With Employees Like These, Who Needs Enemies?
By Scott Pinzon, Staff Editor, WatchGuard Technologies (www.watchguard.com)
I hope you're not the type to shoot the messenger, because I have bad news about your co-workers. ICSA.net has reported the results of a survey they took in June and July 2000, co-sponsored by Global Integrity, with almost 1900 infosecurity professionals responding.
Here's the bad news: Insider sabotage is up -- 'way up. Nearly twice as many companies experienced insider attacks (such as sabotage, theft, or intentional destruction of computer property) as compared to 1999. And 41 percent more companies had to deal with employees who intentionally disclosed or destroyed proprietary corporate information.
While the details are new, the basic premise is not: your co-workers represent at least as much risk to your corporate assets as external crackers and virus writers.
Criminals in Cubicles?
Given that insiders are a genuine threat, why are we often reluctant to acknowledge it? Some reasons might be:
We perceive our company's people as too nice to be crooked. In short, we trust them. What friendly network administrators must understand is that a great deal of the security havoc generated by employees comes from good workers with no malicious intent. Yes, they're sweet. Yes, they're cute. They're also clueless about security.
This assertion is proven by another finding of the survey: the number one insider breach problem is the installation of unauthorized software. In at least half the cases, employees were merely trying to increase their personal productivity, or seeking "harmless" amusement. But for those survey respondents who found unauthorized software on their systems, 33 percent -- a full third -- reported that the software caused data corruption. Eleven percent reported that unauthorized software caused a temporary loss of Internet access. In smaller measures, other impacts of unauthorized software included disclosure of sensitive information, public embarrassment or bad PR, and even the temporary loss of the corporate Web site. Is any of that worth it just so a few wacky guys in Sales can enjoy Unreal DoomQuake Arena Tournament IX?
If you have telecommuters or other home computers connected to your system, your exposure to security risks is obviously greater. Workers feel more free to install preferred software on machines they run at home, regardless of whether the machine is technically theirs or yours. They'll install pirated copies of software, unaware that pirated software is a notorious source of Trojans; they'll leave passwords where 15-year-old son Brandon can find them, unaware that Brandon is a burgeoning script kiddy (known online as D3vi1Sp1k3); and God knows what kind of web sites they visit away from the boss's view. Cumulatively, this leaves your network about as secure as the candy inside a piñata -- all without malicious intent.
Spooks and Samaritans
A study from Eric Shaw, Jerrold Post, and Keven Ruby supports the notion of the accidental saboteur. Shaw, Post, and Ruby are, respectively, a specialist in individual and group psychology; a former CIA man; and a senior analyst of insider computer crime. Together, as the principals of PPA/IS (Political Psychology Associates/Information Security), they have identified eight sub-types of insider perpetrators, categorized according to motivation and work relationships. Three of the eight perpetrator types typically have no criminal intent:
These types really are not trying to turn your security shield into a sieve. It just comes naturally.
Another thing Shaw, Post, and Ruby have documented is that many of the personalities who intentionally harm your network do it because of a meltdown in their personal lives, unrelated to work. So, even if your company has never fired anyone a month before their stock options fully vest, that doesn't guarantee no employee will try to harm you.
What to Do?
For the sake of argument, let's stipulate that you now view even the friendliest co-worker as a walking, seething time bomb of cybermayhem. What can you do about it?
As a network administrator, you're probably predisposed toward seeking a technological fix. Technology is rarely the answer to internal issues because insiders almost always find a way around the technology. Of the four most helpful things you can do, only the last one is really technology-based:
The Bottom Line
Purposeful insider breaches are rising, but you don't need overt criminals in your organization to have an insider security problem. Even nice people sometimes -- no, make that often -- throw the gates open to the barbarians. I now activate the VCS (Venerable Cliché Server, the bizarre result of a collision between a 386 Win 3.1 machine and a pallet of fortune cookies) for the final word:
ICSA.net Survey Report