13 June 2007

ID Theft: The Innocent Insider...

If you were a betting person you might think that a botnet of a million machines is a greater operational risk than a "lone wolf" insider. What is the likelihood that one person will impact your business and disrupt your operations, compared with thousands of rogue computers unleashing a salvo of malicious code or denial-of-service traffic against your institution?

A botnet is a collection of compromised computers under the remote command and control of a criminal “botherder.” Most owners of the compromised computers are unknowing and unwitting victims. They have unintentionally allowed unauthorized access and use of their computers as a vehicle to facilitate other crimes, such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam and spyware. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy.

“The majority of victims are not even aware that their computer has been compromised or their personal information exploited,” said FBI Assistant Director for the Cyber Division James Finch. “An attacker gains control by infecting the computer with a virus or other malicious code and the computer continues to operate normally. Citizens can protect themselves from botnets and the associated schemes by practicing strong computer security habits to reduce the risk that your computer will be compromised.”

Yet there are individuals within your own organization who lie in wait, innocently, for the right timing and the right vulnerability to be exploited. Without knowing it, they have been operating under cover for years, and the code running on their machines is a master at evading detection. In the executive suite, the "bot" may operate in the background, under the radar of management audits and risk management control mechanisms. So how do you catch them, or at least detect their presence? Send everyone on vacation. A mandatory absence is a classic fraud-detection control for exactly this reason: a scheme that needs daily tending falls apart when its operator is away, and a machine that keeps talking to the outside world while its owner is on the beach has something else driving it.

When was the last time you had the fraud investigators training the internal auditors? When did you last use a truly independent outside advisor, investigator or consultant to assist your CISO with early detection? If you have 10,000 employees, 99.x% of them are hard-working and honest people without any hidden agenda to harm the organization or the individuals inside it. However, not everyone who would bring harm to you is stealing money or other physical assets from the warehouse. We aren't talking about a few items from the office supplies closet or a case of beer from the 7-11.

We are talking about the one employee who is unwittingly operating a node of a botnet from behind the walls of your Fortune 50 company. Do you have anyone sharing pictures or music in the executive suite without you detecting it? The same peer-to-peer traffic pattern that carries music carries bot command and control.

We define peer-to-peer, bot, and botnet below.

  • peer-to-peer - A peer-to-peer network is a network in which any node can act as both a client and a server.
  • bot - A bot is a program that performs user-centric tasks automatically, without any interaction from a user.
  • botnet - A botnet is a network of malicious bots that illegally control computing resources.

Some definitions of peer-to-peer networks require that there be no form of centralized coordination. Our definition is more relaxed, because an attacker may well be interested in hybrid architectures that mix a central rendezvous point with peer exchange. Our definition of a bot is not inherently malicious; a search-engine crawler is a bot. In the context of a botnet, however, the malicious nature of the bot is implicit. Finally, we do define a botnet to be malicious in nature.

The published case study of the Trojan.Peacomm bot (the Storm worm, which used the Overnet peer-to-peer protocol for command and control) demonstrates one implementation of peer-to-peer functionality in a botnet: each infected machine both asks its peers for instructions and answers requests from other peers, so there is no single server to block. That "lone wolf" in your organization could be your innocent administrative secretary, and they don't even know it.
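The defining property of a peer-to-peer node, that it acts as both client and server, is also what makes a P2P bot (or a file-sharing client in the executive suite) stand out in flow logs: the host talks to many distinct external addresses on high, non-standard ports, and some of those addresses come back and talk to it. The following is an added example, not code from the original post or from any Peacomm analysis. It runs a simple peer fan-out heuristic over a constructed set of flow records (the addresses, ports and timestamps are invented for illustration; the 10.0.0.0/8 prefix is assumed to be the corporate network) and flags hosts whose external peer set is large, partly inbound, and mostly on ports above 1023. A host browsing many web sites on port 80 is deliberately included and is not flagged.

```python
"""Peer fan-out heuristic for spotting P2P-style hosts in flow logs.

Added example for illustration; not from the original post. All sample
data below is constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample flow records (not real traffic), one per line:
#   epoch_seconds src_ip dst_ip proto dst_port
# 10.0.5.23 behaves like a P2P node: it contacts six external peers on high
# ports and three external peers contact it back on the same high port.
# 10.0.5.40 is ordinary client traffic to a few servers (HTTPS, SMTP).
# 10.0.5.41 browses seven different web servers on port 80 and must not
# be flagged, even though its peer count is above the threshold.
SAMPLE_FLOWS = """\
1181692800 10.0.5.23 203.0.113.10 UDP 4661
1181692801 10.0.5.23 198.51.100.7 UDP 7871
1181692803 10.0.5.23 203.0.113.99 UDP 4000
1181692805 10.0.5.23 192.0.2.14 UDP 6884
1181692807 10.0.5.23 198.51.100.200 UDP 5321
1181692809 10.0.5.23 192.0.2.77 UDP 9011
1181692811 203.0.113.10 10.0.5.23 UDP 7871
1181692812 192.0.2.150 10.0.5.23 UDP 7871
1181692814 198.51.100.33 10.0.5.23 UDP 7871
1181692800 10.0.5.40 203.0.113.50 TCP 443
1181692802 10.0.5.40 203.0.113.50 TCP 443
1181692804 10.0.5.40 192.0.2.8 TCP 443
1181692806 10.0.5.40 198.51.100.9 TCP 25
1181692801 10.0.5.41 192.0.2.21 TCP 80
1181692802 10.0.5.41 192.0.2.22 TCP 80
1181692803 10.0.5.41 192.0.2.23 TCP 80
1181692804 10.0.5.41 192.0.2.24 TCP 80
1181692805 10.0.5.41 192.0.2.25 TCP 80
1181692806 10.0.5.41 192.0.2.26 TCP 80
1181692807 10.0.5.41 192.0.2.27 TCP 80
"""


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class PeerProfile:
    out_peers: Set[str] = field(default_factory=set)  # externals this host contacted
    in_peers: Set[str] = field(default_factory=set)   # externals that contacted this host
    high_port_flows: int = 0                          # flows with destination port >= 1024
    total_flows: int = 0

    @property
    def peers(self) -> Set[str]:
        return self.out_peers | self.in_peers


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow format used by SAMPLE_FLOWS."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(int(ts), src, dst, proto.upper(), int(dport)))
    return flows


def is_internal(ip: str, internal_prefix: str = "10.") -> bool:
    # Assumption for this example: the corporate network is 10.0.0.0/8.
    return ip.startswith(internal_prefix)


def build_profiles(flows: List[Flow], internal_prefix: str = "10.") -> Dict[str, PeerProfile]:
    """Aggregate, per internal host, the external peers seen in each direction."""
    profiles: Dict[str, PeerProfile] = defaultdict(PeerProfile)
    for f in flows:
        src_int = is_internal(f.src, internal_prefix)
        dst_int = is_internal(f.dst, internal_prefix)
        if src_int and not dst_int:
            p = profiles[f.src]
            p.out_peers.add(f.dst)
        elif dst_int and not src_int:
            p = profiles[f.dst]
            p.in_peers.add(f.src)
        else:
            continue  # internal-to-internal or external-to-external: not an edge we score
        p.total_flows += 1
        if f.dport >= 1024:
            p.high_port_flows += 1
    return dict(profiles)


def flag_p2p_hosts(flows: List[Flow], min_peers: int = 5, min_inbound_peers: int = 2,
                   min_high_port_ratio: float = 0.5, internal_prefix: str = "10.") -> List[str]:
    """Return internal hosts that look like peer-to-peer nodes.

    A host is flagged only when all three hold: it has many distinct external
    peers, at least some of them initiated contact (the host is acting as a
    server), and most of its flows are on high ports rather than well-known
    service ports. Thresholds are illustrative, not tuned to any real network.
    """
    flagged = []
    for host, p in sorted(build_profiles(flows, internal_prefix).items()):
        ratio = p.high_port_flows / p.total_flows if p.total_flows else 0.0
        if (len(p.peers) >= min_peers and len(p.in_peers) >= min_inbound_peers
                and ratio >= min_high_port_ratio):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host, prof in sorted(build_profiles(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, "peers:", len(prof.peers), "inbound:", len(prof.in_peers),
              "high-port flows:", prof.high_port_flows, "/", prof.total_flows)
    print("flagged:", flag_p2p_hosts(parse_flows(SAMPLE_FLOWS)))
```

Run on the constructed sample, only 10.0.5.23 is flagged. The web-browsing host has more distinct peers than the threshold but never receives inbound connections and uses only port 80, which is why the inbound and high-port conditions are part of the rule; drop either one and ordinary browsing starts to look like a botnet. In practice the same aggregation is fed from firewall or NetFlow exports rather than an inline string, and the thresholds are set from a baseline of normal traffic for that network segment.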
