Insider Threat Study

From Cybersecurity Wiki

Full Title of Reference

Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector

Full Citation

United States Secret Service and CERT Coordination Center (CERT/CC), Software Engineering Institute, Carnegie Mellon University (2004): Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. U.S. Government. Online paper. Web.



Key Words

Credit Card Fraud, Cybercrime, Disclosure Policy, Software Vulnerability


Historically, most fraud against the banking and financial services industry was committed by insiders. How often, and how severely, companies are attacked from within is hard to estimate; insider incidents are probably under-reported, out of fear of the negative publicity or increased liability that disclosure may bring.

The Insider Threat Study (ITS) examines a series of individual insider incidents from both a behavioral and a technical perspective.

Scope and Procedure of the Insider Threat Study

The report examines 23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002. Organizations affected by insider activity in this sector include credit unions, banks, investment firms, credit bureaus, and other companies whose activities fall within this sector. Of the 23 incidents, 15 involved fraud, four involved theft of intellectual property, and four involved sabotage to the information system/network.

The ITS as a whole consists of an aggregated case-study analysis that provides an in-depth look at insider incidents in critical infrastructure sectors between 1996 and 2002, a review of the prevalence of insider activity across those sectors over a 10-year time frame, and a survey of recent insider activity experienced by a sample of public- and private-sector organizations.

Cases were identified through public reporting or as computer fraud cases investigated by the Secret Service.

The ITS adapted methods used in previous research performed by the Secret Service and CERT/CC to conduct in-depth examinations of network, system, and data compromises and other insider activity. Researchers focused primarily on tracing insider incidents from the initial harm backward in time to when the idea of committing the incident first occurred to the insider. In tracing the incidents backward, researchers tried to identify the behaviors and communications in which the insiders engaged – both online and offline – prior to and including the insiders’ harmful activities.

Insider Fraud Requires Little Technical Sophistication

Most of the incidents examined in the banking and finance sector were not technically sophisticated or complex. They typically exploited non-technical weaknesses, such as gaps in business rules or organizational policies, rather than vulnerabilities in an information system or network, and were carried out by individuals with little or no technical expertise.

This suggests that organizations must secure their systems against the full range of users, from data-entry staff to management to system administrators, not only against technically skilled ones. Proactive practices, such as mandatory password protection and password-change policies and the use of password-protected screen savers, reduce the chance that an insider can use another employee's computer or account to carry out an attack.
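The two workstation controls named above, a password-protected screen lock and an enforced maximum password age, can be audited rather than assumed. The script below is an added example, not code from the ITS report or from this page. It assumes a Windows workstation (the report does not name a platform), reads the standard screen-saver values under the Control Panel\Desktop registry keys, and parses the account policy that `net accounts` reports; the thresholds of a 15-minute lock and a 90-day password age are hypothetical placeholders for an organization's own policy.

```powershell
<#
Added example (not part of the Insider Threat Study): audit whether this Windows
workstation enforces a password-protected screen lock and a maximum password age.
Assumptions: Windows, run as the logged-on user, and hypothetical thresholds that
stand in for the organization's real policy.
#>
param(
    [int]$MaxLockTimeoutSeconds = 900,   # hypothetical policy: lock after 15 minutes idle
    [int]$MaxPasswordAgeDays    = 90     # hypothetical policy: force a change at least every 90 days
)

$findings = @()

# Group Policy writes screen-saver settings under the Policies key, which overrides
# the per-user key, so prefer the enforced value and fall back to the user's own.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$userKey   = 'HKCU:\Control Panel\Desktop'

function Get-EffectiveDesktopValue([string]$Name) {
    foreach ($key in $policyKey, $userKey) {
        $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
        if ($null -ne $v) { return $v }
    }
    return $null
}

if ((Get-EffectiveDesktopValue 'ScreenSaveActive') -ne '1') {
    $findings += 'screen saver is not enabled'
}
if ((Get-EffectiveDesktopValue 'ScreenSaverIsSecure') -ne '1') {
    $findings += 'screen saver does not require a password to unlock'
}
$timeout = 0
$raw = Get-EffectiveDesktopValue 'ScreenSaveTimeOut'
if ($raw) { $timeout = [int]$raw }
if ($timeout -le 0 -or $timeout -gt $MaxLockTimeoutSeconds) {
    $findings += "screen saver timeout is $timeout s; policy requires at most $MaxLockTimeoutSeconds s"
}

# `net accounts` reports the account policy in effect on this machine. The maximum
# password age is a number of days, or 'Unlimited' when no expiry is enforced.
foreach ($line in (net accounts 2>$null)) {
    if ($line -match 'Maximum password age \(days\):\s+(\S+)') {
        $age = $Matches[1]
        if ($age -eq 'Unlimited' -or [int]$age -gt $MaxPasswordAgeDays) {
            $findings += "maximum password age is '$age'; policy requires at most $MaxPasswordAgeDays days"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
Write-Output 'PASS: screen lock and password-age settings meet policy'
```

Run it as the interactive user on each workstation (the screen-saver values are per-user, so a check run under a service account audits the wrong profile), and treat a non-zero exit as a finding for the endpoint-management system rather than as a one-off result.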

Perpetrators Planned Their Actions

Most of the incidents were thought out and planned in advance. In most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

Financial Gain Motivated Most Perpetrators

Most insiders were motivated by financial gain (81%) rather than by a desire to harm the company or its information systems. Other motives included revenge, dissatisfaction with company management, culture, or policies, and a desire for respect.

Additional Notes and Highlights

Expertise Required: None