Inside the insider threat

Computerworld - Six years ago, I warned the U.S. Senate that it was possible to "take down the Internet in 30 minutes."
There are still critical weaknesses in central points of the public network. Although more distributed now, remote points can still be harnessed to cause disruption and confusion in ways similar to distributed denial-of-service attacks (DDoS). These methods refer to a threat model embodied by the collective Internet. An Internetwide outage would affect everyone on the Web, but corporations, organizations and governments face even greater threat models that encompass much more acute localized pain and risk.
One of the oldest and least modified over the years has been the insider threat -- hackers infiltrating internal networks. This threat is more common than insider attacks or destruction. The infiltration is achieved in various ways common to network interlopers and attackers, and most importantly, it is largely missed by existing audit and intrusion-detection systems (IDS).
Web site defacement, concurrent versions system (CVS) attacks and DDoS attacks are rarely instigated by agents once they get inside an organization. Such overt attacks too easily reveal them. Once inside a network, a hacker's priorities change -- from vandal to spy.
The insider threat is unaddressed by today's IDSs, which are focused on attacks. Attacks are noisy, so they're rarely used by insiders intent on remaining invisible inside of a network. Real-world examples of insiders include Robert Hanssen, the FBI mole; Aldrich Ames, the CIA mole; and the sleeper terrorist cells inside the U.S. that were responsible for 9/11. How many lives could have been saved if these moles and sleeper cells had been discovered earlier?
Over the years, I have found critical systems, such as Supervisory Control and Data Acquisition/Data Control System components for utilities companies and large phone-switching systems for telecommunications companies, compromised by insiders who were camping out in these networks. Often, the system's critical function was unknown to the interloper, whose sights were set elsewhere. But many times control of the critical system was the ultimate goal.
Proprietary source code, microchip design plans and databases full of personal information continue to become public, or competitor, domain. Companies and organizations of all shapes and sizes continue to bear this risk with little mitigation coming from the expensive network security defenses they have deployed.
So how do antagonists continue to gain access so easily?
Let's take a closer look at some of the tactics hackers commonly use.
Sniffing, Trojan horses and application back doors
Sniffing is the easiest and most profitable method hackers use to