
The Insider Threat Problem: The Case of a Jamaican Government Organization


MASTER'S THESIS

The Insider Threat Problem

The Case of a Jamaican Government Organization

Dwight Allison

2013

Master (120 credits)

Master of Science in Information Security

Luleå University of Technology


The Insider Threat Problem: The Case of a Jamaican Government Organization

by Dwight Allison

Thesis submitted in partial fulfilment of the requirements for the degree of Master of Science in Information Security in the Computer and Systems Science Department of

Luleå University of Technology

June 25, 2013

Copyright by Dwight Allison


Abstract

The history of Information Security started with computer security concentrated primarily around the securing of the computer hardware and the physical environment from outside threats. In most instances, the physical hardware comprises the major component of Information Systems and therefore attracts the major efforts in terms of security. In fact, for most Information Security breaches, the hardware components can be the object of the attack, where they are the entity being attacked, or the subject of the attack, where they are used as the active tool to perpetrate the attack. However, an important characteristic of Information Security that often gets overlooked is the role that people play in an organization’s Information Security posture.

In my opinion people who are familiar with the operations of an organisation such as the hardware, software and procedures and most importantly are trusted by the organisation and its stakeholders pose as significant a threat as persons external to the organisation.

A National Security Institute (NSI) special report published in 2004 makes the important point that the internal threat poses one of the greatest risks to corporations, organizations and governments today and estimates that as much as 75 percent of security breaches can be categorized as “inside jobs”. The report also states that 70 percent of infringements of company networks occur from the inside. Even with these eye opening statistics, less than 30 percent of expenditure on information security is directed at addressing information security threats posed by insiders (NSI, 2004).

This thesis therefore aims to highlight the significance of threats posed by people to the Information Security posture of an organisation, with special emphasis on people affiliated to and trusted by these organisations. The work took the form of a case study conducted at the Electoral Office of Jamaica, one of Jamaica’s primary governmental organisations, and is contextually based on the Insider Threat Security Reference Architecture (ITSRA), which proposes a multi-tiered approach to mitigating information security threats and enforcing security controls.

The work highlights the fact that although cases involving activities such as hacking and viruses are more heavily highlighted and publicized, company insiders such as employees and contractors constitute as great or possibly an even greater risk to an organisation. This is because the majority of information security incidents are not perpetrated as a result of technology failure but primarily because of human failure, negligence or greed. Using an abductive or theory-oriented approach with inductively defined classifications, supported by the constructs defined in the Insider Threat Security Reference Architecture (ITSRA) as the primary guide, the work demonstrated that Information Security is everyone’s responsibility and requires a culture where management not only creates the environment for proper procedures, policies and controls but where each and every employee is expected to understand and follow the security procedures set out.


Acknowledgments

This has indeed been a long and challenging journey, but I want to extend sincere gratitude to my supervisor, Professor Helena Karasti, who has provided valuable and insightful guidance and supervision throughout the entire process. I also wish to thank the management and staff of the Electoral Office of Jamaica for their kind cooperation in allowing me to use their organisation for this case study. I also want to thank my family and friends for all the encouragement they gave me throughout the process. Last but not least, I want to say a big thank you to all the other members of Group Helena Karasti, who provided valuable feedback and critique on my work throughout the seminars.

Contents

Abstract

Acknowledgments

List of Tables

List of Figures

List of Important Acronyms and Abbreviations

Chapter 1 – Thesis Introduction

1.1 Background

1.2 Motivation / Problem Description and Rationale

1.3 Research Questions

1.4 Delimitation

1.5 Aims and Objective Of The Research

Chapter 2 – Literature Review

2.1 Introduction

2.2 Key Literature Related To Insider Information Security Threats

2.2.1 Information Security

2.2.2 Confidentiality, Integrity and Availability (CIA)

2.2.3 The Information Security Framework

2.2.4 Role Of People In Information Security

2.2.5 Insiders And Their Threats

2.2.6 Mitigating Against The Insider Threat

Chapter 3 - Theoretical Framework

3.1 The Components of The ITSRA

3.2 Example Of The Use of The ITSRA

Chapter 4 - Method and Methodology

4.1 Introduction

4.2 Definition and Explanation Of Key Terms

4.3 Factors Influencing The Choice Of Research Methodology

4.4 Justification For Using The Case Study Method

4.5 Case Study Management

4.5.1 The Actual Interview Process

4.5.2 Data Analysis Selection Criteria

4.5.3 Data Analysis Strategy

4.5.4 Data Analysis Process

Chapter 5 – Empirical Finding

5.1 Introduction

5.2 Interpretation Of The Data

5.2.1 Policies, Practices and Procedures

5.2.2 Awareness and Training

5.2.4 Physical Security

5.2.5 Risk Assessment, Data Categorisation and Asset Valuation

5.2.6 Access Controls

5.2.7 Hardware and Infrastructure Management

5.2.8 Software Application Management

Chapter 6 – Discussions and Recommendations

6.1 Discussions Related to Research Question 1

6.1.1 What are the threats that the organisation is exposed to from trusted insiders?

6.1.2. Which set of trusted insiders can be considered threat agents?

6.1.2.1 Current employees

6.1.2.2 Negligent Employees

6.1.2.3 Former employees

6.2 Discussions Related to Research Question 2

6.2.1 How employee behaviour and practices influence threats posed by trusted insiders?

6.2.1.1 Compromised User Accounts and Passwords

6.2.1.2 Clean Desk Policy

6.2.1.3 None Revision of Existing Organisational Policies

6.2.1.4 Having a weak link in the Physical Security Chain

6.2.1.5 Weak Information Security and Awareness Culture

6.2.1.6 Utilizing Work Computer For Personal Use

6.3 Discussions Related to Research Question 3 - Recommendations

6.3.1 Safeguards and strategies to mitigate insider threats.

6.3.1.1 Policy Management

6.3.1.2 Technical Enforcements

6.3.1.3 Business Continuity and Incident Reporting Procedures

6.3.1.4 Implement Safeguards is the Software Development Life Cycle (SDLC)

Chapter 7 – Summary, Conclusions and Future Work

7.1 Summary and Conclusions

7.2 Future Work

7.2.1 Future Work - Proposal 1

7.2.2 Future Work - Proposal 2

Appendix A

Appendix B

List of Tables

Table 1: ITSRA Model and Classifications derived

Table 2: Categories derived from inductive analysis of interviews

Table 3: The ITSRA Matrix depicting a Sample Subset of

List of Figures

Figure 1: The relationship between Risk Management and Risk Assessment (Marios, 2006)

Figure 2: The CIA Triad (Johnson, 2010)

Figure 3: Insider Threat Security Reference Architecture (Montelibano & Moore, 2012)

Figure 4: Opportunities for Prevention, Detection, and Response for an Insider Attack (Montelibano & Moore, 2012)

Figure 5: The EOJ/ECJ Organisational Structure (ECJ Website)

Figure 6: An overview of the inductive coding process (Thomas, 2006)

Figure 7: Summary Comparison by Type of Insider Incident (Cappelli et al, 2009)

Figure 8: Trusted Business Partner Insiders By Industry Sector (Lewellen et al, 2010)

Figure 9: Statistic showing percentage breakdown of insiders engaged in breaches, Contos (2006)

Figure 10: Snapshot of the “Authorized Access” column of the ITSRA matrix, focusing on select controls per security layer (Montelibano & Moore, 2012)

List of Important Acronyms and Abbreviations

USB: Universal Serial Bus

eSATA: external Serial Advanced Technology Attachment

ITSRA: Insider Threat Security Reference Architecture

IT: Information Technology

EOJ: Electoral Office Of Jamaica

ECJ: Electoral Commission Of Jamaica

IDPS: Intrusion Detection and Prevention Systems

SDLC: Software Development Life Cycle

CERT: Computer Emergency Response Team

DBA: Database Administrator

NSI: National Security Institute

JIS: Jamaica Information Service

NIST: National Institute of Standards and Technology

EOPUS: Executive Office of Public Safety and Security

CIOC: Chief Information Officers Council

EDGE: Enhanced Data rates for GSM Evolution

CMCs: Computer Mediated Communications

PC: Personal Computer

TBP: Trusted Business Partner

ACLs: Access Control Lists

Chapter 1 – Thesis Introduction

1.1 Background

Few persons today would disagree that Information Technology has become a pivotal part of how we operate in the modern world, both in business and from a recreational point of view. The reach and influence of Information Technology has not been limited to private organizations but has also extended heavily into government organizations.

As can be expected, there are some drawbacks to the increased use of Information Technology in business. In the digital information age in which we now live, organizations are seeking to use automation by way of Information Technology to process information in order to better serve their customers and support their missions, goals and objectives. Unfortunately, not everyone wants to use this advancement for the greater good. Some persons have different motivations that are not in keeping with the use of Information Technology within the confines of proper ethical and sometimes even legal conduct. So, even though the use of IT offers so many advantages to organizations, there are numerous inherent risks that must be mitigated in order to successfully use IT as an extender or enhancer of services. The majority of these risks are attributed to the fact that IT is not just a technical or technological phenomenon, as the name leads us to believe, but is greatly dependent on the involvement of humans as articulated earlier.

Over the years a lot of emphasis has been placed on attacks from outside the organisations, perpetrated by hackers and also utilizing tools such as social engineering. However, it is becoming increasingly evident that the threats posed by persons with legitimate professional links to the organisations, and who are therefore trusted by the organisations, are on the increase.

For the purpose of this thesis work, an insider can be considered to be a current employee, a contractor, or a business partner. These categories of persons will normally have authorized access to critical company resources such as the network, applications and systems and therefore, perhaps more importantly, the organisation’s critical data, information and intellectual property. It is often the case that either greedy or malicious employees are the ones who will attempt to take advantage of their position of trust by manipulating or exploiting the organisation they work for. These types of threats are very difficult to eliminate but can be minimised and effectively controlled by having good security policies, controls and procedures.

Information Security breaches occur quite frequently and in most instances the attempted risk mitigation is of a technical nature only, with little or no consideration for the human element in the possible breach or the existing risk. The equation gets even more complicated when the human element involved is one with legitimate permission to access data and information and can do so on a daily basis. It should also be noted that the threats posed by these trusted insiders can be perpetrated by either intentional or unintentional acts. Either way, they must be mitigated against, as there are numerous threats out there that take advantage of such situations.

Past work done on the subject demonstrates that when it comes to the issue of Information Security, human threats score much higher than those posed by technology or purely technical threats. A survey conducted by the consulting firm Deloitte of more than 100 technology, media and telecommunications companies worldwide showed that seventy-five percent of companies listed human error as the leading cause of security failures such as breakdowns and systems outages. Forty-eight percent also cited operations and technology lapses as key causes of Information Security failures. Problems resulting from third parties such as contractors and business partners, meanwhile, received 28 percent of the votes as a root cause of security failures.

Human errors are not the only concern, as employees deliberately misbehaving or acting in a malicious fashion also figure prominently in Information Security breaches. Ninety-one percent of respondents say the risk of employee misconduct related to information systems worried them (Daniel, 2008).

To elaborate even further, a technical report published by Carnegie Mellon University in 2012 noted that a substantial amount of information security threats are posed by persons known and in fact trusted by the organisations they are associated with, hence why I call them trusted personnel. The report cited a 2011 Cyber Security Watch Survey, conducted by the U.S. Secret Service, the CERT Insider Threat Center, CSO Magazine, and Deloitte, which found that 21% of all electronic crimes were committed by insiders. Additionally, 43% of persons surveyed indicated that they had experienced at least one intentional malicious insider incident in the previous year. It was also very instructive to note that a total of 46% of the surveyed respondents indicated that more often than not the damages caused by insider attacks were more severe than damages caused by attacks from external sources. Typically, insider attacks manifest themselves as unauthorized access to or use of company information, unintentional exposure of private or sensitive information or sometimes even the theft of intellectual property (Silowash et al, 2012).

To mitigate these insider security threats, it is recommended that Information Security goals be integrated into business strategies and plans, ensuring that efforts to enforce Information Security activities are practiced throughout the entire organization and are not restricted to just technical measures alone (Daniel, 2008). The effects and implications of human behavior will have to be a major consideration of any such effort, to the extent that all employees need to be educated about the possible occurrence of insider security threats and their consequences.

In our specific work, the focus will be on the Electoral Office of Jamaica, hereafter called the EOJ, which is a government organization established in 1943 to administer the holding of Parliamentary and Local Government Elections. The mission of the EOJ is to conduct national elections so that no advantage is given to any party or individual contesting these said elections and to ensure that the primary principle of democracy, which is one man one vote, is observed.

Additionally, the EOJ monitors electoral funding and financial disclosure requirements, performs continuous registration of electors and residence verification of applicants, updates the voters list every six months and also prints and issues voter identification cards (ECJ Website).

It should be noted that these voter ID cards are considered a popular method of national identification in Jamaica and this is one of the many ways persons try to commit fraud. It often starts with the acquisition of false identification. Based on the nature of the services offered by the EOJ, it is a prime candidate for persons seeking to do the wrong thing and these are some of the factors that could lead to Information Security risks attributed to employees. For example, there have been complaints in the past of impersonations or identity theft, especially of persons attempting to steal the identity of dead persons. There are also cases of persons attempting to register with incorrect demographic information such as names, addresses, age and other similar personal data.

Persons will attempt these unethical and sometimes illegal activities because it is perceived that they will always be able to find an individual in the system who can be either intentionally or unwillingly manipulated.

As a result of these problems, greatly influenced by human or employee behavior, this thesis work is being proposed to examine employee behavior in relation to how Information Security is carried out within the organization and also how overall information security can be enhanced to minimise the risks posed by employees trusted by the organisation.

1.2 Motivation / Problem Description and Rationale

Many companies have made securing their information infrastructure a major priority. You may think the reason for this may be obvious but sometimes not every organisation will see this as an important requirement for them. The fact, however, is that protection of an organization’s information infrastructure is essentially protecting the organizations’ ability to function on a day to day basis. It is also very important to note that information security is more of a management function than a technology related one (Whitman and Mattord, 2003).

Even though numerous global studies indicate a trend of companies in first world countries coming to this realization and defining information security governance frameworks with defined responsibilities, policies, and procedures to encourage desired behavior, I don’t believe the importance of this phenomenon has caught up in Jamaica as yet. Information Security as a concept is fairly new in Jamaica and the primary focus is on cybercrimes, where the primary threats are seen as existing externally.

This observation is one that is of great concern to me personally, especially considering that it has been rumored for long periods that corruption exists in most Jamaican statutory and government organizations and that this corruption runs from the very top down to the bottom of the organizational structures. This corruption is somehow fostered by the high level of bureaucratic red tape that hinders service delivery in many of these government agencies. As a result, you will find many persons willing to pay “under the table” to expedite the delivery of their goods or services instead of following the established legal channels.

The Electoral Office of Jamaica (EOJ), which is the entity identified for this thesis work, is said to be one of the best run government organizations in Jamaica. That said, if we look back in history we will realize that Jamaica has had a history of frequent and regular political party alternations, with those of the 1970s, leading to the general elections in 1980, being quite violent. In that election, the Jamaica Labour Party, led by Edward Seaga, won a landslide victory. The JLP gained 51 of the 60 seats in the House of Representatives and almost 59 per cent of the vote, defeating the People's National Party government led by Michael Manley, who had been prime minister from 1972 (Burke, 2010).

The results highlighted above are representative of every single parliamentary election held in Jamaica since the establishment of the Electoral Office of Jamaica in 1943 and the administration of the first set of elections in 1944. The results emphatically demonstrate that the country effectively has a two-party system, or it may be more appropriate to say that there are two dominant political parties, rendering it extremely difficult for other parties to achieve electoral success.

It was demonstrated in 1980 that these two political parties will go to the extreme in order to gain political power. In the minds of many, attempting to corrupt or otherwise influence the electoral process and the officials charged with administering the process is by no means beyond the realm of possible actions that may be attempted.

Because of these types of possibilities and the fact that the Electoral Office of Jamaica is in charge of the collection, storage and communication of such critical pieces of information as electors’ demographic information, photographs, and perhaps most importantly fingerprints, it is important that not only the technical infrastructure but also the information security management aspects of the organization’s operations are kept at a high level to mitigate against the many and varied risks to information security that exist for the organization, especially for those trusted with managing the actual day to day operations of the organisation.

One of the main motivation factors influencing this thesis work was a quote from the infamous Kevin Mitnick. For those of us who might not be familiar with him, Kevin David Mitnick is now an American computer security consultant and author but gained notoriety as a computer hacker. After a number of alleged criminal acts including stealing computer passwords, hacking computer networks, wiretapping and breaking into and reading people’s emails, he was finally caught.

In 1999, he confessed to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication, as part of a plea agreement and was sentenced to 46 months in prison plus an additional 22 months for violating the terms of a 1989 supervised release sentence for computer fraud. He went on to spend five years in prison and was released on January 21, 2000 but was prohibited from profiting from films or books based on his criminal activity for seven years. He now operates Mitnick Security Consulting LLC, a computer security consultancy (Wikipedia).

Mitnick was quoted at a computer security conference as saying, "People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices - and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything” (Abreu, 2000).

That to me is a simple but very profound statement. Even though his statement highlighted the unsuspecting employee, information security practitioners must also be prepared to mitigate risks posed by all employees within an organization.


A National Survey on Managing the Insider Threat published by Computer World magazine (www.computerworld.com) and joint reports of the FBI and the Computer Security Institute (www.gocsi.com) cited that more than 90% of the companies and the organizations have had damages from internal intrusions in the past.

D'Arcy et al (2006) also noted that intentional insider misuse of information systems resources represents a significant threat to organizations and in fact statistics suggest that between 50%–75% of security incidents originate from within organizations. Because of the large number of incidents of misuse, or dare I say abuse, it has become increasingly important to understand how to reduce such behavior by the people in the organization.

I will sum up my motivation by echoing the sentiments expressed by the country’s previous Contractor General, Mr. Greg Christie, as published in the Jamaica Gleaner on June 28, 2012. Mr. Christie stated that while corruption was by no means a phenomenon confined to Jamaica, it is considered by many to be the largest single impediment to our country's attainment of sustained economic growth and development. Corruption, he believes, is often driven by individual greed and dishonesty, but is now a major global concern with the capacity to undermine democracy and the rule of law, as well as to drive fragile and developing countries, like Jamaica, towards State failure (Christie, 2012).

I believe that all this information and the current willingness to accept the status quo influence and motivate me even further to do this work to ensure that sufficient attention is brought to this seemingly neglected fact.

1.3 Research Questions

Based on the research objectives, a total of three research questions were defined, which the research tried to obtain suitable answers to, in order to add to the knowledge capital especially to the relevant stakeholders at the EOJ. The questions were answered by utilizing information collected from the actual case study in addition to the literature reviewed. The three research questions are:

Question 1: What are the threats that the organisation is exposed to from trusted insiders and which set of trusted insiders can be considered to be the threat agents?

Question 2: How does the behaviour of the employees influence or contribute to the Information Security Threats posed by Trusted Insiders?

Question 3: What kind of safeguards and strategies can be implemented to manage and mitigate insider threats, thus providing an operating environment to better secure critical organisational information?

1.4 Delimitation

The focus of the work was on how the behavior of people classified as trusted influenced the various risk factors that can possibly affect the secure operation of the EOJ and can possibly threaten its status of being one of the best run government organizations in Jamaica. To establish baselines or benchmarks for the study, some of the better known international Information Security standards such as BS7799 and the International Standard derived from BS7799 (ISO17799), now defined in the ISO/IEC 27000 family of Security Standards, among others, were consulted. However, these standards were not the focus of the work. The investigation and research focused mainly on personnel involved directly with the data collection, storage and distribution aspects of the Electoral Registration System (ERS) but also involved support staff such as Human Resources and all the Senior Directors of the organization.

The study did not focus on the running of elections. It however attempted to sensitize the readers to how the information flow is handled in a typical election to ensure that the integrity of the data is enforced.

The work also did not look at the technical aspects of biometrics and other similar technology but focused more on how the use of such technology could improve Information Security within the systems.

Issues of risks related to terrorism were not examined. The thesis did not explore whether enhancing the process of identity in fact improves security. The focus was instead on the strategies, policies and practices required to maximize the security, integrity, availability and utility of the data.

1.5 Aims and Objective Of The Research

The aim of the research study was to attempt to understand the influence of insiders or trusted personnel on the Information Security process at the EOJ. A critical part of this entire process was to identify and understand the threats that insiders posed to the organisation and to devise mechanisms to minimize risks when handling information within the organisation or information the organisation shares with other entities as part of its mandate. This approach aimed to ensure that the critical tenets of confidentiality, integrity and availability of the information are maintained.

The analysis and understanding of Information Security threats encourages the adoption of an Information Security Management cycle which promotes a Plan, Do, Check, Act (PDCA) cycle within the organization.

The objectives for each step of the PDCA cycle are listed as:

1. Plan: To establish information security policy and objectives to manage risk and improve the level of risk exposure.

2. Do: Implement the security controls planned for the Information Security Management System in accordance with established information policy and security objectives.

3. Check: To evaluate and measure process performance and controls against established guidelines.

4. Act: Take corrective and preventive actions based on the results of verification in order to implement a continuous improvement to the Information Security Management System (Humberto, 2010).

This scheme requires the interaction of humans at each phase, which cannot be emphasized enough. The threats posed by insiders can be viewed, in my opinion, as a microcosm of general employee or human behaviour. From a general perspective, a number of initiatives have been conducted to explore the effects of employees and their behaviour and influence on Information Security. These initiatives range from surveys and workshops to in-depth case studies. These initiatives have helped to inform observers more on the prevailing issue. They can of course be used as a reference point for the specifics of the insider threat. However, gaps still exist that have made it difficult for organizations to develop a comprehensive understanding of this particular type of threat, but what is evidently clear is that any approach to address the issue must draw upon human resources, corporate security, and information security perspectives (Keeney et al, 2005).

Preliminary checks have so far shown that there is no documentation of any such initiatives been conducted at a government organisation in Jamaica so this thesis work provided a good opportunity to share new knowledge gained from this work with a broader audience not restricted to just the Electoral Office of Jamaica.

With this in mind, it is hoped that at the end of the exercise, we would have ascertained whether or not the EOJ is operating using good Information Security Management practices not just concentrating on technical information security measures but also non-technical issues surrounding human behaviour. This human behaviour could be malicious insider threats or non-malicious actions caused by negligence or lack of awareness or training. As such, it is important that any information security strategy adopted must be geared towards protection information assets from threats emanating from both outside and inside of the organisation. It is also very important that all of employees and not just managers and senior personnel be educated and aware of the consequences of

information security breaches such as the damage, loss or exposure of company information.

It is my aim and objective that this work will enable not just the EOJ but other government organizations to articulate their information security goals by establishing an appropriate Information Security Governance Policy with the appropriate support from Executive Management that dictates the day to day Information Security management and operational policies and practices. One of the most important features of a governance framework is that it defines the roles of different members of the organization and in this particular instance the roles of different organizations in the delivery of a complete, secure and trusted solution. This approach will therefore ultimately ensure that both technical and non-technical factors, such as understanding the threat posed by trusted insiders, are effectively understood and evaluated.

It is desired that the work will also have a positive impact on the overall Information Security posture of the organisation and at the very least increase the employees’ awareness and education levels, especially those relating to the threats posed by insider actions and behaviour.

Chapter 2 – Literature Review

2.1 Introduction

The literature review is viewed as a critical component of this research work as it aims to provide the audience with a means of understanding the work being conducted from a number of different perspectives. This is important to ensure that the work that I am presently conducting can be seen as relevant to research work done in the past. It also provides me with an avenue to establish the theories on which the research is being developed. The essence of both the thesis topic and the three proposed research questions is being used as a guide to ensure that there is a strong correlation between the literature being reviewed and the actual research work being conducted.

As such, this literature review seeks to compile and relate as much literature on the relevant salient points relating to our work as possible. These include:

• Information Security in General

• Insiders and Insider Threats

• Objectives of Information Security such as Confidentiality, Integrity and Availability (CIA)

• Role of People in Information Security and their behavioural patterns in relation to Information Security

• Mitigation steps to minimise the risks posed by Information Security threats with particular relevance on the insider threats

Enforcing any form of security is itself a difficult prospect but that prospect will become even more difficult if the enemy you are attempting to protect yourself from is within or has free access to your environment, space or resources that you are attempting to protect.

2.2 Key Literature Related To Insider Information Security Threats

2.2.1 Information Security

Security in the broad sense can be defined as the state of being free from danger. The environment or situation creating danger could be intentional or otherwise such as accidental or caused by negligence. In order to adequately protect its operations and assets including its employees an organisation has to provide multiple layers of security. These include:

• Physical Security

• Personal Security

• Operations Security

• Communications Security

• Network Security

• Information Security

All these different levels of security are important and in many cases a breakdown or lapse in one area can directly or indirectly compromise efforts in another area. Information Security can be defined as the protection of the information and the hardware used to collect, store and transmit such information. In order to adequately protect the above-mentioned information and associated hardware, tools such as policies, awareness, training and education are necessary in addition to relevant technological tools. As such it is clear that Information Security is both a technological and human driven phenomenon. The threats posed to Information Assets are vast and include accidental or intentional damage, theft, destruction, unintended or unauthorized modification or other similar cases of misuse or abuse from both human and nonhuman entities. As such, models are required to handle these threats by analyzing the critical characteristics of information. A product of this work is what is termed the CIA triangle which looks at the characteristics of information as Confidentiality, Integrity and Availability (Whitman and Mattord, 2003).

In general, the functional aims of Information Security include the protection of data and information within an organisation and also protection of other technology assets within the organisation. The enforcement of these objectives will ultimately result in the organisation being able to function and effectively carry out its stated day to day activities and operations. It should be noted that Information Security seeks to support the organization’s business needs first and technology needs after, as it is the business needs that dictate the type of technology that is adopted (Whitman and Mattord, 2003).

A critical component of Information Security is to know the threats that face the organisation. A threat is defined as an object, person or entity that represents a constant danger to an asset. There is a wide range of threats and there has been a lot of research into understanding Information Security threats and their consequences on the operations of businesses. A categorization scheme has been devised to provide a better understanding of the large number of threats faced by organisations.

Five groups and categories identified in (Whitman and Mattord, 2003) are:

1. Inadvertent Acts

2. Deliberate Acts

3. Acts of God

4. Technical Failures

5. Management Failures

The use of categorisations is aimed at providing management and Information Security practitioners with a more focused mechanism for mitigating these threats through Information Security Policies, employee education and training and, where appropriate, the use of technology controls. It should be noted that enforcement of Information Security Policies and Procedures must abide by all the legal and ethical principles that are in place in the respective jurisdictions. This is important as we live in a modern society and the rights of everyone need to be respected when consideration is given to Information Security concerns, primarily privacy issues and the possible breach of any ethical code of conduct within an organisation or law within a country.

That said, each organisation must have a process to identify and classify the threats that face them because you cannot mitigate what you don’t know about. Furthermore, each threat will have different potential to result in an actual attack or information security breach and the likelihood of occurrence is also different for each threat.

It should also be noted that a threat cannot be exploited without an avenue that can be used to facilitate an attack or breach. This is called a vulnerability and is defined by Whitman and Mattord (2003) as a flaw or weakness in an information security asset, security procedure, design or control that can be either accidentally or intentionally exploited with the objective of causing a security breach.

As such, another critical consideration relating to the understanding of what Information Security is relates to the assessment and controlling of Information Security risk. Even though this thesis will not involve any in-depth risk assessment exercise, I believe it is important to understand the concept and how it relates to the Information Security initiatives of an organisation. This is because although there are many threats affecting an organisation, not all of them have the same effect or level of importance to the organisation. It is important to assess and evaluate risk in order to ensure that plans to mitigate existing risk are properly scoped and are not made too complex, thereby, compromising the ability to plan properly or put what was planned into action.

The business dictionary defines risk as the probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

I intentionally highlighted this particular definition of the many possible definitions of risk that are available in literature because it is simple and clearly illustrates the fact that risks to a business are not caused by only external factors such as hackers attempting to break in from outside but also by internal vulnerabilities such as those created by insider threats. The definition also clearly highlights the fact that risks can be minimised or even avoided by putting in place preemptive actions to plan for the possible risk.

Whitman and Mattord (2003) offer another definition of risk which is more specific to the realm of Information Security. It states that an Information Security risk is the probability or likelihood of the occurrence of a vulnerability times the value of the information asset less the amount or percentage of that risk that is mitigated by current or existing controls plus the uncertainty of current knowledge of the control.

Here again, the key points to note in the definition are that risks are based on the probability of the occurrence and that controls can be implemented to mitigate the risk. This definition, however, includes a new dimension, that of the value of the asset that is at risk. This consideration is very important when you consider the fact that it could cost an organisation large amounts of money to recover from the successful execution of some threats. Some can even put a company out of business. As such, organisations should have a means of ranking their critical assets based on their value or worth to the organisation. Some organisations will utilize a simple numerical scale to do this, with the asset with the highest value assigned the highest number and the one with the least significant value assigned the lowest number or rank.

In the case of the EOJ, their most valuable asset and the one that would cost the organisation the most if compromised is its Elector Registration Database, which stores demographic information (names, addresses, date of birth etc.), photographs and fingerprints of every Jamaican citizen registered to vote.
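The Whitman and Mattord definition above can be applied to a small risk register to rank exposures and to compare that ranking with a ranking by asset. The following is an added example, not part of the thesis or of any EOJ system; the `Exposure` structure, every figure in the register, and the reading of the two percentages as fractions of the likelihood-times-value product are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/vulnerability pair in a risk register (hypothetical structure)."""
    asset: str
    vulnerability: str
    asset_value: float   # position on the organisation's own value scale
    likelihood: float    # 0.0-1.0: chance the vulnerability is exercised
    mitigated: float     # 0.0-1.0: share of the risk handled by existing controls
    uncertainty: float   # 0.0-1.0: doubt about the estimates above

    def risk(self) -> float:
        for name in ("likelihood", "mitigated", "uncertainty"):
            value = getattr(self, name)
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{name} must be between 0 and 1, got {value}")
        if self.asset_value < 0:
            raise ValueError("asset_value must not be negative")
        base = self.likelihood * self.asset_value
        # Assumption: both percentages are fractions of the base product.
        return base - base * self.mitigated + base * self.uncertainty


def rank_exposures(exposures):
    """Return (risk, asset, vulnerability) tuples, highest risk first."""
    scored = [(round(e.risk(), 2), e.asset, e.vulnerability) for e in exposures]
    return sorted(scored, key=lambda row: row[0], reverse=True)


def risk_by_asset(exposures):
    """Sum the risk of every exposure recorded against each asset."""
    totals = {}
    for e in exposures:
        totals[e.asset] = round(totals.get(e.asset, 0.0) + e.risk(), 2)
    return totals


# Constructed register: values, likelihoods and percentages are illustrative only.
REGISTER = [
    Exposure("Elector Registration Database", "bulk export not restricted",
             100, 0.3, 0.5, 0.2),
    Exposure("Elector Registration Database", "shared administrator account",
             100, 0.1, 0.0, 0.2),
    Exposure("Public website", "stale contractor account",
             40, 0.8, 0.25, 0.1),
    Exposure("Payroll spreadsheet", "mis-addressed e-mail",
             30, 0.5, 0.0, 0.2),
]

if __name__ == "__main__":
    for risk, asset, vulnerability in rank_exposures(REGISTER):
        print(f"{risk:6.2f}  {asset}: {vulnerability}")
    print(risk_by_asset(REGISTER))
```

With these constructed figures the single highest exposure belongs to a lower-valued asset, while the highest-valued asset carries the largest total once its exposures are added together.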

Understanding and mitigating information security threats, as mooted in the thesis topic, must therefore involve not only identifying and determining the risks but also taking steps to ensure the confidentiality, integrity and availability of the organisation’s valuable data and information and also the systems and mechanisms that store, transmit and access them.

The identification and assessment of the risks posed by insider threats and indeed other forms of information security threats are important but it cannot stop there. In order to counter these threats by implementing the appropriate security controls and safeguards, a more comprehensive Risk Management approach is required. The distinction should be clearly made that Risk Management is a recurrent activity that deals with the analysis, planning, implementation, control and monitoring of implemented measurements and the enforced security policy, while Risk Assessment is executed at discrete time points to provide a temporary view of assessed risks and to serve as a guide to the broader Risk Management process (Marios, 2006). This view of the relationship of Risk Management to Risk Assessment is depicted in figure 1 below:

The ultimate objective of Risk Management activities is to ensure the Confidentiality, Integrity and Availability (CIA) of valuable information by implementing and performing risk control strategies. We will therefore look at what CIA is in relation to this thesis work.

2.2.2 Confidentiality, Integrity and Availability (CIA)

The term confidentiality, integrity, availability (CIA) is widely used collectively as a measure to evaluate information systems security by focusing on the three core goals of confidentiality, integrity and availability of data or information. Ensuring CIA is one of the principal objectives of this work so some mention is being made here. In fact, these are the three principles on which good information security practices are built.

Data confidentiality: Confidentiality refers to limiting information access and disclosure to authorized users, thereby preventing access by or disclosure to unauthorized persons. Central to the goal of confidentiality are authentication methods like user-IDs and passwords, which uniquely identify users, and also the supporting control methods that limit each authenticated user to only the data he or she is authorized to access.

Data integrity: Integrity relates more to the trustworthiness of information resources. It is more focused on ensuring that data has not been changed inappropriately, whether deliberately or accidentally. It also seeks to ensure that the origin or source of transmitted data can be corroborated, that is, that the data actually came from the person or entity you expect it to come from.

Data availability: Availability refers to ensuring that the information resources are available for use when required. An information system that is not available when needed is almost as bad as having no system at all, as most organisations have now become very reliant on a functioning computer and communications infrastructure (Johnson, 2010).

It might not be obvious to most at first but the basic building blocks of Information Security within an IT organization are built on the well-known CIA triad for security policy development which is built around the three critical areas of integrity, confidentiality, and availability just discussed. Those concepts are handled within the confines of your hardware, software, and communications information systems.

The CIA Triad as shown in figure 2 was developed specifically to assist with the development of information security policies. While each of the 3 terms is a word commonly used in day to day life, they have clear and important implications for what needs to be done to have good information security controls and safeguards (Johnson, 2010).

2.2.3 The Information Security Framework

When building anything, it is normally recommended to have a blueprint or a plan to guide you. Creating an Information Security Program is no exception, so we will also take the opportunity to provide some information on the role of the Information Security Framework in the establishment and operation of the Information Security Program in an organisation. Based on the approach we are advocating, which is the use of a holistic approach to Information Security, the ISO 27002 standard is a good model to use as the basis for such a framework because it is an enterprise-wide definition of the types of resources and controls needed to develop an information security program. The ISO 27002 model identifies and clearly differentiates the fact that an effective program must involve the integration of both business and technology if it is to be successful in improving security. Therefore, I will agree with Johnson, who puts forward the suggestion that using the ISO 27002 standard as a framework helps in building an Information Security program that covers the important aspects required to protect an organisation’s information assets. It should be noted that the current ISO 27002 standard is a renaming of the previous ISO 17799 standard, which had about 130 recommended objectives. What Johnson (2010) considers to be 12 of the more important information security areas are listed below.

A number of these areas will be utilized in the planned thesis work especially in determining the kinds of safeguards and strategies that can be implemented to manage insider risk and better secure critical organisational information.

The 12 major sections of the ISO 27002 framework alluded to earlier are:

1. Risk Assessment

2. Security Policy

3. Information Security Organization

4. Asset Management

6. Physical and Environmental Security

7. Communications and Operations Management

8. Access Control

9. Information System Acquisition

10. Incident Management

11. Business Continuity Management

12. Compliance (Johnson, 2010).

A major consideration when considering security and using ISO 27002, or any other Information Security framework for that matter, is that people are a constant. As such, the next section of the literature review will look at the role people or humans play and then look specifically at insiders.

2.2.4 Role Of People In Information Security

It is well accepted that Information Security is not only a technology issue but is influenced a lot by people. We will have to deal with people in most aspects of organisations and in the case of our work, people are very integral to the process. They will be required to collect, record and then later communicate information about people. As such, a certain amount of inherent trust is afforded to these individuals. It is also assumed that they are educated and well trained to perform the duties assigned to them. But is this always the case? The fact is that we are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of the organisation (Morrill, 2007).

While there are relative risks associated with each and every aspect of Information Security, the general consensus among many industry experts is that humans are the weakest link. This means that a user's ability, honesty and willingness to use an information system in the way it was intended cannot always be guaranteed.

People are important resources in the information security activities of an organization. In his doctoral thesis, Albrechtsen (2008) has an interesting view on the role of people in information security activities. He agrees that it would be foolish to neglect employees as a possible malicious threat, but also went on to state that in principle users are not the enemies within. Even though I do not fully agree with his statement, I understand the point he was making. The broader point he was making is that even though employees have been found directly or indirectly responsible for a number of information security incidents, technology or organizational policies should be in place to prevent these threats from finding a vulnerability to exploit. Where I take some issue with Albrechtsen is that if you do not view the users as enemies within, then it could lead to a relaxation of the same technology and organisational security policies which he advocates should be preventing these actions in the first place.

Of course, not all employees set out to cause damage intentionally. For example, there have been incidents ranging from an employee mistakenly sending confidential company information to a newspaper prior to the company going public, to a stock broker incorrectly entering the value of a trade and inadvertently buying millions in stocks which had to be sold off at a massive loss. There is also the case of the Norwegian National Security Authority finding trade secrets and security information in Facebook profiles of some of their employees, just to name a few (Albrechtsen, 2008). These examples were found to have resulted from poor user behaviour or insufficient awareness on the part of the offending employees.

There are other scenarios where the employees have been tricked into security breaches. In fact, Mitnick and Simon (2002) identify a number of these scenarios, such as the use of social engineering to attack information systems, in which hackers use social techniques to manipulate people into performing the actions they desire. Similarly, phishing attacks, which are also based on tricking people into performing unethical or even illegal actions, are widely used.

Then, there are those employees who will intentionally and maliciously seek to prevent the achievement of our earlier stated information security objectives of confidentiality, integrity and availability of information by actions such as abuse of rights and privileges, unauthorised access, sabotage or theft (Albrechtsen, 2008).

The fact is that employees pose a serious threat by providing various vulnerabilities to effective information security management whether they are negligent, ignorant, tricked or act deliberately.

As seen by the different types of scenarios described above, it is clear that human behaviour in relation to information security is not predictable. As such, I believe all employees have to be treated with equal suspicion and that proper mechanisms must be put in place to prevent information security breaches by all employees. These mechanisms must include both physical and functional measures and cannot be dependent totally on technology, as a one dimensional approach will produce bad results (Sklet, 2006).

2.2.5 Insiders And Their Threats

As shown in the previous section of our literature review, humans play an integral role in the operation of organisations. In the context of our work, the focus will be on people we call Trusted Insiders. Firstly, I think the term should be clearly understood by everyone to fully understand the subject area being researched. Burke and Christiansen (2009) define insiders as people with authorised and legitimate access to the organisation’s resources such as the corporate networks, applications, and data. They believe insiders include but are not necessarily restricted to regular employees, company executives, board members, managers, IT staff, consultants, outsourcers, contractors, and even business partners.

According to Cornelissen (2009), an insider is not only determined by system specific characteristics, but also by the organization’s standards and policies. There are a number of key characteristics that distinguish insiders from outsiders. These key characteristics include:

1. Trust: Insiders are normally persons trusted by the organisation and its stakeholders. These trusted persons are usually employees, but could also be contractors and consultants, temporary helpers and even personnel from third party business partners that have a formal or informal business relationship with the organization (Schultz, 2002). The difference from an outsider is the fact that insiders can be trusted because they are assumed to be part of the organization’s culture and are assumed to pursue goals that are in the interest of the organization.

2. Access: Insiders typically have legitimate access to organisational resources. In this instance, it is important to note that there is a distinction to be made between having legitimate access and having authorised access (Brackney and Anderson, 2004). For example, a cleaning attendant may have been provided with legitimate access to offices, but not authorised to capture or even read information that may reside in these offices. Having legitimate access to a resource can result in physical access or network access or even both being available to a person, which could lead to unauthorised access.

3. Knowledge and skills: Insiders are normally in the privileged position where they have knowledge of information, systems and services used in organizations (Wood, 2000). This knowledge can extend to valuable information that is stored within information systems and procedures and security measures that have been taken to protect the information from CIA breaches. Because of the fact that insiders have this type of knowledge, it is more difficult for breaches to be detected if insiders violate policies as skilled insiders have the ability to cover their tracks.

There are of course different types of insiders with different motives, types of misuse they perpetrate and the threat levels and vulnerabilities they expose the organisation to. Differences among users may involve physical presence and logical presence in that there may be logical insiders who operate from outside the organisation. Therefore, the person viewed as an insider really depends on what the user is trusted to be able to do, what privileges are required, and what data or programs are being referenced using a particular level of user access, privileges and user authentication (Neumann, 2010).

Neumann also points out that in addition to the different types of insiders, there are also a variety of types of insider misuse. One of the classifications used to differentiate the types of misuse involves user intent, that is, whether the misuse is intentional or a case of accidental misuse. Even among intentional misuse, there is a wide range of possibilities ranging from outright malice to just an action to cause annoyance or embarrassment.

2.2.5.1 The Insider Threat

It is quite common to hear or read about security breaches involving outsiders because these types of attacks are usually highly publicised. However, Schultz (2002) reasons that insider threats pose a significantly greater level of risk. Schultz (2002) also highlights the fact that some literature uses the terms Insider threat and Insider attack interchangeably. The fact however is that they are 2 different terms and our thesis work treats them as such.

An insider attack can be defined as an actual act of misuse performed by an insider. The attack is the actual sequence of events or actions that result in an information security breach. Attacks can be successful or unsuccessful. Of course, the objective of research work similar to what is being carried out in this thesis is to ensure that insider attacks are unsuccessful.

The insider threat, on the other hand, is the potential for an insider to perform an attack. Insiders can either intentionally or unintentionally exploit vulnerabilities to initiate an attack (Bishop, 2005). These vulnerabilities can be defined as flaws or weaknesses in system security procedures, design, implementation or internal controls that could be exercised and result in a security breach or a violation of the system’s security policy (Schultz, 2002).

Therefore based on these definitions, I will frame my thesis work by saying that it will seek to highlight the potential of trusted insiders such as employees, contractors, office helpers, consultants and even third party companies to exploit vulnerabilities and what the organisation can do to prevent or mitigate these threats.

Schultz (2002) also highlights that malicious insider attacks can be predicted by a number of potential indicators such as:

• Deliberate markers where an attacker leaves an intentional marker to send a message or make an association.

• Meaningful errors where an attacker makes a mistake in the process of perpetrating an attack. These mistakes could lead to actions being logged and tracked back to the attacker. Of course, some attackers will attempt to clear all the evidence of an attack from log files where possible.

• Correlated usage patterns where consistent patterns can be found on different systems that may point to an individual.

• Personality traits which are indicators linked to the psychological personality of attackers.

Schultz’s argument is supported by Capelli et al. (2009) who suggest that personality factors, especially those related to stress and frustration, can be used in predicting insider attacks. The argument is further solidified with revelations that more than 50% of the cases involving sabotage were caused by insiders who acted out of revenge for some negative event such as termination, transfers or demotions, or issues with remuneration.
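Two of the indicators Schultz (2002) lists, meaningful errors and correlated usage patterns, together with the log clearing mentioned under meaningful errors, can be checked mechanically against audit records from several systems. The following is an added example, not taken from the thesis or the cited authors; the log format, field names, action names and the 07:00-19:00 working day are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not real data).
# Fields: timestamp, system, account, workstation, action, outcome
SAMPLE_LOG = """\
2013-03-04T09:12:00 hr-app   jsmith   WS-014 read_record  ok
2013-03-04T22:41:10 reg-db   svc_rpt  WS-027 export_table denied
2013-03-04T22:41:55 reg-db   svc_rpt  WS-027 export_tabel error
2013-03-04T22:43:02 reg-db   dbadmin2 WS-027 export_table ok
2013-03-04T22:47:30 file-srv mbrown   WS-027 copy_share   ok
2013-03-04T22:52:18 reg-db   dbadmin2 WS-027 clear_log    ok
2013-03-05T10:05:00 file-srv mbrown   WS-031 copy_share   ok
"""

FIELDS = ("time", "system", "account", "workstation", "action", "outcome")
FAILURE_OUTCOMES = {"denied", "error"}
LOG_CLEARING_ACTIONS = {"clear_log"}   # assumed action name in this sample


def parse_log(text):
    """Turn whitespace-separated audit lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        event = dict(zip(FIELDS, parts))
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    return events


def is_off_hours(ts, start=7, end=19):
    """Assumed working day of 07:00-19:00; anything else counts as off-hours."""
    return not (start <= ts.hour < end)


def find_indicators(events, min_systems=2, min_accounts=2):
    """Group events by workstation and report which indicators each one shows."""
    by_workstation = defaultdict(list)
    for event in events:
        by_workstation[event["workstation"]].append(event)

    report = {}
    for workstation, evs in by_workstation.items():
        indicators = {}

        # Meaningful errors: failed or mistyped actions that were still logged.
        errors = [e for e in evs if e["outcome"] in FAILURE_OUTCOMES]
        if errors:
            indicators["meaningful_errors"] = [
                (e["system"], e["account"], e["action"]) for e in errors
            ]

        # Attempts to remove evidence are themselves recorded events.
        cleared = [e for e in evs if e["action"] in LOG_CLEARING_ACTIONS]
        if cleared:
            indicators["log_clearing"] = [(e["system"], e["account"]) for e in cleared]

        # Correlated usage: one workstation, off-hours, several systems and
        # several accounts, which together may point to a single individual.
        late = [e for e in evs if is_off_hours(e["time"])]
        systems = sorted({e["system"] for e in late})
        accounts = sorted({e["account"] for e in late})
        if len(systems) >= min_systems and len(accounts) >= min_accounts:
            indicators["correlated_usage"] = {"systems": systems, "accounts": accounts}

        if indicators:
            report[workstation] = indicators
    return report


if __name__ == "__main__":
    for workstation, found in find_indicators(parse_log(SAMPLE_LOG)).items():
        print(workstation, found)
```

A hit is a prompt for review by a person, since shared workstations and legitimate night shifts produce the same pattern.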

Blackwell (2009) indicates that the aim of organisations should always be to reduce if not stop the effect of insider attacks by considering protective measures at multiple stages before, during and after the attack, which equate to attack surface reduction, hardening the target and limiting the impact zone. The defence may also attempt to reduce the motivation of the attacker by making systems and resources difficult to damage, remove, alter or use in undesirable ways. This objective will require comprehensive protection at all layers and should result in limiting the access paths and operations allowed at all layers to stop unauthorized access and resource use. In general, mitigation or defence measures can be applied on the system boundary, within the system and on the target itself to provide defence-in-depth.

Blackwell (2009) also added that most attacks are normally classified by their actions as sabotage, fraud or theft. However, some attacks are motivated by curiosity or enjoyment without a clearly defined goal to cause problems. In either of the cases, the attacks cause the undesirable breach of the fundamental information security objectives of confidentiality, integrity and availability. These problems may also be caused by accidental failure or external attack, which are allowed by internal weaknesses.

The main characteristics of the three major classes of attack are:

• Damage and sabotage: The loss of availability and integrity of the targeted resources with possible consequential effects on the ability of the organization to perform its normal business activities.

• Fraud: The interference or modification of internal financial records or making unauthorized transactions which negatively affect the organisation or its customers.

• Theft: The dislocation of logical resources such as information and physical resources such as equipment often with high impact on the organisation. The disclosure of sensitive business information often has a much higher impact than the loss of physical assets.

There are some other important terms that relate to the concept of a threat, and understanding them enhances our overall understanding of the phenomenon under study. One such concept is vulnerability. Whitman and Mattord (2003) define vulnerability as a weakness or fault in a system that exposes that system or the information in it to attack or damage. A vulnerability can range from a software flaw or an unprotected server to an unlocked door. The difference between a risk and a vulnerability is that risk can be measured in qualitative terms, for example “25% chance for an attack occurring”. Another term of importance is that of an attack. Again we use a definition from Whitman and Mattord (2003) which states that an attack is an act that can be intentional or unintentional that can cause damage or otherwise compromise information or the systems that support such information. It is important to note that the attack need not be intentional.

According to Silowash et al (2012), insider attacks have occurred across all organizational sectors, often causing significant damage to the affected organizations. These range from low profile attacks such as modifying or stealing confidential or sensitive information for personal gain to technically sophisticated crimes that sabotage the organization’s data, systems, or network, oftentimes resulting in damage to the victim organization’s reputation. An organisation that suffers damage to its reputation will almost always suffer financial losses as well. Insiders have a significant advantage over others who might want to harm an organization because they are usually aware of their organization’s policies, procedures, and technology. Some, especially the ones that are more technically inclined, may also be aware of existing vulnerabilities, such as loosely enforced policies and procedures, or technical flaws in networks or application systems that can be exploited.

2.2.6 Mitigating Against The Insider Threat

Protecting an organisation against the insider threat is a difficult process but insiders can be stopped. However, insider attacks can only be prevented through a layered defence strategy consisting of policies, procedures, and technical controls. Management must pay close attention to many aspects of the organization, including its business policies and procedures, organizational culture, and technical environment. Management must look beyond IT to the organization’s overall business processes and the interplay between those processes and any deployed technologies (Silowash et al, 2012).

Therefore, in addition to policies, there must be protective measures at multiple stages before, during and after the attack, which equate to attack surface reduction, hardening the target and limiting the impact zone. Protection at all layers will mean that systems and resources should be difficult to damage, remove, alter or use in undesirable ways. In order for the organisation to adequately protect resources from insider threats, there must be a clear understanding of where the weaknesses exist and also the users that may want to abuse these weaknesses. System activities should be monitored to detect problems and determine their causes and effects. This may enable undesirable changes to be fixed rapidly to limit the impact and pinpoint weaknesses that can be mitigated to stop similar attacks in the future (Blackwell, 2009).


Chapter 3 - Theoretical Framework

The theoretical framework of this thesis is built on literature from the research domain defining the Insider Threat Security Reference Architecture (ITSRA). It should however be articulated that the theoretical framework in this thesis work served as support to the inductively defined classifications based on the use of the theory oriented or abductive approach adopted.

The Insider Threat Security Reference Architecture (ITSRA) is a plan developed by the Software Engineering Institute under the CERT Program that provides an enterprise-wide solution to insider threats by drawing from existing best practices and standards as well as by devising actionable guidelines for organizations to adopt in order to improve their position in regards to insider threats. The ITSRA is in fact a product of the NIST Enterprise Architecture Model [EOPUS 2007, NIST 2009] and the Federal Enterprise Architecture [CIOC 2001, EOPUS 2007] (Montelibano & Moore, 2012).

The architecture consists of four security layers, namely the Business, Information, Data, and Application layers. Organizations are expected to have enforceable controls at each of these layers in order to detect and prevent attacks.

The fact is that data related to an attack can exist in a number of different places across the enterprise, and correlating all the data to make it useful is a problem. The primary goal of the Insider Threat Security Reference Architecture (ITSRA) is to provide a mechanism to correlate this type of data for information security staff without overwhelming them (Montelibano & Moore, 2012).
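The correlation problem described above can be illustrated with a short sketch, added here as an example and not taken from the thesis or from Montelibano and Moore. It groups observations from the four layers by user and raises one alert only when a user's events within a time window span several layers, so that analysts see a single correlated item instead of many isolated ones. The event fields, the seven-day window, the three-layer threshold and the sample events are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The four ITSRA security layers named in the text.
LAYERS = ("business", "information", "data", "application")

# Constructed sample events: (timestamp, user, layer, observation).
EVENTS = [
    ("2013-03-04 09:10", "user_a", "business", "resignation notice filed with HR"),
    ("2013-03-05 22:41", "user_a", "information", "VPN login outside normal hours"),
    ("2013-03-05 22:58", "user_a", "data", "bulk export of customer records"),
    ("2013-03-06 08:02", "user_b", "application", "failed login to payroll application"),
    ("2013-03-20 14:30", "user_b", "data", "opened a shared spreadsheet"),
]


def correlate(events, window=timedelta(days=7), min_layers=3):
    """Return {user: alert} for users whose events inside one sliding
    window touch at least `min_layers` distinct layers."""
    by_user = defaultdict(list)
    for ts, user, layer, what in events:
        if layer not in LAYERS:
            raise ValueError(f"unknown layer: {layer!r}")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        by_user[user].append((when, layer, what))

    alerts = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological order
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans no more than `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            layers = sorted({layer for _, layer, _ in in_window})
            if len(layers) >= min_layers:
                alerts[user] = {
                    "layers": layers,
                    "first": in_window[0][0],
                    "last": in_window[-1][0],
                    "events": [what for _, _, what in in_window],
                }
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(EVENTS).items():
        print(user, alert["layers"], alert["events"])
```

With the sample data only `user_a` is reported, because `user_b`'s two events are fourteen days apart and touch only two layers.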


3.1 The Components of The ITSRA

The ITSRA consists of four distinct layers as highlighted above and shown in Figure 3 below. The first layer, the Business Security layer, contains high-level business requirements, such as an organization’s mission, and also involves the creation of policies, procedures, and other guidance that determines the level of security to be implemented in other layers.

Layer 2, or the Information Security layer, describes the organization’s information infrastructure including the network and associated components such as routers, switches, and servers. This layer also contains the operating systems and software required to manage the infrastructure.

Layer 3 or the Data Security layer involves information assets considered to be owned exclusively by the organisation such as documents, spreadsheets, or databases.

The final layer, called the Application Security layer, addresses the development of software that contributes to the organisation’s mission by ensuring that policies defined at the Business Security layer are enforced.


Figure 3: Insider Threat Security Reference Architecture (Montelibano & Moore, 2012).

The one constant is that Security Controls exist at all four levels. Even though there is a wide body of research and products designed to assist organisations to implement good security measures to mitigate risks, most organisations still have problems integrating the different aspects into one comprehensive strategy, and that is the gap that the ITSRA seeks to fill (Montelibano & Moore, 2012).

The fundamental principle defining the ITSRA is that it consists of four security layers, namely the Business, Information, Data and Application layers. The importance of this is that organizations must set up and enforce controls at each layer to successfully mitigate insider threats. An equally important component defined in the ITSRA for mitigating insider threats is that organisations must employ the three security principles of authorized access, acceptable use and continuous monitoring in order to be successful in mitigating insider attacks (Montelibano & Moore, 2012).

One of the tenets of the ITSRA is that there are numerous opportunities on a time continuum to detect and prevent an attack from the time an insider decides to attack to the point at which damage is done. In the worst case scenario the organisation should be at
