How To Spot Insider-Attack Risks In The IT Department

IT insiders are one of the biggest security risks because of their knowledge and access. IT managers need to learn to identify and stop insider malcontents before they do serious damage.

This is the CIO’s problem to solve. Though technology is everywhere in companies, system attacks are nearly all driven by scoundrels working in IT who have the knowledge and access to pull them off. A recent survey by the Secret Service and CERT Coordination Center/SEI indicates that 86% of internal computer sabotage incidents are perpetrated by tech workers.

The rise of identity theft and the heightened sensitivity around customer and employee data have raised the stakes. One of the first insider cases to drive this point home was that of former Prudential database administrator McNeese, who was charged with identity theft, credit card fraud, and money laundering for stealing records from a Prudential database. He even sent E-mails to victims, trying to incriminate his former boss. McNeese received three years’ probation, was ordered to pay $3,000 in restitution, and was required to get psychiatric treatment.

Employees most likely to commit insider theft or sabotage share a number of characteristics, which can include mental health disorders, personalities that clash with authority, and a history of behavioral violations in the workplace, often documented by HR, says Shaw, who has worked as a consultant to the Defense Department profiling characteristics of insiders who commit computer crimes.

Other clues are less academic but no less important. Simply getting to know employees will create loyalty and may even tip off potential problems. "If a guy on your staff needs an extra $20,000 to pay for his kid’s college tuition, he might try to sell credit card numbers," says David Giambruno, VP of global service delivery for cosmetics company Revlon and formerly the director of engineering, security, and deployment at Pitney Bowes.

Technology also plays a key role in thwarting insider attacks. Giambruno believes in encrypting data that "could remotely be seen as sensitive." Revlon encrypts sensitive data in applications and databases using Ingrian Networks’ DataSecure network appliance, with its built-in encryption software and middleware for connecting to servers. Giambruno advocates creating an audit trail, where employees who want access to encrypted data have to state their reasons and get executive sign-off on the decryption key. By encrypting data, he says, "you take away the low-hanging fruit for insiders."

Risk management software and services can help, too. IBM last week announced plans to buy Consul Risk Management and add Consul’s products to the Tivoli line of IT management software. Consul and rival risk management offerings from Elemental Security and others are designed to alert IT managers when data or systems are improperly accessed, whether from the outside or by staffers.

Technology plays a vital role when an IT worker is fired. Immediately cutting network, system, and data access privileges is only the start. If there’s a reason for concern, managers should, ideally before termination, audit projects the employee worked on to understand his or her access privileges and look for backdoor access programs they may have created in anticipation of being fired. "Termination doesn’t end the risk," Shaw says. "It probably just escalates it."

If you doubt such steps will be enough to deter angry IT employees, Shaw suggests laying it on the table that you’ll be keeping tabs on them. "Hold something over the former employee’s head, such as their severance package or continued benefits," he says. "Let them know that if you see any problems with your IT systems, you’ll have the police pay them a visit."

Sound like the kind of stuff you’d prefer to let HR handle, so you can get back to working with your talented, trusted employees? When it comes to insider threats, IT departments must accept that they’re the first line of defense, with HR as their closest partner, CERT’s Cappelli says. "They need to have an understanding of both the psychology and the technology behind these attacks to prevent them from happening," she says.

Great, like IT managers need another hat to wear--now they’re psychologists. But it’s true that all IT pros are in this together against the rotten few, whether the rogue who’s "just" peeking at documents he shouldn’t access or the saboteur who’s knocking out a company on which tens of thousands depend for their livelihoods. Thwarting them--and keeping the respect and trust an entire profession has earned--is what’s at stake.

--With Sharon Gaudin