Insider Threat Deep Dive: IT Sabotage
By CERT Insider Threat Center on 09/22/2010
This entry is the first in a series of "deep dives" into insider threat.
Hi, this is Chris King from the CERT Insider Threat Center. Through the course of our research, we noticed that insiders couldn't be lumped into a single category. There are individuals who steal or commit fraud for profit, others who steal because of a sense of entitlement, and some who want to exact revenge against an organization simply because they are angry. We noticed a pattern in the ways insiders acted and were able to separate them into three main categories of crime: IT sabotage, theft of IP, and fraud. This entry focuses on IT sabotage.
IT sabotage is the type of crime many people associate with insider threat. We define IT sabotage as cases in which current or former employees, contractors, or business partners intentionally exceeded or misused an authorized level of access to networks, systems, or data with the intention of harming a specific individual, the organization, or the organization's data, systems, and/or daily business operations. The following are samples of the type of IT sabotage cases we have in our database:
- A system administrator who was fired refused to give up the administrator passwords, holding an entire organization hostage.
- A system administrator at a financial institution was terminated with no notice because his employer was dissatisfied with his work. After termination, the administrator used his remote access connection to gain entry to the organization's primary server and shut it down, causing a three-day outage for the organization.
- After resigning from her employer, a database administrator and project manager became disgruntled when she discovered that her equal employment opportunity (EEO) complaint was denied against her previous employer. She logged in to the organization's network using a coworker's account and was able to delete critical data from a system when she discovered the organization hadn't changed the shared password on the database administrator (DBA) account.
Based on the information in our database about insiders who commit IT sabotage, 86% held technical positions, and the majority of the crimes used sophisticated technical means to harm the organization. Of those insiders, 90% had administrator or privileged access at their organization, and 75% of the organizations experienced disruptions in business operations. Organizational reputation was affected by IT sabotage at 28% of the organizations.
These statistics can be frightening to any information security professional. How can you protect your organization from someone who has administrator access, knowledge of the systems, and often unlimited access to the network? Using a technique called systems dynamics modeling, we were able to understand how insiders commit IT sabotage, model how the crime tends to evolve over time, and identify what "pivot points" can be manipulated to possibly affect how an insider acts. Here is how you may be able to reduce your susceptibility to IT sabotage:
- Unmet expectations (not receiving a promotion, failing to receive a salary increase or bonus, being put on "boring" projects, etc.) are some of the top reasons insiders in our database committed their crimes. You can reduce the number of unmet expectations by promoting communication between managers and employees (such as encouraging regular employee reviews), taking action to address employee dissatisfaction when possible, and consistently enforcing policies for all employees.
- Employee disgruntlement is another reason insiders commit IT sabotage. While sanctioning an employee is one way to reduce negative behavior, it may backfire and cause an employee to act out more. Positive intervention in the form of employee assistance programs (EAP) can reduce negative behavior without causing further disgruntlement.
- Targeted monitoring is a technique that can help detect insiders before they commit their crime. If you notice an employee becoming disgruntled, begin focused monitoring of the insider's actions on the network. Look at items such as their browsing activity, network access, and accounts they are using (or creating). Escalate the issue if the employee's negative or suspicious behavior, both technical and non-technical, increases. Be aware of the legal issues associated with this type of monitoring—it may not be allowed in some states or countries. Consult your organization's legal counsel before implementing a monitoring strategy that focuses on higher risk employees.
- Eliminate unknown access paths, including backdoor accounts, shared system administrator accounts, and other group accounts. Identify how your privileged users access your systems—do they have remote access? Are there shared DBA accounts? Are firewalls using a common password? Then either reduce the use of shared accounts or remove them entirely. The goal is to be able to attribute every transaction to a specific individual.
- Take action upon demotion or termination. Demotions and terminations are some of the most common events that motivate an insider to sabotage an organization. When one of these events occurs, disable accesses immediately by reducing privileges, disabling accounts, or updating access controls.
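The last two recommendations (remove unattributable access paths, and cut access promptly on demotion or termination) can be checked mechanically against an account inventory. The script below is an added example, not CERT tooling; the `Account` records, the `HR_STATUS` feed and all employee ids are constructed to mirror the cases above (a shared DBA account, a firewall login nobody owns, a terminated admin whose remote access is still live).

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    system: str
    privileged: bool
    enabled: bool
    remote_access: bool
    owners: list = field(default_factory=list)  # employee ids; [] = nobody accountable

# Constructed HR status feed (employee id -> current status); not real data.
HR_STATUS = {"e100": "active", "e200": "terminated", "e300": "demoted", "e400": "active"}

# Constructed account inventory mirroring the post's case summaries.
INVENTORY = [
    Account("dba_shared", "oracle-prod", True, True, False, ["e100", "e400"]),  # shared DBA login
    Account("admin", "fw-edge", True, True, False, []),                          # firewall, no owner
    Account("jsmith", "vpn-gateway", False, True, True, ["e200"]),               # terminated, remote
    Account("jsmith_adm", "core-server", True, True, False, ["e200"]),           # terminated, admin
    Account("mlee", "core-server", True, True, True, ["e300"]),                  # demoted, still admin
    Account("abrown", "workstation", False, True, False, ["e100"]),              # clean
    Account("old_svc", "legacy-app", True, False, False, ["e200"]),              # already disabled
]

def audit(accounts, hr_status):
    """Return (severity, account, system, finding) tuples, highest severity first."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not an access path
        statuses = [hr_status.get(o, "unknown") for o in a.owners]
        # Attribution: every action must map to exactly one person.
        if not a.owners:
            findings.append((3 if a.privileged else 2, a.name, a.system,
                             "no accountable owner: actions cannot be attributed"))
        elif len(a.owners) > 1:
            findings.append((3 if a.privileged else 2, a.name, a.system,
                             f"shared by {len(a.owners)} people: actions cannot be attributed"))
        # Lifecycle: termination and demotion must be reflected in access.
        if "terminated" in statuses:
            note = " (remote access path)" if a.remote_access else ""
            findings.append((4, a.name, a.system, "still enabled after owner's termination" + note))
        elif "demoted" in statuses and (a.privileged or a.remote_access):
            findings.append((3, a.name, a.system, "privileged/remote access retained after demotion"))
    return sorted(findings, key=lambda f: -f[0])  # stable: input order within a severity

if __name__ == "__main__":
    for sev, name, system, finding in audit(INVENTORY, HR_STATUS):
        print(f"[{sev}] {system}/{name}: {finding}")
```

Run it against a daily export of your identity store and HR feed; anything at severity 4 is a termination that was not carried through to the account level.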
More information about IT sabotage is available in our Common Sense Guide to Prevention and Detection of Insider Threat and our "Big Picture" of Insider IT Sabotage Across U.S. Critical Infrastructures.