Information Security News mailing list archives

When the Hacker Is on the Inside


From: William Knowles <wk () C4I ORG>
Date: Wed, 13 Dec 2000 22:53:12 -0600

http://www.businessweek.com/bwdaily/dnflash/dec2000/nf20001213_253.htm

By Dennis Blank in Orlando
Edited by Alex Salkever
DECEMBER 13, 2000

Thousands of attacks each year come from current or former employees
-- and companies are only now beginning to step up their defenses

For Elite Web Hosting in Orlando, Fla., September, 2000, was a
nightmare. A disgruntled former employee allegedly hacked into the
company's computer system without authorization. He then allegedly
sent every Elite customer e-mails that contained vulgar language and
implied that Elite was moving into the Web porn business. The
missives further claimed that the company's majority owner, Augustino
Mireles, had been raiding Elite's coffers for personal use.

The impact on Elite was immediate. Thirty steady customers jumped
ship, each taking $5,000 per month in revenue from Elite's cash flow.
Elite owner Mireles brought in Advanced Computer Investigations (ACI),
a computer-security company. Its assignment was to bolster the
company's defenses against hackers and ensure that the former employee
could not get back into the system.

BLOOD FROM A STONE.  But the exodus of longtime customers was so great
that Elite folded, says ACI President Kellie Carlisle. Mireles decided
not to sue because you "can't get blood out of a stone." The
ex-employee is now on probation after pleading guilty to assault
charges arising from a physical altercation he had with Mireles.

Elite's sad tale is far more common than you might imagine. Experts
say insider hacking represents about 70% of all malicious attacks and
causes $1 billion in damages each year to U.S. businesses. And it
appears to be on the rise as more companies come to rely on computer
networks and e-mail. "I have seen a lot of cases of a systems
administrator gone bad," says Bill Spernow, security-research director
for technology-industry consultancy Gartner.

Pinning down the exact number and nature of transgressions by
once-trusted workers remains more art than science, but they likely
number in the thousands each year. The motivation in most cases is
simple. "Most of them are doing it for revenge, because they felt they
were harmed in some way," says Diana Neuman, a computer analyst with
information-security company EnGarde Systems in Albuquerque, N.M.

ALL BARK, NO BITE.  However, justice is rarely meted out. "Most of
these cases never go to court," notes Karen Worstell, a computer
investigator for consultancy AtomicTangerine in Tacoma, Wash.
Companies don't want their trade secrets publicly examined, or the
negative publicity that court cases generate, she says.

Once in court, a company will have to show that an employee violated
policies to break into the system. That can be trickier than it
sounds, particularly for many small and midsize companies: "There
seldom is a corporate policy that addresses this issue," says Spernow.
Businesses that do maintain such policies often have difficulty
enforcing them. "Even when there is one, it's always in a gray area,
and you end up with one that has no teeth."

Elite found out how hard it is to make charges stick. "It's
interesting, but one of the defenses being used was that [the former
employee] was authorized to do what he was doing and that companies
were frequently negligent in defining the level of access," says Bill
Cook, a former U.S. Justice Dept. prosecutor who now represents
companies that have suffered inside hacks. Cook says a company's first
legal action should be to get a temporary restraining order preventing
the former employee from using internal security and other
information. That can at least set a clear date beyond which
incursions are illegal.

BUILDING DEFENSES.  According to Cook and others, more insider-hacking
complaints are being filed with the FBI. And companies have been more
successful in getting their cases prosecuted without suffering
public-relations black eyes. But the best way to avoid such a
catastrophe is to plan for it before it happens. Gartner's Spernow
says using new filtering and blocking systems from reputable software
makers can frustrate errant employees.

That may sound like a simple solution. But companies are only now
beginning to acknowledge that security is a major concern. Gartner
says most of the companies it has surveyed spend only 1% to 3% of
their budget to tackle this problem.

To be sure, most of them plan to boost such spending in the near
future, Gartner notes. But the majority of security providers and
consultants continue to emphasize defending against external
intruders. The far stickier issue of inside hacks is usually not
addressed. That will have to change if business owners like Mireles
are to be able to sleep easy at night.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com