CERT



Insider Threat Blog


Recently in Fraud Category

Insider Threats Evident in All Industry Sectors

Hello, this is Todd Lewellen, information systems security analyst for the CERT Insider Threat Center. We recently conducted a cursory search through our MERIT database for case examples across different industry sectors. This search reminded us just how indiscriminately insider attacks can appear throughout public and private sectors. In other words, while certain insider attacks tend to manifest themselves more often in specific industry sectors, no sector is free from the actions of malicious insiders.



Study on Insider Cyber Fraud in Financial Services Released

Hi, this is Randy Trzeciak of the CERT Insider Threat Center. Recently, we completed a study that revealed insights into the type of insiders who commit insider financial cyber fraud, how they do it, and what they steal. The study, funded by the U.S. Department of Homeland Security (DHS) Science and Technology Directorate, involved 80 real cases of insider cyber fraud in the financial services sector. We conducted the study working with the U.S. Secret Service, the U.S. Department of the Treasury, and project partners from the U.S. financial services sector.



Insider Threats Related to Cloud Computing--Installment 2: The Rogue Administrator

Hi, this is Bill Claycomb and Alex Nicoll with installment 2 of a 10-part series on cloud-related insider threats. In this post, we present three types of cloud-related insiders and discuss one in detail—the “rogue administrator.” This insider typically steals the cloud provider’s sensitive information, but can also sabotage its IT infrastructure. The insider described by this threat may be motivated financially or by revenge.



The CERT Insider Threat Center has been busy this spring.

The CERT Insider Threat Center has been busy this spring developing publications, presenting podcasts, and attending conferences to extend the knowledge and research we’ve collected into the public domain. This blog post contains a few highlights of recent accomplishments and a sneak peek of what we’re planning for the future.



The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Addison-Wesley Professional has recently been published. The book is available for purchase at Addison-Wesley’s InformIT website at http://www.informit.com/store/product.aspx?isbn=9780321812575.



Insiders and Organized Crime

The term organized crime brings up images of mafia dons, dimly lit rooms, and bank heists. The reality today is more nuanced, especially as organized crime groups have moved their activities online. The CERT Insider Threat Center recently released a publication titled Spotlight On: Malicious Insiders and Organized Crime Activity. This article focuses on a cross-section of CERT’s insider threat data, incidents consisting of 2 or more individuals involved in a crime. What we found is that insiders involved in organized crime caused more damage (approximately $3M per crime) and bypassed protections by involving multiple individuals in the crime.



Insider Threat Case Trends of Technical and Non-Technical Employees

This is the second of two blog entries that explore questions we were asked during a recent meeting with leaders from the U.S. financial services sector. In this entry, we focus on what role malicious insiders typically hold in an organization: a non-technical position, a technical position, or both. "Non-technical" includes positions such as management, sales, and auditors. "Technical" includes positions such as system or database administrators, programmers, and helpdesk employees. "Both" includes overlapping jobs such as IT managers.



A Threat-Centric Approach to Detecting and Preventing Insider Threat

Hi, this is Chris King. Any organization that stores data about individuals has a responsibility to protect that information. We regularly hear news stories about celebrities' personal information being stolen and released to the media. Some of these leaks are caused by unauthorized individuals at organizations who are entrusted with confidential data. Recently, the media reported on an incident in which the confidential records of a contestant on a popular reality television show were improperly accessed by employees in multiple law enforcement agencies, a municipal court, a prosecutor’s office, and the state department of motor vehicles. These people were eventually identified and punished, but this incident should remind organizations that deal with confidential information that it is important to be proactive about monitoring for unauthorized access.

