Saturday, April 25, 2009

Insider Attacks

Insider attacks are defined as security breaches in which a person with access to a corporate system and/or network misappropriates information from that system, or in which an internal employee of a company commits a security violation against that company. (Einwechter)[i] NIST states that the most prevalent and common threat to any company is the insider attack, since it is the least monitored and the most difficult to detect; this was the assessment as of 1994, and it has remained a constant of network and systems security in the years since. (Bassham et al.)[ii]

Forensic Techniques

The forensic techniques currently available include local system analysis, network traffic analysis, and log file reporting and analysis. These techniques, however, are primarily used to detect and compile evidence where a case is already known, or where an external and foreign entity has compromised an internal system or network. Insider attacks may compromise a system, but they may do so using user accounts that already hold administrative access to that system, or using tools that are employed internally to reach privileged information. Forensic techniques are therefore not designed to detect internal violations and alert security personnel to them, because such activity is easily mistaken for routine administration and operations. Examples include an employee who conducts network traffic analysis to obtain the usernames and passwords of individuals with access to sensitive information and then impersonates those individuals within the company's own network to make the changes they desire; or an employee with administrative access to network infrastructure who changes that infrastructure against the policy of the company that employs them, such as by modifying their own salary within the accounting database or by intentionally damaging systems because of a grievance with their employer.

Anti-Forensics

Kerckhoffs's principle, and its reformulation as Claude Shannon's maxim, holds that "the enemy knows the system". (Kerckhoffs)[iii] Although we are referring here to internal systems and operations that may or may not involve cryptography, when the "enemy" is an internal employee this truth determines the maximum extent of the system's risk and its potential for grievous damage to the company.

Anti-forensic techniques and tools include the use of alternative operating systems and systems; data manipulation (secure data deletion, overwriting metadata, preventing data creation); encryption; encrypted network protocols; program packers; steganography; generic data hiding; and targeting forensic tools directly in order to exploit them. (Garfinkel)[iv]

Although anti-forensic techniques were initially developed to secure systems for military operations, these tools may also be used by malicious persons during internal attacks against the targeted internal systems. Combined with the intimate knowledge that an internal attacker has of the company, its operations and the personnel involved, this makes the methods used to detect such attacks even less effective.

Synopsis

One may argue that the best method of preventing internal attacks is to employ good people and to keep them happy. However, since companies cannot please everyone all the time, conflicts are bound to arise as the result of corporate restructuring, salary and pay differences, and general employee alienation.

Technical methods of preventing internal attacks include the "Segregation of Duties" (ISACA)[v] and the "Segregation of Systems and Networks". (Kupersanin)[vi] By logically segregating access to resources by function, by location and by internal client access requirements, we can mitigate the potential for a single employee to commit an attack. Internal financial systems are of paramount concern and should have segregated administrative, functional and operational client accounts, each limited to the resources that its duties require. For example, a payroll clerk should not have the ability to modify salaries in the financial application used to control payroll; that function should be limited to executive and middle management as well as human resources personnel. General LAN/WAN administrative accounts should not have access to these systems at all, and access should be limited to only one or two people acting at the managerial level of network support and operations. A LAN/WAN administrator would then have neither the permission nor the access required to change their own salary.
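The following is an added example, not code from the original post, showing how the segregation-of-duties rules described above can be expressed as a policy and run over an audit trail so that the "administrator changes their own salary" case from the earlier sections is flagged rather than mistaken for routine administration. The role names, permission names and audit records are hypothetical and constructed for the illustration.

```python
"""Segregation-of-duties policy check for a payroll application (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical role model following the post: payroll clerks may view but not change
# salaries; executives, middle management and HR may change them; LAN/WAN
# administrative accounts are segregated from the payroll application entirely.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"view_salary"},
    "hr": {"view_salary", "modify_salary"},
    "executive": {"view_salary", "modify_salary"},
    "middle_management": {"view_salary", "modify_salary"},
    "lan_wan_admin": set(),
}


@dataclass(frozen=True)
class AuditEvent:
    actor: str   # account performing the action
    role: str    # role that account holds in the payroll application
    action: str  # e.g. "view_salary" or "modify_salary"
    target: str  # employee record the action is applied to


def check_event(ev: AuditEvent) -> Optional[str]:
    """Return a description of the violation, or None if the event is allowed."""
    allowed = ROLE_PERMISSIONS.get(ev.role, set())
    if ev.action not in allowed:
        return f"{ev.actor} ({ev.role}) is not permitted to {ev.action}"
    # Self-modification is never allowed, whatever the actor's role.
    if ev.action == "modify_salary" and ev.actor == ev.target:
        return f"{ev.actor} modified own salary record"
    return None


def audit(events: List[AuditEvent]) -> List[Tuple[AuditEvent, str]]:
    """Run every event through the policy and return those that violate it."""
    return [(ev, reason) for ev in events if (reason := check_event(ev))]


# Constructed sample audit trail (not real data).
SAMPLE = [
    AuditEvent("hr.jones", "hr", "modify_salary", "emp.smith"),
    AuditEvent("clerk.lee", "payroll_clerk", "view_salary", "emp.smith"),
    AuditEvent("clerk.lee", "payroll_clerk", "modify_salary", "emp.smith"),
    AuditEvent("netadmin.ray", "lan_wan_admin", "modify_salary", "netadmin.ray"),
    AuditEvent("hr.jones", "hr", "modify_salary", "hr.jones"),
]

if __name__ == "__main__":
    for ev, reason in audit(SAMPLE):
        print(f"VIOLATION: {reason}")
```

In a real deployment the same two checks (role permission and self-modification) would run against the payroll application's own audit log, so that a violation surfaces as an alert rather than being buried among legitimate administrative activity.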


References



[i] Einwechter, Nathan (Security Focus, March 20th 2002) Preventing and Detecting Insider Attacks Using IDS [Online] World Wide Web, Available from: http://www.securityfocus.com/infocus/1558 (Accessed on April 25th 2009)

[ii] Bassham, Lawrence E.; Polk, W. Timothy (NIST, Security Division, March 10th 1994) Threat Assessment of Malicious Code and Human Threats [Online] World Wide Web, Available from: http://csrc.nist.gov/publications/nistir/threats/subsection3_4_1.html (Accessed on April 25th 2009)

[iii] Kerckhoffs, Auguste (Journal des Sciences Militaires, February 1883) La Cryptographie Militaire [Online] World Wide Web, Available from: http://www.petitcolas.net/fabien/kerckhoffs/#english (Accessed on April 25th 2009)

[iv] Garfinkel, Simson (Naval Postgraduate School, 2007) Anti-Forensics Detection and Countermeasures [Online] PDF Document, Available from: http://simson.net/clips/academic/2007.ICIW.AntiForensics.pdf (Accessed on April 25th 2009)

[v] N.a. (ISACA, 2008) CISA Review Manual 2008, Chapter 2, Page 112 [Online] PDF Document, Available from: http://www.isaca.org/AMTemplate.cfm?Section=CISA1&Template=/ContentManagement/ContentDisplay.cfm&ContentID=40835 (Accessed on April 25th 2009)

[vi] Kupersanin, William (Insecure.org, November 15th 2002) Security Basics: Contractors on Company Networks – Network Segregation [Online] World Wide Web, Available from: http://seclists.org/basics/2002/Nov/0426.html (Accessed on April 25th 2009)