Published: 10 Jan 2009
On almost any given day you can find a news story about an employee who has gone bad and committed fraud or damaged an organization. Insider threat is a timeless problem. It's always been there and it always will be there. Why? Because companies need to trust their employees in order to stay in business.
The most widely accepted model for explaining why people commit fraud is the fraud triangle created by noted criminologist and sociologist Dr. Donald Cressey in the early 1950s. According to Cressey, three factors must be present at the same time in order for someone to commit a security breach: pressure or motivation, rationalization and opportunity.
Today's electronic society has changed this model. In Cressey's time the incentive was mostly financial, but now there are many other reasons why a person may bypass security or commit fraud. In the early days of IT, hackers wanted fame or were just curious to see if they could pull off an exploit. These days the motive may be revenge against the company or an employee, which is not financially related. Pressure to get the job done no matter what may also cause someone to skirt security.
Therefore, I postulate that there is a new fraud model to consider. To commit fraud, or any other improper action, a person needs the following three elements: access, knowledge/ability and intent.
Access: Physical or logical ability to enter, touch or reach a resource. In computers, this is often controlled by network rules, access control lists (ACLs) and a user ID and password.
Knowledge/Ability: Familiarity or experience with an object or resource. This means knowing what to do after accessing the resource.
Intent: The purpose or an anticipated outcome that guides a person's planned actions; knowingly causing damage to the resource.
Here's an example of how these elements fit together. Suppose I have a logon ID and password to our mainframe computer, therefore I have access. Not only that, but I am given full administrator rights to it. The problem is I'm a neophyte on the mainframe-I barely know how to log on. Plus, I like my organization and don't want to cause it harm. Therefore, I'm missing two of the three requirements for fraud: knowledge and intent. Even though I have access, there is little risk of my causing intentional harm.
Access and knowledge are the elements most under our control (it's impossible to audit intent). If you can reduce a user's access/authority or increase the controls (which requires the attacker have more knowledge), then you reduce the risk. You must also ascertain what is required for the exploit.Many vulnerabilities require uber-hacker abilities to exploit them, like freezing the memory chips to bypass disk encryption. However, while only a minute percentage of people can normally exploit such vulnerabilities, there are increasingly more script kiddie tools available to reduce the knowledge level required.
Insider threat mitigation: Fraud detection model
Keeping the new fraud model in mind, an organization can prevent fraud by having the following processes in place:
* Separation of duties
* Background checks, including a financial records check
* Job rotation/cross-training
* Protecting and limiting access to administrator accounts
* Role-based access control (RBAC)
By considering the access, knowledge and intent required to compromise a system, you can make more intelligent risk decisions. Furthermore, using these concepts promotes the proper balance of security within an organization, thereby reducing costs while improving security.