Tuesday, April 7, 2009

Spotlight On: Programming Techniques Used as an Insider Attack Tool



How they strike
Nine of the insiders in these cases inserted malicious code with the intent of causing harm to their organization or to individuals. Six of the insiders used logic bombs to carry out their attacks. Other attack methods included
• social engineering
• sabotaging backup tapes
• compromising accounts
• deleting and modifying log files
• unauthorized access
• intentionally deploying a virus on customer systems

Spotlight On: is a quarterly report issued by the CERT Insider Threat Team.

The Insider Threat Team receives significant funding from CyLab.

As one of their benefits, CyLab's corporate partners receive each issue of Spotlight On three months prior to its public release.

So as Programming Techniques Used as an Insider Attack Tool is released to the public, CyLab's partners are now moving on to Malicious Insiders with Ties to the Internet Underground Community, which we will post here on CyBlog in 3Q09.

Spotlight On: Programming Techniques Used as an Insider Attack Tool includes analysis of numerous cases.

Similarities across Cases
While the number of cases analyzed for this article is limited, there are similarities worth noting. The majority of these cases were IT Sabotage cases,[1] which follow the escalation patterns documented in CERT’s MERIT model.[2] The MERIT model is a system dynamics model of the insider IT sabotage problem that elaborates complex interactions in the domain and unintended consequences of organizational policies, practices, technology, and culture on insider behavior.
In each of the fifteen cases, changes made by the insider may have been detected prior to the malicious code being deployed had the organization had change controls in place to detect unauthorized modifications to critical systems and software. Some of the organizations did use configuration management tools to track and log changes to critical software. However, either the tools did not prohibit software from being released without approval from a trusted second person, or the organization failed to audit the change control logs for unauthorized changes.
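The two gaps named in the excerpt (releases that went out without a trusted second person's approval, and change-control logs that nobody audited for unauthorized changes) can be checked mechanically. The script below is an added example, not code from CERT or the report; the record layout, field names, critical-system list and sample data are all assumptions constructed for illustration.

```python
"""Audit a change-control log for the two failure modes described above:
(1) software released without approval from a distinct second person, and
(2) deployments to critical systems with no matching approved change record.
Record formats and sample data are constructed assumptions, not a real tool's output."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ChangeRecord:          # one entry from a configuration-management tool
    change_id: str
    author: str
    approver: Optional[str]  # None when the change was released unapproved
    target: str              # system or software component changed
    status: str              # e.g. "released"

@dataclass
class DeployEvent:           # one entry from a release/deploy log
    target: str
    actor: str
    change_id: Optional[str] # None when the deploy carried no ticket reference

CRITICAL_TARGETS = {"payroll-app", "trading-engine"}  # constructed list

def audit(changes: List[ChangeRecord], deploys: List[DeployEvent]) -> List[Tuple[str, str]]:
    """Return (identifier, problem) pairs for every control violation found."""
    findings = []
    by_id = {c.change_id: c for c in changes}
    for c in changes:
        if c.status != "released":
            continue
        if c.approver is None:
            findings.append((c.change_id, "released without any approval"))
        elif c.approver == c.author:  # self-approval defeats the two-person rule
            findings.append((c.change_id, "author approved own change"))
    for d in deploys:
        if d.target not in CRITICAL_TARGETS:
            continue
        rec = by_id.get(d.change_id) if d.change_id else None
        if rec is None:  # deployed to a critical system with no change record
            findings.append((f"deploy:{d.target}", f"no change record for deploy by {d.actor}"))
        elif rec.target != d.target:
            findings.append((d.change_id, "deploy target differs from approved change"))
    return findings

# Constructed sample data: one clean change, one self-approved, one unapproved,
# and one deploy to a critical system that references no change at all.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1", "alice", "bob", "payroll-app", "released"),
    ChangeRecord("CHG-2", "carol", "carol", "trading-engine", "released"),
    ChangeRecord("CHG-3", "dave", None, "payroll-app", "released"),
]
SAMPLE_DEPLOYS = [DeployEvent("payroll-app", "alice", "CHG-1"),
                  DeployEvent("trading-engine", "erin", None)]

if __name__ == "__main__":
    for ident, problem in audit(SAMPLE_CHANGES, SAMPLE_DEPLOYS):
        print(ident, "-", problem)
```

Run against real change and deploy logs, the same checks flag exactly the conditions the excerpt says went unnoticed in these cases.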

Spotlight On: Programming Techniques Used as an Insider Attack Tool also articulates a number of practices to help in mitigating this particular aspect of the insider threat.

See also the third edition of CERT's Common Sense Guide to Prevention and Detection of Insider Threats, and its empirically-based insider threat risk assessment diagnostic.

To read a CyLab Chronicles Q&A with CERT Insider Threat Team leader Dawn Cappelli, click here.

For information on the benefits of partnering with CyLab, contact Gene Hambrick, CyLab Director of Corporate Relations: hambrick at andrew.cmu.edu

-- Richard Power