Register for Free Membership to solutions@syngress.com Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder’s Configuring ISA Server 2004, Brian Caswell and Jay Beale’s Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal Packet Sniffing One of the reasons for the success of these books has been our unique solutions@syngress.com program Through this site, we’ve been able to provide readers a real time extension to the printed book As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program Once you have registered, you will enjoy several benefits, including: ■ Four downloadable e-booklets on topics related to the book Each booklet is approximately 20-30 pages in Adobe PDF format They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book ■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job ■ A “From the Author” Forum that allows the authors of this book to post timely updates and links to related sites, or additional topic coverage that may have been requested by readers Just visit us at www.syngress.com/solutions and follow the simple registration process You will need to have this book with you when you register Thank you for giving us the opportunity to serve your needs And be sure to let us know if there is anything else we can to make your job easier Insider Threat Protecting the Enterprise from Sabotage, Spying , and Theft Dr Eric Cole Sandra Ring Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) not guarantee or warrant the results to be obtained from the Work There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents Because some states not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc “Syngress:The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc Brands and product names mentioned in this book are trademarks or service marks of their respective companies KEY 001 002 003 004 005 006 007 008 009 010 SERIAL NUMBER HJIRTCV764 PO9873D5FG 829KM8NJH2 GHVV56329M CVPLQ6WQ23 VBP965T5T5 HJJJ863WD3E 2987GVTWMK 629MP5SDJT IMWQ295T6T PUBLISHED BY Syngress Publishing, Inc 800 Hingham Street Rockland, MA 02370 Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft Copyright © 2006 by Syngress Publishing, Inc All rights reserved Printed in Canada Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication Printed in Canada ISBN: 1-59749-048-2 Publisher: Andrew Williams Acquisitions Editor: Gary Byrne Cover Designer: Michael Kavis Page Layout and Art: Patricia Lupien Copy Editor: Michelle Melani Indexer: Julie Kawabata Distributed by O’Reilly Media, Inc in the United States and Canada For information on rights, translations, and bulk purchases, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585 Acknowledgments Syngress would like to acknowledge the following people for their kindness and support in making this book possible Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc.The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown,Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger,Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji,Tonga, Solomon Islands, and the Cook Islands v Author Dr Eric Cole is currently chief scientist for Lockheed Martin Information Technology (LMIT), specializing in advanced technology research Eric is a highly sought-after network security consultant and speaker Eric has consulted for international banks and Fortune 500 companies He also has advised Venture Capitalist Firms on what start-ups should be funded He has in-depth knowledge of network security and has come up with creative ways to secure his clients’ assets He is the author of several books, including Hackers Beware: Defending Your Network from the Wiley Hacker, Hiding in Plain Sight, and the Network Security Bible Eric holds several patents and has written numerous magazine and journal articles Eric worked for the CIA for more than seven years and has created several successful network security practices Eric is an invited keynote speaker at government and international conferences and has appeared in interviews on CBS News, “60 Minutes,” and CNN Coauthor Sandra Ring is the founder of Pikewerks Corporation (www.pikewerks.com), an information security company that specializes in Insider Threat Previously, Sandra was the deputy director of research for The Sytex Group, Inc While working at Sytex, Sandra participated in original research of rootkit detection, volatile memory forensics, self-healing, and zero configuration networks Sandra has worked for the Central Intelligence Agency, operated closely with the National Security Agency, and conducted research at the National Aeronautics and Space Administration’s Langley Research Center She is an author of Cyber Spying:Tracking Your Family’s (Sometimes) Secret Online Lives (Syngress Publishing, ISBN: 1-931836-41-8) and a contributing author to the Network Security Bible vii Contents Part I Insider Threat Basics Chapter What Is There to Worry About? Introduction The Devil Inside The Importance of Insider Threat Insider Threat Defined Authorized versus Unauthorized Insider Categories of Insider Threat 10 Key Aspects of Insider Threat 13 Acceptable Level of Loss 14 Prevention versus Detection 15 Insider versus External Threat 16 Why the Insider Threat Has Been Ignored 17 Organizations Do Not Know It Is Happening 17 It Is Easy to Be in Denial 18 Fear of Bad Publicity 19 Why the Insider Threat Is Worse Than the External Threat 19 Easier 20 Current Solutions Do Not Scale 20 High Chance of Success 21 Less Chance of Being Caught 21 The Effect of Insider Threats on a Company 21 How Bad Is It—Statistics on What Is Happening 23 Insider Threat Study 23 Conclusion 23 Analysis 23 Conclusion 24 Analysis 24 ix 384 Chapter 10 • Survivability Summary Insider threat is a big problem and will only increase in intensity as more and more hostile entities start to understand and realize its value as it applies to digital assets Governments have long known the value of insider threats and the fundamental principle behind spying and espionage Now commercial entities are starting to realize the value More and more cyber-mercenaries and cyber-hit-men will pop up, which for the right price will get you whatever information you need all through the power of computers and technologies The first part in dealing with any problem is acceptance Hopefully you have accepted that insider threat is occurring, it will continue to get worse, and measures must be put in place immediately at your organization to solve it Hopefully, if you are an executive and reading this, you know you have to push this knowledge down throughout your organization, raise awareness, and implement changes If you are not an executive and reading this, you have an even more important job to become an evangelist for the problem and make people aware so that changes can be implemented Selling upper management and executives on new problems and issues that they not understand or see is not an easy job, but not give up.The rewards will be well worth the journey Once you accept that there is a problem and you have raised awareness so key components and division across your organization understand the criticality of the problem, the next step is to figure out your exposure point Identifying and prioritizing assets is critical If you not know what is important, then how can you go about protecting it? If you are having trouble figuring out the critical assets, another trick is to ask,“If I were an attacker, what would I go after?” Asking yourself questions like what would have the most value to the competition or what information if it appeared on the front page of the Washington Post would cause the most monetary loss or embarrassment to the organization, helps to scope the problem Wording the problem in different ways is a helpful clue to be able to figure out the real answers After you identify the critical assets, you then calculate the risk exposure starting with threat, working through vulnerabilities, and tying in likelihood and impact Once the full calculation has been performed, you figure out what the appropriate countermeasures are, and you implement the solution Remember that the ultimate goal is survival Remember, this is a new area so there is no right way to solve the problem, just many ways that not work or are not effective.The trick is through trial and error you will find the solution Work hard, be diligent, document your results, and I look forward to reading the book that you are going to write once you figure out all the answers www.syngress.com Index A academic conferences See conferences acceptable levels of loss, 14–15, 332–334 access authorized vs unauthorized, 8–10 controlling, 11, 41, 44, 334–335, 374–377 as driving force in insider attack, 11, 13 and principle of least privilege, 8–9, 10, 41, 335, 371, 374–377 access cards, 56–57 Adkins, Chad R., 126 AFOSI (Air Force Office of Special Investigations), reports of suspicious activity, 195 Agriculture Department, employee visa fraud, 169–171 Air Force Office of Special Investigations (AFOSI), reports of suspicious activity, 195 Allfirst Bank, 249–254 Alternative Data Streams feature, 65–68 America Online, employee case study, 234–236 Ames, Aldrich, 5, 113, 114, 175–178 anger, as factor in insider attacks, 306–307, 310 Angle, Patrick, 218–220 anomaly detection, 346–347 anonymizers, 79–80 AOL, employee case study, 234–236 appearance, profiling based on, 298, 301–302 archiving critical data, as way to prevent or minimize insider threat, 42 See also backing up files armed bank robberies, 245, 259–260, 338 Atlanta Journal-Constitution, 231–233 attrib command, 64 auditing and logging, as way to prevent or minimize insider threat, 41–42 authorized vs unauthorized insiders, 8–10 availability, as core area of network security, 357–358 awareness, importance of, 11, 12, 41, 350, 379 B backdoors, 34, 45, 173–175, 289 background checks, 4, 5–6, 45, 149, 158, 323, 351, 378 backing up files, 370–371, 372 bad publicity, 19 Bank of America, 267, 268 bank robberies, 245, 259–260, 338 banks See financial sector Barings Bank, 254–256 Beauchamp, Steven P., 156 behavioral patterns See profiling Benson, Duane, 211 Bentham, Jeremy, 113 biometrics in lock technology, 57 role in DMV licensing process, 117 Blackberrys, as insider threat, 71–72 blackmail, 323–324 Bookbinder, Adam J., 219 Booker, Lynn, 265 385 386 Index Border Patrol, employee drug smuggling, 172–173 bribery, 158–159 See also blackmail Brizzi, Carl, 122, 126 Brown, James W., 158–159 Burleson, Donald Gene, 210–213 Byrne, Peter, 126 C Calhoun, Jimmy, 134 California Notice of Security Breach Law, 271 Campbell, Carroll Lee Jr., 231–233 Carroll, Eugene, 245 Central Intelligence Agency (CIA), case of Aldrich Ames, 5, 113, 114, 175–178 CERT (Carnegie-Mellon), 23, 31, 33, 104, 193, 243, 366 Champagne, Quinzel, 260 Chase Financial Corporation, 266 check “kiting,” 265 Cherkashin, Victor, 180 Chinese nationals, 15, 117, 170–171, 278, 288–290 ChoicePoint, 271 CIA (Central Intelligence Agency), case of Aldrich Ames, 5, 113, 114, 175–178 Cisco Systems, 236–237 Clark, Kimberlee L., 160–161 classified data, 27, 33, 124–125 See also Ames, Aldrich; Hanssen, Robert; Regan, Brian Patrick cleaning services See janitorial services Coast Guard, employee sabotage, 182–183 Collingwood, John, 181 Colmer, William, 289, 290 Comey, James, 262 Commerce Bank, 259–260, 267 Commerce Department, employee time fraud, 161–162 commercial companies impact of insider attacks, 312–313 sabotage as threat, 193–194 theft of customer information, 196 theft of intellectual property, 194–195 threat overview, 191–196 companies See commercial companies competitors case studies, 230–233 and high-end insider threats, 318–321, 322 and job switchers, and planted employees, 6, 47–48, 318–321, 322 Computer Crime Institute, 191 Computer Security Institute, 35 computers hidden files, 60–68 laptops as insider threat, 70–71, 349 laws regarding fraud and related activity, 197–201 conferences, 224–225, 278 confidentiality, as core area of network security, 356 Conley, Jimmy Lee, 134 consequences, making understood, 304–305 contractors, as insider associates, 11–12 See also government contractors controlling access, 11, 41, 44, 334–335, 374–377 conventions, 224–225, 278 copiers, 52 corporate espionage See also plants, employees as Index focus on intellectual property, 302–303, 308 and high-end insider threats, 318–321, 322 insider threat overview, 5, 33 and recruited attackers, 322–323 corporations See commercial companies Corr, Joseph, 196 cost-benefit analysis, 333, 364–365 credit cards See also identity theft fraudulent use of account information by financial insiders, 264–265 government employee fraud, 151, 166–169 Cronin, David, 250, 252–253 cryptography detecting encryption, 85–87 overview, 84–87 vs steganography, 88 Cui, Jing, 221 Cummings, Philip, 261–263 customers See also identity theft; personal information as insider threat, 225–227 theft of their information, 229–237 Customs agents, employee drug smuggling, 172–173 Czubinski, Richard, 151–154 D data centers, 376–377 data hiding See cryptography; steganography dead drop, defined, 177 default allow security stance, 348 default deny security stance, 348–349 defense in depth, 41, 42, 369, 371, 379 387 Defense Intelligence Agency, employee time fraud, 163 Defense Security Services (DSS) employee time fraud, 164–165 reports of suspicious activity, 195 denial, living in, 5, 18–19 denial of service (DoS) attacks, 216–217 desktop computers hidden files, 60–68 laws regarding fraud and related activity, 197–201 detection vs prevention, 15–16, 330–331, 333–334 deterrence vs prevention, 120 die pads, 338–339 digital die pads, 338–339 directories, computer attaching alternative data streams to, 67–68 hiding files in, 60–61 disgruntled employees, 182–183, 191, 206–220, 227–228, 306–307, 310 DMV (Department of Motor Vehicles) employee sale of personal information, 118–119 and fraudulent licenses, 114–117 and Real ID Act, 127–128 Dobbs, Brenda, 162 documents See also information extraction classification schemes for, 51–52 cover sheets for, 55–56 stealing copies before computers and the Internet, 50–53 traditional methods of protecting, 55–58 watermarks for, 51–52, 55 DOE (Department of Energy), employee misconduct case, 158–159 388 Index DoS (denial of service) attacks, 216–217 driver’s licenses, acquiring fraudulently, 114–117 DSS (Defense Security Services) employee time fraud, 164–165 reports of suspicious activity, 195 dumb terminals, 350 Dunaway, Sean, 235 Duronio, Roger, 246–249 E e-mail encrypting, 84–87 as insider threat, 80–84 laws regarding fraud and related activity, 201–203 potential for data security violations, 34–35 running servers on desktop PCs, 80–84 sale by AOL employee of customer addresses to spammers, 234–236 spoofing, 82–84 Web-based, 78–79 Eastman Kodak, 228–229 EBT cards, 121–124 Economic Espionage Act, 213, 221, 222 educating employees, 350, 378–380 electricity, threats and vulnerabilities, 109 electronic voting, 112, 136 Elite Web Hosting, 233–234 Ellery Systems, Inc., 221–222 employees See also social engineering creating user-awareness about insider threat, 11, 12, 41, 350, 379 as devil inside, 4–5 disgruntled, 182–183, 191, 206–220, 227–228, 306–307, 310 educating, 350, 378–380 federal government case studies, 151–183 as high-end insider attackers, 318–321, 322 individual and group profiling, 340–342 as moles, 44–45, 339 monitoring, 342–346 and need-to-know, 124–125, 374–375 as plants in competitor companies, 6, 47–48, 318–321, 322 profiling potential attackers, 40–41, 299–313 psychosocial factors, 377–378 as pure insiders, 10–11 reporting knowledge of insider attacks by others, 306, 316–317 state and local government case studies, 114–136 encryption, 84–87 Energy Department, employee misconduct case, 158–159 Equifax, 261 espionage See Ames, Aldrich; Hanssen, Robert; Regan, Brian Patrick Experian, 261 external vs insider threat, 16–17, 380–383 F failure points, limiting, 367–369 fax machines, 53 FBI (Federal Bureau of Investigation) case of Robert Hanssen, 5, 178–182 employee misconduct cases, 155–158 Index fear, Bentham’s view, 113 Federal Bureau of Investigation (FBI) case of Robert Hanssen, 5, 178–182 employee misconduct cases, 155–158 federal government employee misconduct case studies, 151–183 legal regulation related to identity theft, 269–272 threat overview, 147–151 time and attendance fraud, 151, 160–166 FedEx packages, 50 Ferguson, Charelle, 163 Ferguson, Jim, 207 filename extensions, 62 files, computer attaching as alternative data stream, 65–68 backing up, 370–371, 372 changing attributes, 62–64 changing extensions, 62 hidden attribute, 62–64 as honeytokens, 335, 337 with similar names, 61–62 ways to hide, 60–68 financial sector bank robberies, 245, 259–260, 338 case studies Allfirst Bank employee case study, 249–254 Barings Bank employee case study, 254–256 Commerce Bank employee case study, 259–260 Daiwa Bank employee case study, 257–259 fraudulent use of customer account information, 263–268 Teledata Communications employee case study, 260–263 389 USB Paine Webber employee case study, 246–249 financial theft cases, 245, 259–260 intellectual property theft, 245, 260–263 rogue trading cases, 245, 246–259 role of die pads in banking, 338 sabotage cases, 244, 246–249 threat overview, 242–245 Financial Services Modernization Act, 270 first responders, threats and vulnerabilities, 108 Flagg, Delva, 116 Folder Options dialog box, 64 Foley, Linda, 262 Foltz, Daniel J., 126 food stamps, theft and corruption of benefit, 121–124 Forbes, Inc., 213–216 foreign governments See also Chinese nationals; visa fraud corporate espionage by, 324 laws regarding economic espionage, 203–204 Foreman, William, 126–127 framing others, 48 Francis, Michelle, 115 fraud, defined, 22 Friedberg, Eric, 217 friends, using employee’s credentials, 12–13 frustration, as factor in insider attacks, 306–307, 310 Fudge, Jeffrey D., 155–156 G Garland, Scott, 219 GE Money, 268–269 Gottschlich, Gary W., 290 390 Index government See federal government; foreign governments; state and local government government contractors Chinese nationals case study, 288–290 and outsourcing, 45, 277 threat overview, 276–277 TRW case study, 278–288 Government Printing Office (GPO), employee time fraud, 165–166 GPO (Government Printing Office), employee time fraud, 165–166 Gramm-Leach-Bliley Act, 270 Gray, Montgomery Johns, 174–175 Green, Crystal, 166–168 group profiling, 342 guards as form of physical security, 57 as insider associates, 11–12 guilt vs innocence, 325 and polygraph tests, Gwinnett Daily Post, 231–233 H Hanssen, Robert, 5, 178–182 Harper, Geraldine, 121–122 Health Insurance Portability and Accountability Act (HIPAA), 270–271 Hebel, John, 230–231 Herberg, Cliff, 129 Herrera, Ricardo, 116 hidden files changing file attribute, 62–64 NTFS Alternative Data Streams feature, 65–68 showing in Windows Explorer, 64 ways to hide on desktop PCs, 60–68 hiding data See cryptography; steganography high-end insider threats, 318–321, 322 HIPAA (Health Insurance Portability and Accountability Act), 270–271 Hoffman, William, 208 Hollcraft, Matthew, 126 honeypots, 335, 336–337 honeytokens, 335, 337 Hotmail, 78–79 Hsu, Hsin Hui, 15, 170–171 human factor See social engineering Hussein, Saddam, 281 I identity theft California Notice of Security Breach Law, 271 fraudulent use of financial account information by insiders, 263–268 legal regulations, 269–272 proposed federal laws, 271–272 Teledata Communications employee case, 260–263 top cause, 32 Iguchi,Toshihide, 257–259 incident response, 380–383 information extraction by hiding files on computers, 60–68 overview, 59–60 via laptops, 70–71 via PDAs and Blackberrys, 71–72 via removable media, 68–70 via wireless exfiltration, 72–77 insider affiliates, defined, 12–13 insider associates, defined, 11–12 insider attackers bragging by, 316–317 Index characteristics, 299–313 confidants of, 305–306 greed of, 315–316 high-end profile, 318–321, 322 making repercussions understood, 304–305 profiling of, 297–299 reasons they get caught, 314–318 setting traps for, 335–337 sloppiness of, 317–318 stupidity of, 318 types of motivations, 322–323 use of malicious acts by, 91–92 insider threat authorized vs unauthorized access, 8–10 categories of insiders, 10–13 characteristics of attackers, 299–313 before computers and the Internet, 50–58 corresponding vulnerabilities, 358–359 countermeasures, 360–362 defined, defining acceptable level of loss, 14–15, 332–334 determining critical assets, 331–332 ease of attack, 20–21 effect on companies, 21–23 external indicators, 307–312 vs external threat, 16–17, 380–383 in federal government, 147–151 future trends, 43–44 levels of attacks, 321–322 limitations, 314–318 overview, 7–13 preventing vs detecting attacks, 15–16, 330–331, 333–334 prevention overview, 41–42 prevention vs detection, 15–16, 330–331, 333–334 probability aspect, 359 391 profiling attackers, 40–41 reacting to, 380–383 as reality, 37–42 reasons attackers are caught, 314–318 reasons for ignorance about, 17–19 reasons it’s worse, 19–21 responses, 330–351 and risk, 355–358 in state and local government, 105–112 statistics on extent, 23–31 targets of attack, 35–37 Insider Threat Study, 23–31, 104, 193–194, 243–244 insiders See also employees authorized vs unauthorized, 8–10 categories, 10–13 and principle of least privilege, 8–9, 10, 41, 335, 371, 374–377 profiling, 40–41, 299–313, 340–342 pure, 10–11 insurance, 362 integrity, as core area of network security, 356–357 Intelink, 286, 287 intellectual property (IP) in financial sector, 245, 260–263 as focus of insider attacks, 22, 36–37, 39, 194–195, 302–303 targeted technologies, 194–195 theft, case studies, 220–229 theft, overview, 220 Internal Revenue Service, employee misconduct case, 151–154 Internet, threats and vulnerabilities, 110 Internet Trading Technologies Corp (ITTI), 216–217 IRS (Internal Revenue Service), employee misconduct case, 151–154 392 Index J janitorial services, 11–12, 52–53, 376 Johnson, Newton, 135 Jones, Robert, 116 K Kalbacher, Stacie, 118 key-based locks, 56 Kissane,Timothy, 223–224 “kiting” checks, 265 L Lang, Elizabeth, 116 laptops, as insider threat, 70–71, 349 least privilege, 8–9, 10, 41, 335, 371, 374–377 Leeson, Nick, 245, 254–256 legal liability, 32, 46, 336, 337 Lembo, Orazio, 267 levels of loss, acceptable, 14–15, 332–334 liability, 32, 46, 336, 337 Liang, Qiao, 39 licensing organizations, threats and vulnerabilities, 112 lie detector tests, and spies, Lightwave Microsystems, Inc., 227–228 Liptak, Vincent, 118 Little, Hettie, 115 Litton PRC, 288–290 Liu, Zhangyi “Steven,” 288–290 Lloyd, Jameil, 166–168 Lloyd,Timothy, 206–210 local government See state and local government locks, 56–57 logging and auditing, as way to prevent or minimize insider threat, 41–42 Lomia, Frank, 267 loss, acceptable levels, 14–15, 332–334 lottery fraud, 125–128 Luckey, Curtis, 266 Luzhin, Boris, 181 M Madden, Patrick, 134 malicious attacks, 91–92 malware, 263 Martinez, Juan, 172–173 Martynov, Valeriy, 181 mass transit, threats and vulnerabilities, 111–112 McNabb, Joanne, 271 mean time between failures, 369 Meerovich, Alexander, 171–172 memory sticks, as insider threat, 68–70 Menyweather, Dorothy, 168–169 Merz, Michael, 289 miniaturization, 44 miniaturized cameras, 52–53 Miracle, Mary, 121–122 moles, 44–45, 339 money, as motivator, 11, 27–28, 303–304, 322 monitoring, employee application-specific, 343 comprehensive, 344 overview, 342–343 probationary, 345 problem-specific, 343–344 using trend analysis, 344–345 Morales, Jacemyein, 166–168 Motorin, Sergey, 181 Index N National Library of Medicine (NLM), employee misconduct case, 173–175 National Reconnaissance Office (NRO), 279, 280, 286 National Threat Assessment Center, 23, 243 natural gas, threats and vulnerabilities, 109–110 need-to-know, 124–125, 374–375 network security availability aspect, 357–358 confidentiality aspect, 356 controlling connectivity, 377 core areas, 356–358 integrity aspect, 356–357 leakage overview, 45–46, 77–78 vulnerability of Web access, 78–80 Network Stumbler, 73–74 Newsome, Donnie, 134, 135 NLM (National Library of Medicine), employee misconduct case, 173–175 non-technology-based solutions, as way to prevent or minimize insider threat, 42 nondisclosure agreements, 279–280, 366 Northern, Charmaine, 264 Notification of Risk to Personal Data Bill, 272 NTFS (NT File System), Alternative Data Streams feature, 65–68 O Office of National Counterintelligence, 150, 195, 224, 238, 278 Olson, Greg, 207–208 O’Malley, Grady, 207 393 Omega Engineering Corporation, 206 Osowski, Geoffrey, 236–237 outsider affiliates, defined, 13 outsourcing, 45, 277 P Paine Webber, 246–249 Parente, George Mario, 214–216 passwords, lax security case study, 288–290 Patent and Trademark Office, employee time fraud, 160–161 pattern analysis, 347–349 Pattiniemi, Pekka, 269 PCs hidden files, 60–68 laws regarding fraud and related activity, 197–201 PDAs (personal digital assistants), as insider threat, 71–72 personal digital assistants (PDAs), as insider threat, 71–72 personal information See also identity theft case study of sale by DMV insider, 118–119 cases of customer data theft, 229–237 fraudulent use of account information by financial insiders, 263–268 sale of consumer credit information, 260–263 personality changes, 311–312 photocopiers, 52 physical security, 57, 375–377 Pigman, Keith, 135 Pitts, Earl, 113, 114, 181 plants, employees as, 6, 47–48, 318–321, 322 394 Index PNC Bank, 267 policies and procedures about insider affiliates, 12–13 importance of having, 350 making repercussions of insider attacks understood, 304–305 overview, 43–44 as way to prevent or minimize insider threat, 42, 325, 379–380 political views, as motivator, 322–323 polygraph tests, and spies, Ponemon Institute, 35 prevention vs detection, 15–16, 330–331, 333–334 vs deterrence, 120 preventive maintenance, 368, 369 Price, Richard, 225 Priceline.com, 266 principle of least privilege See least privilege private shares, 14 profiling based on actions, 298 based on appearance, 298, 301–302 based on instinct, 299 characteristics of apprehended insider attackers, 299–313 creating cyber profiles, 340–342 high-end insider attackers, 318–321, 322 individual vs group, 341–342 methods, 297–299 overview, 40–41, 297–299, 340–342 programmers, as insider threat, 34, 173–175, 206–210 proxy servers, 78 psychosocial factors, 377–378 publicity, bad, 19 Puckett, Catherine, 118 pure insiders, defined, 10–11 Q Qadhafi, Muammar, 285 Qiao Liang, 39 Qiao Wei, 225 R Real ID Act, 127–128 redundancy, increasing, 369–374 Regan, Brian Patrick, 279–288 relay sites, 46 removable media, as insider threat, 68–70 repercussions, making understood, 304–305 retirees, as insider threat, 228–229 risk and acceptable levels of loss, 14–15, 332–334 accepting, 360–361 calculating, 364–367 countermeasure options, 360–362 and impact, 360 insurance model, 362 key components, 355–362 managing, 333 overview, 354–367 and probability, 359 real vs perceived, 375 reducing, 361–362 and threat, 355–358 transferring, 361–362 and vulnerabilities, 358–359 risk analysis overview, 362 qualitative, 362–363 quantitative, 363–364 Risu, Jukkapekka, 269 Roberts,Tifane, 266 Rock, Patsy Ann, 164–165 rogue trading Index Allfirst Bank case study, 249–254 Barings Bank case study, 254–256 Daiwa Bank case study, 257–259 overview, 245 rotation of duties, as way to prevent or minimize insider threat, 41, 372–373 Rusnak, John, 249–254 S S-tools program, 88–91 sabotage See also employees, disgruntled case studies, 182–183, 206–220, 244, 246–249 characteristics of saboteurs, 215–216 overview, 193–194, 205–206 Schumer-Nelson ID Theft Bill, 271–272 Secret Service, 7, 23, 104, 193, 199, 208, 243, 366 security awareness, as way to prevent or minimize insider threat, 11, 12, 41, 350, 379 security clearances, 278 Sellers, Bobbie J., 165–166 separation of duties, as way to prevent or minimize insider threat, 41, 58, 372 SETA (Scientific, Engineering and Technical Assistance), 277 Shan,Yan Ming, 225–227 Shaw, Eric, 209, 215–216 Shaw, Geoffrey, 222 signature analysis, 347–349 Singla, Shakuntla Devi, 182–183 SL Mail program, 81–82 Smalls, Narissa, 157–158 Smart, Kimberly Molette, 265 Smathers, Jason, 234–236 Smires, Abdelkader, 216–217 Smith, Willard, 135 395 social engineering, 47, 92–95 Soucy, Paul Edward, 231–233 Speight, Angelique, 163 Spence, Reginald, 115 spies, and lie detector tests, See also Ames, Aldrich; Hanssen, Robert; Regan, Brian Patrick Spillman, Melvyn M., 128–134 spoofing e-mail, 82–83 spouses, using employee’s credentials, 12–13 spyware, 263 Standard Duplicating Machines Corporation, 230–231 state and local government DMV corruption, 114–119 food stamp fraud, 121–124 incident case studies, 113–136 legal regulation related to identity theft, 271 lottery fraud, 125–128 probate clerk case study, 128–134 specific threats, 108–112 statistics on officials charged with corruption, 136–141 threat overview, 105–108 vote tampering, 112, 134–136 State Department employee credit card fraud, 166–168 employee visa fraud, 171–172 State of Texas v Melvyn M Spillman, 128–134 steganography vs cryptography, 88 overview, 88 role of S-tools program, 88–91 Stickey, Jim, 268 studies See Insider Threat Study Sullivan, Michael J., 219 Sumitomo Bank, 263 survivability, 354–383 396 Index System Management Arts, Inc (SMARTS), 223–224 T Tang,Wilson, 236–237 targets of attack, 35–37 Taylor, Glenda, 123 telecommuting, 218–220 Teledata Communications (TCI), 260–263 telephones, threats and vulnerabilities, 110 Telesca, Michael, 229 terrorism, and cyberspace, 39 thin clients, 349–350 Thomas, Dorian Patrick, 264 time and attendance fraud, 151, 160–166 Torrez, Ramon, 173 TraceSecurity, 268 trade secrets defined, 192 laws regarding theft, 204 and prosecution, 222 and trade shows, 278 trade shows, 224–225, 278 traffic control, threats and vulnerabilities, 111 training employees, 350, 378–380 TransUnion, 261 TRW, 278–288 Tucows, 81 Turner, Makeebrah A., 266 U UNIX, 60 unmanned aerial vehicles (UAVs), 195 Unrestricted Warfare (book), 39 U.S Attorney’s Office, employee credit card fraud, 168–169 U.S Border Patrol, employee drug smuggling, 172–173 U.S Central Intelligence Agency (CIA), case of Aldrich Ames, 5, 113, 114, 175–178 U.S Coast Guard, employee sabotage, 182–183 U.S Code relevance to insider threat, 197–205 Section 1030, 197–201 Section 1037, 201–203 Section 1831, 203–204 Section 1832, 204 Section 2314, 204–205 U.S Customs agents, employee drug smuggling, 172–173 U.S Defense Intelligence Agency, employee time fraud, 163 U.S Defense Security Services (DSS) employee time fraud, 164–165 reports of suspicious activity, 195 U.S Department of Agriculture, employee visa fraud, 169–171 U.S Department of Commerce, employee time fraud, 161–162 U.S Department of Energy, employee misconduct case, 158–159 U.S Department of State employee credit card fraud, 166–168 employee visa fraud, 171–172 U.S Federal Bureau of Investigation (FBI) case of Robert Hanssen, 5, 178–182 employee misconduct cases, 155–158 U.S Government Printing Office (GPO), employee time fraud, 165–166 Index U.S Internal Revenue Service, employee misconduct case, 151–154 U.S National Reconnaissance Office (NRO), 279, 280, 286 U.S Office of National Counterintelligence, 150, 195, 224, 238, 278 U.S Patent and Trademark Office, employee time fraud, 160–161 U.S Secret Service, 7, 23, 104, 193, 199, 208, 243, 366 USB drives, as insider threat, 68–70 USB Paine Webber, 246–249 USDA (Department of Agriculture), employee visa fraud, 169–171 V value at risk (VaR), defined, 252 ValuJet, 196 Varian Semiconductor, 218–220 Vega, Daniel, 115 video recording, in DMV licensing process, 117 visa fraud, 169–172 voting electronic, 112, 136 tampering with, 134–136 threats and vulnerabilities, 112, 134–136 vulnerabilities, overview, 358–359 W Wachovia Corporation, 267 Wall Street (movie), 11, 52–53 Wang, Liaosheng, 221–222 Wang Xiangsui, 39 Warner, Ragina, 126 water, threats and vulnerabilities, 108 397 watermarks, 51–52, 55 weaknesses See vulnerabilities Web access, as insider threat, 78–80 Web-based e-mail, 78–79 Web browsers, e-mail access via, 78–79 Wei, Qiao, 225 Williams, Patrice M., 266 Windows operating systems, 60 wireless networks ad-hoc connections, 76–77 attempted bank theft, 268–269 authorized connections, 74–75 as insider threat, 72–77 map of commercial antennas, 73 outsider access to 13 rogue connections, 75–76 vulnerabilities in, 72–77 Wolf, Ean, 259–260 Wood, Jeffrey, 289 Woodard, Brent Alan, 227–228 Worden, Harold, 228–229 workshops See conferences World Wide Web, as insider threat, 78–80 Wynn, Al, 211 X Xerox machines, 52 Xiangsui, Wang, 39 Y Yan Ming Shan, 225–227 Z Zhangyi Liu, 288–290 Syngress: The Definition of a Serious Security Library Syn•gress (sin-gres): noun, sing Freedom from risk or danger; safety See security AVAILABLE NOW order @ www.syngress.com Cyber Spying: Tracking Your Family’s (Sometimes) Secret Online Lives Dr Eric Cole, Michael Nordfelt, Sandra Ring, and Ted Fair Have you ever wondered about that friend your spouse e-mails, or who they spend hours chatting online with? Are you curious about what your children are doing online, who they meet, and what they talk about? Do you worry about them finding drugs and other illegal items online, and wonder what they look at? This book shows you how to monitor and analyze your family's online behavior ISBN: 1-93183-641-8 Price: $39.95 US $57.95 CAN Cyber Adversary Characterization: Auditing the Hacker Mind AVAILABLE NOW order @ www.syngress.com Tom Parker, Marcus Sachs, Eric Shaw, Ed Stroz, Matt Devost The ever-increasing emphasis and reliance on the use of computers and the Internet, has come in hand with the increased threat of cyber-crime Many systems and infrastructures are exceedingly vulnerable to attacks, as the complexity of computer networks is growing faster than the ability to understand and protect them Heightened vigilance is not enough, but needs to be coupled with active defensive measures to guarantee the best protection This book provides the reader with understanding of and an ability to anticipate that “cyber adversary” silently waiting in the wings to attack ISBN: 1-93183-611-6 Price: $49.95 US $69.95 CAN AVAILABLE NOW order @ www.syngress.com Hacking a Terror Network: The Silent Threat of Covert Channels Russ Rogers, Matthew G Devost Written by a certified Arabic linguist from the Defense Language Institute with extensive background in decoding encrypted communications, this cyber-thriller uses a fictional narrative to provide a fascinating and realistic "insider's look" into technically sophisticated covert terrorist communications over the Internet The accompanying CD-ROM allows readers to "hack along" with the story line, by viewing the same Web sites described in the book containing encrypted, covert communications ISBN: 1-92899-498-9 Price: $49.95 U.S $69.95 CAN ... chapter: ■ The Devil Inside ■ The Importance of Insider Threat ■ Why the Insider Threat Has Been Ignored ■ Why the Insider Threat Is Worse Than the External Threat ■ The Effect of Insider Threats... 02370 Insider Threat: Protecting the Enterprise from Sabotage, Spying, and Theft Copyright © 2006 by Syngress Publishing, Inc All rights reserved Printed in Canada Except as permitted under the. .. easier Insider Threat Protecting the Enterprise from Sabotage, Spying , and Theft Dr Eric Cole Sandra Ring Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing,