ANGELSecureNetworks.com
 
Stopping Computer Piracy: The Insider Threat

Analyzing the Risk of Data Theft

To analyze the risk of data theft, a starting point for managers is to consider the terminal at which the legitimate user of the data is working. At that terminal, the user is given certain predefined locations to which the data can be sent. The goal in protecting the data is to be certain that the data is transferred securely to those predefined locations, and that it is not, and cannot be, transferred anywhere else.

For example, suppose we have two legitimate users, A and B. We would want A to be limited by the program running at his or her terminal as to the options available for use of the data, such as the locations to which it can be sent. Let us say that the only option is to transfer the data to B. In this case, we would want A to be able to transfer the data to B, but otherwise the data would be unreadable and not transferable.

If the data were properly encrypted, it could not be intercepted as it went from A to B.

Figure 1

Although the above configuration may superficially appear to be secure, the data may not actually be protected from technologically sophisticated insider pirates. For example, the program running at either A or B could secretly be sending a copy of the data to C1 or C2.

Figure 2

or

Figure 3



C1 and C2 are pirate applications that receive data from “hidden trap doors” installed in A and B. Hidden trap doors are fragments of secret software code installed by a trusted insider developer.

No matter how well the data is encrypted between A and B, this encryption counts for nothing if the connection between A and C1 or B and C2 is open. A manager could feel “safe” because he or she had implemented end-to-end encryption between A and B, and yet the system could still be insecure.

Here is another common scenario:

Figure 4

In this case, A and D are behind one firewall, and E and B are behind another. The data is encrypted between D and E.

A common belief is that while the data is inside the firewall, it is protected. In many cases, the data inside the firewall is not encrypted. A thief at A, D, E, or B could copy the data inside the firewall to removable media (a floppy or ZIP disk) and walk out of the building with it. Alternatively, a thief could copy the data inside the firewall, encrypt it, and send it out over a telephone line or via a wireless connection. The system administrator could easily reconfigure the firewall to let data through and then reset the firewall so that the hole would disappear.

In the financial industry, many companies use the SWIFT network as shown in the above diagram, where the SWIFT network is the link between D and E. Even though the SWIFT link is encrypted, the system as a whole is wide open and unprotected.

Some companies believe that they can deal with this problem by not allowing floppy disk drives to be installed on production machines. However, suppose a pirate uses a hidden trap door to divert a copy of the data inside the firewall to C1 or C2.

Figure 5

C1 or C2 would be some machine inside the firewall, but not the machine on which the legitimate user is working. Many firewalls have hundreds or thousands of machines inside their perimeter. The pirate would choose machines that are not easily visible to management to be C1 or C2.

For companies that do not permit floppies, a ZIP drive or similar device can easily be connected to almost any computer. In any case, it is not very difficult to take apart machines and install other interfaces. Companies sometimes put seals over computer cases to prevent them from being disassembled. But, of course, system administrators can reconfigure machines and steal the data. Moreover, a non-administrator could find some way to replace the seal. Most companies do not check seals carefully.

Here is another type of attack:

Step 1

Figure 6

In this scenario, the pirate has access to D or E or both, and is able to steal the encryption keys used to encrypt data between D and E. In Step 1, the pirate causes D or E to be brought down momentarily.

Step 2

Figure 7
 
When D reconnects, in Step 2, it connects to another machine pretending to be E: not E, but a machine C1 set up by the pirate. A copy of the data is transferred to the pirate machine, which has the stolen keys needed to decrypt the data. The pirate then drops the connection and D reconnects to E. This can all be done in a few seconds.

Step 3

Figure 8
 
In Step 3, the system is back to “normal”. The system administrators think there has been some static on the line. This attack might involve multiple insider pirates conspiring together, possibly on different sides of the connection.

Summary

In Figures 2 and 3, end-to-end encryption did not provide protection against data theft. In Figure 4, a firewall plus link encryption between D and E did not provide the necessary protection. In Figure 5, the addition of other features, such as no floppy disks, to the Figure 4 system did not provide the necessary protection.

Figures 6, 7, and 8 represent an attack in which an insider pirate or pirates transfer data right through the firewall.

Maximum security involves setting up procedures that audit for hidden trap doors such as C1 and C2 shown in Figures 2, 3, 4, and 5, and that audit network connections so that D, in Figures 6, 7, and 8, can be certain that it is actually talking to E and not to a machine controlled by a pirate. Moreover, encryption keys should be randomly generated, hidden from human sight, and changed (strobed) constantly.

Maximum security cannot be achieved with software alone, but requires an orthogonal approach. An orthogonal approach means that multiple independent lines of command are required to complete an objective. Such an approach requires the use of internal or independent auditors, and requires that the installation of the network cannot be completely conducted by its developer. Maximum security requires formal procedures involving multiple parties.

ANGEL Secure Networks™ is a system that will provide the maximum security required to thwart the attacks described above.
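As an added example (not ANGEL's own code), one way to implement the connection audit just described for D in Figures 6, 7, and 8: D pins a fingerprint of E's long-term identity key and refuses any session that cannot present it, and an audit over D's connection log flags every peer that is not E and every reconnect that follows a drop within a short window. The key bytes, timestamps and log entries are constructed samples.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Pinned SHA-256 fingerprint of E's long-term identity key. The key bytes are a
# constructed sample; in practice the pin is taken from E's certificate.
E_IDENTITY_KEY = b"E long-term public key (constructed sample)"
PINNED_E = hashlib.sha256(E_IDENTITY_KEY).hexdigest()


def fingerprint(peer_key: bytes) -> str:
    """SHA-256 hex fingerprint of the identity key a peer presents."""
    return hashlib.sha256(peer_key).hexdigest()


def verify_peer(peer_key: bytes, pinned: str = PINNED_E) -> bool:
    """D accepts a session only if the peer presents E's pinned identity key.

    A pirate machine C1 holding stolen session keys but not E's identity key
    fails this check, so the data is never sent to it."""
    return hmac.compare_digest(fingerprint(peer_key), pinned)


# Constructed connection log kept by D: (timestamp, event, peer fingerprint).
SAMPLE_LOG = [
    ("2001-03-01 09:00:00", "connect", PINNED_E),
    ("2001-03-01 09:30:12", "drop", None),
    ("2001-03-01 09:30:13", "connect", fingerprint(b"C1 pirate key (constructed)")),
    ("2001-03-01 09:30:16", "drop", None),
    ("2001-03-01 09:30:17", "connect", PINNED_E),
]


def audit(log, pinned: str = PINNED_E, burst: timedelta = timedelta(seconds=30)):
    """Return (timestamp, reason) alerts: any connect whose peer is not E, and
    any reconnect within `burst` of a drop (the 'static on the line' pattern,
    which an auditor should check rather than shrug off)."""
    alerts = []
    last_drop = None
    for ts, event, fp in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "drop":
            last_drop = t
            continue
        if not hmac.compare_digest(fp, pinned):
            alerts.append((ts, "peer is not E (fingerprint %s...)" % fp[:12]))
        if last_drop is not None and t - last_drop <= burst:
            gap = int((t - last_drop).total_seconds())
            alerts.append((ts, "reconnect %d s after a drop" % gap))
    return alerts
```

Running `audit(SAMPLE_LOG)` produces three alerts: the 09:30:13 session is flagged both for a foreign fingerprint and for reconnecting one second after a drop, and the legitimate 09:30:17 reconnect is flagged for review because of its timing alone.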



1. Here are some examples and statistics having to do with powerful, trusted insiders who have been able to commit spectacular frauds.

Trusted engineers. Wall Street Journal, April 14, 2000, "Microsoft Acknowledges Its Engineers Placed Security Flaw in Some Software."

Senior Vice President, major international bank. "Missing: One Banker and $66 Million: Trail Grows Cold as FBI Hunts for Loan Officer With a Zest for Living". The New York Times, May 3, 1998.

In general. The average organization loses about 6% of its total revenue to fraud and abuse committed by its own employees. Median losses caused by managers are four times those caused by employees. Median losses caused by executives are 16 times those of their employees. “Fraud Facts from The Association of Certified Fraud Examiners’ Report to the Nation”, The RMA Journal, March 2001, p. 21.
 





© 2001 ANGEL Secure Networks, Inc.™, All Rights Reserved


Powerful insiders are the greatest threat (1).
Data is more difficult to protect than cash because it can be stolen (by being copied) without being missed.