Insider Threats
CERT (at Carnegie Mellon) just released a study on insider threats. They analyze 49 insider attacks between 1996 and 2002, and draw some conclusions about the attacks and attackers. The study says nothing about the prevalence of these attacks; it is more about their particulars.
The report is mostly obvious, and isn’t worth more than a skim. But the particular methodology only tells part of the story.
Because the study focuses on insider attacks on information systems rather than attacks using information systems, it’s primarily about destructive acts. Of course the major motive is going to be revenge against the employer.
Near as I can tell, the report ignores attacks that use information systems to otherwise benefit the attacker. These attacks would include embezzlement—which at a guess is much more common than revenge.
The report also doesn’t seem to acknowledge that the researchers are only looking at attacks that were noticed. I’m not impressed by the fact that most of the attackers got caught, since those are the ones that were noticed. This reinforces the same bias: network disruption is far more noticeable than theft.
These are worrisome threats, but I’d be more concerned about insider attacks that aren’t nearly so obvious.
Still, there are some interesting statistics about those who use information systems to get back at their employers.
For example of the latter, the study’s “executive summary” notes that in 62 percent of the cases, “a negative work-related event triggered most of the insiders’ actions.” The study also found that 82 percent of the time the people who hacked their company “exhibited unusual behavior in the workplace prior to carrying out their activities.” The survey surmises that’s probably because the insiders were angry at someone they worked with or for: 84 percent of attacks were motivated by a desire to seek revenge, and in 85 percent of the cases the insider had a documented grievance against their employer or a co-worker….
Some other interesting (although not particularly surprising) tidbits: Almost all—96 percent—of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).
Brian Stanko • May 18, 2005 11:07 AM
The element of the report that I find disturbing is the subtext that strange behaviour in the workplace is more than likely a sign of sabotage. And even more disturbing is the suggestion that employees should be watching each other for the telltale “signs” and reporting said signs to the powers that be.
From the report: “Developing a formal process for the reporting of such behavior in the workplace is important, including the consideration of whether a mechanism for anonymous reporting should be provided. Employees should be informed of the process and encouraged to avail themselves of the opportunity to report suspicious or inappropriate behavior.”
Smacks of 1984 thought-crime logic and fear mongering: saboteurs act strangely; you are acting strangely; therefore you are a saboteur.