Security
Can Insider Cybercrime Happen to You?
By Minda Zetlin
Effective information technology management helps lessen the risk.
A database administrator spent four productive years at her job, earning promotions and commendations for her expertise and hard work. But then, she ran into trouble with a male supervisor. She complained repeatedly to her company's human resources department, saying the supervisor had made sexual remarks, overridden her technical decisions (although he had little database expertise), and contacted outside contractors about her projects without her knowledge. Human resources took no action. Meanwhile, the male supervisor filed negative performance reviews, and the DBA was demoted.
Factoids
In 2006, 55 percent of executives reported at least one incident of insider cybercrime in the previous year, up from 39 percent in 2005.
A full 58 percent of cyberattacks were known to come from outsiders, 27 percent from insiders, and 14 percent from unknown sources. In 2005, only 20 percent were known to come from insiders.
Of executives surveyed, 28 percent named current or former employees as their No. 1 cybersecurity threat.
Source: 2006 E-Crime Watch Survey, conducted by CSO Magazine with the U.S. Secret Service, the CERT Coordination Center, and Microsoft.
More than a year after filing her first complaint, she took a job at another company. It looked like the episode would pass into history, leaving nothing but unpleasant memories.
Only it wasn't over. Two months after starting her new job, the DBA learned that only her bad performance reviews, not the accolades she'd earned over the years, had been forwarded to her new employer. She was furious and wanted to strike back. And, because of her technical skills, she knew just how to do so.
At her old job, she'd used a shared DBA account, and although the IT staff had terminated her own account when she left, they had failed to change the password on the shared account. She now used that account to get back into her former employer's system, access the database, and delete critical spaces, rendering it useless.
The sabotage was traced to the DBA in question, who was arrested, sentenced to five months in prison, and ordered to pay restitution of US$35,000. But this was little consolation to her former bosses. Unfortunately for them, the company had been having backup problems at the time of her attack, and its most recent database backup was two weeks out-of-date. It took 115 employees a total of 1,800 hours to retrieve and reenter the lost data.
Incidents like these are why many companies are beginning to pay closer attention to the growing threat of insider cybercrime: electronic or computer-based theft, fraud, or sabotage committed by current or former employees. In the 2006 E-Crime Watch Survey, conducted by CSO Magazine, the U.S. Secret Service, the CERT (Computer Emergency Response Team) Coordination Center at Carnegie Mellon University, and Microsoft, 55 percent of responding executives reported at least one insider cyberattack in the previous year, up from 39 percent in the 2005 survey. And 28 percent cited current or former employees as the top threat to their organization's cybersecurity.
"The insider problem is concerning, because not as much attention has been paid to it," notes Eugene H. Spafford, a professor at Purdue University and executive director of Purdue's Center for Education and Research in Information Assurance and Security.
"For a long time, the really obvious problem was outsiders: recreational hackers and virus authors," he notes. "So although there were a steady number of incidents attributable to insiders, more attention was paid to the outsider threat, which was easier to quantify and demonstrate. As a result, the most commonly used tools, such as intrusion detection, firewalls, and antivirus software, have all been outward-facing defenses." The lack of inward-facing defenses and the trusted status of insiders mean that they can be more of a threat than outsiders, he says.
Firing without Getting Burned
Telling an employee he or she is fired is never easy, and most people are hurt and angry at the news. According to CERT research, for some already disgruntled employees, getting fired can be a "precipitating event," the ultimate humiliation that inspires them to turn to sabotage. How can you avoid having this happen to your company? Here are some tips that may help:
1. Handle the termination as sensitively as you can. If you can provide some form of financial cushion or outplacement service, so much the better.
2. Many managers start preparing to disable an employee's access when they begin planning his or her termination, but by then it may be way too late. Most people know or suspect ahead of time when they're likely to lose their job. Indeed, many legal advisors insist employees be given ample warning if their performance is unsatisfactory. Employees who are inclined to cybercrime can use this time to install malicious code that may take a year or more to manifest. The safest strategy is to monitor such issues as account creation for everyone on a routine basis.
3. Make sure to revoke all access and disable all accounts, and to change passwords on shared accounts. Shared accounts, such as test accounts used by several different employees, are often overlooked when an employee is terminated, and many instances of insider sabotage involve a former employee gaining access to an employer's system through a shared account.
4. Make sure that people are aware that the terminated employee no longer works for your company. If key contacts inside and outside the organization don't know that the person they're accustomed to dealing with is no longer an employee, they may share system access or inside information that will make it easier to launch a cyberattack. Close off this route by making sure everyone who deals with that employee knows he or she has left your firm.
IT employees, with their detailed understanding of the hardware and software that run their organizations, are in a uniquely powerful position when it comes to insider cybercrime. "We saw one interesting case in a state lottery system, where a losing ticket could be redesignated as a winning ticket, using a screen in the system's computer application," says Dawn Cappelli, senior member of the technical staff at Carnegie Mellon University's Software Engineering Institute CERT Program. "Access to that screen was restricted to only a very few trusted users," she notes. "And if anyone used it, a message was automatically sent to security."
These sound like good protections, but they weren't good enough; one of the state's programmers simply modified the source code for that screen to disable the security warning and then gave himself access. It's a telling example of the power of those who manage technology to slip past the defenses their organizations seek to erect.
Profiling the Insider Cybercriminal
To help employers better understand the insider threat, CERT worked with Secret Service psychologists as well as the U.S. Department of Defense to create a model of how insiders turn to cybercrime (focusing on sabotage usually motivated by animosity, as opposed to fraud or theft motivated by personal gain). The model, Cappelli says, has three important elements:
- Personal predisposition. This is not to say that cybercriminals are necessarily born that way, but "they have some baggage they bring with them," Cappelli says. "This is why, when a whole team is faced with similar stressors, only one turns to cybercrime."
- Unmet expectations. "Maybe they didn't get a raise or a bonus they were expecting, or got turned down for a promotion," Cappelli says. "Sometimes it involved power. They expected to have control of the system or that they wouldn't have to adhere to organizational policies as did other employees. Because of these unmet expectations, they became disgruntled."
- Precipitating event. Finally, "something happens to set them off," Cappelli says. In the DBA example above, the precipitating event was learning that her employer had forwarded only negative reviews. In many cases, Cappelli notes, the precipitating event was termination. "We found that 59 percent of insiders who committed IT sabotage were former employees," she says. "In many cases, their employers chose termination as the solution to a problem, but by doing so, they made the problem much worse."
Creating Cybersecurity Policies
Reasons like these are why experts agree that the most effective ways to fight insider cybercrime focus on the human, rather than technological, elements. "A lot of people want some technology to take care of the issue, but if they don't have the basics in place, there's little they can do to reduce insider cybercrime threats," says Tom DeSot, executive vice president of Compliance and Security Operations for the network security firm Digital Defense.
Putting the basics in place begins with carefully created policies that determine who has access to critical systems and how that access is governed. Consider including
- Account management and auditing. Every time a new account is created, a neutral third party and the account owner should be notified. "One stealthy insider, anticipating his pending termination, created VPN [virtual private network] accounts for his supervisor, the CFO, and the vice president of sales, but didn't tell any of them that the accounts had been created," Cappelli recalls. When the employee in question was fired, his own account was disabled, but those VPN accounts remained active and available to him for his attack. An account audit wouldn't have been much help, since these appeared to be legitimate accounts. The only way to catch problems like these is by monitoring account creation on an ongoing basis.
- Passwords. Passwords should be strong. At least seven or eight characters, including both letters and numbers in uppercase and lowercase, was the usual minimum when this was written; current guidance such as NIST SP 800-63B weighs length and screening against known-compromised passwords more heavily than character-class rules, so treat that minimum as a floor. The policy should also govern how passwords are stored: safely locked away when not in use. "Make sure people aren't storing them under their desk blotters or in their Rolodexes," DeSot advises. "We still see this with both large and small organizations." The policy also needs to specify how often passwords will be rotated, particularly for shared accounts (test accounts, sys-admin accounts, and so on) that may be available to several users.
- Configuration controls and characterization. For the most sensitive systems, it may be a good idea to review what's running on the system on a regular basis so that someone in the security area is notified whenever a new piece of code is installed. "You can't just suddenly check your systems right before you terminate someone," Cappelli says, because most employees suspect in advance when they're about to lose their jobs and may plan ahead. "In one case, a disgruntled employee planted a logic bomb six months before he quit his job," she says. "He set it to go off six months after he left, a full year after it was planted." Only regular system monitoring can catch an attack like this one.
- Separation of duties. Separation of duties is important for data entry and approval processes, Cappelli says, so that users with access to critical data cannot manipulate it on their own behalf. In one case she describes, because a foreign currency trader for a financial institution was also a programmer, he managed to manipulate the system to hide nearly US$700 million in losses over a five-year period. Separation of duties should also be applied, she says, "so that system administrators and programmers cannot release changes independently to critical systems."
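The two account failures described in this article, the shared DBA account whose password was never rotated after its user left (tip 3 in the sidebar) and the VPN accounts whose nominal owners were never told they existed (the account management item above), both fall out of one routine comparison of the account inventory against the list of departures. The following is an added example written for this edition, not code from the article, from CERT, or from any product; the inventory fields, account names, and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """One row of the account inventory (constructed fields, not a real IAM schema)."""
    name: str
    owner: str                        # person nominally responsible for the account
    created_by: str                   # who provisioned it
    created_on: date
    owner_notified: bool              # owner (and a neutral third party) told at creation?
    password_changed_on: date
    disabled: bool = False
    shared: bool = False
    members: frozenset = frozenset()  # people who hold a shared account's password


@dataclass(frozen=True)
class Departure:
    user: str
    left_on: date


def audit_accounts(accounts, departures):
    """Return sorted (severity, code, account, user) findings.

    Three checks, each matching a failure the CERT cases describe:
      PERSONAL_ACCOUNT_ACTIVE      departed user's own account still enabled
      SHARED_PASSWORD_NOT_ROTATED  shared password unchanged since a member left
      UNACKNOWLEDGED_ACCOUNT       owner never told the account exists
    """
    gone = {d.user: d.left_on for d in departures}
    findings = set()
    for a in accounts:
        if a.disabled:
            continue
        if not a.shared and a.owner in gone:
            findings.add(("HIGH", "PERSONAL_ACCOUNT_ACTIVE", a.name, a.owner))
        if a.shared:
            # Password last changed on or before the day a member left:
            # the former employee still knows it (the DBA case).
            for member in a.members & set(gone):
                if a.password_changed_on <= gone[member]:
                    findings.add(("HIGH", "SHARED_PASSWORD_NOT_ROTATED", a.name, member))
        if not a.owner_notified and a.created_by != a.owner:
            # Flagged on every run, not only at termination; urgent once the
            # person who created the account has left (the VPN-account case).
            severity = "HIGH" if a.created_by in gone else "MEDIUM"
            findings.add((severity, "UNACKNOWLEDGED_ACCOUNT", a.name, a.created_by))
    return sorted(findings)


# Constructed sample data: two departures and a small inventory.
DEPARTURES = [
    Departure("dba_jane", date(2007, 1, 15)),
    Departure("sysadmin_rob", date(2007, 2, 1)),
]

ACCOUNTS = [
    # Jane's own account was disabled on departure: no finding.
    Account("dba_jane", owner="dba_jane", created_by="it_helpdesk",
            created_on=date(2003, 1, 6), owner_notified=True,
            password_changed_on=date(2006, 12, 1), disabled=True),
    # Shared DBA account Jane used; password never changed after she left.
    Account("dba_shared", owner="db_team_lead", created_by="it_helpdesk",
            created_on=date(2003, 1, 6), owner_notified=True,
            password_changed_on=date(2006, 11, 1), shared=True,
            members=frozenset({"dba_jane", "dba_mark"})),
    # Shared test account that was rotated after she left: no finding.
    Account("test_shared", owner="qa_lead", created_by="it_helpdesk",
            created_on=date(2005, 5, 2), owner_notified=True,
            password_changed_on=date(2007, 1, 20), shared=True,
            members=frozenset({"dba_jane", "dba_mark"})),
    # Rob's own account was never disabled.
    Account("sysadmin_rob", owner="sysadmin_rob", created_by="it_helpdesk",
            created_on=date(2004, 3, 1), owner_notified=True,
            password_changed_on=date(2007, 1, 2)),
    # VPN account Rob created for the CFO without telling the CFO.
    Account("vpn_cfo", owner="cfo", created_by="sysadmin_rob",
            created_on=date(2007, 1, 25), owner_notified=False,
            password_changed_on=date(2007, 1, 25)),
    # Same pattern, but the owner was notified: no finding.
    Account("vpn_sales_vp", owner="vp_sales", created_by="sysadmin_rob",
            created_on=date(2007, 1, 25), owner_notified=True,
            password_changed_on=date(2007, 1, 25)),
    # Created by a current employee, owner not told: lower severity, still reported.
    Account("vpn_contractor", owner="contractor_x", created_by="it_helpdesk",
            created_on=date(2007, 2, 10), owner_notified=False,
            password_changed_on=date(2007, 2, 10)),
]

if __name__ == "__main__":
    for severity, code, account, user in audit_accounts(ACCOUNTS, DEPARTURES):
        print(f"{severity:6} {code:28} {account:15} {user}")
```

The shared-account check compares dates rather than looking for a rotation event, so it also catches the common case where the offboarding checklist was followed for personal accounts but nobody owned the shared ones. Run it on a schedule against the live inventory rather than at termination time, which is the point Cappelli makes about account creation.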
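As an added example of the "configuration controls and characterization" and "separation of duties" items (this is not code from the article, from CERT, or from any product): a release gate that refuses a change approved by its own author, and a baseline comparison that reports every file on a system that was not part of an approved release. The file paths, roles, and contents are constructed for illustration. In a case like the lottery system described earlier, a programmer's unapproved edit to the redemption screen would surface as a modified file, and a scheduled job planted months in advance as an added one.

```python
import hashlib

# --- Constructed sample data (illustration only) ----------------------------
BASELINE_FILES = {
    "/app/lottery/redeem_screen.py": b"def redeem(ticket):\n    notify_security('redeem', ticket)\n    mark_winning(ticket)\n",
    "/app/lottery/audit.py": b"def log(event): write(event)\n",
    "/etc/cron.d/nightly_backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
}

ROLES = {
    "release_mgr": {"release_approver"},
    "dev_ann": {"developer"},
    "dev_bob": {"developer", "release_approver"},
}

APPROVED_RELEASE = {
    "id": "REL-101", "author": "dev_ann", "approver": "release_mgr",
    "changes": {"/app/lottery/audit.py": b"def log(event): write(event, ts=now())\n"},
}

# dev_bob holds the approver role but tries to approve his own change,
# which removes the security notification from the redemption screen.
SELF_APPROVED_RELEASE = {
    "id": "REL-102", "author": "dev_bob", "approver": "dev_bob",
    "changes": {"/app/lottery/redeem_screen.py": b"def redeem(ticket):\n    mark_winning(ticket)\n"},
}

# What a later scan of the live system finds: the approved audit.py change,
# the rejected redeem_screen.py edit installed anyway, and a cron entry that
# fires once, months later, and appears in no release at all.
OBSERVED_FILES = {
    "/app/lottery/redeem_screen.py": SELF_APPROVED_RELEASE["changes"]["/app/lottery/redeem_screen.py"],
    "/app/lottery/audit.py": APPROVED_RELEASE["changes"]["/app/lottery/audit.py"],
    "/etc/cron.d/nightly_backup": BASELINE_FILES["/etc/cron.d/nightly_backup"],
    "/etc/cron.d/cleanup": b"0 3 1 6 * root /usr/local/bin/cleanup.sh\n",
}


def fingerprint(files):
    """Characterize a system as {path: sha256(content)}."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def check_separation_of_duties(release, roles):
    """Return a list of reasons the release violates separation of duties."""
    problems = []
    if release["author"] == release["approver"]:
        problems.append("author and approver are the same person")
    if "release_approver" not in roles.get(release["approver"], set()):
        problems.append(f"{release['approver']} does not hold the release_approver role")
    return problems


def apply_release(baseline, release, roles):
    """Fold an approved release into the baseline; refuse one that fails SoD."""
    problems = check_separation_of_duties(release, roles)
    if problems:
        raise PermissionError(f"{release['id']} rejected: " + "; ".join(problems))
    updated = dict(baseline)
    updated.update(fingerprint(release["changes"]))
    return updated


def compare(baseline, observed):
    """Everything on the system that the approved baseline does not account for."""
    return {
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
        "modified": sorted(p for p in set(baseline) & set(observed) if baseline[p] != observed[p]),
    }


def run_demo():
    """Returns (was_self_approval_rejected, drift_report) for the sample data."""
    baseline = fingerprint(BASELINE_FILES)
    baseline = apply_release(baseline, APPROVED_RELEASE, ROLES)
    try:
        baseline = apply_release(baseline, SELF_APPROVED_RELEASE, ROLES)
        rejected = False
    except PermissionError:
        rejected = True
    return rejected, compare(baseline, fingerprint(OBSERVED_FILES))


if __name__ == "__main__":
    rejected, drift = run_demo()
    print("self-approved release rejected:", rejected)
    for kind, paths in drift.items():
        for path in paths:
            print(f"{kind:9} {path}")
```

The drift report is only as good as the baseline it is compared against, which is why the approved release is folded into the baseline first: a file that changed through the proper channel must not show up as a finding, or the alerts become noise and get ignored. Anything that does show up is, by construction, code that reached the system without an approver, which is exactly what a security contact should be told about.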
Just as important as the policies themselves is what happens after they are put in place, DeSot says. "It's great to have policies and procedures, but you also need someone to monitor and update them; otherwise they may just sit there and grow stale." It's equally important, he adds, to designate someone with the responsibility to make sure passwords are rotated on a regular basis.
And, Spafford says, once policies are in place, make sure everyone follows them consistently. "It's important to have a culture of honesty and security," he says. "When there are rules, everyone from the CEO on down should be accountable for following them. If there are exceptions, it may not be the person making the exception who causes the problem, but that sets an example. So you need reasonable rules and everyone adhering to them publicly."
Dealing with Troubled Employees
CERT's research shows that very frequently, insider cybercriminals exhibit changes in behavior well before they turn to sabotage. "There were observable behavioral precursors in most IT sabotage cases," Cappelli says. "They had conflicts with others, problems with drugs or alcohol, were excessively absent or late for work; their performance dropped precipitously. Many people go through these kinds of things on occasion, but if you see altered behavior over time, you should respond." In situations like this, putting mechanisms in place to provide counseling and other types of support for troubled employees is not only good human resources policy but may help prevent an unhappy employee from reaching the point of turning to crime.
Make sure that all employees understand that they need to be alert to behavior changes that could signal an employee is disgruntled, and that if a peer talks of sabotage, those comments should be reported to human resources. "In a lot of cases, someone else knew the insider was going to do something or was considering something but didn't know whom to tell," Cappelli states.
Seeing the Big Picture
One of the main obstacles to fighting insider cybercrime is that the task involves disciplines that most organizations keep separate: information systems and human resources, risk management and security. All of these are "staff" rather than "line" functions; that is, they are not directly involved with the company's core business and have no immediate effect on revenues. As a result, in many cases top managers tend to delegate insider cybercrime prevention to either human resources or IT and focus on what they consider their real work.
That's a big mistake, says Sam McQuade, professor and graduate program coordinator in the Center for Multidisciplinary Studies at the Rochester Institute of Technology. He and other experts agree that the most effective way to prevent insider cybercrime is for managers to learn about technology and for the technologists to learn about management.
"Someone who's been through a classical management training program and doesn't understand technology can be blindsided by insider cybercrime," McQuade says. "The converse is also true for someone who understands the technology but is not trained as a manager."
It's particularly important, he adds, for top managers to understand these issues as they make decisions about allocating resources for cybercrime security. "Many firms don't have a great big piggy bank to upgrade security systems across-the-board, but with expert advice, they can do an assessment of where the biggest risks are and identify what they should invest in first, second, and third," he says.
And, McQuade emphasizes, "The people who have lead responsibility for digital security should have a seat at the senior management table, because if you lose your data, you've lost everything."
Minda Zetlin's latest book, coauthored with Bill Pfleging, is The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive (Prometheus Books, 2006). The book offers more information on the human side of insider cybercrime, as well as other aspects of the business/technology divide.