Insider Threat Awareness

Module 80132
Rev. F1
What is an Insider Threat?
• Typically described as a disgruntled or unscrupulous employee trying to gain access to information they shouldn’t, and sharing it for personal gain, espionage or revenge.
• Current or former employees or contractors who
  - Intentionally exceeded or misused an authorized level of network, system or data access in a manner that affected the security of the organizations’ data, systems, or daily business operations (Carnegie Mellon, April 2008).

The Insider Threat
• A summer 2006 E-Crime Watch Survey by CERT and the U.S. Secret Service stated the following:
  - Of 434 responses to the survey, 55% of organizations were victims of electronic crimes and ~30% of those were from insiders.
One complex fraud case involving a financial institution reportedly resulted in the loss of $700 million.

Recent Cases

Greg Chung spied for China from 1979 to 2006. Federal charges against Chung consisted of stealing trade secrets about the space shuttle, the Delta IV rocket and the C-17 military cargo jet for the benefit of the Chinese government. Chung’s motive was to “contribute to the Motherland.” He was an engineer who stole hundreds of thousands of documents. He traveled to China under the excuse of giving lectures, while secretly meeting with Chinese government officials and agents. Chung was arrested in February 2008, and in February 2010 he was sentenced to 15 years in prison.

Sergey Aleynikov, a computer programmer, worked for a company on Wall Street from May 2007 until June 2009. During his last few days at that company, he downloaded and transferred 32 megabytes of proprietary computer code, a theft that could have cost his employer millions of dollars. He hoped to use the computer code at his new Chicago-based employer. He attempted to hide his activities, but the company discovered irregularities through its routine network monitoring systems. In December 2010, Aleynikov was found guilty of theft of trade secrets and transportation of stolen property in foreign commerce.

History of Insider Threat
• Espionage and spying are amongst the oldest political and military trades. There are references to spies in ancient Greek history, and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage.

Case 1: Can you guess who this is?
• Position: He was an insider.
• Motive:
  - Money
  - Prestige/power
• How was the threat implemented?
  - He had a plan (Obfuscation, Gesture, Diversion).
  - He had expert knowledge.
• What was the cost?
  - The cost was significant.
  - The punishment was severe.
• Can you guess who?

Case 2: Can you guess who this is?
• Position: He was an insider.
• Motives:
  - His pride was damaged (disgruntled, revenge).
  - He needed money.
  - He had prior problems with the law.
• How was the threat implemented?
  - He defected with all the knowledge he had gained as an insider and made a plan.
  - He passed a message as a note.
  - He had expert knowledge.
• The cost was significant due to loss of trust.
• The punishment was severe.
• Can you guess who this is?

Case 3: Can you guess who this is?
• Position: He was an insider.
• Motives:
  - He wanted prestige/power.
  - He wanted money.
• How was the threat implemented?
  - He had unlimited access to all past insider attacks and investigations of his organization.
  - No due diligence by organization.
  - He had expert knowledge.
• Cost to the organization and the United States was priceless due to the type of secrets that were released and the number of lives lost.
• Punishment was severe.
• Can you guess who this is?

Case 4: Can you guess who this is?
• Position: Insider
• Motive:
  - He was a disgruntled employee.
  - He wanted power.
  - He had prior problems with the law.
• How was the threat implemented?
  - He developed a plan.
  - He had unlimited access.
  - He had expert knowledge.
• What was the cost?
  - Significantly high.
  - Reputation of organization was severely damaged.
• Can you guess who this is?
• How could this threat have been prevented?

What kind of Insider Threat profile do these four cases create?

| Case | Expert Knowledge | Disgruntled Employee | Wanted Power / Prestige | History of Bad Behavior | Needed Money | Had a Plan |
|---|---|---|---|---|---|---|
| Case 1: Ancient, Judas | Yes | Yes | Yes | No | ? | Yes |
| Case 2: Colonial, Benedict Arnold | Yes | Yes | Yes | Yes | Yes | Yes |
| Case 3: The eighties, Robert Hanssen | Yes | Yes | Yes | Yes | Yes | Yes |
| Case 4: ?? | Yes | Yes | Yes | Yes | ? | Yes |

Why are we concerned?
• Theft of intellectual property is an increasing threat to organizations, and can go unnoticed for months or even years.
• There are increased incidents of employees taking proprietary information when they believe they will be, or are, searching for a new job.

Organizational Factors
• Employees are not trained on how to properly protect sensitive information
• Sensitive information is not labeled properly
• The ease with which someone may exit the facility with sensitive information
• The perception that security is lax and the consequences for theft are minimal or non-existent

Personal Motives
• Greed or Financial Need
  - A belief that money can fix anything. Excessive debt or overwhelming expenses
• Anger/Revenge
  - Disgruntlement to the point of wanting to retaliate against the organization
• Ego/Self-Image
  - An “above the rules” attitude, or desire to repair wounds to their self-esteem.
• Ingratiation
  - Desire to please or win the approval of someone who could benefit from insider information.
• Problems at work
  - Lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff
• Divided Loyalty
  - Allegiance to another person, company, or to a country besides the United States
• Vulnerability to blackmail
  - Extra-marital affairs, gambling, fraud

Behavioral Indicators
• Without need or authorization, takes sensitive information or other materials home (documents, thumb drives, computer disks, or e-mail)
• Remotely accesses the computer network while on vacation, sick leave, or at other odd times
• Disregard of company computer policies
• Inappropriately seeks or obtains sensitive information on subjects not related to their work duties
• Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors
• Unnecessarily copies material, especially sensitive information
• Working odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules
• Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel.

Behavioral Indicators Cont.
• Frequent unexplained foreign travel
• Shows unusual interest in the personal lives of co-workers
• Unexplained affluence
  - Buying things they cannot afford on their household income
• Engaging in suspicious personal contacts
  - Such as with competitors, business partners or other unauthorized individuals
• Asking inappropriate questions regarding finances or relationships
• Concern that they are being investigated
  - Leaving traps to detect searches of their work area or home
• Overwhelmed by life crises or career disappointments
Many people experience or exhibit some or all of the traits in the past few slides; however, most people will not cross the line and commit a crime.

Commonalities of those who have committed espionage since 1950:
• More than 1/3 of those who committed espionage had no security clearance
• Twice as many “insiders” volunteered as were recruited
• 1/3 of those who committed espionage were naturalized U.S. citizens
• Most recent spies acted alone
• Nearly 85% passed information before being caught
• Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate contact.

Reportable Behaviors
The following actions should be reported to security immediately:
• Keeping classified materials in an unauthorized location
• Attempting to access sensitive information without authorization
• Obtaining access to sensitive information inconsistent with present job requirements
• Using an unclassified medium to transmit classified materials
• Discussing classified materials on a non-secure telephone
• Removing classification markings from documents
• Attempting to conceal foreign travel