WatchGuard Technologies, Inc.

With Employees Like These, Who Needs Enemies?

By Scott Pinzon, Staff Editor, WatchGuard Technologies (www.watchguard.com)

I hope you're not the type to shoot the messenger, because I have bad news about your co-workers. ICSA.net has reported the results of a survey they took in June and July 2000, co-sponsored by Global Integrity, with almost 1900 infosecurity professionals responding.

Here's the bad news: Insider sabotage is up -- 'way up. Nearly twice as many companies experienced insider attacks (such as sabotage, theft, or intentional destruction of computer property) as compared to 1999. And 41 percent more companies had to deal with employees who intentionally disclosed or destroyed proprietary corporate information.

While the details are new, the basic premise is not: your co-workers represent at least as much risk to your corporate assets as external crackers and virus writers.

Criminals in Cubicles?

Given that insiders are a genuine threat, why are we often reluctant to acknowledge it? Some reasons might be:

  • We like our co-workers and don't think of them as "the enemy" (Well, except that one smarmy guy who keeps forcing fund-raiser candy bars on everyone);

  • We "know" none of them are criminals (especially in smaller organizations);

  • We can't think of any reason why someone would be angry with our company.

We perceive our company's people as too nice to be crooked. In short, we trust them. What friendly network administrators must understand is that a great deal of the security havoc generated by employees comes from good workers with no malicious intent. Yes, they're sweet. Yes, they're cute. They're also clueless about security.

This assertion is proven by another finding of the survey: the number one insider breach problem is the installation of unauthorized software. In at least half the cases, employees were merely trying to increase their personal productivity, or seeking "harmless" amusement. But for those survey respondents who found unauthorized software on their systems, 33 percent -- a full third -- reported that the software caused data corruption. Eleven percent reported that unauthorized software caused a temporary loss of Internet access. In smaller measures, other impacts of unauthorized software included disclosure of sensitive information, public embarrassment or bad PR, and even the temporary loss of the corporate Web site. Is any of that worth it just so a few wacky guys in Sales can enjoy Unreal DoomQuake Arena Tournament IX?

If you have telecommuters or other home computers connected to your system, your exposure to security risks is obviously greater. Workers feel more free to install preferred software on machines they run at home, regardless of whether the machine is technically theirs or yours. They'll install pirated copies of software, unaware that pirated software is a notorious source of Trojans; they'll leave passwords where 15-year-old son Brandon can find them, unaware that Brandon is a burgeoning script kiddy (known online as D3vi1Sp1k3); and God knows what kind of web sites they visit away from the boss's view. Cumulatively, this leaves your network about as secure as the candy inside a piñata -- all without malicious intent.

Spooks and Samaritans

A study from Eric Shaw, Jerrold Post, and Keven Ruby supports the notion of the accidental saboteur. Shaw, Post, and Ruby are, respectively, a specialist in individual and group psychology; a former CIA man; and a senior analyst of insider computer crime. Together, as the principals of PPA/IS (Political Psychology Associates/Information Security), they have identified eight sub-types of insider perpetrators, categorized according to motivation and work relationships. Three of the eight perpetrator types typically have no criminal intent:

  • Explorers -- curious individuals too busy chasing the White Rabbit to notice they're violating company information policies

  • Samaritans -- individuals who hack systems and bypass protocols to fix problems or help co-workers accomplish assignments

  • Exceptions -- individuals who, for whatever reason, simply feel entitled, special, and above the rules set for all the other employees.

These types really are not trying to turn your security shield into a sieve. It just comes naturally.

Another thing Shaw, Post, and Ruby have documented is that many of the personalities who intentionally harm your network do it because of a meltdown in their personal lives, unrelated to work. So, even if your company has never fired anyone a month before their stock options fully vest, that doesn't guarantee no employee will try to harm you.

What to Do?

For the sake of argument, let's stipulate that you now view even the friendliest co-worker as a walking, seething time bomb of cybermayhem. What can you do about it?

As a network administrator, you're probably predisposed toward seeking a technological fix. Technology is rarely the answer to internal issues because insiders almost always find a way around the technology. Of the four most helpful things you can do, only the last one is really technology-based:

  1. Educate. Most of those good-natured people unintentionally, yet efficiently, dismantling your security would stop if they knew it was ruining your day (not to mention, hurting corporate assets). Explain to all employees, and every new one joining henceforth, about the hazards of unauthorized software. Be sure to point out that when they are doing harm, it won't seem like it, so they need to trust your wisdom on this. Keep letting them know you care, and they'll care, too.

  2. Develop and enforce a security policy. The ICSA.net survey found that organizations with a security policy actually do detect a greater number of security attacks and insider incidents than those that don't have a policy. Those companies also knew what to do when they found employees porn surfing, online trading, gambling online, or managing personal e-commerce sites from corporate computers. You want to formulate your response to these practices while calm and collected, not when hostile lawyers force the issue on you.

  3. Implement screensavers that require a password. Insider attacks are often spurred by opportunity. Leaving a workstation logged in to your network and unattended does not help honest people stay honest. Enforce a 5- or 10-minute timeout on idle computers that requires the user to re-log in, thus heading off opportunists.

  4. And now the technology part (drum roll, please): implement several layers of security. The ICSA.net survey found that firms with many security controls in place notice (and, presumably, defeat) more attacks and breaches. You already employ user IDs and passwords. You already use firewalls. Adding tools such as authentication tokens, VPNs, transactional encryption (SSL/SET/SHTTP), and server security software enhances your security and limits the damage an insider can do.
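The idle-lock requirement in item 3, turned into a concrete workstation setting. This is an added PowerShell example, not code from the original article or from WatchGuard: it audits the three screen-saver values Windows actually reads (saver enabled, password required, idle timeout), reports anything weaker than the article's 10-minute ceiling, and then writes the corrected values under the per-user Policies key so the setting cannot simply be switched off from the Control Panel. It assumes a Windows workstation and an administrative session (standard users can read but not write the Policies key); the function names and the `$MaxIdleSeconds` constant are the example's own.

```powershell
# Added example (not from the original article): audit, then enforce, a
# password-protected screen saver with an idle timeout of at most 10 minutes.
# Run from an administrative PowerShell session on the workstation, or push
# the same three values with Group Policy (User Configuration >
# Administrative Templates > Control Panel > Personalization).

$MaxIdleSeconds = 600   # article's 10-minute ceiling; use 300 for 5 minutes

# Policy key wins over the user's own preferences when both are present.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

function Get-IdleLockSetting {
    # Return the effective value of one setting, preferring the policy key.
    # All three values are REG_SZ strings on Windows ("1", "600", ...).
    param([string]$Name)
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

function Test-IdleLockCompliant {
    # Return a list of problems; an empty list means the workstation complies.
    $active  = Get-IdleLockSetting 'ScreenSaveActive'
    $secure  = Get-IdleLockSetting 'ScreenSaverIsSecure'
    $timeout = Get-IdleLockSetting 'ScreenSaveTimeOut'
    $problems = @()
    if ($active -ne '1') { $problems += 'screen saver is not enabled' }
    if ($secure -ne '1') { $problems += 'screen saver does not require a password' }
    if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $MaxIdleSeconds) {
        $problems += "idle timeout is '$timeout' seconds (maximum allowed $MaxIdleSeconds)"
    }
    return ,$problems
}

function Set-IdleLockPolicy {
    # Weak (a common default): saver off, no password, or a very long timeout.
    # Corrected: saver on, password required, timeout at or below the ceiling.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'               -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'               -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$MaxIdleSeconds" -Type String
}

$before = Test-IdleLockCompliant
if ($before.Count -eq 0) {
    Write-Host 'Idle-lock settings already compliant.'
} else {
    Write-Host "Non-compliant: $($before -join '; ')"
    Set-IdleLockPolicy
    $after = Test-IdleLockCompliant
    if ($after.Count -eq 0) { Write-Host 'Policy written; settings now compliant.' }
    else { Write-Host "Still non-compliant: $($after -join '; ')" }
}
```

The audit half is the part worth running on its own across a fleet: a timeout value that is present but set to several hours is just as much an open door as no screen saver at all, which is why the check compares the number against a ceiling rather than testing for presence. The written values take effect for the user's next logon (or after a policy refresh), so a one-off run on a live session does not lock it retroactively.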

The Bottom Line

Purposeful insider breaches are rising, but you don't need overt criminals in your organization to have an insider security problem. Even nice people sometimes -- no, make that often -- throw the gates open to the barbarians. I now activate the VCS (Venerable Cliché Server, the bizarre result of a collision between a 386 Win 3.1 machine and a pallet of fortune cookies) for the final word:

  • With friends like these, who needs enemies?

  • Locked doors help keep honest people honest.


  • ICSA.net Survey Report

  • Shaw, Post, and Ruby report on insider perpetrator types

  • Shaw, Post, and Ruby report on managing insider threats

  • Recommended white paper on layered security, or "defense in depth"