Information Security News mailing list archives

FBI spy case highlights insider threat to corporate data


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Feb 2001 03:04:39 -0600

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88_STO57889,00.html

By DAN VERTON
February 21, 2001

A career FBI agent with significant experience and access to FBI IT
systems was charged yesterday with spying for Russia since 1985, in
what FBI Director Louis Freeh has called the worst case of insider
espionage in FBI history.

The agent, Robert Phillip Hanssen, is accused of giving Russian
intelligence agents highly classified documents and divulging details
about American intelligence sources and electronic surveillance
operations. In exchange, he allegedly received an estimated $1.4
million in cash and diamonds.

According to a 100-page affidavit filed in the U.S. District Court in
Alexandria, Va., Hanssen used his access to the FBI's Electronic Case
File system, which contains classified information about ongoing FBI
investigations, to check if the FBI had been alerted to his
activities. Although Hanssen and his Russian handlers relied heavily
on traditional spying methods, such as dead drops for exchanging
packages anonymously, the case is being touted by the FBI and IT
security experts as a harsh lesson in a growing threat to corporate
data by insiders.

"In short, the trusted insider betrayed his trust without detection,"
said Freeh, during a press conference yesterday. "He constantly
checked FBI records for signs that he and the drop sites he was using
were being investigated." Freeh has since ordered that a special panel
be formed to review all FBI processes and systems and to study the
issue of insider abuse.

"The most important lesson to be learned from this incident is that
most security breaches are the work of insiders, not outsiders," said
Richard Hunter, a security analyst at Stamford, Conn.-based Gartner
Group Inc. "This incident is not about cybercrime or hacking per se,
but historically, the vast majority of cybercrimes are committed by
insiders," said Hunter, who is also a former analyst at the National
Security Agency. "Security is not mainly about software or biometrics.
First and foremost, it's about people and policies."

According to a recent survey of 359 companies by the FBI and the
Computer Security Institute (CSI), companies lost more than $50
million in 2000 as a result of unauthorized insider access and insider
abuse of IT systems. And while 38% of companies in the FBI/CSI survey
reported between one and five incidents of insider abuse, 37% of
companies said they didn't know how many security breaches related to
insiders had taken place.

Hanssen, an expert in counterintelligence methods at the FBI, was
detailed to the New York Field Office's intelligence division in 1979
to help establish the FBI's automated counterintelligence database in
that office. Investigators characterized Hanssen as having a "high
degree of computer technology expertise."

Although Hanssen was arrested while dropping off classified hard-copy
documents at a predetermined location for his Russian handlers, he
made extensive use of computer media, such as encrypted floppy disks,
removable storage devices and a Palm II handheld computer, to
communicate with Russian intelligence officers, according to the
affidavit. In fact, he provided as many as 26 encrypted floppy disks
during the course of his espionage activities, it said.

The lesson for corporate America "is that companies tend to gain a
false sense of security from strong perimeter security," such as
firewalls and intrusion detection systems, said Eric Friedberg, a
former computer and telecommunications crime coordinator at the U.S.
Attorney's Office in New York. "What goes on behind the firewall can
be even more damaging because of the degree of access insiders have."
Friedberg is now a computer crime consultant at Stroz and Associates,
a New York firm founded by Ed Stroz, the former head of the FBI's New
York Computer Crimes Squad.

During the past six months, Stroz and Associates has worked with half
a dozen companies that have been victimized by insiders, said
Friedberg. Those cases involved everything from deleted files to trade
secrets that were mailed to unauthorized parties and cases where
individuals set up competing businesses on the company's own server
without the company's knowledge, he said.

One way companies can protect themselves from insider abuse is to
focus on what their networks can tell them about what is going on
inside the company, said Friedberg. He recommended that companies look
into artificial intelligence-enabled security software that can tip
administrators off to "anomalous activity" on the network.

"At the end of the day, all of our systems probably need to be looked
at and maybe improved," said FBI Director Freeh. "But at the end of
the day, what we rely upon is honest people."

ISN is hosted by SecurityFocus.com