Countrywide and Solving the Insider Threat
The recent arrest of a former Countrywide employee in the insider identity theft case, in which information on an estimated 2 million mortgage loan customers at mortgage lender Countrywide was taken, is just chock full of "but for the grace of God" examples for other financial institutions.
The fact is that a determined insider is the hardest person to stop. But the detailed, long-term movement of information by senior financial analyst Rene Rebollo while he worked at Countrywide could be viewed in hindsight as a neon blinking light on the Vegas strip that says "I'm Stealing Data From My Employer."
He was copying and transferring information on Sunday evenings - a big neon flashing arrow should have been lit up. Was there a reason for this individual to be working on Sunday nights? And nearly every Sunday night for an extended period of time? I mean, some of us work on the weekends every now and then (me included). But if my job doesn't require me to be in the office every Sunday night, shouldn't that ring some warning bells that this activity is somewhat of an exception?
The really big clue would have been: He wasn't using his computer, but a machine nearby that didn't have its USB ports disabled. (Countrywide's effort to stop users from copying data onto USBs or thumb drives, iPods or other portable storage drives was to disable all the USB ports on all machines.) The mortgage lender stopped there, and didn't deploy any method for detecting or stopping downloads to USB devices since it was already stopping downloads by blocking USB connections. Whoops, they missed one.
What about Countrywide's policies, procedures and internal controls? The insider's immediate management should have also been clued in, but wasn't aware, because he was coming in during non-working hours. If they did know he was coming in, through signature access logs, cameras, or computer logs, they didn't realize he was logging into a different machine. Couldn't a good dose of identity access management software solve that problem?
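The two signals described above (a repeated off-hours pattern, and logons to a machine other than the user's own) can be checked together from ordinary logon records. The sketch below is an added example, not anything Countrywide or the FBI affidavit describes; the user names, host names, timestamps, business hours and the three-week threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: hypothetical users, hosts and timestamps.
ASSIGNED_HOST = {"analyst1": "WS-101", "analyst2": "WS-102"}
USB_ENABLED_HOSTS = {"WS-117"}  # a host the USB-disable rollout missed
LOGONS = [
    ("2008-06-01T20:05", "analyst1", "WS-117"),  # Sunday evening
    ("2008-06-02T09:00", "analyst1", "WS-101"),  # Monday, own machine
    ("2008-06-08T20:10", "analyst1", "WS-117"),  # Sunday evening
    ("2008-06-14T11:00", "analyst2", "WS-102"),  # Saturday, own machine
    ("2008-06-15T19:55", "analyst1", "WS-117"),  # Sunday evening
    ("2008-06-18T22:30", "analyst2", "WS-117"),  # one-off late Wednesday
]

def is_off_hours(ts, start=7, end=19):
    """Weekend, or outside start..end on a weekday (assumed business hours)."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def recurring_offhours_foreign_logons(logons, assigned, usb_hosts, min_weeks=3):
    """Flag users who log on off-hours to a host that is not their assigned
    machine in at least min_weeks distinct calendar weeks."""
    weeks = defaultdict(set)
    for stamp, user, host in logons:
        ts = datetime.fromisoformat(stamp)
        if host != assigned.get(user) and is_off_hours(ts):
            # Count distinct ISO (year, week) pairs, so several logons in
            # one weekend do not inflate the pattern.
            weeks[(user, host)].add(tuple(ts.isocalendar())[:2])
    findings = []
    for (user, host), seen in sorted(weeks.items()):
        if len(seen) >= min_weeks:
            findings.append({
                "user": user,
                "host": host,
                "weeks": len(seen),
                # Raise priority when the host can still write to USB media.
                "usb_enabled": host in usb_hosts,
            })
    return findings

if __name__ == "__main__":
    for f in recurring_offhours_foreign_logons(LOGONS, ASSIGNED_HOST, USB_ENABLED_HOSTS):
        print(f)
```

Counting distinct weeks rather than raw events is what separates the occasional weekend worker from the every-Sunday pattern, and the one-off late logon by the second user stays below the threshold.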
Looking back at the two years this insider was able to pull off his data thefts, some managers would probably think, "That guy who works for me is really a hard worker. He comes in every Sunday night to get a jump start on the next week. He is a smart, dedicated employee. Hmmm, maybe I should look into giving him a raise."
Rebollo, as the FBI affidavit reveals, wasn't that smart. He voluntarily told the FBI that he would charge $400 to $500 for thousands of leads. At that rate, his criminal actions would end up costing the buyers of this stolen data about 2.5 cents per customer profile. Now that's what a criminal would call a real bargain, as experts say that Social Security numbers by themselves cost dollars, not merely a few pennies. The type of information stolen from Countrywide customers (name, address, SSN, date of birth) could be used to open new bank accounts, the golden dream of every identity thief (emphasis on the golden part).
How to tell the difference between a dedicated employee and the evil insider thief? I wish I could say there's a birthmark on the scalp of the evil insider, but there isn't (most times). What companies need to realize is they have to take this threat seriously. One place to start is a study done by the National Threat Assessment Center, US Secret Service and the CERT Coordination Center at Carnegie Mellon University, "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Center".
The next thing to do is realize this: Technology alone won't solve the problem. Just having internal controls and policies in place doesn't solve the problem, either. A wise, well-planned, multi-pronged risk management strategy will work with a combination of appropriate physical controls and logical controls. Also, don't forget the need for the complete support of senior management. Combine all this with a strong employee education and awareness program - and you've now cut the chances of your institution's name being splattered everywhere in the headlines.
Finally, just imagine if Rebollo's co-workers had spotted signs of his caper, say after a month's worth of downloads, and remembered they could call and report his suspicious activity to Countrywide's information security officer anonymously. Can we estimate the savings in money and reputation? Think of the human firewall Countrywide could have had in place if its employees had been educated on the importance of information security and their responsibility to report "suspicious" activity by other employees. The cost of that education certainly wouldn't be more than what they're spending on the investigation and subsequent fallout and reputation loss because of this insider's data theft.