[ISN] Secret Service: Inside Attacks Generally Launched By Problem Employees

From: InfoSec News (alerts@private)
Date: Sun Aug 27 2006 - 22:04:32 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=192300415

By Sharon Gaudin
InformationWeek
Aug 25, 2006

Brian Robak, a network security analyst at National Cooperative Bank, 
used to manage the company's help desk workers back when he was the LAN 
manager. Being a manager is never an easy chore, but there was one 
employee who generally made his job a nightmare.

Robak says he was reluctant to take the management position in the first 
place because of this one woman who was hired to lead the help desk. Far 
from being a leader, she was the epitome of the problem employee. She 
had a bad attitude, he says, and apparently felt no qualms about 
displaying it. Assigned the task of being a liaison with the users at 
the bank, Robak frequently had to deal with complaints that she would 
end a conversation with a user by cursing about them and slamming the 
phone down. The cursing part came while the user was still on the line.

Robak says the problems started about six months into her tenure at 
National Cooperative and she continued to work there for about another 
three years.

"She was a beast," he says. "And she was even worse to other technical 
people when she'd have to talk to them on the phone." Robak says she got 
into a screaming match with him over summer hours, loudly informing him 
that he wasn't the boss of her. The help desk manager's own boss had to 
come running to deal with the situation.

This behavior didn't get her fired, however. The bank had a policy of 
working with employees and trying really hard to iron out bad 
situations. They offered her free conflict-management counseling.

Ultimately, she was caught giving her friends in the bank higher levels 
of access than they were supposed to have. A domain administrator, the 
woman had full access to all of the bank's workstations and servers. She 
changed access rights for her pals, allowing them to bypass the Web 
proxy used to restrict access to objectionable Web sites. Ignoring 
company security policies, she even allowed her friends to download 
prohibited software, potentially opening the network up to virus and 
hacker attack.

The woman eventually left to take another job. "As her manager, I was 
genuinely concerned that she was putting our network in danger," says 
Robak, adding that late in her time at the bank he restricted her server 
access.

Robert Sica, special agent in charge at the U.S. Secret Service, would 
contend that the bank got off easy. It could have wound up going very 
badly, as it has in other situations, where a disgruntled insider has 
caused major systems or network damage. A full 80% of people who launch 
a computer-related attack on their own company's system had been problem 
employees, according to the Secret Service, which divides its time 
between protecting state officials and investigating financial crimes. A 
study of insider attacks shows that the people behind the schemes had 
previously exhibited what Sica calls concerning patterns of 
behavior--aggression in the workplace, insubordination, and hostile 
speech with coworkers and supervisors. (See related story, "Study 
Highlights Insider Threats.")

"These people are generally not your best employees," says Sica. "What 
we're finding is that there are behavioral markers being laid down that 
management and coworkers might be able to pick up on and potentially 
prevent an insider from acting."

And there's been anecdotal evidence to back up what Sica is saying.

This summer, a former systems administrator was found guilty in U.S. 
District Court for planting a software time bomb back in 2002 that took 
down about 2,000 servers inside UBS PaineWebber. Months before the 
attack was launched, Roger Duronio's supervisor told him that the 
company was struggling after Sept. 11 and none of the employees should 
expect big bonuses that year. His manager testified that Duronio was 
upset at the news and complained loudly and often about his money 
troubles and the fact that his anticipated $50,000 bonus was going to 
fall short.

As part of what prosecutors called a vengeful, money-making scheme, 
Duronio built the destructive code and pushed it out to UBS servers 
across the country. Before he set off the attack, he bought put options 
against the company which would only pay out if the UBS stock dropped in 
price. His plan centered around the security incident driving down the 
company's stock price so he could cash out.

Duronio wasn't the first disgruntled employee to plant a time bomb to 
take down his company's network.

Six years ago, Tim Lloyd was tried in the first federal criminal 
computer sabotage case. Lloyd, a former network administrator at Omega 
Engineering Corp.'s Bridgeport, N.J. manufacturing plant, was convicted 
of launching a very similar attack on that company. Lloyd had been with 
Omega Engineering for 11 years, even building the company's computer 
network. But as the company grew into a global corporation, Lloyd saw 
his clout diminish. He was no longer the big fish in the little pond. 
And it made him angry. He began causing problems, bottlenecking projects 
and even elbowing a coworker.

Lloyd ultimately planted malicious code that wiped out Omega's key 
manufacturing programs, a serious problem for a company that builds 
measurement and instrumentation devices for NASA and the U.S. Navy. The 
attack cost the company more than $10 million and led to 80 layoffs. 
Kevin O'Dowd, an Assistant U.S. Attorney, sees these kinds of corporate 
attacks becoming more common.

"It's fair to say that as companies become more dependent on technology 
and computers are more part of our daily lives, the growth of computer 
crime is inevitable," says O'Dowd, who is chief of the commercial crimes 
unit in Newark, N.J. "To think otherwise is naive. It's a question of how 
we're going to fight it."

Sica says the first step to countering inside attacks is to recognize 
the problem when it's coming head-on toward you.

"It's surprising the amount of companies where these behaviors are 
noticed and not dealt with," he says. "People say that's just the way 
someone is. He has a quirky side to him, and that quirkiness goes 
unaddressed. But that behavior may be one of those markers we're talking 
about." And with 62% of attacks being planned in advance, managers 
shouldn't ignore clues that trouble might be brewing.

Sica says managers should keep an eye on employees who complain of 
financial trouble, or are consistently late for work or absent 
altogether. Managers also should closely monitor employees who fight 
with coworkers or supervisors, and are insubordinate. Also beware of 
employees who are aggressive either verbally or physically.

The real markers are not one-shot deals, Sica emphasizes. If an employee 
is late to work one day and complains about being short in his checking 
account, it might not necessarily be time to shut down his network 
access. But if any of these behaviors become a pattern, then it's time 
to go to HR, address the concerns with the worker, begin to monitor his 
movements on the system, and consider pulling back on his network 
access.

"Companies need to really hold managers accountable to doing exactly 
that," says Sica. "Processes need to be in place and managers need to 
have training in how to pursue this. It has to be cultural. It's 
something you nurture. Awareness is the answer."

Back at the National Cooperative Bank, Robak says he's more alert for 
employees who could go from bothersome complainers to people capable of 
causing real damage to the system, and to the business.

"I would try to rein someone in earlier," he says. "I follow the bank's 
policy of giving the benefit of the doubt and working hard with the 
problem employee to solve their issues, but now I'm working security and 
it's my job to trust no one."

