The Enemy Within

Though many firms are focused on preventing external breaches in computer security, the greatest threats often lurk within a company's workforce.

It's January 2000, and the world hasn't imploded under the weight of the Y2k problem. Planes aren't falling out of the sky, and trains aren't careening off their tracks. But in a few short months, Craig Goldberg's start-up will come face to face with a more sinister threat that will take it to the brink of disaster: cybercrime.

The CEO of Internet Trading Technologies Inc. (ITTI), a New York-based technology subsidiary of stock trade regulator LaBranche & Co., had just completed a second round of funding that helped fuel an expansion of the company's IT staff. Within two months, Goldberg hired a half-dozen more software developers and tapped a CIO with 15 years of experience to take on the role of chief operating officer.

Trouble lurked beneath the surface, however. Two of the company's software developers approached ITTI's new COO and demanded that the company "pay them a lot of money or they will resign immediately and not provide any assistance to the development team," according to Goldberg, who eventually succumbed to the demands.

But that wasn't enough for the two developers, who left the premises, demanded more money and stock options and threatened to let the development work founder. "It felt like we were being held up," says Goldberg. Faced with the equivalent of a cyberhijacking, he refused to budge, and the developers were dismissed.


What the Experts Say

Most experts recommend that companies offer regular training programs on network security procedures, information handling techniques, how to deal with social engineering techniques used by outsiders, the importance of physical security standards and Web/computer asset usage guidelines.
Managers should receive training in how to handle disgruntled employees and make sure clear career paths for IT personnel are established. Close attention should be paid to layoffs and compensation packages.
Clear security guidelines should be published and, if necessary, employees should be asked to sign nondisclosure and computer usage agreements. Internal information should be classified and shared according to its sensitivity and employee need-to-know parameters.
Companies should also encrypt sensitive communications, use network monitoring tools, enforce security practices and separate IT development network environment from sales and support divisions.

The first denial-of-service attack hit the next morning, a Thursday, and crashed the company's application server. Somebody sitting at a computer in a downtown Manhattan Kinko's had gained access to ITTI's server using an internal development password. The server was brought back online, only to be hit again two minutes later, says Goldberg. Passwords were changed, and development systems were air-gapped—physically disconnected—from the Internet. But the attacks continued through the weekend.

The situation soon became critical. "If the attacks continued to go on, we would go out of business," Goldberg says. He called in a security consulting firm and the Secret Service.

The last attack, which occurred Monday morning, hit as federal authorities were installing monitoring equipment on ITTI's networks. Authorities traced the attacker to a computer at Queens College in Flushing, N.Y., where one of the former employees was a student. Witnesses placed the individual at the specific computer at the precise time of the attack. Within an hour, the Secret Service officials had their man. No evidence or charges were brought against the other former employee.

Stress Points

Experts agree that cybercrimes, such as the one perpetrated against ITTI, are often the result of a combination of factors that are unique to the modern IT workplace. Although most managers believe, as Goldberg says, that "security is both about risk management and hiring honest people," experts in criminal psychology say the onus is often on managers to take action to prevent current and former employees from lashing out in the form of cybercrime.

Jerrold Post, a professor of psychiatry at The George Washington University in Washington, developed the "Camp David profiles," which focus on understanding the psychology of terrorism and political violence. They were developed for then-President Jimmy Carter. Post says cybercrime can be seen as a subset of workplace violence, where employees become frustrated but have no way to mitigate the stress.

"In almost every case, the act which occurs in the information system era is the reflection of unmet personal needs that are channeled into the area of expertise," says Post. "Almost all of these people are loyal at the time of hiring, so this isn't a matter of screening them out."

Post acknowledges that only a small percentage of IT workers who share a common set of personality traits actually commit crimes. However, for those who do become cyberoffenders, their actions are often the result of not having skilled managers who can alleviate workplace stressors, he says.

Post suggests several approaches that managers can take to both identify and alleviate those stressors for employees, including providing more distinct career paths. He also says managers need to acquire better leadership skills to help people feel like they really matter to an organization.

Bill Tafoya has spent the better part of the past 25 years profiling criminals. A former special agent at the FBI and now a professor of criminal justice at Governors State University in University Park, Ill., Tafoya says many IT workers today sometimes feel browbeaten by their employers.

"Most of the time, however, they merely become cynics who infect co-workers with their misanthropic view and undertake career-long, one-person work slowdowns," he says.

Managers often mishandle difficult situations, he says. "In some organizations, when personnel falter and are subsequently disciplined, the records department is a favorite reassignment [that] management uses for purposes of punishing the miscreant," Tafoya says. "I ask you, who is being punished?" Career paths need to be developed for IT personnel who handle a company's crown jewels—its information, he adds.

Obviously, not all cybercrimes occur as a result of frustrated employees. Many computer security breaches are the acts of dishonest people who crack into systems from the outside using the Internet.

Sometimes, they get a little indirect help from unsuspecting employees.

In February, a major bank in the Northeast whose name is being withheld for security purposes discovered that unauthorized purchases were being made on the Internet using its customers' information. The bank called the Emergency Response Team (ERT) at Internet Security Systems Inc. (ISS), an Atlanta-based security firm. After 131 hours of forensics processing, both ISS and bank officials suspected that a mole in the company was helping the attacker.

"The client was convinced there was a collaborator and was ready to terminate a number of individuals, as well as contractors," said Allan Fideli, director of the ERT and the former chief of worldwide security at IBM. However, Fideli and another analyst eventually narrowed down the perpetrator to a contractor in Europe who had stolen passwords from his mother-in-law, who was an employee of the bank.

Scott Christie, an assistant attorney at the U.S. Attorney's Office for the District of New Jersey in Newark, says a lack of oversight is a key enabler in many cybercrime cases.

"Without any oversight, [criminals] can do what they want without fear of being caught," says Christie.

Richard Hunter, an analyst at Stamford, Conn.-based Gartner Inc., says management inattention can be a contributing factor. "Some managers are inattentive to the point that they do not even check resumes for people being hired into positions where sensitive data is available," says Hunter.

Although Post acknowledges that the majority of hackers are little more than garden-variety criminals, the world of cybercrime does have its share of Lee Harvey Oswalds, he says. The most recent example is Abraham Abdallah, a 32-year-old Brooklyn busboy who in March managed to pull off the biggest Internet identity heist in history by stealing the online identities of 200 of the richest people in America.

There is little difference in motivation between criminals like Abdallah and Oswald, says Post. "To steal somebody's identity is to escape from one's place of insignificance. It's a special species of assassination," he says.

For Tafoya, the assassination metaphor goes too far. "Those who have been so victimized see the theft of their identity as more akin to rape," he says.

According to ITTI's Goldberg, however, cybercrime is about greed. "We talked and negotiated in good faith, but at a certain point in time, it becomes extortion," he says.

For Web resources on this topic, head to our Cybercrime Research Links page.

Special Report

Security Risk and Reward

Stories in this report:


Copyright © 2001 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon