implications) as well as commercial systems (industrial espionage). With current trends, the overlap between systems with national security implications and commercial systems will grow. The “insider” remains an intrinsic part of this problem, since high-value targets will be attacked no matter what controls are placed on them, and those attacks may often be accomplished through the actions of insiders.
3. Psychological, Social, Legal and Managerial Aspects of the Insider Threat
Meeting participants discussed a number of issues related to the intersection of psychology, sociology, and management policy that affect how best to combat the insider threat to information systems. The first concerns the definition of the term ‘insider’ and methods for understanding the motivations of persons who present an insider threat. The second is the pressing need for more data in this area. The third addresses the complexity of managing employees who are often working with seemingly contradictory or unclear goals (for example, managers who encourage substantive inter-group or inter-institutional collaboration while insisting on protection of sensitive information). The fourth concerns the legal issues that arise with respect to insider security concerns.
Differing Categories of and Motivations for Insiders
Participants acknowledged that defining the term ‘insider’ is difficult.1 Persons who constitute insider threats range from incompetent users making critical mistakes to moles who have been recruited, trained, and planted by nefarious outsiders; their motivations also vary widely and include the desire for recognition for hacking skills, ideological convictions, and monetary incentives. Determining what techniques are most appropriate in defending against the insider threat requires the consideration of at least three dimensions: the individual’s access privileges, their intent, and their technical abilities.
Need for Data and Modeling Techniques
A compelling case was made at the meeting for the need for more data on insider threats and better modeling techniques. Models of a typical ‘hacker’ have been available for a long time; while similar kinds of composites of persons likely to present an insider threat would also be useful, the requisite repository of data does not yet exist. One challenge to constructing the models and compiling the data needed for such a repository is the fact that insiders can be characterized in many different ways. For example, the behavior of the insider will likely vary depending on a wide variety of factors, including whether that person is unwitting, incompetent, coerced, vengeful, and so on. Such factors imply that simply relying on externally observable traits and behaviors in order to identify potential insiders may not prove useful.
An additional point was made at the meeting about the need for hard data on insider attacks. The salient question to be answered satisfactorily before any particular organization will commit substantial resources to solving the insider threat is: What is the threat, both in terms of number of occurrences and in potential risks or losses per occurrence? Financial institutions, for example, are required to report such information, but very few others do. In recent years, however, the opportunities for profit through attacks on information systems seem to have proliferated. Participants emphasized that more investigation is needed before meaningful answers to this sort of question will be possible.
A suggestion was made to examine case law in areas such as fraud or other classes of misbehavior that are similar to or include insider attacks on information systems. The challenge here is that, for reasons ranging from settlements out of court to unverifiability, the data is not always readily available or accessible. Further, those who have been compromised often have reasons of their own not to make that data available. Even military base commanders may not generally report their insider problems, for example. Banks also are loath to disclose insider security breaches for obvious reasons. Information Sharing and Analysis Centers (ISACs)2 (the Financial Services ISAC3 is an example of one) may prove helpful in gathering and exchanging information.
Within the DOD and other parts of the government that relate to national security, psychophysiology detection (polygraph) is reportedly one of the best investigative tools. It does have limitations, however. The accuracy of the screening exam is around 84%. In addition, polygraph exams can only provide information on events that have taken place in the past; they are unable to provide information about intent. Further, there is a limited number of polygraph examiners, which makes widespread use of this tool within the DOD infeasible. More generally, use of the polygraph test is not accepted in the corporate world.
These and other observations led some at the meeting to put forth an argument that focusing on the individual rather than the act itself is problematic in both the government and the private sector. Spies, broadly speaking, have always existed and it is highly unlikely that means for detecting potential spies will be developed; therefore barriers to particular acts are necessary instead. Others suggested that learning to infer behavior and intent from usage signatures could be very powerful, although it is not clear how to achieve that at this point. Furthermore, any such techniques inevitably run the risk of incorrectly labeling problematic behavior as acceptable, or, arguably worse, determining benign usage signatures to be indicative of inappropriate behavior or intent.
Management Issues
The structure of the workplace today produces challenges for managers who are attempting to minimize risks and maintain system security. One observation made was the need for better training and security awareness education. This could be especially helpful in the case of the unwitting insider or the incompetent user. An effort on the part of management to find ways to motivate people not to do ‘bad things’ might also be effective. Taking into account psychological profiles when hiring is another tactic; this can be problematic though, especially without consistent metrics to distinguish merely quirky employees from potentially dangerous individuals. Research into organizational and functional work design as it pertains to making it easier (or possible) to audit activities that would reveal undesirable insider activities was also mentioned as a way to provide management with better tools to address the problem. The broad implications of employee monitoring were not discussed.

2 An ISAC is a private sector entity that facilitates the collecting and sharing of incident and response information among its members as well as information exchange between government and the private sector. ISACs were promoted by the Critical Infrastructure Assurance Office (http://www.ciao.gov/) in response to the President’s Commission on Critical Infrastructure Protection’s 1997 report Critical Foundations: Protecting America’s Infrastructures (http://www.ciao.gov/PCCIP/report_index.html).
Recent movements toward more open architectures along with more collaboration and teamwork within and across institutions present even more management challenges. In a classified environment, for example, information is supposed to be distributed on a need-to-know basis, but given a shift towards more collaborative exercises, determining who needs to know what and constraining the sharing of information to that end is difficult. Similarly, in the business world, there has been a significant movement toward embracing cooperation across organizations and sectors, but this, of course, introduces security problems. One participant characterized the dilemma in both domains by paraphrasing directives from senior management and government as, “Collaborate with everybody but build systems that are resistant to attack.”
Legal Issues
There are many legal aspects to the problem of the insider threat. First, the usual privacy and workplace surveillance issues need to be addressed when determining how, within an organization, to implement tools to decrease the possibility of insider malfeasance. In addition to this, though, is the issue of building technology that produces data (audit logs, for example) that meet acceptable legal and forensic standards. The interplay between employment laws and the need for system security is also a concern. For example, termination of suspected individuals may not occur immediately, and thus such people may maintain access to sensitive information while the necessary paperwork goes through channels. Finally, sophisticated adversaries can take advantage of jurisdictional differences and route their attacks through non-cooperating jurisdictions. The jurisdictional challenges are complicated by the fact that under U.S. law search warrants are geographical in nature.
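One concrete property behind audit data that "meets acceptable legal and forensic standards" is tamper evidence: a record of who did what must survive an insider with write access to the log itself. The following is an added example, not code from the report or any system it describes: a hash-chained, actor-attributed audit trail whose head is sealed by a witness key held outside the log writer's reach. The key, actor names and records are constructed sample values.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(trail, actor, action, target, ts):
    """Append one accountable record; returns the new chain head digest."""
    prev = trail[-1]["hash"] if trail else GENESIS
    record = {"seq": len(trail), "ts": ts, "actor": actor, "action": action, "target": target}
    trail.append({"record": record, "hash": _digest(prev, record)})
    return trail[-1]["hash"]

def seal(head_hash, witness_key):
    """MAC over the current head, kept by a party the log writer cannot reach
    (a separate log-collection host, for instance); this is what catches truncation."""
    return hmac.new(witness_key, head_hash.encode(), hashlib.sha256).hexdigest()

def verify(trail, sealed_head, witness_key):
    """'ok' if intact; 'bad entry N' on an edited or removed record;
    'head not sealed' when the chain is consistent but records were dropped from the end."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        rec = entry["record"]
        if rec["seq"] != i or entry["hash"] != _digest(prev, rec):
            return f"bad entry {i}"
        prev = entry["hash"]
    if not hmac.compare_digest(seal(prev, witness_key), sealed_head):
        return "head not sealed"
    return "ok"

def demo():
    """Constructed sample trail plus three ways an insider might try to hide one action."""
    key = b"constructed-witness-key"  # hypothetical key; in practice held by the collector
    trail = []
    append(trail, "alice", "READ", "hr/payroll.xlsx", 1)
    append(trail, "bob", "COPY", "hr/payroll.xlsx", 2)  # the record bob wants gone
    sealed = seal(append(trail, "alice", "LOGOUT", "-", 3), key)
    edited = json.loads(json.dumps(trail))
    edited[1]["record"]["action"] = "READ"        # rewrite the record in place
    removed = trail[:1] + trail[2:]               # delete just that record
    truncated = trail[:1]                         # delete it and everything after
    return {name: verify(t, sealed, key) for name, t in
            [("intact", trail), ("edited", edited), ("removed", removed), ("truncated", truncated)]}
```

Without the external seal the truncated trail would verify as intact, which is why the collector's witness key, not the chain alone, is what gives the log its forensic value.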
4. Technology, Present and Future
Participants in the meeting discussed several technological tools and strategies that may help mitigate the insider threat. These technological approaches ranged from better authentication and access control techniques to biometrics and application-based audit trails. The pros and cons of many of these approaches were debated.
Technologies in Use and Their Limitations
Authentication, access control, and audit trails are three well-understood technologies that can be used in combating the insider threat. Using these mechanisms to enforce strict accountability can be effective, but in practice they are often not as successful as