational correctness”
• This does not make the case that Insider
Threats are a known and prevalent
problem. This is a given assumption.
6 of 45
Overview
• Trust and Trust Online
• A brief overview of Trust
– Shifting Trust from Technology to People
• Trust and information systems
– Credibility, Ease of Use, Perceived Risk
– Technology Adoption
– Fear of the unknown
• The Critical Pathway
• Practical Application: Insider Threat mitigation
techniques through System Dynamics from
Carnegie Mellon
7 of 45
Trust
• “Nearly 70% of Americans agree with the
statement, ‘I don't know whom to trust
anymore’”
– February 2002 Golin/Harris Poll
• The “What is Trust?” question is not new
– Interpersonal Trust
– Team Trust
– Societal Trust
• Trust and Abstract Systems
8 of 45
What is Trust Online?
• “An attitude of confident expectation in an
online situation of risk that one’s
vulnerabilities will not be exploited.”
– (Corritore, Kracher, & Wiedenbeck, 2003)
9 of 45
A brief overview of Trust
• General vs. Specific Trust
• Kinds of Trust
– Cognitive vs. Emotional Trust
• (Komiak & Benbasat, 2004)
– Slow Trust vs. Swift Trust
• Degrees of Trust
– Weak to Strong Trust
– Basic Trust, Guarded Trust, Extended Trust
• Stages of Trust
– Deterrence Based, Knowledge Based, and Shared Identification
Based Trust
• Shifting Trust
– Trust in Technology vs. Trust in People
10 of 45
Shifting Trust
• Trust in Technology vs. People
• Shift from technology to people through
technology
– (Chopra & Wallace, 2003)
Shifting Trust from Technology to People
Goal
11 of 45
Trust in Technology
• Trust in technology follows an
interpersonal model of trust.
– Web page or electronic document
– We trust the data if:
• It is believed to be reliable
• If we trust willingly
• If we can accept or reject the information on the
document.
12 of 45
Trust in People
• Electronic commerce
– Closer to humanistic trust, where the trustee is now a
person or organization
– Confidence that a transaction will be fulfilled
appropriately.
• Online relationships
– Confidence that the other party will maintain a quality
relationship.
• Intelligence, positive intentions, ethics, dependability,
predictability, confidentiality
• This is where we approach trust and information
systems
13 of 45
Trust and Information Systems
14 of 45
Credibility
• Credibility and the perception of credibility have
four components:
– Honesty
– Expertise
– Predictability
– Reputation
• (Corritore, et al. 2003)
• Regular communication builds trust (credibility)
in online environments
– (Gibson, 2003)
15 of 45
Ease of Use
• A website that is easy for users to navigate and
find the information needed instills a sense of
trust in the user, and satisfies the user with their
online experience.
– (Corritore, Kracher, & Wiedenbeck, 2003)
• How well users can achieve their goals while
using a computer
– The hard-to-use ACS system was one of the factors
contributing to espionage in the Robert Hanssen
espionage case
• (Band et al., 2006).
16 of 45
Technology Adoption
• Choose the path of least resistance
• Technology Acceptance Model (TAM)
– Perceived Usefulness (PU)
– Perceived Ease of Use (PEOU)
17 of 45
Perceived Risk
• A user’s perception of risk is closely linked
to their trust.
– A person buying a large ticket item online for
the first time may feel they have little control
over the transaction.
• Users may not be fully aware of all the
unknown risks; rather, they have an “awareness
of the unknown” that increases their
perceived risk.
– (Komiak & Benbasat, 2004)
18 of 45
The only thing we have to fear is fear itself
• Fear of the unknown
– Previously discussed Cognitive and Emotional
Trust
– (Komiak & Benbasat, 2004)
19 of 45
Trust and Insider Threat
• Organizations must trust their employees
to some extent
• Trust without management or technical
controls can enable insider attacks
• We can’t fix stupid
• Insider attacks follow a pattern - a “critical
pathway”
– Caveat: Not applicable to trained foreign
intelligence agents
20 of 45
Critical Pathway
(Shaw & Fischer, 2005)
21 of 45
Critical Pathway
• At-risk Subject Characteristics
– Serious promotional or personal setbacks
– Previous computer misuse
– Disabling organizational security devices
– Disregard for security protocols
– Self-esteem issues, a “high maintenance employee”
– Personnel conflicts
– Anger
– Lack of inhibitions about retaliation or revenge
(Shaw, 2006)
22 of 45
System Dynamics
• Modeled through System Dynamics
– Jay W. Forrester, 1961
• A method and supporting toolset
– Holistically model, document, and analyze complex
problems as they evolve over time
– Develop effective mitigation strategies that balance
competing concerns
• Carnegie Mellon System Dynamics Research
– Discovered the “trust trap”
23 of 45
Summary
• Discussed so far:
– Trust and Trust Online
– A brief overview of Trust
– Trust and information systems
– The Critical Pathway
• Practical Application: Insider Threat mitigation
techniques through System Dynamics from
Carnegie Mellon
– Management and Education of Risks of Insider Threat
(MERIT Model)
24 of 45
MERIT Model of
Insider IT Sabotage
25 of 45
MERIT Model
[Causal-loop diagram of the MERIT model. Variables shown: actual risk of insider attack; acquiring unknown paths; behavioral precursor; ability to conceal activity; technical monitoring; sanctions; behavioral monitoring; insider's unmet expectation; personal predisposition; unknown access paths; discovery of precursors; disgruntlement; insider's expectation; technical precursor; perceived risk of insider attack; org's trust of insider; expectation fulfillment; precipitating event.]
26 of 45
© 2007 Carnegie Mellon University
MERIT Model
[Same MERIT causal-loop diagram as the previous slide, repeated.]
27 of 45
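The slides describe the MERIT model as a System Dynamics model and name the “trust trap” without spelling out the equations. The following is an added toy stock-and-flow simulation, not CERT's model or code. The link directions it encodes (trust lowers monitoring, monitoring is what turns precursors into discovered precursors, discovered precursors drive perceived risk, and perceived risk pulls trust back down) are one reading of the diagram's variable names; the rate constants are constructed and have no empirical basis.

```python
from dataclasses import dataclass


def clamp(x: float, lo: float = 0.0, hi: float = 1.0) -> float:
    return max(lo, min(hi, x))


@dataclass
class State:
    """Stocks of the toy model, each scaled to 0..1."""
    trust: float = 0.8            # org's trust of insider
    disgruntlement: float = 0.0   # insider disgruntlement
    actual_risk: float = 0.0      # actual risk of insider attack
    perceived_risk: float = 0.1   # perceived risk of insider attack
    discovered: float = 0.0       # cumulative discovery of precursors


def monitoring(trust: float) -> float:
    """Combined behavioral + technical monitoring effort.
    Assumption behind the trust trap: the more the org trusts the insider,
    the less it monitors."""
    return clamp(1.0 - trust)


def step(s: State, unmet_expectation: float, dt: float = 1.0) -> State:
    """Advance the model one time unit (explicit Euler integration).
    unmet_expectation is the exogenous driver ('insider's unmet expectation')."""
    mon = monitoring(s.trust)
    # unmet expectation feeds disgruntlement (sanctions are not modelled here)
    disgruntlement = clamp(s.disgruntlement + dt * 0.2 * unmet_expectation)
    # precursors appear in proportion to disgruntlement; only the monitored
    # fraction is discovered
    discovery = mon * disgruntlement
    # perceived risk rises with discovered precursors and slowly decays
    perceived = clamp(s.perceived_risk
                      + dt * (0.5 * discovery - 0.05 * s.perceived_risk))
    # actual risk rises with disgruntlement regardless of what the org sees
    actual = clamp(s.actual_risk
                   + dt * 0.3 * disgruntlement * (1.0 - s.actual_risk))
    # trust drifts up while little is perceived and drops when risk is perceived
    trust = clamp(s.trust + dt * (0.05 * (1.0 - perceived) - 0.3 * perceived))
    return State(trust, disgruntlement, actual, perceived,
                 s.discovered + dt * discovery)


def simulate(steps: int, unmet_expectation: float, initial_trust: float) -> list:
    """Return the trajectory of states, starting from the given trust level."""
    s = State(trust=initial_trust)
    history = [s]
    for _ in range(steps):
        s = step(s, unmet_expectation)
        history.append(s)
    return history


def risk_gap(history: list) -> float:
    """How far actual risk has run ahead of perceived risk at the end of a run."""
    last = history[-1]
    return last.actual_risk - last.perceived_risk


if __name__ == "__main__":
    for t0 in (0.5, 0.95):
        h = simulate(20, unmet_expectation=1.0, initial_trust=t0)
        print(f"initial trust {t0:.2f}: final trust {h[-1].trust:.2f}, "
              f"perceived {h[-1].perceived_risk:.2f}, actual {h[-1].actual_risk:.2f}, "
              f"gap {risk_gap(h):.2f}")
```

Running the two scenarios side by side shows the trap: the insider's disgruntlement and the actual risk follow the same path in both, but the high-trust organisation monitors less, discovers fewer precursors, keeps perceiving low risk, and therefore keeps trusting, so the gap between actual and perceived risk is widest exactly where trust started highest.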
Insider Threat Mitigation
• Balance information sharing with
information restriction and monitoring
• Technical Controls
• Management Controls
• Operational Controls
– Series of recommendations from Carnegie Mellon
28 of 45
Best Practices
29 of 45
Our Thoughts About Best
Practices
• Refer to the Common Sense Guide and
Insider Threat Study reports for supporting
data.
• Our goal here is to use case examples to
motivate you to ask yourself
Could something like this happen to me?
30 of 45
Best Practice #1 :
Institute periodic enterprise-wide
risk assessments.
Emergency services are forced to rely on manual
address lookups for 911 calls when an insider
sabotages the system.
Organizations need to develop a risk-based security
strategy to protect their critical assets from both
external and internal threats.
31 of 45
Best Practice #2 :
Institute periodic security
awareness training.
A team of software developers pays the price after
they ignore the team lead’s contempt and deliberate
violation of management’s directives.
Without broad understanding and buy-in from the
organization, technical or managerial controls will be
short-lived.
32 of 45
Best Practice #3:
Enforce separation of duties and
least privilege.
A supervisor accepts $50,000 to grant asylum to
immigrants who had been or could have been
otherwise denied.
While security awareness training is an excellent
start, separation of duties and least privilege must be
implemented to limit the damage that malicious
insiders can inflict.
33 of 45
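Separation of duties is easy to state and easy to lose in practice; the supervisor case above is a single person controlling both sides of a decision. The following added example (not from the presentation or from CERT) shows the control in two forms: a preventive check that refuses an approval from the initiator or from someone without the approver role, and a detective audit over constructed workflow records that finds cases where the rule was bypassed. The role names, case ids and records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed role assignments: who may initiate and who may approve a case.
ROLES = {
    "maria": {"caseworker"},
    "omar": {"supervisor"},
    "lee": {"caseworker", "supervisor"},   # holds both roles: the risky combination
}

# Constructed workflow audit records: (case_id, actor, action)
ACTIONS = [
    ("A-100", "maria", "initiate"),
    ("A-100", "omar", "approve"),      # clean: different people, approver is a supervisor
    ("A-101", "lee", "initiate"),
    ("A-101", "lee", "approve"),       # same person on both sides
    ("A-102", "maria", "initiate"),
    ("A-102", "maria", "approve"),     # same person, and not even a supervisor
    ("A-103", "omar", "approve"),      # approval with no recorded initiation
]


def can_approve(actor: str, initiator: str, roles: dict) -> bool:
    """Preventive control: an approval is allowed only from a supervisor who
    is not the person that initiated the case (two-person rule)."""
    return actor != initiator and "supervisor" in roles.get(actor, set())


def check_separation(actions, roles) -> list:
    """Detective control: replay the audit trail and report every case whose
    approval violated separation of duties or least privilege."""
    by_case = defaultdict(dict)
    for case_id, actor, action in actions:
        by_case[case_id][action] = actor

    findings = []
    for case_id, steps in by_case.items():
        initiator, approver = steps.get("initiate"), steps.get("approve")
        if approver is None:
            continue                          # nothing was approved yet
        if initiator is None:
            findings.append((case_id, "approved_without_initiation"))
        elif initiator == approver:
            findings.append((case_id, "same_actor_initiated_and_approved"))
        if "supervisor" not in roles.get(approver, set()):
            findings.append((case_id, "approver_lacks_role"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_separation(ACTIONS, ROLES):
        print(*finding)
```

The preventive check belongs in the application, but the audit replay is what catches the cases where the application was bypassed or misconfigured, which is why the slide pairs separation of duties with least privilege rather than relying on either alone.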
Best Practice #4:
Implement strict password & account
management practices.
A disgruntled contractor snoops to his heart’s
content after he uses a password cracker to obtain
40 passwords, including the root password.
If an organization’s computer accounts can be
compromised, insiders can circumvent manual and
automated control mechanisms.
34 of 45
Best Practice #5:
Log, monitor, and audit employee
online actions.
A contractor’s sophisticated scheme, which
allowed him to steal 5000 employee passwords, is
discovered in the nick of time.
Logging, monitoring, and auditing can lead to early
discovery and investigation of suspicious insider
actions.
35 of 45
Best Practice #6:
Use extra caution with
privileged users.
An insider’s fiancée finds her promotion is better
than he ever imagined when she gives him $615,000
over the next two years.
System administrators and privileged users have the
technical ability, access, and oversight responsibility
to commit and conceal malicious activity.
36 of 45
Best Practice #7:
Actively defend against
malicious code.
A software developer realizes that the fox is
guarding the henhouse when he is able to modify
his own source code to override his own security
measures.
While insiders frequently use simple user commands
to do their damage, logic bombs and other malicious
code are used frequently enough to be of concern.
37 of 45
Best Practice #8:
Use layered defense against
remote attacks.
A foreign currency trader hides $691 million in
losses over a 5 year period – mostly from home in
the middle of the night.
Remote access provides a tempting opportunity for
insiders to attack with less risk.
38 of 45
Best Practice #9 :
Monitor and respond to suspicious
activity.
A software development manager who verbally
attacks management and coworkers on a regular
basis is finally fired, but steals critical software and
demands $50K for its return.
One method of reducing the threat of malicious
insiders is to proactively deal with difficult
employees.
39 of 45
Best Practice #10 :
Deactivate computer access
following termination.
A system administrator terminated with no
advance notice remotely logs in using an
administrator account and shuts down a
mission-critical server.
It is important that organizations follow rigorous
termination procedures that disable all open access
points to the networks, systems, applications, and
data.
40 of 45
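The termination case above is detectable after the fact and preventable before it, but only if the HR record, the account directory and the authentication log are compared with each other. The following added example (not from the presentation) reconciles the three: it reports accounts still enabled after the owner's termination, service accounts whose owner has left, and any successful or attempted login that post-dates the termination. The HR feed, directory export, log lines, user names and addresses are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed HR feed: user -> termination time
TERMINATIONS = {
    "kwalsh": datetime(2007, 3, 1, 17, 0),
    "mlee": datetime(2007, 2, 15, 12, 0),
}

# Constructed directory export; 'owner' marks a service account and who owns it
ACCOUNTS = [
    {"user": "kwalsh", "enabled": True, "privileged": True},
    {"user": "mlee", "enabled": False, "privileged": False},
    {"user": "alice", "enabled": True, "privileged": False},
    {"user": "svc-backup", "enabled": True, "privileged": True, "owner": "kwalsh"},
]

# Constructed authentication log in "<ISO timestamp> key=value ..." form
AUTH_LOG = """\
2007-03-01T16:10:00 user=kwalsh result=success src=10.0.0.5 method=console
2007-03-02T01:30:00 user=kwalsh result=success src=203.0.113.9 method=vpn
2007-03-02T01:31:00 user=svc-backup result=success src=203.0.113.9 method=ssh
2007-02-20T09:00:00 user=mlee result=failure src=198.51.100.4 method=vpn
2007-03-02T09:00:00 user=alice result=success src=10.0.0.7 method=console
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_auth_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def effective_termination(user: str, accounts: list, terminations: dict):
    """Termination time that applies to an account: its own, or its owner's
    for a service account. None if nobody relevant has been terminated."""
    if user in terminations:
        return terminations[user]
    for acct in accounts:
        if acct["user"] == user and acct.get("owner") in terminations:
            return terminations[acct["owner"]]
    return None


def reconcile(accounts: list, terminations: dict, auth_log: str) -> list:
    """Return (kind, user, detail) findings for the deprovisioning review."""
    findings = []

    # 1. Directory state: anything still enabled that should have been disabled
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["user"] in terminations:
            findings.append(("account_still_enabled", acct["user"],
                             "privileged" if acct["privileged"] else "standard"))
        elif acct.get("owner") in terminations:
            findings.append(("orphaned_service_account", acct["user"],
                             f"owner={acct['owner']}"))

    # 2. Authentication activity after the applicable termination time
    for rec in filter(None, map(parse_auth_line, auth_log.splitlines())):
        cutoff = effective_termination(rec["user"], accounts, terminations)
        if cutoff is None or rec["ts"] <= cutoff:
            continue
        kind = ("login_after_termination" if rec["result"] == "success"
                else "failed_attempt_after_termination")
        findings.append((kind, rec["user"], f"{rec['ts'].isoformat()} from {rec['src']}"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(ACCOUNTS, TERMINATIONS, AUTH_LOG):
        print(*finding)
```

The failed attempt by the already-disabled account is reported deliberately: it is evidence the deprovisioning worked and is worth keeping for the investigation record that Best Practice #11 asks for.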
Best Practice #11 :
Collect and save data for use in
investigations.
Monthly audit log recycling causes company
difficulty in prosecuting a long-term fraud scheme
with losses of over $500K.
Collecting and saving usable evidence preserves
response options, including legal actions.
41 of 45
Best Practice #12 :
Implement secure backup and
recovery processes.
A disgruntled system administrator amplifies the
impact of a logic bomb by centralizing critical
programs and intimidating a coworker out of backup
tapes.
It is important that organizations prepare for the
possibility of insider attacks by implementing secure
backup and recovery processes that are tested
periodically.
42 of 45
Best Practice #13 :
Clearly document insider threat
controls.
After transferring to a new department, absence of
policy allows an insider to repeatedly gain
unauthorized access to his old department’s
systems without repercussions.
To ensure consistent handling and to protect against
accusations of discrimination, procedures for
dealing with malicious insiders must be clearly
documented.
43 of 45
Questions
• Earl Crane
– Crane at andrew * cmu * edu
• Dawn Cappelli
– DMC at cert * org
44 of 45
Summary of Best Practices
• Institute periodic enterprise-wide risk assessments.
• Actively defend against malicious code.
• Institute periodic security awareness training for all employees.
• Use layered defense against remote attacks.
• Enforce separation of duties and least privilege.
• Monitor and respond to suspicious or disruptive behavior.
• Implement strict password and account management policies and practices.
• Deactivate computer access following termination.
• Log, monitor, and audit employee online actions.
• Use extra caution with system administrators and privileged users.
• Collect and save data for use in investigations.
• Implement secure backup and recovery processes.
• Clearly document insider threat controls.
45 of 45