I recently advised a client who was concerned that insiders in his company could be a source of fraud or theft. The client’s network was well designed and maintained, with good protection against external attack. A proposed solution was designed to detect improper insider activity, but implementation was delayed until the busy season was over. Unfortunately, the concerns turned to reality in that an analyst, via manipulation of system clocks, was able to make off with a very large sum.

So, I wondered how big a threat exists from one's own staff and am amazed to learn that more than 20% of electronic crime detected and identified (an important caveat, as no one knows exactly what level of cybercrime actually exists) is by insiders, usually technical staff.

Insider threats include fraud, theft of confidential or proprietary information and sabotage.

The reasons vary from monetary gain, power, revenge and blackmail. A common source is when an organization is undergoing change such as take-over or down-sizing and staff insecurity rises.

The placement of “logic bombs” is not new but is becoming more common. Refer to the case of Yung-Hsun Lin, who placed a logic bomb in the systems of his employer, Medco Health Solutions Inc in the USA, because of his concern about being fired. He received a record 30 months in prison and was ordered to pay restitution of $US81,200. (Reuters, Jan 9, 2008).

Although defence against insider cybercrime is difficult, the processes must be layered, including clear and well-communicated company policies and procedures, technical controls, and actual implementation of these. It is important that when an employee leaves, departure procedures are carried out, including removal of passwords, physical access and remote access tools.

Be very alert to programs in the system with a delayed trigger time and date, such as the birthday of someone who has been dismissed.
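One way to act on that advice is to review the scheduled-job inventory regularly rather than waiting for a trigger to fire. The script below is an added example, not code from the original post: it runs over a constructed list of job records (the job names, account names, paths and dates are all invented) and flags one-shot jobs set to fire far in the future, jobs still owned by departed staff, and jobs whose command lives in a user home directory. The record layout and the thresholds are assumptions; a real inventory would be pulled from cron, `at`, or the Windows Task Scheduler.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ScheduledJob:
    """One entry from a scheduled-job inventory (hypothetical record layout)."""
    name: str
    owner: str
    command: str
    trigger: datetime   # first (or only) time the job fires
    created: datetime   # when the job entry was added
    recurring: bool     # True for cron-style repeats, False for one-shot (at-style)


# Constructed sample inventory: none of these hosts, users or paths are real.
SAMPLE_JOBS = [
    ScheduledJob("nightly-backup", "svc_backup", "/opt/backup/run.sh",
                 datetime(2024, 3, 2, 1, 0), datetime(2023, 6, 1), True),
    ScheduledJob("cleanup-tmp", "jdoe", "/home/jdoe/bin/cleanup.sh",
                 datetime(2024, 9, 14, 3, 0), datetime(2024, 2, 20), False),
    ScheduledJob("report-gen", "asmith", "/opt/reports/gen.py",
                 datetime(2024, 3, 3, 6, 0), datetime(2024, 2, 28), True),
]

# Constructed list of accounts whose owners have left; in practice this comes from HR/IAM.
DEPARTED = {"jdoe"}


def find_suspicious_jobs(jobs, departed, now, horizon_days=30):
    """Return [(job_name, [reasons])] for jobs that merit a manual look.

    The checks are deliberately simple heuristics:
      - the owning account belongs to someone who has left (access not removed);
      - a one-shot job is set to fire more than horizon_days after 'now'
        (the delayed-trigger pattern described above);
      - the command lives in a user home directory rather than a managed path.
    """
    findings = []
    horizon = timedelta(days=horizon_days)
    for job in jobs:
        reasons = []
        if job.owner in departed:
            reasons.append("owner has left the organisation")
        if not job.recurring and job.trigger - now > horizon:
            days_out = (job.trigger - now).days
            reasons.append(f"one-shot trigger set {days_out} days in the future")
        if job.command.startswith("/home/"):
            reasons.append("command lives in a user home directory")
        if reasons:
            findings.append((job.name, reasons))
    return findings


if __name__ == "__main__":
    review_date = datetime(2024, 3, 1)  # constructed review date
    for name, reasons in find_suspicious_jobs(SAMPLE_JOBS, DEPARTED, review_date):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The review date is passed in explicitly so the same inventory can be re-checked against any point in time; in a scheduled audit you would pass `datetime.utcnow()` and feed the findings to whoever owns the departure procedure.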

Most attacks are found after the damage is done – often detected manually due to a system malfunction or irregularity.

The most common way of locating the source of the malicious insider is via system logs. These should be kept for at least a year with, preferably, an off-site copy. Remember, if the insider criminal is very technically capable, the logs could also be tainted.
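The off-site copy is what makes tainting detectable, and the detection can be mechanical if each log line carries a keyed tag chained to the previous one. The code below is an added example, not part of the original post: it chains a constructed set of log lines with HMAC-SHA256 and then checks the chain, so that editing or deleting an entry in the on-host copy shows up as a mismatch at that position. The key name and the sample lines are invented; the design assumption is that the key lives with the off-site collector and never on the host being logged, otherwise a technically capable insider can simply recompute the chain.

```python
import hashlib
import hmac

# Constructed sample log lines; not taken from any real system.
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z user=asmith action=login src=10.0.4.17",
    "2024-03-01T09:15:41Z user=asmith action=query table=payments",
    "2024-03-01T09:16:02Z user=jdoe action=clock_set new=2024-02-28T23:59:00Z",
    "2024-03-01T09:20:10Z user=jdoe action=transfer amount=250000",
]

# Hypothetical key. It belongs to the off-site collector that receives the
# chained copy; the host that writes the log must not hold it.
CHAIN_KEY = b"offsite-collector-secret-example"

# Fixed starting value for the chain (all zero bytes, SHA-256 digest length).
CHAIN_SEED = b"\x00" * 32


def chain_log(lines, key, seed=CHAIN_SEED):
    """Tag each line with HMAC(key, previous_tag || line).

    Returns a list of (line, tag_hex). Because every tag depends on the one
    before it, changing, removing or reordering any earlier line changes every
    tag that follows.
    """
    prev = seed
    entries = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        entries.append((line, tag.hex()))
        prev = tag
    return entries


def verify_chain(entries, key, seed=CHAIN_SEED):
    """Recompute the chain and return the index of the first bad entry, or -1."""
    prev = seed
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    good = chain_log(SAMPLE_LOG, CHAIN_KEY)
    print("intact copy, first bad index:", verify_chain(good, CHAIN_KEY))

    # An insider rewrites the clock-change line but cannot recompute the tag.
    edited = list(good)
    edited[2] = (edited[2][0].replace("clock_set", "noop"), edited[2][1])
    print("edited line 2, first bad index:", verify_chain(edited, CHAIN_KEY))

    # Deleting the clock-change line breaks the link to the next entry.
    deleted = good[:2] + good[3:]
    print("deleted line 2, first bad index:", verify_chain(deleted, CHAIN_KEY))
```

One limitation worth knowing: cutting the chain at the tail (dropping the last lines entirely) leaves a shorter chain that still verifies, since nothing after the cut exists to contradict it. The usual answer is to send the latest tag to the off-site copy on a fixed schedule, so a truncated host copy can be compared against the last tag the collector recorded.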

A final word: potential problems may arise when development tools, systems and people are not separated from those for normal business operations.
