Insider Attacks: Theft of Intellectual and Proprietary Data



Lindsey Landolfi
Towson University, Network Security, Professor Charles Pak
June 2011
While hacking and malware remain major causes of data compromise, the misuse of insider privileges was the leading threat action in 2009. The term insider refers to an individual who has, or has had, access privileges and is knowledgeable about the organization and how it functions: current employees, former employees, or contractors. Malicious insider threats are becoming increasingly prevalent. The 2010 Data Breach Investigations Report (DBIR) analyzed a compilation of “900+ breaches, and over 900 million compromised records” (Verizon RISK Team, 2010, p. 5); its investigation of computer crime revealed that “48% were caused by insiders” (Verizon RISK Team, 2010, p. 2), an approximate 26 percent increase over the previous year. The United States Secret Service has likewise observed notable increases in insider incidents among its own data breach cases.

As perimeter network security becomes more advanced, the threat of internal attack becomes the greater concern. Privileged data is far more accessible to insiders than to external attackers, so a system is more vulnerable to an organized or sporadic internal malicious incident. The motivations and intentions behind theft of intellectual property vary. Behavioral catalysts for employee theft range from disgruntled employees who are dissatisfied with their job or organization to employees who feel a sense of entitlement to the data. In some cases encouragement from an external source persuades an insider to take advantage of their access privileges.
“A striking finding is that in over two-thirds of the cases of theft for financial gain, the insider was recruited to steal by someone outside the organization.” (Carnegie Mellon, 2008, p. 12) There are numerous incidents in which unintentional insider actions result in damages, but “malicious attacks have surpassed human error for the first time in three years” (Identity Theft Resource Center, 2010). This paper specifically addresses insiders with malicious
intentions. Prevalent objectives of theft include espionage in the government sector, business advantage, and financial gain. Stolen intellectual property can be used to start a new business or sold to a competitor in exchange for a new position; this is the idea behind theft for business advantage. Theft for profit typically occurs in the banking and finance sector, fraud being the typical example. Intellectual property theft usually targets either the organization's product, such as a software system, or specific organizational data, such as strategic plans or client information. The techniques used differ with the intentions of the attacker. An insider may act as a rogue employee for an extended period, slowly stealing small amounts of data, or may plan a single major attack that compromises a massive amount of data and then resign from the company.

A recent insider data theft case, still under investigation, resulted in an estimated 10 million dollar loss for Bank of America. An employee accessed and stole "names, addresses, Social Security numbers, phone numbers, bank account numbers, drivers license numbers, birth dates, email addresses, mothers maiden names, PINs and account balances" (Lazarus, 2011). The insider then leaked this information to external scammers, who used it to commit identity theft and fraud. Because insiders are already inside the firewall, on the network or on their segment of it, they have access through their network privileges. Where access control is weak, it is relatively easy for a malicious insider to exploit that technical access: they can browse the network and discover privileged information, much as the Bank of America employee did.
Encryption of the customers' personal identity information might have prevented this and similar breaches, with one caveat: encryption at rest does not stop an employee whose role legitimately decrypts the records. For that case the more direct controls are need-to-know access and monitoring of bulk or unusual record lookups.
The catastrophic WikiLeaks incident highlights the seriousness of insider breaches. Bradley Manning was a United States military analyst in Iraq who had access to classified information via the Secret Internet Protocol Router Network (SIPRNet). He disclosed classified military data to WikiLeaks, a database-driven website that describes its service as an “uncensorable system for untraceable mass document leaking” (Moss, 2010). The release of a massive cache of sensitive government records has the potential to do serious damage to national security. Manning was charged with delivering national defense information, including diplomatic cables, to an unauthorized source, illegally transferring classified data onto a personal device, and adding unauthorized software to a classified computer system. Manning explained in an online chat that "weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis" (Dilanian, 2010) made it possible for him to carry out the data theft.

Technical infiltration and theft continue to evolve; insiders combine organization-specific knowledge with technical expertise when executing an attack. Insiders know the system and the security holes within it, which makes it easier for them to exploit vulnerabilities in the system or its procedures. Given their privileges and supporting knowledge, insiders have a higher probability of successfully breaching a system than an external hacker. The following paragraphs discuss the major techniques and strategies available in an insider theft scenario. Attacks can originate from different locations, for example from within the internal system perimeter, through remote access, or from the internet.
With insiders it is especially necessary to consider the direct physical security of workstations that are already authenticated to the network.
According to a major survey conducted by the U.S. Secret Service and CERT, “the majority of crimes were committed during normal working hours using authorized access.” (Carnegie Mellon, 2008, p. 11) There are many ways an attacker can reach a secured system. For example, if the data the attacker wants is on a computer they do not have the password to, the attacker can use the trust established with co-workers to trick them into providing access. If they cannot gain access directly, they can verbally pry for the secrets needed to get in; this form of attack is known as social engineering. Exploiting a careless colleague can be as simple as using a computer that was left logged on. An attacker who gains access to a secured machine can quickly install malicious code on it and steal data undetected.

An insider may plant malware internally that sends data to a server outside the organization, so that when an unsuspecting user logs in the data leaves the company under that user's identity, making it harder to trace. The malware can run on a timer behind a legitimate program so that the user is unlikely to notice. The insider's prior knowledge of organizational programs and procedures makes such an attack easier to set up. Explicit deception makes it harder for the organization to suspect or detect the rogue employee. “About a third (34%) of the insiders used deception to hide their plans for the theft of IP.” (Moore, 2009, p. 10) This figure may seem lower than expected, but many insiders, especially those who feel a sense of entitlement, may not feel it necessary to conceal their activities.

Address Resolution Protocol (ARP) poisoning can be used by an insider to attack the local area network and intercept or block traffic.
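The timer-driven implant described above leaves a signature that the paper does not spell out: connections from one host to one external destination at nearly constant intervals, usually with nearly constant sizes. The following is an added example, not part of the paper, that scores each (source, destination) pair in a proxy log by the regularity of its connection intervals. The log format, the sample lines and the internal DNS suffix `.corp.local` are all constructed assumptions.

```python
"""Flag timer-driven outbound "beacons" in a proxy log.

Added example (not from the paper). The log format is a constructed one:
  <ISO-8601 timestamp> <source IP> <destination host> <bytes sent>
and the internal domain suffix ".corp.local" is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from statistics import mean, pstdev

INTERNAL_SUFFIX = ".corp.local"  # assumed internal DNS suffix

# Constructed sample: 10.0.5.23 reaches an external host every ~300 s
# with near-identical payload sizes, mixed with ordinary browsing.
SAMPLE_LOG = """\
2011-06-01T09:00:02 10.0.5.23 updates.example-cdn.net 1412
2011-06-01T09:00:15 10.0.5.23 intranet.corp.local 8820
2011-06-01T09:03:30 10.0.5.40 news.example.org 30012
2011-06-01T09:05:01 10.0.5.23 updates.example-cdn.net 1418
2011-06-01T09:07:44 10.0.5.23 news.example.org 53211
2011-06-01T09:10:03 10.0.5.23 updates.example-cdn.net 1409
2011-06-01T09:12:10 10.0.5.23 news.example.org 40018
2011-06-01T09:15:00 10.0.5.23 updates.example-cdn.net 1420
2011-06-01T09:20:02 10.0.5.23 updates.example-cdn.net 1415
2011-06-01T09:25:01 10.0.5.23 updates.example-cdn.net 1411
2011-06-01T09:41:12 10.0.5.40 news.example.org 28870
2011-06-01T10:02:05 10.0.5.40 news.example.org 31000
2011-06-01T10:09:00 10.0.5.40 intranet.corp.local 500
"""


def is_internal(host: str) -> bool:
    """True for the internal DNS suffix or a private/loopback IP literal."""
    if host.endswith(INTERNAL_SUFFIX):
        return True
    try:
        return ip_address(host).is_private
    except ValueError:
        return False


def parse_log(text: str):
    """Return (timestamp, src, dst, bytes) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_hits=5, max_jitter=0.05):
    """Return (src, dst) pairs whose connection intervals are nearly constant.

    jitter = stdev(gaps) / mean(gaps): a timer-driven implant scores near 0,
    human browsing scores far higher. min_hits avoids alerting on a handful
    of coincidental visits.
    """
    per_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        if is_internal(dst):
            continue  # the concern here is a server outside the company
        per_pair[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), hits in per_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        stamps = [t for t, _ in hits]
        sizes = [n for _, n in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(hits),
                "period_s": round(period),
                "jitter": round(jitter, 3),
                "bytes_cv": round(pstdev(sizes) / mean(sizes), 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, only the pair (10.0.5.23, updates.example-cdn.net) is reported, with a 300-second period and jitter well under one percent; the browsing traffic to news.example.org is too irregular and too sparse. In practice the threshold needs tuning against legitimate periodic traffic (software updaters, monitoring agents), which is why the reported fields include the period and the byte-size coefficient of variation rather than a bare verdict.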
By sending forged ARP replies the attacker associates their own MAC address with the IP address of another node, so any traffic intended for that IP address is delivered to the attacker instead. The attacker can then forward the traffic on to the real node unchanged or modify it before sending. An insider may also simply sniff the traffic passively, stealing whatever they consider valuable. In general it is easier to manipulate TCP/IP communication as an insider, since they are already inside the organization's firewall.

An insider could construct, test, plant, and deploy a logic bomb in the system. The malicious function specified in a logic bomb's code is activated when certain conditions are met inside the network or when commanded by the attacker. A programmer can design logic bomb code to facilitate data theft by having it send proprietary information to unauthorized systems. Logic bombs do not replicate or spread over the network as some other malicious programs do, so it is easier to aim them at a specific victim or goal. In a series of case studies by Carnegie Mellon University, “an insider prepared for the future release of a logic bomb by systematically centralizing the critical manufacturing programs for his organization onto a single server.” (Band, 2006, p. 27) Centralizing the targets makes the attack easier to execute and the damage greater. This form of attack is difficult to detect within the system, and because nothing need be exfiltrated at the moment it fires, tracing communications is unlikely to identify the attacker. Certain deployment methods can even frame other employees, for example committing the attack through a colleague's compromised account. It is also plausible for the insider to use legitimate access to create a backdoor account and then use that account to plant and deploy the bomb or other malicious code. A backdoor account is an unauthorized account created by the attacker and unknown to the operators of the system.
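The ARP poisoning described above is visible to anyone sniffing the segment: the attacker's MAC suddenly answers for an IP address that previously mapped to a different MAC, and the same MAC answers for more than one IP address (the gateway and the victim) when the attacker sits in the middle. The following added example, not part of the paper, implements that detection over a constructed trace of ARP replies. The records, the MAC and IP addresses, and the static gateway binding in `KNOWN_BINDINGS` are all assumptions.

```python
"""Detect ARP poisoning from a stream of ARP replies seen on the LAN.

Added example (not from the paper). The trace below is constructed; each
record is (time, sender IP, sender MAC, target IP), the fields of an ARP
"is-at" reply as a sniffer on the segment would present them.
"""
from collections import defaultdict

# Assumed static binding for the default gateway (from a switch or DHCP record).
KNOWN_BINDINGS = {"10.0.5.1": "00:1a:2b:00:00:01"}

SAMPLE_ARP_REPLIES = [
    ("09:00:01", "10.0.5.1",  "00:1a:2b:00:00:01", "10.0.5.23"),  # real gateway
    ("09:00:03", "10.0.5.23", "00:1a:2b:00:00:23", "10.0.5.1"),   # victim host
    ("09:00:05", "10.0.5.30", "00:1a:2b:00:00:30", "10.0.5.1"),
    ("09:01:10", "10.0.5.1",  "00:1a:2b:00:00:99", "10.0.5.23"),  # attacker poses as gateway to victim
    ("09:01:10", "10.0.5.23", "00:1a:2b:00:00:99", "10.0.5.1"),   # ...and as victim to gateway
    ("09:01:12", "10.0.5.1",  "00:1a:2b:00:00:99", "10.0.5.23"),  # re-poison before the cache expires
    ("09:02:00", "10.0.5.40", "00:1a:2b:00:00:40", "10.0.5.1"),
]


def detect_arp_poisoning(replies, known=None):
    """Return a list of alert dicts for suspicious ARP replies.

    static-mismatch  a reply contradicts a configured IP->MAC binding
    mac-change       a reply contradicts the MAC first learned for that IP
    multi-ip-claim   one MAC has now answered for more than one IP
    """
    known = dict(known or {})
    learned = {}                # IP -> first MAC seen (no ageing; a real tool would expire entries)
    claimed = defaultdict(set)  # MAC -> IPs it has answered for
    alerts = []
    for ts, ip, mac, target in replies:
        if ip in known and known[ip] != mac:
            alerts.append({"time": ts, "kind": "static-mismatch", "ip": ip,
                           "expected": known[ip], "observed": mac, "sent_to": target})
        elif ip in learned and learned[ip] != mac:
            alerts.append({"time": ts, "kind": "mac-change", "ip": ip,
                           "expected": learned[ip], "observed": mac, "sent_to": target})
        learned.setdefault(ip, mac)

        newly_claimed = ip not in claimed[mac]
        claimed[mac].add(ip)
        if newly_claimed and len(claimed[mac]) > 1:
            alerts.append({"time": ts, "kind": "multi-ip-claim", "mac": mac,
                           "ips": sorted(claimed[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, KNOWN_BINDINGS):
        print(alert)
```

On the sample trace the detector raises four alerts, all involving the attacker's MAC `00:1a:2b:00:00:99`: a static mismatch for the gateway, a MAC change for the victim, a multi-IP claim once the same MAC has spoken for both, and a second static mismatch when the attacker re-poisons. Without a configured gateway binding the gateway alerts degrade to `mac-change`, which is why pinning the gateway MAC (or enabling dynamic ARP inspection on the switch) is worth the effort on segments that carry sensitive traffic.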
Another illegitimate access path is the use of disregarded inactive accounts. It is also possible to search for old password files that were created during a system backup and then forgotten in system storage. In many cases the attacker held a position with full data access privileges; such an insider can simply copy proprietary files onto a CD or USB drive. This was one of the techniques Bradley Manning used in the WikiLeaks incident. At that time workers were permitted to use CDs and other media to transfer data among the computer systems, and Manning explained that he "would come in with music on a CD-RW labeled with something like Lady Gaga … erase the music … then write a compressed split file. No one suspected a thing." (Dilanian, 2010)

The damages resulting from insider theft are vast, ranging from monetary repercussions to operational impacts to reputational harm. High-profile institutions tend to suffer greater reputational damage because of the massive public exposure. Countermeasures enable organizations to minimize the risk and potential losses due to insiders. Adherence to preventive controls such as an auditing system has a positive effect on security efforts. Finally, it is vital to be observant of employees; malicious insiders often exhibit technical and behavioral violations, such as testing after working hours, that could have indicated a potential theft attack.
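The backdoor accounts, the "disregarded inactive accounts", and the auditing countermeasure above all reduce to one recurring check: compare the accounts that exist on a system against the accounts that are supposed to exist and that are actually used. The following added example, not part of the paper, performs that audit on a single Unix-style host. The passwd lines, the last-login dates, the authorized-account inventory and the 90-day dormancy threshold are constructed assumptions; on a real host the inputs would come from `/etc/passwd`, `lastlog`, and HR or IT records.

```python
"""Audit local accounts for backdoor, orphaned, and dormant entries.

Added example (not from the paper). The passwd lines, last-login dates
and the authorised-account inventory are constructed; on a real host
they would come from /etc/passwd, `lastlog`, and HR/IT records.
"""
from datetime import date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
svc_backup:x:0:0:backup helper:/var/backups:/bin/sh
"""

# Constructed last-login dates (None = never logged in).
LASTLOG = {
    "root": date(2011, 6, 9),
    "alice": date(2011, 6, 10),
    "bob": date(2011, 1, 5),
    "carol": None,
    "svc_backup": date(2011, 6, 10),
}

# Accounts HR/IT say should exist; carol left months ago and was never removed,
# and nobody authorised svc_backup (a UID 0 alias with a login shell).
INVENTORY = {"root", "alice", "bob"}

NON_INTERACTIVE_SHELLS = ("/nologin", "/false")


def audit_accounts(passwd_text, lastlog, inventory, today, dormant_days=90):
    """Return findings as (account, kind) pairs.

    uid0-alias        another account with UID 0 (a classic backdoor)
    not-in-inventory  interactive account nobody authorised (backdoor or orphan)
    dormant           interactive account unused for more than dormant_days
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if int(uid) == 0 and name != "root":
            findings.append((name, "uid0-alias"))
        if shell.endswith(NON_INTERACTIVE_SHELLS):
            continue  # system accounts that cannot log in are out of scope here
        if name not in inventory:
            findings.append((name, "not-in-inventory"))
        last = lastlog.get(name)
        if last is None or (today - last).days > dormant_days:
            findings.append((name, "dormant"))
    return findings


def remediation(findings):
    """Commands an administrator would run to neutralise each finding:
    lock the password and, for unauthorised accounts, remove the login
    shell. Review before executing; deletion comes after investigation."""
    cmds = set()
    for name, kind in findings:
        if kind in ("uid0-alias", "not-in-inventory"):
            cmds.add(f"usermod -L -s /usr/sbin/nologin {name}")
        elif kind == "dormant":
            cmds.add(f"usermod -L {name}")
    return sorted(cmds)


if __name__ == "__main__":
    found = audit_accounts(PASSWD, LASTLOG, INVENTORY, date(2011, 6, 10))
    for item in found:
        print(item)
    for cmd in remediation(found):
        print(cmd)
```

Run against the constructed data, the audit reports bob as dormant (no login since January), carol as both unauthorized and dormant (a former employee's orphaned account), and svc_backup as both a UID 0 alias and unauthorized (the backdoor account pattern). The same comparison applies to directory services and application accounts; the inventory is the part that most organizations lack, and without it the "not-in-inventory" class cannot be detected at all.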
References

Band, S. R., Cappelli, D. M., Fischer, L. F., Moore, A. P., Shaw, E. D., & Trzeciak, R. F. (2006). Comparing insider IT sabotage and espionage: A model-based analysis. Technical Report, Carnegie Mellon University, Software Engineering Institute.

Carnegie Mellon University Software Engineering Institute, U.S. Department of Defense, and CERT. (2008). 2008 CERT Research Annual Report.

Dilanian, K. (2010, December 4). Leaks may clog up anti-terrorism intelligence sharing. Los Angeles Times. Retrieved from wikileaks-siprnet-20101205/2

Franqueira, V. N. L., & van Eck, P. (2006). Defense against insider threat: A framework for gathering goal-based requirements. Technical Report TR-CTIT-06-75, University of Twente.

Identity Theft Resource Center. (2010, January 8). Data breaches: The insanity continues. Retrieved June 10, 2010.

Lazarus, D. (2011, May 24). Bank of America data leak destroys trust. Los Angeles Times. Retrieved from 20110524,0,3701056,full.column

Moore, A. P., Cappelli, D. M., Caron, T. C., Shaw, E. D., & Trzeciak, R. F. (2009). Insider theft of intellectual property for business advantage: A preliminary model. Paper delivered at The First Workshop on Managing Insider Security Threats, Purdue University.

Moss, S. (2010, July 14). Julian Assange: The whistleblower. Retrieved from whistleblower-wikileaks

Verizon RISK Team, in cooperation with the United States Secret Service. (2010). 2010 Data Breach Investigations Report. Retrieved from report_en_xg.pdf
Appendix A - Tree structures of attack strategies

Pre-attack tree structure (figure)

Gain access tree structure (figure)

Abuse access tree structure (figure)

Source: Franqueira, V. N. L., & van Eck, P. (2006). Defense against insider threat: A framework for gathering goal-based requirements. Technical Report TR-CTIT-06-75, University of Twente.