Before You Fire the Company Geek...
If you notice a fellow employee suddenly freaking out or acting really suspicious, he may be having personal problems -- or he may be in the process of hacking the company. So says a new study on "insider threats" released Monday by the U.S. Secret Service and the Carnegie Mellon Software Engineering Institute's CERT (that used to stand for Computer Emergency Response Team, but now they just call it CERT).
The study examined 49 insider attacks, carried out between 1996 and 2002, where disgruntled employees took advantage of their access to the company's network and computer resources to destroy data or embarrass fellow employees or their employer. The study focused less on the incidence of hacking committed by trusted employees than on the motivation of insider hackers and the circumstances that allowed them to inflict damage on the affected companies. As such, it includes some interesting anecdotes, but also a lot of "no duh" findings.
For example of the latter, the study's "executive summary" notes that in 62 percent of the cases, "a negative work-related event triggered most of the insiders' actions." The study also found that 82 percent of the time the people who hacked their company "exhibited unusual behavior in the workplace prior to carrying out their activities." The survey surmises that's probably because the insiders were angry at someone they worked with or for: 84 percent of attacks were motivated by a desire to seek revenge, and in 85 percent of the cases the insider had a documented grievance against their employer or a co-worker.
Part of that "unusual behavior" was no doubt a result of the employee trying to hit "alt-tab" fast enough to hide their screen when the boss walks by. In 27% of the cases, "the overt behaviors were technical actions taken to set up the attack, including constructing and testing a logic bomb on the network, centralizing critical assets and sabotaging backups, or installing backdoors." For the uninitiated, a "logic bomb" is a destructive computer program -- like a virus -- designed to go off at a time predetermined by the attacker, usually after said attacker is no longer employed by the target. A "backdoor" is a simple program that allows the attacker to secretly gain access to the company's network, even if the credentials given to them by their employer to access the network have been revoked.
To get to the more interesting findings, forget the executive summary and the 10 pages of methodology and check out some of the real-life anecdotes upon which the report was based. For instance:
"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator's termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company's server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees."
As it turns out, the report's title is a bit of a misnomer: In almost 60 percent of the time, the attacks were launched by contractors or people who had recently been fired (48 percent). Eighty-six percent of insiders were techie types, including system administrators, programmers, engineers and IT specialists. What lessons can we take away from this? According to the report, if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems) make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.
Some other interesting (although not particularly surprising) tidbits: Almost all -- 96 percent -- of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent.
Now the good news: almost all of them got caught. Ninety percent of the insiders faced formal criminal charges, and 61 percent of those charged faced penalties under federal law. Eight-three percent of those charged were convicted, and another 5 percent didn't contest the charges.
Posted by: Alan | May 17, 2005 1:53 PM | Report abuse
Posted by: Neil | May 17, 2005 1:59 PM | Report abuse
Posted by: Steve | May 17, 2005 2:26 PM | Report abuse
Posted by: phil | May 17, 2005 2:32 PM | Report abuse
Posted by: Ben | May 17, 2005 2:39 PM | Report abuse
Posted by: Mustansar | May 17, 2005 2:53 PM | Report abuse
Posted by: Dave | May 17, 2005 3:02 PM | Report abuse
Posted by: C0rpR4t3_H4C| | May 17, 2005 3:12 PM | Report abuse
Posted by: Lod | May 17, 2005 3:38 PM | Report abuse
Posted by: Raul Ortsac | May 17, 2005 3:51 PM | Report abuse
Posted by: Norbert | May 17, 2005 4:03 PM | Report abuse
Posted by: Jeremy | May 17, 2005 4:31 PM | Report abuse
Posted by: Mo | May 17, 2005 4:35 PM | Report abuse
Posted by: mv | May 17, 2005 5:34 PM | Report abuse
Posted by: George | May 17, 2005 6:12 PM | Report abuse
Posted by: Peets | May 17, 2005 6:19 PM | Report abuse
Posted by: Sean | May 17, 2005 10:02 PM | Report abuse
Posted by: dcperspective | May 17, 2005 10:14 PM | Report abuse
Posted by: Jack | May 17, 2005 10:19 PM | Report abuse
Posted by: inIT | May 17, 2005 11:01 PM | Report abuse
Posted by: moe | May 18, 2005 12:29 AM | Report abuse
Posted by: unknown | May 18, 2005 3:49 AM | Report abuse
Posted by: Anonymous | May 18, 2005 10:46 AM | Report abuse
Posted by: Ben | May 18, 2005 8:18 PM | Report abuse
Posted by: Doc | May 19, 2005 1:04 AM | Report abuse
Posted by: CK | May 19, 2005 5:34 PM | Report abuse
Posted by: I-Am-Not-A-Piece-Of-Your-Inventory | August 15, 2005 11:10 AM | Report abuse
Posted by: Steve Rathkopf | September 15, 2005 4:15 AM | Report abuse
The comments to this entry are closed.