Note: UNDER CONSTRUCTION

Cyber-sabotage

Alternative Forms

  • IT Sabotage

  • Sabotage

Definitions

Definition 1

  •  Cyber-sabotage: complete version 1 and submit to community Slack thread for feedback.

Definition

Cyber-sabotage may designate several distinct classes of object:

  • The risk of cyber-sabotage,

  • An unsuccessful cyber-sabotage attempt,

  • A cyber-sabotage incident.

A cyber-sabotage incident is a specialized form of insider threat incident (e.g.: sabotage represented 27% of insider attacks in Randazzo et al., 2005). Its distinctive characteristics are:

Underreporting and statistics

Cyber-sabotage incidents, as insider threat incidents in general, tend to be underreported to authorities by organizations: organizations have strong incentives to limit reputational harm by avoiding publicity on the event, and the chances of obtaining reparation are low (Randazzo et al., 2005).

For these reasons, statistics should be considered from a critical perspective. The statistics provided in this article are extracted from the studies referenced in the bibliography. These studies have several limitations (geographic location, underreporting, etc.). The statistics in this article are therefore provided in parentheses with the mention “e.g.” to stress these limitations.

Personal predispositions of saboteurs

Most saboteurs had personal predispositions (Moore et al., 2008), including:

  • Serious mental health disorders.

  • Social skill difficulties and decision-making biases.

  • A history of rule violations.

Distinctive characteristics of saboteurs

  • Saboteurs tend not to share common characteristics, i.e. their gender, IT expertise, age, marital status, professional success, ethnicity, etc. are not meaningful predictors (Randazzo et al., 2005).

  • Most insiders plan their attack in advance (e.g. 81% in Randazzo et al., 2005).

  • A majority of them tend not to properly consider the potential negative consequences of their actions (e.g. 65% in Randazzo et al., 2005). Some had the sentiment that committing sabotage on a computer was less serious than causing physical damage (Randazzo et al., 2005).

  • For general insider attacks, a majority of incidents do not require technical sophistication but use simple and legitimate capabilities or exploit systemic vulnerabilities in applications or business processes (e.g.: 87% in Randazzo et al., 2005). In contrast, IT saboteurs tend to hold technical positions (e.g. 86% in Moore et al., 2008), often with high privileged accesses.

  • While most insider attacks are executed at the workplace and during normal business hours (Randazzo et al., 2005), a majority of saboteurs are former employees (e.g. 59% in Moore et al., 2008).

  • A minority of insiders were known for being difficult to manage (e.g. 15%) or untrustworthy (e.g. 4%).

Saboteurs’ motivations

  • Unmet expectations (salary, bonus, promotion, recognition, and/or personal control of IT systems) causing dissatisfaction or disgruntlement and a desire for revenge. A majority of saboteurs were perceived as disgruntled employees before the attack (e.g. 57% in Moore et al., 2008); many were motivated by revenge (e.g. 84% in Moore et al., 2008, and 23% of general insider attackers in Randazzo et al., 2005) or by a desire for respect (e.g. 15% in Randazzo et al., 2005).

  • A minority of inside attackers tend to have multiple motives (e.g. 27% in Randazzo et al., 2005), financial gain being the most prevalent motive for general inside attackers (Randazzo et al., 2005).

Behavioral precursors

For general insider attacks, the insider’s planning behavior is noticeable in a number of cases (e.g.: 31% in Randazzo et al., 2005). More specifically for IT saboteurs, behavioral incidents seem to come to the attention of supervisors or co-workers before the sabotage takes place in a high number of cases (97% in Moore et al., 2008). Such incidents comprise:

  • Conflicts with co-workers, aggressive or violent behavior, mood swings, sexual harassment.

  • Poor job performance.

  • Deception about qualifications.

  • Absence or tardiness.

  • Violations of explicit organizational policies and rules.

  • Inappropriate purchases on company accounts.

  • Violations of dress code, poor hygiene.

  • Drug abuse.

Technical precursors

Most often, technical precursors took place before the sabotage (87% in Moore et al., 2008), such as:

  • Usage of hacking tools (including password crackers),

  • Unauthorized accesses,

  • Inappropriate Internet access,

  • Setup of backdoor accounts or unauthorized (sometimes remote) accesses,

  • Failure to create backups,

  • Documentation failure.

Precipitating events and contributing factors

  • Stressful work-related negative events such as termination, dispute, transfer, demotion, or disciplinary sanction (e.g. 97% in Moore et al., 2008), reinforcing the feeling of unmet expectations (e.g. salary, bonus, promotion, recognition) (Moore et al., 2008; Randazzo et al., 2005). Paradoxically, disciplinary sanctions whose objective is to stop inadequate behaviors may become precipitating events for the saboteur.

  • Stressful private negative events (e.g. divorce or death in the family) (Moore et al., 2008).

  • Not being listened to when alerting the organization on security issues (Randazzo et al., 2005).

  • Management youth / inexperience.

Vulnerabilities

  • Insufficient access controls (93% in Moore et al., 2008).

  • Usage of coworkers’ unattended computers.

  • Ability to create accounts unknown to organization.

  • Ability to release code into production systems without verification or knowledge by the organization.

  • Insufficient disabling of electronic and physical access at termination.

  • Falling into the “trust trap”, i.e. a lack of technical and behavioral monitoring and feedback caused by a desire to create a trusting environment and a flawed perception of risk.

Consequences

Countermeasures

Building organizational resiliency against IT sabotage requires the recognition by management of the insider threat and a multi-disciplinary approach. The following countermeasures may contribute to the mitigation of IT sabotage (Moore et al., 2008):

  • Taking references and conducting background checks to detect criminal records (Randazzo et al., 2005).

  • Increasing employees’ awareness of the organization’s ability to monitor activities and of the possibility of a prosecution or civil lawsuit against the insider (such as through the use of security banners on employees’ computers) (Randazzo et al., 2005).

  • Good communication between employees and managers with regular reviews that address subjects of dissatisfaction and set realistic expectations.

  • Consistent policy enforcement making clear that employees are not above the rules.

  • Acceptable use policy

  • Clear statement of the consequences of IT sabotage

  • Cooperation between management and human resources to define clear job responsibilities

  • Employee assistance program / counseling

  • Targeted behavioral and technical monitoring within the bounds of clearly-defined policies

  • Technical monitoring (including honeypots), logging, and audits, especially irregular and unpredictable audits, to identify backdoor account creation and unauthorized accesses (Randazzo et al., 2005).

  • Privileged access management

  • Not allowing critical accesses from home (Randazzo et al., 2005)

  • A robust IAM leavers process, including revoking the access of terminated employees (Randazzo et al., 2005).

  • Traceability of software development and deployment

  • Robust remote access controls

  • Mechanisms to prevent the usage of others’ identities, including idle computer session locking (Randazzo et al., 2005).

  • Prohibition of shared accounts

  • A good understanding of the risks related to the employee's accesses and technical capabilities as part of the termination and demotion processes

  • Role-based access control for privileged employees

  • Least privilege

  • Segregation of duties (SoD) and group trading (Randazzo et al., 2005).

  • Automated provisioning to reduce orphan accounts and opportunities to create backdoor accounts.

  • A speak-up culture, encouraging employees to alert on suspicious activities (Randazzo et al., 2005). In 85% of the incidents, someone other than the insider had full or partial knowledge of the insider’s intentions, plans, and/or activities, and in 61% of the cases individuals from more than one area of the insider’s life knew something of the insider’s intentions, plans, and/or ongoing activities (Randazzo et al., 2005).

  • Monitoring by others, incl. supervisors, security personnel, etc. (Randazzo et al., 2005).
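
Several of the technical countermeasures above (revoking leavers’ access, detecting backdoor and orphan accounts, prohibiting shared accounts, provisioning only through a controlled process) can be checked by periodically reconciling the account directory against HR data. The Python below is an added example, not code from this page or from the cited studies; the HR roster, account fields and ticket references are constructed sample data.

```python
from datetime import date

# Constructed sample inputs (not from the page or the cited studies): an HR roster
# keyed by employee id, and an account inventory as exported from a directory.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob": {"status": "terminated", "left": date(2024, 3, 1)},
}

ACCOUNTS = [
    {"name": "alice", "owner": "alice", "enabled": True, "privileged": False,
     "ticket": "CHG-101", "shared": False},
    {"name": "bob-adm", "owner": "bob", "enabled": True, "privileged": True,
     "ticket": "CHG-102", "shared": False},          # leaver keeps admin access
    {"name": "svc_backup2", "owner": None, "enabled": True, "privileged": True,
     "ticket": None, "shared": False},               # candidate backdoor account
    {"name": "ops", "owner": None, "enabled": True, "privileged": True,
     "ticket": "CHG-090", "shared": True},           # shared privileged account
    {"name": "carol", "owner": "carol", "enabled": True, "privileged": False,
     "ticket": "CHG-103", "shared": False},          # owner unknown to HR
]


def audit_accounts(roster, accounts, today):
    """Reconcile enabled accounts against HR data; return (account, finding) pairs."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this check
        name, owner, ticket = acct["name"], acct["owner"], acct["ticket"]
        if acct["shared"]:
            findings.append((name, "shared account: no individual accountability"))
        if owner is None:
            findings.append((name, "orphan account: no HR owner"))
        elif owner not in roster:
            findings.append((name, "unknown owner: identity not in HR roster"))
        elif roster[owner]["status"] == "terminated" and roster[owner]["left"] <= today:
            days = (today - roster[owner]["left"]).days
            findings.append((name, f"leaver still enabled {days} days after termination"))
        if ticket is None:
            findings.append((name, "no provisioning ticket: created outside the joiner process"))
        if acct["privileged"] and (owner is None or ticket is None):
            findings.append((name, "privileged account without accountable owner or ticket"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(HR_ROSTER, ACCOUNTS, date(2024, 4, 1)):
        print(f"{account:12} {finding}")
```

Run against the constructed data, the audit clears the legitimate account and flags the leaver’s still-enabled admin account, the ownerless service account created without a ticket, the shared privileged account, and the account whose owner is unknown to HR.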

Paradigmatic Examples

Entourage and possibility of early detection:

  • 19% were perceived as disgruntled employees before the incident; concerning behavior (incl. complaining about salary, outbursts at coworkers, isolation from coworkers) was reported to the supervisor (27%) (Randazzo et al., 2005).

Distinctive characteristics of incidents:

  • In a minority of incidents (e.g. 26%), the perpetrator used someone else’s identity (Randazzo et al., 2005).

Sample Sentences

Eve was enraged when, following her cloud migration project’s failure, her manager Bob told her she would receive a disciplinary sanction for her poor performance. Filled with bitterness, she coded a time bomb to wreak havoc on the corporate IT network. At that moment she didn’t realize that this cyber-sabotage would lead her to serve a 3-year prison sentence.

Conceptual Diagram

Related Terms

Quotes

  • Keeney et al., 2005, p. 7

  • Gigg, 2002, p. 12

Bibliography

Gigg, 2002

Keeney et al., 2005

Moore et al., 2008: https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1628996151/Moore%2Bet%2Bal.%2B2008

See Also
