Financial Institutions – Can You Identify An Insider Threat?
As an information security professional at your institution, would you know what signs and indicators to monitor for an insider attack? Dr. Eric Cole, a noted information security expert who has studied insider threats and investigated them at financial institutions, says the problem isn't only in identifying potential insider attacks, but in how much attention is being focused on this continuing threat.
During a recent interview Cole described the typical breakdown of information security budgets at financial institutions: "If you go into the average financial institution now, and you track its security budget and map it, around 80 percent of the budget is spent on external attack security and only 20 percent is spent, if that, on mitigating insider threats." Cole continued, "External or internal, attacks cost an institution both time and money. When a worm or virus hits your network, you immediately know, or can pinpoint when and where it started. But in the case of an insider attack, you don't always know when it started, or what damage has been inflicted, until you investigate and track it."
Institutions should address both, he says. "Most institutions have been focusing on external threats for a while and are doing a good job at stopping them, so spending more time and money on something you're already good at, and a small percentage of your budget on a problem that's causing lots of issues, is something that should change."
It is also, he says, a good explanation of why, "at least in the near future, we're going to see so many insider attacks."
Cole noted that financial institutions should also review their hiring practices to determine whether the criteria used for hiring a candidate are missing some indications of potential problems. "I've always been a strong believer that the past is a great indicator of the future, so if someone has worked for several institutions over a short period of time, that should be something to look at." While many candidates will have excuses for why they left, the candidate who has spent only six months at a time at several institutions would not be a choice candidate, in Cole's opinion. "There is a training curve, and if someone has only been at a position for six months, the investment alone to hire that person would be questionable."
Institutions can do more to deter potential insiders and uncover fraud and theft, he explained. While many institutions once required their staff to take their vacation time in two-week periods, the increased need for manpower at many institutions has reduced the mandatory two-week vacation in key positions to seven days. "The reasoning behind the two-week vacation periods was, if there was something going on, it would usually be uncovered during that person's time away. The institutions that are only requiring staff to take one week are lowering the bar, making it easier for perpetrators to cover their tracks," he said.
Cole also sees much less tracking of the separation of duties. "I'm seeing less diligence at the institutions I visit of making sure that the same people don't work together all the time, breaking up shifts and shift rotation. This is making it easier for the insider; if they are doing something, it will be harder to detect, and easier for them to cover their tracks."
What he has seen during investigations of insider crime: "It is hardly ever one person working alone, it is usually two, three or more people working together. My point to make is if I am an insider planning or in the midst of doing something, and if the person covering for me is in on the attack, then this won't help uncover what is happening."
This tends to be a problem with the various fraud detection systems set up to monitor activity for insider threats, he noted. "You must look at work relationships: if Eric and Mary are always working on 80 percent of the shifts together, and they go to lunch together, then make them take vacation together." He stressed that separation of duty is important, especially in critical operation areas.
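The two controls Cole describes above, checking whether the same people keep working the same shifts and checking that mandatory vacations are long enough to surface a problem, can be run as a simple audit over a shift roster and leave records. The script below is an added example, not code from the article or from Dr. Cole; the roster and leave records are constructed sample data, the 80 percent co-working threshold is taken from the quote, and the 14-day minimum absence from the two-week rule the article mentions.

```python
"""Audit a shift roster for pairs who work most of their shifts together, and
leave records for staff whose longest uninterrupted absence is below the
mandatory-vacation minimum. Constructed sample data, not from the article."""
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

# Constructed roster: (ISO date, shift label, employee). Eric and Mary are
# deliberately scheduled together on most shifts so the flag fires.
ROSTER = [
    ("2024-01-01", "AM", "eric"), ("2024-01-01", "AM", "mary"),
    ("2024-01-02", "AM", "eric"), ("2024-01-02", "AM", "mary"),
    ("2024-01-03", "PM", "eric"), ("2024-01-03", "PM", "mary"),
    ("2024-01-04", "AM", "eric"), ("2024-01-04", "AM", "sam"),
    ("2024-01-05", "AM", "eric"), ("2024-01-05", "AM", "mary"),
    ("2024-01-05", "PM", "sam"),  ("2024-01-05", "PM", "jane"),
    ("2024-01-06", "AM", "jane"), ("2024-01-06", "AM", "sam"),
    ("2024-01-07", "PM", "mary"), ("2024-01-07", "PM", "jane"),
]

# Constructed leave records: (employee, first day, last day), inclusive.
LEAVE = [
    ("eric", "2024-03-04", "2024-03-08"),  # two separate 5-day weeks
    ("eric", "2024-03-11", "2024-03-15"),
    ("mary", "2024-06-03", "2024-06-16"),  # one full 14-day block
    ("sam", "2024-07-01", "2024-07-07"),   # only 7 days
]


def shift_overlap(roster):
    """Map (a, b) -> (shared shifts, a's total shifts, b's total shifts)
    for every pair that worked at least one shift together."""
    crews = defaultdict(set)
    for day, shift, who in roster:
        crews[(day, shift)].add(who)
    totals = defaultdict(int)
    shared = defaultdict(int)
    for crew in crews.values():
        for who in crew:
            totals[who] += 1
        for a, b in combinations(sorted(crew), 2):
            shared[(a, b)] += 1
    return {(a, b): (n, totals[a], totals[b]) for (a, b), n in shared.items()}


def flag_pairs(roster, threshold=0.8):
    """Pairs where either member spends at least `threshold` of their own
    shifts with the other, i.e. the 'always on 80 percent of shifts together'
    pattern from the interview."""
    flagged = []
    for (a, b), (n, total_a, total_b) in shift_overlap(roster).items():
        ratio = max(n / total_a, n / total_b)
        if ratio >= threshold:
            flagged.append((a, b, round(ratio, 2)))
    return sorted(flagged)


def longest_absence(leave, employee):
    """Longest run of consecutive calendar days on leave. Adjacent or
    overlapping records merge; a gap of even one day breaks the run."""
    days = set()
    for who, start, end in leave:
        if who != employee:
            continue
        d, last = date.fromisoformat(start), date.fromisoformat(end)
        while d <= last:
            days.add(d)
            d += timedelta(days=1)
    best = run = 0
    for d in sorted(days):
        run = run + 1 if (d - timedelta(days=1)) in days else 1
        best = max(best, run)
    return best


def short_vacations(leave, employees, minimum_days=14):
    """Employees whose longest continuous absence is below the mandatory
    minimum; their work has never been left uncovered long enough to be reviewed."""
    return sorted(who for who in employees if longest_absence(leave, who) < minimum_days)


if __name__ == "__main__":
    staff = sorted({who for _, _, who in ROSTER})
    print("co-working pairs above threshold:", flag_pairs(ROSTER))
    print("below mandatory vacation minimum:", short_vacations(LEAVE, staff))
```

On the constructed data only the Eric/Mary pair reaches the threshold (4 of each person's 5 shifts are shared), while Eric's two separate five-day weeks, Sam's seven days and Jane's missing leave all fall short of the 14-day minimum; only Mary's single two-week block passes. The split-week case is the one to watch for in practice: two one-week absences add up to fourteen days but never leave a role uncovered for the full period the control relies on.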
Despite efforts to identify the typical "employee" who would commit an insider attack, Cole noted it isn't as easy as naming off disgruntled workers or poor performers. "There is no set profile, and it is a big problem. You can readily identify who would be more likely to commit a physical, armed bank robbery."
But when it comes to identifying the typical employee who would commit an insider attack, Cole said, "I've seen people who've been at a bank for 25 years, or less than six months, many working in a variety of positions within the bank, from technical positions to administrative positions; it's across the board."
One quote Cole likes to use (from a recent movie) is "I trust everyone, but it's the devil inside that I don't trust."
"Everyone's got a little devil inside; the question is you don't know what it is going to take to make that person commit a crime. Anybody has the potential to commit insider fraud. They will say, well, if I only take three accounts, it's not really a big deal. From what I've seen, there is no set profile, and I think we're not casting a big enough net when looking for the potential insider," he said.
Cole explained his reasoning on this: "I think the only way to get a profile is to look at behavioral characteristics that on the surface look totally unrelated, but then you will start noticing a trend." One correlation he pointed to was that many people who tend to have trouble with their supervisors or authority figures also tend to have a history of speeding tickets. "So here is a great profile indicator. But again, I don't think we've done enough work on identifying and profiling these indicators."
He posed an example to illustrate this: "Do you look for an employee who has a few speeding tickets, or even the lack of any?"
One of the common points uncovered in many of the FBI and CIA spy cases was that the accused spies had one thing in common: they all got through the polygraph tests with no problem. So if a person got through clean, that may be the best indicator that there might be a problem, Cole said.
Translating this to financial institutions, Cole said the person who has the "perfectly clean background" and is your model employee, who has a clean work record and has never done anything wrong, "this actually might be the one who you would want to keep a closer eye on, rather than the one who has a few blemishes on their record. Because the fact is, if they were terminated from a company, or they have an 'X' or 'Y' noted on their record, there has been no proof to date or correlation to show this is an indicator of insider threat."
What troubles Cole about this approach? "In essence, banks are using these artificial indicators, performing a background check, and if it shows up clean, then they're okay. The problem I have with that is when I perform an assessment for a bank and I ask them, 'Okay, these are the three things you check on a potential employee, and if they're clean, you hire them. But then I ask them to show me factual, historical data to prove that these indicators are a good test of whether someone would steal data or not.' So far, I have not had any bank come back with an answer."
Cole believes that there hasn't been enough data collected on this, and there hasn't been enough research to find the commonalities. "I think in another year or two, as this problem continues to grow and get more attention, we're going to see a wider net being cast to identify these indicators and develop profiles that might not be obvious. Any attempt to do this now would be futile, because now we're trying to use things that are closely related, but there is absolutely no proof that those are indicators for the problem."
About Dr. Eric Cole:
Dr. Eric Cole is an industry-recognized security expert, technology visionary and scientist, with over 15 years' hands-on experience. He co-authored Insider Threat: Protecting the Enterprise from Sabotage, Spying and Prevent Employees and Contractors from Stealing Corporate Data. He currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Dr. Cole has more than a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. He is also the inventor of more than 20 patents and is a researcher, writer, and speaker for the SANS Institute and faculty for The SANS Technology Institute, a degree-granting institution.