In mitigating insider threats, technology should be used in conjunction with information sharing and risk-prevention business practices, says Jason Clark, a researcher at the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute.
In reviewing the three key areas of insider threats - IT sabotage, theft of intellectual property and insider fraud - technology can serve as an additional mitigation layer, he says.
For IT sabotage, technologies such as resiliency, back-up, access control, code review and log analysis are beneficial, he points out. "We would suggest data loss prevention, encryption and intrusion detection systems" when monitoring for the theft of IP, he adds.
To mitigate fraud risks, organizations should consider two-factor authentication and auditing technologies, Clark says. "Also, technologies that are capable of detecting unauthorized addition or modification of data in databases are of paramount importance."
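One way to implement the database-integrity check Clark describes, as an added example that is not the interview's or CERT's own code: a trusted per-row hash baseline is compared against the live table, and any additions, modifications or deletions not covered by an approved change record are flagged. The table, column names and the `approved` ticket set are constructed for illustration.

```python
# Added example (not from the interview or the CERT Insider Threat Center):
# detect unauthorized additions, modifications and deletions in a table by
# comparing a trusted baseline of per-row hashes against the live table and
# subtracting the changes covered by an approved change record.
import hashlib
import sqlite3

def snapshot(conn, table, key):
    """Return {key_value: sha256(row)} for every row in `table`."""
    cur = conn.execute(f"SELECT * FROM {table} ORDER BY {key}")
    cols = [d[0] for d in cur.description]
    out = {}
    for row in cur.fetchall():
        rec = dict(zip(cols, row))
        digest = hashlib.sha256(repr(sorted(rec.items())).encode()).hexdigest()
        out[rec[key]] = digest
    return out

def audit(baseline, current, approved):
    """Classify drift; `approved` is the set of keys covered by a change ticket."""
    added = {k for k in current if k not in baseline}
    deleted = {k for k in baseline if k not in current}
    modified = {k for k in current if k in baseline and current[k] != baseline[k]}
    return {
        "added": sorted(added - approved),
        "modified": sorted(modified - approved),
        "deleted": sorted(deleted - approved),
    }

def demo():
    # Constructed sample data: a small accounts-payable payee table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payees (id INTEGER PRIMARY KEY, name TEXT, routing TEXT)")
    conn.executemany("INSERT INTO payees VALUES (?, ?, ?)",
                     [(1, "Acme Supply", "011000015"), (2, "Globex", "021000021"),
                      (3, "Initech", "031000053")])
    baseline = snapshot(conn, "payees", "id")
    # Approved change: a ticket covers the routing update for payee 2.
    conn.execute("UPDATE payees SET routing='021000089' WHERE id=2")
    # Unapproved changes: a redirected routing number, a ghost payee, a deletion.
    conn.execute("UPDATE payees SET routing='999999999' WHERE id=3")
    conn.execute("INSERT INTO payees VALUES (4, 'Ghost Vendor LLC', '123456789')")
    conn.execute("DELETE FROM payees WHERE id=1")
    return audit(baseline, snapshot(conn, "payees", "id"), approved={2})

if __name__ == "__main__":
    print(demo())
```

Run on a schedule, the same comparison surfaces low-and-slow tampering that a single transaction review would miss, provided the baseline itself is stored where the people being audited cannot alter it.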
During this interview, Clark discusses:
- Linking insider risks back to common network attacks and breaches;
- Why so-called low-and-slow attacks are always the most damaging; and
- Where and how technology fits into insider fraud detection.
Clark recently made a presentation on insider threats at Information Security Media Group's Fraud Summit. A video of his presentation is available on ISMG's Fraud Summit page.
As a researcher at the CERT Insider Threat Center at the Carnegie Mellon University Software Engineering Institute, Clark's main area of interest is insider threat and cybersecurity. He previously worked at the Census Bureau and the Institute for Defense Analyses. Clark is also researching cybercrime in the doctoral program at George Mason University.
TRACY KITTEN: Why are insider threats so difficult for organizations to mitigate?
JASON CLARK: There are many reasons why insider threat is challenging to mitigate. First, insiders can bypass existing physical and electronic security measures through legitimate measures. In other words, they're supposed to be there working on systems with access, unlike an outside attacker. Essentially they have authorized access to authorized systems. Also, some organizations may not be aware they have been a victim of an insider attack or, for a variety of different reasons, choose not to report it.
One common misconception is that insider threats can be solved with technologies. Unfortunately, solving the insider threat problem with technology will not suffice as it's difficult to search and analyze logs to look for bad behavior. In fact, the insider, for all intents and purposes, looks normal until they have the intent to complete a malicious attack. Additionally, it's often difficult to determine what normal behavior is versus insider threat behavior. Even if you could somehow solve the insider threat problem with technology, there's an entire aspect of social behavior to consider. Oftentimes, it's challenging to predict when and why an insider may go down a slippery slope to committing an insider attack.
Duration of Insider Cases
KITTEN: How long do most insider fraud cases go on before they're detected?
CLARK: We define insider fraud as an insider's use of IT, from the unauthorized modification, addition or deletion of an organization's data, not programs or systems, for personal gain; or theft of information which leads to fraud, identity theft, credit card fraud, etc. Our results, based on a study completed in July 2012 sponsored by the Department of Homeland Security Science and Technology Directorate and the Homeland Security Advanced Research Projects Agency in collaboration with 80 case files from the Secret Service, found ... there are approximately 32 months on average between the beginning of the fraud and its detection.
KITTEN: Are there certain industries or sectors that are at greater risk for insider fraud than others?
CLARK: Of the 250 cases that we have coded and subsequently analyzed at the SEI, we have found as no surprise that banking/financial was the highest industry coming in at about 47 percent of our cases. This was followed by government at the state, local and federal level as well as healthcare, commercial facilities and communications.
Average Cost of Insider Fraud Scheme
KITTEN: How much does a typical insider fraud scheme cost a company or organization?
CLARK: According to the previous study mentioned earlier, sponsored by the Department of Homeland Security Science and Technology Directorate and the 80 case files we received from the Secret Service, we found that average damage caused by managers was slightly over $1.5 million, and the median was approximately $200,000. For non-managers, we found the average was $287,000, and a median of $112,000. Of the 250 cases in our own database where we had information on the financial impact of the cases, 13 percent were impacted over a million dollars, while 32 percent had an impact between $100,000 and $999,000. Finally, 19 percent had an impact of between $10,000 and $99,000.
However, there are additional costs that cannot be measured in dollar figures alone. There are operational costs, loss of customers, embarrassment, lost privacy in the form of stolen PII that could cause additional damage that can't be measured in just dollar figures.
Emerging Insider Threat Concerns
KITTEN: What are some of the emerging insider threat concerns?
CLARK: While we do not have the data to support this, nor do we have real-time data, we do see some emerging concerns for 2014 that we're researching and watching very closely. Of interest is a look at the difference between U.S.-based and international insider threat cases. We're also looking at insider threat in the cloud and unintentional insider threat problems. Often we put such information in the form of a blog post on the CERT website which can be found at www.cert.org/insider_threat.
Use of Technology
KITTEN: What types of technologies should organizations be investing in to help at least mitigate some of their risks?
CLARK: Given that we're an FFRDC - federally funded research and development center - we're not at liberty to provide any specific vendor product recommendations. However, if we take a look at how we break down the insider threat problems in three key areas - IT sabotage, theft of intellectual property and insider fraud - we can offer categories of technologies. For IT sabotage, we would suggest technologies such as resiliency, back-up, access control, code review and log analysis. For theft of IP, we would suggest data loss prevention, or DLP solutions, encryption, intrusion detection systems and the like. For fraud, we would really consider business practices such as two-factor authorization as well as auditing technologies. Also, technologies that are capable of detecting unauthorized addition or modification of data in databases are of paramount importance. However, as a reminder, technology alone cannot solve this problem.
Breaches Linked to Insiders
KITTEN: How often would you say breaches are linked to an insider?
CLARK: This is a difficult question to answer. However, in 2013, [a] magazine conducted a survey of 501 respondents and found that 53 percent of participants stated that they experienced an insider incident. It's unknown as to whether these reports are linked to a specific insider. Also, there are elements that many of these insider attacks are grossly under-reported. The most likely reasons for the under-reporting come from the fact that damage level is insufficient to warrant prosecution or there's a lack of evidence to prosecute. Often it's difficult to identify the individuals responsible for committing an electronic crime. The study also showed that 75 percent of the time organizations do not involve law enforcement. Additionally, the survey found that electronic crime, or e-crime, events were known [or] suspected to have been caused by outsiders 56 percent of the time, insiders 23 percent of the time, and 21 percent of the time it was unknown.
KITTEN: How has information sharing helped to reduce insider fraud losses across industries, if at all?
CLARK: Information sharing has certainly helped reduce insider fraud. Of course, agencies and organizations are somewhat fearful of sharing information. However, there are several task forces, such as the National Insider Threat Task Force, that really strive to improve information sharing. Conferences and other trusted communities are important in reducing insider fraud losses across industries. However, unless there are formal agreements in place, information sharing will not occur as frequently as it probably should. Given the CERT insider threats group can't compete as a trusted broker, we're in a unique position to conduct unbiased assessments of an organization's insider threat program. We have over 13 years of experience and have a wide variety of services, including training, workshops, assessments and [can] help an organization in setting up their own insider threat program. All the information we collect is protected and our reputation is stellar so we certainly urge organizations to reach out to us on our website at www.cert.org/insider_threat, and contact us if you have any questions or need assistance.