[IWAR] SECURITY Corporate blackmail, employees

From: 7Pillars Partners (partnersat_private)
Date: Sun Mar 01 1998 - 17:53:49 PST

    Companies weary of internal security problems
    N.Y. Times 
    
     The computer supervisor at a Midwestern engine manufacturing
     company approached his bosses last month and made them an offer
     they could not refuse. Either they gave him a big raise immediately and
     agreed to a list of other job demands, or he would shut the company
     down, according to Erik Thompson, a computer security consultant
     who was called in to help the firm after the incident.
    
     The employee, Thompson said, got his raise, and yet another
     company discovered what thousands of businesses have learned the
     hard way in recent years: Despite justifiable fears about rogue
     programmers attacking an organization's information systems over the
     Internet, the greatest threat to a company's data security probably
     works just down the hall.
    
     ``Nobody wants to think that the guy I work with may be a bad guy,
     my worst nightmare,'' said Charisse Castagnoli of Internet Security
     Services Inc., an Atlanta-based consulting company. ``If you look at
     the statistics, though, about 70 percent to 80 percent of security
     breaches are internal.''
    
     According to an informal survey conducted by the Computer Security
     Institute, an association of corporate data-security officers, for the
     FBI's International Computer Crime Squad, computer attacks by
     insiders were more common last year than external, Internet-based
     attacks.
    
     More than 87 percent of the corporate, financial, government and
     university information-security managers polled by the survey said
     disgruntled employees were the most likely cause of data security
     ``incidents,'' ranging from sabotage, fraud and theft of proprietary
     information to unauthorized snooping in a colleague's e-mail or storing
     digital pornography on a company computer.
    
     Several different dynamics are increasing the risk of insider fraud or
     sabotage, security officials said. Companies increasingly are relying on
     outside contractors for technical work, and giving those outsiders
     insider privileges, in part because of a shortage of programmers
     exacerbated by the work needed to fix ``year 2000'' programming
     flaws.
    
     ``The Y2K problem is causing a lack of programmers, and people
     are hiring anybody,'' said Michael Zboray, a vice president at The
     Gartner Group in Stamford, Conn., using the industry's acronym for
     the year 2000 problem.
    
     ``Companies are now doing Y2K development offshore, sending
     work to Russia and India, and they haven't a clue as to what's coming
     back. They don't do background checks. What we're hearing is an
     undercurrent of back doors being programmed in.''
    
     According to the Computer Security Institute, companies employ on
     average one computer-security administrator for every 1,000 users of
     the computer system. The budget for computer security, traditionally
     1 percent to 3 percent of the total information-technology budgets for
     many corporations, is expected to rise to 3 percent to 5 percent this
     year, the institute said.
    
     But, as with the case of the automotive-engine manufacturer, most
     companies are fearful of adverse publicity and never report internal
     security breaches, even the most severe ones, to law-enforcement
     agencies, security analysts contend.
    
     ``Most firms would rather go public with the news that their chief
     executive officer was an active alcoholic than the news that there was
     an insider security problem,'' said William Malik, a vice president and
     research director for Gartner Group.
    
     One notable exception occurred last month when a former computer
     network administrator for a government subcontractor was arraigned
     in federal court in New Jersey, charged with having destroyed critical
     company data in 1996 using a software ``logic bomb'' that detonated
     three weeks after he was dismissed from his job.
    
     The logic bomb erased all of the engineering programs and files at
     Omega Engineering Inc. of Bridgeport, N.J. Backup tapes were
     stolen as well, and losses from the sabotage could eventually cost the
     company more than $10 million, U.S. Secret Service investigators
     said.
    
     Speaking to a data-security conference last month, Dan Nielsen, a
     special agent with the FBI's newly renamed National Infrastructure
     Protection Agency, said insider attacks are rarely reported, and thus
     the agency has no reliable estimate of the dollar losses sustained from
     them. But the tally for the relatively few attacks that were reported in
     1996 was $100 million, according to the Computer Security
     Institute/FBI survey.
    
     Early responses from the 1997 year-end survey indicate a 30 percent
     rise in reported losses in the past 12 months, said Richard Power,
     president of the Computer Security Institute. And it appears the
     percentage of companies reporting computer-security incidents in
     1997 will also rise sharply, to more than 60 percent, he said.
    
     Half of the 563 information security professionals responding to the
     1996 survey said their organizations had sustained the unauthorized
     use of systems last year, and among those, insider attacks were
     reported to be more common than external attacks.
    
     The 249 organizations that were able to quantify the losses from all
     computer attacks reported losses totaling $100 million. The
     Computer Security Institute is now compiling results from the 1997
     survey.
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:05:54 PDT