
The Insider Threat to Information Systems - pol-psych.com


3 anced approach to information systems security leaves critical information systems vulnerable to fraud, espionage or sabotage by those who know the


Transcription of The Insider Threat to Information Systems - pol-psych.com

In the information age, as we have become increasingly dependent upon complex information systems, there has been a focus on the vulnerability of these systems to computer crime and security attacks, exemplified by the work of the President's Commission on Critical Infrastructure of the high-tech nature of these systems and the technological expertise required to develop and maintain them, it is not surprising that overwhelming attention has been devoted by computer security experts to technological vulnerabilities and , as captured in the title of a 1993 conference sponsored by the Defense Personnel Security Research Center,2 Computer Crime: A Peopleware Problem, it is people who designed the systems, people who attack the systems, and understanding the psychology of information systems criminals is crucial to protecting those Management Information Systems (MIS) professional at a military facility learns she is going to be downsized.

She decides to encrypt large parts of the organization's database and hold it hostage. She contacts the systems administrator responsible for the database and offers to decode the data for $10,000 in severance pay and a promise of no prosecution. He agrees to her terms before consulting with proper reviewing the case determine that the administrator's deal precludes them from pursuing postcard written by an enlisted man is discovered during the arrest of several members of a well-known hacker organization by the from his military base where he serves as a computer specialist, he has inquired about establishing a relationship with the reveals the enlisted man to be a convicted hacker and former group member who had been offered a choice between prison and enlistment.

While performing computer duties for the military, he is caught breaking into local phone engineer at an energy processing plant becomes angry with his new supervisor, a non-technical administrator. The engineer's wife is terminally ill, and he is on probation after a series of angry and disruptive episodes at he is sent home, the engineering staff discovers that he has made a series of idiosyncratic modifications to plant controls and safety systems. In response to being confronted about these changes, the engineer decides to withhold the password, threatening the productivity and safety of the the regional headquarters of an international energy company, an MIS contractor effectively captures and closes off the UNIX-based telephonic switching system for the entire discover that the contractor had been notified a week earlier that he was being terminated in part for chronic tardiness.

Further investigation finds the employee to have two prior felony convictions and to be a member of a notorious hacker group under investigation by the FBI. The employee reports he is often up all night helping colleagues with their hacking techniques. Additional investigation reveals that he is the second convicted hacker hired at this site. An earlier case involved a former member of the Legion of Doom who had been serving as a

The Insider Threat to Information Systems1
The Psychology of the Dangerous Insider
Eric Shaw, , Keven G. Ruby, Jerrold M. Post,
from Security Awareness Bulletin, No. 2-98

1 The article is based on Insider threats to Critical Information Systems, Technical Report #2; Characteristics of the Vulnerable Critical Information Technology Insider (CITI). Political Psychology Associates, Ltd.

, June 1998. Address comments and questions to Jerrold M. Post, tel. (301) 229-5536 or Personnel Security Research Center (PERSEREC) in Monterey, California, is now the Security Research Center of the Defense Security

of a corporate information security team. He had been convicted of computer intrusion at a local phone company. Neither individual had disclosed their criminal history or had been subject to background checks sufficient to discover their past these case summaries from the files of military and corporate security investigators demonstrate, growing reliance on information technology increases dependence on, and vulnerability to, those tasked with the design, maintenance and operation of these systems. These information technology specialists (operators, programmers, networking engineers, and systems administrators) hold positions of unprecedented importance and trust.

Malevolent actions on the part of such an insider can have grave consequences. This is especially true for information technology specialists operating within the critical infrastructure as identified in the 1997 President's Commission on Critical Infrastructure Protection's final cases also demonstrate several points about the insider threat to the critical infrastructure. First, it is clear that insider problems already exist within the critical infrastructure, including the military, telecommunications, and energy sectors. Second, it appears that both inside and outside of our critical infrastructure, there is a tendency for managers to settle these problems quickly and quietly, avoiding adverse personal and organizational impacts and publicity.

We do not really know how widespread the problems are. What is reported appears to be only the tip of the iceberg. Furthermore, we are at risk from repeat offenders, as perpetrators migrate from job to job, protected by the lack of background checks, constraints upon employers in providing references, and the lack of significant consequences for these , just as in organizations outside the critical infrastructure, the range of potential perpetrators and their motivations is broad. In many cases, acts of computer sabotage and extortion, like violence in the workplace, have been committed by disgruntled employees who are angry about lay-offs, transfers, and other perceived grievances. Other cases involve employees who take advantage of their position of trust for financial gain,4 hackers who are employed within the critical infrastructure caught engaging in unauthorized explorations, and well-motivated employees who claim they are acting in the best interest of their organizations.

Other perpetrators include moles, individuals who enter an organization with the explicit intent to commit espionage, fraud or embezzlement. Overall, case investigators report that the number of computer-related offenses committed by insiders is rising rapidly each extent of the insider threat has also been addressed in corporate and government survey results. According to WarRoom Research's 1996 Information Systems Security Survey, percent of the companies surveyed reported insider misuse of their organization's computer systems. The Computer Security Institute's 1998 Computer Crime Survey (conducted jointly with the FBI) reported the average cost of an outsider (hacker) penetration at $56,000, while the average insider attack cost a company $ million.

A comprehensive study conducted by the United Nations Commission on Crime and Criminal Justice which surveyed 3,000 Virtual Address Extension (VAX) sites in Canada, Europe and the United States, found that "By far, the greatest security threat came from employees or other people with access to the computers." While some researchers warn that survey data on computer crimes can be inaccurate due to unreported or undetected acts, such data is useful in characterizing a minimum level of threat and in drawing attention to the problem as a , in spite of the prevalence of the insider problem and the particular vulnerability of public and private infrastructures to the information technology specialist, there has been little systematic study of vulnerable insiders, while major investments are being devoted to devising technologies to detect and prevent external penetrations.

Technological protection from external threats is indeed important, but human problems cannot be solved with technological solutions. Without a detailed examination of the insider problem and the development of new methods of insider risk management, such an unbal-

3 According to the PCCIP report, infrastructure is defined as a network of independent, mostly privately-owned, man-made systems and processes that function collaboratively and synergistically to produce and distribute a continuous flow of essential goods and services. Critical components of the infrastructure, those affecting national security and the general welfare, include: transportation, oil and gas production and storage, water supply, emergency services, government services, banking and finance, electrical power, and information and communication clinical experience indicates that seemingly simple cases of greed are rarely so simple when it comes to perpetrator motivation.

