Managing Network Security

The New Cyber Gang - A Real Threat Profile

by Fred Cohen



Series Introduction

Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Yesterday's Lunch

I spent lunch yesterday with the local FBI person in charge of liaising with corporate types on computer crime issues, and along the way, we were talking about profiles of the most effective modern computer criminals. I thought you would be interested in what we discussed.

But before I go there, I thought I would discuss one of the most commonly debated and misunderstood issues in risk management over the last 20 years... the insider vs. outsider threat.


The Insider Threat

Everyone knows, or should know, that an insider is potentially more dangerous as an information threat than an outsider. The insider has lots of advantages: access, authorization, operational knowledge, people knowledge, situation awareness, and so on. Everything the outsider has to find or figure out, the insider has at their disposal. But the statistics on computer crime are not very supportive of this obvious maxim.

The problem seems to be that we don't have any good statistics to measure computer-related crimes. The annual CSI/FBI survey and the bi-annual ASIS survey are among the various sources that tell us that insiders are responsible for 80% of the identified lost value from computer-related crimes. This figure changes from year to year, sometimes being characterized as 40% insider acting alone, 20% outsider acting alone, and 40% insider acting with outsider. Of course these 'loss' figures are, at a minimum, very confusing.

There are no real crime statistics in this area. I asked the FBI folks if they kept statistics on the number of computer crimes reported and investigated, and on the resulting arrests, convictions, etc., and they said they did not track this. This is pretty strange to me because they would be very quick to provide statistics on bank robberies, but when it comes to computers, it seems they can't or won't keep statistics.


So who are they?

The big wall I keep running into is who gets considered an insider as opposed to an outsider? Obviously, when a random IP address is selected by someone across the Internet and it results in a web-site defacement it's an outsider - right? Well... not always. There have been cases where an insider was involved in such a thing, but the vast majority of these cases today appear to be outsiders breaking in.

But how about a vendor? Vendors are not really outsiders because we have a relationship with them. But depending on who you ask and what the incident is, they may be called insiders or outsiders. The same is true of customers. Because of the Web and E-commerce, anyone in the world might be a customer. When a customer changes a URL to lower the price of an item, does this make them an insider or an outsider? I would think outsider, but I have seen very similar things called insider attacks. If an employee does the same thing for their own purchase is it any different?

With outsourcing, partnering agreements, web-based collaborations, joint ventures, and so forth, it's just plain hard to make a clear distinction between insider and outsider.


The Wrong Words

I think we have been using the wrong words to talk about these threats for some time. Of course I don't have a corner on the market of good words, but I think few people today can clearly identify insiders and outsiders in the average enterprise, and in most substantial organizations, different people would disagree about who is an insider and who is an outsider under different circumstances.

There are other words we can use to describe those who commit criminal acts and acts of disloyalty (civil liability implied). But to do so, we have to spend some time studying them and, ultimately, describing them to decision makers.

The right words are sometimes hard to find, but I think I can reasonably identify at least one group in this article that seems to me to be one of the most dangerous sorts of threats we face. They are insiders - or at least they become insiders - and they are fairly common - or perhaps I should say there are a substantial number of them and they are responsible for a large number of large losses. There is another feature, but I will get there.


Back to the FBI

I was giving a presentation and having a discussion with graduate students at UC Davis earlier in the month, and one of the discussion points that came up was the statistic on 80% of losses being due to computer crime. This supposition was challenged, and I responded that this statistic is not a very good one because it is not very clear, that the statistics are poor when they are kept, and so forth, but I also took the line that it's probably true.

The FBI discussion was worth participating in, although there wasn't anything really unexpected, but then when the FBI guy started discussing the insider threat, I took the opportunity to reflect on my previous discussion at Davis and tried to push this issue a bit. When I did, we entered into a discussion of some cases, and I noticed that the typical 'insider' case that was being discussed was not just an insider, but an outsider who set out to become an insider in order to perpetrate a crime. In many cases more than one person is involved. Of course this is not the classic insider notion that people might imagine when thinking about an insider.

The image I tend to get and hear about in security briefings is an employee who was good but went bad, acting on their own. Or perhaps someone solicited from the outside and eventually tricked or coerced into doing bad things. Or perhaps it's someone who is day trading on company time instead of doing their work.


The Cyber Gang

A recent case I investigated involved a group of people who seem to go from one company to another using the same scheme in each place. I have seen small snippets of this sort of behavior before, but what triggered my interest was a description given by the FBI agent of another case that seemed to me to be very similar, and the profiles of the cyber criminals they are currently seeing. The pattern seems to me to be indicative of a new era of the roving cyber gang.

Cyber gangs have existed for some time, but historically, they have acted predominantly as outsiders using rapid penetrations to steal some money or information or do some other harm to their victims. The sorts of groups that seem to be emerging today are quite different in their characteristics and behavior. Here is a typical profile:

Interested readers may want to review January, 1999 - Anatomy of a Successful Sophisticated Attack - in which we give an example of a variation on this theme.


And What Happens to Them?

These folks are crooks and there are no two ways about it. But the real crime comes in what happens to them, or more accurately, what doesn't happen to them. It turns out that the odds are in their favor. First and foremost, they are often not caught. If the group's overall performance is not very good over this time period, the manager may be associated with the poor performance, but it's pretty easy to hide 5-10 people in a large company for a few years. If the manager is not getting the job done, the company may be glad to see them leave after a year or two and may help them get that next job so they will leave without a scandal or other problems.

If one of them is caught, even if it is one of the higher ranked ones, chances are the investigation will not go very far or discover the true nature of their efforts. They use some security precautions in their activities and it may be hard to get at all of the details unless you know to look for them. Investigations like this are quite expensive and time consuming and the information security staff doesn't typically have time or resources to support it. If outside consultants or private detectives are brought in, and if they start to find this sort of information, chances are they will be told not to follow through till the end of the case because of the high cost and the embarrassment to the next level of management who let this happen.

Even if a whole group of them is detected, the company may be too embarrassed to prosecute, or perhaps they will not see any profit in prosecution. The net effect is that these gangs gain money, strength, and people over time, move from company to company, and are largely successful. If there is a lawsuit or prosecution, chances are very good that the net effect will be negligible for the gang member. The typical sentence for someone who is convicted of stealing $20 million through embezzlement is only about 1.5 years, while those who steal $20,000 get 5-10 years. The typical settlement is only a small percentage of the amount detected as being taken and an even smaller percentage of what was actually taken.


Conclusions

Crime pays and bigger crime pays better. At least for now.

It saddens me to say that morality is not typically a corporate value. The value is the money and nothing else. And the worst part of it is that the people who don't chase these folks down are creating the problems for the next group of folks. This has to change, and I can think of a few ways to do it. Here they are:

Finally, I have to say that I believe that morality carries its own rewards. Make morality a business value and back it up with your actions.


About The Author:

Fred Cohen is thinking inside a bigger box as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs at Fred Cohen and Associates, and educating defenders over the Internet on all aspects of information protection at the University of New Haven. He can be reached by sending email to fred at all.net or visiting http://all.net/