Dawn M. Cappelli - The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes

How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

Dawn Cappelli
Andrew Moore
Randall Trzeciak

Upper Saddle River, NJ Boston Indianapolis San Francisco
New York Toronto Montreal London Munich Paris Madrid
Capetown Sydney Tokyo Singapore Mexico City

The SEI Series in Software Engineering

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

CMM, CMMI, Capability Maturity Model, Capability Maturity Modeling, Carnegie Mellon, CERT, and CERT Coordination Center are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

ATAM; Architecture Tradeoff Analysis Method; CMM Integration; COTS Usage-Risk Evaluation; CURE; EPIC; Evolutionary Process for Integrating COTS Based Systems; Framework for Software Product Line Practice; IDEAL; Interim Profile; OAR; OCTAVE; Operationally Critical Threat, Asset, and Vulnerability Evaluation; Options Analysis for Reengineering; Personal Software Process; PLTP; Product Line Technical Probe; PSP; SCAMPI; SCAMPI Lead Appraiser; SCAMPI Lead Assessor; SCE; SEI; SEPG; Team Software Process; and TSP are service marks of Carnegie Mellon University.

Special permission to reproduce portions of Carnegie Mellon University copyrighted materials has been granted by the Software Engineering Institute. (See page for details.)

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales, (800) 382-3419, .

For sales outside the United States, please contact: International Sales, .

Visit us on the Web: informit.com/aw

Cataloging-in-Publication Data is on file with the Library of Congress.

Copyright 2012 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, One Lake Street, Upper Saddle River, New Jersey 07458, or you may fax your request to (201) 236-3290.

ISBN-13: 978-0-321-81257-5
ISBN-10: 0-321-81257-3

Text printed in the United States on recycled paper at Courier in Westford, Massachusetts.
First printing, January 2012

For Fred, Anthony, and Alyssa. You are my lifeI love you!

Dawn

For those who make my life oh so sweet: Susan, Eric, Susans amazing family, and my own Mom, Dad, Roger, and Lisa.

Andy

For Marianne, Abbie, Nate, and Luke. I am the luckiest person in the world to have such a wonderful family.

Randy

A night-shift security guard at a hospital plants malware on the hospitals computers. The malware could have brought down the heating, ventilation, and cooling systems and ultimately cost lives. Fortunately, he has posted a video of his crime on YouTube and is caught before carrying out his illicit intent.

A programmer quits his job at a nuclear power plant in the United States and returns to his home country of Iran with simulation software containing schematics and other engineering information for the power plant.

A group of employees at a Department of Motor Vehicles work together to make some extra money by creating drivers licenses for undocumented immigrants and others who could not legally get a license. They are finally arrested after creating a license for an undercover agent who claimed to be on the No Fly List.

These insider incidents are the types of crimes we will discuss in this bookcrimes committed by current or former employees, contractors, or business partners of the victim organization. As you will see, consequences of malicious insider incidents can be substantial, including financial losses, operational impacts, damage to reputation, and harm to individuals. The actions of a single insider have caused damage to organizations ranging from a few lost staff hours to negative publicity and financial damage so extensive that businesses have been forced to lay off employees and even close operations. Furthermore, insider incidents can have repercussions beyond the victim organization, disrupting operations or services critical to a specific sector or creating serious risks to public safety and national security.

We use many actual case examples throughout the book. It is important that you consider each case example by asking yourself the following questions: Could this happen in my organization? Could a night-shift security guard plant malicious code on our computers? Do we have employees, contractors, or business partners who might steal our sensitive information and give it to a competitor or foreign government or organization? Do we have systems that our employees could be paid by outsiders to manipulate?

For most of you, the answer to at least one of those questions will be an unequivocal yes! The good news is that after more than ten years of research into these types of crimes, we have developed insights and mitigation strategies that you can put in place in your organization to increase your chances of avoiding or surviving these types of situations.

Insider threats are an intriguing and complex problem. Some assert that they are the most significant threat faced by organizations today. High-profile insider threat cases, such as those conducted by people who stole and passed proprietary and classified information to WikiLeaks, certainly support that assertion, and demonstrate the danger posed by insiders in both government and private industry.

Unfortunately, insider threats cannot be mitigated solely through hardware and software solutions. There is no silver bullet for stopping insider threats. Furthermore, malicious insiders go to work every day and bypass both physical and electronic security measures. They have legitimate, authorized access to your most confidential, valuable information and systems, and they can use that legitimate access to perform criminal activity. You have to trust them; it is not practical to watch everything each of your employees does every day. The key to successfully mitigating these threats is to turn those advantages for the malicious insiders into advantages for you. This book will help you to do just that.