Thursday, September 13, 2012

Protecting your network from insider threats

A recent government report analyzed 80 cases of computer-based fraud within the banking and finance sector. The findings include six common patterns and activities of the perpetrators as well as recommendations for organizations to protect themselves.

The report was sponsored by (we're not making this up) the Department of Homeland Security Science and Technology Directorate's Homeland Security Advanced Research Projects Agency Cyber Security Division. Wow. Also contributing was the US Secret Service and the CERT Insider Threat Center of Carnegie Mellon University. Of the 80 cases, 67 were insider fraud cases, and the remaining 13 were external to the organizations harmed.

FINDINGS
  1. Criminals who executed a "low and slow" approach accomplished more damage and escaped detection for longer
    • On average 5 years went by between a subject's hiring and the start of their fraud, and the fraud then continued for almost 32 months on average before it was detected.
    • This is real money too -- cases lasting less than 32 months averaged over $380,000 in losses, and longer cases averaged about $479,000.
  2. Insiders' means were not very technically sophisticated
    • Few of the subjects were in technical roles like a database administrator
    • In more than half the cases, the insider used some form of authorized but often expired access
  3. Fraud by managers differs substantially from fraud by non-managers in damage and duration
    • Manager fraud caused nearly twice the economic damage and took twice as long to detect
  4. Most cases do not involve collusion
    • Only 16% of fraud involved some type of collusion, and these subjects were mostly working with outsiders
  5. Most incidents were detected through an audit, customer complaint or coworker suspicion
    • Routine auditing caught 41%, with only 6% of cases involving detection by software and systems designed to detect fraudulent activity
  6. Personally identifiable information (PII) is a prominent target of those committing fraud
    • Roughly 1/3 of cases targeted PII, and younger non-managers were generally the ones committing this type of fraud

RECOMMENDATIONS

So, given this analysis of the types of fraud going on, what do they suggest to avoid it? The recommendations are really pretty basic, but the key is effective implementation.

Behavioral and/or Business Process
  • Clearly document and consistently enforce policies and controls.
  • Institute periodic security awareness training for all employees.
Monitoring and Technical
  • Include unexplained financial gain in any periodic reinvestigations of employees.
  • Log, monitor, and audit employee online actions.
  • Pay special attention to those in special positions of trust and authority with relatively easy ability to perpetrate high value crimes (e.g., accountants and managers).
  • Restrict access to PII.
  • Develop an insider incident response plan to control the damage from malicious insider activity, assist in the investigative process, and incorporate lessons learned to continually improve the plan.
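
Finding 2 (insiders using authorized but expired access) and the "log, monitor, and audit" recommendation suggest one concrete check: cross-reference an access log against an authorization roster and flag activity by accounts whose access has lapsed or was never recorded. The following is an added example, not code from the report or from Uplogix; the roster, the log lines and their format are constructed for illustration.

```python
"""Flag activity by accounts whose authorized access has expired or was never granted."""
from datetime import date, datetime

# Constructed roster: account -> date its authorization expired (None = still valid).
ACCESS_ROSTER = {
    "jdoe": None,
    "asmith": date(2012, 6, 30),   # contractor whose access should have ended
    "bjones": date(2012, 8, 15),   # transferred employee, old role access not revoked
}

# Constructed sample log lines: "<ISO timestamp> <account> <action> <resource>"
SAMPLE_LOG = """\
2012-09-10T09:14:02 jdoe READ customer_pii
2012-09-10T09:20:45 asmith READ customer_pii
2012-09-11T17:32:10 bjones EXPORT account_ledger
2012-09-11T18:01:00 ghost LOGIN vpn
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, action, resource)."""
    ts, account, action, resource = line.split()
    return datetime.fromisoformat(ts), account, action, resource


def find_expired_access_use(log_text, roster):
    """Return (account, timestamp, action, resource, reason) for each suspicious event.

    Two cases are reported: the account's authorization expired before the event,
    or the account does not appear in the roster at all (no recorded authorization).
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, action, resource = parse_line(raw)
        if account not in roster:
            findings.append((account, ts, action, resource, "no recorded authorization"))
            continue
        expiry = roster[account]
        if expiry is not None and ts.date() > expiry:
            days = (ts.date() - expiry).days
            findings.append((account, ts, action, resource,
                             f"access expired {days} days earlier"))
    return findings


if __name__ == "__main__":
    for finding in find_expired_access_use(SAMPLE_LOG, ACCESS_ROSTER):
        print(*finding)
```

In practice the roster would come from the HR or identity system and the log from the application or device audit trail; the point is that the comparison is trivial once both are collected, which is exactly the kind of routine audit that caught 41% of the cases.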
How can Uplogix help?

Uplogix local management enhances enterprise security by extending role based administrative access policies to network devices and by providing detailed auditing and reporting in support of attaining and demonstrating regulatory compliance. All of these capabilities are maintained even in the event of a network outage.

By automating many routine network management actions, we ensure that your policies are followed to the letter, each and every time. No shortcuts because an admin is in a hurry to get to lunch, no sessions left open on a device.

See how this is working today in the financial industry in the Uplogix Global Financial Institution case study.