Bituminous Insurance Companies

Key Findings of Study on the Insider Threat in the IT Sector

The insider threat is a problem faced by all industries and sectors. The consequences of insider incidents can include lost staff hours, negative publicity, and financial damage so extensive that a business may be forced to lay off employees or close its doors. Furthermore, insider incidents can have repercussions extending beyond the affected organizations to include disruption of operations or services within critical infrastructure sectors, such as banking and finance, transportation, and continuity of government, or the issuance of fraudulent identities that create potential risks to the public and homeland security.

In 2002, the federal government initiated the Insider Threat Study (ITS), a collaborative endeavor of the United States Secret Service’s National Threat Assessment Center (NTAC) and the CERT® Program (CERT) of Carnegie Mellon University’s Software Engineering Institute. The study stems from concern about the ability of employees with intent to exploit known system vulnerabilities and the effect of their activities on organizations, particularly those within critical infrastructure sectors.

The ITS is an exploration of employees who perpetrated acts of harm against organizations via computer, system, or network to include theft of intellectual property, fraud, and acts of sabotage within critical infrastructure sectors. The overall objective of the ITS is to help private industry, government, and law enforcement better understand, detect, and possibly prevent harmful insider activity. A particular focus of the study is to identify information that may have been discernable prior to the incident from both a behavioral and technical perspective.

To date, the ITS has issued four reports. These include: Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, an examination of incidents within the Banking and Finance Sector, published in August 2004; Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, an examination of sabotage incidents across critical infrastructure sectors, published in May 2005; and, Insider Threat Study: Illicit Cyber Activity in the Government Sector, an examination of incidents within federal, State, and local government agencies, published in January 2008.

Organizations affected by insider activity in this sector included Internet service providers; companies conducting e-business; software, hardware, network, and telecommunication equipment manufacturers and suppliers; newspapers; and companies that provide information technology and telecommunications-related technical consulting services. The key findings of the study were:

• Current and former employees carried out insider activities in nearly equal numbers.
• Sixty–three percent of the insiders held technical positions within the targeted organizations.
• Thirty–eight percent of insiders had prior arrests.
• A specific work–related event triggered most (73%) insider actions.
• The majority (76%) of insiders planned their activities in advance.
• Half (50%) of the insiders had authorized access to the system/network at the time of the incident.
• Over half (58%) of the insiders used relatively sophisticated tools or methods for their illicit activities, including scripts or programs, autonomous agents, toolkits, probing, scanning, flooding, spoofing, compromising computer accounts, or creating unauthorized backdoor accounts.
• Insiders committed their illicit activities both from the workplace (51%) and remotely (43%) in nearly equal numbers.
• The incidents took place during (51%) and outside (49%) normal working hours in nearly equal numbers.
• Most (80%) of the insider incidents were only discovered through manual (non–automated) detection of an irregularity or failure of an information system.
• The majority (74%) of the insiders took steps to conceal their identities and their activities.

Go to http://www.cert.org/insider_threat/ to view the complete texts of the four reports.

COPYRIGHT ©2008, ISO Services Properties, Inc.

The information contained in this publication was obtained from sources believed to be reliable. ISO Services Properties, Inc., its companies and employees make no guarantee of results and assume no liability in connection with either the information herein contained or the safety suggestions herein made. Moreover, it cannot be assumed that every acceptable safety procedure is contained herein or that abnormal or unusual circumstances may not warrant or require further or additional procedure.