Situational crime prevention (SCP)


CHAPTER TWO THE INSIDER THREAT PROBLEM

Introduction

In this chapter, the problem of insider threats is discussed by reviewing the literature in the field, since building on prior research is one of the requirements of design research (Peffers et al., 2007). The chapter discusses the insider threat problem, including its definition, the types of threats, the types of insider crimes and the approaches taken in the insider threat domain. The chapter then discusses the current models for insider threat prediction and prevention in order to identify gaps in the extant literature. Finally, the chapter discusses the motivation for developing the model proposed in this research, based on the limitations of the current models in mitigating insider threats.

Insider Threat

In this section, the definition of the insider threat will be presented, followed by a discussion of the various categories of attacks and insider crime. Finally, the various approaches to contain insider threats will be discussed.

Definition of ‘insider threat’

As the insider threat lacks a common definition, this section will review the various definitions as identified in the literature. The most common understanding of the term ‘insider’ is illustrated in the definition given by Anderson, Bozek, Longstaff, Meitzler and Skroch (2000). They state that an insider is “an authorized user who performs unauthorized actions that result in loss of control of computational resources” (p.21). According to this definition, an insider threat is a trusted and authorised user who uses their access to commit maleficence.
There are other definitions that emphasize the intention behind a malicious act. Some users may intentionally abuse computational resources to gain some advantage, such as financial gain, while others may become involved in malicious activities accidentally, without intention. Cappelli, Moore, Trzeciak and Shimeall (2009) postulate that a “malicious insider is a current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (p.5).
Other definitions include non-human actors in addition to the people involved in malicious acts. Walker (2008) defined an ‘insider’ as a “current or former human or non-human actor who intentionally exceeded or misused an authorized level of access to CIS, networks, systems, services, resources or data in a manner that targeted a specific human or non-human actor or who affected the confidentiality, integrity or availability of the nation’s data, systems and/or daily operations” (p.226).
Some definitions even include insider types and the motivation behind committing a crime. One example of such a definition is suggested by the Centre for the Protection of National Infrastructure (CPNI): “Insiders can take a variety of forms including disaffected staff, single-issue groups (such as animal rights activists), journalists, commercial competitors, terrorists or hostile intelligence service agents. Their motivations are similarly varied and can range from political or religious ideologies to revenge, status, financial gain, and coercion” (Centre for the Protection of National Infrastructure, 2008, p.9).
The insider workshop that was held at Dagstuhl in 2008 derived a definition, emphasizing authorization and trust: “An insider is a person that has been legitimately empowered with the right to access, represent, or decide about one or more assets of the organization’s structure” (Probst, Hunker, Gollmann & Bishop, 2008, p.5). In their definition, empowering a user with providing a right to access and deciding on computational resources implies that the organization trusts the individual, however, the level of trust will vary from organization to organization, depending on the level of monitoring and control policies that are implemented.
Sanzgiri and Dasgupta (2016) define an insider as “a malicious user who has or at some time had authorization to an organization’s resources and involved in any one of the following activities:
• Unauthorized extraction, exfiltration of data
• Tampering with data or resources of an organization
• Destruction or deletion of critical data and assets
• Eavesdropping and packet sniffing with ill intent
• Impersonation of other users via social engineering” (p.25)
The above definition focuses on authorization as well as involvement in criminal activities.
This research adopts a definition by Elmrabit et al. (2015). The authors define an ‘insider threat’ as
(a) “Any malicious activities that cause damage to an organization’s IT and network infrastructure, applications, or services” (p.1);
(b) “On the part of an employee (current or former), contractor, subcontractor, supplier, or trusted business partner” (p.1);
(c) “Who has or has had authorized access to the organization’s IT assets” (p.1);
(d) “And poses a significant negative impact on the information security elements (confidentiality, integrity, and availability) of the organization” (p.1). This comprehensive definition considers authorization, insider types and also the nature of the attack that may be carried out.

Categories of insider threats or attacks

There are different types of attacks committed by insiders. The most common types of attacks, as reported in the literature, are misuse of access, defence bypass, and access control failure (Elmrabit et al., 2015; Hunker & Probst, 2011; Sanzgiri & Dasgupta, 2016; Stolfo, Bellovin, Hershkop, Keromytis, Sinclair & Smith, 2008). The mitigation approach should also be different for each type of attack. The types of attacks are discussed below.

Misuse of access

In this type of attack, the insider misuses the legitimate access granted by the organization to commit illegal acts. Since insiders use authorized accounts, such attacks are difficult to counter with technical defences unless the usage patterns of the insiders are monitored, such as their file access behaviour, download patterns, and logging patterns. For instance, a library circulation attendant may be authorized to check books in and out for his or her patrons using legitimate access credentials. The attendant may then record the check-in of books without the patron actually returning the borrowed books. The fraud may go unnoticed for some time, until the library undertakes a physical inventory of its books.
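As an added illustration of the usage-pattern monitoring described above (example code written for this page, not from the thesis or the cited authors), the following replays a constructed circulation log and flags staff accounts that record check-ins for books with no open loan, the pattern of the library attendant scenario:

```python
from collections import defaultdict

# Constructed circulation log (not from the thesis): (event, staff account, book id).
# A legitimate check-in should always follow an open checkout of the same book.
LOG = [
    ("checkout", "att_a", "B1"),
    ("checkin",  "att_a", "B1"),
    ("checkout", "att_b", "B2"),
    ("checkin",  "att_b", "B2"),
    ("checkin",  "att_b", "B3"),   # no outstanding loan for B3
    ("checkin",  "att_b", "B4"),   # no outstanding loan for B4
    ("checkout", "att_a", "B5"),
]


def unmatched_checkins(log):
    """Replay the log in order and return, per staff account, the books that
    were checked in while no loan for them was open."""
    on_loan = set()
    flagged = defaultdict(list)
    for event, staff, book in log:
        if event == "checkout":
            on_loan.add(book)
        elif event == "checkin":
            if book in on_loan:
                on_loan.discard(book)
            else:
                flagged[staff].append(book)
    return dict(flagged)


def suspicious_accounts(log, min_unmatched=2, max_ratio=0.5):
    """Flag accounts whose share of unmatched check-ins is high: the same
    legitimate credential is being used in an unusual pattern, which is the
    only signal available when the access itself is authorized."""
    flagged = unmatched_checkins(log)
    checkins = defaultdict(int)
    for event, staff, _ in log:
        if event == "checkin":
            checkins[staff] += 1
    return sorted(
        staff for staff, books in flagged.items()
        if len(books) >= min_unmatched and len(books) / checkins[staff] > max_ratio
    )
```

Thresholds such as `min_unmatched` and `max_ratio` are placeholders; in practice they would be set from each account's historical baseline.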

Defence bypass

Most organizations have a technical defence, such as a firewall, to protect their systems from external access, but insiders are already inside that perimeter, which makes it easier for them to attack the system. Insiders also have legitimate credentials, so they can log in to the system and abuse it under the cover of their authorized activities. For this type of attack, organizations may design detection systems that can identify anomalous behaviour or actual attacks on nominally protected systems.

Access control failure

In this type of attack, the problem lies with the organization’s authentication system, which may grant erroneous access due to technical problems in its configuration. Insiders may then access the system because, as far as the system is concerned, they hold proper authorization. Organizations should periodically review their systems for any kind of access control failure, and they can also implement technical solutions that distinguish anomalous behaviour from normal activities.

Categories of insider crimes

There are three common types of crime that insiders commit, namely information technology (IT) sabotage, theft of intellectual property (IP), and fraud, as reported in the literature (Agrafiotis, Erola, Happa, Goldsmith & Creese, 2016; Cappelli, Moore & Trzeciak, 2012; Elmrabit et al., 2015). The three categories of insider crimes will be discussed below.


IT sabotage

IT sabotage refers to a case where insiders exploit information technology to harm an individual or an organization directly. Every organization that uses IT to manage its activities is in danger of facing IT sabotage threats. As per the database collected by Computer Emergency Response Team (CERT), in one of the cases an insider destroyed a database of research works on cancer which was never recovered (Cappelli et al., 2012). In another case, critical data of a financial institution was deleted when all servers of the organization were affected by a logic bomb and there was no data for operation when the institution opened for business in the morning.
According to Cappelli et al. (2012) and Elmrabit et al. (2015), these types of attacks are committed by technically sophisticated IT professionals, such as system administrators. The authors suggest both technical and non-technical solutions to mitigate IT sabotage (Cappelli et al., 2012; Elmrabit et al., 2015; Sanzgiri & Dasgupta, 2016).
A study conducted by Keeney, Kowalski, Cappelli, Moore, Shimeall and Rogers (2005) affirms that “40% of insiders who have committed IT sabotage have a criminal history, including being involved in violent offenses, alcohol or drug-related offenses and non-financial/fraud-related theft offenses” (p.12). The authors further suggest that clearly communicating organizational IS security policies is important, so that employees do not commit a crime unknowingly and so that any excuse for fraudulent behaviour is eliminated. They also suggest that supervisors should be trained in security precautions so that they can clearly recognize any deviation from normal behaviour and take the necessary action, such as sanctioning a potential insider.
One of the technical solutions suggested by the authors is to monitor for unknown access paths, such as shared accounts and logic bombs, and to disable those paths once they are known. Monitoring any change in the source code of the organizational information system is also important. Securing system logs is essential, as the logs record the activities of the insider. It is also suggested that organizations take measures to protect electronic back-ups, since insiders may target the back-ups, which are needed to recover a system that has been attacked by IT sabotage.

Theft of intellectual property (IP)

Theft of intellectual property refers to attempts by insiders to steal the intangible assets created and owned by the organization that are essential to achieving its mission (Cappelli et al., 2012).
Cappelli et al. (2012) compiled a database in which they show previous incidents with stolen intangible assets through theft of IP, including:
• Proprietary software/source code
• Business plans, proposals, and strategic plans
• Customer information
• Product information (designs, formulas, schematics)
In one of the incidents compiled by CERT, an insider stole trade secrets worth $40 million by copying them to removable media. She later used these secrets to start her own business with her husband. In another case, an engineer who was working for a high-tech company stole trade secrets from his organization and initiated similar businesses by acquiring funding from foreign organizations.
According to Cappelli et al. (2012), most of the insiders stole IP not to gain financial advantage by selling it to external parties but rather to gain a business advantage: either to start their own businesses, to use it in their work for another organization, or to start businesses in partnership with foreign governments and companies.
An interesting finding by Cappelli et al. (2012) is that the intellectual property (IP) theft cases were not committed by IT staff such as system administrators, as most people would assume; rather, they were committed by other employees such as scientists, engineers, programmers or salespeople. These insiders committed the crimes using their authorized credentials and during normal working hours, which makes the problem challenging to tackle. Cappelli et al. (2012) suggest that organizations adopt technical solutions like “digital watermarking, digital rights management, and data loss prevention systems to prevent the problem from occurring” (p.352). It is also suggested that employees who are leaving the organization should be monitored, as most of the IP theft cases were committed by such employees (Cappelli et al., 2012).

Insider fraud

Insider fraud, as defined by Weiland, Moore, Cappelli, Trzeciak and Spooner (2010), “is an insider’s use of IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or the theft of information that leads to an identity crime (identity theft, credit card fraud)” (p.8). This crime can seriously affect the organization, as it may lose its customers’ trust; for instance, if the credit card number of a customer is stolen.
In one instance compiled in the CERT database, a customer service representative who was responsible for processing health insurance claims intentionally changed the addresses of medical care providers who rarely filed claims. He then filed claims on behalf of those medical care providers and eventually collected $20 million from his fraudulent activities.
In another case, a database administrator who was responsible for maintaining the customer records of an insurance company downloaded the personal information of customers, including their credit card details by using removable media in an attempt to take revenge on his organization. He complained that he was not fairly paid for his work.
He also planned on using the database to make money by selling it to online fraudsters. As revenge, he posted the credit card details of the employees in an online newsgroup of fraudsters and also encouraged them to abuse the credit cards. He carried out these fraudulent activities for more than two years until an undercover agent who approached him as a buyer of credit cards caught him.

CHAPTER ONE  INTRODUCTION
1.1 Background
1.2 Definition of key terms
1.3 Problem statement and purpose of this study
1.4 Research questions
1.5 Research objectives
1.6 Significance of the study
1.7 Scope of the study
1.8 Research design and methodology
1.9 Structure of the thesis
1.10 Conclusion
CHAPTER TWO  THE INSIDER THREAT PROBLEM
2.1 Introduction
2.2 Insider Threat
2.3 Extant Insider Threat Prevention and Prediction Models
2.4 Chapter summary
CHAPTER THREE  CONCEPTUAL FRAMEWORK
3.1 Introduction
3.2 Fraud Diamond
3.3 Situational crime prevention (SCP)
3.4 Context-aware systems
3.5 Privacy-preserving techniques
3.6 Chapter summary
CHAPTER FOUR  Methodology
4.1 Introduction
4.2 Research paradigm
4.3.1 Problem identification and motivation
4.4 Research methodology validation
4.5 Sampling
4.6 Validity and reliability
4.7 Data collection methods
4.8 Data analysis
4.9 Research ethics
4.10 Chapter summary
CHAPTER FIVE  A PRIVACY-PRESERVING, CONTEXT-AWARE, INSIDER THREAT PREVENTION AND PREDICTION MODEL (PPCAITPP)
5.1 Introduction
5.2 Derivation of the model
5.3 The model
5.4 Comparison to similar models
5.5 Chapter summary
CHAPTER SIX  EVALUATION: CYCLE I
6.1 Introduction
6.2 Prototype – Asset management system
6.3 Data analysis
6.4 Discussion of the findings
6.5 Validity
6.6 Chapter summary
CHAPTER SEVEN  EVALUATION: CYCLE II
7.1 Introduction
7.2 Refined model
7.3 Revised prototype
7.4 Data analysis
7.5 Discussion of findings
7.6 Validity
7.7 Chapter summary
CHAPTER EIGHT  CONCLUSIONS, IMPLICATIONS AND FUTURE RESEARCH
8.1 Introduction
8.2 Overview of the study
8.3 Achieving the research objectives
8.4 Contributions of the study
8.5 Limitations of the study
8.6 Future research
8.7 Conclusions
REFERENCES
APPENDICES
