This article can also be found in the Premium Editorial Download "Information Security magazine: Security researchers on biometrics, insider threats, encryption and virtualization."
SO YOU THINK YOU KNOW INSIDERS
Insiders have widely been identified as the biggest threat to assets, in particular sensitive data such as customer information or intellectual property. Insiders are pegged as threats because they frequently have unimpeded access to these assets and are often aided by lax authorization and provisioning policies that dole out credentials to more applications and systems than are necessary to do one's job.
While technology solutions, such as identity management, can solve some of the problems, IT and business managers such as human resources executives can't rely on hardware and software alone to stop the riskiest threats: privileged insiders or disgruntled employees who have been let go or are on the verge of termination.
Spotting these troubled individuals before problems are unleashed is critical. CERT/CC has developed a detailed model of what disgruntled insiders look like and the sparks that set them off.
insiders, system administrators or database administrators and those intent on causing some kind of IT sabotage, there is very little in the way of a demographic profile outside of the credentials they possess or hand out, says team lead Dawn M. Capelli.
But one thing does transcend all offenders.
"If you look at the people you work with, there are the one or two people who don't get along well with others, cause problems, can't take criticisms, and people walk on eggshells around them," Capelli says. "Those are the people who commit IT sabotage. We don't have a single case where people said, 'He was such a nice guy, I can't believe he did it.'"
While that narrows your field of potentially risky insiders, there are still conditions that cause these situations to manifest, such as a withheld promotion or a lower-than-expected pay raise. These conditions usually aren't exclusive to the insider, but some people aren't able to overcome them psychologically, and they become disgruntled.
"We've validated this with all our cases," Capelli says, noting that CERT/CC has a database of 150 actual cases from which it builds and refines its models. "This is a distinct pattern."
This was first published in November 2008