Financial Institutions – Can You Identify An Inside Threat?

As an information security professional at your institution, would you know what signs and indicators to monitor for an insider attack? Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, describes how the problem lies not only in identifying potential insider attacks, but in how little attention is being focused on this continuing threat.

During a recent interview Cole described the typical breakdown of information security budgets at financial institutions, “If you go into the average financial institution now, and you track its security budget and map it, around 80 percent of the budget is spent on external attack security and only 20 percent is spent, if that, on mitigating insider threats.” Cole continued, “External or internal, attacks cost an institution both time and money. When a worm or virus hits your network, you immediately know, or can pinpoint when and where it started. But in the case of an insider attack, you don’t always know when it started, or what damage has been inflicted, until you investigate and track it.”

Institutions should address both, he says. “Most institutions have been focusing on external threats for a while and are doing a good job at stopping them, so spending more time and money on something you’re already good at, and a small percentage of your budget on a problem that’s causing lots of issues is something that should change.”

It also explains why, in his view, “At least in the near future, we’re going to see so many insider attacks.”

Cole noted that financial institutions should also review their hiring practices to determine whether the criteria used for hiring a candidate are missing some indications of potential problems. “I’ve always been a strong believer that the past is a great indicator of the future, so if someone has worked for several institutions over a short period of time, that should be something to look at.” While many candidates will have excuses for why they left, a candidate who has spent only six months at a time at several institutions would not be a choice candidate, in Cole’s opinion. “There is a training curve, and if someone has only been at a position for six months, the investment alone to hire that person would be questionable.”

Institutions can do more to stem potential insiders and uncover fraud and theft, he explained. While many institutions once required their staff to take their vacation time in two-week periods, the increased need for manpower at many institutions has reduced the mandatory two-week vacation in key positions to seven days. “The reasoning behind the two week vacation periods was, if there was something going on, it would usually be uncovered during that person’s time away. The institutions that are only requiring staff to take one week are lowering the bar, making it easier for perpetrators to cover their tracks,” he said.

Cole also sees much less tracking of the separation of duties. “I’m seeing less diligence at the institutions I visit of making sure that the same people don’t work together all the time, breaking up shifts and shift rotation. This is making it easier for the insider: if they are doing something, it will be harder to detect, and easier for them to cover their tracks.”

From what he has seen during investigations of insider crime, “It is hardly ever one person working alone, it is usually two, three or more people working together. My point to make is if I am an insider planning or in the midst of doing something, and if the person covering for me is in on the attack, then this won’t help uncover what is happening.”

This tends to be a problem with the various fraud detection systems set up to monitor activity for insider threats, he noted. “You must look at work relationships, if Eric and Mary are always working on 80 percent of the shifts together, and they go to lunch together, then make them take vacation together.” He stressed that separation of duties is important, especially in critical operation areas.
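One way to turn the shift-overlap check Cole describes into a routine control review, as an added example that is not part of the interview: from a roster, compute which pairs work 80 percent or more of their shifts together and whether their scheduled leave already coincides. The roster, leave dates and the minimum-history cutoff below are constructed assumptions.

```python
"""Flag staff pairs whose shift overlap defeats rotation and separation of
duties, then check whether their mandatory leave is aligned (constructed data)."""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed roster: shift id -> set of employees who worked it.
ROSTER = {
    "03-01-AM": {"eric", "mary", "tom"}, "03-01-PM": {"eric", "mary"},
    "03-02-AM": {"eric", "mary", "ann"}, "03-02-PM": {"tom", "ann"},
    "03-03-AM": {"eric", "mary"},        "03-03-PM": {"eric", "tom"},
    "03-04-AM": {"mary", "ann"},         "03-04-PM": {"eric", "mary", "tom"},
}
# Constructed leave schedule: person -> (first day, last day), inclusive.
LEAVE = {
    "eric": (date(2024, 7, 1), date(2024, 7, 14)),
    "mary": (date(2024, 9, 2), date(2024, 9, 15)),
    "tom": (date(2024, 7, 8), date(2024, 7, 21)),
    "ann": (date(2024, 8, 5), date(2024, 8, 18)),
}

def co_occurrence(roster):
    """Return {(a, b): (shared, n_a, n_b)} for every pair that shared a shift."""
    shifts_per_person = defaultdict(int)
    shared = defaultdict(int)
    for staff in roster.values():
        for person in staff:
            shifts_per_person[person] += 1
        for a, b in combinations(sorted(staff), 2):
            shared[(a, b)] += 1
    return {(a, b): (n, shifts_per_person[a], shifts_per_person[b])
            for (a, b), n in shared.items()}

def flag_pairs(roster, threshold=0.8, min_shifts=4):
    """Pairs where the busier person spent >= threshold of their shifts with
    the other. min_shifts (assumed) skips people with too little history."""
    flagged = []
    for (a, b), (n, n_a, n_b) in co_occurrence(roster).items():
        if min(n_a, n_b) >= min_shifts and n / max(n_a, n_b) >= threshold:
            flagged.append((a, b, round(n / max(n_a, n_b), 2)))
    return sorted(flagged)

def leave_overlaps(leave, a, b):
    """True if the two leave periods share at least one day."""
    (start_a, end_a), (start_b, end_b) = leave[a], leave[b]
    return max(start_a, start_b) <= min(end_a, end_b)

def review_report(roster, leave, threshold=0.8):
    """Flagged pairs plus whether their leave already coincides, so the
    'take vacation together' control can be verified rather than assumed."""
    return [(a, b, ratio, leave_overlaps(leave, a, b))
            for a, b, ratio in flag_pairs(roster, threshold)]
```

A pair flagged with `aligned=False` is one where the rotation control has lapsed and the compensating leave control is not in place either.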

Despite efforts to identify the typical “employee” who would commit an insider attack, Cole noted it isn’t as easy as naming off disgruntled workers or poor performers. “There is no set profile, and it is a big problem. You can readily identify who would be more likely to commit a physical, armed bank robbery.”

But when it comes to identifying the typical employee who would commit an insider attack, Cole said, “I’ve seen people who’ve been at a bank for 25 years, or less than six months, many working in a variety of positions within the bank, from technical positions to administrative positions; it’s across the board.”

One quote Cole likes to use (from a recent movie) is “I trust everyone, but it’s the devil inside that I don’t trust.”

“Everyone’s got a little devil inside; the question is you don’t know what it is going to take to make that person commit a crime. Anybody has the potential to commit insider fraud. They will say, well if I only take three accounts, it’s not really a big deal. From what I’ve seen, there is no set profile, and I think we’re not casting a big enough net when looking for the potential insider,” he said.

Cole explained his reasoning on this, “I think the only way to get a profile, is to look at behavioral characteristics that on the surface look totally unrelated, but then you will start noticing a trend.” One point he correlated was that many people who tend to have trouble with their supervisors or authority figures also tend to have a history of speeding tickets. “So here is a great profile indicator. But again, I don’t think we’ve done enough work on identifying and profiling these indicators.”

He postulated an example to illustrate this, “Do you look for an employee who has a few speeding tickets, or even the lack of any?”

One of the common points uncovered in many of the FBI and CIA spy cases was that most of the accused spies had one thing in common: they all got through the polygraph tests with no problem. So a clean pass may itself be the best indicator that there might be a problem, Cole said.

Translating this to financial institutions, Cole said the person who has the “perfectly clean background” and is your model employee, with a clean work record who has never done anything wrong, “this actually might be the one who you would want to keep a closer eye on, rather than the one who has a few blemishes on their record. Because if they were terminated from a company, or they have an ‘X’ or ‘Y’ noted on their record, there has been no proof to date or correlation to show this is an indicator of insider threat.”

What troubles Cole about this approach? “In essence, banks are using these artificial indicators, performing a background check, and if it shows up clean, then they’re okay. The problem I have with that is when I perform an assessment for a bank and I ask them, ‘Okay, these are the three things you check on a potential employee, and if they’re clean, you hire them.’ But then I ask them to show me factual, historical data to prove that these indicators are a good test of whether someone would steal data or not. So far, I have not had any bank come back with an answer.”

Cole believes that there hasn’t been enough data collected on this, and there hasn’t been enough research to find the commonalities. “I think in another year or two as this problem continues to grow and get more attention, I think we’re going to see a wider net being cast to identify these indicators and develop profiles that might not be obvious. Any attempt to do this now would be futile, because now we’re trying to use things that are closely related, but there is absolutely no proof that those are indicators for the problem.”

About Dr. Eric Cole:

Dr. Eric Cole is an industry-recognized security expert, technology visionary and scientist, with over 15 years’ hands-on experience. He co-authored Insider Threat: Protecting the Enterprise from Sabotage, Spying and Preventing Employees and Contractors from Stealing Corporate Data. He currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Dr. Cole has more than a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is also the inventor of more than 20 patents and is a researcher, writer, and speaker for the SANS Institute and faculty for The SANS Technology Institute, a degree-granting institution.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the financial services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she has been involved with the Financial Services Information Sharing and Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.