A couple of readers responded to my recent blog posting on the internal threat. As developers, it is obvious to them how easy it would be for an unscrupulous admin, DBA, or programmer to defraud the organization they work for. One reader, kckn4fun, recently built a single sign-on application for his employer. He says:
“Now if I was really unscrupulous... what is to stop me from logging every username and password to SMTP without anyone ever knowing it was in the code? I could compile an external library, to which nobody else would know what it did, and I could simply say it was a necessary library I downloaded as open source. Now then, I don't do anything until I make an entry in the config file.”
Another reader, Vdenisov, states:
I've been working on a large Internet payment system as of late. Specifically, I've developed a library responsible for passing card transactions to appropriate processors. As such, I can access thousands of real-world CC details - I'm positive that I can sneak in a few lines of code that will forward such detail from production system to me in some inconspicuous way.
There're no real technical means to deter me from doing this, save for a full-blown code security audit - and even that won't necessarily find the hole - I know pretty well how such audits are done and will, of course, take necessary precautions.
But of course I'll never do such a thing - my professional ethics and self-esteem do not allow for such behavior. But I know of several less scrupulous fellows who now make quite a decent living by leaving such backdoors in the systems they develop.
These are just two examples of how easy it is for those with the keys to your applications and your data to hurt you.
The industry is starting to respond to this threat. Imperva just introduced a database monitoring product: a network device that watches database access and can alert on unusual activity. Application Security, Inc. has a similar offering, as well as database vulnerability scanning and database encryption products.
It is only through good coding practice and real-time monitoring that organizations are going to be able to address the insider threat.
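To make the "alert on unusual activity" idea concrete, here is an added example (not code from the post, nor from either vendor's product) of the kind of check a database activity monitor applies: it baselines how many rows each application account normally pulls from each table, then flags a bulk read like the card-detail dump Vdenisov describes, and any table an account has never touched before. The audit records, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of database audit records: (hour, db_user, table, rows_returned).
# Hours 0-11 are normal payment traffic, a dozen card rows per hour. The last two
# records are the anomalies we want to catch: a bulk read of the card table and a
# read of a table the account has never touched in the baseline window.
SAMPLE_AUDIT = [
    (h, "payment_app", "card_details", rows)
    for h, rows in enumerate([12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 14])
] + [
    (12, "payment_app", "card_details", 4800),   # constructed: bulk dump of card data
    (12, "payment_app", "merchant_config", 3),   # constructed: never-seen table access
]

def baseline(records, train_hours):
    """Per (user, table): mean and population std-dev of rows returned per hour
    over the first `train_hours` hours of audit data."""
    per_key = defaultdict(list)
    for hour, user, table, rows in records:
        if hour < train_hours:
            per_key[(user, table)].append(rows)
    return {k: (mean(v), pstdev(v)) for k, v in per_key.items()}

def detect(records, train_hours=12, z_threshold=4.0):
    """Return one alert string per anomalous record after the training window:
    a row count far above the baseline (z-score > threshold), or a (user, table)
    pair that has no baseline at all."""
    base = baseline(records, train_hours)
    alerts = []
    for hour, user, table, rows in records:
        if hour < train_hours:
            continue
        key = (user, table)
        if key not in base:
            alerts.append(f"hour {hour}: {user} read {table}, not seen in baseline")
            continue
        mu, sigma = base[key]
        if sigma:
            z = (rows - mu) / sigma
        else:  # constant baseline: any deviation at all is anomalous
            z = float("inf") if rows != mu else 0.0
        if z > z_threshold:
            alerts.append(f"hour {hour}: {user} returned {rows} rows from {table} "
                          f"(baseline {mu:.0f}/hour, z={z:.1f})")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_AUDIT):
        print(line)
```

A real monitor would key on more than row counts (time of day, source host, query shape), but the structure is the same: learn what each account normally does, then alert on departures from it.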