Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector

Adam Cummings, Todd Lewellen, David McIntire, Andrew P. Moore, Randall Trzeciak

July 2012

SPECIAL REPORT CMU/SEI-2012-SR-004

CERT Program



Copyright 2012 Carnegie Mellon University.

This material is based upon work funded and supported by the United States Department of Homeland Security Science and Technology Directorate under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Homeland Security or the United States Department of Defense.

This report was prepared for the Contracting Officer, ESC/CAA, 20 Shilling Circle, Building 1305, 3rd Floor, Hanscom AFB, MA 01731-2125.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

CERT® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

SEI markings v3.2 / 30 August 2011

Table of Contents

Foreword  v
Acknowledgments  vi
Executive Summary  vii
Abstract  xi

1 Introduction  1
  1.1 Terms and Definitions  1
  1.2 Related Empirical Research  2
    1.2.1 Surveys  2
    1.2.2 Simulations  3
    1.2.3 Case Studies and Other Empirical Research  3
  1.3 Theory Related to the Insider Threat  5

2 Research Method  6
  2.1 Case Identification and Selection  6
  2.2 Coding Method and Database Description  7
  2.3 Modeling and Analysis Approach  8

3 Crime Profile and Findings  9
  3.1 Subject and Crime Description  9
  3.2 FINDING ONE: Criminals who executed a "low and slow" approach accomplished more damage and escaped detection for longer.  12
    3.2.1 Description  12
      Case Example #1  15
    3.2.2 Conclusions / Recommendations  15
  3.3 FINDING TWO: Insiders' means were not very technically sophisticated.  16
    3.3.1 Description  16
      Case Example #2  18
      Case Example #3  19
    3.3.2 Conclusions / Recommendations  19
  3.4 FINDING THREE: Fraud by managers differs substantially from fraud by non-managers by damage and duration.  20
    3.4.1 Description  20
      Case Example #4  22
      Case Example #5  22
    3.4.2 Conclusions / Recommendations  22
  3.5 FINDING FOUR: Most cases do not involve collusion.  23
    3.5.1 Description  24
      Case Example #6  25
    3.5.2 Conclusions / Recommendations  25
  3.6 FINDING FIVE: Most incidents were detected through an audit, customer complaints, or co-worker suspicions.  25
    3.6.1 Description  26
      Case Example #7  27
    3.6.2 Conclusions / Recommendations  27
  3.7 FINDING SIX: Personally identifiable information (PII) is a prominent target of those committing fraud.  27
    3.7.1 Description  28

CMU/SEI-2012-SR-004 | i

      Case Example #8  31
    3.7.2 Conclusions / Recommendations  31

4 Fraud Dynamics  32
  4.1 System Dynamics  32
  4.2 Fraud Triangle  33
  4.3 Manager Model  35
  4.4 Non-Manager Model  38

5 Strategies for Prevention, Detection, and Response  41
  5.1 Behavioral and Business Process Recommendations  43
  5.2 Monitoring and Technical Recommendations  44

6 Conclusion and Next Steps  46
  6.1 Considerations for Insider Threat Program Implementation  46
  6.2 Identify Technical Gaps  47
  6.3 Conclusion  48
  6.4 Next Steps  48

Appendix A: The Insider Threat Center at CERT  49
Appendix B: The Structure of the CERT Insider Threat Database  51
Appendix C: Other Insider Threat Concerns in the Financial Sector  54
Bibliography  58


List of Figures

Figure 1: Number of Insider Fraud Cases by Age  9
Figure 2: Average and Median Actual and Potential Damage (in Dollars)  10
Figure 3: Comparison of Damages for Internal and External Cases  11
Figure 4: Average and Median Sentence Outcomes (in Years)  12
Figure 5: Average Timeline of a Case (in Months)  13
Figure 6: Damages Compared to Crime Duration  14
Figure 7: Insider Position Types  17
Figure 8: Actual Damages by Position Type  20
Figure 9: Cases by Type of Collusion  24
Figure 10: PII and Non-PII Cases by Type of Subject  28
Figure 11: Average and Median Damage by PII and Non-PII Cases  29
Figure 12: Level of Seniority in Cases Involving PII  30
Figure 13: System Dynamics Notation  33
Figure 14: Fraud Triangle  34
Figure 15: Manager Model  36
Figure 16: Non-Manager Model  39
Figure 17: High-Level Structure of the CERT Insider Threat Database  51


List of Tables

Table 1: Comparison of Damage and Crime Duration by Non-managers  21
Table 2: Comparison of Crimes by Their Involvement of PII  30
Table 3: Comparison of Fraud by Managers and Non-Managers  40
Table 4: Summary of Recommended Controls  42
Table 5: Organization Information Collected  52
Table 6: Subject Information Collected  52
Table 7: Incident Information Collected  53
