Most computer attacks come from the outside. But the costliest ones come from the inside. Here's how to manage the risk without making honest employees feel like crooks.
- Learn why your biggest security risks are inside your organisation.
- See how guarding against internal threats can protect against external ones too.
- Discover how CIOs balance the need to trust workers with efforts to reduce risks.
When John Michael Sullivan moved to Charlotte, North Carolina, to help develop a mobile computer program for Lance Incorporated, he hung up an old plaque. Inscribed "Dr Crime's Terminal of Doom", the memento celebrated Sullivan's youthful love of the movie Indiana Jones and the Temple of Doom - and his reputation as a computer hacker who went by the handle Dr Crime.
"I was a hacker long before being a hacker was cool," Sullivan wrote on a Web page the FBI later found on his hard drive, describing his affection for the plaque. "More than once I was accused (falsely?) of perpetrating acts of computer crime against various systems and agencies. But regardless if I did or didn't, I never got caught . . . And although I have 'settled in' to a real job, Dr Crime still lives . . . quietly, anonymously and discreet."
Or not. After Sullivan was demoted at snack-food maker Lance in May 1998, he planted a logic bomb. This malicious code, set to execute on September 23, 1998, the anniversary of his hire date, would destroy part of the program being written for the handheld computers for Lance's sales force. When the bomb went off - months after Sullivan had resigned - more than 700 salespeople who rove the Southeastern United States with truckloads of Captain's Wafers, Cape Cod Potato Chips and Toastchee crackers couldn't communicate electronically with headquarters for days, and Lance feared the attack might cost $US1 million.
The evidence Dr Crime left is unique, but the scenario? Hardly. Whether it's sabotage or the theft of trade secrets, a growing number of companies are learning the hard way that their biggest security risks are on the inside. Employees, contractors, temps and other insiders are trusted users. They know how a company works, and they understand its weaknesses - and that gives the occasional bad apple a chance to really make things rotten.
Rather than handling the situation internally as something to cover up, as do many companies faced with insider crime, Lance decided to act. "We wanted to send the message that these types of actions were not accepted by senior management," said Rudy Gragnani, vice president of IS at the $US583 million company, in an interview that his edgy legal department allowed him to conduct only via e-mail. "The livelihood of our sales representatives was being impacted, and we took this situation very seriously."
In April 2001, the then-40-year-old Sullivan - who also wrote on that Web page that he'd relocated from New York to North Carolina to give his family a better quality of life - was sentenced to two years in prison without parole and ordered to pay almost $US200,000 restitution. He lost an appeal in February 2002.
Damage by insiders such as Sullivan "is an incredibly fast-growing problem", says Patrick Gray, who worked for the FBI for 20 years until he retired in late 2001 to join Internet Security Systems, a managed security company based in Atlanta. "It's a tough threat that CIOs are going to have to address. Whether you're a Fortune 100 company or a three- or four-person company, you still have to deal with that biosphere that sits between the keyboard and the chair."
Supposedly the wake-up calls came in 1996, in computer sabotage's most famous chapter, when a former systems administrator at New Jersey-based Omega Engineering unleashed malicious code that cost the company more than $US10 million; in February 2002, Tim Lloyd, 39, was sentenced to 41 months in federal prison and ordered to pay Omega more than $US2 million in restitution.
But the bells are still ringing.
This past January, software vendor NetSupport worked with the FBI to arrest a sales manager who allegedly offered to sell the company's customer list to at least two competitors for $US20,000.
And in March, the FBI arrested a former employee of Global Crossing on charges of identity theft and posting threatening communications on the Internet - this after he allegedly posted menacing messages and personal information at his Web site (including Social Security numbers and birthdays) about hundreds of current and former employees at the communications company.
Those cases attract wide publicity, yet observers say they are surprised at how little companies do to minimise the risk posed by employees. "I'll talk to my peers in other organisations, where it's sort of: 'We think we're protected - there's a guy downstairs who takes care of it'," says Tim Talbot, senior vice president and CIO at Maryland-based PHH Arval, a fleet-management company that's a subsidiary of the Avis Group. "OK, so the guy downstairs has never made a mistake, knowingly or unknowingly?"
Many companies don't do enough to protect against insider threats because they are leery of breaking the trust they have built with their employees. Treat someone like a criminal, the thinking goes, and he might start to act like one. The good news is that there are some easy ways to improve internal security without making honest people feel like crooks - steps that will help protect against external threats as well. Here are five things you can do.
1 | Emphasise Security from Day One
Good security starts with whom you hire, and that's why it's crucial to have a pre-employment screening, including reference checks, says one executive who's been there. "You really have to know the people that you're hiring and make sure that their interests ally with yours," says Craig Goldberg, CEO of New York City-based Internet Trading Technologies, which successfully prosecuted two employees who, unhappy with the company, attempted extortion and then attacked the company's systems.
CIOs can also limit the damage any one employee can do by setting up access controls that map a person's job function to the resources he needs to do that job. Do that from day one, and your company can avoid giving the impression that access levels have to do with him as a person - they're simply part of a given job function. (See "Software Sentries", page 110, for details on the technology that can help you do this.)

Also, there should be checks and balances in place that minimise the damage that one IT employee could do. One person might be in charge of changing files, another in charge of changing the network fabric and a third in charge of modifying payroll records. "Most big computer systems have a log-in that might be in a generic way described as the superuser," says Daniel Geer, CTO of managed security company @Stake. "If I gain the superuser power and I should not have it, the question is: how far does it extend? I'd rather not have the power to change the company invested in one person - not because I don't trust that person, but because if their credentials are stolen, that is an uncontainable risk."
2 | Build Security from the Inside Out
These access controls are only the first step toward a decreasing emphasis on what's known as perimeter protection - security's equivalent of the moat around a castle. Surprisingly, more than half of companies that responded to one CIO (US) survey last year don't have critical information restricted to a confined area, separate from other information that requires less security. In other words, once an intruder gets over the moat, he won't even need to pick a lock to get the crown jewels. "Some corporations run hard on the outside and soft on the inside: once you get in, you have free access," says Larry Bickner, vice president and information security officer at Nasdaq in New York City.
To protect its trading floor, Nasdaq takes the opposite approach, and one that experts recommend: progressive hardening from the inside out. "We break our world into various trust zones, and we control who's within that zone or space," Bickner says. "I don't have access to human resources servers or systems. It's not part of my job. We have a completely different trust space for the market system, and where those overlap, we control those connections very strictly . . . Even if one layer isn't set correctly, the other layers compensate. That layering gives you hardening. Our architecture is hardened to the point that when you're on the inside, it's not much easier to get at things, frankly, from being on the outside."
3 | Make Security Part of the Culture
Another key element is establishing a culture that values security. That helps keep the honest people honest and makes it easier to deal with people who cross the line. At George Washington University in Washington, DC, the CIO and his information security officer, Krizi Trivisani, have made computer security part of the university's code of conduct that students, faculty and staff have to read and sign once a year. "Policy is a great vehicle," says CIO Dave Swartz. "Of course, you have to be ready to enforce the policy, and that's the problem. What's the hammer?" Swartz's department forwards people who break security policies (including students who try to test hacker techniques they've learned in class) to the appropriate disciplinary organisation, but it prefers to focus on prevention. The IT department hosts regular security forums and invites members of the legal department, compliance office, and audit, policy and student groups. "Education and awareness is a very powerful tool," Swartz says.
CIOs who decide to implement stricter policies for employees should be doubly sensitive to educating users about reasons for the changes. "This is a classic situation where what your culture is and what you've done in the past lays a foundation for future efforts," says Mitchell Marks, an organisational psychologist in San Francisco. "If you don't explain why you are [increasing security], then people will talk about it at the coffee machine, fill in the information voids with perceptions that are probably more negative than reality [and conclude]: leadership doesn't trust us."
4 | Watch for Unusual Activity
Despite those precautions, companies also need to protect against the possibility that those levels of security will be broken. At Sony Pictures Entertainment, right before a big movie release like Spider-Man, the hacks start coming from insiders and outsiders who want to get a prereleased version of the movie or see the stars' salaries. That's where the company's intrusion detection system (IDS) steps in, by watching for unauthorised activity. Employees who poke around for inappropriate information on Sony's network might generate an alert that lands on the desk of Jeff Uslan, the company's director of information protection and security. "The system would tell me your machine address and IP address," he says. "You might get a call from myself, saying: 'Is there something I can help you with, because you're trying to get into these files that you shouldn't.'" The IDS would also help Uslan find out if a hacker had infiltrated Sony's system and was using an employee's credentials or computer to launch an attack.
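The two ideas above, mapping each job function to the resources it needs (section 1) and alerting on an employee who reaches for files outside that job (section 4), fit together as one check. This is an added example, not code from the article or from any company it quotes; the policy, user names, IP addresses and log lines are all constructed for it.

```python
"""Job-function access policy replayed against an access log.

Added example, not code from the article or from any company it quotes.
Section 1 maps each job function to the resources it needs and warns
against one person holding too much power; section 4 describes an IDS that
flags an employee reaching for files outside their job. The policy, users
and log lines below are all constructed for the example.
"""

# Hypothetical policy: job function -> resources that function needs.
JOB_RESOURCES = {
    "sales_rep": {"route_app", "order_db"},
    "sysadmin": {"file_server", "route_app"},
    "netadmin": {"network_fabric"},
    "payroll_clerk": {"payroll_db"},
}

# Hypothetical directory: user -> job function.
USERS = {"jdoe": "sales_rep", "asmith": "sysadmin",
         "rlee": "netadmin", "pmartin": "payroll_clerk"}

# Constructed log lines: timestamp user src_ip resource action
ACCESS_LOG = """\
2002-05-01T09:12:03 jdoe 10.1.4.23 order_db read
2002-05-01T09:14:41 asmith 10.1.9.7 file_server write
2002-05-01T09:20:15 jdoe 10.1.4.23 payroll_db read
2002-05-01T09:21:02 asmith 10.1.9.7 network_fabric write
2002-05-01T09:25:30 ghost 10.1.7.99 order_db read
"""


def allowed(user, resource):
    """True only if the user's job function includes the resource."""
    job = USERS.get(user)
    return job is not None and resource in JOB_RESOURCES.get(job, set())


def review_log(log_text=ACCESS_LOG):
    """Alert on every access that falls outside the user's job function.

    A name with no job function is alerted as well: it should not appear
    in the log at all and may be a stale or stolen credential.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, resource, action = line.split()
        if not allowed(user, resource):
            reason = "outside job function" if user in USERS else "unknown user"
            alerts.append({"time": ts, "user": user, "src_ip": src_ip,
                           "resource": resource, "action": action,
                           "reason": reason})
    return alerts


def duty_conflicts(toxic_pairs):
    """Job functions holding both halves of a pair that should be split
    between two people, e.g. changing files and changing payroll records."""
    return [(job, a, b) for job, res in JOB_RESOURCES.items()
            for a, b in toxic_pairs if a in res and b in res]
```

Running `review_log()` on the constructed log yields three alerts: the sales rep reading the payroll database, the sysadmin writing to the network fabric, and an unknown name reading the order database.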
In addition to an IDS, California-based shipping company APL uses a product called Silent Runner, from a company by the same name, to get a visual look at what's happening on its network - a high number of FTP downloads, for example, or unusual activity in a department that is going through a painful reorganisation, or even e-mails that match keyword searches. "I have a bird's-eye view of what's happening," says Van Nguyen, director of information security. "I don't necessarily look at every single one of the 11,000 employees, but when I need to I can."
That isn't enough for everyone, of course. Some companies, especially ones that deal with financial transactions or other sensitive information, will have to take a more extreme route and use more sophisticated monitoring and controls. (For a checklist of the internal controls at one company that deals with wads of cash, see "How Harrah's Protects the House's Money", page 120.)

5 | Know How to Let Go

A little sensitivity when someone leaves the company can go a long way in avoiding retaliation or sabotage. But there are technical details to take care of as well. It can take months for IT departments to painstakingly close the accounts of a former employee. That usually happens because of poor communication with HR or because there are so many different accounts controlled by different systems administrators. It is a major problem not only because former employees might attempt to access system resources but also because hackers can take advantage of inactive accounts. "We see a lot of companies that don't have policies to cancel passwords and log-in names when somebody is terminated," says FBI supervisory special agent David Ford, who manages a regional computer crimes office in Atlanta. "You would think that would be the first thing that would happen, but a lot of companies don't take the basic steps you would expect."
Until recently, the New York City-based clothing designer Josephine Chaus was no exception. When Ed Eskew became vice president of IT about three years ago, there was no formal system in place for shutting down accounts of employees who resign or are let go. Now, human resources and IT work together closely - a process that, unfortunately, had to be used when the company recently had retrenchments. "The moment a person is called from their desk into HR for termination, our IT people will go to their desk and remove the CPU" and change the password for their voice mail, Eskew says. People who leave the company voluntarily may get an interim password with limited access during their notice period.
Sound extreme? Perhaps, but Eskew says there's no way to tell how someone will react to being fired. "You like to think that people will behave themselves professionally, but from a security perspective, how do you know? How do you explain that you didn't protect against that?"
But that's not always enough, as Lance learned when "Dr Crime" ended up behind bars. Now, says IT chief Gragnani, "when someone leaves our IT department under suspect circumstances, we will go back and review the program changes that person has implemented recently."
It's another prudent move for IT executives faced with securing their company's assets. But it's not like they have to spend all day, every day treating their colleagues as suspects.
Nasdaq's Bickner uses 80 per cent of his time getting people to do the right thing and only 20 per cent making sure no one does the wrong thing. "Most of the people will do the right thing most of the time," he says. "We're counting on people to make the right decisions and training them to do that. And the more you succeed on average, the less you begin to see any errant behaviour."
Software Sentries

Access controls and administrative tools help limit in-house threats

You can't erase every in-house security threat. But there is software to help you manage the risks. Steve Hunt, an analyst at Giga Information Group, puts the software into four categories.
1. AUTHENTICATION SOFTWARE
It answers the question: who are you? It includes passwords, smart cards, biometrics and single sign-on technologies. Web single sign-on is often used as a single point of authentication for browser-based users accessing Web-based applications. Leading vendors include Netegrity and Computer Associates.
2. AUTHORISATION SOFTWARE
Operating systems such as Unix and Windows NT offer modest protection for controlling who has access to what files. Systems administrators can set permission levels so that certain users can read, write or execute certain files or folders. The problem? The settings are time-consuming to configure and easy for savvy users to override. Authorisation software, sold by Computer Associates, IBM and others, enforces the rules you've set up.
3. ADMINISTRATION SOFTWARE
This software makes access control a little neater. Sold by Access360, BMC Software, IBM's Tivoli Systems and others, administration software allows companies to keep track of all their users and what access those users have to specific data. It would allow a security manager to place one call instead of asking 25 systems administrators to change access levels, Hunt says. A company with 30,000 employees would spend about $US1 million on software and consulting fees. But even then, Hunt says, a savvy internal hacker could cause problems.
4. AUDIT SOFTWARE
BindView, Counterpane and PentaSafe offer products and services for answering the question: what happened? They report security events, and identify anomalies and trends. Companies use audit information to improve the quality of their applications as well as security.
Hunt says that CIOs can solve 90 per cent of the threat by combining tools such as these with corporate firewalls, internal VPNs and network intrusion detection tools. "That just cost you $US2 million if you're a big company, but you have to ask yourself: what would a competitive espionage breach cost you in market momentum, legal fees or embarrassment?" Hunt asks. "That's when you take a walk through your cubicles and try to see how disgruntled your employees are."
How Harrah's Protects the House's Money

Harrah's Entertainment has every need to trust its employees, and every reason to be paranoid. Employees of the Las Vegas-based casino chain handle $US10 million to $US15 million in cash every day - as much as the US's largest banks. About 12,000 of its 47,000 employees have access to the sensitive information housed in Harrah's customer relationship management system, which keeps track of how customers have gambled and spent on previous visits to its casinos across the country.
"There's an implicit trust that we have with our employees," says CIO John Boushy. But there are also intense checks and balances to keep everyone honest - little ways that add up to robust security. Here's a checklist.
CHECKS AND BALANCES
At least three people are involved whenever it's time to replenish the supply of chips at a gambling table. Each employee's step gets documented.
Employees must have IDs to be on the casino floor, and badges are revoked when employees leave the company.
USER ACCOUNT MONITORING
Employee accounts are usually closed within a day of their leaving the company. Every quarter, managers compare personnel files with security files, looking for discrepancies.
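The account checks described in section 5 (disable a leaver's accounts promptly, because stale accounts are what attackers pick up) and in the quarterly comparison of personnel files with security files above amount to one reconciliation job. This is an added example, not code from the article or from Harrah's; the HR export, directory records, usernames and dates are all constructed for it.

```python
"""Reconcile the HR roster with the account directory.

Added example, not code from the article or from Harrah's. It implements
the two checks described above: accounts of people who have left should be
disabled within a day (section 5 and Harrah's user account monitoring), and
personnel files are compared with security files for discrepancies (the
quarterly review). All records below are constructed for the example.
"""
from datetime import date

# Constructed HR export: username -> (status, termination_date or None)
HR_ROSTER = {
    "jdoe": ("active", None),
    "asmith": ("terminated", date(2002, 3, 15)),
    "rlee": ("terminated", date(2002, 4, 29)),
    "pmartin": ("active", None),
}

# Constructed account directory: username -> (enabled, last_login or None)
ACCOUNTS = {
    "jdoe": (True, date(2002, 4, 30)),
    "asmith": (True, date(2002, 4, 2)),      # enabled weeks after leaving
    "rlee": (True, None),                     # left yesterday, within grace
    "svc_backup": (True, date(2002, 4, 30)),  # no HR record at all
    "pmartin": (True, date(2002, 4, 30)),
}

REVIEW_DATE = date(2002, 4, 30)  # the day the review is run


def reconcile(hr, accounts, today, grace_days=1):
    """Return the discrepancies between HR records and the directory.

    orphaned:        enabled accounts with no HR record (service account,
                     contractor or unknown: each needs a named owner).
    stale_enabled:   accounts of terminated staff still enabled past grace.
    used_after_exit: terminated staff whose account logged in after their
                     termination date, i.e. the credential was still usable.
    """
    report = {"orphaned": [], "stale_enabled": [], "used_after_exit": []}
    for name, (enabled, last_login) in accounts.items():
        if name not in hr:
            if enabled:
                report["orphaned"].append(name)
            continue
        status, term_date = hr[name]
        if status != "terminated":
            continue
        if enabled and (today - term_date).days > grace_days:
            report["stale_enabled"].append(name)
        if last_login is not None and last_login > term_date:
            report["used_after_exit"].append(name)
    return report


def run_review():
    """Run the reconciliation over the constructed data as of REVIEW_DATE."""
    return reconcile(HR_ROSTER, ACCOUNTS, REVIEW_DATE)
```

On the constructed data, `run_review()` reports `svc_backup` as orphaned and `asmith` as both still enabled and logged into after the termination date, while `rlee`, who left the day before, is still inside the one-day grace period.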
DAILY LOG REVIEWS
Every night at each property, an IT employee reviews significant changes, such as a change to a customer's credit limit.
From stairwells to the data centre, cameras are installed practically everywhere except inside hotel rooms.
LIMITED ACCESS BASED ON LOCATION
Systems are configured so that certain kinds of information can be accessed only in certain locations. For example, someone behind the front desk couldn't submit a request to send more chips to a table.
STRICT ACCESS TO DATA CENTRES
To enter, an employee needs to type in a password that changes at least once a month. On the keypad, the way numbers are assigned to buttons is randomly generated so that no one can casually observe an employee punch in numbers.
LIMITED ACCESS TO THE PRODUCTION SYSTEM
When an IT employee needs to make a change to the production system, which handles transactions on the casino floor and houses the CRM loyalty program, he needs to call the help desk for a temporary user ID. The reason for the change is logged, and the changes are monitored.
Boushy says it was important to make sure Harrah's built such security steps into its operations from the start."It's just been such a major component of the way we operate our business," he says.