Interesting study out today that took an in-depth look at 80 insider security cases and developed patterns of behavior that could help private companies, government, and law enforcement more better prevent, deter, detect, investigate, and manage this devious problem.
The study, "Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector" funded by the U.S. Department of Homeland Security (DHS) in collaboration with the U.S. Secret Service (USSS) and the CERT Insider Threat Center, part of Carnegie Mellon University's Software Engineering Institute looked at what they called technical and behavioral patterns from 67 insider and 13 external fraud cases that occurred between 2005 and now to develop "insights and risk indicators of malicious insider activity."
"As long as there are institutions that hold money, internal and external adversaries will make every attempt to subvert control mechanisms to illegally profit. To defeat those who are defrauding financial services companies, security professionals in this sector must master both the technical and behavioral aspects of the problem as well as ensure compliance with external regulators and internal governance initiatives, all while protecting their organizations' profits, shareholders, and customers," the report states.
As part of the 76 page report, the group developed six far-reaching findings. From the report these findings include:
- 1. Criminals who executed a "low and slow" approach accomplished more damage and escaped detection for longer.
- On average, over 5 years elapse between a subject's hiring and the identified start of the fraud, and it takes an average of almost 32 months to be detected by the victim organization.
IN THE NEWS: Prototype system goes after DNS-based botnets
- The lower 50% of cases (under 32 months in length) had an average actual monetary impact of approximately $382,750, while the upper 50 percent (at or over 32 months in length) had an average actual monetary impact of approximately $479,000.
- Insiders' means were not very technically sophisticated.
- Very few subjects served in a technical role (e.g., database administrator) or conducted their fraud by using explicitly technical means.
- In more than half of the cases, the insider used some form of authorized access, whether current or authorized at an earlier time but subsequently withdrawn for any number of reasons, including change in job internally or a change in employer, and in a few of the cases, the insider used some non-technical method to bypass authorized processes.
- Fraud by managers differs substantially from fraud by non-managers by damage and duration.
- Fraud committed by managers consistently caused more actual damage ($200,105 on average) than fraud committed by non-managers ($112,188 on average).
- Fraud committed by managers lasted almost twice as long (33 months) as compared to nonmanagers (18 months).
- Of all the non-managers, accountants cause the most damage from insider fraud ($472,096 on average) and evade detection for the longest amount of time (41 months).
- Most cases do not involve collusion.
- Only 16% of the fraud incidents involved some type of collusion, with 69% of those involving collusion exclusively with outsiders.
- Only 1 case involved collusion with other insiders.
- Most incidents were detected through an audit, customer complaint, or coworker suspicion.
- Routine or impromptu auditing was the most common way that an attack was detected (41%). In terms of who detected the attack, internal employees were the most common (54%) followed by customers (30%).
- Only 6% of the cases were known to involve the use of software and systems to detect the fraudulent activity.
- Transaction logs, database logs, and access logs were known to be used in the ensuing incident response for only 20% of the cases.
- Personally identifiable information (PII) is a prominent target of those committing fraud.
- Roughly one-third (34%) of the cases involved PII being the target by the insider or external actor with younger, non-managers stealing PII more often than older employees.
- The average tenure of employees who stole PII was shorter than the tenure of malicious insiders who did not steal PII.
Check out these other hot stories: