Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft




Overview

The Secret Service, FBI, NSA, CERT (Computer Emergency Response Team) and George Washington University have all identified “Insider Threats” as one of the most significant challenges facing IT, security, law enforcement, and intelligence professionals today.

This book will teach IT professionals and law enforcement officials about the dangers posed by insiders to their IT infrastructure and how to mitigate these risks by designing and implementing secure IT systems as well as security and human resource policies. The book will begin by identifying the types of insiders who are most likely to pose a threat. Next, the reader will learn about the variety of tools and attacks used by insiders to commit their crimes including: encryption, steganography, and social engineering. The book will then specifically address the dangers faced by corporations and government agencies. Finally, the reader will learn how to design effective security systems to prevent insider attacks and how to investigate insider security breaches that do occur.

Throughout the book, the authors will use their backgrounds in the CIA to analyze several high-profile cases involving insider threats.

• Tackles one of the most significant challenges facing IT, security, law enforcement, and intelligence professionals today

• Both co-authors worked for several years at the CIA, and they use this experience to analyze several high-profile cases involving insider threat attacks

• Despite the frequency and harm caused by insider attacks, there are no competing books on this topic.


Product Details

ISBN-13: 9780080489056
Publisher: Elsevier Science
Publication date: 12/15/2005
Sold by: Barnes & Noble
Format: eBook
Pages: 350
File size: 3 MB

About the Author

Dr. Eric Cole is an industry-recognized security expert, technology visionary and scientist, with over 15 years' hands-on experience. Dr. Cole currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Dr. Cole has over a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. Dr. Cole has a Master's in Computer Science from NYIT and a Ph.D. from Pace University with a concentration in Information Security. Dr. Cole is the author of several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat. He is also the inventor of over 20 patents and is a researcher, writer, and speaker for SANS Institute and faculty for The SANS Technology Institute, a degree-granting institution.

Read an Excerpt

Insider Threat

Protecting the Enterprise from Sabotage, Spying, and Theft
By Eric Cole and Sandra Ring

Syngress

Copyright © 2006 Syngress Publishing, Inc.
All rights reserved.

ISBN: 978-0-08-048905-6


Chapter One

What Is There to Worry About?

Topics in this chapter:

* The Devil Inside

* The Importance of Insider Threat

* Why the Insider Threat Has Been Ignored

* Why the Insider Threat Is Worse Than the External Threat

* The Effect of Insider Threats on a Company

* How Bad Is It—Statistics on What Is Happening

* Targets of Attack

* The Threat Is Real

* New World Order

* Future Trends

Introduction

I was sitting at my desk when my phone rang. I answered the phone and it was a large pharmaceutical company who was interested in consulting services. They started off the conversation stating that they had some problems and thought that my company might be able to help. They had noticed a trend with one of their foreign competitors. Every time they went to release a new product (in this case a new drug), one of their competitors would release a similar drug with a similar name several weeks before them and would beat them to market. If you understand the drug industry, you'll know that this is a serious problem. The first company to get a product to market usually is able to obtain a higher market share and higher demand than its competitors. Therefore, this represented a huge monetary loss to the company and the executives were concerned.

This initially sounded like a potential problem but I needed more details. My follow-up question was how often had this occurred and over what time period. The executive I was talking with said it had happened eight times over the prior 12 months. I was sitting there thinking: You think there is a problem? My next question was, "Why did you wait so long to call someone?" Their answer was, "We figured it was just a coincidence, because the only way this could have happened was if an insider was giving the information to a competitor and we trust all of the employees so this could not be the case." Over the next several months they were going to realize how wrong that previous statement was.

I led an internal assessment team and over the course of several months found three different groups of people (each consisting of 2-4 people), working for two different competitors. Actually, one group was working for a foreign competitor and the other two groups were working for a foreign government.

The fact that this story is true is scary, but what makes it even more troubling is that this happened more than 18 months ago and I have worked on and am aware of at least 15 other similar cases. The average monetary loss of the case I worked on was estimated at $350 million annually.

The Devil Inside

"I trust everyone, it is the devil inside that I do not trust," is a great line from the movie The Italian Job. Everyone has the potential to do harm, including your employees. If you look at the minimal background checks that most companies perform on their employees, you have to wonder what that trust is based on. Why is it that once a total stranger is hired at your company, you now completely trust that person? Just because they are now called an employee does not mean they have loyalty to your organization and would do nothing to hurt the company. We do not want you to be so paranoid that your company cannot function, but a healthy dose of paranoia is good.

Aldrich Ames, Robert Hanssen, and other spies had one thing in common: they passed the polygraph (lie detector test) with almost a perfect score. How could a machine that tests whether people are lying not catch the biggest liars that cost so many people their lives? The reason is a polygraph does not detect lies, it detects guilt. In these cases, either the people felt justified by their actions and did not feel guilty about them or they were trained to be able to bypass and deceive people. Only by closely watching people over time will you start to understand that there are certain people who cannot be trusted.

Insider threat and corporate espionage rely on the fact that it is sometimes better to live in denial and be happy than to know the truth and have to deal with it. One of my associates recently found out his wife was cheating on him and was very annoyed with the person who told him. The person who told him said, "Why are you mad at me? Didn't you want to know?" And the person's response was, "No." It was easier to live with a lie than deal with the truth. While most executives might not be bold enough to admit this, it is very true in corporations and governments around the world. It is easier to trust your employees and keep life simple, than to suspect everyone and deal with the complexities it creates. However, if it will put your company out of business, cause hundreds of millions of dollars' worth of loss, or cause people to die, you might think differently about the answer.

Nobody wants to believe the truth, but corporate espionage via the insider threat is causing huge problems. Many companies either do not have the proper monitoring to realize or do not want to admit that it is happening to them. For some reason, with many crimes, including insider threat, victims feel embarrassed and ashamed. They are the victims, they did nothing wrong, but for some reason these criminals turn the tables on who is at fault. I have heard rape victims say that it was their own fault they were raped. I have also heard numerous times that it is a company's fault if they are stupid enough to be a victim to insider threat. With that mentality, who is going to admit that this happened to their company? The only person at fault is the attacker—not the victim.

The Importance of Insider Threat

Organizations tend to think that once they hire an employee or a contractor that that person is now part of a trusted group of people. Although an organization might give an employee additional access that an ordinary person would not have, why should they trust that person? Many organizations perform no background checks and no reference checks and as long as the hiring manager likes them, they will hire them. Many people might not be who you think they are and not properly validating them can be an expensive, if not a fatal, mistake. Because many organizations, in essence, hire complete strangers who are really unknown entities and give them access to sensitive data, the insider threat is something that all organizations must worry about.

If a competitor or similar entity wants to cause damage to your organization, steal critical secrets, or put you out of business, they just have to find a job opening, prep someone to ace the interview, have that person get hired, and they are in. The fact that it is that easy should scare you. Many companies have jobs open for several weeks and it could take a couple of weeks to set up an interview. That gives a competitor focused on your company a four-week period to prep someone to ace an interview. This is what foreign governments do when they plant a spy against the U.S. They know that a key criterion for that person is passing the polygraph, so they will put that person through intensive training so that he or she can pass the polygraph with no problem. This points out a key disadvantage that organizations have. The attacker knows what process you are going to follow to hire someone and all they have to do is prep someone so they ace that part of the process.

In terms of the importance, I often hear people say that it is only hype and that it cannot happen to us. This is synonymous to thinking that bad things only happen to others, they never happen to you; until they happen to you and then you have a different view of the world. I remember several years ago when my father got diagnosed with having a cancerous brain tumor. It shocked me, devastated me, and changed my views forever. Prior to that I knew that people had brain cancer but it was something that I could not relate to or understand because I never thought it could really happen to me or someone I love. Bad things happened to others, not to me. This is the denial that many of us live in, but the unfortunate truth is bad things do happen and they could be occurring right now and you just do not know about it.

Insider threat is occurring all the time, but since it is happening within a company, it is a private attack. Public attacks like defacing a Web site are hard for a company to deny. Private attacks are much easier to conceal.

Because these attacks are being perpetrated by trusted insiders, you need to understand the damage they can cause; how to build proper measures to prevent the attack; how to minimize the damage; and, at a minimum, how to detect the attacks in a timely manner. Many of the measures companies deploy today are ineffective against the insider. When companies talk about security and securing their enterprise, they are concerned with the external attack, forgetting about the damage that an insider can cause. Many people debate about what percent of attacks come from insiders and what percent of attacks come from outsiders. The short answer is who cares? The real answer is this:

* Can attacks come from external sources?

* Can an external attack cause damage to your company?

* Can an external attack put you out of business?

* Can attacks come from internal sources?

* Can an internal attack cause damage to your company?

* Can an internal attack put you out of business?

Since the answer to all of these questions is YES, who cares what the percent is? Both have to be addressed and both have to be dealt with. I would argue that since the insider has access already, the amount of damage they can cause is much greater than an external attacker and the chances of getting caught are much lower. If an attacker comes in from the outside, he has access only to systems that are publicly accessible and he has to break through security devices. If an attacker comes from the inside, she has full access and minimal if any security devices to deal with. As our digital economy continues to grow and the stakes increase, anyone who wants serious access to an organization is not even going to waste his time with an external attack, he is going to go right for the trusted insider.

Finally, to highlight the importance of insider threat, everyone is getting on the bandwagon. The United States Secret Service is conducting a series of studies on the insider; conferences are popping up on the subject. Why? Because billions of dollars are being lost and something has to be done to stop the bleeding. You will never be able to completely remove the insider threat because companies need to be able to function. If you fire all your employees, you might have prevented the insider attack, but you will also go out of business. The key is to strike a balance between what access people need and what access people have.

Insider Threat Defined

Since everyone uses different terminology, it is important to define what we mean by insider threat. The easiest way to get a base definition is to break the two words apart. According to www.dictionary.com, insider is defined as "one who has special knowledge or access to confidential information" and threat is defined as "an expression of an intention to inflict pain, injury, evil, or punishment; an indication of impending danger or harm; or one that is regarded as a possible danger." Putting this together, an insider threat is anyone who has special access or knowledge with the intent to cause harm or danger.

There is a reason that the insider threat is so powerful and most companies are not aware of it; it is because all the standard security devices that organizations deploy do little if anything to prevent the insider threat.

However, as much as we do not want to admit it, this is no longer true (if it ever was). The problem with insider threat is that it takes only one person who is disgruntled and looking for a quick payoff or revenge and your company is compromised. Unfortunately, it is really that easy and one of the many reasons that the problem has gotten so out of hand.

The world is also a different place than it once was. Most people today, by the time they are at the age of 30, have had more jobs than both their parents combined across their entire careers. In the past, people worked for one company for 30 years and retired. Having worked for one company for an entire career builds loyalty. However, today people switch companies fairly often and while most people are not intentionally out to perform corporate espionage, there is a high chance they can inadvertently perform it. When you switch companies, you most likely are going to stay within the same industry, unless you are making a complete career change, which is unlikely. Therefore, the chance that you are going to work for a competitor is very high. This means some of your knowledge from your previous employer, despite your best efforts, will leak over into this new company.

(Continues...)



Excerpted from Insider Threat by Eric Cole and Sandra Ring. Copyright © 2006 by Syngress Publishing, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Table of Contents

Part I - Insider Threat Basics
1. What Is There To Worry About? (40 pages)
2. Behind the Crime (60 pages)

Part II - Government
3. State and Local Government (40 pages)
4. Federal Government (40 pages)

Part III - Corporations
5. Commercial (40 pages)
6. Banking and Finance Sector (40 pages)
7. Government Contractors (20 pages)

Part IV - Analysis
8. Profile (30 pages)
9. Response (20 pages)
10. Survivability and Prevention (40 pages)
