How To Spot Insider-Attack Risks In The IT Department - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

07:15 PM

How To Spot Insider-Attack Risks In The IT Department

They're one of the biggest security risks because of their knowledge and access. IT managers need to learn to identify and stop insider malcontents before they do some serious damage.

Roger Duronio faces up to eight years in a federal prison when he steps before a judge this week to be sentenced for sabotaging UBS PaineWebber’s IT systems in 2002. If you think there are no potential Duronios in your organization, consider this a brief history lesson on tech employees gone bad, and a refresher course on how to identify and stop insider malcontents before they do some serious damage.

As a system administrator, Duronio, convicted this summer, placed a "logic bomb" to knock out much of UBS’s network, then made financial bets that would pay off if the company’s stock tanked as a result. A former VP of IT at SourceMedia, Stevan Hoffacker, was arrested in mid-November on charges he hacked into his former company’s E-mail system so he could warn people still working there that they were going to be laid off. Prudential Insurance IT staffer Donald McNeese in 2002 stole records from a Prudential database containing information on about 60,000 employees and was caught trying to sell identities for credit card fraud.

Nearly two-thirds of the 616 security pros surveyed this year by the Computer Security Institute say insiders account for some portion of the financial losses their organizations experience because of breaches. Some 39% of respondents attribute more than 20% of their organizations’ financial losses to insider attacks, while 7% estimate that insiders account for a whopping 80% of financial losses.

Insiders aren’t the most common security problem, but they can be among the most costly and the most damaging to a company’s reputation. Insider attacks against IT infrastructure are among the security breaches most feared by both government and corporate security pros, says Eric Shaw, a psychologist and former CIA intelligence officer who has studied insider threats the past decade.

What to do? The risks can be lessened first by doing background checks on potential IT employees--something far more companies are doing this year, according to Carnegie Mellon University’s CERT (see story, The Case For Background Checks). If an employee is terminated, it’s crucial that all system access be revoked immediately. It sounds obvious, but that doesn’t mean it’s always done. About half of all insider attacks take place between the time an IT employee is dismissed and his or her user privileges are taken away, says Dawn Cappelli, a senior member at the CERT Coordination Center, part of Carnegie Mellon’s Software Engineering Institute.

When it comes to current employees, IT managers must do something they might not have a taste for: Keep an eye out for insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues--all warning signs someone may be capable of system sabotage or data theft. "The biggest misconception about preventing insider attacks is that IT needs to worry only about technology issues and HR has to worry only about personnel issues," Cappelli says.

Defending against insiders isn’t easy, but knowing what to look for and understanding who you’re up against certainly helps, says Shaw, who co-authored a report last year titled, "Ten Tales Of Betrayal: The Threat To Corporate Infrastructures By Information Technology Insiders."

IT managers must be watchful any time someone with access to sensitive systems has a falling out with his or her bosses. That’s what happened with Duronio, who was upset his bonus fell about $15,000 short of his expectations. It’s also the story of Claude Carpenter, who worked for government contractor Network Resources doing part-time systems administration on three Internal Revenue Service servers. In May 2000, suspecting he’d be fired after a dispute with a co-worker, Carpenter inserted several lines of code that would command the three servers under his care to wipe out data if network traffic reached a certain level. He tried to conceal his activities by turning off system logs and removing history files, but he aroused colleagues’ suspicion by calling several times during the next two weeks to ask "if the machines were running OK" and "if anything was wrong with the servers," says a July 2001 Justice Department description of the case. Carpenter was sentenced to 15 months in prison and ordered to pay $108,800 in restitution.

InformationWeek Download

Managers must not only monitor system access, but also let employees know their system changes can be tracked. Employers should be wary of people unwilling to share their knowledge about systems or uncomfortable with the fact that their activities accessing systems or data can be tracked.

One related element: Make sure each IT worker has just enough system access to get his or her job done. "Usually, a person who does damage was given more access than they needed," says Bill Moylan, senior director of Aon Consulting’s IT risk consulting group, who spent 25 years with Long Island’s Nassau County Police Department. One financial services CIO makes that point by not giving himself data center access, since he doesn’t need to be in there to do his job. Access can be something of a status symbol, so don’t wait for IT staffers to complain they have too much, Moylan says.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
2021 State of ITOps and SecOps Report
2021 State of ITOps and SecOps Report
This new report from InformationWeek explores what we've learned over the past year, critical trends around ITOps and SecOps, and where leaders are focusing their time and efforts to support a growing digital economy. Download it today!
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
Preparing for the Upcoming Quantum Computing Revolution
John Edwards, Technology Journalist & Author,  6/3/2021
How SolarWinds Changed Cybersecurity Leadership's Priorities
Jessica Davis, Senior Editor, Enterprise Apps,  5/26/2021
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll