Editor’s Note: The Carnegie Mellon University/Software Engineering Institute’s Special Report, by Adam Cummings, Todd Lewellen, David McIntire, Andrew P. Moore, and Randall Trzeciak, and funded by the United States Department of Homeland Security Science and Technology Directorate, is attached here.
The document highlights the private sector need for effective cybersecurity and illustrates the productive role of the federal government in supporting national cybersecurity objectives.
The Special Report’s Conclusion and Next Steps section is reprinted below.
Conclusion and Next Steps
This report describes six findings of a study of insider fraud in the U.S. Financial Services Sector:
• FINDING ONE: Criminals who executed a “low and slow” approach accomplished more damage and escaped detection for longer.
• FINDING TWO: Insiders’ means were not very technically sophisticated.
• FINDING THREE: Fraud by managers differs substantially from fraud by non-managers by damage and duration.
• FINDING FOUR: Most cases do not involve collusion.
• FINDING FIVE: Most incidents were detected through an audit, customer complaints, or coworker suspicions.
• FINDING SIX: Personally identifiable information (PII) is a prominent target of those committing fraud.
The description of each finding includes frequency statistics on important aspects of the finding, case examples illustrating the finding, and preliminary recommendations. The recommendations discussed are fairly general in nature, but are the start of what we hope will be a fruitful discussion with organizations to elaborate what members of the financial services community should do in the face of these findings.
6.1 Considerations for Insider Threat Program Implementation
In their enterprise-wide risk assessments, organizations should consider the threat posed by insiders to the organization’s critical assets, people, technology, information, and facilities. The first step is to identify and prioritize assets, followed immediately by locating the critical assets and determining who has, or should have, authorized access. Many organizations fail during this step when they allow authorized access to extend beyond what is required for employees to fulfill their job responsibilities. Privileges tend to accumulate over time as employees migrate among departments and accept new job responsibilities. It is imperative that
• employees have only the appropriate privileges to critical assets
• employee privileges are known by the organization
• the organization can modify or disable access if an employee changes roles, responsibilities, or employment status
If an organization asks what an employee has access to or where critical assets exist when an employee is walking out the door, it is too late. Diligent access control to critical assets is essential and organizations should not allow this control to degrade over time; recovery from lapses in control can be time consuming.
Most organizations begin assessing an employee or contractor’s trustworthiness as part of the hiring process. Background checks, employment and personal references checks, and individual screenings are valuable; however, organizations should continue to assess trustworthiness after the individual is hired. Organizations should regularly evaluate employees for potential motivators of malicious insider activity, including detecting the presence of financial and professional stressors and employee disgruntlement. Individuals showing such signs are at greater risk for committing a malicious act. Additionally, organizations should similarly scrutinize their contractors, subcontractors, suppliers, and other trusted business partners.
Finally, separation of duties is an effective way to prevent unauthorized transactions in financial systems. Organizations should extend the “separation of duties” model from their business processes to their IT processes. There should not be a single point of failure in any IT operation. Also, when possible, more than one person should be required to complete critical IT functions, including creating and deactivating accounts and modifying privileges. Consistent enforcement of such monitoring and auditing strategies in critical business processes may help to prevent or detect malicious insider activity. Recall that approximately 50 percent of the fraud crimes included in this study were committed by someone in a management-related position; therefore, someone outside an employee’s management chain should audit such transactions. Organizations should implement the same type of consistent auditing in IT processes.
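The two controls this section recommends, a periodic review that strips privileges accumulated from former roles and a separation-of-duties check that privileged IT actions involve a second person and are audited from outside the actor’s management chain, as an added example that is not part of the CERT/SEI report. The role-to-entitlement map, directory entries, and event records are constructed sample data.

```python
from dataclasses import dataclass
# Constructed sample data; ROLE_ENTITLEMENTS is what each role *should* carry (the review baseline).
ROLE_ENTITLEMENTS = {
    "teller": {"cash_drawer", "customer_lookup"},
    "loan_officer": {"customer_lookup", "loan_origination"},
    "it_admin": {"account_admin", "privilege_admin"},
}

@dataclass
class Employee:
    uid: str
    role: str                 # current role only; former roles no longer justify access
    manager: "str | None"     # uid of the direct manager, or None at the top of the chain
    entitlements: set         # what the employee actually holds today

def privilege_creep(emp):
    """Entitlements held but not justified by the employee's current role."""
    return emp.entitlements - ROLE_ENTITLEMENTS.get(emp.role, set())

def management_chain(uid, directory):
    """Every manager above uid; the visited set guards against cyclic directory data."""
    chain, cur = set(), directory[uid].manager
    while cur is not None and cur not in chain:
        chain.add(cur)
        cur = directory[cur].manager
    return chain

def sod_findings(events, directory):
    """Flag account/privilege changes lacking a second person or audited inside the actor's chain."""
    findings = []
    for ev in events:
        actor, approver, auditor = ev["actor"], ev["approver"], ev["auditor"]
        if approver == actor:
            findings.append((ev["id"], "no second person approved the action"))
        if (auditor == actor or auditor in management_chain(actor, directory)
                or actor in management_chain(auditor, directory)):
            findings.append((ev["id"], "auditor is inside the actor's management chain"))
    return findings

# Constructed directory: bob moved from teller to loan officer but kept cash_drawer.
DIRECTORY = {
    "cfo": Employee("cfo", "executive", None, set()),
    "alice": Employee("alice", "it_admin", "cfo", {"account_admin", "privilege_admin"}),
    "bob": Employee("bob", "loan_officer", "cfo", {"cash_drawer", "customer_lookup", "loan_origination"}),
}
EVENTS = [  # constructed privileged-action log entries
    {"id": "ev1", "action": "create_account", "actor": "alice", "approver": "alice", "auditor": "cfo"},
    {"id": "ev2", "action": "modify_privilege", "actor": "alice", "approver": "cfo", "auditor": "bob"},
]
```

Run against the sample data, the review reports bob’s leftover cash_drawer entitlement, and ev1 is flagged twice: alice approved her own account creation, and her own manager audited it.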
6.2 Identify Technical Gaps
Most organizations face the challenge of differentiating anomalous and normal network activity. Many IT tools exist to meet this challenge, but it takes significant effort to customize these tools to a specific organization’s business processes. In addition, organizations often struggle to determine and maintain baseline behavior at the individual level and scale it across the enterprise. It is time consuming to achieve a degree of confidence in distinguishing normal variations in baseline behavior from abnormal variations.
Relying on technical controls alone to differentiate anomalous but acceptable behavior from malicious behavior may not be the most effective way to address the threat posed by insiders. Organizations should consider combining the results of IT log aggregation and analysis tools with nontechnical indicators that may be derived from internal and external data sources such as those listed below:
• results of employee and contractor performance management processes
• employee dispute resolution processes
• employee assistance processes
• credit rating systems
• law enforcement and criminal history databases
• facility-tracking systems
Such tools may help organizations to identify 1) individuals who are susceptible to recruitment into a fraud scheme and 2) disgruntled employees who may be more likely to sabotage an IT system or steal critical data when they leave.
The topic of employee monitoring draws together a mixture from different areas of the law, from labor to constitutional. As technology continues to evolve, legislators and the judiciary will continue to be confronted with new questions. Employers will need to keep a watchful eye on this process to avoid violating internal policy, regulatory requirements, or legal statutes. Collaboration among staff, including legal staff, will widen your knowledge base and lead to a more informed set of policies and processes.
6.3 Conclusion
As long as there are institutions that hold money, internal and external adversaries will make every attempt to subvert control mechanisms to illegally profit. To defeat those who are defrauding financial services companies, security professionals in this sector must master both the technical and behavioral aspects of the problem as well as ensure compliance with external regulators and internal governance initiatives, all while protecting their organizations’ profits, shareholders, and customers. This report will not solve the problem entirely or give the financial sector a set of procedures guaranteed to prevent employees from conducting illegal activities. Rather, it paints a relatively complete picture of 80 recent cases of insider fraud and provides important insights into those cases.
The insider fraud models presented in this report round out the CERT series of insider threat models. Security professionals have used our previous models to establish countermeasures in dealing with insider IT sabotage, insider theft of IP, and national security espionage. We hope that these previous models and this new insider fraud model have a similar impact on the financial sector. Certainly the study of future cases may yield different insights, but we have found that our past models have stood the test of time. Although we published our other insider threat models quite some time ago (beginning in 2005), we have discovered that in the interim the overarching patterns in the cases have not changed.
We also hope this report will encourage the continued dialog between public, private, and research entities. Conversations about these findings will help us to learn even more and supplement the community’s collective knowledge. The CERT Insider Threat Center has been conducting research into the problem of malicious insiders for more than a decade. In that time, we have seen progress in some areas of the problem; we have also seen other issues repeatedly resurface. Perhaps the most important message we can convey to those who are unfamiliar with the issue is that defeating insider threats is not solely the problem of IT, HR, or security—it’s everyone’s problem.
6.4 Next Steps
Upon publication of this report, the USSS and the CERT Insider Threat Center will present its findings at financial service sector venues as well as at Secret Service Electronic Crime Task Force (ECTF) chapter meetings across the country. We gladly accept comments and suggestions, which we may incorporate into an addendum to this report. We welcome ongoing feedback on any practices and technical solutions that members of the financial sector have implemented to successfully counter insider threats. Finally, we will attempt to answer any questions not covered in this report by querying and further analyzing our database of insider incidents. Contact us at insider-threat-feedback@cert.org.