
Before You Fire the Company Geek...

If you notice a fellow employee suddenly freaking out or acting really suspicious, he may be having personal problems -- or he may be in the process of hacking the company. So says a new study on "insider threats" released Monday by the U.S. Secret Service and the Carnegie Mellon Software Engineering Institute's CERT (that used to stand for Computer Emergency Response Team, but now they just call it CERT).

The study examined 49 insider attacks, carried out between 1996 and 2002, where disgruntled employees took advantage of their access to the company's network and computer resources to destroy data or embarrass fellow employees or their employer. The study focused less on the incidence of hacking committed by trusted employees than on the motivation of insider hackers and the circumstances that allowed them to inflict damage on the affected companies. As such, it includes some interesting anecdotes, but also a lot of "no duh" findings.

As an example of the latter, the study's "executive summary" notes that in 62 percent of the cases, "a negative work-related event triggered most of the insiders' actions." The study also found that 82 percent of the time the people who hacked their company "exhibited unusual behavior in the workplace prior to carrying out their activities." The survey surmises that's probably because the insiders were angry at someone they worked with or for: 84 percent of attacks were motivated by a desire to seek revenge, and in 85 percent of the cases the insider had a documented grievance against their employer or a co-worker.

Part of that "unusual behavior" was no doubt a result of the employee trying to hit "alt-tab" fast enough to hide their screen when the boss walks by. In 27% of the cases, "the overt behaviors were technical actions taken to set up the attack, including constructing and testing a logic bomb on the network, centralizing critical assets and sabotaging backups, or installing backdoors." For the uninitiated, a "logic bomb" is a destructive computer program -- like a virus -- designed to go off at a time predetermined by the attacker, usually after said attacker is no longer employed by the target. A "backdoor" is a simple program that allows the attacker to secretly gain access to the company's network, even if the credentials given to them by their employer to access the network have been revoked.

To get to the more interesting findings, forget the executive summary and the 10 pages of methodology and check out some of the real-life anecdotes upon which the report was based. For instance:

"A system administrator, angered by his diminished role in a thriving defense manufacturing firm whose computer network he alone had developed and managed, centralized the software that supported the company's manufacturing processes on a single server, and then intimidated a coworker into giving him the only backup tapes for that software. Following the system administrator's termination for inappropriate and abusive treatment of his coworkers, a logic bomb previously planted by the insider detonated, deleting the only remaining copy of the critical software from the company's server. The company estimated the cost of damage in excess of $10 million, which led to the layoff of some 80 employees."

As it turns out, the report's title is a bit of a misnomer: Almost 60 percent of the time, the attacks were launched by contractors or people who had recently been fired (48 percent). Eighty-six percent of insiders were techie types, including system administrators, programmers, engineers and IT specialists. What lessons can we take away from this? According to the report, if you're going to fire someone (particularly company geeks who have the motive, means and access to inflict pain on your computer systems), make double sure you cut off their e-mail and network access at the same time you hand them their walking papers.

Some other interesting (although not particularly surprising) tidbits: Almost all -- 96 percent -- of the insiders were men, and 30 percent of them had previously been arrested, including arrests for violent offenses (18 percent), alcohol or drug-related offenses (11 percent), and non-financial-fraud related theft offenses (11 percent).

Now the good news: almost all of them got caught. Ninety percent of the insiders faced formal criminal charges, and 61 percent of those charged faced penalties under federal law. Eighty-three percent of those charged were convicted, and another 5 percent didn't contest the charges.

By Brian Krebs  |  May 17, 2005; 10:58 AM ET
 

Comments

"Now the good news: almost all of them got caught." Rubbish. It's well known that companies will cover up security breaches whenever possible, and let the perp escape, or even pay him off, rather than face bad publicity. Perhaps 90% of those cases reported were caught.

Posted by: Alan | May 17, 2005 1:53 PM | Report abuse

49 cases is barely scraping into the statistically significant sample category let alone having multiple degrees of freedom. Anecdotal to say the least.

Posted by: Neil | May 17, 2005 1:59 PM | Report abuse

Assume for a moment that the disgruntled sysadmin in the article did his logic bomb well. From the company's viewpoint, what's the "good news" about this guy getting caught? They get to make an object lesson of him in the courts? So what, they're out $10M and 80 people are out of work. They needed to have other checks and balances in place that were independent of the one critical person!

Posted by: Steve | May 17, 2005 2:26 PM | Report abuse

Don't forget physical security, make last check contingent on receiving keys, ID and access cards, have someone present while the employee is cleaning out the office/desk and change locks if you even suspect that the former employee has a duplicate key (especially the "I lost my key, can I have another?" a month before being fired).

Posted by: phil | May 17, 2005 2:32 PM | Report abuse

I wonder how these numbers compare to inadvertent damage caused by people fired for incompetence or negligence? In my career, damage incidents such as this (by my predecessors and colleagues, not by me!) far outweigh any possible intentional damage... it would be interesting to see numbers and find out which problem really deserves the priority attention.

Posted by: Ben | May 17, 2005 2:39 PM | Report abuse

Well, all these statistics seem to focus on people who are unhappy with the employer or co-workers. Since everyone (or most) tend(s) to behave abnormal/revengeful if pinched at a wrong place. So I guess effort should be to make sure no one gets pinched bad. Treat them like humans and don't expect them to work like machines (submissively) even if they work with machines. Problem between employee and employer arises only when we ignore their goals.
Mustansar.Mehmood@marist.edu

Posted by: Mustansar | May 17, 2005 2:53 PM | Report abuse

I agree with the poster "Alan". I observed our IT staff watch helplessly as a hacker actively infiltrated our highly sensitive accounting server. He had access to everything: credit cards, personal info, confidential financial information. After the damage was done, the president/CEO of our site walked around and told everyone who knew what happened that this break-in wasn't to be discussed, and that we weren't going to report it to corporate.

Posted by: Dave | May 17, 2005 3:02 PM | Report abuse

idiocy to say the least
having been a statistic myself
i see that fear and stupidity prevail
nothing is secure
trust no-one
ever

Posted by: C0rpR4t3_H4C| | May 17, 2005 3:12 PM | Report abuse

I had been bullying this sysadmin guy here in the office for years.. he was a total geek. Then one day all the doughnuts were eaten before I made it to the break room. Coincidence?

Posted by: Lod | May 17, 2005 3:38 PM | Report abuse

Majority got caught eh.
"If no one catches a cracker,
or even realises (s)he did it,
is it really a cracker ?"
quite apart from what is
intentionally glossed over.

As in the real world.
Many embezzlers and white collar
criminals get caught because of their smugness at "getting away with it" or
for saying "I showed them a thing or 2".

If no one knows you got your revenge,
is it really revenge?

& let's now forget those incidents of incompetence where a Certain Operating System was just Begging To Be Broken Into because the perp realised he could get away with it due to nonexistent access auditing.

Which is stronger: Innate ethical/morality checks & balances-
Or the simple fear of being caught.

Opportunity makes a thief of us all.

Posted by: Raul Ortsac | May 17, 2005 3:51 PM | Report abuse

Money=power. Nowadays you can apparently have power without the possibility to convert it into something more useful. This is what frustrates people. I even get job offers like: Build complete IT department and maybe you can become the manager of that department. So I can understand why people take revenge when they are underappreciated. Taking the revenge in reality is I think the worst you can do. Going forward with the realisation that you are better than the others and you have the brains to pull this through, can get you so much more.

Posted by: Norbert | May 17, 2005 4:03 PM | Report abuse

Steve Wrote:
49 cases is barely scraping into the statistically significant sample category let alone having multiple degrees of freedom. Anecdotal to say the least.

In that case it is a qualitative survey and not a quantitative one, but it would nonetheless be important because it demonstrates the *kinds* of things that can happen, and how they happen, and opens up the motivations behind the problems to inspection. None of that would be available in a quantitative survey. However a quantitative survey could be useful in reporting how much this happens, or how often, or what types of organizations are more prone to be affected, etc. Both kinds of studies are beneficial.

Posted by: Jeremy | May 17, 2005 4:31 PM | Report abuse

I once worked for a major company. They fired an IT guy but he shoulder surfed into the data with a pair of hedge clippers... destroyed a LOT of hardware.

Posted by: Mo | May 17, 2005 4:35 PM | Report abuse

Well thank God we're punishing those evil techies. And how is Kenneth Lay of Enron fame doing these days?

Here's what happens in the non-tech world: A company I worked at serves notice to a non-productive idiot. He starts bragging about how he should put a "cap in the ass" of all his co-workers. Goes so far as to bring in an actual handgun one day, shows it off. And how does this awful tale end up? He nets $40,000 to keep him happy.

Right. Evil techies. eeeeeevil.

Posted by: mv | May 17, 2005 5:34 PM | Report abuse

I would actually think less than half get caught. Saying that "almost all of them got caught" is like saying, "almost everyone who votes went to the polls". uh.. yea! Maybe they meant, "almost all of the ones who got caught were punished".

Posted by: George | May 17, 2005 6:12 PM | Report abuse

I think we're glossing over the human factor here: if there was any real effort put into decent HR management the instance of such problems would be much lower. And happy people work harder, so even pencil pushers should be able to get that one.

Yet it ain't happening.

Posted by: Peets | May 17, 2005 6:19 PM | Report abuse

If I caught anyone in my division calling the IT staff "techie types" or "company geeks" I'd fire them. They know better. I expect performance and respect among peers, not slope-headed name calling. I'm disappointed that WaPo would let this half-researched drivel out the door.

Posted by: Sean | May 17, 2005 10:02 PM | Report abuse

49 cases ? 6 Years ?
They examined a whopping 49 cases, over 6 years to find out that disgruntled people do bad things, even with computers ?

The 12 page report ? I'd love to see the expenditures on this one. 49 cases ? 6 Years ? God I pray they were phone interviews.

Security tip- unhappy people with keyboards are just as dangerous as unhappy people with guns, planes, and bombs- treat people with respect first then review your procedures with a trusted third party.

Posted by: dcperspective | May 17, 2005 10:14 PM | Report abuse

This really shouldn't be a surprise. Living thru the dot.bomb era, I've worked for several companies, many going under because the suits have taken millions in VC money and squandered it because they were blind to what the industry was doing.

What I've seen in 8 years:

Technical managers who were not technical at all managing people who were technically brilliant but were not allowed to be so because it would outshine their rocks-for-brains managers.

Sales and Business Dev folks who are selling technology but have no idea what it is they are selling. But hey, they are BUSINESS people. They have MBA's!

Consistently cutting corners and forcing the technical staff to do sub-par work while telling their clients that they are a world class organization, only to have their work crumble because the business folks didn't really think QA was something that was worth it.

Management having no idea what motivates their technical staff. It's not always money. Sometimes it's wearing a t-shirt to work because the A/C on the floor they work on is constantly foobared because the folks on the business floor are catering lunch every day for the staff.


I've seen a lot of good folks go while the f*cknut business folks retain their expense accounts and parking spots. This story warmed my heart.

Posted by: Jack | May 17, 2005 10:19 PM | Report abuse

Only 2 ways to stop this crap:

1) Pay your IT staff well and treat them *genuinely* nice.

or

2) Do the IT stuff all by yourself and NO ONE ELSE [you *do* trust yourself, do you? :) ]

Posted by: inIT | May 17, 2005 11:01 PM | Report abuse

What can we expect from this research? All IT professionals with DUI arrests and the like will suddenly find themselves under the microscope.

Round up the usual suspects...

Posted by: moe | May 18, 2005 12:29 AM | Report abuse

I believe it's only those that are reported. Meaning to say, over that 6 years, I believe there couldn't be only these few cases. A lot went unreported. As pointed out by Alan, many companies will cover up whatever thing they can to prevent bad publicity. Thus, I can assure you that these are not all the cases. And these are taken only to deter people from such actions. Which in the first place could be prevented if the employers know how to manage their staff properly. Why would a whole department depend on one sole guy? Why is it that there is only 1 last copy of backup left? Couldn't they have duplicated the data?

Only when those at the management can have a good view of what is going on, and learn how to handle them well, otherwise, time bomb like this will always happen. It doesn't always have to be IT geeks. Key appointment holders could do likewise damage on business. Any accounting department that doesn't do sufficient audits to keep fault report or whatever in check could always face big problem in future if any of its staff decided to do something funny. So it's all down to the respective company's processes. Stop blaming the techies for the company's shortcoming. Deal with the root of the problem instead!

Posted by: unknown | May 18, 2005 3:49 AM | Report abuse

At least 80% of statistics are made up on the spot.

Posted by: Anonymous | May 18, 2005 10:46 AM | Report abuse

This is old news. Let's face it, this kind of thing has been going on since the beginning. Geeks are often not the easiest people to get along with. But it would be impossible to prevent this kind of thing from happening. It doesn't take much more than a laptop and port on a switch for a disgruntled geek to cause severe disruptions on a corporate network, even if they have no login to work with. Most ITs I know, even the entry-level guys, install root kits as a first order of business when they join a company. They do it as a reflex, not because they have malicious intent or plan to hack the company, but to give themselves convenient access so they can work from home or school. I once hacked a company from a touch-screen terminal they had in their lobby, when I told their IT guys about it they laughed with me and shrugged it off. A month later they still hadn't fixed it.

Posted by: Ben | May 18, 2005 8:18 PM | Report abuse

So, what's new about this? The same stuff happened back in the quill and ink bottle days. I once worked with a lowly book keeper who had set up all the financial records according to her own unique system. She was eligible to retire, but chose to keep working. The front office hotshots kept humiliating her and otherwise messing her over. So, she took two weeks of vacation and left her two week retirement notice in the boss' basket. Nobody had a clue how her system worked. I was one of the people who got stuck figuring out the mess, and I still thought it was hilarious.

But, you know, even though it annoys the empty suits when somebody puts one over on them, it doesn't hurt them, not really. They're the ones who get to decide who's at fault, and they certainly aren't going to blame their own bad management. Besides, apart from their paychecks and the chance of getting to mess up at ever higher levels, about the only interest most of them have is to get their egos massaged. If they're not owners, they don't give a **** about the business.

Posted by: Doc | May 19, 2005 1:04 AM | Report abuse

The number of cases analyzed is only one factor; I would not call the study useless. What's important is that the Secret Service/CERT draws attention to the "inside" factor.
The most illustrious and accomplished examples involve geeks, naturally, but that is not to say that for every tech there aren't 100 other employees who try and fail.
I bet every tech support person knows examples of sabotage of systems by non-geeks. When done by the digitally illiterate, it's called liberating or some honorable rebellion against the dominance of technology.
To be fair, the Secret Service also calls attention to other factors. Just a day later, at a conference in DC, its director pointed the finger at organized crime and massive attacks, as opposed to relatively minor acts by individuals.

Posted by: CK | May 19, 2005 5:34 PM | Report abuse

Oooooo! Now I'm terrorized by all these geeks!! Can't we just call them all "terrorists" and then shoot them, according to God's will, as delivered by His Messenger, the Republican Party??

Isn't that where you're all going? (removes tongue from cheek)

I wanna work for Sean!!

(PS: If you really want to fix this problem, and I mean the digital version as well as the real one, I'll give you a hint in all caps so even AOL-ers can read it: STOP TREATING PEOPLE LIKE "HUMAN RESOURCES"!! THEY *ARE* HUMAN, BUT THEY ARE *NOT* YOUR "RESOURCES"!! If you don't understand that, pay careful attention to this key statement by poster "Sean": "I expect performance and respect among peers, not slope-headed name calling." -- Do you get it yet? If not, read it again.)
(imitates Wm. Shatner): "Performance... AND Respect...!!"

Posted by: I-Am-Not-A-Piece-Of-Your-Inventory | August 15, 2005 11:10 AM | Report abuse

I was the Lead Programmer for a large manufacturing/distribution network of companies in the late 90's and 2000. As such I had access to all the information one could want. AND, that was necessary for me to do my job. On all my contract positions as well, I had access to VERY sensitive information.

Since the management think only in terms of the bottom line and see ADDITIONAL IT expenses as irksome at best and unneeded at best, how are they ever going to have the security they need, and say they want?

In truth, it is only the integrity of the IT professionals that keep these companies alive.
The ways I know that this problem can be approached (in reality) is to make sure:
1) the IT department is actually staffed sufficiently to handle all the work the managers want and need to manage the enterprise. This will eliminate work backlogs, keeping the management supplied with the current information they need to do THEIR work.
2) SPEND the extra money to have the IT staff well paid, trained, cross-trained, and taking continuing education to stay abreast of industry advances(both IT and the specific business activity). This will at once make them more productive and satisfied, as well as make them more attractive to being hired away. THEREFORE, management must treat the IT staff, as colleagues and NOT as subordinate staff to "do their bidding".
3) realize and treat the IT staff, not as the machines they manage, but as the guardians and improvers of the company's ability to continue to do business and make a profit.

Even then, fallen human nature being what it is, we will still have problems. That is why business MUST focus on spending all the money they can justify to protect their ability to continue to do business into the future, and on a profitable basis.

NOW, for my next trick....

Posted by: Steve Rathkopf | September 15, 2005 4:15 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company