Secret Service and CERT Release Report Analyzing Acts of Insider Sabotage Via Computer Systems in Critical Infrastructure Sectors
January 1, 2005 • Article
Secret Service and CERT Release Second Insider Threat Report
Second in a Series of Reports Focusing on Insider Threats to Information Systems and Data in Critical Infrastructure Sectors
(Washington, DC) - The United States Secret Service and the Carnegie Mellon Software Engineering Institute’s CERT today announced the findings of the second Insider Threat Study report. According to the report, which analyzed acts of insider sabotage on computer systems in critical infrastructure sectors, the majority of insiders who committed the attacks were former employees, motivated at least in part by a desire to seek revenge and who were granted system administrator or privileged access when hired.
The goal of the Insider Threat Study, made possible in part by financial support from the U.S. Department of Homeland Security’s Science and Technology Directorate, is to better understand malicious insider activities affecting information systems and data in critical infrastructure sectors. The study is the first of its kind to provide a comprehensive analysis of insider actions by analyzing both the behavioral and technical aspects of the threats.
“At a time when homeland security is more closely linked than ever to the protection of our nation’s critical infrastructure, the Insider Threat Study serves as an important reminder for all of us to protect sensitive information by closely monitoring and safeguarding network usage and reporting suspected intrusions to security personnel and law enforcement as soon as a breach is detected,” said United States Secret Service Director Ralph Basham.
Forty-nine cases, carried out between 1996 and 2002, were examined across critical infrastructure sectors. These cases were purposely limited to those in which an insider’s primary goal was to sabotage some aspect of the organization or direct specific harm toward an individual. The study revealed:
- A negative work-related event triggered most of the insiders’ actions.
- Sixty-two percent of incidents were planned in advance.
- Eighty percent of the insiders exhibited unusual behavior in the workplace prior to carrying out their activities.
- Fifty-seven percent of insiders exploited systemic vulnerabilities in applications, processes and/or procedures.
- Thirty-nine percent used relatively sophisticated attack tools.
- Sixty percent of insiders compromised computer accounts, created unauthorized backdoor accounts or used shared accounts in their attacks.
- Most incidents were carried out via remote access.
- Less than half of the insiders (43%) had authorized access at the time of the incident.
- Insider activities caused financial losses (81%), negative impacts to business operations (75%) and damage to the organizations’ reputations (28%).
“The power of a terminated employee with system administrator access should not be underestimated," said Dawn Cappelli, senior member of the technical staff with CERT. "Some organizations completely neglect disabling access upon termination. Others go through the steps to disable access, but the insider is able to find that one access control gap that was overlooked. It is important that technical staff are attentive to the obscure methods used in the insider attacks in this study.”
This report suggests important proactive strategies by all levels of an organization’s personnel to mitigate insider threats. These strategies include detailed suggestions for best practices for information security and human resources that historically have not been consistently implemented. Specifically, the report suggests:
- Disabling access following termination
- Management attention to negative events in the workplace
- Establishing formal grievance procedures as an outlet for insider complaints
- Creating reporting processes for when a colleague notices or suspects concerning behavior
- Enforcing comprehensive password policies, computer account management practices and layered security for remote access
- Using configuration management practices for detection of logic bombs and malicious code
- System logging and monitoring, and backup and recovery procedures
About the Insider Threat Study
The Insider Threat Study is a collaborative research endeavor between the Secret Service’s National Threat Assessment Center (NTAC) and CERT, designed to develop information to help private industry, government and law enforcement better understand, detect, and ultimately prevent harmful insider activity. The definition of an insider for this study includes current, former, or contract employees of an organization.
Previously, in August 2004, the first report of the Insider Threat Study was released: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. It focused on the people who had access to and perpetrated harm using information systems in the banking and finance sector, which includes credit unions, credit bureaus and other financial institutions.
About the Secret Service’s National Threat Assessment Center
The Secret Service has taken a lead role in the developing area of cyber crime, establishing working partnerships in both the law enforcement and business communities to address such issues as protection of critical infrastructure, internet intrusions and associated fraud.
The National Threat Assessment Center was created by the Secret Service in 2000 to provide leadership and guidance to the emerging field of threat assessment. Two previous NTAC studies, the Exceptional Case Study Project and the Safe School Initiative, analyzed physical attacks on public officials and public figures and attacks on schools. Both studies focused on identifying information that was operationally relevant and that could help prevent future violent or disruptive incidents. Findings from the Insider Threat Study may similarly enhance efforts within law enforcement, corporate security, information technology, and others in prevention, early detection, and investigation of cyber-related crimes.
CERT is located at Carnegie Mellon University’s Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania, USA. The SEI is a U.S. Department of Defense sponsored federally funded research and development center. The CERT Coordination Center, an initiative within CERT, was established in 1988 to deal with security issues on the Internet. It also partners with and supports the U.S. Department of Homeland Security’s National Cyber Security Division and its US-CERT to coordinate response to security compromises, identify trends in intruder activity, identify solutions to security problems, and disseminate information to the broader community. CERT also conducts research and development to create solutions to security problems and provides training to help individuals build skills in dealing with cyber-security issues.
EDITOR’S NOTE: The complete report from the Insider Threat Study can be found at http://www.secretservice.gov/ntac.shtml and http://www.cert.org/archive/pdf/insidercross051105.pdf