September 27, 2004

Financial institutions are full of insiders. That's why the Secret Service National Threat Assessment Center (NTAC) and the CERT Coordination Center (CERT/CC) of Carnegie Mellon University's Software Engineering Institute conducted a behavioral and technical study of insiders who committed crimes using information technology.

The study examined 23 incidents that occurred between 1996 and 2002. Here are some of the findings and recommendations:

Findings: Most incidents required little technical sophistication.

Recommendations: Secure networks from the full range of users. Use mandatory password protection and policies to prevent insiders from using another employee's computer to carry out an attack.

Findings: Perpetrators planned their actions.

Recommendations: Security personnel and others can stop insiders before an incident occurs. Encourage employees to report suspicious behavior, such as attempts to bypass technical safeguards. Widespread employee awareness of the consequences of computer crime can also stave off attacks.

Findings: Financial gain motivated most perpetrators.

Recommendations: Establish organizational designs to ensure appropriate oversight of insider activity. Conduct auditing and take steps to ensure the integrity of financial-related data.

Findings: Perpetrators did not share a common profile.

Recommendations: Even well-respected, non-technical people commit computer crime, but background checks may be valuable.

Findings: Incidents were detected by various methods and people.

Recommendations: Establish a formal process for employees to report suspected abuses. Detection and assessment often requires manual diagnosis and analysis.

Findings: Perpetrators committed acts while on the job.

Recommendations: Workforce education can reduce insider risk. Be careful when providing remote access to critical data or systems, and perform frequent auditing and logging when necessary.