Insiders - insights, trends and possible solutions

A recent research of the content monitoring market, and the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" I've recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time, in fact, I have featured a short article entitled “Insiders at the workplace - trends and practical risk mitigation approaches” in Issue 18 of the monthly security newsletter you can freely subscribe yourself to!

Insider as a definition can be as contradictive as the word “cheater” is :-) Does an individual become an insider even when thinking about it, or turns into such prior to initiating an action defined as insider’s one? The same way, can someone be defined as a “cheater” just for thinking about what’s perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and is this moment of any importance to tackling the problem?

The biggest trade-off as far as the insider’s problem is concerned is between dealing with the problem while ensuring productivity, and that the company’s work environment isn’t damaged -- exactly the opposite. And while productivity is extremely important, the direct, or most often indirect and long-term loss of intellectual property theft is currently resulting in a couple of billion dollar unmaterialized revenues for nations/enterprises across the globe.

Going through 2004's “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage”, a major trend needs to be highlighted as I greatly believe it’s a global one, namely, private enterprises efforts to obtain access to sensitive technologies in unethical way, outpaces a foreign government’s efforts to do the same. Corporations spy more on one another than governments do, but is this truly accurate? I don’t think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies to conduct national funded economic espionage is a growing trend, and the lines in this area are so blur, we should therefore try to grasp the big picture when it comes to national competitiveness -- both companies and nations directly/indirectly benefit from possible economic/industrial espionage, and you can’t deny it!

Yet another important fact to keep in mind, is the unusually high success of the oldest, and most common sense social engineering attack -- asking!! In certain cases a social engineer will inevitably establish contact with customer-service obsessed personnel taking care of you all your requests! A certain organization’s members may experience troubles differentiating sensitive and secret information, not taking the first one as serious as they should. Even worse -- U.S Secret Service and CERT’s “Insider threat Study : Illicit Cyber Activity in the Banking and Finance sector” reveal that,”83% of the insider threat cases took place physically from within the insider’s organization, and another 70% in all cases, the incidents took place during normal working hours”! No secretaries or CEO’s logging in at 3:00AM, and in this case, the lack of detected security incidents posed by insiders, means they are already happening!

Though, I have always looked at the insider’s issue, from both negative and positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, it can if you take into account the U.S government’s efforts to locate democratically minded individuals living in countries with restrictive regimes, or active Internet censorship efforts.

Now given, you are truly interested in the democratization of this particular region, and not another successful PSYOPS operation, being able to locate, establish, and actually, maintain contact with these individuals will prove crucial in case of a objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming for certain regions, and focusing on locating insiders within rogue states has been a common practice for years.

Is there a market for protecting from intellectual property theft and sensitive information leakage? If so, how does it ensures today’s digital workplace, and road warriors’s flexibility is not sacrificed for the sake of protecting the company’s resources? Mind you, the current solutions scratch only the surface of the issue -- creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it’s like one way authentication(passwords) when it comes to access control-- the first line of defense, but among the many other!

The insiders’ problem is far more broader one and given the today’s complexity and connectivity, a possible insider’s actions will most often constitute of normal daily activities. But what is the market up to anyway?

Currently, the content monitoring market is steadily growing fueled by the need of ensuring information marked as sensitive, or intellectual property doesn’t leave the company’s premises, or is alerted when someone attempts to transfer it, due to negligance or on purposely!

The main players are : Vontu, Tablus, Reconnex, and Vericept.

Whereas these solutions are a great concept,they all mainly rely on content analysis,and sensitive information signatures,monitoring multiple exit point)(email,web,chats,forums,p2p,ftp, even telnet), namely, reactive protection, while sophisticated insider’s actions may remain hidden due to covert channels or 0day vulnerabilities in the vendor’s product for instance!

Something else to consider, is should a IP(intellectual property) trap be considered as a benchmark for insider tensions?! In other words, should you consider an employee that has been on purposely sent a link containing company information he/she isn’t supposed to have access to, but has clicked to obtain it? Stanford thinks – yes! The University suspended potential candidates for obtaining info on their admission process only by following a link..you are either a one or zero, right?

Honeypots targeting insiders have also been discussed a long time ago by Lance Spitzner, from the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious behavioral based mostly.

From an organization’s point of view, take into consideration the following :
- Clearly communicate the consequences, both individual and career, in case an insider is somehow identified, based on the company’s perception of the problem

- Ensure the momentum of negative attitude towards the organization is minimized to the minimum to ensure the lack of to-be-developed post-effect negative sentiments

- Do no fell victim of the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks, technology is as often happens, the faciliator of certain actions

- Does system identification accountability have any actual effect? My point, does as user’s loss of accounting data, resulting in successful attack is anyhow prosecuted/tolerated. If it isn’t, this puts any employee in extremely favorable “it wasn’t my fault” position, where the data could be shared, on purposely exposed, sold, pretended to be stolen etc.

- Building active awareness towards the company’s efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation’s point of view, the following issues should be taken into consideration :
- In today’s increasingly transparent and based on digital flow of information marketplace, open source intelligence capabilities played a leading role in the development of cost-effective competitive intelligence solutions. Even though, nations or their companies are very interested in exploiting today’s globalized world.

- Ensuring the adequate security level of the private and academic sectors’ infastructure(where research turns into products and services, or exactly the opposite) through legislations, or further incentives, will improve the national competitiveness, while preserving the current R&D innovations, as secret as necessary.

- Outsourcing should be considered as a important factor contributing to information leakage, and the individuals involved, or the company’s screening practices, should be carefully examined.

- A fascinating publication that I recently read is “Quantifying National Information Leakage” describing the implications of the Internet’s distributed nature, namely to what extend, U.S Internet traffick is leaking around the world, where it “passes by”. A nation’s habit or lack of efficient alternative of plain-text communications can prove tricky if successfully exploited. Of course, this doesn’t include conspiracy scenarios of major certificate authorities breached into.

The insiders’ problem will remain an active topic for discussion for years to come given its complexity and severity of implications. Insiders’s metrics are a key indicator for patterns tracking, whereas their creativity shouldn't be underestimated at any cost!

In case you are interested in various recommended reading, statistics, and other people’s point of view, try this research :

Understanding the Insider Threat - Proceedings of a March, 2004 Workshop

A Target-Centric Formal Model For Insider Threat and More

Analysis and Detection of Malicious Insiders

Insider Threat : Real Data on a Real Problem

Insider Threat Study : Computer System Sabotage in Critical Infrastructure Sectors

Preliminary System Dynamics Maps of the Insider Cyber-threat Problem

Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage

Preventing Insider Sabotage : Lessons Learned From Actual Attacks

Technorati tags : insiders,insider,espionage,enterprise risk management,security,information security

Cyberterrorism - don't stereotype and it's there!

I wrote my first article on “Cyberterrorism – an analysis”(in Bulgarian, HiComm Magazine) back in 2003, arguing that Cyberterrorism is a fully realistic scenario, given you don’t picture terrorists melting down nuclear power plants over the Internet, but an organization determined to achieve all of its objectives, and using the digital medium to do so.



My second article "Cyberterrorism and Cyberwars - how real's the threat?"(in Bulgarian, CIO.bg) was greatly extended, and so was my understanding of the concept by the time. I often come across badly structured articles on the topic, even worse, ones starting to discuss the wrong concept -- the biased one! Where terrorists try to attack the critical infrastructure, well, they wouldn’t, they’d rather abuse instead of destroying it!

Merely evaluating a terrorist groups ability to conduct devastating DDoS attacks, or hack into U.S government computers, is the biased wrong concept I just mentioned. If terrorist groups want DDoS power, they wouldn’t rewrite their training manuals, instead, they would simply hire the people to do it, or request on point’n’click interface for their actions. Can this kill a person? If yes, how come, if not, is this Cyberterrorism at all?

Thinking about complex topics always involves dimensional approach, understanding of motives, and implying a little bit of marginal thinking to grasp the big picture. Terrorists killing people over the Internet myth is greatly influenced by the success of any terrorist organization’s “PR” activities – spread fear, and build active propaganda though taking lives, and distributing the freely available media later on. So, if no lives are taken, why call it terrorism? Mainly because, cyberterrorism in my point of view isn’t an entirely new concept as some try to put it, it’s an extension of real life terrorism activities into cyberspace, and its evolution at a later stage.

Starting from the basic premises that terrorists need to communicate with each other, keep themselves up-to-date in today’s OSINT(open-source intelligence world), recruit potential members, and continue their active propaganda taking advantage of Internet’s many joys, in respect to anonymity(given it’s achieved), speed, and a bit of a black humor – interactivity!

Cyberterrorism as a concept from my point of view consists of their need for :

- platform for communication
No other medium can provide better speed, connectivity, and most importantly anonymity, given it’s achieved and understood, and it often is. Plain encryption might seem the obvious answer, but to me it’s steganography, having the potential to fully hide within legitimate (at least looking) data flow. Another possibility is the use secret sharing schemes. A bit of a relevant tool that can be fully utilized by any group of people wanting to ensure their authenticity and perhaps everyone’s pulse, is SSSS - Shamir's Secret Sharing Scheme. And no, I’m not giving tips, just shredding light on the potential in here! The way botnets of malware can use public forums to get commands, in this very same fashion, terrorists could easily hide sensitive communications by mixing it with huge amounts of public data, while still keeping it secret.

- platform for open source intelligence

Undoubtedly, there has never been so much publicly accessible information that could aid in the organizing and plotting terrorist acts. Measure the impact of a certain bombing? – check out the news and figure out what has changed ever since, research and obtain digital photos, even satellite imagery, it’s available. Try to figure out the latest specifications for RFID passports to come, and why it matters to you – keep on reading the specifications..! Transparency is always tricky!

The way a government can successfully identify terrorist sentiments around the Web, even precise sites to be put under close surveillance, terrorists on the other hand keep track of each and every major/minor global change anyhow affecting their goals or ambitions.

- platform for propaganda/recruitment

Now, don’t picture “Outstanding CV, here’s the address of our training camp in Pakistan, please, first introduce the idea to your friends, then share the address. Nuke the planet!” type of conversation :-)

Recruitment over the Internet is a contradictive topic, and many will argue that it’s irrelevant. I can argue too that there are people for all kinds of things, from maintaining mailings lists, to acting as freelancers whenever a resource, like an infected PC for anonymous communication is needed. Believe it or not, terrorists are silently but very actively building a web presence. In fact, these days you could even download execution clips directly from a terrorist’s web site. What’s else to note is the irony of how many terrorists web sites are actually hosted on U.S service provider’s servers, and you keep on looking for them around the world, check your backyard before looking at the neighbors :-)

Another important aspect of recruiting in such a way, is the location of people with obsessive
islamic views, someone actively expressing his/her hate towards the U.S and actually being of any use. For instance, there are cases of terrorist propaganda malware, where the author(a teenager, or sophisticated attacks?!) clearly expresses his/her support towards a “cause”.

This case is like the one I mentioned in my previous post concerning insiders, that is the way U.S government looks for democracy minded individuals in restrictive regime countries(the Win32/Cycle.A.worm), the very same way terrorists could spot similarly minded individuals holding important positions or knowledge on certain topic. Are any of these people screaming for recruitment, and would somebody listen?

- direct attack exploitation possibllities (people eventually die?!)

Is the electronically obtained a major food manufacturer's facility truck schedules of any use to terrorists interested in eventually hijacking and

Someone once mentioned a scenario related to U.S RFID passports, namely a bomb could automatically detonate, given there’re certain number of "broadcasted", note the term, U.S citizens around, that’s scary, but how about the same applies to mobile malware detecting U.S carriers for the same purpose?!

In the last article I wrote on the topic, I made an argument on where’s the line of a 19 year’s old boy shutting down 911 through ingenious technique for the fun of it, and a terrorist organization exploiting vulnerability in the system at a crucial moment in time let’s say?! What if people die out of the teen’s actions, but the terrorists’ attempt is quickly detected? Should cyberterrorism be judged based on the motives, or who’s actually behind it? I think it’s a combination of both!

- indirect attack exploitation possibilities
Should a terrorists’ use of phishing attacks, where the revenues go directly into funding further terrorist activities, both, cyber, real-life actions be considered an option?

Should a terrorist’s actions for hiring a person, directly obtaining certain social numbers, sensitive and detailed financial information, or anything else to assist a successful identity theft, with the idea to impersonate for a real-life terrorist scenario be considered an option? Yes, they both should!

This particular list is endless, the scenarios I can only leave to someone else’s psychological
imagination!

My worst case scenarios,though, consist of terrorists realizing the impact a target/mass directed intellectual property theft, cryptoviral extortion attack targeting the majority of U.S businesses. And as I often say, it’s all a matter of coordination with the idea to increase the impact!

To conclude, Terrorists are not rocket scientists unless we make them feel so!
Consider going through the following research for different point of views, and key facts :

How Modern Terrorism Uses the Internet

Examining the Cyber Capabilities of Islamic Terrorist Groups

The Power Failure and the Internet

Telecom - The Terrorism Risk

Emerging Terrorist Capabilities for Cyber Conflict against the U.S. Homeland

Myths and Realities of Cyberterrorism

Terrorism, Cyberspace and The First Amendment

Information Warfare: The Perfect Terrorist Weapon

Cyberland Security: Organised Crime, Terrorism and The Internet

Cyber Terrorism: Mass Destruction or Mass Disruption?

Cyber Warfare: An Analysis of the Means and Motivations of Selected Nation States

Technorati tags : cyberterrorism, terrorism, al qaeda, internet terrorism

Insiders - insights, trends and possible solutions

A recent research of the content monitoring market, and the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" I've recently read, prompted me to post an updated opinion on this largely unsolved issue.

I have been keeping an eye on the insider problem for quite some time, in fact, I have featured a short article entitled “Insiders at the workplace - trends and practical risk mitigation approaches” in Issue 18 of the monthly security newsletter you can freely subscribe yourself to!

Insider as a definition can be as contradictive as the word “cheater” is :-) Does an individual become an insider even when thinking about it, or turns into such prior to initiating an action defined as insider’s one? The same way, can someone be defined as a “cheater” just for thinking about what’s perceived as cheating, compared to actually doing anything?! :-) When does one become the other, and is this moment of any importance to tackling the problem?

The biggest trade-off as far as the insider’s problem is concerned is between dealing with the problem while ensuring productivity, and that the company’s work environment isn’t damaged -- exactly the opposite. And while productivity is extremely important, the direct, or most often indirect and long-term loss of intellectual property theft is currently resulting in a couple of billion dollar unmaterialized revenues for nations/enterprises across the globe.

Going through 2004's “Annual Report to Congress on Foreign Economic Collection and Industrial Espionage”, a major trend needs to be highlighted as I greatly believe it’s a global one, namely, private enterprises efforts to obtain access to sensitive technologies in unethical way, outpaces a foreign government’s efforts to do the same. Corporations spy more on one another than governments do, but is this truly accurate? I don’t think so! The use of freelancers, among them ex-intelligence officers or experienced detective agencies to conduct national funded economic espionage is a growing trend, and the lines in this area are so blur, we should therefore try to grasp the big picture when it comes to national competitiveness -- both companies and nations directly/indirectly benefit from possible economic/industrial espionage, and you can’t deny it!

Yet another important fact to keep in mind, is the unusually high success of the oldest, and most common sense social engineering attack -- asking!! In certain cases a social engineer will inevitably establish contact with customer-service obsessed personnel taking care of you all your requests! A certain organization’s members may experience troubles differentiating sensitive and secret information, not taking the first one as serious as they should. Even worse -- U.S Secret Service and CERT’s “Insider threat Study : Illicit Cyber Activity in the Banking and Finance sector” reveal that,”83% of the insider threat cases took place physically from within the insider’s organization, and another 70% in all cases, the incidents took place during normal working hours”! No secretaries or CEO’s logging in at 3:00AM, and in this case, the lack of detected security incidents posed by insiders, means they are already happening!

Though, I have always looked at the insider’s issue, from both negative and positive point of view. Can an insider be of any use for the good of a free speech organization or a government? Yes, it can if you take into account the U.S government’s efforts to locate democratically minded individuals living in countries with restrictive regimes, or active Internet censorship efforts.
Now given, you are truly interested in the democratization of this particular region, and not another successful PSYOPS operation, being able to locate, establish, and actually, maintain contact with these individuals will prove crucial in case of a objective picture of what exactly is going on there! Ignoring the local, totally biased news streaming for certain regions, and focusing on locating insiders within rogue states has been a common practice for years.

Is there a market for protecting from intellectual property theft and sensitive information leakage? If so, how does it ensures today’s digital workplace, and road warriors’s flexibility is not sacrificed for the sake of protecting the company’s resources? Mind you, the current solutions scratch only the surface of the issue -- creating digital signatures of data and trying to spot it leaving the network. While a commonly accepted approach, it’s like one way authentication(passwords) when it comes to access control-- the first line of defense, but among the many other!

The insiders’ problem is far more broader one and given the today’s complexity and connectivity, a possible insider’s actions will most often constitute of normal daily activities. But what is the market up to anyway?

Currently, the content monitoring market is steadily growing fueled by the need of ensuring information marked as sensitive, or intellectual property doesn’t leave the company’s premises, or is alerted when someone attempts to transfer it, due to negligance or on purposely!

The main players are : Vontu, Tablus, Reconnex, and Vericept.

Whereas these solutions are a great concept,they all mainly rely on content analysis,and sensitive information signatures,monitoring multiple exit point)(email,web,chats,forums,p2p,ftp, even telnet), namely, reactive protection, while sophisticated insider’s actions may remain hidden due to covert channels or 0day vulnerabilities in the vendor’s product for instance!

Something else to consider, is should a IP(intellectual property) trap be considered as a benchmark for insider tensions?! In other words, should you consider an employee that has been on purposely sent a link containing company information he/she isn’t supposed to have access to, but has clicked to obtain it? Stanford thinks – yes! The University suspended potential candidates for obtaining info on their admission process only by following a link..you are either a one or zero, right?

Honeypots targeting insiders have also been discussed a long time ago by Lance Spitzner, from the Honeynet Project. Another proactive protection would be to look for patterns defined as malicious behavioral based mostly.

From an organization’s point of view, take into consideration the following :
- Clearly communicate the consequences, both individual and career, in case an insider is somehow identified, based on the company’s perception of the problem

- Ensure the momentum of negative attitude towards the organization is minimized to the minimum to ensure the lack of to-be-developed post-effect negative sentiments

- Do no fell victim of the common misunderstanding that technology is the key to the solution. Insiders are the people your technology resources empower to do their daily tasks, technology is as often happens, the faciliator of certain actions

- Does system identification accountability have any actual effect? My point, does as user’s loss of accounting data, resulting in successful attack is anyhow prosecuted/tolerated. If it isn’t, this puts any employee in extremely favorable “it wasn’t my fault” position, where the data could be shared, on purposely exposed, sold, pretended to be stolen etc.

- Building active awareness towards the company’s efforts and commitment to fighting the problem will inevitably discourage the less motivated wannabe insiders, or at least make them try harder!

From a nation’s point of view, the following issues should be taken into consideration :
- In today’s increasingly transparent and based on digital flow of information marketplace, open source intelligence capabilities played a leading role in the development of cost-effective competitive intelligence solutions. Even though, nations or their companies are very interested in exploiting today’s globalized world.

- Ensuring the adequate security level of the private and academic sectors’ infastructure(where research turns into products and services, or exactly the opposite) through legislations, or further incentives, will improve the national competitiveness, while preserving the current R&D innovations, as secret as necessary.

- Outsourcing should be considered as a important factor contributing to information leakage, and the individuals involved, or the company’s screening practices, should be carefully examined.

- A fascinating publication that I recently read is “Quantifying National Information Leakage” describing the implications of the Internet’s distributed nature, namely to what extend, U.S Internet traffick is leaking around the world, where it “passes by”. A nation’s habit or lack of efficient alternative of plain-text communications can prove tricky if successfully exploited. Of course, this doesn’t include conspiracy scenarios of major certificate authorities breached into.

The insiders’ problem will remain an active topic for discussion for years to come given its complexity and severity of implications. Insiders’s metrics are a key indicator for patterns tracking, whereas their creativity shouldn’t be understimated at any cost!

In case you are interested in various recommended reading, statistics, and other people’s point of view, try this research :

Understanding the Insider Threat - Proceedings of a March, 2004 Workshop

A Target-Centric Formal Model For Insider Threat and More

Analysis and Detection of Malicious Insiders

Insider Threat : Real Data on a Real Problem

Insider Threat Study : Computer System Sabotage in Critical Infrastructure Sectors

Preliminary System Dynamics Maps of the Insider Cyber-threat Problem

Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage

Preventing Insider Sabotage : Lessons Learned From Actual Attacks

Technorati tags : insiders,insider,espionage,enterprise risk management,security,information security