Information Security News mailing list archives

Security experts: Insider threat looms largest


From: InfoSec News <isn () c4i org>
Date: Tue, 9 Dec 2003 04:38:40 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.nwfusion.com/news/2003/1208infowar.html

By Ellen Messmer
Network World
12/08/03

WASHINGTON, D.C. - While the U.S. military is building up defenses to 
fend off network-based attacks from enemy states and terrorists, some 
say the more-insidious security problem is the threat of an insider 
bent on sabotage or stealing data. 

At last week's Forum on Information Warfare, researchers from the FBI 
and George Washington University emphasized the insider threat during 
presentations that drew military personnel and academics from around 
the world. In particular, IT systems administrators increasingly are 
seen as the most potentially dangerous insider threat - and military 
concern - because of their power over networks. 

In his keynote speech, Lt. Gen. Kenneth Minihan, former head of the 
National Security Agency (NSA), compared today's systems 
administrators to the encryption-code clerks of past wars who broke 
enemy secrets. He said systems administrators deserve greater 
attention from the military and should be better paid. Some 
researchers say they have seen the systems administrator go bad and 
see it as the Achilles' heel of national defense. 

FBI and George Washington researchers have studied the case histories 
of criminal computer use, including interviews with prisoners. 

"The systems administrator responsible for designing computer systems 
has the extraordinary ability to do damage," said Jerrold Post, 
professor of psychiatry, political psychology and international 
affairs at George Washington. He cited cases that occurred at Fort 
Bragg in North Carolina, and in banking and other industries, to 
underscore the danger posed by IT insiders who exploit power over 
networks. 

Post noted that insiders who commit computer-based crimes, such as 
fraud, extortion, sabotage and espionage, have a variety of 
motivations, including revenge and financial gain. He said it is 
critical to understand the psychology of IT administrators in general 
to recognize possible danger signs. 

IT specialists are "overwhelmingly represented by introverts" who 
"internalize stress and express themselves only online," he said. A 
study of IT specialists caught for computer-based crimes reveals that 
they typically share some character traits. 

Post said close analysis of work histories of IT administrators who 
sabotaged their employers' networks or did other damage reveals that 
they often first commit less-serious infractions, such as refusing to 
train their backup. Intervention by management early on could help 
prevent problems from escalating, because introverted people usually 
don't seek help. 

The FBI has started its own study of those who commit computer crimes 
- not necessarily focusing on IT administrators - by interviewing 
those now in jail, said John Jarvis, an FBI behavioral research 
scientist. "Cybercrime is primarily an insider phenomenon," Jarvis 
said. Only a quarter can be classified as "outsider," he said. 

Guarding against that minority is the job of insiders such as Timothy 
Vieregge, deputy of the systems and architecture branch in computer 
network operations at Fort Belvoir's First Information Operations 
Command in Virginia. Vieregge helped set up a network-monitoring 
system for the Army before the start of the war in Iraq. 

The system, based on more than 500 intrusion-detection monitors at 
Army network facilities around the globe, captured information on 
cyberattacks and sent it to the security information management 
product the Army uses, Symantec's CyberWolf, with NSA-developed 
visualization software called Renoir. 

While Vieregge said he couldn't say where attacks against Army 
computers originated, the monitoring systems showed which attacks 
succeeded and which failed. 

While attempted attacks increased 84% between October 2002 and 
March, the number of successful intrusions against Army facilities has 
dropped from a high of 16 in October to six in March. Vieregge said 
the monitoring system helped the Army prioritize areas that needed 
strengthening - where proper software patching hadn't been done, for 
example - and set up routers to block IP addresses from attack 
points. 

Vieregge said the Army isn't using intrusion-prevention systems yet to 
automatically block attacks but is following the technology's 
development. 


