Senior Editor, Network World

Security experts: Insider threat looms largest

Dec 08, 2003

WASHINGTON, D.C. – While the U.S. military is building up defenses to fend off network-based attacks from enemy states and terrorists, some say the more-insidious security problem is the threat of an insider bent on sabotage or stealing data.


At last week’s Forum on Information Warfare, researchers from the FBI and George Washington University emphasized the insider threat during presentations that drew military personnel and academics from around the world. In particular, IT systems administrators increasingly are seen as the most potentially dangerous insider threat – and military concern – because of their power over networks.

In his keynote speech, Lt. Gen. Kenneth Minihan, former head of the National Security Agency (NSA), compared today’s systems administrators to the encryption-code clerks of past wars who broke enemy secrets. He said systems administrators deserve greater attention from the military and should be better paid. Some researchers say they have seen the systems administrator go bad and see it as the Achilles’ heel of national defense.

FBI and George Washington researchers have studied the case histories of criminal computer use, including interviews with prisoners.

“The systems administrator responsible for designing computer systems has the extraordinary ability to do damage,” said Jerrold Post, professor of psychiatry, political psychology and international affairs at George Washington. He cited cases that occurred at Fort Bragg in North Carolina, and in banking and other industries, to underscore the danger posed by IT insiders who exploit power over networks.

Post noted that insiders who commit computer-based crimes, such as fraud, extortion, sabotage and espionage, have a variety of motivations, including revenge and financial gain. He said it is critical to understand the psychology of IT administrators in general to recognize possible danger signs.

IT specialists are “overwhelmingly represented by introverts” who “internalize stress and express themselves only online,” he said. A study of IT specialists caught for computer-based crimes reveals that they typically share certain character traits.

Post said close analysis of work histories of IT administrators who sabotaged their employers’ networks or did other damage reveals that they often first commit less-serious infractions, such as refusing to train their backup. Intervention by management early on could help prevent problems from escalating, because introverted people usually don’t seek help.

The FBI has started its own study of those who commit computer crimes – not necessarily focusing on IT administrators – by interviewing those now in jail, said John Jarvis, an FBI behavioral research scientist. “Cybercrime is primarily an insider phenomenon,” Jarvis said. Only a quarter can be classified as “outsider,” he said.

Guarding against that minority is the job of insiders such as Timothy Vieregge, deputy of the systems and architecture branch in computer network operations at Fort Belvoir’s First Information Operations Command in Virginia. Vieregge helped set up a network-monitoring system for the Army before the start of the war in Iraq.

Psychological profile

Likely to be seen in an insider threat:
Introvert; lives online.
History of significant frustrations relating to family, peers, co-workers.
Divorce or romantic discord.
Propensity for anger toward authority.
Grandiosity covers fragile ego.
Extreme attachment to IT infrastructure.

The system, based on more than 500 intrusion-detection monitors at Army network facilities around the globe, captured information on cyberattacks and sent it to the security information management product the Army uses, Symantec’s CyberWolf, with NSA-developed visualization software called Renoir.

While Vieregge said he couldn’t say where attacks against Army computers originated, the monitoring systems showed which attacks succeeded and which failed.

While attempted attacks increased 84% between October 2002 and March, the number of successful intrusions against Army facilities dropped from a high of 16 in October to six in March. Vieregge said the monitoring system helped the Army prioritize areas that needed strengthening – where proper software patching hadn’t been done, for example – and set up routers to block IP addresses from attack points.

Vieregge said the Army isn’t using intrusion-prevention systems yet to automatically block attacks but is following the technology’s development.