How To Spot Insider-Attack Risks In The IT Department

By Larry Greenemeier
Dec 11, 2006

Roger Duronio faces up to eight years in a federal prison when he steps 
before a judge this week to be sentenced for sabotaging UBS 
PaineWebber's IT systems in 2002. If you think there are no potential 
Duronios in your organization, consider this a brief history lesson on 
tech employees gone bad, and a refresher course on how to identify and 
stop insider malcontents before they do some serious damage.

As a system administrator, Duronio, convicted this summer, placed a 
"logic bomb" to knock out much of UBS's network, then made financial 
bets that would pay off if the company's stock tanked as a result. A 
former VP of IT at SourceMedia, Stevan Hoffacker, was arrested in 
mid-November on charges he hacked into his former company's E-mail 
system so he could warn people still working there that they were going 
to be laid off. Prudential Insurance IT staffer Donald McNeese in 2002 
stole records from a Prudential database containing information on about 
60,000 employees and was caught trying to sell identities for credit 
card fraud.

Nearly two-thirds of the 616 security pros surveyed this year by the 
Computer Security Institute say insiders account for some portion of the 
financial losses their organizations experience because of breaches. 
Some 39% of respondents attribute more than 20% of their organizations' 
financial losses to insider attacks, while 7% estimate that insiders 
account for a whopping 80% of financial losses.

Insiders aren't the most common security problem, but they can be among 
the most costly and the most damaging to a company's reputation. Insider 
attacks against IT infrastructure are among the security breaches most 
feared by both government and corporate security pros, says Eric Shaw, a 
psychologist and former CIA intelligence officer who has studied insider 
threats the past decade.

What to do? The risks can be lessened first by doing background checks 
on potential IT employees--something far more companies are doing this 
year, according to Carnegie Mellon University's CERT (see story, The 
Case For Background Checks). If an employee is terminated, it's crucial 
that all system access be revoked immediately. It sounds obvious, but 
that doesn't mean it's always done. About half of all insider attacks 
take place between the time an IT employee is dismissed and his or her 
user privileges are taken away, says Dawn Cappelli, a senior member at 
the CERT Coordination Center, part of Carnegie Mellon's Software 
Engineering Institute.

When it comes to current employees, IT managers must do something they 
might not have a taste for: Keep an eye out for insubordination, anger 
over perceived mistreatment, or resistance to sharing responsibility or 
training colleagues--all warning signs someone may be capable of system 
sabotage or data theft. "The biggest misconception about preventing 
insider attacks is that IT needs to worry only about technology issues 
and HR has to worry only about personnel issues," Cappelli says.

Defending against insiders isn't easy, but knowing what to look for and 
understanding who you're up against certainly helps, says Shaw, who 
co-authored a report last year titled, "Ten Tales Of Betrayal: The 
Threat To Corporate Infrastructures By Information Technology Insiders."

IT managers must be watchful any time someone with access to sensitive 
systems has a falling out with his or her bosses. That's what happened 
with Duronio, who was upset his bonus fell about $15,000 short of his 
expectations. It's also the story of Claude Carpenter, who worked for 
government contractor Network Resources doing part-time systems 
administration on three Internal Revenue Service servers. In May 2000, 
suspecting he'd be fired after a dispute with a co-worker, Carpenter 
inserted several lines of code that would command the three servers 
under his care to wipe out data if network traffic reached a certain 
level. He tried to conceal his activities by turning off system logs and 
removing history files, but he aroused colleagues' suspicion by calling 
several times during the next two weeks to ask "if the machines were 
running OK" and "if anything was wrong with the servers," says a July 
2001 Justice Department description of the case. Carpenter was sentenced 
to 15 months in prison and ordered to pay $108,800 in restitution.

Managers must not only monitor system access, but also let employees 
know their system changes can be tracked. Employers should be wary of 
people unwilling to share their knowledge about systems or uncomfortable 
with the fact that their activities accessing systems or data can be 

One related element: Make sure each IT worker has just enough system 
access to get his or her job done. "Usually, a person who does damage 
was given more access than they needed," says Bill Moylan, senior 
director of Aon Consulting's IT risk consulting group, who spent 25 
years with Long Island's Nassau County Police Department. One financial 
services CIO makes that point by not giving himself data center access, 
since he doesn't need to be in there to do his job. Access can be 
something of a status symbol, so don't wait for IT staffers to complain 
they have too much, Moylan says.

This is the CIO's problem to solve. Though technology is everywhere in 
companies, system attacks are nearly all driven by scoundrels working in 
IT who have the knowledge and access to pull them off. A recent survey 
by the Secret Service and CERT Coordination Center/SEI indicates that 
86% of internal computer sabotage incidents are perpetrated by tech 

The rise of identity theft and the heightened sensitivity around 
customer and employee data have raised the stakes. One of the first 
insider cases to drive this point home was that of former Prudential 
database administrator McNeese, who was charged with identity theft, 
credit card fraud, and money laundering for stealing records from a 
Prudential database. He even sent E-mails to victims, trying to 
incriminate his former boss. McNeese received three years' probation, 
was ordered to pay $3,000 in restitution, and was required to get 
psychiatric treatment.

Employees most likely to commit insider theft or sabotage share a number 
of characteristics, which can include mental health disorders, 
personalities that clash with authority, and a history of behavioral 
violations in the workplace, often documented by HR, says Shaw, who has 
worked as a consultant to the Defense Department profiling 
characteristics of insiders who commit computer crimes.

Other clues are less academic but no less important. Simply getting to 
know employees will create loyalty and may even tip off potential 
problems. "If a guy on your staff needs an extra $20,000 to pay for his 
kid's college tuition, he might try to sell credit card numbers," says 
David Giambruno, VP of global service delivery for cosmetics company 
Revlon and formerly the director of engineering, security, and 
deployment at Pitney Bowes.

Technology also plays a key role in thwarting insider attacks. Giambruno 
believes in encrypting data that "could remotely be seen as sensitive." 
Revlon encrypts sensitive data in applications and databases using 
Ingrian Networks' DataSecure network appliance, with its built-in 
encryption software and middleware for connecting to servers. Giambruno 
advocates creating an audit trail, where employees who want access to 
encrypted data have to state their reasons and get executive sign-off on 
the decryption key. By encrypting data, he says, "you take away the 
low-hanging fruit for insiders."

Risk management software and services can help, too. IBM last week 
announced plans to buy Consul Risk Management and add Consul's products 
to the Tivoli line of IT management software. Consul and rival risk 
management offerings from Elemental Security and others are designed to 
alert IT managers when data or systems are improperly accessed, whether 
from the outside or by staffers.

Technology plays a vital role when an IT worker is fired. Immediately 
cutting network, system, and data access privileges is only the start. 
If there's a reason for concern, managers should, ideally before 
termination, audit projects the employee worked on to understand his or 
her access privileges and look for backdoor access programs they may 
have created in anticipation of being fired. "Termination doesn't end 
the risk," Shaw says. "It probably just escalates it."
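Two of the points above, revoking all access the moment an employee is dismissed and checking afterwards for access that lingered, can be turned into a routine reconciliation check between HR records and account exports. The script below is an added example, not code from the article, CERT or any vendor named here; the HR termination records, the account export and the one-hour revocation target are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (not from the article). In practice these would come
# from the HR system and from exports of directory, VPN and database accounts.
HR_TERMINATIONS = [
    {"user": "jdoe",   "terminated_at": "2006-12-01T17:00:00"},
    {"user": "asmith", "terminated_at": "2006-12-04T09:30:00"},
    {"user": "rlee",   "terminated_at": "2006-12-08T12:00:00"},
]
ACCOUNT_EXPORT = [
    {"user": "jdoe",   "system": "ldap",    "enabled": False, "disabled_at": "2006-12-01T17:05:00"},
    {"user": "jdoe",   "system": "vpn",     "enabled": True,  "disabled_at": None},
    {"user": "asmith", "system": "ldap",    "enabled": False, "disabled_at": "2006-12-06T08:00:00"},
    {"user": "asmith", "system": "db-prod", "enabled": False, "disabled_at": "2006-12-04T10:00:00"},
    {"user": "rlee",   "system": "ldap",    "enabled": True,  "disabled_at": None},
    {"user": "mchen",  "system": "ldap",    "enabled": True,  "disabled_at": None},  # still employed
]

def _minutes(delta):
    return int(delta.total_seconds() // 60)

def revocation_gaps(terminations, accounts, now, max_gap_minutes=60):
    """Compare HR terminations with account status.

    Returns (user, system, finding, minutes) tuples for every account that is
    still enabled after termination (STILL_ENABLED, minutes since termination)
    or was disabled later than max_gap_minutes after it (LATE_REVOCATION,
    minutes between termination and disablement). Users who were never
    terminated are skipped; a disabled account with no disabled_at timestamp
    is reported as UNKNOWN_REVOCATION_TIME rather than silently assumed fine.
    """
    now = datetime.fromisoformat(now)
    term_by_user = {t["user"]: datetime.fromisoformat(t["terminated_at"]) for t in terminations}
    findings = []
    for acct in accounts:
        term = term_by_user.get(acct["user"])
        if term is None:
            continue
        if acct["enabled"]:
            findings.append((acct["user"], acct["system"], "STILL_ENABLED", _minutes(now - term)))
        elif acct["disabled_at"] is None:
            findings.append((acct["user"], acct["system"], "UNKNOWN_REVOCATION_TIME", None))
        else:
            gap = _minutes(datetime.fromisoformat(acct["disabled_at"]) - term)
            if gap > max_gap_minutes:
                findings.append((acct["user"], acct["system"], "LATE_REVOCATION", gap))
    return findings

if __name__ == "__main__":
    for user, system, finding, minutes in revocation_gaps(HR_TERMINATIONS, ACCOUNT_EXPORT, "2006-12-11T09:00:00"):
        print(f"{user:8} {system:8} {finding:24} {minutes}")
```

Run against the constructed data, it flags a VPN account left enabled for over nine days, a directory account disabled nearly two days late, and a terminated user whose account was never disabled at all.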

If you doubt such steps will be enough to deter angry IT employees, Shaw 
suggests laying it on the table that you'll be keeping tabs on them. 
"Hold something over the former employee's head, such as their severance 
package or continued benefits," he says. "Let them know that if you see 
any problems with your IT systems, you'll have the police pay them a 

Sound like the kind of stuff you'd prefer to let HR handle, so you can 
get back to working with your talented, trusted employees? When it comes 
to insider threats, IT departments must accept that they're the first 
line of defense, with HR as their closest partner, CERT's Cappelli says. 
"They need to have an understanding of both the psychology and the 
technology behind these attacks to prevent them from happening," she 

Great, like IT managers need another hat to wear--now they're 
psychologists. But it's true that all IT pros are in this together 
against the rotten few, whether the rogue who's "just" peeking at 
documents he shouldn't access or the saboteur who's knocking out a 
company on which tens of thousands depend for their livelihoods. 
Thwarting them--and keeping the respect and trust an entire profession 
has earned--is what's at stake.

--With Sharon Gaudin
