Guarding Against Threats From Within - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

Guarding Against Threats From Within

Solid technology and tough policies can protect companies from malicious employees

When Roger Duronio, a former UBS PaineWebber Inc. systems administrator, was charged last week with planting a so-called logic bomb on the financial-services company's network, it once again highlighted the difficulties businesses face securing systems from insiders who turn bad. Federal prosecutors last week said Duronio bought UBS put options with the hope that the company's stock price would fall as a result of damage caused by the logic bomb, software code designed to harm computer systems. On March 4, the indictment contends, the bomb went off and damaged files on more than 1,000 of UBS's computers.

Chief security officers say it's very difficult to protect business-technology systems from trusted employees. "If someone on the inside is brazen enough, there's not much you can do. You've got to trust people," says a security officer at a major financial-services firm.

There have been plenty of examples in recent months of insiders and former employees committing computer crimes. Just last month, federal investigators said they thwarted the largest identity-theft ring in U.S. history. It was led largely by a person who had access to customer credit reports and reportedly victimized more than 30,000 people, with losses expected to exceed $2.7 million. In September, a San Dimas, Calif., man pleaded guilty to illegally accessing the computer systems of his former employer to gain competitive advantage after taking a job with a rival company.

ROGER DURONIO

Duronio is accused of damaging files at UBS PaineWebber with a logic bomb.
Security and business-technology managers view attacks over the Internet as their greatest threat. For the fifth year in a row, respondents to the Computer Security Institute/FBI Computer Crime and Security Survey cite the Internet as the most frequent point of attack: 74% cite the Internet, while 33% cite internal systems.

"Companies aren't spending enough, or doing enough, to protect their systems," says Mark Rasch, former head of the Justice Department's computer crimes unit and senior VP and chief security counsel for security vendor Solutionary Inc. "It's still mostly just talk. The bad news is it's going to take a catastrophic event" to get companies to take security seriously, and Rasch believes that such an event "is going to happen."

And it may be caused by insiders, those who know a company's systems and weaknesses and can inflict serious damage. It takes solid technology, tough policies, and tight control over systems changes to protect a company's electronic assets from malicious employees, security experts say.

"It's a matter of strong change control," says Peter Tippett, vice chairman and chief technologist for security-services company TruSecure Corp. "When it comes to administrators with access to servers, you have to have them watch each other. It should take two administrators present for any changes to the system." All server changes need to be logged to separate systems that the administrators can't access and change, Tippett says. "You start doing that, and they'll know they'll get caught. It's a deterrent."

That advice looks good on paper, says the chief security officer at a consumer-goods manufacturer in New Jersey. "I barely have the staff to keep up on maintenance and patches," he says. "I can't afford to have two administrators at every server for every update."

Still, it might be cheaper than dealing with the damage caused by a disgruntled staffer or former employee. While no company can totally protect its systems, especially from insiders, aggressive policies can cut the risk. "It will still happen from time to time," Tippett says. "But you can greatly reduce the likelihood."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Commentary
Why It's Nice to Know What Can Go Wrong with AI
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  11/11/2019
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll