In the second of a series of reports focusing on insider threats to information systems and data, the United States Secret Service and Carnegie Mellon Software Engineering Institute's Computer Emergency Response Team found that the majority of insiders who committed attacks were former, disgruntled employees.
"The power of a terminated employee with system administrator access should not be underestimated," said Dawn Cappelli, senior member of the technical staff with CERT. "Some organizations completely neglect disabling access upon termination. Others go through the steps to disable access, but the insider is able to find that one access control gap that was overlooked."
The study found that negative work-related events triggered most of the insiders' actions. Of the 49 incidents examined, 80 percent of the saboteurs exhibited unusual behavior in the workplace prior to taking action, while less than half (43 percent) had authorized access at the time of the incidents.
In 62 percent of the incidents, the attacks were planned in advance, with 57 percent exploiting systemic vulnerabilities in applications, processes, or procedures. Relatively sophisticated attack tools were used by 39 percent. Nearly two-thirds of the insiders compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks. Most incidents were carried out via remote access.
Insider sabotage resulted in financial losses in 81 percent of the cases, negative impacts to business operations in 75 percent, and damage to the organizations' reputations in 28 percent.
The report also outlined strategies to mitigate insider threats, including best practices for information security and human resources that, historically, have not been implemented consistently. Specifically, the report suggests increased management attention to negative events in the workplace, establishing formal grievance procedures as an outlet for insider complaints, and creating reporting processes for when employees notice or suspect unusual behavior. In addition, organizations should disable computer access following terminations; enforce comprehensive password policies, computer account management practices, and layered security for remote access; use configuration management practices for detection of logic bombs and malicious code; and monitor system logging, as well as backup and recovery procedures.
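The last of those recommendations (disabling access at termination, account management, and log monitoring) is where the gap Cappelli describes usually opens: the HR record says "terminated" while the directory still says "enabled". The script below is an added example, not part of the report or the article, showing what a nightly reconciliation job might check. It runs over constructed sample data (a small HR roster, a directory export and a few VPN log lines, all invented here) and flags three things: enabled accounts owned by terminated staff, enabled accounts with no HR owner or created outside the provisioning process (the "unauthorized backdoor accounts" the study counts), and successful remote logins by a user after their termination date. The field names and the `provisioning` identity are assumptions for the example.

```python
from datetime import date, datetime

# Constructed sample data (not from the report). HR roster keyed by username.
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2024, 3, 1)},
    "carol": {"status": "active", "terminated": None},
}

# Constructed directory export. "created_by" records which identity created
# the account; in a controlled process only the provisioning system should.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "owner": "alice", "enabled": True, "created_by": "provisioning"},
    {"user": "bob", "owner": "bob", "enabled": True, "created_by": "provisioning"},
    {"user": "carol", "owner": "carol", "enabled": True, "created_by": "provisioning"},
    # An account with no HR owner, created by an admin days before his termination.
    {"user": "svc-backup2", "owner": None, "enabled": True, "created_by": "bob"},
    # Already disabled: should not be reported.
    {"user": "dave", "owner": "dave", "enabled": False, "created_by": "provisioning"},
]

# Identities allowed to create accounts (assumed name for the example).
AUTHORIZED_PROVISIONERS = {"provisioning"}

# Constructed VPN log lines: ISO timestamp followed by key=value pairs.
VPN_LOG = """\
2024-02-28T22:10:03Z user=bob result=success src=203.0.113.7
2024-03-04T01:17:44Z user=bob result=success src=203.0.113.7
2024-03-04T01:19:02Z user=svc-backup2 result=success src=203.0.113.7
2024-03-05T09:00:00Z user=alice result=success src=198.51.100.4
"""


def orphaned_accounts(roster, accounts):
    """Enabled accounts whose HR owner is terminated: access that should
    have been disabled at termination but was not."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"]
        and a["owner"] in roster
        and roster[a["owner"]]["status"] == "terminated"
    )


def unauthorized_accounts(roster, accounts, provisioners):
    """Enabled accounts with no HR owner, or created outside the
    provisioning process. Returns {username: [reasons]}."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue
        reasons = []
        if a["owner"] not in roster:
            reasons.append("no HR owner")
        if a["created_by"] not in provisioners:
            reasons.append(f"created by {a['created_by']!r} outside provisioning")
        if reasons:
            findings[a["user"]] = reasons
    return findings


def parse_vpn_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def post_termination_logins(roster, log_text):
    """Successful remote logins by a user on or after their termination date.
    Returns a list of (user, ISO timestamp)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_vpn_line(line)
        rec = roster.get(ev["user"])
        if (rec and rec["terminated"] and ev["result"] == "success"
                and ev["ts"].date() >= rec["terminated"]):
            hits.append((ev["user"], ev["ts"].isoformat()))
    return hits


def reconcile(roster=HR_ROSTER, accounts=DIRECTORY_ACCOUNTS,
              provisioners=AUTHORIZED_PROVISIONERS, log_text=VPN_LOG):
    """Run all three checks and return one report for the access review."""
    return {
        "orphaned": orphaned_accounts(roster, accounts),
        "unauthorized": unauthorized_accounts(roster, accounts, provisioners),
        "post_termination_logins": post_termination_logins(roster, log_text),
    }


if __name__ == "__main__":
    for check, result in reconcile().items():
        print(f"{check}: {result}")
```

On the sample data the job reports `bob` as an orphaned account, `svc-backup2` as an account with no HR owner that was created outside provisioning, and one VPN login by `bob` three days after his termination date. The login on 2024-02-28 is not reported because it predates the termination; the `svc-backup2` login is caught by the account check rather than the login check, which is why the two are run together: a backdoor account has no HR record to compare against.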
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.