
Security

05:25 PM
Larry Greenemeier, InformationWeek, With Sharon Gaudin

The Threat From Within

Insiders represent one of the biggest security risks because of their knowledge and access. To head them off, consider the psychology and technology behind attacks.

Who Can You Trust?

When it comes to current employees, IT managers must keep an eye out for insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues -- all warning signs someone may be capable of system sabotage or data theft. "The biggest misconception about preventing insider attacks is that IT needs to worry only about technology issues and HR has to worry only about personnel issues," Cappelli says.

Defending against insiders isn't easy, but knowing what to look for certainly helps, says Shaw, who co-authored a report last year titled, "Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders."

IT managers must be watchful any time someone with access to sensitive systems has a falling out with his or her bosses. That's what happened with Duronio, who was upset over his bonus. It's also the story of Claude Carpenter, who worked for government contractor Network Resources doing part-time systems administration on three Internal Revenue Service servers. In May 2000, suspecting he'd be fired after a dispute with a coworker, Carpenter inserted lines of code that would command the three servers under his care to wipe out data if network traffic reached a certain level. He tried to conceal his activities by turning off system logs and removing history files, but he aroused colleagues' suspicion by calling several times to ask "if anything was wrong with the servers," according to a July 2001 Justice Department description of the case. Carpenter was sentenced to 15 months in prison and ordered to pay $108,800 in restitution.

Managers must not only monitor system access, but also let employees know their system changes can be tracked. Employers should be wary of people unwilling to share their knowledge about systems or uncomfortable with the fact that their activities accessing systems or data can be tracked.

One related element: Make sure each IT worker has just enough system access to get his or her job done. "Usually, a person who does damage was given more access than they needed," says Bill Moylan, senior director of Aon Consulting's IT risk consulting group, who spent 25 years with the Nassau County Police Department in New York. He relates that one financial services CIO makes that point by not giving himself data center access, since he doesn't need to be in there to do his job. Access can be something of a status symbol, so don't wait for IT staffers to complain about having too much, Moylan says.

This is the CIO's problem to solve. Though technology is everywhere in companies, insider system attacks are nearly all driven by scoundrels working in IT who have the knowledge and access to pull them off. A recent survey by the Secret Service and CERT Coordination Center/SEI indicates that 86 percent of internal computer sabotage incidents are perpetrated by tech workers.

The rise of identity theft and the heightened sensitivity around customer data have raised the stakes. One of the first insider cases to drive this point home was that of former Prudential database administrator McNeese, who was charged with identity theft, credit card fraud and money laundering for stealing records from a Prudential database. McNeese received three years' probation, was ordered to pay $3,000 in restitution and was required to get psychiatric treatment.

Employees most likely to commit insider theft or sabotage share a number of characteristics, which can include mental health disorders, personalities that clash with authority and a history of behavioral violations in the workplace, often documented by HR, says Shaw, who has worked as a consultant to the Defense Department profiling characteristics of insiders who commit computer crimes.

Other clues are less academic but no less important. Simply getting to know employees will create loyalty and may even tip off potential problems. "If a guy on your staff needs an extra $20,000 to pay for his kid's college tuition, he might try to sell credit card numbers," says David Giambruno, VP of global service delivery for cosmetics company Revlon and formerly the director of engineering, security and deployment at Pitney Bowes.
