Jurassic Park
(a lesson on insider threat)
Jurassic Park was one of my favorite movies as a kid. As an adult, it is still one of my all-time favorites. I owned it on VHS (remember those?), but I never actually owned it on DVD. However, my wife recently found a copy at Target, and we sat down as a family one rainy Sunday afternoon to watch. As we were watching, the thought dawned on me for the first time that none of the tragic second half of the movie would have happened had it not been for the actions of Dennis Nedry.
Let me step back for a moment. For those who may not have seen the movie (or read the excellent book), here is a short plot summary. John Hammond, the owner/CEO of a company called InGen, created a park in which dinosaurs had been genetically engineered and brought back to life using sophisticated DNA extraction and gene sequencing techniques. Hammond wished to create an experience that was part zoo, part Disney World, where the main attraction would be a ride in which the park guests could view these dinosaurs.
Before the opening of the park, there was a serious accident (a worker was devoured by a velociraptor), and the park’s investors became concerned that the park would be unsafe for guests. As such, in an effort to put the investors’ minds at ease, Hammond brought in two of the “top minds” in paleontology to tour the park and give it their blessing. The lawyer representing the investors also brought to the park his own expert, Ian Malcolm. Malcolm, played by Jeff Goldblum, was a mathematician who specialized in Chaos Theory.

Jurassic Park was extremely automated, using a very sophisticated computer system (for its time) in which the phones, rides, and even the fences were all networked. The engineer behind this automation was their “IT guy”, for lack of a better word, Dennis Nedry. There was a problem. Nedry apparently had financial problems; at least, that is what can be inferred from a conversation he had with Hammond during the movie. As such, he had secretly made a deal with a rival company to steal embryos from the park in exchange for a very large sum of money.
In order to pull off this theft, Nedry engineered an 18-minute window for himself, during which he could shut off the park systems he needed to in order to steal the embryos and make his escape without getting caught. The result of Nedry’s plan (combined with a tropical storm that hit the park) was all hell breaking loose in the park: many people were eaten or injured by the dinosaurs, which had escaped after Nedry shut off the park’s electric fences.
We have learned, based on the summary above, that Nedry was a shady character. His actions ultimately set off the chain of events that caused many deaths and the subsequent failure of the park. But what does this have to do with insider threat? And how can something like this be prevented in a real-world organization?
The term “insider threat” is fairly self-explanatory. Loosely defined, it is the risk that an employee or contractor (i.e. an “insider”) with the appropriate amount of access and/or knowledge will perform a malicious act (e.g. plant malware, siphon off confidential data, etc.) to the detriment of the organization in which he/she works (or worked). I tried to find some useful statistics with regard to exactly how big this problem is. However, the metrics vary widely. One citation that I found particularly intriguing is as follows: “The 2009 CSI Computer Crime survey, probably one of the most respected reports covering insider threats, says insiders are responsible for 43 percent of malicious attacks.” [1]
Can the risk of insider threat be mitigated? The short answer is yes. It can be accomplished through a number of layered controls (think “Defense in Depth”) that can be deployed. For those who want a nice, long, dry read, the Common Sense Guide to Prevention and Detection of Insider Threats, 3rd Edition – Version 3.1, from CERT has everything you need to know. For a short breakdown, some important best practices [2] are as follows:
1) Consider threats from insiders and business partners in enterprise-wide risk assessments.
2) Clearly document and consistently enforce policies and controls.
3) Institute periodic security awareness training for all employees.
4) Monitor and respond to suspicious or disruptive behavior, beginning with the hiring process.
5) Anticipate and manage negative workplace issues.
6) Track and secure the physical environment.
7) Implement strict password and account management policies and practices.
8) Enforce separation of duties and least privilege.
9) Consider insider threats in the software development life cycle.
10) Use extra caution with system administrators and technical or privileged users.
11) Implement system change controls.
12) Log, monitor, and audit employee online actions.
13) Use layered defense against remote attacks.
14) Deactivate computer access following termination.
15) Implement secure backup and recovery processes.
16) Develop an insider incident response plan.

Based on the events that transpired in the movie, which of the aforementioned best practices were not utilized that could have been utilized in order to avoid the dinosaur feast?
For starters, Nedry was the single point of failure from an information technology standpoint. Based on what was stated and implied in the movie, the whole automation of the park, from system administration to debugging millions of lines of code, rested on his shoulders. As such, they certainly did not employ the concept of separation of duties. Separation of duties is defined as the requirement of “dividing functions among people to limit the possibility that one employee could steal information or commit fraud or sabotage without the cooperation of another.” [3]
Additionally, Hammond did not “anticipate and manage negative workplace issues”. He could have worked with Nedry to negate Nedry’s financial incentive to do what he did. However, since appeasement is no guarantee, they should also have employed monitoring and logging, appropriate software development practices (so that Nedry could not have planted backdoors and/or logic bombs in the code), and more appropriate physical security of the facility.
When you think about it though, the root cause for the failure of the park was the lack of separation of duties.
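To make the separation-of-duties point concrete, here is an added illustration (not code from the post or from the film's fictional systems): a minimal park control service in which disabling the perimeter fences requires a request from a privileged role plus a second, distinct approver, and every attempt, allowed or denied, lands in an append-only audit trail. The user names, roles and action names are constructed for the example.

```python
# Added example (not from the post): two-person rule, least privilege and
# audit logging for a hypothetical park control system.
from datetime import datetime, timezone

# Least privilege: which role may request which operations (constructed data).
ROLES = {"nedry": "sysadmin", "arnold": "sysadmin", "hammond": "owner"}
CAN_REQUEST = {"sysadmin": {"restart_phones", "disable_perimeter_fences"},
               "owner": set()}
# Separation of duties: these actions also need a second, distinct approver.
TWO_PERSON = {"disable_perimeter_fences"}
APPROVER_ROLES = {"sysadmin", "owner"}


class Denied(Exception):
    """Raised when policy blocks an action; the denial is logged first."""


class ParkControl:
    def __init__(self):
        self.fences = "on"
        self.audit = []          # append-only record of every attempt

    def _log(self, actor, action, approver, outcome):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit.append(f"{stamp} actor={actor} action={action} "
                          f"approver={approver} outcome={outcome}")

    def request(self, actor, action, approver=None):
        """Run `action` for `actor`; log and raise Denied if policy fails."""
        if action not in CAN_REQUEST.get(ROLES.get(actor, ""), set()):
            self._log(actor, action, approver, "DENIED:not-authorized")
            raise Denied(f"{actor} may not request {action}")
        if action in TWO_PERSON and (
                approver is None or approver == actor
                or ROLES.get(approver) not in APPROVER_ROLES):
            self._log(actor, action, approver, "DENIED:needs-second-person")
            raise Denied(f"{action} requires a distinct approver")
        if action == "disable_perimeter_fences":
            self.fences = "off"   # a single admin can never reach this alone
        self._log(actor, action, approver, "OK")
        return True


if __name__ == "__main__":
    park = ParkControl()
    try:
        park.request("nedry", "disable_perimeter_fences")   # alone: denied
    except Denied as e:
        print("blocked:", e)
    park.request("nedry", "disable_perimeter_fences", approver="arnold")
    print("\n".join(park.audit))
```

The denied attempt is itself the detection signal: a sysadmin repeatedly trying a two-person action without an approver is exactly the behavior practice 12 above says to log, monitor and audit.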
~ Fin ~
[1] Roger Grimes, “The true extent of insider security threats”, May 11, 2010.
[2] Copied from the CERT Common Sense Guide PDF.
[3] Also copied from the CERT Common Sense Guide PDF.