They might seem like normal employees, working away quietly like everybody else. But they're not. They're criminal insiders, using their privileged positions inside companies everywhere to access and steal confidential data or cause mayhem on the company's IT systems.
One way to catch them might be to build a profile of corporate turncoats. Once singled out, they can be scrutinized more closely than other employees. However, before starting an employee profiling program, there are three key questions to ask: What is the profile of a criminal insider? Is it legal or appropriate to single out suspected thieves? Is there a clever technical solution -- such as identity and access management -- to stop corporate sabotage without the fuss and hazards of profiling?
Building the employee profiling model
A profile of criminal insiders does exist. Carnegie Mellon's Computer Emergency Readiness Team (CERT) issued its first Insider Threat Study in 2002. Since then, CERT has updated the work annually in conjunction with the U.S. Secret Service. Their work has become the foundation for profiling potential computer criminals inside companies and organizations.
The CERT study focuses on three types of insider crimes: fraud, information theft and sabotage. The study says the profile of the typical insider crook is different for each crime. Those committing fraud tend to be current employees, evenly divided between males and females and mostly not in technical or management positions. Those who stole information, on the other hand, were overwhelmingly male employees in technical positions.
The most shadowy were the saboteurs. They were, again, mostly male, but also mostly former employees who no longer had system access. Many were technical, often highly skilled, and used that skill to break into systems using either stolen user account info, or bogus logins they had planted prior to either leaving or being fired. These individuals were often disgruntled employees with grudges against the company or personal problems.
With that profile in mind, does that mean that every male with a technical background who is disgruntled -- or could be someday -- should be watched closely? The answer is no. Before engaging in employee profiling, a company should always consult either its in-house legal counsel or an outside attorney on what does and doesn't violate laws governing employee privacy. Profiling could land a company in legal trouble if there is something in writing discriminating against employees based on personal characteristics.
Preventative employee profiling
On the other hand, there are five steps a company can take to protect itself from insider crime using the CERT profile. They shouldn't be formal or written policies, but rather informal best practices. The five steps are:
- Perform thorough background checks;
- Don't ignore suspicious behavior;
- Always apply security policies to everyone;
- Revoke system access as a routine part of termination procedures; and
- Use strict access-management controls.
Every potential new employee should have a background check. These checks should include verification of prior employment, education and professional credentials. Also check for a criminal record. If possible, when verifying employment, get a feel for how well the potential employee got along with co-workers and management, or if there were any behavioral problems.
Assuming the employee passes the pre-hiring screening, don't ignore on-the-job warning signs. Some of these signs include belligerent, intimidating or threatening behavior toward co-workers, arrogance or being disgruntled over something in the office. These behaviors fit the CERT profile for saboteurs and, to a lesser extent, data thieves. Too often, companies brush off bizarre or unusual behavior. According to the CERT study, sometimes a single adverse event, either at the office or in their personal life, can trigger a saboteur into action.
Security policies and procedures should be strictly followed for all employees at all times. A common insider tactic, especially for a long-term and supposedly trusted employee, is to bully people into granting unauthorized access or to skirt procedures.
Make sure to use strong access-management controls for all employees. Data should be classified according to risk level and user groups should be given only the access they require; this is the famous principle of least privilege. Active Directory for Windows and LDAP for Unix systems both allow groups to be created with restricted access based on role and risk level.
And, of course, as soon as an employee either leaves or is terminated, cut off his or her access as soon as he or she is out the door, if not sooner. Accounts should also be regularly audited to remove those of former employees.
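One way to carry out the account audit described above, as an added example that is not the author's code: a reconciliation of a directory export against the HR roster that flags still-enabled accounts belonging to former or unknown employees, and accounts created shortly before their creator left (the planted-login pattern the CERT study describes for saboteurs). The `Account` fields, the 30-day window and all sample records are constructed assumptions.

```python
"""Reconcile a directory export against the HR roster to find accounts that
should have been revoked.  All data below is constructed sample data."""
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    name: str         # login name
    owner: str        # employee id the account was issued to
    enabled: bool
    created_by: str   # employee id of the admin who created it
    created_on: date

# Constructed HR roster: employee id -> termination date (None = still employed)
HR_ROSTER = {
    "e100": None,
    "e101": date(2007, 3, 15),   # left in March
    "e102": None,
    "e103": date(2007, 1, 31),   # terminated in January
}

# Constructed directory export.
DIRECTORY = [
    Account("alice", "e100", True, "e102", date(2005, 6, 1)),
    Account("bob", "e101", True, "e102", date(2006, 2, 10)),         # former employee, still enabled
    Account("carol", "e102", True, "e102", date(2004, 9, 9)),
    Account("svc-backup2", "e100", True, "e103", date(2007, 1, 29)),  # created 2 days before e103 left
    Account("tmp-admin", "e999", True, "e101", date(2007, 3, 1)),     # owner unknown to HR, late creation
    Account("dave", "e103", False, "e102", date(2003, 4, 4)),        # correctly disabled on termination
]

def orphaned_accounts(directory, roster):
    """Enabled accounts whose owner has left or is not in the HR roster at all."""
    return sorted(a.name for a in directory
                  if a.enabled and roster.get(a.owner, "unknown") is not None)

def suspicious_late_creations(directory, roster, window_days=30):
    """Accounts created by an employee within `window_days` before that
    employee's departure: a login possibly planted ahead of leaving."""
    flagged = []
    for a in directory:
        left = roster.get(a.created_by)
        if left is not None and 0 <= (left - a.created_on).days <= window_days:
            flagged.append(a.name)
    return sorted(flagged)

if __name__ == "__main__":
    print("disable/remove:", orphaned_accounts(DIRECTORY, HR_ROSTER))
    print("review creation:", suspicious_late_creations(DIRECTORY, HR_ROSTER))
```

Run on a real export, the first list is the routine termination clean-up and the second is the shortlist worth a manual look at who created the account and why.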
The insider threat is complex. Fighting it involves both human and technical controls. Profiling is one part of a program to combat malicious insiders, but it should never be your only defense.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security. He also writes The IT Security Guy blog at http://www.theitsecurityguy.com.
This was first published in May 2007