Employees who are disgruntled or enticed to steal by outside criminal organizations are compromising financial companies' systems with little sophistication and no clear-cut behavioral profile, according to a report from the U.S. Secret Service and the Carnegie Mellon CERT/CC.
The joint effort examined 23 incidents by 26 insiders in the banking and finance sector between 1996 and 2002. Of the 23 incidents, it found 15 involved fraud, four the theft of intellectual property and four sabotage.
The report concluded, "Insiders pose a substantial threat by virtue of their knowledge of and access to their employers' systems and/or databases, and their ability to bypass existing physical and electronic security measures through legitimate means."
Security experts from the financial sector aren't surprised by the findings.
"Rewind a century, before the Internet. You had bank robbers and insiders pilfering money, but there were good accounting controls to deal with it," said Guillermo Kopp, vice president of financial services strategies for Needham, Mass.-based research and consulting firm TowerGroup. "Fast forward to the present, where you have a much more automated and complicated banking process. The report is saying half of insider attacks were from clerks, administrators and others who aren't technologically sophisticated; some of whom are lured by organized crime. That shows serious lapses in control. Perhaps most telling is that it's the customers who discover problems."
Kopp and others said the lesson is that financial organizations need better internal checks and balances and a mix of access control and intrusion detection devices to spot suspicious activity early in the process.
The report gives examples of malicious insiders, including two credit union employees who misused their authorized access to alter credit histories in exchange for money; a foreign currency trader who used several tactics to make it look like he was one of the bank's star producers when he actually lost the bank more than $600 million; and an employee angry over the size of his annual bonus who planted malware that deleted 10 billion files in the company's computer systems, costing $3 million to fix.
The study also found:
- Incidents required little technical sophistication to carry out.
- Perpetrators planned their actions.
- Perpetrators were motivated by financial gain, revenge or a desire for respect.
- Perpetrators did not share a common profile.
- Victim organizations suffered financial loss.
- Perpetrators committed acts while on the job.
The report said malicious insiders used simple, legitimate user commands 87% of the time; 9% of incidents were carried out via a script or program; and 13% involved spoofing or flooding. Insiders exploited systemic vulnerabilities in applications and/or processes or procedures 70% of the time and took advantage of flaws inherent in the design of the hardware, software or network 60% of the time. (These categories overlap, since a single incident could combine several methods, which is why the figures do not add up to 100%.) Also noted in the report: Someone other than the insider had full or partial knowledge of the insider's activities 85% of the time.
Umesh Verma, CEO of Houston-based security software firm Blue Lance Inc., said the report reflects problems he has long warned his clients in the financial industry about. "It's important to have a separation of duties and granularity of security controls," Verma said. "It's especially important to limit the security access people have to certain applications; to ensure their areas of authority are very defined and narrow." At the same time, he acknowledged enterprises find it difficult to strike a balance. "If you lock down everything, it hurts your ability to conduct business."
John Hall, associate director of the Washington D.C.-based American Bankers Association, said there are three ways institutions can guard against insider threats: "It's important to continue background checks on employees and have a rotation of repeat checks on long-term employees, perhaps every three to five years," Hall said. "Institutions should make sure only authorized employees have access to protected databases, and tools like retina scans or digital certificates could be helpful tools. And they need to monitor computer activity on a regular basis."
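As an added illustration of the controls described above (this is not code from the report, from Blue Lance or from the ABA), the following Python script applies two process-level rules to a constructed audit log: a separation-of-duties check that flags a user who both submits and approves the same transaction, and a scope check that flags a role acting on an application it was never assigned. Every line in the sample log is an ordinary, authorized-looking command, which is the pattern the report found in the large majority of incidents; no single entry is suspicious, and only rules that correlate several entries, or compare an action against the user's assigned duties, expose the misuse. The log format, the role table and all names are assumptions chosen for the example.

```python
"""Process-level detection of insider misuse over an audit log.

Added example; the log format, roles and permissions below are invented
for illustration and do not come from the Secret Service/CERT report.
"""
from collections import defaultdict

# Assumed role table: the (application, action) pairs each role may perform.
ROLE_PERMISSIONS = {
    "teller": {("deposits", "submit"), ("deposits", "view")},
    "loan_officer": {("loans", "submit"), ("loans", "view"), ("credit_history", "view")},
    "credit_analyst": {("credit_history", "view"), ("credit_history", "update")},
    "supervisor": {("loans", "submit"), ("loans", "approve"), ("loans", "view"),
                   ("deposits", "approve"), ("deposits", "view")},
}

# Constructed audit log. Each line is a legitimate, authorized command as the
# application would record it; nothing here would match a technical signature.
AUDIT_LOG = [
    "2002-03-04T09:12:01 user=alice role=loan_officer app=loans action=submit record=LN-1001",
    "2002-03-04T09:15:33 user=bob role=supervisor app=loans action=approve record=LN-1001",
    "2002-03-04T10:02:10 user=carol role=supervisor app=loans action=submit record=LN-1002",
    "2002-03-04T10:02:45 user=carol role=supervisor app=loans action=approve record=LN-1002",
    "2002-03-04T11:40:07 user=dave role=teller app=credit_history action=update record=CH-7781",
    "2002-03-04T12:05:19 user=erin role=credit_analyst app=credit_history action=update record=CH-7782",
]


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict."""
    ts, *pairs = line.split()
    entry = {"ts": ts}
    for pair in pairs:
        key, value = pair.split("=", 1)
        entry[key] = value
    return entry


def out_of_scope(entries, permissions=ROLE_PERMISSIONS):
    """Least-privilege check: any action outside the user's assigned role.

    Catches the teller touching credit histories even though the application
    itself accepted the command.
    """
    findings = []
    for e in entries:
        if (e["app"], e["action"]) not in permissions.get(e["role"], set()):
            findings.append((e["user"], e["app"], e["action"], e["record"]))
    return findings


def separation_of_duties(entries, conflicting=(("submit", "approve"),)):
    """Flag a user who performed both halves of a conflicting pair on one record.

    Each command is individually permitted for the role; the violation only
    appears when entries for the same record are correlated.
    """
    by_record = defaultdict(list)
    for e in entries:
        by_record[e["record"]].append(e)
    findings = []
    for record, acts in by_record.items():
        for first, second in conflicting:
            did_first = {e["user"] for e in acts if e["action"] == first}
            did_second = {e["user"] for e in acts if e["action"] == second}
            for user in sorted(did_first & did_second):
                findings.append((user, record, f"{first}+{second}"))
    return findings


def run_checks(lines):
    """Run both rules over raw log lines and return findings per rule."""
    entries = [parse_line(line) for line in lines]
    return {"scope": out_of_scope(entries), "sod": separation_of_duties(entries)}


if __name__ == "__main__":
    for rule, hits in run_checks(AUDIT_LOG).items():
        for hit in hits:
            print(rule, hit)
```

The role table is the control Verma describes (narrow, explicitly defined areas of authority), and the two rules are the monitoring Hall recommends; in practice the same checks would run against the application's own audit trail rather than a hand-built list, and the conflicting action pairs would be taken from the institution's existing accounting controls.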