Disasters come from many directions. When we think about Business Continuity Planning and Disaster Recovery, we often consider threats such as fires, floods, earthquakes, tornados, or hurricanes. We also think of malicious attacks from outside our organizations. These would include hackers, viruses, malware, Trojan horses, etc. But in many cases the threat is inside the organization.
There are two major types of internal threats to IT which organizations face: accidents and malicious attacks or sabotage.
In a May 2008 technical report from the Software Engineering Institute at Carnegie Mellon University entitled “The ‘Big Picture’ of Insider IT Sabotage Across U.S. Critical Infrastructures,” threats from insiders are discussed in detail. You can read the full 46-page report at http://www.cert.org/insider_threat/.
The report analyzes data from a previous study of approximately 150 insider incidents that occurred in critical infrastructure sectors in the U.S. between 1996 and 2002. Of particular interest are the observations summarized below; they can serve as an outline to help businesses improve controls, monitor behavioral risks, and prepare more effectively to safeguard their IT infrastructure.
Most insiders had personal predispositions that contributed to their risk of committing sabotage. These include mental health disorders such as addictions and physical abuse; social-skill problems such as bullying and intimidation of coworkers; and an inability to conform to rules, including histories of rule violations.
Most insiders who committed sabotage were disgruntled due to unmet expectations. This included lack of promotion, restriction of online actions, limitations on use of company resources, diminished authority or responsibilities, perceived unfair work requirements, and poor coworker relations.
Stressful events, including organizational sanctions, contributed to the likelihood of insider sabotage. Stressful events observed in cases include poor performance evaluations, reprimands for unacceptable behavior, suspensions for excessive absenteeism, disagreements about compensation or severance packages, new supervisors hired, divorce, and death in the family.
Behavioral precursors were often observable in insider sabotage cases but ignored by the organization. These include drug use, conflicts with coworkers, aggressive or violent behavior, inappropriate purchases on company accounts, poor job performance, sexual harassment, deception about qualifications, violations of dress code, and poor hygiene.
In many cases organizations failed to detect technical precursors. Technical precursors observed in cases include the download and use of hacker tools, failure to create backups, failure to document systems or software, unauthorized access of customers’ or coworkers’ systems, system access after termination, and the setup and use of backdoor accounts.
Insiders created or used access paths unknown to management to set up their attack and conceal their identity or actions. The majority of insiders attacked after termination. Many insiders in the cases analyzed used privileged system access to take technical steps to set up the attack before termination. For example, insiders created backdoor accounts, installed and ran password crackers, installed remote network administration tools, and took advantage of ineffective security controls in termination processes.
Lack of physical and electronic access controls facilitated sabotage. Ninety-three percent of the insiders in the studied sabotage cases exploited insufficient access controls. Access control vulnerabilities observed in cases include coworkers’ computers left unattended while logged in, the ability to create accounts unknown to the organization, and insufficient disabling of electronic and physical access at termination.
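As an added illustration (not from the report or this post), the following Python check reconciles an account inventory against an HR roster and a few authentication log lines to flag the three access-control precursors named above: accounts unknown to the organization, accounts left enabled after termination, and logins after the owner's termination date. The roster, account inventory and log lines are constructed sample data, and the field layout is an assumption.

```python
from datetime import datetime

# Constructed sample data (not from the report). ROSTER maps an HR principal to
# its termination date, or None if still employed.
ROSTER = {"alice": None, "bob": datetime(2024, 3, 1), "carol": None}

# Account inventory as (account, owner per directory, enabled?, provisioning ticket).
ACCOUNTS = [
    ("alice", "alice", True, "REQ-101"),
    ("bob", "bob", True, "REQ-102"),        # owner terminated, account still enabled
    ("carol", "carol", True, "REQ-103"),
    ("svc_backup2", "bob", True, None),     # created without a ticket: unknown to org
]

# Constructed auth log lines: "<ISO timestamp> <account> <result> <source IP>".
AUTH_LOG = [
    "2024-02-20T08:00:00 alice success 10.0.0.5",
    "2024-03-03T23:15:00 bob success 203.0.113.7",
    "2024-03-04T01:02:00 svc_backup2 success 203.0.113.7",
    "2024-03-05T09:00:00 carol failure 10.0.0.9",
]


def unknown_accounts(accounts, roster):
    """Accounts that match no HR principal and have no provisioning record."""
    return [acct for acct, _, _, ticket in accounts
            if acct not in roster and ticket is None]


def undisabled_terminated(accounts, roster):
    """Accounts still enabled although their owner's termination date is set."""
    return [acct for acct, owner, enabled, _ in accounts
            if enabled and roster.get(owner) is not None]


def access_after_termination(log_lines, accounts, roster):
    """Successful logins by accounts whose owner was terminated before the login."""
    owner_of = {acct: owner for acct, owner, _, _ in accounts}
    hits = []
    for line in log_lines:
        ts, acct, result, src = line.split()
        if result != "success":
            continue
        term = roster.get(owner_of.get(acct))
        if term is not None and datetime.fromisoformat(ts) > term:
            hits.append((acct, ts, src))
    return hits


if __name__ == "__main__":
    print("unknown accounts:", unknown_accounts(ACCOUNTS, ROSTER))
    print("enabled after termination:", undisabled_terminated(ACCOUNTS, ROSTER))
    print("access after termination:", access_after_termination(AUTH_LOG, ACCOUNTS, ROSTER))
```

Running the same reconciliation on a real directory export and HR feed turns two of the report's termination-process gaps into a routine daily check.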
Every organization occasionally errs in hiring, and most of the cases reported in this study illustrate such mistakes. As the study shows, organizations can prepare by improving controls – particularly access controls. Handling disgruntled employees well is clearly critical. Additional preparation includes having a full plan to recover after the event.