1. Insider Attacks: Theft 1
Running Head: INSIDER ATTACKS: THEFT
Insider Attacks: Theft of Intellectual and Proprietary Data
Lindsey Landolfi
Towson University
Network Security
Professor Charles Pak
June 2011
1
While hacking and malware are major threats responsible for data compromise, the
misuse of insider privileges was the leading threat action in 2009. The term insider refers to an
individual who has or has had access privileges and is knowledgeable of the organization and its
functioning, such as employees of the organization, former employees, or contractors. Malicious
insider threats are becoming increasingly prevalent. The 2010 Data Breach Investigations Report
(DBIR) analyzed a compilation of “900+ breaches, and over 900 million compromised records”
(Verizon RISK Team, 2010, p. 5); its investigation of computer crime revealed that “48% were
caused by insiders” (Verizon RISK Team, 2010, p. 2). That is an approximate 26 percent
increase from the previous year. Specifically, the United States Secret Service has observed
notable increases in insider threat incidents in its own data breach cases.
As network security becomes increasingly advanced, the threat of internal attacks is a
greater concern. Privileged data is much more accessible to insiders than to external
attackers; therefore a system is more vulnerable to an organized or sporadic internal malicious
incident. The motivations and intentions behind theft of intellectual property vary.
Behavioral catalysts for employee theft range from disgruntled employees who have
experienced dissatisfaction with their job or organization, to those employees who possess a
sense of entitlement to the data. In some cases encouragement from an external source will
persuade an insider to take advantage of their access privileges. “A striking finding is that in over
two-thirds of the cases of theft for financial gain, the insider was recruited to steal by someone
outside the organization.” (Carnegie Mellon, 2008, p. 12)
There are numerous incidents in which unintentional insider actions result in damages, but
“malicious attacks have surpassed human error for the first time in three years” (Identity Theft
Resource Center, 2010). This paper will specifically address those insiders with malicious
intentions. The prevalent categories of theft objectives are espionage in the government sector,
business advantage, and financial gain. Proprietary intellectual property can be used to
start a new business or sold to a competitor in exchange for a new position; this is the concept
behind the business advantage motive. Theft for profit typically occurs in the banking and
finance sector; a typical example would be fraud.
Typically intellectual property theft is targeted either at the organization’s product, such as a
software system, or at specific organization data, such as strategic plans or client information. The
theft techniques tend to differ depending on the intentions of the attacker. It is possible
for the insider to be a rogue employee for an extended period of time while they slowly steal
small amounts of data, or they can plan a major malicious attack that will compromise
massive amounts of data and then resign from their position with the company.
A recent insider data theft case, which is still under investigation, resulted in an
estimated 10 million dollar loss for Bank of America. An employee had accessed and stolen
"names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's
license numbers, birth dates, email addresses, mother's maiden names, PINs and account
balances." (Lazarus, 2011) The insider then proceeded to leak this information to external
scammers, who used it to execute identity theft fraud. Since insiders are
inside the firewall on the network, or on their section of the network, they have access via
network privileges. If there is a lack of access control, it is relatively easy for a malicious insider
to exploit their technical access. They can proceed to snoop around the network and discover
privileged information, much like the Bank of America employee. This case and similar security
breaches might have been prevented if a form of encryption had been used to secure the customers'
personal identity information.
The catastrophic WikiLeaks incident highlights the seriousness of insider breaches.
Bradley Manning was a United States military analyst in Iraq who had access to classified
information via the secure Secret Internet Protocol Router Network. He disclosed confidential
military data to a database-driven website called WikiLeaks. WikiLeaks describes its service as
an “uncensorable system for untraceable mass document leaking”. (Moss, 2010) The release of a
massive cache of sensitive government records has the potential to do serious damage to national
security. Manning is being charged with delivering secure national defense information, including
diplomatic cables, to an unauthorized source, with the illegal transfer of classified data onto a personal
device, and with adding unauthorized software onto a classified computer system. Manning
explained in an online chat with fellow hackers that "weak servers, weak logging, weak physical
security, weak counter-intelligence, inattentive signal analysis" (Dilanian, 2010) made it possible
for him to execute the data theft.
The evolution of technical infiltration and theft is progressing; insiders are able to exploit
their organization-specific knowledge and use it to support their technical expertise while
executing an attack. Insiders are knowledgeable of the system and are aware of the security holes
within it; this makes it easier for them to exploit the vulnerabilities of the system or its procedures.
Due to their system privileges and supporting knowledge, it is reasonable to state that insiders
have a higher probability of successfully breaching a system than an external hacker. The
following paragraphs will discuss the major alternative techniques and strategies that could be
executed in an insider theft attack scenario.
There are different possible locations from which attacks can originate, for example
within the internal system perimeter, through remote access, or over the internet. With insiders it is especially
necessary to consider the direct physical security of an authenticated computer network.
According to a major survey conducted by the U.S. Secret Service and CERT, “the majority
of crimes were committed during normal working hours using authorized access.” (Carnegie
Mellon, 2008, p. 11) There are many possibilities for an attacker to access a secure system. For
example, if the data the attacker is attempting to access is on a computer they do not have the
password to, the attacker can use the trust established with co-workers to trick them into providing
access to the system. If they cannot directly gain access, they could verbally pry for secrets that
would get them access to the system; this form of attack is known as social engineering. Social
engineering can be as simple as an attacker probing a computer that was left logged on. An
attacker who can gain access to a secured machine could quickly install malicious code onto the
machine and steal data undetected.
An insider may plant malware internally that sends data to a server on the outside; that
way, when an unsuspecting user logs in, the data leaves the company, making it harder to trace.
The malware can be set on a timer and run behind a program; doing so will make it less likely
that the user will notice. The prior knowledge of the organizational programs and procedures that
an insider would possess makes it easier to facilitate an attack. Explicit deception will make it
more difficult for the organization to suspect or detect the rogue employee. “About a third (34%)
of the insiders used deception to hide their plans for the theft of IP.” (Moore, 2009, p. 10) This
figure may seem lower than expected, but it is important to consider that many insiders,
especially those who feel a sense of entitlement, may not feel it necessary to dissimulate their
activities.
Address Resolution Protocol poison routing can be used by an insider to attack the local-
area network and take or block information. By sending out rogue spoofed messages the attacker
can associate their MAC address with the IP address of another node; hence any traffic intended
for the compromised IP address will be forwarded to the attacker instead. The attacker can then
choose to forward the information on to the actual node or modify it before sending. An insider
may choose to passively sniff the data, stealing information they consider valuable. Generally, it
is easier to manipulate TCP/IP communication as an insider since they are already within the
organization's firewall.
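A defender-side monitor for the ARP poison routing described above, written as an added example that is not part of the paper: it compares ARP replies seen on the LAN against a trusted baseline of IP-to-MAC bindings and raises alerts when a known IP is claimed by a different MAC or when one MAC starts answering for several IPs. The baseline, the sample replies and the addresses in them are all constructed.

```python
from collections import defaultdict

# Constructed trusted baseline of IP-to-MAC bindings, e.g. exported from the
# DHCP server or the switch's port tables before monitoring starts.
BASELINE = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.20": "00:11:22:33:44:20",  # file server
    "10.0.0.57": "00:11:22:33:44:57",  # employee workstation
}

# Constructed ARP replies seen on the LAN: (timestamp, sender IP, sender MAC).
# The last two replies show the workstation answering for the gateway and the
# file server, the traffic-redirection pattern the paper describes.
SAMPLE_REPLIES = [
    ("09:01:03", "10.0.0.20", "00:11:22:33:44:20"),
    ("09:01:07", "10.0.0.1", "00:11:22:33:44:01"),
    ("09:02:15", "10.0.0.57", "00:11:22:33:44:57"),
    ("09:05:40", "10.0.0.1", "00:11:22:33:44:57"),
    ("09:05:41", "10.0.0.20", "00:11:22:33:44:57"),
]


def detect_arp_spoofing(replies, baseline):
    """Return alert strings for replies that contradict the baseline or show
    one MAC claiming several IPs; an empty list means nothing suspicious."""
    alerts = []
    bindings = {ip: mac.lower() for ip, mac in baseline.items()}
    ips_per_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # first sighting of an unlisted host
        elif known != mac:
            alerts.append(f"{ts} {ip} claimed by {mac}, baseline says {known}")
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        # Alert only when a MAC's set of claimed IPs grows beyond one, so a
        # host legitimately repeating its own reply does not re-trigger.
        if len(ips_per_mac[mac]) > max(before, 1):
            alerts.append(f"{ts} {mac} now answers for {sorted(ips_per_mac[mac])}")
    return alerts
```

On a real network the baseline would come from DHCP leases or switch tables and the replies from a capture tool; static ARP entries or switch-level dynamic ARP inspection remove the need for the host to trust replies at all.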
An insider could construct, test, plant, and deploy a logic bomb in the system. The
malicious function specified in the code of a logic bomb is activated when certain conditions are
met inside the network or when commanded by the attacker. A computer programmer can design
the logic bomb code to facilitate data theft by having it send proprietary information to
unauthorized systems. Logic bombs do not replicate themselves or spread over the network as
some other malicious programs do; therefore it is easier to target a specific victim or goal. In a
series of case studies conducted by Carnegie Mellon University, “an insider prepared for the
future release of a logic bomb by systematically centralizing the critical manufacturing programs
for his organization onto a single server.” (Band, 2006, p. 27) This technique makes the attack
easier to execute and results in greater damages. This form of attack is difficult to detect within
the system, and since the attacker does not need to perform the exfiltration personally, it is unlikely
that the attacker will be identified by tracing the communication. Certain deployment methods can even
be used to frame other employees, for example by using a colleague's compromised account to commit the
attack.
It is also plausible for the insider to use their legitimate access to create a backdoor
account and then use this account to plant and deploy the bomb or other malicious code. A
backdoor account is an unauthorized account that has been created by the attacker and is
unknown to the operators of the system. Another illegitimate system access path is the use of
disregarded, inactive accounts. It is also possible to search for and use old password files that
may have been created during a system backup and are now forgotten in the system storage.
In the many circumstances where the attacker holds a position at an institution with full data
access privileges, a malicious insider can simply copy proprietary files onto a CD or USB drive. This is
one of the techniques used by Bradley Manning in the WikiLeaks incident. At that time workers
were permitted to use CDs or other media for data transfer among the computer systems; Manning
explained that he "would come in with music on a CD-RW labeled with something like ' Lady
Gaga' … erase the music … then write a compressed split file. No one suspected a thing."
(Dilanian, 2010)
Damages resulting from insider theft are vast, ranging from monetary repercussions, to
operational impacts, to reputational damage. High profile infrastructures tend to suffer greater
reputational damage due to the massive public exposure. Countermeasures enable organizations
to minimize risk and potential losses due to insiders. Compliance with prevention techniques such
as an auditing system will have a positive effect on security efforts. Finally, it is vital to be
observant of employees: malicious insiders often exhibit technical and behavioral violations,
such as testing after work hours, that could have indicated a potential theft
attack.
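The backdoor and inactive-account paths described earlier, and the after-hours activity this closing paragraph names as a warning sign, can both be checked by a routine audit. The following is an added example, not part of the paper: it cross-checks a system's account export against the HR roster of authorized users, flags accounts HR does not know about or that have been dormant longer than a threshold, and flags logins outside an assumed 08:00 to 18:00 weekday window. The roster, accounts, login events and the 90-day and business-hours thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

AUDIT_DATE = datetime(2011, 6, 15)        # constructed audit date
BUSINESS_HOURS = (8, 18)                  # assumed policy: 08:00-18:00 weekdays
DORMANT_AFTER = timedelta(days=90)        # assumed dormancy threshold

# Constructed HR roster of people who are authorized to hold accounts.
HR_ROSTER = {"jsmith", "alee", "rpatel"}

# Constructed account export from the system: username -> last successful login.
ACCOUNTS = {
    "jsmith": datetime(2011, 6, 14, 9, 5),
    "alee": datetime(2011, 6, 14, 16, 40),
    "rpatel": datetime(2011, 2, 1, 10, 0),        # project ended, never disabled
    "svc_backup2": datetime(2011, 6, 13, 23, 55),  # absent from the HR roster
}

# Constructed login events: (username, timestamp, host).
LOGINS = [
    ("jsmith", datetime(2011, 6, 14, 9, 5), "ws-17"),
    ("alee", datetime(2011, 6, 14, 16, 40), "ws-22"),
    ("svc_backup2", datetime(2011, 6, 13, 23, 55), "fileserver01"),
    ("jsmith", datetime(2011, 6, 12, 2, 10), "fileserver01"),   # Sunday 02:10
]


def audit_accounts(accounts, roster, audit_date=AUDIT_DATE):
    """Return (unknown_accounts, dormant_accounts) as sorted lists.

    Unknown accounts exist on the system but not in HR's roster, the shape of
    a backdoor account; dormant accounts have not logged in within the
    threshold and are candidates for the inactive-account path."""
    unknown = sorted(user for user in accounts if user not in roster)
    dormant = sorted(user for user, last_login in accounts.items()
                     if audit_date - last_login > DORMANT_AFTER)
    return unknown, dormant


def after_hours_logins(logins, hours=BUSINESS_HOURS):
    """Return the login events that fall on a weekend or outside business hours."""
    start, end = hours
    return [(user, ts, host) for user, ts, host in logins
            if ts.weekday() >= 5 or not start <= ts.hour < end]
```

Each finding is only a lead for review, not proof of misuse; a service account or a night-shift role is often legitimate, so the value of the audit lies in the follow-up conversation with the account owner's manager.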
References
2008 CERT Research Annual Report. Carnegie Mellon University Software Engineering Institute, U.S. Department of Defense, and CERT (2008). http://www.cert.org/research/2008research-report.pdf
2010 Verizon Data Breach Investigations Report. Verizon RISK Team in cooperation with the United States Secret Service (2010). http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Band, S. R., Cappelli, D. M., Fischer, L. F., Moore, A. P., Shaw, E. D., & Trzeciak, R. F. (2006). Comparing insider IT sabotage and espionage: A model-based analysis. Technical Report, Carnegie Mellon University, Software Engineering Institute. www.cert.org/archive/pdf/06tr026.pdf
Dilanian, K. (2010, December 4). Leaks may clog up anti-terrorism intelligence sharing. Los Angeles Times. Retrieved from http://articles.latimes.com/2010/dec/04/nation/la-na-wikileaks-siprnet-20101205/2
Franqueira, V. N. L., & van Eck, P. (2006). Defense against insider threat: A framework for gathering goal-based requirements. Technical Report TR-CTIT-06-75, University of Twente. http://eprints.eemcs.utwente.nl/9615/01/EMMSAD07_TR_v2.pdf
Identity Theft Resource Center. (2010, January 8). Data breaches: The insanity continues. Retrieved June 10, 2010, from http://www.idtheftcenter.org/artman2/publish/lib_survey/Breaches_2009.shtml
Lazarus, D. (2011, May 24). Bank of America data leak destroys trust. Los Angeles Times. Retrieved from http://www.latimes.com/business/la-fi-lazarus-20110524,0,3701056,full.column
Moore, A. P., Cappelli, D. M., Caron, T. C., Shaw, E. D., & Trzeciak, R. F. (2009). Insider theft of intellectual property for business advantage: A preliminary model. Paper delivered at The First Workshop on Managing Insider Security Threats, Purdue University. www.cert.org/archive/pdf/11tn013.pdf
Moss, S. (2010, July 14). Julian Assange: The whistleblower. Retrieved from guardian.co.uk: http://www.guardian.co.uk/media/2010/jul/14/julian-assange-whistleblower-wikileaks
Appendix A - Tree structures of attack strategies
[Figures not reproduced in this copy: Pre-attack tree structure; Gain access tree structure; Abuse access tree structure. Adapted from Franqueira, V. N. L., & van Eck, P. (2006). Defense against insider threat: A framework for gathering goal-based requirements. Technical Report TR-CTIT-06-75, University of Twente. http://eprints.eemcs.utwente.nl/9615/]