Roger Duronio faces up to eight years in a federal prison when he steps before a judge this week to be sentenced for sabotaging UBS PaineWebber’s IT systems in 2002. If you think there are no potential Duronios in your organization, consider this a brief history lesson on tech employees gone bad, and a refresher course on how to identify and stop insider malcontents before they do some serious damage.
As a system administrator, Duronio, convicted this summer, placed a "logic bomb" to knock out much of UBS’s network, then made financial bets that would pay off if the company’s stock tanked as a result. A former VP of IT at SourceMedia, Stevan Hoffacker, was arrested in mid-November on charges he hacked into his former company’s E-mail system so he could warn people still working there that they were going to be laid off. Prudential Insurance IT staffer Donald McNeese in 2002 stole records from a Prudential database containing information on about 60,000 employees and was caught trying to sell identities for credit card fraud.
Nearly two-thirds of the 616 security pros surveyed this year by the Computer Security Institute say insiders account for some portion of the financial losses their organizations experience because of breaches. Some 39% of respondents attribute more than 20% of their organizations’ financial losses to insider attacks, while 7% estimate that insiders account for a whopping 80% of financial losses.
Insiders aren’t the most common security problem, but they can be among the most costly and the most damaging to a company’s reputation. Insider attacks against IT infrastructure are among the security breaches most feared by both government and corporate security pros, says Eric Shaw, a psychologist and former CIA intelligence officer who has studied insider threats the past decade.
What to do? The risks can be lessened first by doing background checks on potential IT employees--something far more companies are doing this year, according to Carnegie Mellon University’s CERT (see story, The Case For Background Checks). If an employee is terminated, it’s crucial that all system access be revoked immediately. It sounds obvious, but that doesn’t mean it’s always done. About half of all insider attacks take place between the time an IT employee is dismissed and his or her user privileges are taken away, says Dawn Cappelli, a senior member at the CERT Coordination Center, part of Carnegie Mellon’s Software Engineering Institute.
When it comes to current employees, IT managers must do something they might not have a taste for: Keep an eye out for insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues--all warning signs someone may be capable of system sabotage or data theft. "The biggest misconception about preventing insider attacks is that IT needs to worry only about technology issues and HR has to worry only about personnel issues," Cappelli says.
Defending against insiders isn’t easy, but knowing what to look for and understanding who you’re up against certainly helps, says Shaw, who co-authored a report last year titled, "Ten Tales Of Betrayal: The Threat To Corporate Infrastructures By Information Technology Insiders."
IT managers must be watchful any time someone with access to sensitive systems has a falling out with his or her bosses. That’s what happened with Duronio, who was upset his bonus fell about $15,000 short of his expectations. It’s also the story of Claude Carpenter, who worked for government contractor Network Resources doing part-time systems administration on three Internal Revenue Service servers. In May 2000, suspecting he’d be fired after a dispute with a co-worker, Carpenter inserted several lines of code that would command the three servers under his care to wipe out data if network traffic reached a certain level. He tried to conceal his activities by turning off system logs and removing history files, but he aroused colleagues’ suspicion by calling several times during the next two weeks to ask "if the machines were running OK" and "if anything was wrong with the servers," says a July 2001 Justice Department description of the case. Carpenter was sentenced to 15 months in prison and ordered to pay $108,800 in restitution.
One related element: Make sure each IT worker has just enough system access to get his or her job done. "Usually, a person who does damage was given more access than they needed," says Bill Moylan, senior director of Aon Consulting’s IT risk consulting group, who spent 25 years with Long Island’s Nassau County Police Department. One financial services CIO makes that point by not giving himself data center access, since he doesn’t need to be in there to do his job. Access can be something of a status symbol, so don’t wait for IT staffers to complain they have too much, Moylan says.