Securing Data from Insider Threats

Executive Summary

The goals of this paper are to review and analyze selected cybercrime events in which the actors behind the data breaches were insiders, and to recommend a common set of actions that would have prevented or reduced the successful criminal exploitation. It also explains the security gaps that lead to the loss of valuable sensitive, protected, or confidential data, regardless of the insider's intent: malicious acts are intentional, whereas negligent and accidental acts are unintentional. Finally, the paper presents a framework for protecting the confidentiality, integrity and availability of data from insider threats. [Note: Opinions expressed in this article are mine.]

Insider, Insider Threats, and Motives

Who is an insider? An insider is anyone who has active physical or logical access to an organization's information-system assets. By this definition, insiders include current employees (from the CEO to the janitor), former employees, contractors, business partners, and suppliers, as long as the party in question still has active access to the organization's assets (Kowalski et al., 2008; Insider Threat Defense Inc, 2017).

What are the insider threats and motives? The primary threat posed by an insider is the loss of valuable company data through his or her actions, regardless of intent. A 'malicious' action requires a motive to harm the company combined with a conscious decision to act inappropriately (Kowalski et al., 2008). Examples include copying proprietary information such as intellectual property for personal gain, or leaking pending merger talks to a competitor. A 'negligent' action also involves a conscious decision to act inappropriately, but without a harmful motive. An example is copying proprietary information onto a personal thumb drive to work over the weekend in order to meet a project deadline or be more productive. Malicious insiders exploit business processes as often as they exploit technical vulnerabilities (Insider Threat Defense Inc, 2017). An 'accidental' action has neither a motive to harm nor a conscious decision to act inappropriately. Examples include emailing proprietary data to the wrong person, or falling for a phishing attack and installing malware on the company network. Repeated accidental actions, however, can be considered negligent. Colwill (2010) treats both negligent and accidental actions as accidental.

According to Colwill (2010), "A malicious insider has the potential to cause more damage to the organization and has many advantages over an outside attacker...". The Verizon (2016) Data Breach Investigations Report shows that the actors in malicious or privilege-misuse incidents are predominantly end users (33%), followed by leadership roles (14%) and system administrators or developers (14%). The top two motivations are financial gain (34%) and espionage (25%). The same Verizon (2016) report lists the top five error types behind negligent and accidental breaches as capacity shortage, misdelivery, publishing errors, misconfiguration, and disposal errors. The Verizon (2017) insider threat report names the top three motives as financial gain (60%), snooping (17%), and espionage (15%), and the three industries with the most breaches as healthcare (30%), public administration (23%), and financial services (13%). The Symantec (2014) Internet Security Threat Report finds that data accidentally made public accounted for 29%, and theft or loss of a computer or drive for 27%, of all data breaches.

Review of Selected Insider Threats Cases

$1 billion worth of trade secrets stolen by a design engineer (Insider Threat Defense Inc, 2017). Biswamohan Pani, a former Intel design engineer, was charged on 11/05/2008 with stealing trade secrets, valued at $1 billion, relating to a next-generation microprocessor. During his last days at Intel, Mr. Pani was on vacation from Intel while he had already started working for AMD, Intel's competitor. During that final week of employment, he downloaded the design material onto an Intel-provided work laptop over VPN. Intel's trade secret documents were encrypted, and two days after his last day at Intel he tried to log in to the Intel network in order to view them, but could not. That failed login raised an alarm at Intel. On July 1, 2008, Intel also recovered hard copies of trade secret documents from his residence. Intel's trade secret document management system tracks who accesses each document. Mr. Pani had signed a non-disclosure agreement when he accepted the job at Intel, and at his exit interview he signed paperwork stating that he had returned all Intel trade secrets in his possession, as his employment contract required (USA v. Pani, 2008). The facts above show that statement was far from the truth. We will never know the real reason he gathered Intel's proprietary documents during his move to AMD, but we know those documents were very valuable to Intel, and the evidence indicates that Mr. Pani intended to use the information for personal gain. Therefore, his action was malicious.

$81 million cyber theft from the Central Bank of Bangladesh (Insider Threat Defense Inc, 2017). The Central Bank of Bangladesh hired FireEye to investigate the breach. The attackers used phishing and other social engineering techniques to manipulate some low- and mid-level bank employees and succeeded in installing at least six different pieces of malware. They then sent fraudulent SWIFT interbank messages requesting the transfer of $951 million to various people and banks in the Philippines. A transfer referencing 'Jupiter', a name similar to that of a sanctioned Iranian oil tanker, caused some of the transfers to be held up. Once the Central Bank of Bangladesh realized the problem it tried to reach the Federal Reserve Bank of New York over that weekend, but got no answer. A group with possible ties to a Philippine bank understood how end-to-end SWIFT fund transfers work, and launched the phishing attacks against the Central Bank of Bangladesh (Schwartz, 2016). The attacks succeeded because some bank employees clicked the links in the emails, which installed the six pieces of malware on the bank's systems. The bank employees were negligent in this case.

In August 2016, attackers extracted $44 million in a single CEO fraud attack (Insider Threat Defense Inc, 2017). They sent an email to the CFO of Leoni instructing a transfer of 44 million dollars to an account. The email appeared to come from the company's own email system, in the same form the CEO normally used to instruct the CFO to transfer funds, but it was not from the actual CEO. It is believed that the attackers used phishing to get into the company network and then spent a few months on reconnaissance to learn how fund transfers worked (Sjouwerman, n.d.). This was a phishing attack that succeeded because of employee negligence at Leoni.

UBS network sabotaged by a system administrator (Insider Threat Defense Inc, 2017). Roger Duronio expected a bonus of 50,000 dollars but received only 32,000 dollars. Furious, he wrote malware, installed it on the company's systems as a logic bomb set to execute at a future date, quit his job, and bought short-term put options on the company's stock to profit from the fall in share price he expected. A few weeks after he left, the logic bomb went off, erasing most of the data on 2,000 servers and 17,000 workstations. It cost UBS 3.1 million dollars and several thousand man-hours to bring the systems back. The company never disclosed the lost business in dollars, but its business depends on trading volume, and most traders could not execute trades for a while (Gaudin, 2006). Investigators found copies of the malware on Mr. Duronio's home computer and a hard copy in his home. Furthermore, he had bought 20,000 dollars' worth of put options with very short expiration dates. Therefore, his intention was malicious.

Saudi Aramco data breach, the biggest hack in history (Insider Threat Defense Inc, 2017). In 2012, the data on 35,000 computers was partially or fully wiped by malware. One computer technician took the phishing bait by clicking a suspicious link in an email. A group calling itself "Cutting Sword of Justice" claimed responsibility. To contain the malware, computers were disconnected from the intranet. According to Pagliery (2015), one of the most valuable companies on Earth was propelled back into 1970s technology, using typewriters and faxes. The company had to buy so many replacement hard drives that hard drive prices rose between September 2012 and January 2013. The attackers succeeded by tricking the computer technician into installing powerful malware that caused havoc (Pagliery, 2015). The technician did not intentionally install the malware, so this is a case of negligence on his part.

Bob (not his real name) outsourced his job to China (Insider Threat Defense Inc, 2017). He was in his mid-forties, a mild-mannered family man and a top software developer at a US company whose security investigation was handled by Verizon. Verizon's investigators were trying to work out why VPN connections into the company's network were coming from China, and were worried that they might be Chinese hackers after proprietary information, so an investigation was started. It found that one of the company's top employees, Bob, was outsourcing his own job to Chinese consultants. According to Davies (2013), Bob spent his working day on Reddit, eBay and Facebook while a Chinese consulting firm did his job for about one fifth of his salary. Bob was not planning to harm anyone; in fact, he did what his employer might itself consider doing, cutting cost while getting great service. The problem is that the consulting company had no contract with his employer, and an unvetted third party held VPN credentials to the corporate network. This is a case of employee negligence, and the consulting company could have caused security havoc for the employer.

Data locked by a fired IT employee (Insider Threat Defense Inc, 2017). Triano Williams was an IT system administrator for the American College of Education, an Indianapolis-based online educational service provider, working at its Chicago location. When the College decided to centralize all IT functions in Indianapolis, it offered Mr. Williams the choice of moving to the central location or taking a severance package. He could not move because of joint custody of his daughter in Chicago, and he did not want the severance package, so the College fired him on April 1, 2016. Mr. Williams had changed the administrative password of a cloud account and did not give the new password to his former employer; over 2,000 students could not use their school-issued email accounts for academic work. Through his lawyer, Mr. Williams demanded $200,000 in exchange for the password. The College countersued and obtained a judgment against him for $248,350 in damages, then moved to another cloud service provider and resumed operations (Bisson, 2017). Changing the administrator password and demanding $200,000 for it shows an intention to harm the College financially. Therefore, his act was malicious.

Computer system crashed by a former engineer (Insider Threat Defense Inc, 2017). Former network engineer Ricky Mitchell, on learning that he was going to be fired, remotely reset EnerVest Operating's network servers to factory settings. The company could not conduct normal business operations for 30 days, and its data backups stopped working during that time (DOJ, 2014). A company can hire or fire a person based on its business needs, and in Mr. Mitchell's case that meant being fired. He took it personally and crashed his employer's network servers. This was a malicious attack since he intended to harm the company.

Zillow paid $130 million to Move over stolen data (Insider Threat Defense Inc, 2017). Two high-level Zillow executives who had once worked for Move were accused of taking trade secrets and proprietary information from Move before joining Zillow in 2013. Move claimed that Mr. Samuelson and Mr. Beardsley, both top-level executives, destroyed evidence on various hard drives, portable devices and computers onto which the stolen data had been copied. The judge found that Zillow and Mr. Samuelson had not acted in bad faith, but that Mr. Beardsley's cover-up was questionable. Zillow settled the lawsuit by paying $130 million to Move without admitting any wrongdoing (Lane, 2016). This is a classic case of a top executive being able to cause far more financial harm to a company than a rank-and-file employee. There was a clear intention to profit or gain personally at Zillow, so this is a malicious case, and Zillow's $130 million settlement is justified.

Stealing and distributing trade secrets by an ex-employee (Insider Threat Defense Inc, 2017). Derek Sing was a former electrical engineer at Rogerson Kratos (RK), a Pasadena-based aircraft avionics company. Mr. Sing was fired because he failed to meet project deadlines, was often tardy, and behaved unprofessionally towards leadership and his fellow workers. While working at RK, Mr. Sing had accumulated scores of design trade secrets and proprietary documents. To get back at RK, he started distributing those documents to RK's competitors (DOJ, 2016). This case somewhat resembles the Zillow case above, except that Mr. Sing had no company's backing. This is also a malicious attack.

$6.2B annual cost of healthcare data breaches (Insider Threat Defense Inc, 2017). According to a Protenus whitepaper, roughly ninety percent of hospitals reported data breaches, and most of the breaches are due to human error. Forensics for a breach costs $4 million on average and breach notification $560,000 on average; lawsuits cost $880,000 on average, and revenue loss from each breach averages $4.7 million. The average HIPAA settlement costs around $1.1 million. Since the report attributes a significant share of breaches to human error, these can be classified as negligent or accidental cases (beckershospitalreview.com, 2017).

$248M-plus Target data breach started at Fazio Mechanical (Radichel, 2014). One of Target's vendors, Fazio Mechanical, had access to Target's external billing system, and during reconnaissance the attackers discovered that relationship through Internet searches. Phishing tricked a Fazio Mechanical employee into clicking a link in an email, which installed the Citadel Trojan on the employee's system. Through that malware the attackers harvested Fazio Mechanical's credentials for Target's billing system (Radichel, 2014). The mega breach at Target started with those credentials and cost Target at least $248 million (Weiss and Miller, 2015). Someone at Fazio Mechanical was tricked by a phishing attack; this was unintentional, and the employee was negligent.

Recommended Countermeasures to Insider Threats

Managing insider risk is more complex than managing the risk from outsiders (hackers). Against hackers, the primary focus is protecting the access points through which they can infiltrate systems. Combating insider risk requires a holistic approach. Management and technical security controls must be based on an insider risk assessment, and employment-lifecycle security controls must be clearly defined with a culture of trust in mind. Non-technical controls matter more than technical controls such as encryption, access controls, least privilege, monitoring and auditing (Colwill, 2010).

A. Management Security Controls

People controls should include background checks for new hires, hiring trusted personnel, cultivating a culture of trust, appreciating personnel, providing security training and awareness, and granting least privilege per job role (Steele & Wargo, 2007; Scott & Spaniel, 2016; Janes, 2012; Walker, 2008). Process controls should include establishing security policy (data classification, data retention, data destruction, password policy, need to know, random inspection of users and work areas, and user profiling per job group), security procedures to carry out those policies, a governance process, incident response procedures, and social engineering training (Janes, 2012; Walker, 2008).

B. Technical Security Controls

Technical security controls should include security architecture, network segmentation, endpoint security, full disk encryption, electronic device detection, mandatory access control, multi-factor authentication, strong boundary controls between networks of different classifications, monitoring of system and network events, data backup, audit review, proper system hardening, and penetration testing (Steele & Wargo, 2007; Janes, 2012; Walker, 2008). They should also include automated monitoring of intellectual property through data loss prevention (DLP), an inventory of data, content monitoring including databases, predictive artificial intelligence, protection against phishing via email and web, behavioral analytics, forensics, and incident response (Swartz, 2007; Scott & Spaniel, 2016; Hunker & Probst, 2008).
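Several of the cases above would have been visible in ordinary audit logs: Mr. Pani's bulk downloads in his final week and his login attempts after his last day, and the VPN sessions from China in the "Bob" case. The Python script below is an added example, not code from the original article or from any of the organizations discussed. It shows how the event monitoring and behavioral analytics listed above can be joined to an HR feed to flag those patterns. The log format, the HR roster, the field names and the thresholds are assumptions, and the events are constructed to mirror the cases.

```python
from collections import defaultdict, deque
from datetime import date, datetime, timedelta

# Constructed HR roster (assumption: an HR feed exposes each account's home
# country and termination date; None means still employed).
ROSTER = {
    "alice": {"country": "US", "terminated": None},
    "bob":   {"country": "US", "terminated": None},
    "pani":  {"country": "US", "terminated": date(2008, 6, 11)},
}

# Tuning values; assumptions, not figures from the article.
BULK_THRESHOLD = 5                       # confidential downloads per window before alerting
BULK_WINDOW = timedelta(hours=24)
PRE_DEPARTURE_WINDOW = timedelta(days=7)

# Constructed audit events in a syslog-style "timestamp key=value ..." format,
# modelled on the Intel (pani) and "Bob" cases; alice is the benign baseline.
SAMPLE_LOG = """\
2008-06-05T10:00:00 event=doc_download user=pani doc=cpu-arch-01 class=confidential
2008-06-05T10:01:00 event=doc_download user=pani doc=cpu-arch-02 class=confidential
2008-06-05T10:02:00 event=doc_download user=pani doc=cpu-arch-03 class=confidential
2008-06-05T10:03:00 event=doc_download user=pani doc=cpu-arch-04 class=confidential
2008-06-05T10:04:00 event=doc_download user=pani doc=cpu-arch-05 class=confidential
2008-06-05T10:05:00 event=doc_download user=pani doc=cpu-arch-06 class=confidential
2008-06-13T09:12:00 event=vpn_login user=pani src_country=US result=fail
2013-01-10T08:05:00 event=vpn_login user=bob src_country=CN result=ok
2013-01-10T08:06:00 event=doc_download user=bob doc=spec-001 class=internal
2013-01-10T09:00:00 event=vpn_login user=alice src_country=US result=ok
2013-01-10T09:30:00 event=doc_download user=alice doc=spec-002 class=confidential
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(log_text, roster):
    """Run the rules over the log text and return a list of alert dicts."""
    alerts = []
    seen = set()                   # (rule, user, day): one alert per rule per user per day
    windows = defaultdict(deque)   # user -> timestamps of recent confidential downloads

    def alert(rule, ev, detail):
        key = (rule, ev.get("user"), ev["ts"].date())
        if key in seen:
            return
        seen.add(key)
        alerts.append({"rule": rule, "user": ev.get("user"),
                       "ts": ev["ts"].isoformat(), "detail": detail})

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev.get("user")
        profile = roster.get(user)
        if profile is None:
            # An account with no HR record is itself a finding: nobody owns it.
            alert("unknown_account", ev, "no HR record for this account")
            continue
        day = ev["ts"].date()
        term = profile["terminated"]

        # Rule 1: any activity, successful or not, after the termination date
        # (Mr. Pani's login attempts two days after leaving Intel).
        if term is not None and day > term:
            alert("terminated_access", ev,
                  f"account used {(day - term).days} day(s) after termination")

        # Rule 2: VPN source country differs from the user's home country
        # (the VPN sessions from China in the "Bob" case).
        if ev.get("event") == "vpn_login" and ev.get("src_country") != profile["country"]:
            alert("geo_anomaly", ev,
                  f"VPN from {ev.get('src_country')} for a {profile['country']}-based user")

        if ev.get("event") == "doc_download" and ev.get("class") == "confidential":
            # Rule 3: volume of confidential downloads within a sliding window.
            window = windows[user]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BULK_WINDOW:
                window.popleft()
            if len(window) > BULK_THRESHOLD:
                alert("bulk_download", ev,
                      f"{len(window)} confidential docs within {BULK_WINDOW}")
            # Rule 4: confidential downloads in the notice period before a
            # known termination date (Mr. Pani's final week at Intel).
            if term is not None and timedelta(0) <= (term - day) <= PRE_DEPARTURE_WINDOW:
                alert("pre_departure_download", ev,
                      f"confidential download {(term - day).days} day(s) before termination")
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, ROSTER):
        print(f"{a['ts']} {a['rule']:<22} {a['user']:<6} {a['detail']}")
```

Two design points matter more than the individual rules. First, the detector only works if the HR roster is authoritative and timely: Rule 1 and Rule 4 are blind to a termination that HR records after the fact, which is exactly the window Mr. Mitchell and Mr. Williams exploited, so offboarding must revoke access before the person is told. Second, a failed login from a terminated account is kept as a finding rather than discarded as noise, because that is the signal that alerted Intel.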

Conclusion

This paper has shed light on insider threats, both intentional (malicious) and unintentional (negligent or accidental). It analyzed breaches at Intel, the Central Bank of Bangladesh, Leoni, UBS, Saudi Aramco, the company investigated by Verizon in the "Bob" case, the American College of Education, EnerVest Operating, Move, Rogerson Kratos, healthcare companies, and Fazio Mechanical. Security controls against insider threats should provide deterrence, prevention, detection and remedies (Theoharidou et al., 2005).

References

beckershospitalreview.com. (2017). Healthcare breaches cost $6.2B annually. Retrieved on 11/11/17 from: https://www.beckershospitalreview.com/healthcare-information-technology/healthcare-breaches-cost-6-2b-annually.html

Bisson, D. (2017). Fired IT Employee Demands $200K in Exchange for Unlocking Data. Retrieved on 11/11/17 from: https://www.tripwire.com/state-of-security/latest-security-news/fired-employee-demands-200k-exchange-unlocking-data/#.WH90Yiy7-lM.twitter

Colwill, C. (2010). Human factors in information security: The insider threat -- Who can you trust these days? Retrieved on 11/11/17 from: https://www.sciencedirect.com/science/article/pii/S1363412710000051

Davies, C. (2013). Software developer Bob outsources own job and whiles away shifts on cat videos. Retrieved on 11/11/17 from: https://www.theguardian.com/world/2013/jan/16/software-developer-outsources-own-job

DOJ. (2014). Former Network Engineer Pleads Guilty To Crashing Employer's Computer System. Retrieved on 11/11/17 from: https://www.justice.gov/usao-sdwv/pr/former-network-engineer-pleads-guilty-crashing-employers-computer-system

DOJ. (2016). Glendale Man Found Guilty of 32 Counts of Stealing and Distributing Avionics Trade Secrets Belonging to Former Employer. Retrieved on 11/11/17 from: https://www.justice.gov/usao-cdca/pr/glendale-man-found-guilty-32-counts-stealing-and-distributing-avionics-trade-secrets

Gaudin, S. (2006). Ex-UBS Systems Admin Sentenced To 97 Months In Jail. Retrieved on 11/11/17 from: https://www.informationweek.com/ex-ubs-systems-admin-sentenced-to-97-months-in-jail/d/d-id/1049873

Hunker, J. & Probst, C. (2008). Insiders and Insider Threats -- An Overview of Definitions and Mitigation Techniques. Retrieved on 11/11/17 from: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.465.7490&rep=rep1&type=pdf

Insider Threat Defense Inc. (2017). Insider Threat Incidents – Could They Happen to Your Organization? Retrieved on 11/11/17 from: https://www.nationalinsiderthreatsig.org/pdfs/Insider%20Threats%20Incidents-Could%20They%20Happen%20To%20Your%20Organization.pdf

Janes, P. (2012). People, Process, and Technologies Impact on Information Data Loss. Retrieved on 11/11/17 from: https://www.sans.org/reading-room/whitepapers/dlp/people-process-technologies-impact-information-data-loss-34032

Kowalski et al. (2008). Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector. Retrieved on 11/11/17 from: https://resources.sei.cmu.edu/asset_files/WhitePaper/2008_019_001_52266.pdf

Lane, B. (2016). Move over alleged trade secret theft: Settles one of most contentious battles in history of online real estate. Retrieved on 11/11/17 from: https://www.housingwire.com/articles/37204-zillow-to-pay-130m-to-settle-lawsuit-with-move-over-alleged-trade-secret-theft

Pagliery, J. (2015). The inside story of the biggest hack in history. Retrieved on 11/11/17 from: https://money.cnn.com/2015/08/05/technology/aramco-hack/

Radichel, T. (2014). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved on 11/11/17 from: https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412

Schwartz, M. (2016). Report: New York Fed Fumbled Cyber-Heist Response. Retrieved on 11/11/17 from: https://www.bankinfosecurity.com/report-new-york-fed-fumbled-cyber-heist-response-a-9281

Scott, J. & Spaniel, D. (2016). In 2017, The Insider Threat Epidemic Begins. Retrieved on 11/11/17 from: https://icitech.org/wp-content/uploads/2017/02/ICIT-Brief-In-2017-The-Insider-Threat-Epidemic-Begins.pdf

Sjouwerman, S. (n.d.). Cyberheist Nets 44 Million In Single CEO Fraud Attack. Retrieved on 11/11/17 from: https://blog.knowbe4.com/cyberheist-nets-44-million-in-single-ceo-fraud-attack

Steele, S. & Wargo, C. (2007). An Introduction to Insider Threat Management. Retrieved on 11/11/17 from: https://www.tandfonline.com/doi/abs/10.1080/10658980601051334

Swartz, N. (2007). Protecting Information from Insiders. Retrieved on 11/11/17 from: https://www.questia.com/magazine/1P3-1296906321/protecting-information-from-insiders

Symantec. (2014). Internet Security Threat Report 2014. Retrieved on 11/11/17 from: https://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf

Theoharidou et al. (2005). The insider threat to information systems and the effectiveness of ISO17799. Retrieved on 11/11/17 from: https://www.sciencedirect.com/science/article/pii/S0167404805000684

USA v. Pani. (2008). United States of America v. Biswamohan Pani. Retrieved on 11/11/17 from: https://regmedia.co.uk/2008/11/06/amdintelpaniindictment.pdf

Verizon. (2016). 2016 Data Breach Investigations Report. Retrieved on 11/11/17 from: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Verizon. (2017). The Insider Threat: Protecting the Keys to the Kingdom. Retrieved on 11/11/17 from: https://www.verizonenterprise.com/resources/reports/rp_data-breach-digest-2017-insider-threat_xg_en.pdf

Walker. (2008). Practical management of malicious insider threat – An enterprise CSIRT perspective. Retrieved on 11/11/17 from: https://www.sciencedirect.com/science/article/pii/S136341270800054X

Weiss, N. and Miller, R. (2015). The Target and Other Financial Data Breaches: Frequently Asked Questions. Retrieved on 11/11/17 from: https://fas.org/sgp/crs/misc/R43496.pdf

Author: Akram Hosain, CISSP
