RSA 2008: spot the warning signs of insider attacks

Insider attacks on corporate information are highly predictable, but nearly half of companies face losses because they ignore the warning signs, say US researchers.

This emerged from follow-up research into the actual attacks reported in the 2007 E-Crime Watch survey of 671 firms, conducted for the US Secret Service and Microsoft by the CERT programme at Carnegie Mellon University's (CMU) Software Engineering Institute, together with interviews with convicted attackers.

Dawn Cappelli, a senior member of CMU's CERT team, told RSA 2008 delegates that both behavioural and technical changes pointed to a raised risk of an attack on corporate information.

She said the behavioural changes in potential attackers included increased drug use, more unexplained absences or tardiness at work, aggression or violent behaviour at work, rapid mood swings, use of work facilities for personal purposes, sexual harassment and poor hygiene.

Technical changes included the creation of unknown access paths to corporate data, such as back doors and logic bombs, theft of other account holders' identities and privileges, and special relationships with other members of staff, she said.

"The victims could observe the behavioural changes but ignored them. The technical changes were observable but not detected," Capelli said.

She said most attacks were for personal gain or vengeance. They included fraudulent change of data, theft of intellectual property, and "IT sabotage", such as the destruction of data and denial of access to facilities.

The impact of such attacks was severe in some cases, she said. Some firms were unable to do business, lost their customer records, or could not produce goods. Others were humiliated by media attention on the attack, and private information was sent to public sites and competitors.

Most of the damage was financial, with a third of technical attacks costing firms more than £500,000. In one case a man was murdered after an insider passed his address to his wife's ex-husband.

Cappelli said most of the motives are well known. They include disaffection over unmet pay and promotion expectations, denial of access to corporate resources, poor relations with co-workers and supervisors and perceived unrealistic workloads.

She said times of great change, such as mergers and acquisitions where jobs were on the line, were triggers for attacks.

Most people who stole, sold or changed information for personal gain were low-level staff, typically in service roles. Most of these attacks were carried out on the job, and were repeated once one had succeeded.

Technical attackers were likely to be highly skilled and to develop sophisticated attacks, sometimes planned over many months. Their attacks were more likely to occur close to their employment termination dates, and their impact was likely to be greater.
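The technical precursors described above (new access paths such as extra accounts and scheduled jobs, use of other users' accounts, privilege changes) are exactly the kind of signal Cappelli says was "observable but not detected", and the clustering of attacks near termination dates gives a natural way to prioritise them. The following is an added example, not CERT's or the article's own code: it scores constructed audit events per actor, weighting precursor actions and adding a bonus when the actor has a known termination date within a 30-day window. The event format, the action names, the weights and the HR data are all assumptions made for the illustration.

```python
"""Added example (not from CERT or the article): score technical insider-attack
precursors per actor and weight those close to a known termination date.
All data below is constructed for illustration."""
from collections import defaultdict
from datetime import date

# Constructed HR feed (assumption): actor -> notified termination date.
TERMINATIONS = {"jsmith": date(2008, 4, 30)}

# Constructed audit events (assumption): (date, actor, action, target).
EVENTS = [
    (date(2008, 3, 2),  "jsmith", "login",           "jsmith"),       # normal
    (date(2008, 4, 20), "jsmith", "create_account",  "svc_backup2"),  # unknown access path
    (date(2008, 4, 21), "jsmith", "grant_privilege", "svc_backup2"),  # new privilege
    (date(2008, 4, 22), "jsmith", "login",           "mjones"),       # another user's account
    (date(2008, 4, 23), "jsmith", "schedule_job",    "cleanup.sh"),   # possible logic bomb
    (date(2008, 4, 24), "ahall",  "login",           "ahall"),        # normal
]

# Weights are illustrative choices, not survey figures.
PRECURSOR_WEIGHTS = {"create_account": 3, "grant_privilege": 3, "schedule_job": 2}
IMPERSONATION_WEIGHT = 4        # login to an account other than one's own
TERMINATION_WINDOW_DAYS = 30    # how close to a termination date counts as "near"
TERMINATION_BONUS = 2           # extra weight for precursors inside that window


def classify(event):
    """Return (label, weight) if the event is a technical precursor, else None."""
    _when, actor, action, target = event
    if action == "login" and actor != target:
        return ("login to another user's account", IMPERSONATION_WEIGHT)
    if action in PRECURSOR_WEIGHTS:
        return (action, PRECURSOR_WEIGHTS[action])
    return None


def near_termination(actor, when, terminations, window_days=TERMINATION_WINDOW_DAYS):
    """True if the actor has a termination date 0..window_days days after the event."""
    end = terminations.get(actor)
    if end is None:
        return False
    return 0 <= (end - when).days <= window_days


def score_precursors(events, terminations):
    """Aggregate precursor weights per actor; returns {actor: {"score", "findings"}}."""
    report = defaultdict(lambda: {"score": 0, "findings": []})
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        label, weight = hit
        when, actor, _action, target = event
        if near_termination(actor, when, terminations):
            weight += TERMINATION_BONUS
            label += " (within termination window)"
        report[actor]["score"] += weight
        report[actor]["findings"].append((when.isoformat(), label, target))
    return dict(report)


if __name__ == "__main__":
    for actor, result in score_precursors(EVENTS, TERMINATIONS).items():
        print(f"{actor}: score {result['score']}")
        for when, label, target in result["findings"]:
            print(f"  {when}  {label}  -> {target}")
```

In the constructed data only jsmith is flagged: four precursor events, each inside the termination window, give a score of 20, while ahall's ordinary login produces nothing. In practice the HR feed is the important input; the same four events without a known termination date would score 12 and sit lower in an analyst's queue.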

In both types of attack, half the attackers had help from another insider, but just one victim in four reported the attack to the authorities, Cappelli said.
