search menu icon-carat-right cmu-wordmark

Top 10 Insider Threat Posts

Greg Shannon
• SEI Blog
Greg Shannon

For two consecutive years, organizations reported that insider crimes caused comparable damage (34 percent) to external attacks (31 percent), according to a recent cybercrime report co-sponsored by the CERT Division at the Carnegie Mellon University Software Engineering Institute. Despite this near parity, media reports of attacks often focus on external attacks and their aftermath, yet an attack can be equally or even more devastating when carried out from within an organization. Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Researchers at the CERT Insider Threat Center define insider threat as actions by an individual who meets the following criteria:

  • a current or former employee, contractor, or business partner who has or has had authorized access to an organization's network, system, or data
  • and intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems.

Insider threats are influenced by a combination of technical, behavioral, and organizational issues that organizations must address through policies, procedures, and technologies. Insider threats are influenced by a combination of technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies. Researchers at the The CERT Insider Threat Center provides analysis and solutions to organizations through partnerships with the U.S. Department of Defense, the U.S. Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community. This blog post, the second in a series, introduces the CERT Insider Threat Center blog, which highlights the latest research and security solutions to help organizations protect against insider threat.

Before we take a deeper dive into the most visited insider threat posts of the last six months, let's take a look at the top 10 posts (as measured by number of visits) on both CERT blogs (CERT/CC and Insider Threat):

The most visited posts on the CERT/CC blog center around a critical area of research: SSL Certificates as a core foundation of trust transmissions on the Internet along with certificates. These posts explore weaknesses in those trust relationships as implemented in mobile platforms and also highlight tools that have been created at CERT to explore those vulnerabilities. Before we take a deeper dive into SSL Certificates, let's take a look at the top 10 posts (as measured by number of visits) on the CERT blogs:

headlinenumber one

number 2

number 3

fourth most popular post

fifth most popular post

sixth most popular post

seventh most popular post

eighth most popular post

ninth most popular post

tenth most popular post

Although some of these posts are several years old, their continued popularity demonstrates the ongoing relevance of work by researchers at the CERT Insider Threat Center.

Insider Threat Statistics

During presentations, assessments, or while instructing courses, our researchers are often asked about the state of insider threat. "Just how bad is it?" is a question often heard. Capturing accurate data on insider threat proves difficult, however, as organizations are often loathe to report incidents and risk negative press or damage to standing. These repeated requests became the catalyst for the post Interesting Insider Threat Statistics which has been the most popular post on the CERT Insider threat blog in the six months ending in March 2015. This blog post presents statistics as well as the cost that organizations encounter as a result of an insider threat incident.

Here is an excerpt from the post:

According to the 2010 CyberSecurity Watch Survey, sponsored by CSO Magazine, the United States Secret Service (USSS), CERT, and Deloitte, the mean monetary value of losses due to cybercrime was $394,700 among the organizations that experienced a security event. Note that this figure accounts for all types of security incidents, including both insiders and outsiders. What is especially concerning is that 67 percent of respondents stated that insider breaches are more costly than outsider breaches.

This dollar figure does not fully account for the damages caused by insiders, though. For instance, activities such as website defacement and exposure of private email correspondence may not involve expensive remediation, but they would still cause a great deal of harm to the victim organization. How valuable is your reputation? How much does your website represent you? If you are an e-commerce company that assures its customers that they will have secure transactions, imagine the damage to your business if your website gets compromised.

Another common question we often receive is, "How many insider attacks take place annually?" This is a much more difficult question to answer. Consider that in the same survey, among 523 respondents, 51% of those who experienced a security incident also experienced an insider attack. The problem with approximating a total number of insider attacks is that, in our experience, a large number of these attacks go unreported. In fact, according to the survey, "the public may not be aware of the number of incidents because almost three-quarters (72%), on average, of the insider incidents are handled internally without legal action or the involvement of law enforcement." There are a variety of reasons why companies choose not to report insider cases; in particular, lack of evidence to prosecute, damage levels that were insufficient to warrant prosecution, inability to identify the perpetrator, and fear of public embarrassment. However, even this does not tell the full story. Based on our research and collaboration with other industry leaders, we believe that most insider crimes go unreported not because they are handled internally, but because they are never discovered in the first place.

The complete post Interesting Insider Threat Statistics can be read here.

Insider Threat and Physical Security of Organizations

In our database of incidents involving malicious insider activity--these include crimes of IT sabotage, theft of intellectual property, and fraud--about 8 percent involve physical security issues.

Physical access to an organization's secure areas, equipment, or materials containing sensitive data may make it easier for a malicious insider to commit a crime. Therefore, an organization's physical security controls are often just as important as its technical security controls. The post Insider Threat and Physical Security of Organizations provides some case studies of physical security issues as well as some physical security controls.

Here is an excerpt from the post:

In our case repository of incidents of malicious insider activity, including crimes of IT sabotage, theft of intellectual property, and fraud, about 8 percent involve physical security issues of concern. The case summaries below outline a few of these cases that we've analyzed.

For more than a year, a contract janitor stole customer account and personally identifiable information from hard-copy documents at a major U.S. bank. The janitor and two co-conspirators used this information to steal the identities of more than 250 people. They were able to open credit cards and then submit online change-of-address requests so the victims would not receive bank statements or other notifications of fraudulent activity. The insiders drained customers' accounts, and the loss to the organization exceeded $200,000.

A contract programmer tricked a janitor into unlocking another employee's office after hours. He switched the door's name plate and requested that the janitor let him into "his" office. The programmer, who had already obtained employment with a competitor, was able to download sensitive source code onto removable media.

A hospital security guard accessed and stole personally identifiable information regarding the organization's patients. The guard and three co-conspirators opened fraudulent cell phone plans and credit card accounts. As part of the scheme, they changed the account addresses of the victims so the bills would never reach the account owners. After being caught, the insider was ordered to pay $18,000 for the crime.

A communications director showed an expired ID badge to a security guard to gain unauthorized access to a data backup facility. Once inside, the director unplugged security cameras and stole backup tapes containing records for up to 80,000 employees.

A contract security guard used a key to obtain physical access to a hospital's heating, ventilating, and air conditioning (HVAC) computer and another workstation. The guard used password-cracking software to obtain access and install malicious software on the machines. The incident could have affected temperature-sensitive patients, drugs, and supplies.

An insider stole an organization's trade-secret drawings that were marked for destruction and sold them to a competing organization. The victim organization estimated its losses at $100 million. The competing organization that received the stolen documents was forced to declare bankruptcy after a lawsuit.

We have also observed the following physical security issues in the case data:

  • Infiltration/exfiltration of physical property: activities such as bringing removable media in and out of a facility
  • Improper termination of an employee's physical access or access badge
  • Unauthorized access to facility: employees entering facilities during unusual hours or unauthorized employees walking through an open door behind an authorized employee (known as "piggybacking")
  • Generally poor physical security: general issues such as insufficient guard oversight or insufficient separation of duties for physical access controls
  • Employee used an unauthorized workstation: employees who are able to physically enter another employee's office/workspace and access their workstation
  • Breaking and entering/physical destruction: employees breaking into secure spaces or stealing physical equipment
  • Janitorial staff issues: janitorial staff who steal sensitive information or are socially engineered into violating physical security
  • Improper disposal or destruction of organization information

The complete post Insider Threat and Physical Security of Organizations can be read here.

Theft of Intellectual Property and Tips for Prevention

One of the most damaging ways an insider can compromise an organization is by stealing its intellectual property (IP). An organization cannot underestimate the value of its secrets, product plans, and customer lists. In the publication An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases, CERT Insider Threat researchers took a critical look at the technical aspects of cases in which insiders stole IP from their organization. Insiders commit these crimes for various reasons, such as to benefit another entity, to gain a competitive business advantage, to start a competing organization or firm, or to gain personal financial benefit. By understanding the specific technical methods that insiders use to steal information, organizations can consider gaps in their network implementation and can identify ways to improve controls that protect their IP.

Technical discussions of IP theft are helpful for operational staff to understand how insiders can compromise their organization. Additionally, organizations should always attempt to better understand the human behavioral elements of insider crimes. The report A Preliminary Model of Insider Theft of Intellectual Property details two preliminary models of behavior associated with insider theft of IP. The third most visited post on the CERT Insider Threat blog Theft of Intellectual Property and Tips for Prevention presents highlights of the research in both reports.

Here is an excerpt from the post:

Our study indicated that the most common method of physical exfiltration of data was removable media. Prior to 2005, the most common removable medium was writable CD. However, recent incidents indicate that removable USB mass storage devices like thumb drives and external hard disks are now more popular. USB devices have a much greater storage capacity than CDs, which makes it easier for insider to move their entire desired data set at once.

What can organizations do about these problems? First, they can always consider the role of best practices and established standards in defending against insider attacks. Insider attacks frequently exploit policies or controls that are covered in accepted best practices for IT system security. Second, organizations should always consider more than just the technical aspects of the crime. In a recent report Deriving Candidate Technical Controls and Indicators of Insider Attack from Socio-Technical Models and Data, we examined the importance of creating technical indicators for behavioral actions so that we can gain a more complete understanding of how to defend against insider crimes. Organizations should pay specific attention to these technical vulnerabilities while they attempt to understand what controls are practical to put in place for removable media in the organization. If removable media is necessary to keep operations moving, an organization may want to establish technical measures to limit which machines allow use of removable media, take an inventory of authorized media, and implement some measure of physical security to prevent removal or introduction of new uninventoried devices from the facility. When considering network security, organizations should attempt to identify suspicious email communications (particularly with attachments) to direct competitors, foreign governments, or other illegitimate recipients of corporate mail. Organizations should consider using a log aggregation and indexing tool to look for patterns in behavior that might warrant further investigation. This is especially true during major organizational events that may cause stress among employees, such as mergers, downsizing, acquisitions, or reorganizations. These events could possibly influence employee behavior in a negative way, and a heightened awareness of security might be necessary.

The complete post Theft of Intellectual Property and Tips for Prevention can be read here.

Theft of Intellectual Property by Insiders

The CERT insider threat database was started in 2001 and contains insider threat cases that can be categorized into one of four groupings:

  • fraud
  • sabotage
  • theft of intellectual property
  • miscellaneous

The post Theft of Intellectual Property by Insiders presents cases in our database that involve the theft of IP. As of the date of this post (December 18, 2013), 103 insider threat cases in the database included the theft of IP. (All statistics are reported as a percentage of the cases that had relevant information available.)

Here is an excerpt from the post:

Insider theft of IP occurred most frequently in the information technology (35 percent of cases), banking and finance (13 percent), and chemical (12 percent) industry sectors. (The industry sector was known in 101 of the 103 cases.)

Industry Chart Sector

The majority of insider IP theft incidents occurred onsite. (The attack location was known in 78 of the 103 cases.)

Trusted business partners accounted for over 17 percent of attackers and former employees accounted for 21 percent. (Employment status was known in 100 of the 103 cases.)

Over 30 percent of insider theft of IP cases were detected by non-technical means, while fewer than 6% cases were detected by a software solution.

The financial impact of these attacks is substantial. The impact was over $1,000,000 USD in 48 percent of cases and over $100,000 in 71 percent of insider theft of IP cases. (Financial impact was known in 35 of the 103 cases.)

For additional information and more in-depth analysis of the insider threat cases involving the theft of IP with foreign beneficiaries, please see our report Spotlight On: Insider Theft of Intellectual Property Inside the United States Involving Foreign Governments or Organizations.

In addition to the theft of intellectual property, the CERT Insider Threat Center has conducted studies of other insider threat cases, including insider fraud in the U.S. financial services sector and potential patterns of insider threat cases involving sabotage.

The complete post Theft of Intellectual Property by Insiders can be read here.

Looking Ahead: Helping Organizations Establish an Insider Threat Program

This has been an important year for the insider threat blog in terms of keeping our stakeholders informed and helping them protect themselves against ever-present cyber threats. Now that we have looked at the top posts, I would like to make you aware of a new series that was recently launched on the Insider Threat blog.

Earlier this year, researchers at the CERT Insider Threat Center launched a series of blog posts aimed at helping organizations establish an insider threat program. This series is intended to help organizations affected by Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, to establish a program for deterring, detecting, and mitigating insider threats. This executive order affects organizations that work within the U.S. federal government and that operate or access classified computer networks.

The first post by Randy Trzeciak, technical manager of the Insider Threat Center, was published early in March 2015 and outlines planned posts for the series.

Here is an excerpt from that post:

Because of a number of high-profile incidents that have significantly impacted organizations recently (e.g., sabotage, theft of information, fraud, national-security espionage), many organizations across government, industry, and academia have recognized the need to build an insider threat program (InTP) to protect their critical assets. Over the course of the next few months, we will be discussing the following topics as part of our blog series:

  1. Introduction to the CERT Insider Threat Center
  2. Components of an Insider Threat Program
  3. Requirements for a Formal Program
  4. Organization-Wide Participation
  5. Oversight of Program Compliance and Effectiveness
  6. Integration with Enterprise Risk Management
  7. Prevention, Detection, and Response Infrastructure
  8. Insider Threat Training and Awareness
  9. Confidential Reporting Procedures and Mechanisms
  10. Insider Threat Practices Related to Trusted Business Partners
  11. Data Collection and Analysis Tools, Techniques, and Practices
  12. Insider Incident Response Plan
  13. Communication of Insider Threat Events
  14. Policies, Procedures, and Practices to Support the Insider Threat Program
  15. Protection of Employee Civil Liberties and Privacy Rights
  16. Defining the Insider Threat Framework
  17. Developing an Implementation Plan
  18. Conclusion and Resources

In this series we will describe the key elements of an effective insider threat program. We will begin by examining the need to build a program.

The complete post, InTP Series: Establishing an Insider Threat Program (Part 1 of 18), can be read here.

As always, we welcome your ideas for future posts and your feedback on those already published. Please leave feedback in the comments section below.

Additional Resources:

For more information about the CERT Insider Threat Center, please visit

To view the CERT Insider Threat Blog, please visit

About the Author