ebizQ
Peter Schooff
Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


December 15, 2006
Tell-Tale Signs of an Insider Attack

In a recent survey of IT pros, at least two-thirds indicated that company insiders accounted for at least some of the losses their company experienced from security breaches. Seven percent of those surveyed said that insiders accounted for 80% of their financial losses.

While the above data makes it clear that insider attacks are not the most common form of attack, they can be by far the most costly and most damaging, which makes them the most feared by both the government and security pros.

The first and most obvious way to prevent these types of attacks is to do detailed background checks on all prospective employees. Second, the fact that most attacks take place between when an employee is terminated and their access is revoked means that system access should be terminated simultaneously with employee end-of-employment notification.

While defending against an insider attack can be difficult, the following patterns, found on Information Week, give the warning signs of a potential insider attack.

Be aware any time anyone with access to sensitive information has a falling out with his or her superiors. For instance, there is the story of Claude Carpenter, “who worked for government contractor Network Resources doing part-time systems administration on three Internal Revenue Service servers. In May 2000, suspecting he'd be fired after a dispute with a co-worker, Carpenter inserted several lines of code that would command the three servers under his care to wipe out data if network traffic reached a certain level. He tried to conceal his activities by turning off system logs and removing history files, but he aroused colleagues' suspicion by calling several times during the next two weeks to ask ‘if the machines were running OK’ and ‘if anything was wrong with the servers.’”

Therefore, managers should make it clear to employees that their access and use are being tracked. Also, it is important that each worker be given just enough access to get the job done. In the past, those who have done the most damage had more access than was required to do the job. And as access can often be something of a status symbol, don’t expect employees to complain of having too much.

On a related point, even though technology is everywhere in companies, insider attacks almost always come from IT professionals. A recent survey by the Secret Service and CERT indicated that 86% of internal computer sabotage came from tech workers.

The employees most likely to attack from the inside do share certain characteristics, namely signs of mental health trouble, anti-authoritarian personalities that often clash with their bosses, and a history of behavioral infractions often well-documented by HR. Some recommend that simply getting to know your employees will help create loyalty and tip off potential problems.

Technology can also play a key role in thwarting insider attacks. Any information that could remotely be seen as sensitive should be encrypted. And it is a good idea to create an audit trail, where employees who need access must get written approval from their bosses, which creates a written record.

Risk management software can also help, as I blogged here recently about IBM buying Consul Risk Management. These services are designed to alert managers when certain data or systems are improperly accessed.

Technology also plays a big role when an employee is terminated, as immediately severing all access privileges is just a start. Managers should ideally audit projects the employee worked on before the termination process to fully understand the employee's access.
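One way to check the two termination points above (revoking access at the moment of notification, and auditing what access the employee actually had) is to compare HR termination times against account-disable times and successful logins. This is an added example, not part of the original post; the record layout, user names and host names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: HR termination notices, the time each account was
# disabled, and successful logins as (time, user, host).
TERMINATIONS = {"jdoe": "2006-12-01T09:00", "asmith": "2006-12-04T17:00"}
DISABLED = {"jdoe": "2006-12-03T11:30"}          # asmith was never disabled
AUTH_EVENTS = [
    ("2006-11-30T22:10", "jdoe", "fileserver01"),
    ("2006-12-01T23:45", "jdoe", "dbserver02"),
    ("2006-12-03T12:00", "jdoe", "fileserver01"),
    ("2006-12-05T08:15", "asmith", "vpn"),
    ("2006-12-02T10:00", "bwong", "vpn"),        # current employee
]

def _ts(text):
    return datetime.fromisoformat(text)

def revocation_gaps(terminations, disabled, now):
    """Time between termination notice and access removal, per user.
    Accounts that are still enabled are measured up to `now`."""
    gaps = {}
    for user, term in terminations.items():
        end = _ts(disabled[user]) if user in disabled else now
        gaps[user] = end - _ts(term)
    return gaps

def post_termination_logins(terminations, disabled, events):
    """Successful logins at or after the termination notice.
    'revocation_gap': the account had not been disabled yet.
    'after_disable': a login succeeded after the disable time, which points
    to an access path the offboarding missed (second account, key, etc.)."""
    findings = []
    for when, user, host in events:
        if user not in terminations or _ts(when) < _ts(terminations[user]):
            continue
        off = disabled.get(user)
        kind = "after_disable" if off and _ts(when) >= _ts(off) else "revocation_gap"
        findings.append((user, host, when, kind))
    return sorted(findings)

if __name__ == "__main__":
    now = datetime(2006, 12, 6)
    for user, gap in revocation_gaps(TERMINATIONS, DISABLED, now).items():
        print(f"{user}: access outlived termination by {gap}")
    for finding in post_termination_logins(TERMINATIONS, DISABLED, AUTH_EVENTS):
        print("login after termination:", finding)
```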

The fact is, termination does not end the risk, and in many cases just begins it. It’s not always a bad idea to be able to hold something over a former employee's head, like their severance package, just to keep them in line. And while that might seem to many IT managers the responsibility of HR, IT has to know that they are in fact the first line of defense when it comes to insider attacks.

Posted by pschooff in Better Protection
