WASHINGTON – Hacks get the headlines, but insiders can cause major headaches, according to a new study from the U.S. Secret Service and a major cyberspace anti-threat consortium.
And one of the three main examples in the report – titled "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector" – comes from an unnamed credit union that lost $215,000 to an inside scheme.
The report from the Secret Service and the CERT Coordination Center at Pittsburgh's Carnegie Mellon University focuses on a series of incidents from 1996 through 2002. In addition to the CU case, the report cites a $600 million loss to foreign currency trade fraud and the "detonation" of a "logic bomb" that deleted some 10 billion international financial files.
The report – prepared at the request of the Department of Homeland Security – is available online at www.cert.org/archive and offers best practices credit unions and others can adopt to thwart the threat of insider attacks.
Management practices as much as technology factor into the defense, the study found, adding that "insider attacks on organizations in the banking and finance sector required minimal technical skill to execute."
"Reducing the risks of these attacks," the study concluded, "requires organizations to look beyond their information technology and security to their overall business practices. Management attention on financial performance, to the exclusion of good risk management practices, seems to be a recurrent theme."
Institutions affected by insider activity included credit unions, banks, investment firms, credit bureaus and similar organizations. Among the 23 incidents studied, the insiders – current or former employees or contractors – carried out 15 acts of fraud, four thefts of intellectual property, and four acts of sabotage to information systems or networks.
Many of the attacks were against small institutions, and only about a fourth of the insiders involved held technical positions, with only about a sixth holding system administrator, or root, access. Three-fourths, however, were authorized users and almost all used "simple, legitimate user commands." In fact, almost half used their own user names and passwords.
In the study, the four attacks involving system or network sabotage were carried out by the only four insiders in tech positions.
In the case of foreign currency trading fraud, the insider created and gradually modified much of his own organization's trading software. Meanwhile, there was organizational cover for the fraudster because his supervisor also supervised the auditing department.
Here's what the report said about the credit union incident:
"For several months, beginning in the fall of 1996, two credit union employees worked together to alter credit reports in exchange for financial payment. As part of their normal responsibilities, the employees were permitted to alter credit reports based on updated information the company received.
"However, the employees intentionally misused their authorized access to remove negative credit indicators and add fictitious indicators of positive credit to specific credit histories in exchange for money. The total amount of fraud loss from their activities exceeded $215,000.
"The risk exposure to the credit union was incalculable."
Based on this finding, an organization might want to enlist all employees, not just IT security staffers, in observing and reporting suspicious activity, the report said. The authors also recommended creating a single touchpoint for reporting suspicious activity, and announcing that the organization is determined and prepared to act against illicit acts.
As far as motivation, financial gain was the clear winner, the study found.
In 81% of the cases studied, the insider was motivated by a desire for financial gain at the organization's expense, including in one case a desire to keep his job despite criminal activity. Additional motivations included revenge (in 23% of the cases), dissatisfaction with the organization (15%), and "a desire for respect" (15%).
Interestingly, one former insider committed his attack not only to shame those who had fired him but also "to demonstrate to company management that they should not have ignored his suggestions regarding computer security. … He said that management did not listen to him because of the cost of implementing improved security."