Approvals 1
2 Chg #DateChangeSlide #Completed ByReason 18/9/2013From G Washington to B Arnold12Chris OWrong threat profile
Insider Threat Awareness Module Rev. F1 3
What is an Insider Threat? Typically described as disgruntled or unscrupulous employee trying to gain access to information they shouldn’t, and sharing it for personal gain, espionage or revenge. Current or former employees or contractors who Intentionally exceeded or misused an authorized level of network, system or data access in a manner that affected the security of the organizations’ data, systems, or daily business operations (Carnegie Mellon, April 2008). 4
The Insider Threat A summer 2006 E-Crime Watch Survey by CERT and the U. S. Secret Service stated the following: Of 434 responses to the survey, 55% of organizations were victims of electronic crimes and ~30% of those were from insiders. One complex fraud case involving a financial institution reportedly resulted in the loss of $700 million. 5
Recent Cases Greg Chung – spied for China from Federal charges against Chung consisted of stealing trade secrets about the space shuttle, the Delta IV rocket and the C-17 military cargo jet for the benefit of the Chinese government. Chung’s motive was to “contribute to the Motherland.” He was an engineer that stole hundreds of thousands of documents. He traveled to China under the excuse of giving lectures, while secretly meeting with Chinese government officials and agents. Chung was arrested in February 2008 and in February 2010 he was sentenced to 15 years in prison. Sergey Aleynikov - a computer programmer, worked for a company on Wall Street from May 2007 until June During his last few days at that company, he downloaded, and transferred 32 megabytes of proprietary computer codes– a theft that could have cost his employer millions of dollars. He hoped to use the computer codes at his new Chicago-based employer. He attempted to hide his activities, but the company discovered irregularities through its routine network monitoring systems. In December 2010, Aleynikov was found guilty of theft of trade secrets and transportation of stolen property in foreign commerce. 6
History of Insider Threat Espionage and spying are amongst the oldest political and military trades. There are references to spies in ancient Greek history and ancient Egyptian spies were among the first to develop methods of carrying out acts of internal sabotage. 7
Case 1: Can you guess who this is? Position: He was an Insider Motive: Money Prestige/power How was the threat implemented? He had a plan (Obfuscation, Gesture, Diversion). He had expert knowledge. What was the cost? The cost was significant. The punishment was severe. Can you guess who? 8
Case 2: Can you guess who this is? Position: He was an insider. Motives: His was pride was damaged (disgruntled, revenge). He needed money. He had prior problems with the law. How was the threat implemented? He defected with all the knowledge he had gained as an insider and made a plan. He passed a message as a note. He had expert knowledge. The cost was significant due to loss of trust. The punishment was severe. Can you guess who this is? 9
Case 3: Can you guess who this is? Position: He was an insider Motives: He wanted prestige/Power. He wanted money. How was the threat implemented? He had unlimited access to all past insider attacks and investigations of his organization. No due diligence by organization. He had expert knowledge. Cost to organization and the United States was priceless due the type of secrets that were released and number of lives loss. Punishment was severe. Can you guess who this is? 10
Case 4: Can you guess who this is? Position: Insider Motive: He was a disgruntled employee. He wanted power. He had prior problems with the law. How was the threat implemented? He developed a plan. He had unlimited access. He had expert knowledge. What was the cost? Significantly High. Reputation of organization was severely damaged. Can you guess who this is? How could this threat have been prevented? 11
What kind of Insider Threat profile does these four cases create? Expert Knowledge Disgruntled Employee Wanted Power / Prestige History of Bad Behavior Needed Money Had a Plan Case 1 Ancient, Judas Yes No?Yes Case 2 Colonial, Benedict Arnold Yes Case 3 The eighties, Robert Hanssen Yes Case 4 ?? Yes ? 12
Why are we concerned? Theft of intellectual property is an increasing threat to organizations, and can go unnoticed for months or even years. There are increased incidents of employees taking proprietary information when they believe they will be or are searching for a new job. 13
Organizational Factors Employees are not trained on how to properly protect sensitive information Sensitive information not labeled properly The ease that someone may exit the facility with Sensitive information The perception that security is lax and the consequences for theft are minimal or non-existent 14
Personal Motives Greed or Financial Need A belief that money can fix anything. Excessive debt or overwhelming expenses Anger/Revenge Disgruntlement to the point of wanting to retaliate against the organization Problems at work Lack of recognition, disagreements with co-workers or managers, dissatisfaction with the job, a pending layoff Divided Loyalty Allegiance to another person, company, or to a country besides the United States Vulnerability to blackmail Extra-marital affairs, gambling, fraud Ego/Self-Image An “above the rules” attitude, or desire to repair wounds to their self-esteem. Ingratiation Desire to please or win the approval of someone who could benefit from insider information. 15
Behavioral Indicators Without need or authorization, takes sensitive information or other materials home (Documents, thumb drives, computer disks, or ) Inappropriately seeks or obtains sensitive information on subjects not related to their work duties Interest in matters outside the scope of their duties, particularly those of interest to foreign entities or business competitors Unnecessarily copies material, especially sensitive information Remotely accesses the computer network while on vacation, sick leave, or at other odd times Disregard of company computer policies Working odd hours without authorization; notable enthusiasm for overtime work, weekend work, or unusual schedules Unreported foreign contacts (particularly with foreign government officials or intelligence officials) or unreported overseas travel. 16
Behavioral Indicators Cont. Frequent unexplained foreign travel Unexplained affluence Buying things they cannot afford on their household income Engaging in suspicious personal Contacts Such as with competitors, business partners or other unauthorized individuals Overwhelmed by life crises or career disappointments Shows unusual interest in the personal lives of co-workers Asking inappropriate questions regarding finances or relationships Concern that they are being investigated Leaving traps to detect searches of their work area or home Many people experience or exhibit some or all of the traits in the past few slides; however, most people will not cross the line and commit a crime 17
Commonalities of those who have committed espionage since 1950: More than 1/3 of those who committed espionage had no security clearance Twice as many “insiders” volunteered as were recruited 1/3 of those who committed espionage were naturalized U.S. citizens Most recent spies acted alone Nearly 85% passed information before being caught Out of the 11 most recent cases, 90% used computers while conducting espionage and 2/3 used the Internet to initiate contact. 18
Reportable Behaviors Keeping classified materials in an unauthorized location Attempting to access sensitive information without authorization Obtaining access to sensitive information inconsistent with present job requirements Using an unclassified medium to transmit classified materials Discussing classified materials on a non-secure telephone Removing classification markings from documents Attempting to conceal foreign travel The following actions should be reported to security immediately: 19