Extrusion: The story of 'trusted' digital insider theft

Enhancing Business Mobility with Convertible PCs Backup and Recovery for Microsoft Exchange Server Not All QSAs Are Created Equal: What You Should Know Before You Buy Reduce Energy Costs and Go Green Case Study: Trinity Health Care Sign up to receive Security Resource Alerts

March 09, 2004 (Computerworld) -- "The risk of cyber attacks continues to be high. Even organizations that have deployed a wide range of security technologies fall victim to significant losses. ... The percentage of incidents that are reported to law enforcement agencies remains low ... Attackers may reasonably infer that the odds against their being caught and prosecuted remain strongly in their favor." -- Computer Security Institute/FBI 2003 Computer Crime and Security Survey

In the hit parade of security technology buzzwords, antivirus and intrusion-detection systems are in the top five. After all, there are a lot of bad guys out there writing worms and trying to break in.
Stop for a second and ask yourself a question.
Is intrusion your key threat just because that's what the IT vendors are selling?
You know the joke about the cement factory in Poland. Every day, a worker leaves the factory at closing time with a wheelbarrow of sand. After a month of this, the guard finally says to the worker, "I know you're stealing something; I just can't figure out what the heck it is." The worker replies, "I'm stealing wheelbarrows." That's extrusion: unauthorized transfer of your assets in broad daylight.
The sources of insider theft
Let's examine the sources of digital asset extrusion: trusted insiders, human error and criminals. Trusted insiders are your employees, your suppliers and your customers. Employees may be the software development group that was axed or the sales representative who skims credit card transactions. Suppliers may be the courier who flirts with the receptionist or the night security guard who copies sensitive documents.
Outsourcing contractors are also threats. In the quest for operational efficiency, our industry outsources IT functions, but oddly, some banks and insurance companies outsource their information security functions even though their business is the most information-intensive industry on the planet.
What about human error? One extra click in Outlook, and a casual friend is on the distribution list together with the board members in the middle of due diligence.
Customers may not be direct threats, but many business-to-consumer Web sites are vulnerable to credit card theft by organized crime. Tens of thousands of stolen credit card numbers are offered for sale each week on the Web. This black market e-business, where credit card prices fluctuate with supply and demand, costs the financial system more than $1 billion a year and shows how easily personal information is being stolen and traded.
People do it because of anger and greed. Emotions are a powerful motivator, and anger at being terminated will cause a person to act quickly and irrationally. A supplier trying to collect money may view extrusion of digital assets belonging to his customer as a way of taking a hostage that will ensure receipt of payment.
Employees are aware that extrusions can be traced when they use their office lines or cell phones and may prefer to use alternative channels such as instant messaging or peer-to-peer systems that are readily available in most offices, yet can't be traced or tapped with conventional network facilities.
Most companies don't report extrusion to law enforcement agencies out of fear of negative publicity and of competitors taking advantage of the bad news.
A CEO considering the extrusion problem must gauge the potential damage to a valuable and hard-earned corporate brand without assuming that fear and loyalty will prevent an employee from stealing a digital asset on the network.
Cases of insider theft
In order to understand what digital assets people steal, let's consider the following two brief case studies:

• A technology start-up retains a company to do software development. Since the vice president for research and development adopted extreme programming methods, he demands that all the work be done on-site. The vice president also requires that the on-site developers check in all software updates to the source repository. Sadly, rapid romances don't always lead to stable marriages, and in the middle of the project, the supplier is sacked. The start-up doesn't pay its bill, and one of the supplier's developers thoughtfully takes a backup of the entire source tree and extrudes the entire project over a virtual private network (VPN) on his last day on the job. Exposure to the investors from extrusion of the source code containing proprietary intellectual property can be as much as $2 million to $10 million, depending on the uniqueness of the technology and the company's valuation.


• A large credit card issuer with more than 4 million cardholders operates a call center. Private investigators working divorce cases socialize with call operators on their smoking breaks in the courtyard outside the building. On any given shift of 150 customer-service reps, at least one has taken a bribe to extrude personal information from the CRM system to the private eyes.

Extrusion happens in your office and during normal business hours. When an extruder needs a username and password, she may deploy social engineering to get the information. When a disgruntled programmer is terminated, he may copy the project source repository over the company VPN in his last few hours at work.
In summary
Extrusion is the unauthorized transfer of digital assets that are essential to accomplishing your company's mission -- credit card numbers, customer records, transactional information, source code and other classified information.
In Part 2, I'll suggest some best practices for extrusion prevention and survey technology requirements.
In Part 3, I'll review the current state of legal and statutory requirements in this country and in Europe.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

Part III: Insider theft and the role of regulation Extrusion Part 2: Insider theft of digital assets -- best (and not so best) practices Extrusion: The story of 'trusted' digital insider theft

"Today's US college business professors, hopefully, aren't all like the one who is teaching a Florida university's business major. Maybe..." Read more... "For the first time in 30 years, there were no public offerings from a venture backed company. Look for more..." Read more... Read more Management posts or See all Blogs

Microsoft promises four patches next week Google gives away home-cooked Web application security scanner Storm botnet stages Fourth of July attacks More top stories...

Microsoft trumpets security additions in upcoming IE8 Apple cuts price of high-end SSD MacBook Air by $500 Ultrathin showdown: Apple MacBook Air vs. Lenovo ThinkPad X300 vs. Toshiba Portege R500

This old laptop: Revitalizing an aging notebook on the cheap All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how. Bill Gates moves on Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft. Five things you should never tell your boss There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss. Hands-On: Firefox 3 fixes what's broke and keeps what's right With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 3 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone See your link here

Computerworld invites all storage industry leaders to join us at an exclusive virtual event! Computerworld invites all storage industry leaders to join us at an exclusive virtual event! Register now and we'll see you LIVE on June 24th at 11am! Go to the webcast  Computerworld Technology Briefing: Meetings @ the Speed of Business Download this Technology Briefing now, compliments of Microsoft! (Source: Microsoft) For large organizations, Web conferencing gives a major boost to collaboration among far-flung offices. For smaller companies, experts say Web conferencing is no longer a luxury but a necessity for everything from webinars to customer presentations. But the real value lies in saving soft costs and in increases in productivity. Download this executive briefing  Taking Control of Software Licensing Get this white paper now! (Source: BDNA) Pricing model changes, virtualization, and vendor audits are just a few of the reasons why software licensing is full of factors outside your control. Accurate information is the best weapon for managing vendors. This white paper discusses new technologies to enter conversations with vendors on your toes, not your heels. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Deploying Virtualized NetWare on Linux Whitepaper Toward More Flexible, Next-Generation Collaboration Solutions Driving Business Success Through Workgroup Choice and Flexibility View more whitepapers

• Part III: Insider theft and the role of regulation
• Extrusion Part 2: Insider theft of digital assets -- best (and not so best) practices
• Extrusion: The story of 'trusted' digital insider theft

• Microsoft promises four patches next week
• Google gives away home-cooked Web application security scanner
• Storm botnet stages Fourth of July attacks
• More top stories 

Intercept Spam & Viruses With MessageLabs MessageLabs is offering a complimentary 30 day trial of its managed Anti-virus and Anti-spam security solutions. MessageLabs guarantees complete protection against all know and unknown email threats. By providing 24 hour support, your business can increase productivity and decrease risk. Register for a complimentary trial and receive a free datasheet. Download this white paper now!

Is Your Company a Great Place to Work? Our annual survey recognizes top employers that offer satisfying and challenging work environments for their IT staffs. Nominate a company here. See the 2007 Best Places to Work in IT report

Enhancing Business Mobility with Convertible PCs For years Pen enabled computing devices have enjoyed great success and acceptance in highly vertical industries like delivery services, auditing and POS. The primary limitations of early pen computing devices, which were the hurdles to early mainstream adoption, were the power limitations of the devices, no stable OS environment for application development, and the lack of a keyboard for traditional input. Now, with the availability of Windows XP Tablet PC edition and Vista, which are both Pen Enabled operating systems, the flexibility afforded by dual function convertible notebooks and a host of 3rd party applications, Pen Computing has expanded into areas like healthcare, insurance, education, retail, and sales force automation. What used to be strictly vertical has now caught on as a preferred alternative to standard notebooks. Is now the right time for you to consider pen computing? Tune in to find out what these amazing mobile devices can do to simplify tasks, expand the utility of a traditional notebook, and increase the ROI of traditional notebook computing. Listen to this podcast now