
Insider attacks on corporate
information are highly predictable, but nearly half of companies
face losses because they ignore the warning signs, say US
researchers.
This emerged in follow-up research into actual attacks revealed
in the 2007 E-Crimewatch survey of 671 firms conducted for the US
Secret Service and Microsoft by Carnegie Mellon
University's (CMU) Software Engineering Institute's Cert
programme, and interviews with convicted attackers.
Dawn Cappelli, a senior member of CMU's Cert team, told
RSA 2008 delegates that there were both behavioural and
technical changes that pointed to a raised risk of an attack on
corporate information.
She said the behavioural changes in potential attackers included
increased drug use, more unexplained absences or tardiness at work,
aggression or violent behaviour at work, rapid mood swings, the use
of work facilities for personal use, sexual harassment and poor
hygiene.
Technical changes include the creation of unknown access paths
to corporate data, such as back doors, logic bombs, theft of other
account holders' identity and privileges, and special relationships
with other members of staff, she said.
"The victims could observe the behavioural changes but ignored
them. The technical changes were observable but not detected,"
Cappelli said.
She said most attacks were for personal gain or vengeance. They
included fraudulent change of data, theft of intellectual property,
and "IT sabotage", such as the destruction of data and denial of
access to facilities.
The impact of such attacks was severe in some cases, she said.
Some firms were unable to do business, or lost their customer
records, or could not produce goods. Others were humiliated by
media attention on the attack, and private information was sent to
public sites and competitors.
Most of the damage was financial, with a third of technical
attacks costing firms more than £500,000. In one case a man was
murdered after an insider passed his address to his wife's
ex-husband.
Cappelli said most of the motives are well known. They include
disaffection over unmet pay and promotion expectations, denial of
access to corporate resources, poor relations with co-workers and
supervisors and perceived unrealistic workloads.
She said times of great change, such as in mergers and
acquisitions, where jobs were on the line, were triggers for
attacks.
Most people who stole, sold or changed information for personal
gain were low-level staff, typically in service roles. Most insider
attacks are done on the job, and will be repeated once one is
successful.
Technical attackers were likely to be highly skilled and to
develop sophisticated attacks, sometimes planned over many months.
Their attacks were more likely to occur close to their employment
termination dates, and their impact was likely to be greater.
In both types of attack, half the attackers had help from
another insider, but just one victim in four reported the attack to
the authorities, Cappelli said.