On almost any given day you can find a news story about an employee
who has gone bad and committed fraud or damaged an organization.
Insider threat is a timeless problem. It's always been there and it always
will be there. Why? Because companies need to trust their employees in
order to stay in business.
The most widely accepted model for explaining why people commit fraud is the fraud triangle, derived from the work of the criminologist and sociologist
Dr. Donald Cressey in the early 1950s. According to Cressey, three factors
must be present at the same time for someone to commit fraud: pressure
or motivation, rationalization and opportunity.
Today's electronic society has changed this model.
In Cressey's time the incentive was mostly financial,
but now there are many other reasons why a person
may bypass security or commit fraud. In the early
days of IT, hackers wanted fame or were simply curious
to see whether they could pull off an exploit. These days the
motive may be revenge against the company or against a
co-worker, which has no financial component at all. Pressure
to get the job done no matter what may also lead
someone to skirt security.
Therefore, I postulate that there is a new fraud
model to consider. To commit fraud, or any other
improper action, a person needs the following three
elements: access, knowledge/ability and intent.
Access: The physical or logical ability to enter, touch
or reach a resource. On computer systems this is typically controlled
by network rules, access control lists (ACLs)
and authentication, such as a user ID and password.
Knowledge/ability: Familiarity or experience
with an object or resource, that is, knowing
what to do once the resource has been reached.
Intent: The purpose or anticipated outcome
that guides a person's planned actions; here,
knowingly causing damage to the resource.
Here's an example of how these elements fit
together. Suppose I have a logon ID and password to
our mainframe computer, so I have access.
Not only that, but I have been given full administrator
rights to it. The problem is that I'm a neophyte on the
mainframe: I barely know how to log on. Plus, I
like my organization and don't want to cause it
harm. Therefore I'm missing two of the three
requirements for fraud, knowledge and intent. Even
though I have access, there is little risk of my causing
intentional harm.
Access and knowledge are the elements most
under our control (intent cannot be audited). If
you can reduce a user's access or authority, or add
controls that raise the knowledge an attacker
needs, then you reduce the risk. You must also
ascertain what the exploit actually requires. Many vulnerabilities
demand expert skills to exploit,
such as the cold-boot attack, which chills the memory chips
so that disk-encryption keys can be read out of RAM. Only a tiny fraction
of people can exploit such vulnerabilities on their own,
but an increasing number of script kiddie tools are
available to reduce the knowledge level required.
Insider threat mitigation: Fraud detection model
With the new fraud model in mind, an organization
can reduce the opportunity for fraud by having the following processes in place:
* Separation of duties (no single person holds the access and the knowledge needed for an end-to-end transaction)
* Background checks, including a financial records check (the nearest available proxy for pressure and intent)
* Job rotation/cross-training (limits how long one person can exploit a position unobserved)
* Protecting and limiting access to administrator accounts (reduces access)
* Role-based access control (RBAC) (grants only the access a role needs)
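Three of the controls above (separation of duties, limited administrator accounts and RBAC) can be enforced mechanically rather than by policy alone. The following Python is an added example, not code from the article or from any product it mentions; the roles, users, permissions and the payment workflow are hypothetical. It shows a small RBAC policy with static separation of duties (two roles that no one user may hold at once), dynamic separation of duties (the person who requested a payment may never approve it, even when they legitimately hold both roles), an administrator role stripped of business permissions, and an audit pass that catches conflicting assignments introduced outside the normal assignment path.

```python
"""RBAC with separation-of-duties (SoD) checks. Added example: roles, users,
permissions and the payment workflow are hypothetical, not from the article."""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """An assignment or action would give one person conflicting duties."""


@dataclass
class Rbac:
    role_permissions: dict = field(default_factory=dict)  # role -> {permission}
    user_roles: dict = field(default_factory=dict)        # user -> {role}
    exclusive_pairs: set = field(default_factory=set)     # {frozenset({a, b})}

    def define_role(self, role, permissions):
        self.role_permissions[role] = set(permissions)

    def exclude(self, role_a, role_b):
        """Static SoD: no user may ever hold both roles."""
        self.exclusive_pairs.add(frozenset((role_a, role_b)))

    def can_assign(self, user, role):
        held = self.user_roles.get(user, set())
        return all(frozenset((r, role)) not in self.exclusive_pairs for r in held)

    def assign(self, user, role):
        if not self.can_assign(user, role):
            raise SeparationOfDutiesError(f"{user}: {role!r} conflicts with a held role")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Union of the permissions of every role the user holds."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions.get(r, set()) for r in roles))

    def permitted(self, user, permission):
        return permission in self.permissions(user)

    def audit(self):
        """Users whose current roles break a static SoD rule (e.g. after a bulk import)."""
        return sorted((user, tuple(sorted(pair)))
                      for user, roles in self.user_roles.items()
                      for pair in self.exclusive_pairs if pair <= roles)


class PaymentWorkflow:
    """Dynamic SoD: whoever requested a payment may never approve it,
    even when that person legitimately holds both the clerk and approver roles."""

    def __init__(self, rbac):
        self.rbac = rbac
        self.payments = []  # list index doubles as the payment id

    def request(self, user):
        if not self.rbac.permitted(user, "payment:request"):
            raise PermissionError(f"{user} may not request payments")
        self.payments.append({"requested_by": user, "approved_by": None})
        return len(self.payments) - 1

    def approve(self, user, payment_id):
        if not self.rbac.permitted(user, "payment:approve"):
            raise PermissionError(f"{user} may not approve payments")
        payment = self.payments[payment_id]
        if payment["requested_by"] == user:
            raise SeparationOfDutiesError(f"{user} cannot approve their own payment")
        payment["approved_by"] = user
        return user


def build_demo():
    """Constructed sample policy with hypothetical roles and users."""
    rbac = Rbac()
    rbac.define_role("clerk", {"payment:request", "vendor:view"})
    rbac.define_role("approver", {"payment:approve", "vendor:view"})
    rbac.define_role("vendor-admin", {"vendor:create", "vendor:edit", "vendor:view"})
    # The administrator role carries no business permissions: limiting the
    # admin account to administration keeps it out of the payment path.
    rbac.define_role("sysadmin", {"system:admin"})
    # Whoever can create vendors must not also approve payments to them.
    rbac.exclude("vendor-admin", "approver")
    for user, role in [("alice", "clerk"), ("bob", "approver"), ("carol", "vendor-admin"),
                       ("dave", "sysadmin"), ("erin", "clerk"), ("erin", "approver")]:
        rbac.assign(user, role)  # erin may hold both: clerk/approver are not exclusive
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("carol may become approver:", rbac.can_assign("carol", "approver"))  # False
    print("dave may approve payments:", rbac.permitted("dave", "payment:approve"))  # False
    wf = PaymentWorkflow(rbac)
    pid = wf.request("erin")
    try:
        wf.approve("erin", pid)
    except SeparationOfDutiesError as exc:
        print("blocked:", exc)
    print("approved by:", wf.approve("bob", pid))  # bob
```

In a real deployment the same checks belong in the identity provider or the application's authorization layer; the `audit` pass is what catches role combinations created by a bulk import or a direct database edit that never went through `assign`.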
By considering the access, knowledge and intent
required to compromise a system, you can make
more intelligent risk decisions. Furthermore, using
these concepts promotes the proper balance of security
within an organization, thereby reducing costs
while improving security.