Insiders are employees, board members, and other internal team members who have legitimate access to information and/or information technology. Insiders have traditionally been the source of most corporate information security breaches and the most expensive breaches. Current cases and statistics are presented to demonstrate that this is still accurate. The concepts of insider and the threat of insider security breach are examined from the perspective of scope, definition, and the complexity of access, knowledge of controls and authorized use of systems. Common characteristics of insiders are discussed, along with cases that demonstrate the rise of the threat potential as these characteristics change. Consideration of current trends and future technology indicates that insider threat to information systems will likely continue to grow.
Insiders can be defined as:
"Employees, board members, and other internal team members who have legitimate access to information and/or information technology." [1]
Key to this definition is the possession by these actors of "legitimate access to information and/or information technology".
Most employees are in a good position to possess the combination of skills, knowledge, resources, authority and motive that Donn Parker [2] points out as characteristics of the class of actor that poses the greatest potential threats to information systems. This would seem to lead to a simple threat classification of "insider" or "outsider". As Parker also points out "these stereotypes are much too simplistic in this age of worldwide computer networks, contract employees, and mergers and acquisitions that continually change the face of our business partners". [3]
The insider threat to information systems derives from abuse of legitimate access. Not all employees can be considered insiders, though most employees will be; not all insiders are employees, though most insiders will be. Insiders are those persons who have some amount of legitimate access to information and/or information technology. This wide definition of insider brings into sharp focus some of the complex operational issues facing security and systems managers today. In the past, legitimate access to information systems was almost always restricted to employees. New working environments (like the "home-worker"), new access methods (such as the web), and new computing models (like client-server and distributed computing) act together to force a wider definition.
Published incidents of abuse of information systems can be found in early writings on computer crime. In the early 1970s, Whiteside [6] tells of a 'trusted' employee who used a scheme based on truncation (rather than rounding; so-called salami slicing) to skim millions of dollars by stealing a fraction of a cent at a time (the case of "Zwana"). These attacks were in the main successful, partly because of their unique nature and difficulty of detection, but also because prior to the late 1970s there were no computer crime laws. "The courts had to apply the laws of the physical world to the digital computer world". [7] Thus thefts such as "Zwana" went unpunished when courts were forced to find the defendant "not guilty" on the grounds that there had not been the theft of "an article or thing" (a fraction of a cent was not held in law to be a thing and therefore could not be stolen). [8]
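The truncation trick is easier to see in code than in prose. The following is an added example, not from Whiteside's account or the original paper: it credits one month of interest to a constructed set of balances (the balances, the 5.25% annual rate and the skim account A-9999 are all assumptions), once honestly and once the way the salami scheme works, and then runs the control an auditor would want: an independent recomputation of every posting, which flags both the sub-cent shortfalls and the posting to an account that earns no interest.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.0525")   # assumed rate, not from the case
SKIM_ACCOUNT = "A-9999"           # hypothetical account the insider controls

# Constructed sample ledger of interest-bearing balances (not real data).
ACCOUNTS = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("87.10"),
    "A-1003": Decimal("5000.00"),
    "A-1004": Decimal("412.99"),
    "A-1005": Decimal("3.33"),
}


def monthly_interest_exact(balance):
    """One month of simple interest carried at full precision."""
    return balance * ANNUAL_RATE / 12


def post_interest_honest(accounts):
    """Legitimate run: each account is credited its interest rounded to the cent."""
    return {
        acct: monthly_interest_exact(bal).quantize(CENT, rounding=ROUND_HALF_UP)
        for acct, bal in accounts.items()
    }


def post_interest_salami(accounts):
    """Insider's run: truncate instead of round, and sweep every sub-cent
    residual into SKIM_ACCOUNT. No single customer loses more than a cent."""
    postings = {}
    residual = Decimal("0")
    for acct, bal in accounts.items():
        exact = monthly_interest_exact(bal)
        truncated = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = truncated
        residual += exact - truncated
    postings[SKIM_ACCOUNT] = residual.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def reconcile(accounts, postings):
    """Control: recompute every posting independently. A posting to an account
    with no interest-bearing balance, or one that differs from the exact accrual
    by more than half a cent (the most honest rounding can move it), is an
    exception. Returns a list of (account, posted, reason)."""
    exceptions = []
    for acct, posted in postings.items():
        if acct not in accounts:
            exceptions.append((acct, posted, "no interest-bearing balance"))
            continue
        exact = monthly_interest_exact(accounts[acct])
        if abs(posted - exact) > Decimal("0.005"):
            exceptions.append((acct, posted, f"expected {exact}"))
    return exceptions


if __name__ == "__main__":
    print("honest run exceptions:", reconcile(ACCOUNTS, post_interest_honest(ACCOUNTS)))
    print("salami run exceptions:", reconcile(ACCOUNTS, post_interest_salami(ACCOUNTS)))
```

With only five accounts the sweep yields a single cent, which is the point of the scheme: each posting looks innocuous and the money only becomes visible in aggregate, so the control has to be a full recomputation rather than a batch total with a generous tolerance.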
"The largest (known) computer crime in the world occurred in Los Angeles in 1973 and resulted in the destruction of the Equity Funding and Insurance Company, with losses of two billion dollars. The government convicted twenty-two top executives, including two from the firm that audited the company, and sent them off to prison." [9]
Modern examples of attacks (successful or otherwise) by insiders abound. In the largest fraud case ever investigated by the IRS (the "Equity 2" case), the top executive of one of America's large food retailers, a man previously applauded as an entrepreneurial genius, pleaded guilty to skimming $17 million in sales to avoid paying $6.7 million in taxes. [10] It is asserted that insider activities remain the most common source of intentional disruption to computer systems [11] and "employees are the greatest threat to any computer system". [12]
Of the types of "hackers" identified by the FBI Computer Crime Squad "insiders are the real corporate threat. These often self-motivated hackers are the most dangerous of hackers." "Because of the nature of insider corporate computer crime, these incidents usually go unreported and represent the least number of referrals to law enforcement". [13]
The role of insider (versus outsider) is not as clear as it once was. "The distinction of inside versus outside is blurring quickly in these times of downsizing, contract employees and freelancers". [14]
Insiders will not necessarily lose their special knowledge of internal controls when they switch roles from "insider" to "outsider". These persons may remain a threat to the information system for some time. The distinction becomes even cloudier when some access to information systems remains, without all of the formal controls applied to other employees. An example would be an employee whose role changes to that of a consultant in a contract position while they still perform much the same work (as is becoming more common with retiree "double dipping", for example).
Even when there should be no further system access (for example, in the case of a former employee), persons and sometimes processes within the system may perceive them as still being insiders. These outsiders could gain many of the advantages of insider access (such as physical access without keys, insiders discussing controls with them, or even allowing them to "borrow" systems access). While their formal classification remains that of an outsider (because their access is not legitimate) access from such persons has all of the appearance of legitimate insider access (and few of the controls).
Employees may be working in a physically remote setting, and communicate with corporate information systems using the same communication channels as outsiders. In such cases, the same set of controls might apply to both "insiders" and "outsiders". In other instances, employees may have little or no access to information systems as part of their employment. One special case of note is the staff of a janitorial/custodial company, who, while they may have little or no access to the information systems of their own employer, may have special access to someone else's while bypassing many traditional "outsider" controls. (For more information, see the threat of maintenance worker.) [15]
Special knowledge of internal controls provides the insider with the ability to avoid security controls in place to deter unauthorized access (such as passwords, directory access controls, user groups, knowledge required for operations, knowledge of business process, etc.).
As an employee rises in the corporate hierarchy, the degree of control placed on the user in fact may diminish, even as access may be increasing. "In some cases, (insiders) perform only authorized actions - as far as the information systems have been told. They are typically trusted and those in control often trust them to the point where placing internal controls against their attacks are considered offensive." [17] In one reported case, the bypassing of controls became a status symbol. Not wearing an identification badge was considered indicative of "management". An outsider exploited this. He moved in and took over an empty office. He actually spent several months 'working' as an insider, charging to company accounts and using corporate resources, before the abuse was uncovered. When finally discovered, the company was so embarrassed that they simply let the man walk out. [18]
In order to be effective, proper human relations and personnel management controls should be synchronized with audit controls and information system controls. Otherwise, insiders may move on, either through the hierarchy to different units or outside of the system entirely, leaving special authorizations and access ("holes") to be exploited at a later date (by themselves or others). Controls also need to be consistently applied across the organization and their usage monitored.
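One way to keep the personnel side and the access-control side synchronized, given here as an added example that is not from the paper: a joiner-mover-leaver reconciliation that compares a directory export against the HR roster and reports the "holes" described above. The roster, the department entitlement model and the accounts are constructed for the example; a real run would read them from the HR system and the directory.

```python
# Constructed HR roster keyed by employee id (assumption: not from the paper).
HR_ROSTER = {
    "E100": {"status": "active", "dept": "finance"},
    "E101": {"status": "active", "dept": "it"},        # transferred out of finance
    "E102": {"status": "terminated", "dept": "finance"},
    "E103": {"status": "active", "dept": "sales"},
}

# Groups each department's staff are entitled to (assumed entitlement model).
DEPT_ENTITLEMENTS = {
    "finance": {"ledger-ro", "ledger-rw"},
    "it": {"sysadmin", "ledger-ro"},
    "sales": {"crm"},
}

# Constructed directory export: enabled accounts with owner and group memberships.
ACCOUNTS = [
    {"account": "jsmith", "owner": "E100", "groups": {"ledger-ro", "ledger-rw"}},
    {"account": "akumar", "owner": "E101", "groups": {"sysadmin", "ledger-ro", "ledger-rw"}},
    {"account": "bjones", "owner": "E102", "groups": {"ledger-rw"}},
    {"account": "svc-backup", "owner": None, "groups": {"sysadmin"}},
    {"account": "cchen", "owner": "E103", "groups": {"crm"}},
]


def reconcile_access(roster, entitlements, accounts):
    """Compare each enabled account against the HR record of its owner.

    Returns a list of (account, reason, groups) findings for:
      - accounts with no HR owner (orphaned or unowned service accounts),
      - accounts whose owner has left (leaver not de-provisioned),
      - accounts holding groups outside the owner's current department
        (mover who kept old entitlements)."""
    findings = []
    for acct in accounts:
        owner = acct["owner"]
        if owner is None or owner not in roster:
            findings.append((acct["account"], "no HR owner", sorted(acct["groups"])))
            continue
        person = roster[owner]
        if person["status"] != "active":
            findings.append((acct["account"], f"owner {owner} is {person['status']}",
                             sorted(acct["groups"])))
            continue
        excess = acct["groups"] - entitlements.get(person["dept"], set())
        if excess:
            findings.append((acct["account"],
                             f"groups outside {person['dept']} entitlement",
                             sorted(excess)))
    return findings


if __name__ == "__main__":
    for account, reason, groups in reconcile_access(HR_ROSTER, DEPT_ENTITLEMENTS, ACCOUNTS):
        print(f"{account}: {reason} {groups}")
```

The three findings are exactly the cases the paragraph warns about: a terminated owner whose account is still enabled, a transferred employee who kept a finance write group, and an account with no owner at all, which nobody will think to revoke when its creator leaves.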
While insiders have authorized access to internal systems, the issue of when authorized use becomes unauthorized use may not be clear. Company policy, convention and law govern the access and use of systems by authorized insiders.
Company policy governing the acceptable or authorized use of systems is a formal process, involving a combination of written policy and procedure, non-disclosure agreements, technology and computer use contracts and other employer-employee contract agreements. Non-compliance penalties would typically result in loss of employment or other employment sanctions, or criminal or civil prosecution. (Ideally, sanctions would be defined within the policies.)
Convention refers to the common use of information systems within the corporation. For example, if no formal policy exists regarding the personal use of corporate email systems, and workers have traditionally used email for personal use, then the employer could be considered as having sanctioned such use despite not having stated a policy on the matter.
Criminal and/or military law would apply when the actions of an authorized user come into conflict with the law. One problem concerns the circumstances under which an initially authorized access may become unauthorized or may otherwise turn into a criminal action. "In most countries, [new computer laws] only deal with the initial unauthorized access, thus criminalizing only the acts of outsiders; other countries also proscribe unauthorized use or presence in systems, thus also criminalizing use of 'time theft' by both outsiders and employees". [19]
Criminal law does not clearly apply to a person with authorized system access who may be using the system for unauthorized but legal purposes. Employers may view surfing the web or sending personal email as a 'theft of resources', while the law may not. Most observers would consider the scope of the 'theft of resources' to be a significant factor in determining the extent of criminal prosecution, but this is not guaranteed within the law. A consideration might be the amount of financial loss to the company during the unauthorized use. This could be significant if the service is sold on a timeshare basis (such as Internet connection time by an Internet Service Provider) or trivial otherwise. In the latter case losses would be limited to issues like the cost of the power used, for example. Some states such as California have enacted legislation to attempt to protect employees from criminal charges for 'trivial' misuse of systems while still retaining the ability to prosecute more serious employee abuses. [20]
Insiders, because they are employees, share many common characteristics (to varying degrees). Examples include access to corporate information systems, knowledge of business operations and procedures, operational skills, knowledge of existing controls, responsibility within the business environment, access to resources, and a common corporate culture. The degree to which employees share these characteristics is often not directly related to the level of the person within the corporate hierarchy or to the scope of their function within the organization. The degree to which these characteristics can be exploited can be considered as a component of the total "insider threat potential" of a position, or individual.
Access to corporate information systems does not simply mean the ability to "log on". Users of information systems can be considered as direct (interaction with the system) or indirect (using reports and output from the system) or both. For example, some employees are direct users of the corporate payroll system (entering data, modifying code, etc.) while virtually all employees can be considered as indirect users of the payroll system (as they provide input documents, are issued reports such as pay stubs etc.). Either type of access can be (and has been) abused.
Access (for criminal purpose) can also be examined from the perspective of the system as 'target' or 'tool'. The information system is the target of the attack when, for example, information located on the system is changed. The system is a tool when it is used to move drug money or distribute child pornography. The level of access required to commit a 'computer crime' may range from the technical ability to bypass complex systems controls (in target crimes) to merely having a few minutes alone at a workstation (in tool crimes).
Programmers and data professionals (and some other persons with highly specialized system knowledge or authority such as computer operators) are often (simplistically) considered as having the highest threat potential, usually because they have a high level of direct system access (to data elements, definitions and internal system components for example). However, such persons are usually subject to significant management and administrative controls to mitigate this potential. [21] In addition, the traditional data processing employee may lack the broad perspective required to understand the implications of their work, the nature of the external controls in place and the implications and interactions of one specific system with another. These positions tend to have broad understanding of systems internals but have a shallow understanding of the environment in which the system functions. Management actively encourages this (or should). "Segregation of duties is an important control in limiting the operational knowledge of persons with high levels of system access." [22]
Executives and other managers are usually responsible for major monetary transactions and other significant operational events as part of their job roles, and may be given special systems access to view and modify data beyond that of the more typical user. In addition, executive and management users are expected to have a keen understanding of the business environment as part of their job role. As such, their threat potential is greater.
An increased risk may also exist when a manager or other executive is given additional access because of their hierarchical position, rather than any displayed need for increased data/systems access. Equally, an increased risk may exist when persons without executive status have operational capabilities on systems used by executives. [23]
In the case of using the computer as a tool to further some other crime (such as child pornography or harassment), risk is increased when general access controls are not enabled (such as login passwords) and/or when the system is connected to outside networks (such as the Internet). A classic example may be a 'public access' terminal at a local library, connected to the Internet. Any user of such a system could be considered to be an insider, since they have (albeit temporarily) legitimate systems access. Such system users have insider access, but relatively few controls, especially in terms of any transaction audit trail.
Persons who build systems (usually programmers) are not likely to see flaws that are the indirect result of design decisions. Systems analysts and systems designers are more likely to perceive such flaws and may need to be considered as having higher insider threat potential. They have been more directly involved with the environment in which the system is expected to operate, and will have studied the interactions of the system and its environment during the analysis phase of the system life cycle. They may also continue to study the systems interaction with its environment during the operational phase and may be the first to be notified (by the user community) of operational security issues.
Crossover employees (for example a data processing person who switches careers into another operational unit) are also potentially more dangerous in that they have expertise in internal systems operations and the opportunity to see and use the system within its operational environment. [24]
No specialized system knowledge need be available to the operator of an information system; knowledge of typical business operations and procedures can be enough to provide a window of opportunity for exploitation of a system. For example [25], a pharmacist in a small Northwest Florida community thought he had the perfect fraud system: his drug store and lots of customers covered by insurance and Medicaid. As a patient presented a prescription, the pharmacist recorded the transaction on a computer. Using custom software, the pharmacist typed in the information and the computer printed out the label for the bottle, an invoice, and often an electronic claim for payment. He filled the prescription and the computer "dialed up" the coverage provider and posted the claim. The problem was that the payment system had no built-in check to determine whether the claim had been previously filed. The pharmacist took advantage of this vulnerability by changing the dates and re-submitting claims for prescriptions already paid by the Florida Medicaid system. In this case, the pharmacist needed no special knowledge to "trick" the system; he merely took advantage of a missing internal control.
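The missing control is a duplicate check that keys on the prescription itself rather than on a date the submitter can change. The following is an added example, not from the case file or the original paper: two adjudication rules run over a constructed claim stream (the claims, patient and prescription identifiers are made up), the weak rule that only catches byte-for-byte resubmissions, and a stronger one that keeps the last paid fill per prescription and rejects any re-bill that arrives before a refill is due. The 75% early-refill threshold is an assumption for the example, not a Medicaid rule.

```python
from datetime import date, timedelta

# Assumed early-refill rule: a refill is not due until 75% of the previous
# days' supply has elapsed. The figure is an assumption for this example.
EARLY_REFILL_FRACTION = 0.75

# Constructed claim stream in submission order (not real claims). C2 is the
# first fill submitted again with only the service date changed; C3 is a
# genuine refill a month later; C5 is C4 submitted again unchanged.
CLAIMS = [
    {"claim_id": "C1", "patient": "P77", "rx": "RX5501", "ndc": "00000-1111-22",
     "days_supply": 30, "service_date": date(1998, 3, 2), "amount": 48.50},
    {"claim_id": "C2", "patient": "P77", "rx": "RX5501", "ndc": "00000-1111-22",
     "days_supply": 30, "service_date": date(1998, 3, 9), "amount": 48.50},
    {"claim_id": "C3", "patient": "P77", "rx": "RX5501", "ndc": "00000-1111-22",
     "days_supply": 30, "service_date": date(1998, 4, 1), "amount": 48.50},
    {"claim_id": "C4", "patient": "P12", "rx": "RX6100", "ndc": "00000-3333-44",
     "days_supply": 10, "service_date": date(1998, 3, 5), "amount": 12.00},
    {"claim_id": "C5", "patient": "P12", "rx": "RX6100", "ndc": "00000-3333-44",
     "days_supply": 10, "service_date": date(1998, 3, 5), "amount": 12.00},
]


def adjudicate_exact_match(claims):
    """Weak control: reject only a claim identical on patient, rx and date.
    Changing the date, as the pharmacist did, defeats it."""
    seen, decisions = set(), {}
    for c in claims:
        key = (c["patient"], c["rx"], c["service_date"])
        if key in seen:
            decisions[c["claim_id"]] = "rejected: exact duplicate"
        else:
            seen.add(key)
            decisions[c["claim_id"]] = "paid"
    return decisions


def adjudicate_with_refill_window(claims, fraction=EARLY_REFILL_FRACTION):
    """Stronger control: key on the prescription itself, remember the last
    paid fill, and reject any re-bill that arrives before the refill is due."""
    last_paid, decisions = {}, {}
    for c in claims:
        key = (c["patient"], c["rx"], c["ndc"])
        prev = last_paid.get(key)
        if prev is not None:
            due = prev["service_date"] + timedelta(days=int(prev["days_supply"] * fraction))
            if c["service_date"] < due:
                decisions[c["claim_id"]] = (
                    f"rejected: refill of {c['rx']} not due before {due.isoformat()}")
                continue
        last_paid[key] = c
        decisions[c["claim_id"]] = "paid"
    return decisions


if __name__ == "__main__":
    print("exact-match rule:  ", adjudicate_exact_match(CLAIMS))
    print("refill-window rule:", adjudicate_with_refill_window(CLAIMS))
```

Under the exact-match rule the date-shifted claim C2 is paid a second time; under the refill-window rule it is rejected while the legitimate refill C3 still goes through, which is the distinction a payer's adjudication logic has to make.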
Skills that are required by an insider to perform their operational function can be abused for gain. For example [26], the owner of AlterNIC, a Washington State-based commercial registration service for Internet domain names, has admitted that on two occasions in July 1997 he unleashed software on the Internet that interrupted service for tens of thousands of Internet users worldwide. By exploiting a software weakness, he hijacked Internet users attempting to reach the Web site for InterNIC, his chief commercial competitor, to his AlterNIC Web site. In this case, it was not just insider access that allowed the attack, but the understanding of operational details of the Internet exploited by specialized operational skills. These are the same details and specialized skills required by the owner to operate his business successfully (and legally).
Controls such as check digits, hash totals, transaction numbers, etc. are often applied to procedures involving financial transactions. Such controls are typically designed to be subject to audit, and usually become known by those persons performing the procedure. Non-technical insiders who are in a position to observe the operation of controls and determine shortfalls can exploit control weakness. For example [27], a timekeeping clerk noticed that, although the data entered into the company's timekeeping and payroll system included both the number and name of the employee, the payroll system only used the employee number to process overtime payments for paychecks. By substituting her employee number during data entry for the number of the employee who actually worked the overtime, the clerk was able to gain credit for the hours worked on other employees' claims. The employee simply exploited her knowledge of the controls within the payroll system for personal gain.
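The payroll weakness beside the input controls that would catch it, as an added example that is not from the paper or the case: a Luhn check digit on the employee number, batch control totals of the kind a supervisor computes from the source timecards, and a number-to-name cross-check against the employee master. The master, the timecards, the overtime rate and the clerk's number 3004 are all constructed. The point the example makes is which control actually works: the check digit and the hours total both pass, because the clerk keyed a valid number and the right hours; only the hash total prepared independently and the name cross-check expose the substitution.

```python
# Constructed employee master keyed by employee number (the numbers carry a
# Luhn check digit). 3004 is the timekeeping clerk. None of this is real data.
EMPLOYEE_MASTER = {"1008": "Ann Lee", "2006": "Bo Diaz", "3004": "Cy Park"}
OVERTIME_RATE = 30.0   # assumed hourly overtime rate

# Overtime claims as written on the source timecards: (emp_no, name, hours).
SOURCE_TIMECARDS = [("1008", "Ann Lee", 5.0), ("2006", "Bo Diaz", 3.5)]
# The same batch as keyed by the clerk, with her own number on Ann Lee's claim.
KEYED_ENTRIES = [("3004", "Ann Lee", 5.0), ("2006", "Bo Diaz", 3.5)]


def luhn_ok(number):
    """Check-digit test: catches keying errors such as 1008 -> 1080,
    but a substituted number that is itself valid passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def batch_totals(entries):
    """Control totals that can be computed from the source documents by someone
    other than the person keying the batch, then compared after entry."""
    return {
        "records": len(entries),
        "hours": sum(h for _, _, h in entries),
        "emp_no_hash": sum(int(n) for n, _, _ in entries),
    }


def pay_overtime_by_number_only(entries, rate=OVERTIME_RATE):
    """The behaviour in the case: pay is keyed on the number alone;
    the name is captured but never checked."""
    pay = {}
    for emp_no, _name, hours in entries:
        pay[emp_no] = pay.get(emp_no, 0.0) + hours * rate
    return pay


def validate_entries(entries, master):
    """Hardened input control: each keyed record must carry a valid number
    that exists in the master and whose name agrees with the master.
    Returns a list of (emp_no, reason) exceptions."""
    findings = []
    for emp_no, name, _hours in entries:
        if not luhn_ok(emp_no):
            findings.append((emp_no, "check digit failure"))
        elif emp_no not in master:
            findings.append((emp_no, "not in employee master"))
        elif master[emp_no] != name:
            findings.append((emp_no, f"name {name!r} does not match master {master[emp_no]!r}"))
    return findings


if __name__ == "__main__":
    src, keyed = batch_totals(SOURCE_TIMECARDS), batch_totals(KEYED_ENTRIES)
    print("hours total agrees:", src["hours"] == keyed["hours"])
    print("hash total agrees: ", src["emp_no_hash"] == keyed["emp_no_hash"])
    print("paid by number only:", pay_overtime_by_number_only(KEYED_ENTRIES))
    print("exceptions:", validate_entries(KEYED_ENTRIES, EMPLOYEE_MASTER))
```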
Controls may not be equally applied to all members of a business community. Persons in more senior positions may be exempt from controls altogether or subject to controls that may not be in accordance with the potential level of employee abuse. Aspects of the "Equity 2" case [28] demonstrate that responsibility of position is not an assurance of a low threat potential. In another example [29], on 1998-02-17 a former chief computer network program designer from Delaware was arraigned for allegedly unleashing a $10 million programming "bomb" 20 days after his dismissal. The bomb deleted all the design and production programs of a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy. While this case may also be considered as sabotage, the devastating effects of the logic bomb were at least in part due to the senior level of responsibility of the alleged perpetrator and were made possible because of the insider position held at the time.
"The most costly sources of insider attack seem to be executives". [30] In the "Equity 2" case (see [10] for details) the president of a major corporation was able to steal over 17 million dollars. The theft was made possible because of software dubbed "Equity" which a programmer developed, maintained, and enhanced at the direction of the store's owner to facilitate the alteration of the store's books.
In another case [31], a detective providing loss prevention services was investigating suspicions from the head office of a food chain over larger than normal "shrinkage" (unexplained inventory losses) at a local outlet. The detective noticed that one of the cash register checkouts (lane 7) was seldom used, except when the store was very busy. The detective checked with the central office and discovered that the company had only installed 6 checkout lanes at that particular store. Investigation revealed that the manager had built the lane for himself. All sales that passed through that till were never reported; the till was not connected to the central company information system. The necessary renovations and work to accomplish the theft were obtained by using the resources available in his position as store manager.
Corporate cultures have characteristics that can be classified as 'open' or 'closed'. Examples of 'open' characteristics include fewer controls on dress, hours of work, etc. 'Closed' corporate cultures may have more rigid standards such as the wearing of nametags, expected levels of dress, more rigid office hours, etc. Most corporations will display characteristics from both cultures. These characteristics can be exploited to affect the insider threat potential. For example, a person working at a terminal in jeans and a tee shirt late at night may be accepted or challenged depending on the culture of the organization. On the other hand, in some cultures, a person wearing a suit with a nametag and carrying a clipboard may be automatically accepted as an insider.
The corporate culture is also important in making existing controls effective. "The best way to prevent authorized users from becoming security risks is providing a work environment that induces loyalty and compliance with policies. As job security, promotion and salary increases are reduced, this is increasingly difficult to do". [32] In addition, trends of increased work (more with less), continual re-investments in hardware and software, continual re-learning and constant change have caused increased staff stress.
The methods used by insiders to gain advantage are as varied as the systems in which the insiders work. Almost every attack form can be used; almost any control can be bypassed. Insiders can (and do) use techniques from many threat types (such as hackers, crackers, and criminals, to name a few).
To the Army general, strategy may be to win the battle by taking the town. The general is setting a direction; a high level plan that leaves many of the details of implementation to others. To the captain in the field this is translated to one of a series of related tactics, with other groups, to capture high ground, while to the individual soldier the operation is to climb (and fight) up a particular hill. Each of these viewpoints is different; each viewpoint can provide a differing perspective on the insider threat.
The strategically orientated insider threat can be perceived as "the big picture". Here we could classify the executive level threat, based on their knowledge of target system interactions coupled with traditionally weaker controls on executives and their use of resources (such as [10] the "Equity 2" case). While there may be only a single large transaction involved, such incidents often result in large dollar loss and are usually unique to the particular situation.
The tactical level insider threat may be considered as a middle management approach, perhaps involving collusion to avoid existing controls or to take advantage of a lack of coordinated controls. For example [33] in 1998, charges were filed against four men in California who manipulated computer chips in 140 Mapco Oil gas pumps at 12 different stations. The modified chips controlled pumps to dispense less fuel than meters showed. Over $1 million was skimmed before the insiders were caught. Such tactical level attacks are usually capable of being repeated, with minor modification, by others in similar situations. "I would be amazed if it's not happening at gas pumps in other states" said Los Angeles County District Attorney Gil Garcetti.
The operational level insider threat can be viewed as an exploitation of weakness or lack of control in a single process or work role. This would appear to be the most common, and perhaps the least expensive type of insider threat (on a per instance basis). An individual who becomes aware of a weakness uses that weakness for gain, usually in a repetitive fashion based on the process cycle (such as "salami slicing" [see [6]] or the shifting of data on employee time cards [see [12]]). Another interesting case [34] is a meat plant shipper, who noticed that the shipping system in the plant tracked all boxes of frozen chicken parts by box size and nominal weight (for example, fifty 20-pound boxes of breast). The shipper arranged for new boxes to be made, each marked as 20 pounds, but each actually holding 25 pounds when filled. This allowed the shipper to pack out an additional 25% of "free" meat to selected customers, from whom he later received a cash payment. Total losses were estimated at over $1 million. The theft went on for many years because all inventory controls were followed, and constantly checked and audited; it was only uncovered when an angry customer turned in the shipper (for having an affair with the customer's wife).
Motives for any crime are difficult to determine in advance (of an act), and probably are as varied as the character of the people committing the act. "Psychologists and criminologists warn that it is nearly impossible to create a taxonomy of motives because any such taxonomy would be too complex, and would change continually." [35]
Cases can be found to support all of the traditional criminal motives of love, hate, and greed. Electronic stalking, harassment, revenge, sabotage, theft and many other crimes committed on or through computer systems can usually be traced (in hindsight) to these human frailties.
There are, however, motivations that are relatively unique to computer system attackers. "Cyber criminals often distinguish between the unacceptable practice of doing harm to people and the impersonal acts of doing harm to, or through, computers." [36] "Criminological research has identified a variation of the Robin Hood syndrome: criminals tend to differentiate between doing harm to individual people, which they regard as highly immoral, and doing harm to a corporation, which they can more easily rationalize. Computer systems facilitate these kinds of crimes, as a computer does not show emotion when it is attacked." [37]
Insiders are able to rationalize their illegitimate or illegal information systems activities easier since there are no direct victims. They are not confronted with staff members and friends traumatized by their actions (as may be the case in an armed robbery, for example). The victim has no face. The victim has no feelings. It becomes easier to rationalize that any received benefit of the act (for the perpetrator by attaining their goal of money, revenge or satisfaction) will compensate for the harm that may be done.
Of the traditional motives, greed is arguably the most significant trigger of 'computer crime'. According to folklore, Willie Sutton, the famous bank robber, when asked, "Why do you rob banks?" responded with "Because that's where the money is". In our world of electronic transaction and digital debit, corporate information systems now represent "where the money is". "Virtually every white collar crime has a computer or telecommunications link" says Carlton Fitzpatrick, Branch Manager of the Federal Law Enforcement Training Center's Financial Fraud Institute. [38]
Many of the traditional controls applied to insider access have been either migrated from physical systems (and are proving ineffective or inappropriate for the digital domain) or are becoming better understood and easier to bypass as the degree of expertise available to system users rises. The skills and knowledge required to bypass complex system controls are rapidly becoming available to the layperson; tools and techniques are widely distributed through hacker web sites and discussion groups readily available on the Internet.
Corporations are continually required to re-invest in information systems technology at both the capital and operational level and this in turn is causing continual pressure on information systems professionals to re-tool themselves to new hardware and software standards for both business operations and for security. Workplace pressures will no doubt continue to set the priority on reactive business operations over proactive security concerns. Maintaining an adequate systems security environment is becoming increasingly more important, and increasingly more difficult to do (as the list of threat types and attack methods increases in number, style and complexity).
The business community remains reluctant to report incidents of computer misuse. In 1994, the United Nations stated that "based on reports of its member countries (it is) estimated that only 5% of computer crime was reported to law enforcement". [39] United States and Canadian practitioners are more likely to report incidents. Perhaps the most striking result of the 1999 CSI/FBI survey is the dramatic increase in the number of respondents reporting serious incidents to law enforcement: 32% of respondents did so, a significant increase over the three prior years, in which only 17% had reported such events to the authorities. [40]
However, with electronic commerce becoming an increasing force in western society, businesses are likely to continue to refrain from publicly reporting abuse that could potentially exacerbate consumer fears about the financial safety of the process (or the value of the company stock).
Even if reported, the risks associated with computer crime incidents are lower than in traditional crime areas. Courts and law enforcement are widely admitted to be lagging in computer crime areas. A 1998 survey of 531 Canadian police organizations, likely to investigate computer crime incidents because of size and/or mandate, reported that "overall their responses paint a bleak picture of inadequate training and resources, slightly tempered with a few success stories". [41] American law enforcement officials echo much the same thoughts, because "crime involving high technology is going to go off the boards" predicts FBI special agent William Tafoya. "It won't be long before the bad guys outstrip our ability to keep up with them". [42]
The insider threat remains a significant issue for information systems security.
The responses of 520 security practitioners to the 1999 CSI Survey indicated a dramatic increase in reported security breaches in 1999. While the growth (and increased awareness) of threats to information systems by outsiders, over the Internet for example, is real, about half of reported breaches are cited as internal. CSI reported that unauthorized access by insiders rose for the third straight year; 55% of respondents reported incidents. Most breaches involve money, with an estimated $100 billion in quantifiable losses reported. Insider abuse of Internet access privileges (for example, downloading pornography or pirated software or engaging in inappropriate use of e-mail systems) was reported by 97%. [43]
The rise of e-commerce, increased dependency on systems by corporations and individuals, increased literacy among many users of information systems coupled with large numbers of neophyte users, easy availability of control bypass tools such as password crackers, over-worked and over-extended systems resources, and weak response capability by law enforcement are just a few of the current trends that will no doubt continue to drive computer security concerns.
Emerging technologies such as integrated voice processing, multimedia, IP telephone services (to name a few) will continue to provide new opportunities for abuse by their users. Attempts to shore up defenses against insider abuse will lead to more sophisticated security applications (like biometrics) which will no doubt mean more sophisticated breaches.
"Corporations and government agencies that want to survive in the 'Information Age' simply have to dedicate more resources to staffing and training of information security professionals. Furthermore, information security professionals who want to succeed have to increase their own level of technical acumen in order to face the challenges ahead." [44]
[1] Cohen, Frederick. "Insider Threat", The All.net Security Database.
[2] Parker, Donn B. "Fighting Computer Crime: A New Framework for Protecting Information". New York: J. Wiley, c1998.
[4] Jacquard, Joseph Marie, 1752 -- 1834. Silk-weaver, born in Lyon, France. His invention (1801--8) of the Jacquard loom, controlled by punched cards, enabled an ordinary workman to produce the most beautiful patterns in a style previously accomplished only with patience, skill, and labor. But though Napoleon rewarded him with a small pension and the Légion d'honneur, the silk weavers were long opposed to his machine. At his death his machine was in almost universal use, and his punched card system was adopted in the 20th century as a control and data input system for many office machines and early digital computers.
[5] International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 20
[6] Whiteside, Thomas. "Computer Capers: Tales of Electronic Thievery, Embezzlement, and Fraud", 1st ed. New York: Crowell, c1978.
[7] Pipkin, Donald L. "Halting the Hacker: A Practical Guide to Computer Security". New Jersey: Prentice Hall, c1997. p. 8
[9] "The largest (known) computer crime in the world occurred in Los Angeles in 1973 and resulted in the destruction of the Equity Funding and Insurance Company, with losses of two billion dollars. The company's management tried to make Equity Funding the fastest growing and largest company in the industry. Unfortunately, they attempted to gain that position by engaging in virtually every type of known business fraud. In the course of their downward spiral into crime, management created 64,000 fake people in their computer systems and insured them with policies that they then sold off to reinsurers. The government convicted twenty-two top executives, including two from the firm that audited the company, and sent them off to prison." Parker, p. 65
[10] "Equity 2" http://www.ustreas.gov/irs/ci/articles/cis.htm In the largest computer fraud case investigated by the IRS, the fraud was committed with a computer--and the computer, in turn, convicted the criminals.
The top executive of one of America's large food retailers, a man previously applauded as an entrepreneurial genius, pleaded guilty to skimming $17 million in sales to avoid paying $6.7 million in taxes.
What led to the successful conviction of the retailer and other conspirators in this investigation was the discovery of computer software dubbed "Equity" which a programmer developed, maintained, and enhanced at the direction of the store's owner to facilitate the alteration of the store's books and records.
The computer software was programmed to adjust for skimming of the store's profits--allowing all accounts, including bank deposits, to be adjusted within seconds. By permanently altering the books and records to reflect the post-skim sales and bank deposit figures, it not only reduced total sales figures, but reduced sales on an item-by-item basis. The original data was destroyed forever, and the reduced sales data was recorded on the journals from which the tax returns were prepared. The program was designed to leave no trace that it had ever been run; and it was modified numerous times from 1982 to 1991 to accommodate the changing environment at the store.
Through the gathering of evidence and testimony and the interpretation of the seized computer evidence, the formidable CID team was able to determine how the computer program worked and, using the seized computers, was able to operate the program. The CIS would have been capable at trial, if necessary, to demonstrate to the jury exactly how the reduction of sales and deposits was done.
The convicted founder and owner of this retail business was sentenced to four years and four months in prison for his role in using an elaborate computer program to defraud the IRS in the collection of taxes. He was also ordered to pay approximately $15 million in additional taxes owed to the IRS, penalties, and interest. The store's executive vice president was sentenced to three years and five months in prison, and the chief financial officer was sentenced to one year and six months in prison.
[11] Cohen, Frederick B. "Protection and Security on the Information SuperHighway". New York: Wiley, c1995. Chapter 3, p. 13
[12] Icove, David J., Karl Seger, and William VonStorch. "Computer Crime: A Crimefighter's Handbook", 1st ed. Sebastopol, CA: O'Reilly & Associates, 1995. p. 118
[13] Kevin Fu; Crime and Law in Cyberspace - DOJ/FBI Training Session; 1996 as reported in Nandonews at nando.net
[15] Cohen/Insider Threat ibid.
[16] Cohen/Insider Threat ibid.
[17] Cohen/Insider Threat ibid.
[19] International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 100.
[20] International Review; ibid. Paragraphs 100-101
[21] see Cohen; "Protection and security on the information SuperHighway" chapter 3.
[23] For example, spoofing e-mail on a company intranet or gaining access to file server data is much easier if you already have access to that part of the intranet (especially when firewall technology is in place) or are already storing data on a common file server.
[25] from http://www.ustreas.gov/irs/ci/articles/cis.htm A pharmacist in a small Northwest Florida community thought he had the perfect fraud system--his drug store and lots of customers covered by insurance and Medicaid.
As a patient presented a prescription, the pharmacist recorded the transaction on a computer. Using custom software, the pharmacist typed in the information and the computer printed out the label for the bottle, an invoice, and often an electronic claim for payment. He filled the prescription and the computer "dialed up" the coverage provider and posted the claim. The problem was that the payment system didn't have built in checks to determine whether the claim had been previously filed. The pharmacist decided to take advantage of this vulnerability by changing the dates and re-submitting claims for prescriptions already paid by the Florida Medicaid system.
While the investigation was ongoing, we could not seize the pharmacy's computers. The prescription records were needed to meet patients' requirements for medicine. Therefore, a CIS was called upon to make an exact copy of the computer's hard drive for analysis and evidentiary use.
An extensive history file, showing over one year's claims, generated a report of the total Medicaid claims. The total matched the amount shown by the Florida Medicaid system, to the penny. A separate report showed the patient profile and prescriptions picked up from the pharmacy. As expected, the patient profile represented actual prescriptions, while the Medicaid listing was the total of all claims filed, actual and fraudulent.
Why was this important? Because, at trial, the pharmacist claimed he did not make the claims. He believed that someone else made a backup of the computer's data, took that copy offsite, and made over $1.5 million in fraudulent claims, all without his knowledge.
After the reports of the claims taken from the pharmacy computer were explained and introduced into evidence, the software's author was called. He testified as to the inner workings of the software, how the claims were recorded in the computer's files, and testified that: (a) the claims shown on the pharmacy computer were exactly the same as the total claims shown on the state's system, and (b) since it would not be possible to edit the pharmacy computer files to make them equal, it is not reasonably possible for someone to have transmitted the claims from anywhere else.
The computer evidence in this case performed two major roles: It tied the amount of the false claims from the pharmacy to the state; and it tied the false claims to the pharmacy computer and owner. Convicted for money laundering, this pharmacist is currently serving a sentence of seven years.
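The pharmacy case above turns on two checks: the payer had no test for whether a claim had already been filed, and the examiners reconciled the pharmacy's history file against the state's total to the penny. The following is an added example, not code from the cited IRS article or from any payer or pharmacy system; it shows a duplicate-claim screen keyed on the claim's stable attributes rather than its service date (so a date change does not defeat it, while a genuine refill is not flagged), and the reconciliation of filed, duplicated and legitimate totals. The claim records, field names and amounts are constructed sample data, not a real claims schema.

```python
"""Screening a claims ledger for re-submitted prescription claims.

Added example (not from the cited IRS article). The claims below are constructed
sample data; the field names are assumptions, not any real payer's schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    rx_number: str      # prescription number printed on the label
    refill_number: int  # 0 for the original fill, then 1, 2, ... for refills
    drug_code: str
    quantity: int
    service_date: str   # ISO date as submitted on the claim
    amount_cents: int


# Constructed sample ledger: one legitimate refill (C2) and two re-submissions
# (C3 repeats C1 with a changed date; C5 repeats C4 verbatim).
SAMPLE_CLAIMS = [
    Claim("C1", "P1", "RX100", 0, "D1", 30, "1999-01-05", 4500),
    Claim("C2", "P1", "RX100", 1, "D1", 30, "1999-02-04", 4500),
    Claim("C3", "P1", "RX100", 0, "D1", 30, "1999-03-01", 4500),
    Claim("C4", "P2", "RX200", 0, "D2", 10, "1999-01-10", 1200),
    Claim("C5", "P2", "RX200", 0, "D2", 10, "1999-01-10", 1200),
]


def fingerprint(c: Claim) -> tuple:
    """Attributes that identify one dispensing event. The service date is
    deliberately excluded: altering it is how the re-submissions in the
    article got past a payer with no duplicate check. The refill number is
    included so a genuine refill of the same prescription is not flagged."""
    return (c.patient_id, c.rx_number, c.refill_number, c.drug_code, c.quantity)


def find_resubmissions(claims):
    """Return (original, duplicate) pairs. Claims are processed in date order,
    so the earliest claim for a fingerprint is treated as the original and
    every later repeat, whether or not its date was altered, is flagged."""
    first_seen = {}
    flagged = []
    for c in sorted(claims, key=lambda c: (c.service_date, c.claim_id)):
        key = fingerprint(c)
        if key in first_seen:
            flagged.append((first_seen[key], c))
        else:
            first_seen[key] = c
    return flagged


def total_cents(claims) -> int:
    return sum(c.amount_cents for c in claims)


def reconcile(claims, payer_total_cents: int) -> dict:
    """Reproduce the comparison the examiners made in the article: the history
    file total should equal the payer's figure to the penny, and the legitimate
    total is what remains after the flagged repeats are removed."""
    dups = find_resubmissions(claims)
    filed = total_cents(claims)
    duplicated = sum(d.amount_cents for _, d in dups)
    return {
        "filed_total_cents": filed,
        "matches_payer": filed == payer_total_cents,
        "duplicate_count": len(dups),
        "duplicate_cents": duplicated,
        "legitimate_cents": filed - duplicated,
    }


if __name__ == "__main__":
    for orig, dup in find_resubmissions(SAMPLE_CLAIMS):
        print(f"{dup.claim_id} repeats {orig.claim_id} "
              f"(date {orig.service_date} -> {dup.service_date})")
    # Treat the ledger's own total as the payer's figure, as in the article.
    print(reconcile(SAMPLE_CLAIMS, total_cents(SAMPLE_CLAIMS)))
```

Run on the sample ledger, the screen flags C3 (C1 with a changed date) and C5 (an exact repeat of C4) but not the refill C2, and the reconciliation separates the 5700 cents of duplicated claims from the 10200 cents of legitimate dispensings. A payer-side check of this kind belongs on the claim intake path, where it would have rejected the re-submissions rather than leaving them for a forensic examiner to find afterwards.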
[26] from http://www.usdoj.gov/criminal/cybercrime/kashpurepr.htm March 19, 1998 Federal Bureau of Investigation 212-384-2715
Eugene E. Kashpureff Pleaded Guilty to Unleashing Software on the Internet That Interrupted Service for Tens of Thousands of Internet Users Worldwide
ZACHARY W. CARTER, United States Attorney for the Eastern District of New York, and LEWIS D. SCHILIRO, Assistant Director in Charge, Federal Bureau of Investigation in New York, today announced the filing of a criminal information and guilty plea of EUGENE E. KASHPUREFF, the owner of AlterNIC, a Washington State-based commercial registration service for Internet domain names associated with Internet Web Sites. KASHPUREFF was charged with violating the federal computer fraud statute, 18 United States Code, Section 1030.
In pleading guilty, KASHPUREFF has admitted that on two occasions in July 1997, he unleashed software on the Internet that interrupted service for tens of thousands of Internet users worldwide. KASHPUREFF, a self-described "webslinger," designed a corruption of the software system that allows Internet-linked computers to communicate with each other. By exploiting a weakness in that software, KASHPUREFF hijacked Internet users attempting to reach the Web Site for InterNIC, his chief commercial competitor, to his AlterNIC Web Site, impeding those users' ability to register Web Site domain names or to review InterNIC's popular "electronic directory" for existing domain names.
Since 1993, the National Science Foundation has designated InterNIC as the exclusive registrar for all Internet domain names containing the generic abbreviations ".com" (for commercial entities), ".org" (for non-profit organizations), ".edu" (for educational institutions), ".net" (for computer networks and Internet Service Providers) and ".gov" (for government entities). InterNIC currently administers over 1.2 million domain names, and its Web Site is visited over the Internet approximately 1 million times per day. InterNIC also administers the popular "WHOIS" directory, which identifies names and addresses on the Internet.
KASHPUREFF worked to perfect this DNS corruption over a one-year period, under the name "Operation DNS Storm." As a result of KASHPUREFF's actions, between July 10 and 14, 1997, and again between July 21 and 24, 1997, thousands of Internet users throughout the world trying to reach InterNIC were involuntarily rerouted to AlterNIC's Web Site, and were impeded from registering or updating the registration of domain names.
After launching his Internet attacks, KASHPUREFF boasted to the media about the effects of his scheme, claiming that he could divert all communications destined for China, the 100 most visited Web Sites in the world, and the White House Web Site.
On September 12, 1997, a criminal complaint and warrant for KASHPUREFF's arrest were obtained. After discovering that KASHPUREFF had left the United States and was residing in Canada, the government initiated extradition proceedings with the Canadian Department of Justice. Canadian authorities arrested KASHPUREFF in Toronto where he remained in custody for almost two months while he resisted extradition to the United States. On December 24, 1997, after waiving extradition, KASHPUREFF was turned over by Canada to United States authorities and arraigned on charges in Brooklyn.
In announcing today's guilty plea, MR. CARTER expressed his appreciation to the FBI and in particular to its New York Computer Crime Squad, for its invaluable contribution to the case. MR. CARTER also thanked the Canadian Department of Justice for its assistance in the extradition proceedings brought against KASHPUREFF.
KASHPUREFF pleaded guilty today before United States District Judge Allyne Ross. He faces a maximum sentence of five years and a maximum fine of $250,000. The case was prosecuted by Assistant United States Attorneys Joel M. Cohen and Jo Ann Navickas.
[27] Icove et al. ibid. p. 49
[28] see [10] for details; the perpetrator occupied the position of President of the company
[29] see http://www.usdoj.gov/criminal/cybercrime/lloydpr.htm Former Chief Computer Network Program Designer Arraigned for Alleged $10 Million Computer "Bomb"
1998-02-17 -- Lloyd, Timothy -- Indictment -- News Release NEWARK -- A former chief computer network program designer from Delaware was arraigned this morning for allegedly unleashing a $10 million programming "bomb" 20 days after his dismissal that deleted all the design and production programs of a New Jersey-based manufacturer of high-tech measurement and control instruments used by NASA and the U.S. Navy, U.S. Attorney Faith S. Hochberg announced.
The case is believed to be one of the most expensive computer sabotage cases in U.S. Secret Service history, according to C. Danny Spriggs, special agent in charge of the U.S. Secret Service's Philadelphia Office.
Timothy Allen Lloyd, (DOB 1967-10-16), of Wilmington, a former computer network programmer for Omega Engineering Corp. ("Omega"), a Bridgeport, Gloucester County, New Jersey corporation with offices in Stamford, Connecticut, and branches around the world, was arraigned before U.S. District Judge William H. Walls.
Judge Walls scheduled Lloyd's trial for April 20, 1998 and set a $25,000 secured bond, according to Assistant U.S. Attorney V. Grady O'Malley.
A two-count Indictment, returned Jan. 28, 1998 by a Camden Federal Grand Jury, alleges that, on July 30, 1996, Lloyd intentionally caused irreparable damage to Omega's computer system by activating a "bomb" that permanently deleted all of the company's sophisticated software programs.
The sabotage occurred on or about July 30, 1996. Lloyd had been terminated from Omega on July 10, after working for the company for approximately 11 years. The Indictment also reflects that the sabotage resulted in a loss to Omega of at least $10 million in sales and contracts.
Lloyd is also charged, in Count Two of the Indictment, with transporting interstate approximately $50,000 worth of computer equipment stolen from Omega to his Delaware residence.
Lloyd faces a maximum of five years in federal prison on Count One and 10 years on Count Two. Each count carries a maximum fine from $250,000 to twice the loss or gain from the crime. If convicted, Lloyd could also be ordered to make restitution.
An Indictment is a formal charge made by a grand jury, a body of 16 to 23 citizens, Hochberg noted. Grand jury proceedings are secret, and neither persons under investigation nor their attorneys have the right to be present. A grand jury may vote an Indictment if 12 or more jurors find probable cause to believe that the defendant has committed the crime or crimes charged.
Despite Indictment, every defendant is presumed innocent, unless and until found guilty beyond a reasonable doubt following a trial at which the defendant has all of the trial rights guaranteed by the U.S. Constitution and federal law.
Under the Sentencing Guidelines, Judge Walls would, upon conviction, determine the actual sentence based upon a formula that takes into account the severity and characteristics of the offense and the defendant's criminal history, if any, Hochberg said.
Hochberg credited Special Agents of the Secret Service in Philadelphia under the direction of Spriggs, for developing the case against Lloyd.
The Government is represented by Assistant U.S. Attorney O'Malley, senior litigation counsel in the U.S. Attorney's Criminal Division in Newark.
[31] Constable R. D. Ferguson; Saskatoon, Saskatchewan Canada; as cited by the author from a personal interview in 1999
[32] Overview of IT Security Issues: Report of the ITSS Legal Issues Working Group; Justice Dept Govt. of Canada 1995.
[33] Prosecutors claim altered computer chips bilked motorists out of $1 million Los Angeles (October 8, 1998) Associated Press as quoted by Nando.net (www.nandotimes.com)
[34] Interview with Cst. R. D. Ferguson. ibid.
[37] International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 59.
[38] U.S. News and World Report. "Cops want more power to fight cyber-criminals" January 23, 1995
[39] Colloquium on Computer Crime and Other Crimes Against Information Technology: Wurzburg, Germany; 5-8 October 1992, as quoted in the International Review of Criminal Policy: United Nations Manual on the Prevention and Control of Computer-related Crime; 1994. Paragraph 27.
[40] http://www.gocsi.com/prelea990301.htm Cyber attacks rise from outside and inside corporations Dramatic increase in reports to law enforcement
SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the results of its fourth annual "Computer Crime and Security Survey." The "Computer Crime and Security Survey" is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad. The aim of this effort is to help raise the level of security awareness as well as determine the scope of computer crime in the United States.
Highlights of the "1999 Computer Crime and Security Survey" include the following: Corporations, financial institutions and government agencies face threats from outside as well as inside. System penetration by outsiders increased for the third year in a row; 30% of respondents report intrusions.
Those reporting their Internet connection as a frequent point of attack rose for the third straight year; from 37% of respondents in 1996 to 57% in 1999.
Meanwhile, unauthorized access by insiders also rose for the third straight year; 55% of respondents reported incidents.
Other types of cyber attack also rose. For example, 26% of respondents reported theft of proprietary information.
Perhaps the most striking result of the 1999 CSI/FBI survey is the dramatic increase in the number of respondents reporting serious incidents to law enforcement: 32% of respondents did so, a significant increase over the three prior years, in which only 17% had reported such events to the authorities.
For the third straight year, financial losses due to computer security breaches mounted to over $100,000,000. Although 51% of respondents acknowledge suffering financial losses from such security breaches, only 31% were able to quantify their losses. The total financial losses for the 163 organizations that could put a dollar figure on them add up to $123,779,000.
The most serious financial losses occurred through theft of proprietary information (23 respondents reported a total of $42,496,000) and financial fraud (27 respondents reported a total of $39,706,000).
Summary data for responses to all 1999 survey questions and a table displaying financial losses due to various types of security breaches reported in 1997, 1998 and 1999 accompany this press release.
Although these survey results indicate a wide range of computer security breaches, perhaps the most disturbing trend is the continued increase in attacks from outside the organization. This trend was reinforced by other survey results. For example, of those who acknowledged unauthorized use, 43% reported from one to five incidents originating outside the organization, and 37% reported from one to five incidents originating inside the organization.
Further evidence of increased system penetration from the outside can be gleaned from a series of questions on WWW sites and electronic commerce that were asked for the first time this year. Ninety-six percent of respondents have WWW sites, 30% provide electronic commerce services. Twenty percent had detected unauthorized access or misuse of their WWW sites within the last 12 months (disturbingly, 33% answered "don't know.")
Of those who reported unauthorized access or misuse, 38% reported from two to five incidents, and 26% reported 10 or more incidents. Thirty-eight percent reported that the unauthorized access or misuse came from outside. Several types of attack were specified: 98% reported vandalism, 93% reported denial of service, 27% reported financial fraud, 25% reported theft of transaction information. Only 12 of the 95 respondents who had their WWW sites attacked could quantify their financial losses. The total losses for the 12 respondents totaled $2,383,000 (an average of $198,583 in financial losses for each respondent.)
Based on responses from 521 security practitioners in U.S. corporations, government agencies, financial institutions and universities, the findings of the "1999 Computer Crime and Security Survey" confirm trends established over the last three annual surveys. It is clear that computer crime and other information security breaches pose a growing threat to U.S. economic competitiveness and the rule of law in cyberspace. It is also clear that the financial cost is tangible and alarming.
Sixty-two percent of respondents reported computer security breaches within the last twelve months.
The breaches detected by respondents include a diverse array of serious attacks, several of which rose in the number of reports from 1998 to 1999; for example, system penetration by outsiders, unauthorized access by insiders and theft of proprietary information as mentioned above.
Here are some other examples.
Denial of service attacks were reported by 32%.
Sabotage of data or networks was reported by 19%.
Financial fraud was reported by 14%.
Insider abuse of Internet access privileges (for example, downloading pornography or pirated software or engaging in inappropriate use of e-mail systems) was reported by 97%.
This increase indicates that the danger of entanglement in civil liability suits is also on the rise.
Virus contamination was reported by 90%.
Laptop theft was reported by 69%.
Patrice Rapalus, CSI director, suggests that organizations pay more attention to information security staffing and training. "It is interesting to note that while many respondents answered 'yes' to the use of sophisticated security technologies, serious breaches continue to increase. It is also significant that so many respondents answered 'don't know' to whether or not their WWW sites had been attacked. Corporations and government agencies that want to survive in the 'Information Age' simply have to dedicate more resources to staffing and training of information security professionals. Furthermore, information security professionals who want to succeed have to increase their own level of technical acumen in order to face the challenges ahead."
Michael A. Vatis, Director of the National Infrastructure Protection Center, FBI headquarters, Washington, D.C., observed that "this year's CSI/FBI study confirms the need for industry and government to work together to address the growing problem of computer intrusions and cyber crime generally. Only by sharing information about incidents, and threats, and exploited vulnerabilities can we begin to stem the rising tide of illegal activity on networks and protect our nation's critical infrastructure from destructive cyber attacks."
[41] "Investigating Computer Crime" Canadian Police Chief, May 1998.
[42] U.S. News and World Report January 23, 1995