Information Security News mailing list archives
When the Hacker Is on the Inside
From: William Knowles <wk () C4I ORG>
Date: Wed, 13 Dec 2000 22:53:12 -0600
http://www.businessweek.com/bwdaily/dnflash/dec2000/nf20001213_253.htm

By Dennis Blank in Orlando
Edited by Alex Salkever
DECEMBER 13, 2000

Thousands of attacks each year come from current or former employees -- and companies are only now beginning to step up their defenses

For Elite Web Hosting in Orlando, Fla., September, 2000, was a nightmare. A disgruntled former employee allegedly hacked into the company's computer system without authorization. He then allegedly sent e-mails that contained vulgar language and implying that Elite was moving into the Web porn business to every Elite customer. The missives further claimed that the company's majority owner, Augustino Mireles, had been raiding Elite's coffers for personal use.

The impact on Elite was immediate. Thirty steady customers jumped ship, each taking $5,000 per month in revenue from Elite's cash flow. Elite owner Mireles brought in Advanced Computer Investigations (ACI), a computer-security company. Its assignment was to bolster the company's defenses against hackers and ensure that the former employee could not get back into the system.

BLOOD FROM A STONE. But the exodus of longtime customers was so great that Elite folded, says ACI President Kellie Carlisle. Mireles decided not to sue because you "can't get blood out of a stone." The ex-employee is now on probation after pleading guilty to assault charges arising from a physical altercation he had with Mireles.

Elite's sad tale is far more common than you might imagine. Experts say insider hacking represents about 70% of all malicious attacks and causes $1 billion in damages each year to U.S. businesses. And it appears to be on the rise as more companies come to rely on computer networks and e-mail. "I have seen a lot of cases of a systems administrator gone bad," says Bill Spernow, security-research director for technology-industry consultancy Gartner.

Pinning down the exact number and nature of transgressions by once-trusted workers remains more art than science, but they likely number in the thousands each year. The motivation in most cases is simple. "Most of them are doing it for revenge, because they felt they were harmed in some way," says Diana Neuman, a computer analyst with information-security company EnGarde Systems in Albuquerque, N.M.

ALL BARK, NO BITE. However, justice is rarely meted out. "Most of these cases never go to court," notes Karen Worstell, a computer investigator for consultancy AtomicTangerine in Tacoma, Wash. Companies don't want their trade secrets publicly examined and the negative publicity court cases generate, she says.

Once in court, a company will have to show that an employee violated policies to break into the system. That can be trickier than it sounds, particularly for many small and midsize companies: "There seldom is a corporate policy that addresses this issue," says Spernow. Businesses that do maintain such policies often have difficulty enforcing them. "Even when there is one, it's always in a gray area, and you end up with one that has no teeth."

Elite found out how hard it is to make charges stick. "It's interesting, but one of the defenses being used was that [the former employee] was authorized to do what he was doing and that companies were frequently negligent in defining the level of access," says Bill Cook, a former U.S. Justice Dept. prosecutor who now represents companies that have suffered inside hacks. Cook says a company's first legal action should be to get a temporary restraining order preventing the former employee from using internal security and other information. That can at least set a clear date beyond which incursions are illegal.

BUILDING DEFENSES. According to Cook and others, more insider-hacking complaints are being filed with the FBI. And companies have been more successful in getting their cases prosecuted without suffering public-relations black eyes. But the best way to avoid such a catastrophe is to plan for it before it happens. Gartner's Spernow says using new filtering and blocking systems from reputable software makers can frustrate errant employees.

That may sound like a simple solution. But companies are only now beginning to acknowledge that security is a major concern. Gartner says most of the companies it has surveyed spend only 1% to 3% of their budget to tackle this problem. To be sure, most of them plan to boost such spending in the near future, Gartner notes.

But the majority of security providers and consultants continue to emphasize defending against external intruders. The far stickier issue of inside hacks is usually not addressed. That will have to change if business owners like Mireles will be able to sleep easy at night.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".