Wednesday, August 25, 2004

Fascinating .gov and .mil Docs

Perhaps "fascinating" is too strong a word, but I've come across several intriguing government reports and documents which security professionals might find interesting. First, the CERT/CC and the Secret Service released a joint report titled Insider Threat Study. It's based on "23 incidents carried out by 26 insiders in the banking and finance sector between 1996 and 2002. Organizations affected by insider activity in this sector include credit unions, banks, investment firms, credit bureaus, and other companies whose activities fall within this sector. Of the 23 incidents, 15 involved fraud, four involved theft of intellectual property, and four involved sabotage to the information system/network." One of the incidents, mentioned in the beginning of the report, was the case prosecuted by the DoJ on behalf of UBS.

The major findings include:

"- Most of the incidents in the banking and finance sector were not technically sophisticated or complex. They typically involved the exploitation of non-technical vulnerabilities such as business rules or organization policies (rather than vulnerabilities in an information system or network) by individuals who had little or no technical expertise. In 87% of the cases the insiders employed simple, legitimate user commands to carry out the incidents, and in 78% of the incidents, the insiders were authorized users with active computer accounts.

- The majority of the incidents (81%) were devised and planned in advance. Furthermore, in most cases, others had knowledge of the insider's intentions, plans, and/or activities. Those who knew were often directly involved in the planning or stood to benefit from the activity.

- Most insiders (81%) were motivated by financial gain, rather than a desire to harm the company or information system.

- Insiders in this report fit no common profile. Only 23% held a technical position, 13% had a demonstrated interest in hacking and 27% had come to the attention of a supervisor or co-worker prior to the incident.

- Insider incidents were detected by internal, as well as external, individuals including customers.

- The impact of nearly all insider incidents in the banking and finance sector was financial loss for the victim organization: in 30% of the cases the financial loss exceeded $500,000. Many victim organizations incurred harm to multiple aspects of the organization.

- Most of the incidents (83%) were executed physically from within the insider's organization and took place during normal business hours."

The report also cites a 2000 study titled "DoD Insider Threat Mitigation," available in .doc format. I like reading these sorts of studies because they focus on threats, not vulnerabilities. I am always pleased when I see organizations working with law enforcement to prosecute intruders. A new firewall is not going to stop future intrusions; putting criminals in jail will. Don't focus on the vulnerability and forget about the threat!

On the .mil side, I came across fairly new documents from the Air Force describing their new network operations and security posture. It seems that after four years of debate the dust is settling around a hierarchical structure led by the Air Force Network Operations and Security Center (AFNOSC). Several Air Force Instructions (AFIs), led by AFI33-115V1 "Network Operations (NETOPS)" (3 May 04) and other 33 series AFIs, have redefined the relationship between the AFNOSC and the Air Force network. While the new structure looks good, I was sad to see the name "AFCERT" officially replaced by "AFNOSC Network Security Division." I understand the desire to give the AFCERT the authority of being AFNOSC-NSD, but the AFCERT name has twelve years of history behind it. My friends still in the AFCERT report that they still use the old name and plan to keep doing so.

William Geer said...

And yet again the AF changes the names of the Net Defenders. Today the 33 IOS split and became two different squadrons, the 33 NWS (old AFCERT) and the 91 NWS. Ending an era.
