Locating the real threats to corporate security

• Tags:
• Crime,
• Statistics,
• Administrator,
• Malware

Tom Espiner ZDNet.co.uk

Published: 27 Jul 2007 17:06 BST

• 
• 
• 
• 
• 

In 2006, sysadmin and programmer Roger Duronio was found guilty of planting malware — known as Unix logic bombs — in investment bank UBS. The company claimed the resulting damage cost an estimated $3.1m.

The motivation? Duronio allegedly received a bonus from his employer that he was not happy with. He complained and eventually quit, but not without leaving behind a parting gift.

Following Duronio's swift departure, a series of logic bombs triggered, deleting vital files from approximately 2,000 of the investment bank's servers.

At the subsequent trial Duronio maintained his innocence, and pointed to alleged security holes in the bank's systems to explain the breach — security holes that he maintained he had attempted to bring to the attention of his employers. However, two copies of the virus found on Duronio's home computer systems and a printout of the virus on his dresser convinced the jury that he was guilty. The 63-year-old was eventually sentenced to eight years' imprisonment.

The Duronio case highlights one of the mainstays of IT security planning — that employees are a bigger threat than external forces. One study estimated that 90 percent of economic computer crimes were committed by employees of the victimised companies.

Insider-threat studies by the US Computer Emergency Response Team (CERT) show that one of the main motivations for company employees instigating security breaches is revenge, rather than corruption or infiltration by organised crime.

The most recent study released by US CERT on insider threats found that the majority of insiders were disgruntled and motivated for revenge by "a negative work-related event", and chose to get even by trying to sabotage the IT systems.

Most attacks perpetrated by insiders don't just come out of the blue. CERT found that 80 percent of insiders exhibited "concerning behaviour" prior to attack, including lateness, truancy, arguments with co-workers and poor job performance.

Inside cyberattacks are most likely to come from those with the keys to the crown jewels. Eighty-six percent of the insiders held technical positions, while 90 percent of them were granted system administrator or privileged system access when hired by the organisation.

Many of these technically proficient, disgruntled employees used privileged system access to take technical steps to set up the attack before they were fired. Insiders created a backdoor account, installed and ran a password cracker, took advantage of ineffective security controls in firing processes, or exploited gaps in their organisation's access controls to wreak technical havoc.

Stephen Bonner, head of information security risk at Barclays, says there are four main areas of motivation for insiders compromising company data. These are: money or items of value; ideology; a situation in which they themselves are compromised and are responding to blackmail; or ego, leading to revenge or justification.

Trusted insiders are obviously in a unique position to wreak havoc on their company systems — especially if they enjoy admin privileges or other special access granted to IT staff. However, disgruntled staff are not the only threat to business security, and there is mounting evidence that they may be less of a problem than they once were.

Cybercrime shift
Recently, experts have begun to pick up on a shift in who is perpetrating cybercrime. Computer-related fraud and other crimes have become big business. Figures released in 2005 by the former National High Tech Crime Unit, now part of the Serious Organised Crime Agency (SOCA), put the cost of cybercrime to the UK at £2.45bn.

The UK's Metropolitan Police Department described cybercrime as "the most rapidly expanding form of criminality, encompassing both new criminal offences in relation to computers (viruses and hacking etc), and 'old' crimes (fraud, harassment etc), committed using digital or computer technology."

Given this escalation of cybercrime, some experts claim the ratio of internal versus external threats has shifted and even reversed. According to the US IT skills and training organisation, SANS Institute, only 38 percent of security breaches are now caused by insiders.

A mantra that has been repeated by the security community for years is: "Hackers are no longer kids in back bedrooms looking for glory — they are now serious organised criminals, motivated by profit."

There is plenty of evidence to back this assertion up. While there are still individuals accused of hacking who claim to have been motivated by idealistic notions, such as finding evidence of extraterrestrials, a whole black economy operates around the generation of malware.

The compromise and sale of herds of zombie computers known as "botnets" is one way cybercriminals perpetrate crime.

According to the FBI, "a botnet is a collection of compromised computers under the remote command and control of a criminal "botherder". Most owners of the compromised computers are unknowing and unwitting victims. Because of their widely distributed capabilities, botnets are a growing threat to national security, the national information infrastructure, and the economy", the agency claims.

In response to this threat, earlier this month the FBI launched "Operation Bot Roast", which is determined to disassemble botnets and discourage criminal activity. However, botnets can still be used to try to compromise company computer systems through the distribution of spyware and malware.

A more insidious external threat comes from spearphishing through malware in targeted emails, while IT managers are also...

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit