Insider Threat - An Example of Mayhem
Insider Threat Defined
Yesterday I defined who hackers could potentially be. Today I want to focus on the most dangerous prospect, an insider threat. Attacks from company employees, who have direct access to systems inside the outer defenses, are of serious concern. Employees and contractors already have access to the systems, and administrators, in particular, have superior permissions on the network. Information Technology staff know where the network infrastructure is weak and where the vital information is stored. They also have the expertise, tools, and privileges to do as they wish. Because of the nature of their job, IT personnel are hard to constrain with controls and are extended a great deal of trust.
It’s exceedingly difficult for companies to put in enough controls to protect completely against someone with system administrator level authority and access. If someone is taking out the trash for you, they don’t have a lot of power. But your system administrator has a lot of power because it’s part of the job. If you put too many controls on them, they can’t do their work. There are measures that can be put in place, but they require a company to be very observant, hire additional staff, and employ specific procedures. It is usually too complicated and expensive an endeavor. Therefore, identifying insider threats depends on everyone being vigilant.
Insider Threat Example

A couple of years ago, I followed the case of Roger Duronio and his inside attack on UBS PaineWebber Inc. through InformationWeek journalist Sharon Gaudin. You can read my summary or view the entire archive of news reports at Resource Center: UBS PaineWebber Insider Trial.
In June 2006 Roger Duronio’s trial began. He had used his technical expertise to injure his employer by infecting its computer systems with a “logic bomb.” Logic bombs are viruses that are programmed to activate on a certain date and destroy data or files. Duronio’s “bomb” consisted of between fifty and seventy lines of code and was designed to delete every file on a system. Duronio infected UNIX machines at the central office, two thousand computers across the national network, and the company’s backup servers.
The bomb triggered every Monday at 9:30 am for three months, beginning March 4, 2002. By 10 am, system administrators had received hundreds of phone calls about computers rendered inoperable. Duronio’s plan was to interrupt UBS PaineWebber’s ability to operate when the stock market opened each week.
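The attack described above relied on a scheduled job, planted identically on many hosts, that fired at a fixed weekday and time. One defensive control is a fleet-wide audit of scheduled jobs against a change-managed baseline, which is what the following added example does. It is not code from the article or from UBS; the host names, crontab lines, and approved-job list are constructed sample data, and the example assumes crontab dumps have already been collected from each host.

```python
"""Fleet-wide cron audit: flag scheduled jobs that are not in the approved
baseline, run from hidden or temporary paths, or appear identically on
many hosts. All data below is constructed for the example."""
import os
import re
from collections import defaultdict

# Constructed sample: crontab lines collected from several hosts of a fleet.
FLEET_CRONTABS = {
    "ux-central-01": [
        "0 2 * * * /usr/local/bin/backup.sh",
        "30 9 * * 1 /var/tmp/.sweep",
    ],
    "ux-central-02": [
        "0 2 * * * /usr/local/bin/backup.sh",
        "30 9 * * 1 /var/tmp/.sweep",
    ],
    "branch-101": [
        "*/15 * * * * /usr/local/bin/sync_quotes",
        "30 9 * * 1 /var/tmp/.sweep",
    ],
    "branch-102": [
        "*/15 * * * * /usr/local/bin/sync_quotes",
        "0 3 * * 0 /usr/local/bin/logrotate_wrap",  # approved one-off change
    ],
}

# Constructed baseline: programs that change management has approved for cron.
APPROVED = {
    "/usr/local/bin/backup.sh",
    "/usr/local/bin/sync_quotes",
    "/usr/local/bin/logrotate_wrap",
}

# Five schedule fields followed by the command (hypothetical minimal grammar;
# does not handle @reboot-style shortcuts or user fields from /etc/crontab).
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
SCHEDULE_FIELDS = ("minute", "hour", "dom", "month", "dow")


def parse_cron_line(line):
    """Return a dict for a job line, or None for comments and unparsable lines."""
    if line.lstrip().startswith("#"):
        return None
    m = CRON_LINE.match(line)
    if not m:
        return None
    minute, hour, dom, month, dow, command = m.groups()
    return {"minute": minute, "hour": hour, "dom": dom,
            "month": month, "dow": dow, "command": command}


def is_hidden_or_temp(command):
    """True if the program runs from a temp directory or is a dot-file."""
    prog = command.split()[0]
    return (prog.startswith(("/tmp/", "/var/tmp/", "/dev/shm/"))
            or os.path.basename(prog).startswith("."))


def audit_fleet(crontabs, approved, spread_threshold=2):
    """Group unapproved (schedule, command) pairs across hosts and explain
    why each one deserves review. Returns a list of finding dicts."""
    unapproved = defaultdict(set)  # (schedule, command) -> hosts
    for host, lines in crontabs.items():
        for line in lines:
            entry = parse_cron_line(line)
            if entry is None:
                continue
            if entry["command"].split()[0] in approved:
                continue
            schedule = " ".join(entry[f] for f in SCHEDULE_FIELDS)
            unapproved[(schedule, entry["command"])].add(host)

    findings = []
    for (schedule, command), hosts in unapproved.items():
        reasons = ["not in approved job baseline"]
        if is_hidden_or_temp(command):
            reasons.append("runs from a temp dir or hidden file")
        if len(hosts) >= spread_threshold:
            reasons.append(f"identical entry on {len(hosts)} hosts")
        findings.append({"schedule": schedule, "command": command,
                         "hosts": sorted(hosts), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_fleet(FLEET_CRONTABS, APPROVED):
        print(f"[{f['schedule']}] {f['command']} on {', '.join(f['hosts'])}")
        for r in f["reasons"]:
            print("   -", r)
```

The value of the check comes from the baseline: a single unapproved job on one host is noise, but the same unapproved job on many hosts, launched from a hidden file in a temp directory at a fixed weekly time, is exactly the pattern that should reach a human reviewer before the trigger date, not after.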
The Damages
Three hundred and fifty IBM support staff and $3.1 million were required to recover the network. It is still undetermined how much was lost in business during the downtime. Elvira Rodriguez, the Information Technology manager, said “the attack had a ‘catastrophic impact,’ bringing operations to a standstill and wiping out servers not just in the central data center, but around the country.” The incident left 14,000 brokers and 400 branch offices unable to perform their daily tasks. UBS PaineWebber Inc. mobilized hundreds of IT staff to locate and isolate the malicious code. Within a matter of days, they were able to restore critical servers that had solid backup tapes. Rodriguez stated, “It would have taken me a year to make all the servers right again, even if that was all I had to do every day. We just had to learn to live with it.” The rest of the network still suffers even today.
Motivation
The lead prosecutor on the case, Assistant U.S. Attorney Mauro Wolfe, claims “The defendant was motivated by the fact that he was a disgruntled employee who was not happy with his salary. He wanted an annual salary of $175,000 guaranteed. And I think for the year 2001 he was paid about $13,000 less than that. (Duronio also) purchased $21,000 worth of ‘put option’ contracts for PaineWebber’s parent company, UBS, A.G.’s stock.”
A put option is a contract that lets the holder sell shares at a fixed price, which yields a profit if the stock price falls. For example, suppose I purchase a put contract giving me the right to sell 10 shares at $10 when the current price is $12, paying a premium of $2 per share ($20 in total). If the price falls to, say, $5 before expiration, I can buy 10 shares for $50 and exercise my right to sell them to the put writer for $100. The profit is $100 minus the $50 share cost and the $20 premium, which equals $30.
On a larger scale, the profit potential is enormous, especially if the buyer knows a company stock will fall. Wolfe claimed, “Duronio engaged in an artifice or scheme to defraud investors. He bet the attack would cripple the company’s network, and its stock would fall in the aftermath, allowing him to cash in.”
The Verdict
Duronio was found guilty of computer sabotage, for building, planting and distributing the malicious code that brought down nearly 2,000 servers on the company’s nationwide trading network, and of securities fraud. He was sentenced to 97 months in jail and ordered to pay $3.1 million in restitution to UBS PaineWebber Inc.
Four years after the incident, the UBS network was still in recovery. The Duronio case illustrates the danger of someone with malicious intent having access to a company’s network. The damage caused was severe, even though the financial gain to the perpetrator would have been relatively small. This case highlights the importance of internal controls and employee awareness in addition to external security measures.
Insider Threat Identification, Research, and Analysis
Carnegie Mellon University’s CERT team has been conducting Insider Threat Research for many years. I have yet to find a better collection of documentation, case analysis, tactics, controls, or research in support of thwarting insider attacks. Instead of reiterating the finer points, I feel visiting the CERT Insider Threat Research archive is your best bet for defensive knowledge.