Insights on the Insider Threat: Randy Trzeciak of Carnegie Mellon's CERT
We all know the risk of the insider threat is high, but what are the specific vulnerabilities for which organizations should be particularly vigilant?
In an exclusive interview, Randy Trzeciak of Carnegie Mellon's CERT program discusses recent insider threat research, including:
Trzeciak is currently a Senior Member of the Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. He is a member of a team in CERT focusing on insider threat research, including insider threat studies being conducted with the US Secret Service National Threat Assessment Center, DOD's Personnel Security Research Center (PERSEREC), and Carnegie Mellon's CyLab. The studies analyze the physical and online behavior of malicious insiders prior to and during network compromises. Other insider threat research uses system dynamics modeling for risk analysis of the impacts of policy decisions, technical security measures, psychological issues, and organizational culture on insider threat. Trzeciak also is an adjunct professor in Carnegie Mellon's Heinz College, School of Information Systems & Management. He received a MS in Management from the University of Maryland, a BS in Management Information Systems, and a BA in Business Administration from Geneva College.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about the insider threat, and we are talking with Randy Trzeciak, the Senior Member of Technical Staff for the Threat and Incident Management Team in the CERT Program at Carnegie Mellon University's Software Engineering Institute. Randy, thank you so much for joining me today.
RANDY TRZECIAK: You're welcome.
FIELD: This is just one of the hottest topics of the year, the insider threat. Why don't you tell us a little bit about your research into it and some highlights of what you found.
TRZECIAK: Sure, we here at CERT have been doing research into the insider threat domain since 2001. The cases that we have looked at are actually cases that have occurred in the years of 1996 through 2007. Since that point in time, we studied hundreds of cases of malicious insiders that caused harm to the organization across all of the critical infrastructure areas within the United States.
Now, just to be clear in terms of what we mean by the insider threat, to define that we say that an insider is a current or former employee, a contractor or a business partner who has or had authorized access and intentionally exceeded that access in a manner that negatively affected the confidentiality, integrity or availability of the organization's information or information systems.
So the cases that we have -- those aren't accidental data disclosures or accidental sabotage of systems through an attachment or an email. These are actual attacks against the organizations. So we have collected hundreds of cases, we've coded them in a consistent format in a database, and then we are able to go ahead and look at trends and patterns across those particular cases. There are three types of crimes that we have studied in detail, the first being IT sabotage, the second being theft or modification of information for business advantage, and the third being the theft of information for financial gain. So we've collected statistics and reported on those three types of crimes.
FIELD: Now Randy, you talked about patterns and trends, what are some of the typical patterns and trends that you see in these insider cases?
TRZECIAK: Okay, if we were to break that down into the three types of crimes, the first one being someone who takes information or modifies information for financial gain. Obviously their motive would be to obtain some financial benefit from the information they take or the modification of information that they do within their organization. Those people typically tend to be current employees in the organization; those tend to be more the lower level positions in the organizations, the administrative or the data entry, the people who have actual responsibility for modifying or dealing with the data on a day-to-day basis.
The type of information that they are taking or modifying for the financial benefit to them as an individual, they typically would take the personally identifiable information (PII) or the customer information, and with those particular types of cases we saw a high degree of collusion outside of the organization. In the cases that we have looked at, of the people who steal information with the intent to sell it, about half of those cases were induced by someone from the outside. So they were approached from the outside with the intent to take information and go ahead and sell it to the outside individual that they are collaborating with. So that was the people who take or modify the information for a financial benefit.
Now if we look at the cases where people take information for business advantage -- what we mean by that is people who take the information with the intent to start a competing company or take it with them to a competitor or to obtain a job. So they take information and use it in some type of competition with the organization. Those types of dynamics are a little bit different in terms of the patterns. Those people were as well current employees. Those tended to be the technical or sales people in the organization. People who have access to the critical information, the intellectual property, the customer information, they were able to take it and start a competing company or take it with them to obtain a job or take it with them to a competitor as well.
In both of those two types of crimes, those crimes tended to happen during normal working business hours, during the day, and both of those types were authorized access. So these are people who have access to that information on a day-to-day basis, and in the first example they take the information and sell it and obtain some information from that, and the second one would be people who take that information and use it to start a competitor or a competing business.
And the third type of crime, the IT sabotage, that looks a little bit different. These types of crimes occur primarily with the motive of revenge. These people typically tended to be former employees. They left the organizations. Most of these were technical, many of these were very technical positions and they would come back in after the termination occurred and seek some type of revenge. They would sabotage systems or data or operations to cause some damage to the organization. So that is just the general overview of the three types of crimes that we have studied and hopefully that gives you an idea of the people that we have seen in the cases that we have done analysis on.
FIELD: Well, that was really helpful. Now one thing we hear about a lot now, Randy, is that current economic conditions really make the insider threat sort of a heightened risk. Do you find that to be the case?
TRZECIAK: Well, just to be clear in terms of the cases that we have in our case library, these are cases that were actually prosecuted, that have gone through the court system. Now we don't have the benefit of having done the analysis of the extremely current economic conditions as it relates to the insider threat cases, but what we can say is that in the cases that we have looked at in the past across these types of crimes, what we were able to do is to try to model the pattern as they tend to evolve over time.
So for example, the IT sabotage model, we describe that as a series of events as it leads up to the crime. One of the things that we have seen in that particular model is what we call precipitating events. Those are stressful events that occur and on occasion will contribute to an insider's decision to commit a malicious act. So looking at the cases that we've seen, some of the examples of precipitating events include failure to obtain a promotion, demotions, transfers, layoffs, reorganizations, bonuses being at risk or salaries being cut -- those are some of the things that we have seen contribute to that particular type of crime in the past. And if we were to say that the economic conditions would lead to similar precipitating events, we could then say that these are things that may contribute to an insider's decision to act out.
So it seems that there is a pretty good parallel between things that may be occurring in the industry today as a result of the economic conditions and the cases that we have studied.
FIELD: It seems as if we've got some good material for a follow-up study as well.
TRZECIAK: Sure. Absolutely.
FIELD: Now you talked about some of the motives and the means and the factors here; can you give us sort of some inside information on some of the cases you looked at? What were some of the motives and means and factors that play into the decision to commit these crimes?
TRZECIAK: Sure, what we can do is just give you a couple of examples of cases that we have seen. One of the ones again from the financial gain perspective, we had a case that occurred in a major U.S. insurance company. This individual was the database administrator for the company, and he was frustrated at what he perceived to be an unfair low pay for his job responsibilities. What he was able to do, because he was responsible for the personnel files of this organization, he was able to download over 60,000 employee records onto removable media and then went out and solicited bids for sale over the internet. While the information he was offering included Social Security numbers, home addresses, phone numbers and salaries, and his intent was to sell the entire database to the highest bidder, fortunately law enforcement was able to convict him or was able to identify this going on and was able to stop it from happening actually before it was transferred to someone. So that was one example of a financial gain. Not all of these were extremely technical.
Another example that we had was a nighttime janitor who worked for a major U.S. bank and was able to steal the identities of more than 250 people just by going through the trash that was set out for disposal in the organization. He was able to go through, obtain this information, he was able to open credit card accounts in customer names, and as you can imagine was able to purchase expensive items. One of the things he did was to hide his tracks by submitting change of address requests for the accounts, so these customers never got bank statements alerting them to what was going on. He was able to use the online banking accounts, paying bills, transferring funds to checking accounts and was able to use the bill paying service.
So as you can see, there is critical information in organizations that insiders were able to take out of the organization, whether it be through electronic means or just disposal, and obtain some financial benefit from it.
And then finally, a third case that we had was theft for business advantage. We had an example of a technical consultant for a computer software and hardware organization; he was a programmer. He informed his organization that he was going to leave to go to work for another organization. On the night before he was to leave the organization, he came in on a Sunday evening, went into the organization, obtained unauthorized access to another engineer's office, obtained access to that person's computer, and he was able to take out with him a removable media disc that contained some of the critical information from that particular software and hardware vendor.
So as you can see, information is leaving. In those particular cases the financial gain people took it to obtain a direct benefit monetarily, and the second case that we presented was someone taking it with him to take it to a new job so that he had the code available to him that he wrote for this current organization. So that's just a sample of some of the highlights of some of the cases that we have studied. We tried to break those down into the motives being financial in nature and business advantage, and the third one the IT sabotage -- those cases where people wanted to seek revenge against the organization for what typically was a perceived injustice done to them by the organization.
FIELD: Now, what are some of the prevention and detection practices or the security controls that could be implemented to help to avoid some of these insider crimes?
TRZECIAK: One of the things that we've done is to produce what we call the Common Sense Guide to Prevention and Detection of Insider Threats. That is publicly available on our website, www.cert.org/insider_threat, so I would certainly point everyone to go out and take a look through that. That does highlight the 16 best practices that we would consider, which would allow you to hopefully prevent an insider attack from occurring, but if not prevent it, detect it early enough to minimize the impact to the organization.
A couple of things that we will just highlight from them is that our first practice says to consider the threats from insiders and business partners in an enterprise-wide risk assessment. So certainly organizations need to know what their critical data is, who has access to it and to be able to grant authorized access to that critical information, logging access to that and to try to be able to provide some automated way to audit and identify when people are accessing information outside of their authorized access area. So that is one of the ones that we would highlight.
Certainly we want to enforce things like separation of duties and least privilege. We want to make sure that people have the correct roles and responsibilities tied directly to their job functions. We have seen cases where, as people go through the organization and obtain different positions in the organization, some of those individuals are able to accumulate privileges, so we just add additional privileges on to what they do or what they did in the past. Certainly if you can go through and do audits in terms of account audits: what do people have access to? Does that line up directly to their job responsibilities? Do they have the correct roles at any point in time to do their job and not more than what they need to have access to? And one of the final ones that we would just highlight is we certainly don't overlook that as someone is leaving the organization you are able to disable their access paths into the organization. And what we mean by that is certainly it ties to individual accounts; most people have individual accounts that, as they are leaving the organization, we want to disable. Or commonly overlooked accounts that weren't changed or disabled when they left the organization -- things such as group accounts, testing accounts, development accounts, customer accounts, training accounts; those are the commonly overlooked access paths that individuals know the password to as they are leaving and they are not able to disable those. They don't remember or they don't necessarily have knowledge that people had access to those. So if you are asking yourself the question as someone is leaving, what account privileges do they have and what do we need to disable, that is probably too late. It takes some time to recover from the account audits and to identify what people have access to.
Once again I would refer you to the common sense guide because it goes into much more detail and it does highlight the 16, of which we only had time to highlight a couple today.
FIELD: No, that's really helpful and we definitely will point people in that direction. Now Randy, there is not much that we can do to control outside influences such as the economy and the effects of that. What can organizations do internally to track and manage maybe some of the negative workplace issues that could lead to some of these insider crimes or conditions that would be conducive to insider crimes?
TRZECIAK: Okay, what we like to try to do in our presentation is to raise awareness of the insider threat problem. We don't feel that it can only be solved by IT controls. What we try to say is that organizations need to communicate across all parts of the organization, including supervisors, managers, human resources, information technology, physical security, legal, because each of these departments may have a different perception of the risk level of employees in their organization. If we are able to communicate across the departments the risk posed by individuals, we might get a bigger perspective or a better perspective of the big picture of individuals who may be more at risk of committing these particular types of crimes.
All too often, or what we have heard is that we are throwing IT solutions at this problem, but what we have seen in our research is there is more than just technical actions taken by the individual. There are a lot of non-technical behaviors that are exhibited in the organizations, and if we can raise awareness of these non-technical and technical behaviors, we can raise the perception that someone should be looked at a little more closely because they may be more at risk of committing a particular type of crime.
But certainly we want to respond consistently to all technical and non-technical behaviors. We certainly should get human resources involved as soon as possible. Document actions taken by individuals and certainly actions taken by the organizations as well.
FIELD: Now how about the rank and file employees; are there things that they can be doing to minimize threats that they might observe just in their own workspaces?
TRZECIAK: Certainly. In the cases that we have seen, we were surprised by the number of other individuals in the organization that knew something wasn't quite right prior to something happening, they had some knowledge of something going on. What we certainly say is to communicate and raise awareness -- that certainly organizations should regularly conduct security awareness training. And that is again common sense and should happen, but it certainly should include alerting employees to know how they can and should respond to both the non-technical behaviors and the technical behaviors. And this may even be in the form of some anonymous reporting, if they see something or some behavior that isn't necessarily acceptable in the workplace, they should report that and then in the organization the human resources or someone, a supervisor, should consistently follow up and act upon that particular behavior.
Certainly if it was a technical action, if it violated an acceptable use policy, that should be documented and should be consistently enforced, and that should be included in the person's personnel file or something so that we can document consistent actions that occurred over time related to an individual. So what we would say is that individuals, if they see something of suspicion, they should raise that and they should have a way to report that and even if it is anonymous it does provide information to people who could raise awareness of the risk individuals may pose.
FIELD: Randy, a final question for you, given what you have learned from your extensive study here. What insider threat trends do you think that organizations ought to be most sensitive to right now?
TRZECIAK: Sure, one of the things that we look at is this kind of evolving perception of what the insider is and the threats that they pose. We want to be able to say that there is an increasing complexity on the part of the individual, and what we mean by that is the amount of collusion that is occurring in organizations from the outside: people in some cases being recruited, people on the outside knowing that people have access to information are coming in and maybe seeing that there is a financial need and offering to provide pay for some critical information. That is one of the expanded complexity issues that we try to raise.
Certainly the issue of business partners. It is certainly difficult controlling and monitoring access to information within your four physical walls, but once you start granting access to business partners and contractors and subcontractors, how do you then ensure that they are treating your data as you would treat it if you were in sole control of that. So that is more the complexity as well.
Certainly these days mergers and acquisitions, there is a heightened risk of the insider threats in organizations that are being merged into, acquiring organizations, those are things that are contributing to this complexity of how we define what an insider is and how and what threats they pose to your organizations.
And then finally, what we are taking a look at is the cultural differences. Certainly as organizations have a global presence, we have individuals that are working inside your organization who may not be United States individuals, they may be outside, and there is the difficulty of recognizing the behaviors exhibited by the insiders who work for U.S. companies and who are not U.S. citizens. The behaviors that we have seen in these cases may be different if we take a look abroad and take a look at the behaviors that are exhibited by those individuals.
And the final one is the foreign allegiances. U.S. companies operate outside the U.S., and the majority of the employees who are not U.S. citizens, how do we then train individuals in the organizations to identify these potential indicators of someone being at risk to committing this type of crime?
Those are the trends that we are looking to explore as we go forward to identify areas that may provide information to organizations who consider insiders a risk to them.
FIELD: Well Randy it is fascinating, timely research. I am very grateful for the time and the insight you have given us today. Thank you very much.
TRZECIAK: Sure, absolutely. And just to show if anyone is interested, we are presenting at the RSA 2000 Conference in April some of this same material as well as newer cases and information, statistics, and trends and patterns. And also, we do have insider threat workshops, we are offering one later this spring, in the summer, all the information related to that is on our www.cert.org website as well as any of the best practices and the common sense guide and those things are available on our website as well.
FIELD: Well, we will point people there, and Randy, I will be at RSA myself, so I look forward to seeing you there.
TRZECIAK: Very good. I look forward to seeing you as well.
FIELD: We've been talking with Randy Trzeciak at CERT. For Information Security Media Group, I'm Tom Field. Thank you very much.