Capelli says the insider stews, often acting out via conflicts with colleagues, tardiness or skipping work altogether. All the while, these privileged insiders are planning their attacks, knowing that termination may be inevitable and vengeance will be theirs.
"Organizations have to be watching so they can notice the signs. Some organizations are not monitoring for these signs at all, paying no attention to these people. Off the bat, they're going to be victims," Capelli says. "Technical people we talk to are not surprised by what we find in these cases. Their frustration is that management doesn't understand, and they can't get the funding and resources they need to be proactive and take the actions they know they need to take."
For those organizations that are paying attention, sanctions should be immediate. For employees who aren't predisposed for these behaviors, Capelli says a formal write-up by HR or even a demotion will bring the insider in line. The saboteurs will instead get angrier and continue to act out. The ultimate sanction, Capelli says, is termination, which triggers an attack.
"These people are sysadmins; they know your flaws and how to exploit them," Capelli says.
Technical monitoring is important. Savvy review of logs or account auditing could intercept unknown access paths laid down by the disgruntled insider, or the creation of backdoors or the insertion of logic bombs and other malware.
"The pattern is distinct where things start going downhill," Capelli says. "There is time to head this off."
The IT saboteur model is the most mature; Capelli says CERT/CC is working on an insider theft of confidential information model, as well as a model of an insider who commits fraud.
CERT/CC is also developing an insider threat diagnostic, which is being funded by CyLab, that it can take to organizations to help them evaluate the insider threat and what can be done about it. Capelli says the diagnostic is a three-to-five-day onsite visit to an organization where managers are interviewed about their processes, policies and technologies based on the thousands of technical vulnerabilities and psychological traits generated from the hundreds of cases in CERT/CC's database.
"If a manager understands the signs, they can work with IT, HR, legal and others and come at the problem of insider threats together," Capelli says. "We're trying to raise awareness and perhaps give IT a justification of the problem they can take higher up to management to get more resources to fight the problem."
Capelli's teams have embarked on their first pilots, and they're asking pointed questions, for example about account auditing and how often new accounts are vetted and with whom.
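One way to implement the account-auditing check described above (new accounts that no approved request vouches for, and privileged accounts created outside normal hours), as an added example that is not part of the article and not CERT/CC's diagnostic; the log format, the approved-request list and the off-hours window are assumptions:

```python
"""Audit account-creation events against the list of approved access requests.

Added example (not from the article or CERT/CC). The log format, the approved
request list and the off-hours window are assumptions; all data is constructed.
"""
from collections import Counter, namedtuple
from datetime import datetime

# Constructed sample data: one account-creation event per line.
ACCOUNT_LOG = """\
2008-10-01T09:12:00 creator=jsmith account=svc_backup type=service
2008-10-03T22:41:00 creator=rjones account=tmp_admin2 type=admin
2008-10-05T10:05:00 creator=jsmith account=mlee type=user
2008-10-06T23:58:00 creator=rjones account=rjones_bak type=admin
"""

# Constructed sample data: accounts with a vetted request and a named approver.
APPROVED_REQUESTS = {
    "svc_backup": {"ticket": "REQ-1001", "approver": "it-manager"},
    "mlee": {"ticket": "REQ-1002", "approver": "hr"},
}

Event = namedtuple("Event", "ts creator account kind")


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into Event tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts), kv["creator"],
                            kv["account"], kv["type"]))
    return events


def audit(events, approved, off_hours=(20, 6)):
    """Return one finding per account that lacks an approved request or is a
    privileged account created off-hours (between 20:00 and 06:00 by default)."""
    findings = []
    for e in events:
        reasons = []
        if e.account not in approved:
            reasons.append("no approved request")
        if e.kind == "admin" and (e.ts.hour >= off_hours[0] or e.ts.hour < off_hours[1]):
            reasons.append("privileged account created off-hours")
        if reasons:
            findings.append({"account": e.account, "creator": e.creator, "reasons": reasons})
    return findings


def findings_by_creator(findings):
    """Count findings per creating account; a repeat pattern is what to escalate."""
    return Counter(f["creator"] for f in findings)
```

Run `audit(parse_log(ACCOUNT_LOG), APPROVED_REQUESTS)` to see the two unvetted admin accounts; the report itself, not the script, is what goes to HR, legal and management.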
"Our report will identify areas of concern and say whether they're easy or difficult to fix," Capelli says. "Easier problems can be fixed at a lower cost, and maybe they'll look at the harder ones and fold them into their overall enterprise risk management strategy."
This was first published in November 2008