Showing posts with label insiders. Show all posts
Showing posts with label insiders. Show all posts

Saturday, April 14, 2007

Exaggerated Insider Threats

I got a chance to listen to Adam Shostack's talk at ShmooCon. When I heard him slaughter my name my ears perked up. (It's "bate-lik".) :) I hadn't seen his slides (.pdf) until now, but I noticed he cited my post Of Course Insiders Cause Fewer Security Incidents where I questioned the preponderance of insider threats. I thought Adam's talk was good, although he really didn't support the title of his talk. It seemed more like "security breaches won't really hurt you," rather than breaches benefitting you. That's fine though.

When he mentioned my post he cited a new paper titled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006 by Phil Howard and Kris Erickson. Adam highlighted this excerpt

60 percent of the incidents involved organizational mismanagement

as a way to question my assertion that insiders account for fewer intrusions than outsiders.

At the outset let me repeat how my favorite Kennedy School of Government professor, Phil Zelikow, would address this issue. He would say, "That's an empirical question." Exactly -- if we had the right data we could know if insiders or outsiders cause more intrusions. I would argue that projects like the Month of 0wned Corporations give plenty of data supporting my external hypothesis, but let's take a look at what the Howard/Erickson paper actually says.

First, what are they studying?

Our list of reported incidents is limited to cases where one or more electronic personal records were compromised through negligence or theft... For this study, we look only at incidents of compromised records that are almost certainly illegal or negligent acts. For the purposes of this paper, we define electronic personal records as data containing privileged information about an individual that cannot be readily obtained through other public means.

So, they are studying disclosure of personal information. They are not analyzing theft of intellectual property like helicopter designs. They are not reviewing cases of fraud, like $10 million of routers and other gear shipped to Romania. They are not reviewing incidents where hosts became parts of botnets and the like. All of that activity would put weight in the external column. That's not included here.

Let's get back to that 60% figure. It sounds like my hypothesis is doomed, right?

Surprisingly, however, the proportion of incident reports involving hackers is smaller than the proportion of incidents involving organizational action or inaction. While 31 percent of the incidents reported clearly identify a hacker as the culprit, 60 percent of the incidents involve missing or stolen hardware, insider abuse or theft, administrative error, or accidentally exposing data online.

Now we see that the 60% figure includes several categories of "organizational action or inaction". Hmm, I wonder how big the insider abuse or theft figure is, since that to me sounds like the big, bad "insider threat." If we look at this site we can access the figures and tables for the report. Take a look at Figure 2. (It's too wide to print here.) The Insider Abuse or Theft figure accounts for 5% of the incident total while Stolen - Hacked accounts for 31%. Sit down, insider threat.

Wait, wait, insider threat devotees might say -- what about Missing or Stolen Hardware, which is responsible for 36% of incidents? I'll get to that.

The numbers I cited were for incidents. You would probably agree you care more about the number of records lost, since who cares if ten companies each lose one hundred records if an eleventh loses one hundred thousand.

If you look at the corresponding percentages for numbers of records lost (instead of number of incidents), Insider Abuse or Theft accounts for 0%, Missing or Stolen Hardware counts for 2% while Stolen - Hacked rings in at 91%. Why are we even debating this issue?

Wait again, insider fans will say. Why don't you listen when the authors exclude Axciom from the data? They must be an "outlier," so ignore them. And now ignore TJX, and... anyone else who skews the conclusion we're trying to reach.

The authors state:

Regardless of how the data is broken down, hackers never account for even half of the incidents or the volume of compromised records.

To quote Prof Zelikow again, "True, but irrelevant." I'll exclude Acxiom too by looking at previous periods. In 1980-1989 Stolen - Hacked accounts for 96% of records and 43% of incidents, while Unspecified accounts for the remaining 4% of records, along with 43% of incidents. Insider Abuse or Theft was 14% of incidents and zero records, meaning no breach. In 1990-1999 Stolen - Hacked accounts for 45% of incidents but the number of records is dwarfed by the number of records lost in Unspecified Breach.

In brief, this report defends the insider threat hypothesis only in name, and really only when you cloak it in "organizational ineptitude" rather than dedicated insiders out to do the company intentional harm.

I recommend reading the report to see if you find the same conclusions buried behind the numbers. It's entirely possible I'm missing something, but I don't see how this report diminishes the external threat.

Friday, February 16, 2007

Combat Insider Threats with Nontechnical Means

I've written many posts on insider threats, like How Many Spies and Of Course Insiders Cause Fewer Security Incidents. Recently a former Coca-Cola employee was found guilty of trying to steal Coke's trade secrets, with an intent to sell them to Pepsi. According to this story, detection of the plot was decidedly non-technical:

In May, a letter appeared at Pepsi's New York headquarters offering to sell the trade secret. But that's how the beverage superpowers learned of common corporate priorities: Pepsi officials immediately notified Coke of the breach; in turn, Coke executives contacted the FBI and a sting operation was put into play.

Today I read Insider Tries to Steal $400 Million at DuPont. The story claims a technical detection method:

Computer security played a key role in the case. The chemist, Gary Min, was spotted when he began accessing an unusually high volume of abstracts and full-text PDF documents from DuPont's Electronic Data Library (EDL), a Delaware-based database server which is one of DuPont's primary storage repositories for confidential information.

Between Aug. 2005 and Dec. 12, 2005, Min downloaded some 22,000 abstracts and about 16,700 documents -- 15 times the number of abstracts and reports accessed by the next-highest user of the EDL, according to documents unsealed yesterday by Colm Connolly, U.S. Attorney for the District of Delaware...

Min began downloading the documentation about two months before he received an official job offer from Victrex, a DuPont competitor, in October 2005. The new job was slated to begin in January of 2006, but Min did not tell DuPont he was leaving until December 2005, according to the documents. It was after he announced his departure that DuPont's IT staff detected the high volume of downloads from Min's computer.


That demonstrates DuPont was unaware of the activity (which started in August) until December. That means DuPont only started looking for odd activity once Min announced his departure, so again we have another non-technical detection method. Something similar to the Coke case occurred based on this line from the same story:

Victrex was not accused of conspiring with Min. In fact, the company assisted authorities in collecting evidence against him, according to the documents.

So, in both cases nontechnical means identified and caught insider threats.

This follow-up story, 10 Signs an Employee Is About to Go Bad, lists only two technical means to identify insider threats -- the remaining eight are all decidedly analog or physical. I recommend reading this list. It represents one of the better arguments I've seen for "convergence" between physical and digital security staffs.

Unfortunately, many companies are spending lots of money on products to supposedly combat insider threats, when the best approach is nontechnical. Meanwhile, these same companies are completely 0wn3d by outsiders in .ro, .ru, .cn, etc., but little attention is paid because external threats are not the "hot topic" right now. The only saving grace is that some of the technical methods that might be helpful against insiders may work against outsiders who control company assets.

Wednesday, December 27, 2006

How Many Spies?

This is a follow-up to Incorrect Insider Threat Perceptions. I think security managers are worrying too much about insider threats compared to outsider threats. Let's assume, however, that I wanted to spend some time on the insider threat problem. How would I handle it?

First, I would not seek vulnerability-centric solutions. I would not even really seek technological solutions. Instead, I would focus on the threats themselves. Insider threats are humans. They are parties with the capability and intention to exploit a vulnerability in an asset. You absolutely cannot stop all insider threats with technical solutions. You can't even stop most insider threats with technical solutions.

You should focus on non-technical solutions. (Ok, step two is technical.)

  1. Personnel screening: Know who you are hiring. The more sensitive the position, the deeper the check. The more sensitive the position, the greater the need for periodic reexamination of a person's threat likelihood. This is common for anyone with a federal security clearance, for example.

  2. Conduct legal monitoring: Make it clear to employees that they are subject to monitoring. The more sensitive the position, the greater the monitoring. Web surfing, email, IM, etc. are subject to inspection and retention within the boundaries of applicable laws.

  3. Develop and publish security policies: Tell employees what is proper and improper. Let them know the penalties for breaching the policy. Make them resign them annually.

  4. Discipline, fire, or prosecute offenders: Depending on the scope of an infraction, take the appropriate action. Regulations without enforcement (cough - HIPAA - cough) are worthless.

  5. Deterrence: Tell employees all of the above regularly. It is important for employees who might dance with the dark side to fully understand the consequences of their misdeeds.


At the end of the day, you should wonder "how many spies?" are there in your organization. Consider the hurdles an insider threat must leap in order to carry out an attack and escape justice.

  • He must pass your background check, either by having a clean record or presenting an airtight fake record.

  • He must provide a false name and mailing address to frustrate attempts to catch him.

  • He must evade detecting by your internal audit systems.

  • He must have an escape plan to leave the organization and resurface elsewhere.


I could continue, but imagine those difficulties compared to a remote cyber intruder in Russia who conducts a successful client-side attack on your company? Now which attack is more likely -- the insider or the outsider?

Incorrect Insider Threat Perceptions

Search my blog for "insider threat" and you'll find plenty of previous posts. I wanted to include this post in my earlier holiday reading article, but I'd figure it was important enough to stand alone. I'm donning my flameproof suit for this one.

The cover story for the December 2006 Information Secuirty magazine, Protect What's Precious by Marcia Savage, clued me into what's wrong with security managment and their perceptions. This is how the article starts:

As IT director at a small manufacturer of specialized yacht equipment, Michael Bartlett worries about protecting the firm's intellectual property from outsiders. But increasingly, he's anxious about the threat posed by trusted insiders.

His agenda for 2007 is straightforward: beef up internal security.

"So far, we've been concentrating on the perimeter and the firewall, and protecting ourselves from the outside world," says Bartlett of Quantum Marine Engineering of Florida. "As the company is growing, we need to take better steps to protect our data inside."

Bartlett voices a common concern for many readers who participated in Information Security's 2007 Priorities Survey. For years, organizations' security efforts focused on shoring up network perimeters. These days, the focus has expanded to protecting sensitive corporate data from insiders--trusted employees and business partners--who might either maliciously steal or inadvertently leak information.


That sounds reasonable. As I see it, however, this shift to focus on the "inside threat" risks missing threats that are far more abundant.

First things first. Inside threat is not new. Check out the lead line from a security story:

You've heard it time and time again: Insiders constitute the greatest threat to your organization's security. But what can you do about it?

That's the lead from a July 2000 Information Security article called "Managing the Threat from Within".

Let's think about this for a moment. InfoSecMag in Dec 2006 mentioned that "organizations' security efforts focused on shoring up network perimeters," so turning inwards seems like a good idea. Wasn't looking inwards a good idea already in 2000? I'm probably not communicating my point very well, so here is another excerpt from the same Dec 2006 article:

Glen Carson, information security officer for California's Victim Compensation and Govern-ment Claims Board, says the problem stems more from a lack of user education than poor authentication.

His priority is education: explaining to the 350 users in his agency why data security is important and how it will help them in the long run.

"We recently completed a third-party security assessment and got a good test of our exterior shell, but internally our controls were lacking," he says.


I wonder if that "good test of our exterior shell" included client-side exploitation? I doubt it. Do you see where I am going?

Here's one other excerpt.

Mass-mailing worms may have gone the way of the boot-sector virus, but that does mean security managers don't have malware on their radar...

Yet there hasn't been a major outbreak since the Sasser worm in 2004, so what's all the fuss? Security managers will tell you that the lack of activity says a lot about the maturation of prevention technologies, advances in automated patch management tools, effectiveness of user awareness campaigns, and overall layered defense strategies.


Ok, are you laughing now? The reason why we're not seeing massive worms is that there's no money to be made in it. Everything is targeted these days. Even InfoSecMag admits it:

It's no secret that hacker motivations have changed from notoriety to money. Many of today's worms carry key-logging trojans that make off with your company's most precious assets. Attacks are targeted, often facilitated by insiders. Rather than relying on social engineering to move infected email attachments from network to network, hackers are exploiting holes in browsers, using Javascript attacks to hijack Web sessions and steal data.

Exactly (minus the "facilitated by insiders" part -- says who, and why bother when remote client-side attacks are so easy?)

Here's my point: why are security managers so worried about Eva the Engineer or Stan the Secretary when Renfro the Romanian is stealing data right now. I read somewhere (I can't cite it now) that something like 70 million hosts on the Internet may be under illegitimate control. It may make sense to speak more of the number of hosts not compromised instead of those that are compromised. In 2004 the authors of the great book Rootkit claimed all of the Fortune 500 was 0wned. Why do we think it's any different now?

It's possible that taking steps to control trusted insiders will also slow down outsiders who have gained a foothold inside the enterprise. However, I don't see too many people clamping down on privileged users, and guess who powerful outsiders will be acting as when the compromise a site?

Of course we should care about insiders, and the insider threat is the only threat you can control. Outsiders are far more likely to cause an incident because, especially with the rise of client-side attacks, they are constantly interacting with your users. The larger the number of users you support, the greater the number of targets an outsider can exploit. Sure, more employees means more insider threats, but let's put this in perspective!

The fact that you offer a minimal external Internet profile does not mean you're "safe" from outsiders and that you can now shift to inside threats. The outsiders are deadlier now than they've ever been. They are in your networks and acting quietly to preserve their positions. Give Eva and Stan a break and don't forget Renfro. He's already in your company.

Saturday, December 16, 2006

Duronio Postscript: 97 Months

In June and July this year I devoted several posts to covering the Duronio intrusion where my friend Keith Jones served as prosecution expert witness. Keith called this week to tell me Roger Duronio was sentenced to 8 years and one month jail time for his crimes. Great work Keith!

Thursday, November 16, 2006

Another Reason for Privileged User Monitoring

No sooner did I write about a CEO gone bad do I read this: Ex-IT Chief Busted for Hacking:

Stevan Hoffacker, formerly director of IT and VP of technology for Source Media, was arrested at his home yesterday on charges of breaking into the email system that he once managed.

According to the FBI and the U.S. Attorney for the Southern District of New York, Hoffacker hacked into his former company's messaging server, eavesdropped on top executives' emails about employees' job status, and then warned the employees that they were about to lose their positions.


I doubt there's any real "hacking" involved here. Hoffacker probably retained access or leveraged knowledge of configuration errors to access these systems.

The FBI did not say exactly how Hoffacker broke into the mail system, but it noted that the former IT exec had access to the passwords for the email accounts of other Source Media employees.

Of course, if Hoffacker was an "ex-IT chief," he wasn't a "true insider." He was an "ex-insider," who should have had all of the (hopefully) nonexistent access granted to an outsider. True, he had knowledge of the systems not possessed by the typical outsider, but just because I created systems for previous employers doesn't mean I can waltz onto their networks now.

Although I am bringing up the "inside threat" again, please don't forget that you probably have external intruders from all over the globe inside your organization now. While privileged user monitoring and insider threat deterrence, detection, and ejection are important, keep in mind the parties who are already abusing your corporate assets.

Friday, November 03, 2006

Real Insider Threats

Just the other day I read the following in Cliff Berg's book High-Assurance Design:

Roles should be narrowly defined so that a single role does not have permission for many different functions, at least not without secure traceability.

The CTO of a Fortune 100 financial services company once bragged to me over dinner that if he wanted to, he had the ability to secretly divert a billion dollars from his firm, erase all traces of his actions, and disappear before it was discovered.

Clearly, the principles of separation of duties and compartmentalization were not being practiced within his organization.


Now I read the following in VARBusiness:

Federal law enforcement officials Tuesday arrested the well-known CEO of White Plains, N.Y.-based MSP provider Compulinx on charges of stealing the identities of his employees in order to secure fraudulent loans, lines of credit and credit cards, according to an eight-count indictment unsealed by the U.S. Attorney's office in White Plains.

Terrence D. Chalk, 44, of White Plains was arraigned in federal court in White Plains, along with his nephew, Damon T. Chalk, 35, after an FBI investigation turned up the curious lending and spending habits. The pair are charged with submitting some $1 million worth of credit applications using the names and personal information -- names, addresses and social security numbers -- of some of Compulinx's 50 employees...

Terrence Chalk is also charged with racking up more than $100,000 in unauthorized credit card charges. If convicted, he faces 165 years in prison and $5.5 million in fines, prosecutors say. Damon faces a maximum sentence of 35 years imprisonment and $1.25 million in fines.


These are exactly the problems I mentioned earlier. Both cases make me sick. In the former, the Fortune 100 CEO knew his organization was broken but he thought it was a joke. In the latter, someone in a position of authority abused his access and ruined the financials lives of his employees.

This is a great example of the need to implement proper corporate governance by not centralizing the roles of CEO, President, and Chairman of the Board in a single person. Furthermore, none of those people should have access to the data abused by Mr Chalk. That level of access should stop at the VP for Human Resources.

Obviously the smallest of companies (mine included) can't separate certain duties because there are too many roles for too few people! However, organizations with 100 or more employees should certainly be taking steps to limit the access all employees have -- including the CEO.

This includes system and security administrators. According to surveys like those conducted by Dark Reading, a certain percentage of those with privileged access are abusing their power.

I often hear that system administrators should be responsible for securing their systems. I believe that sys admins should configure their systems as securely as possible, but outside parties (auditors, independent security staffs) should be responsible for auditing system activity and ensuring operation in compliance with security policies.

At some point we will also be able to remove the ability of system administrators to access sensitive data, perhaps using role-based access control (RBAC). There is no need for a sys admin who maintains a platform housing Social Security numbers and the like to be able to read those records. It will not be popular for current sys admins to relinquish their "godlike" powers, but it will result in more secure operations. Sys admins are data custodians; they are not data owners.

Monday, October 23, 2006

Bejtlich Speaking on Insider Threat

I will participate in the DE Communications Inside Job Webinar at 1100 ET on Thursday 9 November 2006. I plan to discuss why traditional externally-focused security techniques and tools are not well suited to deterring, detecting, and removing insider threats.

By insider threat I do not mean flawed services on desktops. I mean parties with the capabilities and intentions to exploit vulnerabilities in assets. I guarantee you will hear me say that the "80%" figure is a myth.

Even though I am appearing with at least one other speaker (Jerry Shenk), this is not a debate. It will be a few people discussing an import subject. I have a few other Webinars in the works and all should be free. Please join us if you have the time and bandwidth.

Update: Here's a press release. I'm glad they included this quote:

"Insiders do not account for the mythical 80% of security incidents, but their privileged access allows them to inflict devastating harm upon organizations. Security tools and tactics designed to combat the traditional external threat will not work as well, or at all, against insiders," commented Mr. Bejtlich.

Right on.

Monday, September 18, 2006

Insider Threat Study

I received a copy of a study announced by ArcSight and conducted by the Ponemon Institute. I mention this for two reasons. One, it highlights issues regarding the meaning of security terms. Two, the content is worth a look.

First, the email I received bore the subject "Are Executives the Cause of Insider Threats?". I wondered if the study examined if executives were the parties with the intentions and capabilities to exploit weaknesses in assets. That's what a threat is, and a study that implied executives (and not corporate minions or IT staff) were the real problem would be noteworthy in its own right.

Near the beginning of the report I read the following:

The survey was sponsored by ArcSight, an enterprise security management company, and queried 461 respondents who are employed in corporate IT departments within U.S.-based organizations.

For purposes of this survey, we define the "insider threat" as the misuse or destruction of sensitive or confidential information, as well as IT equipment that houses this data, by employees, contractors and others.


They're actually talking about attacks caused by insiders, not "insider threats." Working with their language, an insider threat would be "those who misuse or destroy sensitive or confidential information, as well as IT equipment that houses this data."

The report continues:

"Insider threats occur because of human error such as mistakes, negligence, reckless behavior, and sometimes even corporate sabotage."

Not really. Insider threats take advantage of vulnerabilities caused by mistakes and negligence. Insider threats employ reckles behavior (if not truly intending to cause harm) or corporate sabotage (if intending to cause harm) as attack methods.

Our survey sought to answer the following three questions.

1. What are the root causes of insider threats and how do information security practitioners respond to this pervasive IT and business risk?


They actually mean "what are the root causes of vulnerabilities that are exploited by insider threats, and how to infosec practitioners mitigate risks?" To truly address root causes of insider threats, one would analyze the motivations of threats themselves, like greed, malice, etc.

2. What technologies, practices and procedures are employed by organizations to reduce or mitigate insider-related risks?

That's great. Risks is used appropriately.

3. What are the issues, challenges and possible impediments to effectively detecting and preventing insider threats?

I would say "detecting and preventing attacks by insider threats."

The following are the most salient findings in our study: Data breaches go unreported. While we seem to be inundated with reports of data breaches, we may not know the full extent of the problem. More than 78% of respondents said that there has been at least one and possibly more unreported insider-related security breaches within their company.

Wow, that's a lot. Let's look for evidence in the report.

Table 11 reports that over 78% of respondents know of an insider-related security incident that was not publicly disclosed.



Notice Table 11 asks "Do you know of an insider-related incident in your organization (or any other organization in your industry) which was not disclosed to the public or to law enforcement?" (emphasis added)

That 78% figure doesn't mean that "more than 78% of respondents said that there has been at least one and possibly more unreported insider-related security breaches within their company" at all! In fact, there could be zero unreported breaches in the surveyed companies, and all respondents answering "yes" could be pointing to the same incident at someone else's company.

This idea is backed up by the following finding:

Table 7 shows that over 59% of respondents believe that insider-related problems are more likely to occur outside of their departments or organizational units.

So almost 60% of respondents think problems are likely to happen someplace else. That reminds me of surveys that say parents think schools in general are poor, but the school their child attends is fine.

While I think there is some interesting data in the survey report, I would keep my analysis in mind while reading it.

Friday, July 14, 2006

2006 CSI-FBI Study Confirms Insider Threat Post

Earlier this week I said Of Course Insiders Cause Fewer Security Incidents. I'm taking heat over at Matasano, but I've got some fresh facts to back me up, after getting a pointer from this Dark Reading story. In short, the 2006 CSI-FBI study is now available, and it confirms my proposition.

The study shows there is a new significance for the number "80%". Check out this chart from page 13. If you add up the two left columns, it shows that a clear majority of survey respondents -- 61% -- believe that "none" or 20% or less of their losses come from insiders. In other words, for the clear majority of survey respondents, 80% or more of their losses come from external threats.

Why is this? Apparently it's caused by the number one cause of dollar losses -- "virus contamination." "Unauthorized access to information" is a fairly close second, compared to the positions of the other dollar losses. It's interesting that "system penetration by outsider" accounts for a fraction of losses -- but maybe external attackers gaining "unauthorized access to information" is the problem? It's probably not insiders gaining "unauthorized access to information," since (1) most insiders already have access -- they just misuse it; and (2) if insiders were such a problem, they would account for a bigger proportion of losses.

Again, again -- I agree that insiders have the potential to cause the biggest amount of damage. Look at the havoc caused by rogue CEOs and CFOs. However, the numbers aren't lying -- external problems are bigger. We have ways of dealing with rogue insiders that completely dwawf our options with handling outsiders.

At some point my critics will recognize the reason I am so vocal about the difference between threats and vulnerabilities. For the most part, we can address vulnerabilities. Secure coding, security infrastructure, configuration management, training, etc. all help reduce the number of vulnerabilities (or at least have the potential to). After all, we control what we deploy (or at least we should!)

Threats are completely different. Threats are people, people living in basements in Eastern Europe, China, Africa, wherever -- outside the reach of law enforcement and the military. While we patch and configure away old vulnerabilities, these same external intruders never stop.

Behind every virus, Trojan, worm, botnet is a person -- a person -- yet we continue to worry about the latest hole in the Linux kernel. The only group who can make any difference in this battle against bad people are the police and military. Unfortunately, the current police and military infrastructure is currently not capable of addressing these threats.

We are not going to code, configure, or patch our way out of this problem, because the real issue is the threat, not the vulnerability. Vulnerabilities come and go; at present, threats continue until they get bored.