Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
•
2 likes•1,909 views
More Related Content
What's hot
What's hot (20)
Similar to Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
Similar to Monitoring, Detecting And Preventing Insider Fraud And Abuse V2 (20)
Monitoring, Detecting And Preventing Insider Fraud And Abuse V2
- 1. Monitoring, detecting and preventing insider frauda presentation based on dansullivan’s journal article in Realtime nexus Kevin M. Moker, CISSP-ISSMP, CISM Senior Risk Consultant WCSU ‘99
- 2. Who am I Served in the United States Army as a Communication/Information Security Analyst Been in the IT field for 21 years Graduated WCSU in ‘99 with a MIS degree and a concentration in InfoSec Management Graduated Norwich University in ‘07 with a Master of Science in Information Assurance Hold several certifications Currently pursuing my Certified Fraud Examiners certification
- 3. Agenda What is insider abuse Cost of insider abuse Barriers to prevention Techniques for prevention Tool selection Summary Questions & Answers More information on this presentation can be found in the Realtime Publications, “Monitoring, Detecting and Preventing Insider Fraud and Abuse” by Dan Sullivan
- 4. What is insider Fraud New opportunities Most difficult to prevent Most costly to recover Authorized employee, contractor, consultant engaging in unauthorized activities Firewalls, authentication & authorization systems, and network access controls inefficient to prevent insider abuse Figure 1.1: An insider with access to accounts payable and accounts receivable Question: Why is this a problem?
- 5. Alice is an employee that works for M&B Bank. Her primary job is accounts payable. Alice has been with M&B for 15 years. Alice is an authorized employee with physical access to her branch and access to accounts payable applications. Bob is the Security Officer of M&B Bank. His primary role is to detect and investigate internal fraud. Bob has been with M&B for 10 years. Think of Bob as the internal cop. Bob works closely with Charlie who is the Information Security Officer. Charlie’s primary role is to maintain the firewalls, authentication & authorization systems, and network access controls. Charlie has been with M&B for 10 years. Scenario: Marshall & Bach Bank
- 6. Types of insider attacks Financial theft Intellectual property theft Sabotage Privacy breaches and data theft
- 7. This scenario will deal with all four major types of insider attacks You will see how Alice executes Financial theft IP theft and sale Sabotage Breach customer privacy Scenario: Marshall & Bach Bank
- 8. Financial Theft In spite of all the technical advances of the past decades, banks are still “where the money is”, whether physical or “0s” and “1s”. Examples of financial fraud: IT Contractor steals $2 million from clients bank (The Register) Three Indicted in Conspiracy to Commit Bank Fraud and Identity Theft (US DOJ) Water utility auditor resigns, transfers $9m offshore (The Register) In all three of these examples, employees or contractors used their knowledge of the business in conjunction with their privileged access to applications to defraud the business.
- 9. Alice has had fantastic performance reviews over the past 14 years. However, this year her performance has dropped significantly (red flag #1) Her manager asks if everything is OK and she’s says she’s having some financial difficulties at home (red flag #2) [note: this does not mean she’s a thief automatically] Alice has been coming in late to work, which has been due to drug use. Scenario: Marshall & Bach Bank
- 10. Intellectual property theft Imagine a computer hardware vendor who did not have to invest in engineers to design a new product or an oil company that did not have to hire teams of geologists to collect and analyze data about potential oil fields. Examples of intellectual property theft: Chemist steals OLED technology intellectual property and tries to start own business Engineer steals $1 billion in next-generation microprocessor intellection property while on vacation Even though the victim company seems to have implemented security best practices, an insider was able to circumvent these controls and steal essential intellectual property.
- 11. M&B has been working on upgrading their core banking solution M&B is creating their own core banking solution that will revolutionize the banking industry by: Hiring less staff More customer service interaction Lower maintenance fee Their projections for this development will save them several million dollars over the course a year The database used to protect this information is an unencrypted format and access to the database is not restricted to necessary employees (red flag #3) Scenario: Marshall & Bach Bank
- 12. Sabotage Revenge, like greed, is motivation for insider abuse. A disgruntled insider with the right combination of knowledge and access can wreak havoc on business operations using only a handful of scripts. Forms of sabotage: Deleting or altering data Disabling system logging Destroying or corrupting backup files Denying administrative access to systems Altering the functionality of legitimate programs Examples of Sabotage In 2008 an IT Admin at a mortgage company plants a logic bomb A former IT consultant who cause $1.2 million (Australian) in damages to his former employer by deleting more than 10,000 user accounts on government servers. A subcontractor to the IRS planted a logic bomb on three servers prior to being dismissed
- 13. Sabotage: Common elements of a logic bomb Figure 1.2: Common elements of logic bomb attacks include installing malicious code, blocking logging, and preventing administrative access by other privileged users. Question: How do you think a logic bomb could be prevented?
- 14. Alice had her 2010 performance review, which was dismal to say the least Alice is visibly upset and her manager does not address the situation well Alice goes back to her desk and is stewing Alice then starts to make friends with the technology folks asking some innocuous questions (red flag #4) Scenario: Marshall & Bach Bank
- 15. Privacy breaches and data theft The ease with which personal information is collected, disseminated, and stored has developed along with growing concerns for the need to protect privacy Two general categories for privacy breaches Broad privacy breaches Targeted privacy breaches Examples of broad privacy breaches Call center employee steals private customer information to commit credit card fraud Insider stole Countrywide applicants' data, FBI alleges Examples of targeted privacy breaches Employee inappropriately accessed one patient record Celebrity snooping Farrah Fawcett’s health records by hospital worker
- 16. M&B has been sited by the FDIC about not having well established access controls and lack of encryption, which are both requirements per the GLBA M&B has been trying to plug these gaps working with Charlie Charlie’s budget is a fraction of a percentage of the overall IT budget (red flag #5) Charlie has built a plan to deploy monitoring solutions to at least detect incidents Charlie’s 2012 plan calls for more restrictive software solutions help protect IP & Customer information Scenario: Marshall & Bach Bank
- 17. The cost of insider abuse Financial Losses Due to Insider Abuse Money stolen directly by the malicious activity Credit extended to a fake customer account set up by an insider Payments to customers, clients, or patients who are victims of privacy breaches Cost of restoring systems and data destroyed by a disgruntled employee due to logic bomb Less direct loss. For example, opportunity cost, lost interest, incident response Compliance Violations Health Insurance Portability and Accountability Act (HIPAA) Payment Card Industry Data Security Standard (PCI DSS) Sarbanes/Oxley (SOX) Gramm Leach Bliley Act (GLBA) Brand Damage Loss of Confidence As is often the case, the cost of prevention is less than the cost of the cure
- 18. Alice realizes that she still has her access to the accounts receivable system. Remember, Alice is an accounts payable clerk (this is known as “access creep”) Alice creates a phony payable account and leaves it dormant for a few weeks Once Alice is comfortable with the fact that the monitoring system didn’t pick up the account she’s starts funding the account from her payables access. Alice puts in $100.00 and waits Alice has plenty of time Scenario: Marshall & Bach Bank
- 19. Basic Requirements for Monitoring and Detecting Abuse Monitoring Web traffic Email communications System access File Servers Correlation of Activities Logging Timing (e.g, Network Time Protocol – NTP) Credit Checks
- 20. Alice became good friends with one of the IT staff members Alice was inquisitive about the logging techniques and the IT member said, “logging, what logging”. This place over rights logs every 24 hours. Alice knew her plan to steal funds, personal identifiable information (PII) would work like a charm Scenario: Marshall & Bach Bank
- 21. Barriers to prevention Special challenges with insider abuse Trust Probability & Impact Median duration of a fraud instance is 18 months (Source: Association of Certified Fraud Examiners, 2010 Report to the Nations on Occupational Fraud and Abuse) Three common characteristics of an inside threat: Legitimate access to resources Logical Access to Applications and Data Resources Physical Access Insider knowledge Insider Knowledge about Business Processes Colluders Potential ability to tamper with security controls
- 22. For 12 months Alice funded her account (Financial Loss) Stole PII to create false identifications (Identity Theft) Setup a logic bomb in the new core banking system (Sabotage) Finally, she emailed all the customer information from the back in clear text via her email account over the course of the same timeframe (Privacy Breach) Scenario: Marshall & Bach Bank
- 23. Barriers to prevention Example Scenario of Financial Fraud Summary Disgruntled Alice Family difficulties Financial difficulties Knowledgeable about internal systems (plus access creep) Access to electronic funds transfer services Knowledge of accounting structures, accounts receivable and accounts payable Slow and methodical observation (patience) Social engineering attacks to gain small tidbits of information from multiple internal people Attempts to avoid detection Doesn’t ask too many questions to one person Creates bogus documentation Steals identity to create the account Keep transactions small Knows her adversary (monitors security controls that admins are monitoring)
- 24. Barriers to Prevention Five (5) key challenges to detecting insider abuse Traditional access controls are insufficient to prevent potentially abusive access Perimeter defenses, such as firewalls Access controls, such as authentication and authorizations Encryption, such as disk encryption and virtual private networks (VPNs) Vulnerability scanning and patch management Insiders can collect data from multiple systems Insiders can perform malicious activities over an extended period of time Insiders can tamper with logs and other audit controls It is difficult to distinguish malicious from legitimate transactions
- 25. Techniques for prevention Four key area for mitigating risks of insider fraud: Multi-channel monitoring Application activity analysis Information security response Demonstration of compliance
- 26. Multi-Channel monitoring Identify systems that are likely targets Monitor and record high risk transactions Understand IP address conversations Other system transactions Abnormal activities performed Monitoring Strategy Monitor all applications components and all activity that makes use of those components (e.g., system infrastructure components) Collect key attributes about each activity Monitor at the lowest level
- 27. Collecting activity attributes Data is useless without context We want to know the following: Who read the record When was the record read What application used the record Monitor at the network level For command sent Direct connections Collecting data with multi‐channel monitoring is just the first step in the process. The next step is to mine potentially large volumes of data for indications of fraud and abuse
- 28. Application activity analysis Application activity analysis entails three steps: Specifying patterns of abuse Detecting potential abuse patterns in data Analyzing findings to determine actual case of fraud and abuse Three step process of analyzing multi-channel data:
- 29. Benefits of Application activity analysis Normal behavior patterns are detected Known patterns of abuse are detected System/Application errors detected
- 30. Analyzing findings Looking Before You Leap: Understanding the Context of Suspicious Events False Positives: Accusing the Innocent False Negatives: Getting Away with Fraud
- 31. Information security response Incident response Forensic investigations and case management processes Post-event assessment and policy review
- 32. Incident response Create an Incident Response Team Contain the breach Investigate the breach Identify the breach subject (e.g., human) and object (e.g., target) Close the vulnerability Review the breach and actions taken to prevent future breaches
- 33. Forensic Investigations Need to develop a sound forensic investigation process BEFORE the breach occurs Next is the “How did it happen” process Description of the sequence of events initiated by the perpetrator Information about the applications and hardware used to commit the fraud or abuse A list of possible parties involved, which in some cases might involve unknown persons Vulnerabilities in applications and weaknesses in business procedures that were exploited
- 34. Post-Event assessment & policy review Review current policies Update policies if necessary Train on new polices
- 35. Demonstrating compliance Supports governance and compliance (a.k.a., GRC) PCI DSS GLBA HIPAA Multi-channel monitoring integrates into controls and procedures
- 36. Tool selection Key functional requirements Business functional requirements Industry specific heuristics Useable interfaces Configurable heuristics Technical requirements Support for multi-platforms Real-time application monitoring Searchability Pattern analysis and reporting
- 37. Tool selection Key Non-Functional Requirements Scalability Security Maintainability Vendor Support
- 38. Summary Difficult to prevent Most organizations may not understand may not prepared for it may not understand the dollar loss may not have management commitment Cost of insider abuse is high Techniques for prevention are not rocket science Tool selection and analysis are critical components Ben Franklin, “An ounce of prevention is worth a pound of cure”
- 39. After Charlie put in proper controls he was able to detect Alice’s nefarious actions Charlie did not mention any of these controls to Alice Charlie trained the IT employees not divulge any control information to the employees Alice was arrested and sent to jail Scenario: Marshall & Bach Bank
- 41. Thank You Kevin M. Moker, CISSP-ISSMP, CISM For more information: kevin.moker@gmail.com
Editor's Notes
- With new business opportunities using complex business systems, comes new ways to commit fraudInsider fraud is the most difficult to detect and preventInsider fraud is the most costly because an insider could steal intellectual property worth billions to a companyWith fraud, there are authorized individuals engaging in unauthorized activities. They have to be given this access in order to do their work, but what happens when they go bad.Security technologies to keep the bad guys out is rendered useless against internal fraudFigure 1 illustrates a major no-no when it comes to AP & AR. Question: why is it a problem to have an AP clerk access to create AR records?
- Types of Insider AbuseThose with knowledge of business operations, access to enterprise applications and data, and a willingness to exploit that knowledge can threaten businesses in multiple ways by committing a number of crimes:• Financial theft• Intellectual property (IP) theft• Sabotage• Privacy breaches and data theftSome of these attacks can incur direct and easily measured costs, but the impact of other crimes can be more difficult to measure. Financial theft is often easily quantified, but there are exceptions. When news of a data breach or a fine for violating regulations hits the press, customer trust and brand value can be adversely affected. Regardless of whether we can precisely quantify the full impact of fraud and abuse, there are clear consequences for businesses.
- Financial TheftA disgruntled employee looking to defraud a financial institution or other business probably has more options today than ever before. Take for example how we work with our banks.Advances in Information Technology Exploited for FraudIn the not too distant past, businesses would conduct commercial banking using private networks and electronic data interchange (EDI) protocols and standards. (And before that, people actually interacted in person in bank offices to conduct their financial business.) This method is well structured, comprehensive enough for many business transactions, and fairly limited in access. EDI is still used, of course, but in addition, we now have more general‐purpose Web applications. A CFO can conceivably be anywhere in the world and, as long as she had access to a browser, could move funds between accounts at any time of the day.Moving away from business‐process–specific protocols and standards to general information exchange protocols used across the Internet has become a double‐edged sword. Applications are more easily developed and deployed, but they are also accessible to more employees and other insiders than in the past.Examples of Insider Financial FraudIn spite of all the technical advances of the past decades, banks are still “where the money is.” It is not surprising to see news stories of bank employees who attempt to outwit their employers and steal from the bank.For example, an IT contractor used his insider knowledge and access to steal $2 million from his client banks by exploiting his ability to upgrade software on the bank’s computers. With that kind of access, he was able to install software that posted fraudulent transactions to his accounts. He managed to get away with this for almost two‐and‐a‐half years. (See http://www.theregister.co.uk/2010/04/30/it_consultant_sentenced/ for more details.)In a case that combines financial fraud with privacy breaches, three Sacramento, California men, including a former bank employee, conspired to gain unauthorized access to the bank’s computer systems, steal personally identifying information, and commit bank and computer fraud. One of the convicted collected customer information such as name, address, date of birth, Social Security Number (SSN), driver’s license number, and credit card account details. The information was used to commit identity theft, including creating fraudulent financial instruments in the victims’ names. (See http://www.justice.gov/criminal/cybercrime/thomasIndict.htm for further details.)Banks are not the only victims of insider financial fraud. A former auditor to a California water utility attempted to transfer $9 million from the utility’s bank account shortly after resigning his position. He did this by accessing two password‐protected computers. Neither physical access controls nor logical access controls prevented the fraudulent transfers. (Seehttp://www.theregister.co.uk/2009/05/26/utility_transfer_heist/ for more details.)In all three of these examples, employees or contractors used their knowledge of the business in conjunction with their privileged access to applications to defraud the business. Clearly, existing controls are insufficient. In some cases, proper policies and procedures may not have been followed, such as in the case of the former auditor who was able to access building and computers after resigning. In other cases, existing controls may not have taken into account all the ways insiders might exploit security weaknesses; the IT contractor who continued to steal for more than two years seemed to have found such an exploit. In other businesses, it is not their funds but their ideas that lure unscrupulous employees to commit insider fraud.
- Intellectual Property TheftImagine a computer hardware vendor who did not have to invest in engineers to design a new product or an oil company that did not have to hire teams of geologists to collect and analyze data about potential oil fields. That time and cost savings could be enormous—and therein lies the allure of intellectual property theft. Why develop the knowledge and understanding the hard way when you can have it for a fraction of the cost in very little time? A few different scenarios seem to play out in intellectual property theft:• An employee steals intellectual property, such as a client list, and starts a competingbusiness• After stealing trade secrets, an employee sells them to a competitor• An employee steals intellectual property in order to secure a position with acompetitorAs the following examples show, bankers, auditors, and IT consultants are just the start of the list of potentially abusive insiders.Consumers are eager for display devices that provide high‐quality images and consume little power. Liquid crystal displays (LCDs) are popular but organic light emitting diodes (OLEDs) devices can be lighter, thinner, and provide deeper contrasts. One can imagine that developing OLED technology and dealing with thermal evaporation in a vacuum, electroluminescent conductive polymers, and other chemical and material science issues is difficult to say the least. One chemist for an international chemical company tried to advance his career by stealing trade secret information on improving the longevity and performance of OLEDs. He stole samples and documents describing chemical processes that could have been used to jump start development of a competitive product. (For further details, see http://www.justice.gov/criminal/cybercrime/mengPlea.pdf.)In another case, a low‐level engineer managed to steal $1 billion (yes, that is with a ‘b’) worth of intellectual property. The engineer resigned his position working for a major microprocessor manufacturer to go to work for a competitor. While still employed by the victim and supposedly using remaining vacation time, he went to work for the competitor. His access to the victim’s computer systems were not terminated until a week after he started with the competitor. During this period, the engineer downloaded 13 “top secret” (internal classification) documents from his soon to be former employer. The documents contained details on the process for developing next‐generation microprocessors. There were multiple controls in place to prevent IP theft:• Physical access restrictions• Authentication and authorization controls on computer systems• Use of encryption in the document management system• Restriction on remote access through the use of a virtual private network (VPN)Even though the victim company seems to have implemented security best practices, an insider was able to circumvent these controls and steal essential intellectual property. As in the earlier bank example, we have a case where an insider can avoid detection and prevention mechanism of common security measures. (For more details on this case, see http://regmedia.co.uk/2008/11/06/amdintelpaniindictment.pdf.)
- SabotageRevenge, like greed, is motivation for insider abuse. A disgruntled insider with the right combination of knowledge and access can wreak havoc on business operations using only a handful of scripts. Sabotage of computer systems can come in many forms:• Deleting or altering data• Disabling system logging• Destroying or corrupting backup files• Denying administrative access to systems• Altering the functionality of legitimate programsTake the 2008 case of a disgruntled IT professional at a mortgage company. According to an indictment, shortly after being fired from a mortgage company, a former IT administratorplanted a series of scripts that would execute a few months in the future and destroy data on all production, test, and development servers at the company. Known as logic bombs, these scripts could have disrupted operations for a week and cost the company millions of dollars to recover had they not been discovered and disabled.The former employee’s position gave him access to servers throughout the organization. Between the time he was notified of being fired and his access privileges were actually terminated, the former IT administrator embedded several malicious scripts inside a legitimate application. The script included commands to:• Copy malicious files to a server and begin running them• Block monitoring programs to mask the activities of this script as it executed• Disable administrative logins to the administrative and backup production servers• Remove root password access• Overwrite data on the server with zeros• Disrupt software supporting high availabilityThe script would then copy itself from initial target server to the other 4000 servers in the company. Taking a practice from high‐reliability design, the former employee designed the scripts to repeat the process from another administrative server in the event some of the servers were not available during the initial attack.The company was fortunate that an engineer came across the scripts several days after the former employee was terminated. (For more details on this case, see http://www.theregister.co.uk/2009/01/29/fannie_mae_sabotage_averted/.)Other examples of insider sabotage include:• A former IT consultant who cause $1.2 million (Australian) in damages to his former employer by deleting more than 10,000 user accounts on government servers. The man was trying to demonstrate security vulnerabilities in the systems; he was also drunk and upset that his fiancé had broken off their engagement. (http://www.theregister.co.uk/2009/03/13/nt_hack_convict/)• A subcontractor to the IRS planted a logic bomb on three servers prior to being dismissed. The scripts included commands to disable system logs, delete files, and overwrite the malicious code to prevent detection. (http://www.justice.gov/criminal/cybercrime/carpenterPlea.htm)• A former network administrator changed passwords on a city FiberWAN and refused to disclose the new passwords to administrators leaving the city without administrative control of the network for 12 days. (http://www.computerworld.com/s/article/9176060/Childs_found_guilty_in_SF_network_password_case).These examples of insider abuse by trusted IT professionals demonstrate how readily disgruntled employees with knowledge and access can inflict significant damage. Another form of insider abuse with consequences for compliance and brand damage are privacy breaches.
- Loss of Privacy and Data TheftsThe ease with which personal information is collected, disseminated, and stored has developed along with growing concerns for the need to protect privacy. As early as 1995, the European Union (EU) began implementing a data protection initiative; and the United States passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, which includes regulations governing personal health information. Protections for financial information were established by the Gramm‐Leach Bliley Act (GLBA) of 1999. Many states have also passed legislation defining privacy protections for consumers, such as California’s California SB‐1386 passed in 2002. Compliance with privacy regulations has become a significant concern for businesses; remaining in compliance is especially challenging when companies have insiders with access to protected information.Privacy breaches tend to fall into two general categories:• Broad privacy breaches in which a large number of customer, client, or patient records is disclosed in an unauthorized manner.• Targeted privacy breaches, otherwise known as VIP snooping, in which detailed information about a well‐known person’s personal, health, or financial information is disclosed in an unauthorized way.Both types of privacy breaches are vulnerable to insider abuse.Insider Abuse and Broad Privacy BreachesAccess to tens of thousands of records with personal, financial, and health information can prove to be too tempting for some to resist. Sometimes greed, fueled by hopes of selling confidential information for lucrative gains, motivates insiders to abuse their privileges. This is especially problematic when financial information is involved. Here are a few telling examples.In one case, a call center employee for a major US bank stole private customer information in an attempt to establish fraudulent credit card accounts. The employee attempted to sell name, date of birth, and other personal information in return for a share of gains from credit card fraud. The incident could have potentially cost the bank $1.3 million. (See http://www.theregister.co.uk/2010/06/08/bank_insider_data_theft/ for further detailsA financial analyst for a subprime division of a major mortgage company sold up to 2 million records containing personal and financial information of mortgage applicants. The analyst sold batches of approximately 20,000 records for $400 to $500 each. The perpetrator was able to continue for about two years, in part because he used a computerwithout the same security controls as the others in the office. (See http://articles.latimes.com/2008/aug/02/business/fi‐arrest2 for further details.)Each of the victim companies no doubt had security controls in place, but the malicious insiders were able to at least begin the process of breaching private information and in at least one case were able to continue for almost two years. The mortgage company employee was probably more familiar with the weaknesses in one office computer than the IT staff and that proved to be a critical piece of information for carrying out his crime. Other privacy cases show that targeted attacks on individual’s private information are also a known risk.Targeted Attacks and VIP SnoopingGiven the number of magazines and gossip columns dedicated to the lives of famous and popular persons, there must be sizeable demand for even the slightest bit of private news about those individuals. It is little wonder that some employees with access to private information about celebrities are tempted for their own interest or for profit to breach the privacy of others.A California‐based medical center was recently fined $130,000 for a violation of a patient’s privacy. On seven occasions, the medical records of a single patient were accessed in unauthorized ways from five doctors’ offices, a credit agency, and by a medical center employee. The medical center discovered the violation through its monitoring of high profile cases. (See http://www.enloe.org/about_us/news_and_publications/2010/enloe_protests_health_privacy_citation.asp for further details.)This case shows just how difficult it can be to protect the privacy of individual customers when many types of users have access to data from multiple systems. It is not, however, the only instance of such a breach. The New York Times has reported on multiple instances where popular actors and singers have had their privacy violated by employees at medical facilities, possibly leaking the information to the press. (Tara Parker‐Pope “More Celebrity Snooping by Hospital Workers” at http://well.blogs.nytimes.com/2008/04/03/morecelebrity‐snooping‐by‐hospital‐workers/.)Business data and assets from personal healthcare information to financial assets to intellectual property are subject to insider attacks. Employees, contractors, and business partners may all have legitimate requirements for access to applications and data. Most will use those privileges in a manner consistent with the way they are expected to be used, but as the previous intellectual property case demonstrates, even a single instance of a breach of that trust can have significant costs.
- The Cost of Insider AbuseIt is clear from the previous examples that insider abuse can have clear and immediateconsequences for the corporate bottom line. In addition, there are costs associated withviolating regulations and the potential for less easily quantified damage to brand andreputation. We will consider each of these.Financial Losses Due to Insider AbuseFinancial losses come in several forms, some of which are direct and some are moreindirect. Direct financial losses, including costs of recovering from an insider abuseincident, include:Funds stolen directly by the malicious activity, such as wiring funds from corporateaccounts to an attacker]controlled accountCredit extended to a fraudulent customer account set up by an insiderPayments to customers, clients, or patients who are victims of privacy breachesCost of restoring systems and data destroyed by a disgruntled employee who left alogic bomb on the corporate network, including additional labor costs to restoresystems and verify data up to the point of the attackFinancial losses may be less direct but they ultimately affect the bottom line. These indirectcosts include:Opportunity cost of missed investments because funds were not available due toinsider fraudInterest on funds borrowed to meet short]term expenses that would otherwise notbe covered because funds were stolen by an insiderThe cost of post]incident response and forensic investigationsIronically, additional security investments before the attack might deter or discourage thetypes of insider abuse before there is significant damage. As is often the case, the cost ofprevention is less than the cost of the cure. These direct and indirect costs may be only thebeginning if the incident demonstrated insufficient compliance with regulations governingcorporate management or privacy protections.Compliance ViolationsToday's business world is more complex and interconnected than ever before. Privateinvestors and institutions make major decisions about how they allocate their investmentsbased on corporate earnings reports and other financial and management informationprovided by businesses. If that data cannot be trusted, the investment markets will notfunction. It was not long ago that names such as Enron, Adelphia, and WorldCom becamealmost synonymous with corporate accounting scandals. To prevent a repeat of suchcorporate management failures, regulations were created to require firms not only toprovide accurate information but also to protect the information systems that managecorporate accounts.At roughly the same time, major accounting scandals were prompting new financial controls and growing concerns about privacy were driving the adoption of privacy regulations around the globe and at jurisdiction levels ranging from states to nations and transnational organizations. The best known of these regulations that also have consequences for insider abuse incidents are:HIPAAPayment Card Industry (PCI) Data Security Standards (DSS)Sarbanes‐Oxley (SOX)GLBAEach of these address different types of protections which may be violated during insider abuse incidents.HIPAAHIPAA defines levels of protection that need to be in place when managing, distributing, or storing protected health information. These regulations apply to businesses in the healthcare industry and include hospitals, clinics, doctor’s offices, health insurance companies, and healthcare clearinghouses. The regulation covers what types of healthcare information are considered private and who it can be disclosed to. Another part of the regulation specifies administrative, physical, and technical safeguards required for business processes and information systems used to process protected healthcare information. Penalties for violations can be as high as $1.5 million per violation.HIPAA EnforcementHIPAA enforcement has received a boost recently with additional funds and a shifting of security enforcement responsibilities. See NielVersel “OCR Stepping Up HIPAA Privacy, Security Enforcement” at http://www.fiercehealthit.com/story/ocr‐stepping‐hipaa‐privacy‐securityenforcement/2010‐05‐17.PCI DSSThe PCI DSS is an industry regulation specifying security controls to mitigate the risk of credit card fraud and information theft. The regulations include policies on:• Maintaining a secure network• Protecting cardholder data when stored or transmitted• Implementing a vulnerability management program to maintain systems security• Implementing access control methods to limit access to cardholder data• Monitoring network and systems and testing them regularlyAs this is an industry standard, there are no government penalties for violations, but businesses that fail to comply may suffer restrictions on their use of payment card services. The failure to comply with PCI regulations may also indicate failure to comply with government regulations, which in turn, could result in fines and penalties.SOXSOX was passed in direct response to corporate accounting scandals. Much of the regulation addresses corporate governance and financial reporting. One section is of particular interest to IT professionals: Section 404. Section 404 regulates the need for internal controls over how financial data is collected, managed, and reported. Companies are responsible for:• Having controls in place to prevent misstatements on financial reports (CFO & CEO attest to these)• Risk assessment with regards to information management systems• Controls on the financial reporting processObviously, if insiders are able to manipulate internal records, commit fraud, and hide their activities, controls are insufficient to protect the integrity of a company’s financial system.GLBAGLBA applies to financial institutions and includes protections for consumer privacy. Financial institutions are required to provide customers with details on what information is collected, how it is shared with other institutions, and what safeguards are in place to protect that information. Requirements include:• Access controls on systems containing customer data• Use of encryption• Physical access controls• Monitoring for abuse, attacks, and intrusion• Incident response plans• Third party management (K. Moker added this because this is significant.)The examples described earlier of bank employees selling account information demonstrate the kinds of incidents that constitute violations of GLBA. The cost of compliance violations to businesses will vary according to the type of violation, the level of enforcement, and other factors regulators may take into account, such as past violations, negligence, and response to incidents.Brand DamageCompanies can damage their reputations when insider abuse incidents become public. Would customers trust a bank that cannot trust its own employees not to sell customer information at a rate of pennies per record? How would investors react to a significant loss of intellectual property because a company’s IT department did not adequately monitor networks and applications? Brand damage can adversely affect a company from a customer and revenue perspective as well as from an investor and market capitalization perspective.Insider abuse can impose significant financial and nonfinancial costs on a company, including direct costs of fraud, the expense of recovering from sabotage, and lost competitive advantage due to intellectual property theft, as well as the less easily quantified but just as real brand damage. Insider abuse is an established risk and, like other known security risks, requires a well‐designed mitigation plan to protect the business.Loss of ConfidenceCustomers will lose confidence in your organization and may sway away from your products. How can this be measured? It can’t and that’s the issue with a lot of these issues above. If humans can’t physically see it they don’t care if it’s there.
- Basic Requirements for Monitoring and Detecting AbuseCommonly used security controls, such as access controls, intrusion prevention systems, and anti‐malware systems are critical to keeping outsiders away from a business’ computer systems and data. Taken separately or together, none of these security controls provides enough protection against insider abuse. Some of the examples of insider abuse come from banks and high‐tech companies that probably have some of the most comprehensive security controls across a range of industries. Old security models such as perimeter defenses and the “block and tackle” approaches of access controls and intrusion prevention are not designed to protect against insiders.Insider abuse requires us to deal with an apparent contradiction. We grant insiders access because we trust them but we still need to protect against them. The problem is that although companies can trust their employees in general there is some small probability that one or more of those employees will exploit that trust for their personal gain. If the cost of insider abuse was as small as the probability that a specific employee will commit abuse, we might be able to absorb the cost; unfortunately, that is not the case. A single incident can have damaging consequences for a company. To address the threat of insider abuse, we need new types of security controls including the ability to monitor multiple types of system and to correlate activities across the enterprise.Monitoring Multiple Types of SystemsDistributed systems are commonplace. Businesses continue to use mainframes for high volume, core business processes. Web applications are opening opportunities for delivering new types of services. Databases collect, store, and manage data from multiple applications. Specialized servers are used throughout organizations to provide services such as document management, file transfer, email, and other collaboration services. An insider attack can involve all of these different types of systems.Imagine how an insider might use knowledge of a business process to commit fraud. The insider knows how one Web application is designed to create new customer accounts through a multi‐step process. The insider might bypass the first steps of the process that validate an application and insert data into a queue of applications that are processed by a mainframe job. The mainframe programmers assume anything in the queue must have been validated, so all applications, including the fraudulent ones, are accepted. The insider then uses the bogus customer account to order several expensive items. With some further tampering, he inserts a payment transaction into the database supporting a customer Web application. The bogus payment is credited to the account after which the insider creates a return order which in turn generates a refund check to the “customer.”In spite of the obvious problems these transactions would create on reconciliation reports, this fictional example shows how an insider can use multiple systems to commit fraud. Complex business processes do not always have well‐defined reconciliation procedures and even when they do, small discrepancies may not warrant detailed investigations. An insider who understands the parameters of the review process can effectively “fly below the radar.”In later chapters, we will go into further detail on the need to monitor mainframes, Web applications, databases, file servers, and other servers.Correlation of ActivitiesOne of the challenges with monitoring multiple systems is correlating events across those systems. For example, an event on an application server might indicate that a customer record is being updated. Shortly after that, there is a change to the database and a customer record is updated. It is reasonable to assume that a Web application called a service on the application server that in turn executed an update procedure on the database. Now consider an event in which a record is added to a queue for processing transactions but there is no corresponding event in any of the applications that generate new queue entries. This may be a case of someone purposefully bypassing the normal business process. Only by monitoring all the systems involved in business processes, can we collect the data we need to monitor insider activity.In addition to correlating events from multiple systems and multiple activities, we need to carefully account for the timing of events. One of the most basic problems we have in correlating events is the lack of a universal time reference. Each system will use its own internal clock to timestamp events. If all monitored computers are running time synchronization services, such as Network Time Protocol (NTP), this is less of a problem. With synchronized times, we can use event timestamps to order events and measure the time difference between events. Anomalies in event times can be an indication of tampering. For example, if event A usually occurs 1 second after event B but sometimes occurs 8 seconds after A, the latter may be an indication of tampering (for example, additional code is executing in the process, perhaps covering tracks). (It may also be an indication of a performance problem but such problems would likely be consistent across many transactions).This type of monitoring introduces the problem of erroneously classifying a legitimate event as malicious. These are known as false positives. For example, the transaction that takes 8 seconds instead of 1 to complete may have been due to a network error, an unrelated error on a server that delayed processing, or some other unexpected but not malicious event. Event monitoring across systems and across time is a powerful method for detecting insider abuse, but we must remember it is based on patterns and statistical inference. Sometimes we get it wrong. In later chapters, we will delve further into the challenges of multi‐system monitoring and ways to address those challenges.SummaryInsider abuse can take many forms: financial fraud, privacy breaches, intellectual property theft, and sabotage are some of the most costly. Each of these different types can result in substantial costs to businesses that range from the direct cost of fraud to the cost of remediating sabotage to the cost of brand damage when the press publishes details of the incident. Commonly used security controls that are designed to keep outsiders out are insufficient when dealing with insiders. By definition, we are dealing with individuals who have been entrusted with access to business systems and have knowledge of business processes. Detecting and preventing abuse by these individuals will require a new level of monitoring and control.
- Insufficient Traditional ControlsEach of these controls assumes there are two sets of users: those who should have access to an application or data and those who should not. Once a user is deemed trustworthy, thesecontrols are no longer relevant.For example, an employee with a desktop workstation connected to an internal local areanetwork (LAN) is unaffected by firewalls. Users who need an application to perform theirjobs are given usernames and passwords (or other authentication mechanisms), so accesscontrols can block functions unrelated to a user’s job but they still have access toauthorized functions. Encryption works well in preventing eavesdropping but is of littleuse when an employee has legitimate access to encryption/decryption keys. Vulnerabilityscanning and patch management help reduce the chance that an attacker can exploit avulnerability in an application. Insiders already have access to enterprise applications, soexploiting bugs may actually be more work than using legitimate functions in fraudulentways. Additional security controls are needed to detect and block insider fraud and abuse.Insiders Can Collect Data from Multiple SystemsApplication designers are well versed in creating systems that meet some set of requirements but no more. This reduces the business functions and data exposed through a single application, which is sometimes an advantage and sometimes a disadvantage. The fact that functions and data are limited means someone with access to the system can only do so much, and this promotes security. It is sometimes a disadvantage if applications become silos of functions and employees need access to multiple systems to perform a single business process. This is not uncommon: insiders have access to multiple systems with different functions.From a monitoring perspective this means that monitoring a single application is not enough. We need to monitor multiple applications and look for patterns indicative of abuse that span multiple systemsInsiders Can Perform Malicious Activities Over Extended Periods of TimeInsiders can use time to mask their activities. For example, an insider in the early stages of planning fraud might run reports or create fraudulent transactions and then wait to see if anyone notices. If the actions are detected, the insider gains knowledge about monitoring practices; if they are not detected, the insider is similarly rewarded with knowledge about monitoring, or lack thereof. In some cases, insiders can move even more quickly. For example, in a major case of fraud in the United Kingdom, a temporary employee in the social housing sector created a bogus company and submitted invoices for more than £2 million in merely 3 weeks (See “The Internal Betrayal: A CIFAS Report on Beating the Growing Threat of Staff Fraud,” August 2010).Insiders Can Tamper with Logs and Other Audit ControlsInsiders might gain access to privileged accounts, either through malicious means, such as those described in the previous section, or because they have been granted elevated privileges in order to do their jobs. One of the challenges in protecting applications and data is that administrators are effectively granted the “keys to the kingdom.” Although some key infrastructure providers, such as relational database vendors, address this situation with restrictions on privileged users, we will always have the case where some users are allowed to do more than others. With that comes the risk that privileged users will employ their privileges to either commit fraudulent activity directly and/or cover it up after the fact.Difficult to Distinguish Malicious from Legitimate TransactionsFraudulent transactions do not carry markers identifying themselves as illegitimate. Insiders can use their knowledge of the range and frequency of transaction amounts and types to design transactions that blend in with legitimate transactions. In systems with a large number of transactions, it is especially difficult to find small numbers of fraudulent transactions unless we have more information than what is contained in a transaction. For example, names and amounts may not indicate fraud, but the way a transaction was entered, the other events that preceded and followed the transaction, and other information that provide a context for the transaction can provide valuable indicators of potential fraud and abuse. Furthermore, baseline measures of the number and types of transactions performed by others in the same department or with the same role in the organization can be used to identify unusual activity. A teller that performs two to three times the average number of a particular type of transaction warrants some investigation because this is an indicator of potential fraud.SummaryDetecting insider abuse is challenging. Insiders have detailed knowledge about business processes as well as legitimate access to applications that can be used to perpetrate fraud. Insiders can leverage their knowledge about weaknesses in security practices and monitoring procedures. Conventional security controls, such as perimeter controls, access controls, and encryption are not sufficient to address these challenges. Fortunately, techniques exist for monitoring application activity in ways that can detect anomalous and suspicious activity. Those will be the topic of the next chapter
- Techniques for PreventionThere are four key areas for mitigating the risk of insider fraud and abuse:• Multi‐channel monitoring (detect and prevent)• Application activity analysis (detect and prevent)• Information security response (detect and prevent)• Demonstration of compliance (Governance)As their names imply, the first three areas constitute the monitoring, analysis, and response phases one would expect in any ongoing process to detect and prevent security breaches. Demonstrating compliance is not strictly required to control the threat of abuse itself. Rather, it is a governance requirement that is equally well served when subjected to the same techniques used to control insider abuse.
- Techniques for PreventionThe first step to effectively monitoring for insider fraud and abuse is to identify systems that are likely targets of insider abuse. These can fall into multiple categories:• Databases that maintain information on financial and physical assets, such as accounts receivable, accounts payable, and inventory management• Messaging systems used to communicate transaction information between distributed systems• User interface (UI) applications, such as Web applications, that are provided for interactive activities• Application servers that host Web services or other programs that provide specialized functionality to multiple business processesIt is important to remember that insiders can take advantage of various types of software infrastructure, not just the obvious candidates like end user applications. For example, an insider with sufficient knowledge of application design could inject transactions in the middle of a workflow rather than at the beginning. For this reason we need to monitor activities across multiple channels.
- Collecting Activity AttributesData is often useless without information about the context. For example, if a sales reportsimply listed 10,000 units sold, it would be virtually worthless. We would need to know10,000 units of which product, over what specific period of time, in what geographiclocations, and through which channels. Similarly, knowing that a record containing privatefinancial information was read is insufficient to determine whether a privacy breach hasoccurred. In such as case, we would want to know:• Who read the record?—This would be used in conjunction with information abouttheir role in the business, which may require them to view such data.• When was the record read?—Reading such a record outside of normal businesshours is somewhat suspicious but perhaps insufficient on its own to warrantconcern.• What application was used to read the record?—Reading it with an applicationother than the end user application commonly used for this type of operation wouldbe somewhat suspicious.
- Application Activity AnalysisData is not information. Multi‐channel monitoring provides us with raw data but not information we can act upon. The goal of application activity analysis is to derive such information from monitoring data. The process entails three essential steps:1. Specifying patterns of abuse2. Detecting potential abuse patterns in data3. Analyzing findings to determine actual cases of fraud and abuseThe first step creates filters for detecting fraud and abuse, the second step applies thosefilters to raw data, and the final step applies more in‐depth analysis to the most likelycandidates of fraudulent or abusive activity.
- Industry specific heuristics means how fraud is executed per industryCommon business processes across industries are things like:Accounts payableAccounts receivableInventory controlPayrollAs we move away from common business procedures, there is greater need for industry specific heuristics for detecting fraud. Consider some examples of industry‐specific fraud:• An employee of a credit card company works with identity thieves to tamper with the customer profiles associated with fraudulent cards to minimize the chance transactions will be declined by risk assessment systems.• A mortgage processor in a commercial bank receives kickbacks from a third‐party mortgage originator in return for falsifying records to bypass underwriting procedures and ensure risky mortgages are underwritten.• An engineer at an electronic manufacturer steals design documents related to a new product line before leaving the company to join a competitor.• A clerk in a medical records processing department uses his access to confidential patient data to collect information on public figures and sell that information to disreputable media outlets.Usability interfaces for Fraud and Security ProfessionalsJust as we do not need to be automotive mechanics to drive a car, fraud prevention and security professionals should not have to be programmers or systems administrators in order to use an insider fraud control system. Several usability factors are especially important in insider fraud control systems:• Ability to assess various high‐level activity indicators• Ability to drill down into the details of any suspicious activity• Comparative metrics for key activities, for example, cash outlays, incomplete purchase transactions, large numbers of small transactions involving the same vendor, supplier, or buyer• Ability to define triggers that alert the user when an event occurs or some threshold is passed• Ability to navigate between different types of information without rigid or complex stepsIdeally, an insider fraud control system will provide security professionals with a high‐level view of activities on a particular system or set of systems. Details about the number of users currently using an application, the types of operations being performed, and the set of activities in which a key metric falls outside of a normal range can all help focus the security professional on areas that need attention. For example, if the past 24‐hour period has seen a significant increase in the number of new customer accounts created, a fraud professional might want to drill down into details about the distribution of those new accounts. Were they created by a number of account representatives, as we would expect if this were the result of a new promotion or marketing campaign? Or were they primarily created by a single employee?Comparative statistics are also necessary for many kinds of assessments. If a customer service representative has updated 60 customer credit profiles in the past week, is that unusual? We should compare that rate with rates of other representatives with comparable responsibilities and access privileges to get a better sense of what is typical and expected.Configurable Heuristics for Business‐Specific NeedsAnother functional requirement we should consider is the need for configurable heuristics. An insider fraud control system will have heuristics for common types of fraud, such asthose targeting core finance, and should have industry‐specific heuristics. These heuristics represent a substantial investment on the part of the vendor providing the solution, but no matter how much effort they put into developing industry‐specific rules for detecting fraud, customers should have the ability to customize fraud detection rules.Support for Multiple PlatformsMost business information technology platforms are heterogeneous. Even within small and midsized businesses, it is not uncommon to have a mix of platforms. In larger enterprises, there is a broader array of platforms and infrastructure that must be monitored. A typical enterprise‐scale IT operation will support some or all of the following:• Multiple generations of PCs and laptops• Mobile devices• Linux and Unix servers• Windows servers• MainframesBusiness processes often depend upon multiple platforms to deliver services. Even a relatively simple business service, such as email, will require servers running one operating system (OS) to provide email access to client devices including desktops, laptops and mobile phones. More complex business processes can include multi‐tiered mainframe applications that write data to messaging queues which in turn deliver data to Linux servers where it’s consumed by an application that provides back‐end services to a Web application.