Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
I spent lunch yesterday with the local FBI person in charge of liaising with corporate types on computer crime issues, and along the way, we were talking about profiles of the most effective modern computer criminals. I thought you would be interested in what we discussed.
But before I go there, I thought I would discuss one of the most commonly debated and misunderstood issues in risk management over the last 20 years... the insider vs. outsider threat.
Everyone knows, or should know, that an insider is potentially more dangerous as an information threat than an outsider. The insider has lots of advantages: access, authorization, operational knowledge, people knowledge, situation awareness, and so on. Everything the outsider has to find or figure out, the insider has at their disposal. But the statistics on computer crime are not very supportive of this obvious maxim.
The problem seems to be that we don't have any good statistics to measure computer-related crimes. The annual CSI/FBI survey and the bi-annual ASIS survey are among the various sources that tell us that insiders are responsible for 80% of the identified lost value from computer-related crimes. This figure changes from year to year, sometimes being characterized as 40% insider acting alone, 20% outsider acting alone, and 40% insider acting with outsider. Of course these 'loss' figures are, at a minimum, very confusing.
There are no real crime statistics in this area. I asked the FBI folks if they kept statistics on the number of computer crimes reported, investigated, arrests, convictions, etc. and they said they did not track this. This is pretty strange to me because they would be very quick to provide statistics on bank robberies, but when it comes to computers, it seems they can't or won't keep statistics.
The big wall I keep running into is who gets considered an insider as opposed to an outsider? Obviously, when a random IP address is selected by someone across the Internet and it results in a web-site defacement it's an outsider - right? Well... not always. There have been cases where an insider was involved in such a thing, but the vast majority of these cases today appear to be outsiders breaking in.
But how about a vendor? Vendors are not really outsiders because we have a relationship with them. But depending on who you ask and what the incident is, they may be called insiders or outsiders. The same is true of customers. Because of the Web and E-commerce, anyone in the world might be a customer. When a customer changes a URL to lower the price of an item, does this make them an insider or an outsider? I would think outsider, but I have seen very similar things called insider attacks. If an employee does the same thing for their own purchase is it any different?
With outsourcing, partnering agreements, web-based collaborations, joint ventures, and so forth, it's just plain hard to make a clear distinction between insider and outsider.
I think we have been using the wrong words to talk about these threats for some time. Of course I don't have a corner on the market of good words, but I think few people today can clearly identify insiders and outsiders in the average enterprise and in most substantial organizations, different people would disagree about who is an insider and who is an outsider under different circumstances.
There are other words we can use to describe those who commit criminal acts and acts of disloyalty (civil liability implied). But to do so, we have to spend some time studying them and, ultimately, describing them to decision makers.
The right words are sometimes hard to find, but I think I can reasonably identify at least one group in this article that seems to me to be one of the most dangerous sorts of threats we face. They are insiders - or at least they become insiders - and they are fairly common - or perhaps I should say there are a substantial number of them and they are responsible for a large number of large losses. There is another feature, but I will get there.
I was giving a presentation and having a discussion with graduate students at UC Davis earlier in the month, and one of the discussion points that came up was the statistic on 80% of losses being due to computer crime. This supposition was challenged, and I responded that this statistic is not a very good one because it is not very clear, that the statistics are poor when they are kept, and so forth, but I also took the line that it's probably true.
The FBI discussion was worth participating in, although there wasn't anything really unexpected, but then when the FBI guy started discussing the insider threat, I took the opportunity to reflect on my previous discussion at Davis and tried to push this issue a bit. When I did, we entered into a discussion of some cases, and I noticed that the typical 'insider' case that was being discussed was not just an insider, but an outsider who set out to become an insider in order to perpetrate a crime. In many cases more than one person is involved. Of course this is not the classic insider notion that people might imagine when thinking about an insider.
The image I tend to get and hear about in security briefings is an employee who was good but went bad, acting on their own. Or perhaps someone elicited from the outside and eventually tricked or coerced into doing bad things. Or perhaps it's someone who is day trading on company time instead of doing their work.
A recent case I investigated involved a group of people who seem to go from one company to another using the same scheme in each place. I have seen small snippets of this sort of behavior before, but what triggered my interest was a description given by the FBI agent of another case that seemed to me to be very similar, and the profiles of the cyber criminals they are currently seeing. The pattern seems to me to be indicative of a new era of the roving cyber gang.
Cyber gangs have existed for some time, but historically, they have acted predominantly as outsiders using rapid penetrations to steal some money or information or do some other harm to their victims. The sorts of groups that seem to be emerging today are quite different in their characteristics and behavior. Here is a typical profile:
The attackers are a group of people who infiltrate a company by getting jobs. It would be common for the first employee to come from a management position in another company and hire in a number of other team members from that company.
As the team re-forms in the new company, the manager ensures that the team members get excellent reviews and work on projects whose output is not easily verified by others. Typically, the idea is to create a team that has limited involvement in other projects. The team members can get credit for the successes of the other projects while gathering information on a wide range of activities and gaining access to a large number of systems and a large quantity of data. They can work as a group on some special advanced projects that don't make much progress over a 2-year period, and it won't have a negative effect on their performance reviews because the boss is on the team and they will be gone by the end of that period anyway.
They are stealing their paychecks along the way, and this is of course substantial, but in addition, they will engage in a variety of related activities for profit.
They may also run another business or two using corporate assets (cell phones, accounts on yahoo accessed from company computers during the day, meeting rooms, travel on company business that is largely for non-company business matters, business meals paid for by you but serving their own clients, development of new business plans, and so forth). They may buy items from other companies they own or co-own with their partners.
Along the way, they may sell trade secrets, copies of customer lists, and all sorts of other items to competitors or, more often, to other gang members who are still at the previous company (and who get a percentage of the sales).
The move-out happens in a similar way. The leader and team members start by getting other jobs, typically all at the same new firm. The leader is most likely to jump first because of the leverage gained by the management position. While they are at it, they will take along any useful information from the previous employer, like customer lists and so forth. This will enhance their position in the new company, if used wisely, and as they move their folks out of the old company, they may take computers, software, supplies, and other such things with them. Another tactic is to start at the new company without resigning from the previous one. Since they don't have to do very much at the new company due to their manager being on their team, they can collect double pay for several months along the way.
Interested readers may want to review January, 1999 - Anatomy of a Successful Sophisticated Attack - in which we give an example of a variation on this theme.
These folks are crooks and there are no two ways about it. But the real crime comes in what happens to them, or more accurately, what doesn't happen to them. It turns out that the odds are in their favor. First and foremost, they are often not caught. If the group's overall performance is not very good over this time period, the manager may be associated with the poor performance, but it's pretty easy to hide 5-10 people in a large company for a few years. If the manager is not getting the job done, the company may be glad to see them leave after a year or two and may help them get that next job so they will leave without a scandal or other problems.
If one of them is caught, even if it is one of the higher ranked ones, chances are the investigation will not go very far or discover the true nature of their efforts. They use some security precautions in their activities and it may be hard to get at all of the details unless you know to look for them. Investigations like this are quite expensive and time consuming and the information security staff doesn't typically have the time or resources to support it. If outside consultants or private detectives are brought in, and if they start to find this sort of information, chances are they will be told not to follow through to the end of the case because of the high cost and the embarrassment to the next level of management who let this happen.
Even if a whole group of them are detected, the company may be too embarrassed to prosecute, or perhaps they will not see any profit in prosecution. The net effect is that these gangs gain money, strength, and people over time, move from company to company, and are largely successful. If there is a lawsuit or prosecution, chances are very good that the net effect will be negligible for the gang member. The typical sentence for someone who is convicted of stealing $20 million through embezzlement is only about 1.5 years, while those who steal $20,000 get 5-10 years. The typical settlement is only a small percentage of the amount detected as being taken and an even smaller percentage of what was actually taken.
Crime pays and bigger crime pays better. At least for now.
It saddens me to say that morality is not typically a corporate value. The value is the money and nothing else. And the worst part of it is that the people who don't chase these folks down are creating the problems for the next group of folks. This has to change, and I can think of a few ways to do it. Here they are:
1) Do thorough background checks on people you hire. Check their references - all of them. Spend $150 on a decent check for all employees and $500-$1000 on management employees. Make sure these checks are done by more than one person and that they are reviewed by competent specialists who have a say in the decision. If they have samples of previous work, get the samples and ask them about details during the interviews. In my interviews, I tend to ask people to demonstrate the skills they claim to have by giving them sample problems to solve. Plenty of folks who claim to be experts in one thing or another end up not being able to solve even the simplest problems in their interviews.
2) Don't let managers hire away staff from previous jobs into their own organizations in substantial numbers. I know this is how you get many of your teams, but it's not nice and it tends to lead to legal issues down the line. In addition, it is important that there be a break from the old company and its old ways and that you have the chance to evaluate and get used to new employees. I know that the pace of business can be daunting, but speed carries risks and these risks need to be offset by prudence. If these people are so good that you want to hire them, hire them to work for someone else in your company and have one of your well established employees work for the new manager. It will help all three of them succeed.
3) If you suspect such a group, investigate it thoroughly, prosecute, sue, and sue anyone who gave you a false or misleading reference (if you didn't do number 1 above you can forget about this part). You might have a case and you could get back a lot of money if it turns out that the previous company sent you these employees knowing that they were crooks or if due diligence on their part was not done when they hired these people.
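Recommendation 2 can be backed by a routine check over HR records: flag any hiring manager whose team was largely brought in from a single previous employer within a short period. The script below is an added example, not part of the column; it runs over constructed hire records (employee, hiring manager, previous employer, start date) and the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample HR records for illustration (not real people or employers).
# Row layout: (employee, hiring_manager, previous_employer, start_date).
# The manager "m.lee" arrives first (no hiring manager recorded), then brings in
# three people from the same prior employer within two months.
HIRES = [
    ("m.lee",   None,    "Acme Corp", date(2000, 1, 10)),
    ("a.kim",   "m.lee", "Acme Corp", date(2000, 2, 1)),
    ("b.ortiz", "m.lee", "Acme Corp", date(2000, 2, 15)),
    ("c.nair",  "m.lee", "Acme Corp", date(2000, 3, 3)),
    ("d.wu",    "m.lee", "Globex",    date(2000, 4, 1)),
    ("e.park",  "r.ng",  "Acme Corp", date(2000, 6, 1)),
    ("f.ali",   "r.ng",  "Initech",   date(2001, 1, 1)),
]


def find_hiring_clusters(hires, min_size=3, window_days=365):
    """Return one finding per (manager, previous employer) pair whose hires,
    within any window of window_days, number at least min_size.  Each finding
    also notes whether the manager came from that same previous employer,
    which is the pattern the column describes."""
    prior_employer_of = {emp: prev for emp, _, prev, _ in hires}
    by_key = defaultdict(list)
    for emp, mgr, prev, start in hires:
        if mgr is not None:
            by_key[(mgr, prev)].append((start, emp))

    findings = []
    for (mgr, prev), rows in by_key.items():
        rows.sort()  # chronological order of start dates
        best = (0, 0, 0)  # (cluster size, first index, last index)
        lo = 0
        for hi in range(len(rows)):
            # Slide the window start forward until it spans at most window_days.
            while (rows[hi][0] - rows[lo][0]).days > window_days:
                lo += 1
            if hi - lo + 1 > best[0]:
                best = (hi - lo + 1, lo, hi)
        size, lo, hi = best
        if size >= min_size:
            findings.append({
                "manager": mgr,
                "previous_employer": prev,
                "members": [emp for _, emp in rows[lo:hi + 1]],
                "manager_from_same_employer": prior_employer_of.get(mgr) == prev,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hiring_clusters(HIRES):
        print(finding)
```

Treat a hit as a prompt for the reference checks and the independent project review the column calls for, not as proof of wrongdoing.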
Finally, I have to say that I believe that morality carries its own rewards. Make morality a business value and back it up with your actions.
About The Author:
Fred Cohen is thinking inside a bigger box as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs at Fred Cohen and Associates, and educating defenders over-the-Internet on all aspects of information protection at the University of New Haven. He can be reached by sending email to fred at all.net or visiting http://all.net/