Addressing the Insider Threat

My May issue of “IT Compliance in Realtime” is now available!
The first article I have within this issue is, “Addressing the Insider Threat.”
Here is the unformatted text of the article; download the PDF to get the much nicer, prettier, formatted version…

No matter how much an organization invests in and implements information security technology, the human element will always be the most critical, and most vulnerable, component within the information security program. When personnel are entrusted with authorized access to information and applications on systems and networks, there is the possibility that bad things will happen through that access. In addition, personnel can create information security incidents outside of technology through the mishandling of print media and storage media and via malicious actions.
Organizations need to address three primary types of insider threats:

  • Mistakes
  • Lack of training and awareness
  • Malicious intent

I’ve written and talked about this topic many times (most recently within articles for the March and April issues of the CSI Alert newsletter), but these issues are worth revisiting.
People Make Mistakes
“To err is human.” – Alexander Pope
All people will make mistakes, no matter how smart or how experienced. People who have authorization to access sensitive information and personally identifiable information (PII) can make a simple mistake in the blink of an eye or the press of a computer key that will result in a damaging privacy incident. Consider the following examples:

  • Accidentally sending email to the wrong address–In October 2006, the Republican National Committee mistakenly emailed a list containing the names, races, and Social Security Numbers (SSNs) of dozens of top Republican donors to a reporter who subsequently wrote a news story about the faux pas.
  • Accidentally including sensitive information within email messages–Once in December 2006 and then again in January 2007, the names and SSNs of 3031 newly licensed nurses were accidentally posted on the Ohio Board of Nursing’s Web site. They didn’t realize the mistake until a nurse visiting the site saw the information and reported it.
  • Accidents that occur at an outsourced vendor–In November 2006, a printing contractor for the Chicago Public Schools mistakenly mailed a list of names, SSNs, and home addresses for 1740 former school employees as part of a packet of health-insurance information to all the employees.
  • Accidentally sending postal mail to the wrong address–In January 2008, a U.K. Dell customer complained to the Information Commissioner’s Office (ICO) after his loan agreement documents, which included bank account details, signature, and debit card number, were mistakenly mailed to the wrong address–to a man with a completely different surname living in Ireland. Dell reportedly didn’t know of the mistake until the recipient in Ireland contacted the man in the U.K., who then contacted the ICO, who then notified Dell.

Organizations must realize that personnel will make mistakes. Security controls must be in place to mitigate the impact of inevitable mistakes and to prevent as many mistakes as possible.
“This is the gift of training and expertise – the ability to extract an enormous amount of meaningful information from the very thinnest slice of experience.” – Malcolm Gladwell, Blink, page 241, 2005.
Many incidents happen because personnel are not given the education necessary to effectively safeguard information. You cannot expect personnel to intuitively know how to protect information; you must provide them with effective periodic training and ongoing awareness communications to help them obtain the security and privacy understanding necessary to effectively perform their jobs while protecting information. It is your responsibility as an information security, privacy, and/or compliance business leader to make sure your personnel are not security clueless.
Through my experience and research, I have found some of the most often-occurring incidents that result from unawareness include:

  • The storage of clear-text PII on mobile computers and storage devices that are subsequently lost or stolen.
  • Computers and storage media containing clear-text PII left unattended and in clear view, such as on a car seat or restaurant table, and are subsequently stolen.
  • Clear-text PII sent within email messages or email attachments that are then forwarded to someone else, intercepted, mistakenly sent to the wrong folks, or any number of bad things because personnel didn’t know they weren’t supposed to put PII in messages.
  • System and application passwords given to coworkers–most often managers or people who claim to be technical support–by employees who didn’t know they weren’t supposed to share passwords. The information the employees are authorized to access is then accessed by those unauthorized parties.
  • PII given to callers by customer service call center representatives who did not know to first verify the caller’s identity. Fraud then occurs by the social engineering criminal who successfully scammed the call center representative.
  • Confidential information left open in work areas by personnel unaware that they must secure PII and other sensitive information before leaving a work area. The information is subsequently taken, copied, and used.
  • PII sold by marketing and sales folks as a source of revenue generation because they did not know this was against the company’s policies and in violation of the posted privacy policy promising that no PII will be shared with third parties.

This is just the beginning of what could be a very long list. Whenever personnel do not get effective training or ongoing awareness communications, they will not know how to secure information, and a very wide range of incidents will likely occur as a result.
People Will Be Malicious
“Cheating may or may not be human nature, but it is certainly a prominent feature in just about every human endeavor.” – Steven D. Levitt and Stephen J. Dubner, Freakonomics, page 25, 2005.
There will always be a significant percentage of people who will do bad things if they are motivated or see an opportunity to get away with it. There are unlimited motivations for workers to do bad things with their workplace authorization:

  • Fear of losing employment–Marie Cooley, a former employee at the Jacksonville, Florida, small business Steven E. Hutchins Architects, read the paper one Sunday morning in January 2008 and saw what she thought was a help wanted ad for her job. So she went to her office that night and deleted, using her authorized access, 7 years’ worth of the architect firm’s files for which there were no backups.
  • Upset with employer policies–In 2001, Steven William Sutcliffe posted the PII of more than 1000 of his former coworkers, including payroll information, SSNs, birth dates, and residential addresses, with some of this information hyperlinked to an article about identity theft on his personal Web site. In addition, he posted and made threats to injure or kill others in retaliation for being fired from his job because he refused to provide his SSN to the Human Resources department. The case was still dragging on in the courts in 2008.
  • Revenge–On January 9, 2008, the U.S. District Court for the Northern District of Georgia sentenced William Bryant to 5 months of prison, a $15,470 fine, 5 months home confinement, 2 years of supervised release, and 200 hours of community service for hacking into the computer and telecommunications system of his former employer, Cox Communications, after he was asked to resign. Bryant “remotely shut down portions of the company’s system, resulting in the loss of computer and telecommunications services, including access to 9-1-1 emergency services, for Cox customers in Texas, Las Vegas, New Orleans, and Baton Rouge. Cox technicians restored service within hours.”
  • Job insecurity–On January 8, a federal court in Newark, New Jersey, sentenced Yung-Hsun “Andy” Lin, a former systems administrator for Medco Health Solutions Inc., to 30 months in prison for planting logic bomb computer code intended to delete data stored on Medco’s network. Lin was afraid he was going to be laid off from his job, and he wanted the logic bomb in place in case he was.
  • Opportunity without fear of getting caught–In October 2007, Joseph Nathaniel Harris, the former branch manager of the San Jose Medical Group’s McKee clinic, was sentenced to 21 months in prison and 3 years of supervised release, and ordered to pay $145,154 in restitution for stealing computer equipment and a DVD containing patients’ names, SSNs, medical diagnoses, and other information in 2005 while he had unsupervised oversight of the clinic. He reportedly also stole money and medications from the clinic, and is suspected of burglarizing the area clinics after he left his job as manager.

Protecting Against the Insider Threat
You cannot prevent all people in positions of trust from abusing their authorization or from making mistakes, and it is not likely every person will always have the knowledge necessary to properly safeguard information at all times. However, you can take many actions to significantly reduce these threats. The following list highlights 20 quick tips, enumerated to facilitate discussion reference but in no particular order, that will help to address and mitigate the insider threat:

  1. Have comprehensive information security and privacy policies and procedures in place
  2. Provide periodic training and ongoing awareness communications
  3. Consistently enforce sanctions
  4. Mitigate messaging risks
  5. Make backups
  6. Perform personnel background checks
  7. Work with other areas in the organization
  8. Provide minimal information access authorization
  9. Implement employment exit procedures
  10. Log access to data files, applications, and systems
  11. Implement extra controls for personnel in positions of authority
  12. Implement change management controls
  13. Document red flags in personnel behavior
  14. Obtain executive support for information security and privacy programs
  15. Establish separation of duties
  16. Implement effective password management
  17. Implement layers of information security throughout the enterprise
  18. Implement configuration management procedures
  19. Implement sound vendor and business partner practices
  20. Document and maintain information security incident and privacy breach response plans

You cannot prevent people from doing bad things. However, you must implement appropriate due care controls to mitigate the risks as much as possible. Trust is good, but it is not a control, and it is not a standard of due care.
Additional resources for information about the insider threat:

  • D. Cappelli, A. Moore, T. Shimeall, US-CERT, “Common Sense Guide to Prevention and Detection of Insider Threats,” 2005.
  • “Insider Threat Study: Illicit Cyber Activity in the Government Sector,” U.S. Secret Service and CERT, Software Engineering Institute, Carnegie Mellon University, January 2008.
  • “Insider Threat Study: Illicit Cyber Activity in the Information Technology and Telecommunications Sector,” U.S. Secret Service and CERT, Software Engineering Institute, Carnegie Mellon University, January 2008.

Please let me know your feedback!