Locating the real threats to corporate security

In 2006, sysadmin and programmer Roger Duronio was found guilty of planting malware — known as Unix logic bombs — in investment bank UBS. The company claimed the resulting damage cost an estimated $3.1m.

The motivation? Duronio allegedly received a bonus from his employer that he was not happy with. He complained and eventually quit, but not without leaving behind a parting gift.

Following Duronio's swift departure, a series of logic bombs triggered, deleting vital files from approximately 2,000 of the investment bank's servers.

At the subsequent trial Duronio maintained his innocence, and pointed to alleged security holes in the bank's systems to explain the breach — security holes that he maintained he had attempted to bring to the attention of his employers. However, two copies of the virus found on Duronio's home computer systems and a printout of the virus on his dresser convinced the jury that he was guilty. The 63-year-old was eventually sentenced to eight years' imprisonment.

The Duronio case highlights one of the mainstays of IT security planning — that employees are a bigger threat than external forces. One study estimated that 90 percent of economic computer crimes were committed by employees of the victimised companies.

Insider-threat studies by the US Computer Emergency Response Team (CERT) show that one of the main motivations for company employees instigating security breaches is revenge, rather than corruption or infiltration by organised crime.

The most recent study released by US CERT on insider threats found that the majority of insiders were disgruntled and motivated for revenge by "a negative work-related event", and chose to get even by trying to sabotage the IT systems.

Most attacks perpetrated by insiders don't just come out of the blue. CERT found that 80 percent of insiders exhibited "concerning behaviour" prior to attack, including lateness, truancy, arguments with co-workers and poor job performance.

Inside cyberattacks are most likely to come from those with the keys to the crown jewels. Eighty-six percent of the insiders held technical positions, while 90 percent of them were granted system administrator or privileged system access when hired by the organisation.

Many of these technically proficient, disgruntled employees used privileged system access to take technical steps to set up the attack before they were fired. Insiders created a backdoor account, installed and ran a password cracker, took advantage of ineffective security controls in firing processes, or exploited gaps in their organisation's access controls to wreak technical havoc.

Stephen Bonner, head of information security risk at Barclays, says there are four main areas of motivation for insiders compromising company data. These are: money or items of value; ideology; a situation in which they themselves are compromised and are responding to blackmail; or ego, leading to revenge or justification.

Trusted insiders are obviously in a unique position to wreak havoc on their company systems — especially if they enjoy admin privileges or other special access granted to IT staff. However, disgruntled staff are not the only threat to business security, and there is mounting evidence that they may be less of a problem than they once were.

Cybercrime shift
Recently, experts have begun to pick up on a shift in who is perpetrating cybercrime. Computer-related fraud and other crimes have become big business. Figures released in 2005 by the former National High Tech Crime Unit, now part of the Serious Organised Crime Agency (SOCA), put the cost of cybercrime to the UK at £2.45bn.

The UK's Metropolitan Police Department described cybercrime as "the most rapidly expanding form of criminality, encompassing both new criminal offences in relation to computers (viruses and hacking etc), and 'old' crimes (fraud, harassment etc), committed using digital or computer technology."

Given this escalation of cybercrime, some experts claim the ratio of internal versus external threats has shifted and even reversed. According to the US IT skills and training organisation, SANS Institute, only 38 percent of security breaches are now caused by insiders.

A mantra that has been repeated by the security community for years is: "Hackers are no longer kids in back bedrooms looking for glory — they are now serious organised criminals, motivated by profit."

There is plenty of evidence to back this assertion up. While there are still individuals accused of hacking who claim to have been motivated by idealistic notions, such as finding evidence of extraterrestrials, a whole black economy operates around the generation of malware.

The compromise and sale of herds of zombie computers known as "botnets" is one way cybercriminals perpetrate crime.

According to the FBI, "a botnet is a collection of compromised computers under the remote command and control of a criminal "botherder". Most owners of the compromised computers are unknowing and unwitting victims. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy", the agency claims.

In response to this threat, earlier this month the FBI launched "Operation Bot Roast", which is determined to disassemble botnets and discourage criminal activity. However, botnets can still be used to try to compromise company computer systems through the distribution of spyware and malware.

A more insidious external threat comes from spearphishing through malware in targeted emails, while IT managers are also...

...concerned about web threats such as cross-site scripting attacks, as more applications vendors move services online.

Many companies have invested in the technology necessary to secure systems and in educating employees in good security practice. But new methods such as Wi-Fi hacks are emerging all the time, so any security policy has to evolve to keep pace.

Hackers who stole 45 million customer records from TJX, the parent company of TK Maxx, did so by breaking into the retail company's wireless LAN. TJX had secured its wireless network using Wired Equivalent Privacy (WEP) — one of the weakest forms of security for wireless LANs. Hackers broke in and stole the records — which included millions of credit-card numbers — in the second half of 2005 and throughout 2006.

Infiltrating businesses
The involvement of organised gangs in cybercrime has also led to a blurring of the line between internal and external threats.

Speaking at the Infosecurity 2006 conference in London, Tony Neate, e-crime liaison for the SOCA, said insider "plants" are causing significant damage to companies.

"[Organised crime] has changed. You still have traditional organised crime, but now they have learned to compromise employees and contractors. [They are] new age, maybe have computer degrees and are enterprising themselves. They have a wide circle of associates and new structures," he added.

SOCA paints a bleak picture of the threat to business from organised crime, especially criminals corrupting the susceptible. As well as the criminal justice system being exposed to corruption, some local and central government employees are not above the odd back-hander, says SOCA, while accountants and bankers may be seduced by the lure of ill-gotten gains.

"The use of corruption by serious organised criminals is not restricted to those employed within the criminal justice system, or only for essentially defensive purposes," said SOCA's most recent report, the 2006 United Kingdom Threat Assessment of Serious Organised Crime.

"There are examples of corrupt relationships with central and local government employees, accountants, and others in the financial field, plus a range of other professionals, all aimed at facilitating money-making criminal activity," said the report. "Similarly, serious organised criminals involved in high-value robberies or lorry thefts may look to corrupt someone with inside information about security measures at sites where valuable items are stored, or about shipment details of such items."

When asked by ZDNet.co.uk, neither SOCA nor the Home Office could provide statistics showing just how much of a threat organised crime is to businesses in terms of infiltration rates, or the relative percentages of IT security breaches caused by insiders and outsiders.

Spotting the mole
Behaviour is the key to determining whether an insider is a threat to your organisation, according to Stephen Bonner. While the CERT team reported on negative behaviour, Bonner said that positive behaviour could also be displayed by criminals who had managed to infiltrate organisations.

"Some of the main indicators are a willingness to work late, taking an interest in other people's work, and trying to extend responsibility. Unfortunately, these are also the signs of a good employee," says Bonner.

However, there are still some obvious ways to spot potential moles in your business, according to Bonner. Approximately half of the people who turned out to be employed by organised criminal gangs already had criminal records, indicating that organisations concerned about infiltration should employ rigorous screening of job applicants. As the goal of an outsider is to become an internal administrator, reducing the number of accounts with administrator privileges controls both internal and external threats, he claims.

There are other ways to protect information from employees who may be acting suspiciously. Richard LeVine, senior manager at Accenture, who will be hosting a talk on the risks posed by insiders at the RSA Conference Europe in London later this year, claims there are technologies available to limit the damage employees can do - even if documents are held on an employees home computer: "With the application of Information Leak Prevention and DRM technologies we can begin to lock down leaks and make it possible to revoke all document access when an employee leaves a firm, even if there are documents on the employees home computer – we don’t have to delete them or even ask to see his home computer – we just revoke the key and they cannot be opened. This even serves to revoke documents on read only media such as CD-R disks," he says.

IT managers obviously have a difficult balancing act when it comes to protecting systems from both within and without. If recent predictions that more attacks now come from external sources are correct, IT managers should not blindly rely on technology to mitigate security threats, according to analyst Jon Collins of Freeform Dynamics.