Insider Threat: Your Greatest Risks
Interview with Dawn Cappelli of Carnegie Mellon University's Software Engineering Institute
In an exclusive interview, Dawn Cappelli of Carnegie Mellon University's Software Engineering Institute, discusses:
- Insider threat trends;
- Biggest challenges for organizations looking to prevent crimes;
- Steps organizations can take to reduce risk.
Cappelli is Technical Manager for the Threat and Incident Management Team of the CERT Technical Staff at Carnegie Mellon University's Software Engineering Institute (SEI). She has over 25 years' experience in software engineering, including programming, technical project management, information security, and research. She is technical lead of CERT's insider threat research, a CyLab-funded project including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT. Before joining CERT in 2001, Cappelli was the Director of Engineering for the Information Technology Development Center of the Carnegie Mellon Research Institute (CMRI). Cappelli has a BS in Mathematics and Computer Science from the University of Pittsburgh.
TOM FIELD: What is the latest on the insider threat?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking about the insider threat today with Dawn Cappelli, Technical Manager for the Threat and Incident Management Team with the CERT Technical Staff at Carnegie Mellon University's Software Engineering Institute.
Dawn, it is a pleasure to talk with you again.
DAWN CAPPELLI: Thank you.
FIELD: Now Dawn, you have got a new role here, so maybe you can tell us a little bit about that and what you are doing with CERT now?
CAPPELLI: Well, I have actually another team under me now in addition to the Insider Threat Team. But I started the Insider Threat Team in 2001, and so it is still going strong. We have actually expanded our work recently. In the past we have been collecting cases, and we continue to collect actual cases of insider threats, but over the past nine years we have been looking at the problem. What is the problem? Who does it? Why do they do it? How do they do it?
Over the past year, we have decided to start looking at solutions, and so instead of just looking at how they do it and why, now we are starting to really work with organizations and vendors on, okay, what are effective mitigation strategies? We have set up an insider threat lab where we are actually hands-on starting to test some solutions, and so we are very excited about the direction that our work is going.
FIELD: Well, Dawn, I want to ask you about the insider threat; it was a huge topic of conversation in 2009. What trends did you see emerge in the past year?
CAPPELLI: Well, we have seen a lot of fraud cases. I actually asked one of our database guys to pull the latest stats of the number of cases that we saw in 2009. Before I give you those stats, though, I just want to point out that a lot of times these cases don't really see the light of day for a while. So I am sure that there are more cases that are going to start hitting the press that happened in 2009, and they are just coming to light now, but of the cases that we collected last year, we have 20 fraud cases.
The fraud cases continue to grow, and you know I have to think that that's probably because of the data breach laws, because now organizations have to report data breaches, and so we keep seeing this upswing in fraud cases. So we had 20 of those; we had 14 cases of IT sabotage, and I still try to point out to organizations that everyone is susceptible to IT sabotage, so this is a crime that no matter what sector you are in, you need to pay attention to; we had eight cases of theft of intellectual property; and we had 13 cases that we really can't even categorize yet because we just don't have enough information on exactly what they did or how they did it or why they did it.
As far as what sectors we saw hit, the government sector had the most cases. Second was public health, which was pretty interesting because in the past that has not even gotten a very big slice of our pie when we do the breakdown, the pie chart by sector, so public health had a fair number. And then third was banking and finance.
FIELD: Dawn, as we are a quarter of the way into 2010 now, what do you see as the biggest concerns for organizations, particularly in these sectors that you have just identified?
CAPPELLI: Well, I think the biggest concern, and this is what we are hearing from people and why we decided to set up this lab, is that there are tons of tools out there. You can go to any major conference, and the exhibit floor is full of displays and vendors, and there is a lot of good technology out there. There is a lot of good technology, and there are a lot of good people. The problem is: How do you use them together?
We saw this in our eCrime Survey that we do every year. Our survey this year showed that data leakage tools were way down at the bottom of the list when asked what are the most effective tools that you are using at detecting or preventing insider threats. And there are a lot of really good data leakage tools out there, but the problem is that they can result in information overload. There is so much information to look at -- where do you look? Because you can't look at everything. But we really believe that organizations can use those kinds of tools and other technologies effectively; it is just a matter of figuring out what kind of practices and procedures you need to put around the use of those tools.
The good thing about insider threat is you have people working in your organization, you see them every day, and there are indicators that you can look for, unlike external attacks where you have to really rely on the technology alone.
Another big concern is just the global nature of the economy and the global nature of organizations. We hear repeatedly that, for instance in IT sabotage, the indicators that we need to rely on are in large part behavioral indicators. You can look for your disgruntled system administrator who is obviously very disgruntled and getting worse. Well, in other cultures, is that same pattern going to hold up? Because that is how we are in the U.S., that is not necessarily how people behave in other cultures. So, culture issues are also a big concern for organizations.
FIELD: Now, Dawn, it seems like we have raised awareness about the insider threat, and as you say there are incidents that aren't being reported, maybe that aren't being detected. What do you see as being the biggest challenges for organizations that want to prevent insider crimes?
CAPPELLI: Well, I think the biggest challenge, like I said, you can buy tools, you can hire people, but in order to really detect insider threats I think organizations need to get pieces of their organization working together.
So, for instance, that disgruntled system administrator example. We know from our research that if you have a disgruntled system administrator who is about to be fired or quit because they are so angry, they are going to create some unknown access path so they can get back into the organization. Well, what is that going to be? They may plant malicious code. Well, that is what they do every day: they edit scripts, they write scripts, they release programs; so relying on technology to say this system administrator just released a new program, well, that is what they do every day. Or they may create a backdoor account; well, what do system administrators do every day? They create accounts.
So relying on just the technology, you are not going to catch it. But these people are on the HR radar, so management knows they are a problem. HR knows that they are a problem. Someone needs to tell the information security staff, so that they can look in your logs and see what has this person been up to because they are on the HR radar and they have the privilege and the ability to be able to carry out an IT sabotage attack.
Likewise, we know that theft of IP is typically committed by scientists, engineers, programmers, someone who steals what they created, and they steal it on their way out of the organization. So typically within 30 days of resignation they take some IP with them. Now they may have been stealing it over the course of a few months, but they are going to take something on their way out. So, if HR can communicate to the information security staff, this person just turned in their resignation, look back in the logs and see what they have been doing. You also need a proactive strategy; you need to have proactive technology in place, so that you can go back and see what they have been doing with their laptop at home, for instance.
I think the biggest challenge is to get the organization to work together, and it is really hard, and I am not going to try to say that it is easy. But we also know that there are some organizations out there that have done it, and done it successfully. So it can be done, but it requires really planning ahead and addressing legal issues, policy issues, employee privacy issues, and getting your legal department involved. I think that is the biggest challenge.
FIELD: Dawn, one last question for you. If you could boil it down for organizations, and even individuals, what are some simple steps that they can take now to at least reduce their risk?
CAPPELLI: Well, I think the first thing I would do is go to our website, not that I am trying to promote our materials, but we have a lot of freely available information out there such as our Common Sense Guide to Prevention and Detection of Insider Threats. That is a guide that, based on all of these cases in our database (we now have over 450 cases), looks at what best practices would have prevented these things from happening or enabled organizations to detect them more quickly.
I think it really pays to pay attention to what has happened in the past because we see distinct patterns in what these insiders do. We also offer an Insider Threat Assessment by CERT based on all of these cases. We have workshops that they can attend. I think they really need to think ahead and put together an incident response plan. If an insider does successfully attack, what are we going to do? Who is going to respond? And a lot of organizations that we have been talking to don't really even know whose job it is to detect insider attacks, so it is really a good idea to just start from the ground up and put together an incident response and incident handling plan for insider threats.
FIELD: Well, Dawn, it is a pleasure to hear from you, and I appreciate your time and your insight today. Thank you so much.
CAPPELLI: Okay, you are welcome.
FIELD: We have been talking about the insider threat. We have been talking with Dawn Cappelli with Carnegie Mellon University's Software Engineering Institute.
For Information Security Media Group, I'm Tom Field. Thank you very much.