September 13, 2004, CERT/CC Insider Threat Study, article by Dawn Cappelli of CERT/CC
The CERT Coordination Center (CERT/CC) and United States Secret Service (USSS) published the first report of findings from their Insider Threat Study on August 24: /Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. /This research was initiated in 2001 to perform in-depth case analysis of actual insider incidents that occurred in critical infrastructure sectors between 1996 and 2002. The cases examined are incidents perpetrated by insiders (current or former employees or contractors) who intentionally exceeded or misused an authorized level of network, system, or data access in a manner that affected the security of the organizations' data, systems, or daily business operations. In addition to reviewing case file materials, in most cases the team was able to obtain supplemental information via interviews with one or more of the following: representatives from the victim organization, investigators, prosecutors, and even a few of the insiders who committed the incidents. The objective of the study is to develop information to help private industry, government, and law enforcement better understand, detect, and ultimately prevent harmful insider activity. The project combines the Secret Service's expertise in behavioral and incident analysis with CERT/CC's technical expertise in network systems survivability and security to provide a comprehensive analysis of the insider threat problem.

The findings in the first report, specific to the Banking and Finance sector, revealed that most of the incidents examined were not technically sophisticated or complex, typically involving exploitation of non-technical vulnerabilities such as business rules or organization policies rather than vulnerabilities in an information system or network, and were carried out by individuals who had little or no technical expertise. Since most insiders used simple, legitimate user commands, and many used their own computer accounts, detection was primarily via manual mechanisms, rather than automated detection methods. Once detected, however, system logs were often utilized to investigate and identify the perpetrator. Although most incidents took place in the workplace during working hours, almost one third of the incidents were carried out from the insiders' homes through remote access, and of those attacks, over half involved actions both at the workplace and from home. The paper, located at http://www.cert.org/archive/pdf/bankfin040820.pdf, contains aggregate statistical data and implications of the research findings. Subsequent reports in this study will examine insider activity within the information and telecommunications sector and government sector, as well as incidents across critical infrastructure sectors.