Insider attack
Insider Attacks are a fundamental problem with any system which relies on trusted personnel (or software agents) to access and control the system. On what basis can we safely trust those personnel or agents?
The problem of Insider Attack, or corrupt insiders, is typically and routinely overlooked by those, like governments and police services, who hold some of our most sensitive data, despite the egregious examples in our recent history of abuse at the highest levels. J Edgar Hoover is the obvious example of the ultimate corrupt insider. As head of the primary law enforcement and intelligence gathering agency in the USA for 5 decades, he single-handedly crippled attempts at investigating organised crime for most of that time in order to protect himself from Mafia blackmail in regard to his homosexuality. On the question of abuse of information, there are a number of well founded claims that he used the FBI to gather sensitive information on no less than 8 US presidents and then subsequently used the information to blackmail them into supporting him and his agenda, which is one of the reasons he stayed in post till his death in 1972, well past the official retirement age (The Secret Life of J. Edgar Hoover (1993), Anthony Summers ISBN 039–913–8005).
In the UK, Dr Chris Williams (European Centre for the Study of Policing, Open University, Milton Keynes) wrote this in a letter to the Daily Telegraph on 28 April 2004:
One problem with the proposal for a national ID Card (News, Apr 27) is the security of the information in its "clean" database.
Although police all sign the Official Secrets Act, and are well paid, well supervised and largely trustworthy, at least one policeman has been sent to prison for selling the information on the Police National Computer to the highest bidder – in this case, credit reference agencies. HM Inspectorate of Constabulary recorded their concern over this practice in 1999 and recommended measures to stop it, yet the Police Complaints Commission admitted in 2002 that "there will always be a few officers willing to risk their careers by obtaining data improperly".
So we can't trust the police to keep a sensitive database watertight. Can we trust other state institutions or outsourcing companies such as Capita? To be usable, an ID Card database has to be accessible by hundreds of thousands of people. And the security has to be permanent.
In 1938, the Gestapo took over the files of Interpol's predecessor when they entered Vienna. If we put all our data eggs in one basket, we need to be certain that a DVD with all our details on it never gets to al-Qa'eda, the IRA or the unknown evils that the future doubtless holds.
Elsewhere we learn:
The worst department is the Inland Revenue, which was forced to investigate 1,369 cases of computer misuse between 1997 and 2003. According to official figures, 1,174 of those resulted in disciplinary action.
HM Customs & Excise investigated 328 cases of computer misuse with 147 resulting in disciplinary action.
Other departments that appeared to have a problem include the Department for Work and Pensions and the Northern Ireland Office, which handles many secure and sensitive documents.
Between 1998 and 2003, the Department for Work and Pensions has recorded 23 cases of manipulation of computer systems where people have fiddled with personal records.
In the UK's National Health Service, which is currently in the process of putting every patient's records on a national database, we learn:
Up to 200,000 requests are made by investigators under false pretences to obtain health information on British patients each year. And most attempts succeed, according to the Foundation for Information Policy Research (FIPR).
If a country as security aware and highly regulated as the UK is unable to eliminate the problem of Insider Attack, it is reasonable to assume that all or most other countries are suffering similar problems.
There is no consensus on solutions to the problem.
Clearly, rigorous vetting prior to recruitment or promotion of those who will be permitted to access data would be of some help. But if the head of the organisation who is primarily concerned with such vetting is himself untrustworthy (e.g. Hoover), then the entire vetting system is rendered worthless.
Monitoring of every physical access and every keystroke is now technically feasible. But, in order to detect abuse, that access log must itself be available to people independent from the organisation holding the data and who are trusted by the wider community for different reasons.
Some advocate complete data transparency – where not only the data being held is as available to perusal as is any wiki page, but so too are the identities of all those who access or amend the data, together with their reasons for access and the subsequent use they make of the data.
Others advocate pseudonymity as a solution – where the data is available as per the data transparency model but all personal identifiers are replaced with anonymous identity keys which can only be traced back to their owners via a trusted third party Key Escrow system.
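The independent access log and the pseudonymity proposal above can be sketched together. This is an added example, not part of the original article: a hash-chained access log whose heads are copied to an independent auditor as each entry is written, with data subjects recorded under pseudonyms that only an escrow agent can trace back. The names Escrow, chain and audit, the key and the sample records are assumptions constructed for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

class Escrow:
    """Trusted third party: the only holder of the key and the pseudonym-to-person table."""
    def __init__(self, key: bytes):
        self._key, self._table = key, {}
    def pseudonym(self, person_id: str) -> str:
        p = hmac.new(self._key, person_id.encode(), hashlib.sha256).hexdigest()
        self._table[p] = person_id
        return p
    def reveal(self, pseudonym: str) -> str:
        return self._table[pseudonym]

def chain(prev_head: str, record: dict) -> str:
    """Head after appending record: SHA-256 over the previous head and the canonical record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_head + body).encode()).hexdigest()

def audit(records: list, witnessed: list) -> int:
    """Index of the first entry that disagrees with the witnessed heads, or -1 if none."""
    prev = GENESIS
    for i, head in enumerate(witnessed):
        if i >= len(records) or chain(prev, records[i]) != head:
            return i
        prev = head
    return -1 if len(records) == len(witnessed) else len(witnessed)

# Constructed sample accesses: (accessor, data subject, stated reason)
SAMPLE = [("officer-17", "subject-A", "case 0001 enquiry"),
          ("officer-22", "subject-B", "case 0002 enquiry"),
          ("officer-17", "subject-A", "case 0001 follow-up")]

def demo() -> dict:
    escrow = Escrow(b"constructed-escrow-key")  # assumption: key never leaves the escrow agent
    records, witnessed, head = [], [], GENESIS
    for accessor, subject, reason in SAMPLE:
        rec = {"accessor": accessor, "subject": escrow.pseudonym(subject), "reason": reason}
        head = chain(head, rec)
        records.append(rec)
        witnessed.append(head)  # copy sent to the independent auditor at write time
    edited = [dict(r) for r in records]
    edited[1]["reason"] = "routine check"  # entry rewritten after the fact
    return {"intact": audit(records, witnessed),
            "edited": audit(edited, witnessed),
            "truncated": audit(records[:2], witnessed),
            "linkable": records[0]["subject"] == records[2]["subject"],
            "revealed": escrow.reveal(records[1]["subject"])}

if __name__ == "__main__":
    print(demo())
```

Because the auditor recomputes every head from the records it is shown, an insider at the data holder who rewrites or drops an entry cannot make the log agree with the heads already witnessed outside the organisation.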