In the last decade, network security has been synonymous with the external threat. IT professionals have been tasked with protecting against viruses, hackers and other attacks that could devastate the organization. As a result, security spending has focused on technology to combat these threats. In 2004, companies spent more than $4.6 billion on technology associated with antivirus, web filtering and messaging security software, according to analyst firm IDC.
With the focus on “keeping the bad guys out,” Corporate America has left itself wide open for attacks from trusted insiders – employees, contractors, vendors, customers and partners. According to the U.S. Secret Service and CERT Insider Threat Study, 83 percent of the security incidents took place from within the organization. Industry analysts also point to trusted insiders as being responsible for 70 to 80 percent of the security breaches in the United States (with similar statistics existing throughout the world).
If 83 percent of the attacks originate from the inside, then why has so little been done to protect against insider hacker activity and the internal threat? According to IDC, only $253 million was spent on Outbound Content Compliance solutions in 2004, equating to less than 6 percent of content security budgets. With multiple cases of reported insider attacks from well-known companies such as Bank of America, Progressive and Wachovia Bank, the mindset is slowly beginning to change, and companies are starting to look inward to ensure protection against the newest and perhaps the most costly threat.
Introducing the Newest Threat
Why has malicious insider activity only recently become front-page news? Prior to California Senate Bill 1386 enacted in 2003, companies did not have to publicly reveal if a security breach had occurred. With the passing of this legislation, organizations conducting business in California are required to inform residents if their unencrypted Personal Information was obtained by an unauthorized individual. With identity theft on the rise, several states have followed California’s lead and passed security breach notification legislation. To date, 33 states have enacted laws and a new federal regulation is expected in 2007.
Because companies are now required to report security breaches, it has become apparent that trusted insiders have not been as loyal as many people once believed. In the last year, the Privacy Rights Clearinghouse has reported more than 19 million accounts stolen by dishonest insiders and this number continues to grow at an alarming rate. A recent Ponemon Study reported that 69 percent of data security breaches are the result of insiders, while only 16 percent were caused by outside hackers or external penetration.
So, why is this newest threat proving to be the most costly? Companies tend to believe in the team mentality that once you are in, you are one of the trusted few. As a result, corporations provide employees with access to the crown jewels - databases filled with customer lists, personnel information, product roadmaps and plans, intellectual property and other valuable company secrets. User IDs and passwords are freely issued to authorized individuals.
What happens to this authorization and access if an employee leaves the company or moves to another department or division? Oftentimes authorization remains intact. The Georgia Technology Authority found this out the hard way when it caught an employee who stole 465,000 customer records over a three-year period. The employee downloaded the data from a server he was no longer supposed to have access to. Couldn’t happen at your company? Think again.
How to Identify Insider Hacker Behavior
Inside hacker attacks and internal breaches don’t just happen; they are planned over the course of weeks, months and even years. According to the U.S. Secret Service and CERT Insider Threat Study, not only did insider threat cases take place within the insider’s organization, but 81 percent of the incidents were planned in advance, and 70 percent were planned during working hours. In addition, in 85 percent of the incidents, another party had knowledge about the insider’s intentions, plans and/or activities. That’s why it’s crucial for companies to recognize behavioral patterns that can indicate the potential for malicious activity such as:
1. Disgruntled behavior
2. Conflict with other employees
3. Violent language
4. Hacker research and discussions
5. Potential resignation
6. Unauthorized access to systems
7. Excessive and repetitive Internet abuse
These behaviors indicate an inherent lack of loyalty and interest in the company and can be barometers for potential insider hacker activity and/or other insider risk.
Dishonest insider activity is no longer an abnormal occurrence, and companies throughout the United States are feeling the impact. In April 2005, seven employees from Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp stole more than 676,000 customer accounts and sold them for $10 each. The cost of simply replacing a debit or credit card is more than the information was sold for, not to mention all the media attention and other financial, legal and reputation costs associated with this breach. These employees were treated as trusted insiders and instead displayed a total disregard for the banks that employed them.
The Cost of the Inside Hacker
From 2005 to the present, more than 93 million cases of stolen account information occurred in hundreds of organizations across the United States. Regardless of whether it was an internal or external hacker attack, the consequences have been startling. There are several costs a company can expect to experience as a result of a security breach including:
1. Immediate decrease in stock price
2. Communication fees to alert affected individuals
3. Legal fees
4. Unwanted media attention
5. Scrutiny from the Board of Directors and Stakeholders
6. FTC fines
7. Civil action law suits
8. Increased spending on security technology and personnel
9. Audits every two years for the next 20 years
10. Brand and reputation damage
11. Potential loss of customers
Content Monitoring & Categories
Considering the enormous consequences, corporations need to take proactive measures to protect themselves against the internal threat. Security guidelines around user authorization are imperative, but do not provide insight into the behavior of potential malicious activity.
Multi-protocol content monitoring solutions are a new breed of software that has emerged to provide security professionals with visibility into all insider risk and advance warning of potential insider hacker attacks. Multi-protocol content monitoring analyzes all internet-based communication by reading the actual content, understanding the context of the communication and examining the structure and metadata associated with it to identify a violation. This software goes far beyond keyword searches and cannot be fooled by changing file names or internal document content.
Pre-defined categories or policies search communication and attachments for violations of corporate policy and suspicious activity that can lead to compliance violations, customer data loss or intellectual property theft.
Insider Hacker Activity Categories
Categories specifically addressing insider hacker activity look for incidents such as hacker research, suspicious IMAP or POP activity, installation of backdoors or keylogger applications, unauthorized server attempts and suspicious root activity. By analyzing the content and the activity, content monitoring software can provide a string of events that can track intent of action by an insider who may be working independently or with outsiders to plan an attack.
A string of events for insider hacker activity may look something like this:
In each event, the actual communication or data is displayed exactly as it was at the time of capture. This allows the reviewer to immediately identify the violation and the seriousness of the incident to prevent customer data loss, intellectual property thefts or a compliance violation.
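The "string of events" idea above, as an added illustration that is not Vericept's code: constructed monitoring events are tagged with the page's insider hacker categories, grouped per user into a time-ordered chain with the captured content kept verbatim, and a user is flagged when the chain escalates from research to action. The category weights and threshold are assumptions for the example.

```python
"""Correlate content-monitoring events into a per-user string of events."""
from collections import defaultdict
from datetime import datetime

# Categories named in the article; weights are a constructed illustration,
# roughly ordered by how far along an insider attack each category sits.
CATEGORY_WEIGHT = {
    "hacker_research": 1,
    "suspicious_mail_activity": 1,        # suspicious IMAP/POP use
    "unauthorized_server_attempt": 3,
    "backdoor_or_keylogger_install": 4,
    "suspicious_root_activity": 4,
}

# Constructed sample events: (timestamp, user, category, captured content).
SAMPLE_EVENTS = [
    ("2006-03-01T09:12", "jdoe", "hacker_research", "IM: asked how to get around the db server's access controls"),
    ("2006-03-01T10:05", "asmith", "hacker_research", "web: read an article on password hashing"),
    ("2006-03-08T22:41", "jdoe", "unauthorized_server_attempt", "ssh login denied: cust-db-01"),
    ("2006-03-15T23:02", "jdoe", "backdoor_or_keylogger_install", "download: keylogger-setup.exe"),
    ("2006-03-16T01:17", "jdoe", "suspicious_root_activity", "sudo su - on cust-db-01"),
]

def build_timelines(events):
    """Group events by user and sort by time; captured content is kept as-is for the reviewer."""
    timelines = defaultdict(list)
    for ts, user, cat, content in events:
        timelines[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), cat, content))
    for user in timelines:
        timelines[user].sort()
    return timelines

def score_timeline(timeline):
    """Risk score is the sum of weights; escalating is True once research is followed by action."""
    cats = [cat for _, cat, _ in timeline]
    score = sum(CATEGORY_WEIGHT[c] for c in cats)
    escalating = "hacker_research" in cats and any(CATEGORY_WEIGHT[c] >= 3 for c in cats)
    return score, escalating

def flag_users(events, threshold=5):
    """Return {user: (score, escalating, days from first to last event)} for users worth review."""
    flagged = {}
    for user, tl in build_timelines(events).items():
        score, escalating = score_timeline(tl)
        if score >= threshold or escalating:
            flagged[user] = (score, escalating, (tl[-1][0] - tl[0][0]).days)
    return flagged
```

A lone research hit (asmith) stays below threshold, while jdoe's chain spanning two weeks is surfaced with its full, unaltered event content for review.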
Content monitoring software goes beyond traditional monitoring by identifying hacker conversations via email, instant messaging, personal blogs or web postings. It can identify exactly what information is being transmitted regardless of file type, port or protocol. It can identify research, download attempts and transmission. And, it can identify suspicious behavior three days, three weeks or even three months before an attack is going to occur.
By analyzing all insider behavior that could lead to a potential security breach, security professionals are provided with the information necessary to protect themselves against the new insider threat and identify insider hacker activity before it ever becomes an issue.
Looking forward
It is clear that Corporate America must begin to more diligently address the threat posed by organizational insiders. With alarming statistics surrounding the effects of insider hacker activity and its consequences on an organization, security professionals are seeking visibility into potentially damaging attacks before they occur. Multi-protocol content monitoring solutions provide these professionals with the visibility and insight needed into the who, what, where and when, allowing Corporate America to protect itself from the financial, reputation and legal pitfalls of an attack.
About the Author:
Karen Hirschhorn is the Director of Partner and International Strategy for Vericept Corporation. She has worked in both the U.S. and Europe holding key positions for Fortune 500 companies and small/medium companies. She can be reached at khirschhorn@vericept.com.